10 Cyber Security Areas to consider for Information Risk Management Regime

Defining and communicating the Board's Information Risk Management Regime is central to an organisation's overall cyber strategy. CESG recommends reviewing this regime, together with the nine associated security areas described below, in order to protect your business against the majority of cyber threats.

10 Aspects to consider for Information Risk Management Regime

Content Summary

Information Risk Management Regime
Secure configuration
Network security
Managing user privileges
User education and awareness
Incident management
Malware prevention
Monitoring ICT systems and traffic
Removable media controls
Home and mobile working

Information Risk Management Regime

Establish a governance framework: Enable and support risk management across the organisation.

Determine your risk appetite: Decide on the level of risk the organisation is prepared to tolerate and communicate it.

Maintain the Board’s engagement with cyber risk: Make cyber risk a regular agenda item. Record cyber risks in the corporate risk register to ensure senior ownership.

Produce supporting risk management policies: An overarching corporate security policy should be produced together with an information risk management policy.

Adopt a lifecycle approach: Risk management is a whole life process and the organisation’s policies and processes should support and enable this.

Secure configuration

Apply security patches and ensure that the secure configuration of all ICT systems is maintained.

Create a system inventory and define a baseline build for all ICT devices.

Develop corporate policies to update and patch systems: Establish and maintain policies that set out the priority and timescales for applying updates and patches.

Create and maintain hardware and software inventories: Use automated tools to create and maintain inventories of every device and application used by the organisation.

Lock down operating systems and software: Create a baseline security build for workstations, servers, firewalls and routers.

Conduct regular vulnerability scans: Run automated vulnerability scanning tools against all networked devices at least weekly and remedy any vulnerability within an agreed time frame.

Network security

Protect your networks against external and internal attack.

Manage the network perimeter.

Filter out unauthorised access and malicious content.

Monitor and test security controls: Use intrusion monitoring tools and regularly audit activity logs.

Police the network perimeter: Establish multi-layered boundary defences with firewalls and proxies deployed between the untrusted external network and the trusted internal network.

Protect the internal network: Prevent any direct connections to external services and protect internal IP addresses.

Test the security controls: Conduct regular penetration tests and undertake simulated cyber attack exercises.

Managing user privileges

Establish account management processes and limit the number of privileged accounts.

Limit user privileges and monitor user activity: Minimise privileges for all users. Provide administrators with normal accounts for business use. Review the requirement for a privileged account more frequently than standard accounts.

Control access to activity and audit logs.

Establish effective account management processes: Manage and review user accounts from creation and modification to eventual deletion.

Monitor all users: Monitor user activity, particularly access to sensitive information and the use of privileged accounts.

User education and awareness

Produce user security policies covering acceptable and secure use of the organisation's systems.

Establish a staff training programme / induction process: New users should receive training on their personal security responsibilities.

Maintain user awareness of the threats: All users should receive regular refresher training on the cyber risks to the organisation.

Support the formal assessment of IA skills: Encourage relevant staff to develop and formally validate their information assurance (IA) skills.

Incident management

Produce and test incident management plans.

Provide specialist training to the incident management team: The incident response team should receive specialist training to ensure they have the skills and expertise to address the range of incidents that may occur.

Report criminal incidents to law enforcement.

Obtain senior management approval and backing: The Board should lead on the delivery of the incident management plans.

Establish an incident response and disaster recovery capability: Develop and maintain incident management plans with clear roles and responsibilities, and test those plans regularly.

Malware prevention

Produce relevant policy and establish anti-malware defences that are applicable and relevant to all business areas.

Develop and publish corporate policies: Produce policies to manage the risks to the business processes from malware.

Establish anti-malware defences across the organisation: Agree a corporate approach to managing the risks from malware for each business area.

Scan for malware across the organisation: Protect all host and client machines with anti-virus solutions that automatically scan for malware.

Monitoring ICT systems and traffic

Establish a monitoring strategy and supporting policies: Implement an organisational monitoring strategy and policy based on an assessment of the risks.

Monitor all ICT systems: Ensure that the solution monitors all networks and host systems (e.g. clients and servers).

Monitor network traffic: Network traffic should be continuously monitored to identify unusual activity or trends that could indicate an attack.

Removable media controls

Scan all media for malware before importing into the corporate system.

Produce a corporate policy: Implement policy to control the use of removable media for the import and export of information.

Limit the use of removable media: Limit the media types that can be used together with user and system access and the information types that can be stored on removable media.

Scan all removable media for malware: All clients and hosts should automatically scan removable media. Any media brought into the organisation should be scanned for malware by a standalone scanner before any data transfer takes place.

Home and mobile working

Develop a mobile working policy and train staff to adhere to it.

Protect data both in transit and at rest.

Assess the risks and create a mobile working policy: The policy should cover aspects such as information types, user credentials, devices, encryption and incident reporting.

Educate users and maintain their awareness: Educate users about the risks and train them to use their mobile device securely by following the security procedures.

Apply the secure baseline build: All mobile devices should be configured to an agreed secure baseline build.