The actions and steps described below follow the guidance published by CESG UK and represent a good foundation for effective information risk management in an organization. The degree to which these measures are implemented will vary between organizations depending on the risks to their business.
1. Information Risk Management
Establishing an information security framework enables and supports risk management across the organization and gives complete risk management coverage to its information assets. Risk appetite determines the level of risk the organization is willing to tolerate; the risk management activities of an organization depend on its risk appetite, and the board should be involved in all of them. Maintaining a corporate risk register is important to ensure that ownership of organizational risks rests with the board. A corporate security policy should be developed and maintained alongside an information risk management policy. Risk management should be incorporated throughout the entire life cycle of the organization's policies and processes.
2. Secure configuration
Corporate policies should be developed and maintained to set priorities and timescales for applying patches and updates to all configuration items (CIs). An up-to-date, automated system should be maintained for software and hardware inventories. A security baseline or benchmark should be adopted and followed for the secure build of servers, workstations and hardware appliances, including switching and routing devices. Regular automated vulnerability scans are important for identifying new vulnerabilities in an evolving threat environment.
3. Network Security
A defense-in-depth approach should be established with proxies, firewalls, and IPS and IDS devices at the network perimeter to separate communication between untrusted and trusted networks. Direct mapping to services and applications running on internal devices should be avoided. Attacks and intrusions on servers and appliances should be monitored using intrusion detection and prevention systems. Red team exercises and penetration tests should be performed to simulate external attacks and to practise responding to them.
4. Managing user privileges
Procedures and processes should be developed to manage user accounts throughout their entire life cycle, from creation through modification to deletion. Privileged accounts should be kept to the minimum number, and administrators should be given separate non-privileged accounts for day-to-day business use. Privileged accounts should be reviewed more frequently than normal accounts. All user activity should be monitored and logged, including the use of privileged accounts.
5. User awareness and education
Policies for the acceptable and secure use of systems should be developed and distributed to users. Personal security responsibilities and security policies should be incorporated into the staff induction process. Users should regularly receive awareness briefings on the threats to the organization, and refresher security awareness training should be conducted.
6. Incident Management
The organization must have an incident management plan supported and led by the board. The plan should define clear roles and responsibilities for individuals in the incident response process and should be tested regularly. The incident response team should receive specialized training to ensure they have the skills and expertise to deal with the range of incidents that may occur in the organization.
7. Malware prevention
Corporate policies should be developed and published to address the risks that malware poses to the organization. Anti-malware defenses should be deployed across the organization. A corporate plan with clear processes should be developed to manage these risks in each business area. All endpoints should be managed and protected with antivirus solutions that automatically scan for malware.
8. Monitoring
An organization-wide monitoring strategy and policy should be developed, based on the risk assessment, to monitor information systems across the organization. The monitoring solution should cover all hosts in the organization, including servers, endpoints and networking appliances. Network traffic should be continuously monitored to identify abnormal activity and trends that could indicate or lead to an attack.
9. Removable Media Controls
A corporate policy should be developed and implemented to control and monitor the use of removable media and block devices. Limit the media types that may be used with the organization's systems and to access its information. Any media brought into the organization should be thoroughly scanned to ensure it carries no malware.
10. Home and Mobile Working
A mobile working policy should be developed and distributed that covers all aspects of the risks of mobile computing, such as information types, user credentials, devices, encryption and incident reporting. Educate users about the risks and train them to use their mobile devices in accordance with the security procedures. All mobile devices should be built on security baselines and configured to corporate security benchmarks. Data should be protected both at rest and in transit.
(The UK government's National Technical Authority for Information Assurance (CESG) advises organizations on how to protect their information and information systems against today's threats. https://www.gov.uk/government/organisations/cesg )