Be Cyber Ready by Implementing These Key Controls

Written by Jill Martucci | Jan 24, 2023 8:08:47 PM

As the number and severity of cyber threats and attacks continues to rise, it’s more important than ever to make sure your organization is cyber ready. Safeguarding your environment, including the systems and data within, will both reduce risk and promote business operation continuity and security.

To assist you in developing or maturing your cybersecurity program, there are several controls – safeguards or countermeasures used to avoid, detect, counteract, or minimize security risks – listed below that can be used as a checklist for your business to follow on the road to cyber readiness. So, whether you are considering cyber insurance, facing a state or regulatory audit, or just looking to better protect your business, here are some of the most important administrative, technical, and physical controls to consider.

Administrative

  • Risk Assessments. When designing any security program, you must first identify your critical processes and assets to understand the contextual risk of each. This will also provide insight into the landscape you are trying to protect and the relevant regulations you must comply with. During an assessment, your organization will demonstrate how reasonably foreseeable internal and external risks are identified and what is being done to mitigate those risks. You’ll also analyze potential threats and vulnerabilities to your environment, determine their impact and likelihood, and establish potential losses or damages. By risk ranking areas of concern, you help achieve better security, as you will remediate or compensate for the most critical risks first. At the conclusion of a risk assessment, you will be able to fully identify what needs to be accomplished through additional administrative, technical, and physical means.
  • Select a Cybersecurity Framework. Once you’ve identified your risk landscape, select a framework, which you can use as a guide to build a program that addresses best practices and compliance regulations. Some businesses that are just starting to develop their security program focus on the CIS Top 18, as it is considered a manageable framework for small to midsize organizations to follow.
  • Develop/Implement Your Strategy and Policies. Now, it’s time to establish ownership and accountability within your organization, from the top down, as it relates to cybersecurity. This includes forming teams, assigning roles and responsibilities, allocating resources, developing an 18–24-month roadmap with milestones, and creating specific activities that will help make security a living, breathing program within your organization. As part of this framework development, your team will begin to establish and maintain a full suite of security policies that make up the baseline of your cybersecurity program. Policies should be reviewed, updated as necessary, and approved by management on at least an annual basis or when any major changes occur. Regular review helps keep your organization up to date with laws and regulations, technology changes, and industry best practices and ensures your employees follow an accurate and consistent program.

NOTE: After you’ve identified risks, chosen a framework, and developed cybersecurity policies, there are a few additional administrative controls to implement, as well as technical and physical controls. These can be done in any order you choose now that the foundation of your security program has been established.

  • Educate users on security awareness and safe data practices. Employees are the greatest asset but also the weakest link when it comes to security. Security awareness and training should be performed to help employees understand the role they play in keeping your organization secure and reducing and mitigating user risks. Topics should include organizational policy review, industry best practices, social engineering, data security and handling, privacy, and how to report a suspected incident or breach, to name a few.

  • Inventory Data, Systems, and Assets. Each entity should develop and maintain detailed asset inventories for hardware (including network, remote, and mobile devices), software, and data. Organizations should know what data is being stored, processed, or transmitted and what systems are being used to do so. Data should only be received or generated if there is a valid business need and only retained for that same need, according to laws, regulations, and standards. 

  • Vendor Management. Manage risks associated with third parties used throughout your supply chain. Outsourcing systems or services does not mean you outsource the risk or responsibility of protecting those systems or data. An inventory of vendors, along with their criticality rank to your business operations, should be kept up to date. On a regular basis, review vendor contracts for appropriateness, as well as their access to any of your systems or data to see if it is still necessary.

Security and privacy controls at the third-party level should be equally as important to your internal controls, so consider collecting and reviewing documentation that validates whether proper controls are in place, such as policies, procedures, and assurance documentation (e.g., SOC 2). Formal agreements should be in place and include a right to audit provision. Finally, ensure critical vendors have cyber liability insurance and understand how they will comply with applicable laws, regulations, and standards, including breach notification.

Technical

  • Access Control. Control use of administrative privileges to ensure that only those employees with a legitimate role-based need are allowed administrative access to network resources and devices. Monitor all active accounts to keep authorized access to a minimum, and review account activity for current employees, recently terminated personnel, and third-party contractors who may have been granted access for a specific project.
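The account review described in this bullet is easy to automate once you have an account export, an HR roster, and a list of approved administrators. The script below is an added example and not part of the article; it reconciles constructed sample data (the usernames, dates and roster statuses are invented for illustration) and flags the four conditions the bullet calls out: administrative privilege without an approved role, accounts belonging to terminated staff, contractor accounts whose engagement has ended, and accounts that have been dormant longer than a review threshold.

```python
"""Access review reconciliation (added example; not from the article).

Compares an account export against an HR roster and an approved-admin
list and reports accounts that need action. All data here is constructed
for the example and does not describe real people or systems.
"""
from datetime import date

# Constructed review parameters.
REVIEW_DATE = date(2023, 1, 24)
DORMANT_DAYS = 90  # accounts unused longer than this are flagged

# Constructed HR roster: username -> (status, engagement_end or None)
HR_ROSTER = {
    "asmith": ("active", None),
    "bjones": ("terminated", None),
    "ckhan":  ("contractor", date(2022, 12, 31)),  # project already ended
    "dlee":   ("contractor", date(2023, 6, 30)),   # project still running
}

# Constructed list of users whose role legitimately requires admin rights.
APPROVED_ADMINS = {"asmith"}

# Constructed account export: (username, is_admin, last_login)
ACCOUNTS = [
    ("asmith",  True,  date(2023, 1, 20)),
    ("bjones",  False, date(2022, 11, 2)),
    ("ckhan",   False, date(2023, 1, 10)),
    ("dlee",    True,  date(2023, 1, 15)),
    ("svc_old", False, date(2022, 8, 1)),   # no HR record at all
]


def review_accounts(accounts, roster, approved_admins, review_date,
                    dormant_days=DORMANT_DAYS):
    """Return a list of (username, finding) tuples for accounts needing action.

    One account can produce several findings (e.g. orphaned and dormant).
    """
    findings = []
    for username, is_admin, last_login in accounts:
        record = roster.get(username)
        if record is None:
            # Nobody in HR owns this account: treat as orphaned.
            findings.append((username, "no matching HR record; orphaned account"))
        else:
            status, engagement_end = record
            if status == "terminated":
                findings.append((username, "owner terminated; disable account"))
            elif (status == "contractor" and engagement_end is not None
                  and engagement_end < review_date):
                findings.append((username, "contractor engagement ended; remove access"))
        if is_admin and username not in approved_admins:
            findings.append((username, "administrative privilege without approved role"))
        if (review_date - last_login).days > dormant_days:
            findings.append((username, f"dormant for more than {dormant_days} days"))
    return findings


def findings_for(findings, username):
    """Convenience: the finding messages recorded for one username."""
    return [msg for user, msg in findings if user == username]


if __name__ == "__main__":
    for user, msg in review_accounts(ACCOUNTS, HR_ROSTER, APPROVED_ADMINS, REVIEW_DATE):
        print(f"{user:8} {msg}")
```

In practice the three inputs come from your directory service, HR system, and privileged-access register; the value of the script is that it turns the review into a repeatable comparison rather than a manual scan of an account list, and each finding maps directly to a ticket (disable, remove, or justify).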

  • Account Protection. There are many ways to actively protect accounts and the devices used to access organizational information and systems. A few to consider include implementing complex passwords and multi-factor authentication, requiring session timeouts after a period of inactivity, and ensuring devices are encrypted. 

  • Network and Boundary Protections. Organizations should provide protection and monitoring capabilities against threats to the network. Effective network security is based on strong design, installation, and maintenance of protection mechanisms, such as:
    • Establishing secure baseline configurations for all devices
    • Updating operating systems and software to reduce vulnerabilities
    • Implementing email and web browser protections to mitigate the risk that unauthorized users could compromise the system
    • Using spam filters and firewalls to prevent unwanted, harmful emails
    • Using anti-malware software to prevent malicious programs like ransomware from being introduced into your environment
    • Using firewalls to control the flow of traffic and search for evidence of unauthorized access or malicious programs
    • Creating blacklists of malicious IP addresses and whitelists of trusted sites
    • Using VPN or other secure means for remote access
    • Using multi-factor authentication wherever possible, especially for remote access
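The first item in this list, a secure baseline configuration, is only useful if you routinely check devices against it. The following script is an added example (not code from the article or from any vendor) showing one way to do that for a simple key/value configuration file in the style of OpenSSH's sshd_config: it parses the file, compares each baseline setting with the device's current value, and reports deviations and missing settings. The baseline values and the sample configuration are constructed for the example; your own standard will differ.

```python
"""Baseline configuration drift check (added example; not from the article).

Parses a 'Key value' style configuration (sshd_config-like) and compares it
against a secure baseline. Both the baseline and the sample configuration
below are constructed for illustration.
"""

# Constructed secure baseline: setting -> expected value.
# Keys and values are compared case-insensitively.
BASELINE = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "PermitEmptyPasswords": "no",
    "X11Forwarding": "no",
    "MaxAuthTries": "4",
}

# Constructed sample of a device's current configuration.
SAMPLE_CONFIG = """\
# sshd_config (constructed sample)
Port 22
PermitRootLogin yes
PasswordAuthentication no   # matches baseline
X11Forwarding no
MaxAuthTries 6
"""


def parse_config(text):
    """Return {lowercased key: value} from 'Key value' lines.

    Blank lines and '#' comments are ignored. As sshd does, the first
    occurrence of a keyword wins and later duplicates are ignored.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue                           # malformed line; skip
        key, value = parts
        settings.setdefault(key.lower(), value.strip())
    return settings


def check_baseline(settings, baseline):
    """Return [(key, expected, actual)] for every baseline setting that is
    missing (actual is None) or differs from the expected value."""
    deviations = []
    for key, expected in baseline.items():
        actual = settings.get(key.lower())
        if actual is None or actual.lower() != expected.lower():
            deviations.append((key, expected, actual))
    return deviations


def drift_report(config_text, baseline=BASELINE):
    """Parse a configuration and return its deviations from the baseline."""
    return check_baseline(parse_config(config_text), baseline)


if __name__ == "__main__":
    for key, expected, actual in drift_report(SAMPLE_CONFIG):
        print(f"{key}: expected {expected!r}, found {actual!r}")
```

Run against a fleet, the output is the evidence that a baseline actually exists and is enforced, which is what an auditor or underwriter will ask for; a missing setting is reported as its own deviation because a keyword silently falling back to a default is exactly the drift a baseline is meant to catch.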

Physical

It is important to note that organizations should not only consider these physical controls at their own facilities, but also at any third-party vendor that is being used to store, process, or transmit data and associated systems or media.

  • Physical and Environmental Protections. Physical and environmental tools and techniques used to help detect, prevent, and respond to unauthorized access, intrusions or facility and utility issues/failures will vary by organization, but some common controls to keep in mind are:
    • Security guards and alarms
    • Surveillance cameras
    • Requiring visitor sign-in and escorting
    • Secured areas for more sensitive data and equipment with limited access
    • Environment monitoring for events such as power disruptions, temperature and humidity changes, and fire

  • Access Control. Like logical access, physical access to resources should be controlled. Consider mechanisms that give you the ability to limit and track who can enter secure areas by means of authentication and authorization such as key fobs, badges, or passcodes. 

  • Storage and Disposal. Develop and implement a records retention and disposal plan. Data, either on paper or on hard drives, for example, can be a large source of liability for organizations when it comes to the storage, retention, and disposal of data. Ensure that, whether paper or electronic, media is:
    • Securely stored using encryption and physical security controls
    • Kept in locked storage areas while waiting to be disposed of or repurposed
    • Disposed of or destroyed using techniques that ensure it cannot be read or reconstructed, such as shredding, degaussing, or other means of destruction
    • Certified as properly disposed, if done by a third-party service provider
    • Disposed of within a reasonable amount of time when no longer needed for business purposes

Validating Your Security Controls

As you mature your cybersecurity program, it’s wise to verify 1) that your team knows how to respond to cybersecurity incidents and 2) that your technical controls are performing as expected.

Here’s how to confirm the efficacy of your security controls:

  • Exercise Your Response Plans. Critical to any organization is having an established incident response plan, business continuity plan, and a disaster recovery plan. These plans help manage incidents, disasters, and business resumption by defining key personnel, processes, controls, and timeframes related to adverse events, and should be tested annually, via a tabletop walkthrough of a mock scenario. (Learn more in Avalon Cyber’s white paper on tabletop exercises.) Lessons learned from each exercise should be used to update the plans to help better prepare you for an actual event. In addition, be sure to perform data backup restoration tests to ensure backups are available and working properly, as this could be a key process in the event of an incident or disaster.

  • Technical Testing. A program should be established to ensure that vulnerability scanning and penetration testing of your environment (network, cloud, and web) are conducted on a periodic basis. In addition to validating security measures, technical testing helps identify weaknesses so they can be fixed or monitored before they can be exploited. Vulnerability scanning should be performed at least monthly and penetration testing, both internal and external, should be performed at least annually. Results should be reviewed, and findings remediated in an appropriate timeframe.

Having these key administrative, technical, and physical controls in place is crucial when it comes to hardening your security posture. In addition to protecting your data, implementing these controls will make your organization more desirable to work with (from your clients’ risk managers to the underwriters at your insurance carrier), as you have proven your willingness and dedication to keeping your data secure.

If you have questions or need assistance implementing any of these controls, contact our highly experienced cybersecurity strategists.