The weather is changing, and spring is upon us. Each year around this time, many people tend to do a thorough cleaning of their home and maybe tackle a few home improvement projects before summer arrives. We cannot forget to do the same maintenance and enhancements to our cybersecurity program. To assist you, we created this basic cybersecurity “to-do” list to ensure that you are being proactive and performing key practices and controls that will help reduce risk and make your organization more secure.
- Policy Check. The first step is establishing a full suite of security policies that will make up your cybersecurity program. Once developed, policies should be reviewed, updated as necessary, and approved by management on at least an annual basis or when any major changes occur. Regular review helps keep your organization up to date with laws and regulations, technology changes, and industry best practices, and ensures your employees follow an accurate and consistent program.
- Train Your People. Employees are your greatest asset, but also the weakest link, when it comes to security. Security awareness and training should be performed to help employees understand the role they play in keeping your organization secure, and to help reduce and mitigate user risks. Topics should include organizational policy review, industry best practices, social engineering, data security and handling, privacy, and how to report a suspected incident or breach, to name a few.
- Review Inventories. Each entity should develop and maintain detailed asset inventories. This includes hardware (including remote and mobile devices), software, and even sensitive data. Details should include, but are not limited to, asset name/tag, description, model, manufacturer, IP address, physical location, and warranty and license information. Listing who each asset is assigned to or who owns the data or software is also critical.
- Update Risk Assessment. Analyze 1) possible threats to and vulnerabilities in your environment, 2) what the likelihood of an event is, and 3) what potential damages or loss may be if an event occurs. By risk ranking areas of concern, you can help achieve better security by working to remediate or compensate for the most critical risks.
- User Recertification. This is the process of ensuring that all user roles and privileges are still appropriate based on each person's position and responsibilities. Be sure to check logical access rights for general users, power users (administrators), and third parties. Don’t forget physical access to sensitive areas for personnel, both internal and external to the organization. Any individual who no longer needs logical or physical access should be documented and have that access removed (or rights adjusted accordingly).
- Compliance Review. Review laws, regulations, and standards that are applicable for your organization to meet based on legal obligations, contract requirements, or industry best practices. This will ensure your compliance strategy meets your current requirements and prepares you to meet any new areas you may need to adhere to.
- Vendor Management. Outsourcing systems or services does not mean you outsource the risk or responsibility of protecting those systems or data. An inventory of vendors, along with their criticality rank to your business operations, should be kept up to date. On a regular basis, you should review vendor contracts for appropriateness, as well as each vendor's access to any of your systems or data, to see if it’s still necessary. Security and privacy controls at the third-party level are just as important as your internal controls, so consider collecting and reviewing documentation that validates proper controls are in place, such as policies, procedures, and assurance documentation (e.g., SOC 2).
- Technical Testing. A program should be established to ensure that vulnerability scanning and penetration testing of your environment (network, cloud, web) are conducted on a periodic basis. This will help validate security measures and identify weaknesses so they can be fixed or monitored before they can be exploited. Vulnerability scanning should be performed at least monthly, and penetration testing, both internal and external, should be performed at least annually. Results should be reviewed, and findings remediated in an appropriate timeframe.
- Exercise Response Plans. Critical to any organization is having an established incident response plan, business continuity plan, and a disaster recovery plan. These plans help manage incidents, disasters, and business resumption by defining key personnel, processes, controls, and timeframes related to adverse events. These plans should be tested annually, via at least a tabletop walkthrough of a mock scenario. Lessons learned from each exercise should be used to update the plans to help better prepare you for an actual event. In addition, be sure to perform data backup restoration tests to ensure backups are available and working properly, as this could be a key process in the event of an incident or disaster.
- Schedule Assessments and Audits. It is important to ensure security controls maintain their efficacy. The best way to do this is to have an outside party perform an independent assessment of the administrative, technical, and physical controls within the environment to ensure policies and controls are being followed and any gaps present from people, processes, or technology are identified for remediation. This gives you the ability to baseline your program's activities and show improvement over time.
- Look to Improve. Based on results from control assessments, environment changes, budget, and business or compliance requirements, always look to mature your cybersecurity program. Strengthening processes and controls should be a goal for 2022 and beyond. A few ideas would be to implement controls such as additional security training, multifactor authentication, encryption, data loss prevention, and monitoring tools.
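The User Recertification item above describes a reconciliation: every logical and physical access grant is checked against an authoritative record of who still works here, what role they hold, and whether a vendor's contract is still in force. The following script is an added example written for this post, not Avalon Cyber's tooling; the roster, vendors, systems, areas, and role-to-privilege mappings are constructed sample data, and the names `recertify`, `active_role`, and `run_sample` are hypothetical. It flags grants to leavers, admin rights held by roles that do not need them, expired third-party accounts, and badge access to sensitive areas outside the approved roles.

```python
"""Access recertification reconciliation (added example, constructed data).

Compares current logical (system accounts) and physical (badge) grants
against the HR roster and vendor contracts, returning every grant that a
reviewer should remove or reduce.
"""
from dataclasses import dataclass
from datetime import date

# --- Constructed sample reference data (hypothetical people and systems) ---
HR_ROSTER = {
    "alice": {"role": "sysadmin", "active": True},
    "bob": {"role": "accountant", "active": True},
    "carol": {"role": "developer", "active": False},  # has left the organization
}
# Third-party accounts are tied to a contract end date, not an HR record.
VENDORS = {
    "acme-support": {"contract_end": date(2022, 3, 31)},
    "backup-msp": {"contract_end": date(2022, 12, 31)},
}
# Roles that legitimately hold administrator rights.
ADMIN_ROLES = {"sysadmin"}
# Roles approved for each physically sensitive area.
AREA_ROLES = {"server-room": {"sysadmin"}, "finance-vault": {"accountant"}}


@dataclass
class LogicalGrant:
    user: str
    system: str
    privilege: str  # "user" or "admin"


@dataclass
class PhysicalGrant:
    user: str
    area: str


@dataclass
class Finding:
    user: str
    grant: str   # e.g. "erp:admin" or "server-room"
    action: str  # "remove" or "reduce"
    reason: str


def active_role(user, today):
    """Return the role a subject may still hold access under, or None."""
    if user in VENDORS:
        return "vendor" if VENDORS[user]["contract_end"] >= today else None
    person = HR_ROSTER.get(user)
    if person and person["active"]:
        return person["role"]
    return None


def recertify(logical, physical, today):
    """Return the findings a reviewer must act on."""
    findings = []
    for g in logical:
        role = active_role(g.user, today)
        label = f"{g.system}:{g.privilege}"
        if role is None:
            why = "vendor contract ended" if g.user in VENDORS else "no active HR record"
            findings.append(Finding(g.user, label, "remove", why))
        elif g.privilege == "admin" and role not in ADMIN_ROLES:
            findings.append(Finding(g.user, label, "reduce", f"role '{role}' does not require admin"))
    for p in physical:
        role = active_role(p.user, today)
        if role is None:
            why = "vendor contract ended" if p.user in VENDORS else "no active HR record"
            findings.append(Finding(p.user, p.area, "remove", why))
        elif role not in AREA_ROLES.get(p.area, set()):
            findings.append(Finding(p.user, p.area, "remove", f"role '{role}' not approved for {p.area}"))
    return findings


# --- Constructed sample grants exported from the systems under review ---
SAMPLE_LOGICAL = [
    LogicalGrant("alice", "fileserver", "admin"),       # appropriate
    LogicalGrant("bob", "erp", "admin"),                # accountant holding admin
    LogicalGrant("carol", "git", "user"),               # leaver still has an account
    LogicalGrant("acme-support", "vpn", "user"),        # vendor contract expired
    LogicalGrant("backup-msp", "backup-console", "user"),  # vendor still under contract
    LogicalGrant("dave", "hr-portal", "user"),          # account with no HR record at all
]
SAMPLE_PHYSICAL = [
    PhysicalGrant("alice", "server-room"),   # appropriate
    PhysicalGrant("bob", "server-room"),     # not an approved role
    PhysicalGrant("carol", "finance-vault"), # leaver still badged in
]


def run_sample():
    """Run the review as of a fixed (constructed) review date."""
    return recertify(SAMPLE_LOGICAL, SAMPLE_PHYSICAL, date(2022, 4, 15))


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.action.upper():6} {f.user:14} {f.grant:22} {f.reason}")
```

In practice the three inputs come from an HR export, the vendor register, and per-system account or badge exports; the value of the script is that every finding carries the reason, which is the evidence the review's sign-off needs.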
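The Exercise Response Plans item above asks for data backup restoration tests. A restoration test is more than checking that an archive file exists: the archive is restored into a scratch location and every restored file is compared, by cryptographic hash, with what it should contain. The script below is an added example written for this post, not a product of Avalon Cyber; it builds a small constructed data set, backs it up as a tar.gz, and then runs the restore test against a good archive, a source that has drifted since the backup, and a truncated (unreadable) archive. The helper names (`make_backup`, `restore_test`, `run_demo`) are hypothetical.

```python
"""Backup restoration test (added example, constructed sample data).

Restores an archive into a temporary directory and verifies each file's
SHA-256 digest against the expected content, so that "the backup exists"
is replaced by "the backup restores correctly".
"""
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_tree(root):
    """Map each file path (relative to root) to its SHA-256 hex digest."""
    root = Path(root)
    return {
        str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def make_backup(source_dir, archive_path):
    """Write the whole source tree into a gzip-compressed tar archive."""
    with tarfile.open(str(archive_path), "w:gz") as tar:
        tar.add(str(source_dir), arcname=".")


def restore_test(archive_path, source_dir):
    """Restore into scratch space and report every file that is missing or differs.

    Returns an empty list when the restore reproduces the source exactly.
    An unreadable archive is reported as a single failure entry rather than
    raising, so the result can be logged like any other finding.
    """
    expected = sha256_tree(source_dir)
    try:
        with tempfile.TemporaryDirectory() as restore_dir:
            with tarfile.open(str(archive_path), "r:gz") as tar:
                try:
                    # The "data" filter refuses absolute paths and ".." members.
                    tar.extractall(restore_dir, filter="data")
                except TypeError:  # Python releases without the extraction-filter backport
                    tar.extractall(restore_dir)
            restored = sha256_tree(restore_dir)
    except (tarfile.TarError, EOFError, OSError) as exc:
        return [f"ARCHIVE UNREADABLE: {type(exc).__name__}"]
    return sorted(path for path, digest in expected.items() if restored.get(path) != digest)


def run_demo():
    """Exercise the test against a good, a stale, and a corrupted backup."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work) / "data"
        (src / "config").mkdir(parents=True)
        (src / "config" / "app.conf").write_text("debug=false\n")   # constructed content
        (src / "notes.txt").write_text("constructed sample data\n")
        archive = Path(work) / "backup.tar.gz"
        make_backup(src, archive)

        clean = restore_test(archive, src)              # expect no findings
        (src / "notes.txt").write_text("edited after the backup ran\n")
        stale = restore_test(archive, src)              # expect ["notes.txt"]
        archive.write_bytes(archive.read_bytes()[:64])  # simulate a damaged archive
        corrupt = restore_test(archive, src)            # expect a non-empty report
    return clean, stale, corrupt


if __name__ == "__main__":
    for name, result in zip(("good", "stale", "corrupt"), run_demo()):
        print(f"{name:8} {'PASS' if not result else 'FAIL ' + ', '.join(result)}")
```

Scheduling this against a real archive with a manifest of expected digests captured at backup time (rather than the live source, which changes) turns the annual restoration test into a repeatable check whose output can be kept as audit evidence.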
Do you need assistance with items on this to-do list? Whether you are building the foundation or maturing your current cybersecurity program, the team at Avalon Cyber is here to help. Contact us to schedule an appointment to discuss your needs.