People and Documentation
Every organization should establish a plan to mitigate the risk of key people being unavailable in the event of a system failure. Keep a list of contact details for backup technicians. Document the configuration of hardware and software applications and keep this up to date so that a new technician can quickly rebuild the system.
Adequate insurance should cover the cost of replacing damaged infrastructure as well as the labor costs to investigate the incident, rebuild systems, and restore data. Consider also insurance for productivity loss resulting from a major system failure or catastrophic event.
Proper IT governance procedures within an organization are critical. Implement a formal risk assessment process and develop policies to ensure that systems are not misused and ensure that applicable policies are continually reviewed and updated to reflect the most current risks. This includes developing incident response policies and procedures to properly respond to, account for, and help mitigate the cost of a potential breach.
Ongoing education of all employees on technology risks should form part of the organization's cyber security framework; promulgating education and policies to all levels of staff helps mitigate potential security breaches. Policies should include but are not limited to:
User Account Management: rules and policies for all levels of users; procedures to ensure the timely discovery of security incidents; controls that keep IT systems and confidential data protected from unauthorized users.
Data Management: establishing effective procedures to manage the repositories, data backup and recovery, and proper disposal of media. Effective data management helps ensure the quality, timeliness, and availability of business data.
IT Security and Risk Management: the process that maintains the integrity of information and the protection of internet of things (IoT) devices. This process includes establishing and maintaining IT security roles and responsibilities, policies, standards, and procedures.
Individual jurisdictions are likely to have enacted legislation that may require particular policies, or issues within a particular policy, to be addressed. Common policies are listed below and cover system use, e-mail use, internet use, and remote access.
Example elements to be considered in an e-mail use policy include:
Prohibiting the use of personal email accounts for business matters.
Prohibiting opening email attachments from unknown sources (as they may contain malicious software).
Prohibiting accessing email accounts of other individuals.
Prohibiting sharing email account passwords.
Prohibiting excessive personal use of the organization’s email.
Notification that the organization will monitor email.
A system use policy generally outlines the rules by which the organization's IT systems can be used. Example elements to be considered in this policy include:
Mandatory use of passwords on all systems, including phones and tablets, together with the need for passwords to be changed regularly and a prohibition on providing passwords to other team members or third parties.
Prohibition of copying organization data and removing the data from the office without approval.
The encryption of memory/USB sticks.
The physical security of equipment.
Use of the system during business hours.
Rules for the private use of the system, if allowed, outside office hours.
Multifactor authentication: using more than one method of authentication, from independent categories of credentials, to verify the user's identity at login.
Example elements to be considered in an internet use policy include:
Limiting Internet use to business purposes.
Notification of the ability of the organization to track Internet usage.
Prohibiting access to sites that are offensive to a person’s gender, sexuality, religion, nationality, or politics.
Ensuring that downloads occur only from a safe and reputable website.
Prohibiting downloading executable (program) files as they may contain malicious software, and also prohibiting downloading pirated music, movies, or software.
Prohibiting giving out the user's business email address, in order to limit the likelihood of spam.
Consequences of violation.
Example elements to be considered in a remote access policy include:
Approval requirements for external access.
Reimbursement of external access costs.
Security procedures (including non-disclosure of passwords, third-party use of the system, disconnection from other networks while accessing the organization's systems, use of firewalls, installation of appropriate software to protect the remote system from malicious attack, and multifactor authentication).
Physical security of organization-supplied equipment such as laptops.
Reporting of any possible breach of security, unauthorized access, or disclosure of the organization's data.
Agreement that the organization can monitor the activities of the external user to identify unusual patterns of usage or other activities that appear suspicious.
Consequences of noncompliance.
Contact Six Industries Inc today to get started.