POPIA Technical Guidelines

© Convexum Solutions / Griessel Consulting

Business executives or small business owners do not necessarily have sufficient technical knowledge to assess IT risks or to take decisions regarding their digital information security, programmes, upgrades, and so on. The guidelines below provide an overview of important areas to focus on and how good IT management can address some of the most prevalent information security threats.

Each item is set out as: the measure; why it is necessary / recommended / what type of attacks it can prevent; and tools / software solutions / etc.

Item: Systems and security

Measure: Keep the firmware, operating system and application software on servers, machines and active network components on the same LAN (including wi-fi devices) up to date. Record all updates performed and the times they were applied.
Why: Software updates are the way manufacturers fix bugs, add new features and patch potential security issues, among other things. Outdated firmware and software will potentially open your systems up to attacks. Records should be kept so that evidence of the updates is available should a breach occur.
Tools: An automation and network management system can consistently monitor and manage your software, operating systems and devices, keeping them up to date and producing periodic reports on the health of your IT environment.

Measure: Design and organise processing systems and infrastructure to segment / isolate data systems and networks, to avoid the propagation of malware within the organisation and to external systems.
Why: The main benefits of network segmentation are improved security, better access control and containment, and improved monitoring and performance. It also helps protect endpoint devices and will minimise the damage caused by a successful cyberattack. The more segmented your network, the harder it is for an attacker to compromise your sensitive systems. This in turn helps ease your compliance requirements.
Tools: Physical segmentation – a physical firewall and a dedicated network and connection for each subnet. This can be complex and may require a network redesign. Virtual segmentation – more common, and possible within your existing switches, as most modern switches allow for virtual firewalls and virtual LANs/networks (the solution depends on current hardware).

Measure: Ensure that appropriate organisational, physical and technological security measures have been taken (e.g. patch management to fix known vulnerabilities, an anti-malware detection system, a backup system, a security training programme).
Why: Organisational and physical security is required to ensure that assets remain safe and are accessed only by authorised individuals. Technological security is required to protect company assets (data, sensitive documents, etc.), ensure availability and advise management of attempted/successful breaches.
Tools: Limited access to physical hardware; organisational operating procedures for the review, update and change of all systems. Training of all staff members on the use and security of physical and non-physical assets. Updates of all software and operating systems as required by the provider, and regular review of all software/operating systems to ensure that no further updates are outstanding. Anti-virus, security and other products to protect assets. Adequate back-up systems/processes and appropriate training of IT staff.

Measure: Have up-to-date, effective and integrated anti-malware software, a firewall, and intrusion detection and prevention systems. Do security audits, vulnerability assessments and penetration testing on a regular basis.
Why: Updated security software will keep you protected against all current and new vulnerabilities and attacks, including zero-day attacks and potential security risks not yet known. Security audits, assessments and testing can identify potential weaknesses in operating procedures and in the physical/virtual security of IT assets, which management can then address appropriately.
Tools: Vulnerability assessments, security lifecycle reviews, penetration testing and intrusion prevention through a variety of tools. Security and availability software. Physical security of assets. Standard operating procedures for the management of IT assets (all types).

Measure: Forward / replicate logs to a central log server (this may include the signing or cryptographic time-stamping of log entries).
Why: Centralised logs can be used to identify attacks on remote systems and servers. This helps you narrow down the cause of an incident and proactively manage your network.
Tools: Automation and network management solutions that create, save, back up and archive logs to a central location that is easy to access and easy to read, down to the most granular detail. Adding a syslog server or encrypted cloud storage for logs and events will ensure the safekeeping of your logs.

Measure: Strong encryption and authentication, especially for administrative access to IT systems. Two-factor authentication and proper key and password management. Measures to prevent brute-force attacks (such as limiting the number of attempts to log in); cryptographic hashing and salting of passwords.
Why: If you do not have data encryption on your company's servers, systems or even networks, it is basically like leaving your house, car and office unlocked: anyone can potentially get access to your data. Encryption provides security and data integrity, in other words the data cannot be stolen or changed. Encryption also protects the privacy of the company/sender and the recipient.
Tools: Cyber security solutions can assist with disk, endpoint or file encryption, locking devices and business-critical data away from external access. They protect your passwords and put the correct access protocols in place for all levels of staff.

Measure: Check for and monitor unusual data flow between the file server and individual workstations. Disable open cloud services; prevent access to known open mail services.
Why: Unusual data flow between servers could be an indicator of unauthorised access to data/documentation, either internally or externally. Disabling access to "open" services limits the ways in which unauthorised access to your IT environment could be gained.
Tools: Software or utilities to monitor your data flow, vulnerabilities and open services, together with a data loss prevention solution. This also allows an authorised user to halt incorrect/unauthorised data transfers and access to systems.
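The guideline asks both for records of every update and the time it was applied, and for the signing or cryptographic time-stamping of log entries on the central log server. The following is an added example, not the guideline's own tooling: each entry carries a UTC timestamp and an HMAC that also covers the previous entry's tag, so editing, back-dating, deleting or reordering an entry is detected on verification. The key and the patch-management records are constructed for the example.

```python
"""Tamper-evident, time-stamped log chain (added example; key and entries are
constructed). Each entry's HMAC covers the previous entry's tag, so any later
change to the chain fails verification from the altered entry onwards."""
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed key for the example. In practice it belongs only on the central
# log server (loaded from a secret store), never on the hosts sending logs.
LOG_KEY = b"example-log-signing-key-replace-me"


def _tag(key: bytes, prev_tag: str, timestamp: str, message: str) -> str:
    """HMAC-SHA256 over (previous tag, timestamp, message) in a fixed encoding."""
    payload = json.dumps([prev_tag, timestamp, message], separators=(",", ":"))
    return hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()


def append_entry(chain: list, message: str, key: bytes = LOG_KEY,
                 timestamp: str = "") -> dict:
    """Append a signed entry; the timestamp is taken at write time unless given."""
    ts = timestamp or datetime.now(timezone.utc).isoformat(timespec="seconds")
    prev = chain[-1]["tag"] if chain else "genesis"
    entry = {"ts": ts, "msg": message, "tag": _tag(key, prev, ts, message)}
    chain.append(entry)
    return entry


def verify_chain(chain: list, key: bytes = LOG_KEY) -> int:
    """Return the index of the first entry that fails to verify, or -1 if all pass."""
    prev = "genesis"
    for i, entry in enumerate(chain):
        expected = _tag(key, prev, entry["ts"], entry["msg"])
        if not hmac.compare_digest(expected, entry["tag"]):
            return i
        prev = entry["tag"]
    return -1


def demo() -> tuple:
    """Constructed update records; back-dating one of them is caught at index 1."""
    chain: list = []
    append_entry(chain, "fileserver01: OS security updates applied",
                 timestamp="2024-03-01T02:10:00+00:00")
    append_entry(chain, "switch-core: firmware upgraded to vendor release",
                 timestamp="2024-03-01T02:25:00+00:00")
    append_entry(chain, "wifi-ap-3: firmware upgraded",
                 timestamp="2024-03-01T02:40:00+00:00")
    clean = verify_chain(chain)                     # -1: nothing altered
    chain[1]["ts"] = "2024-02-01T02:25:00+00:00"    # someone back-dates entry 1
    return clean, verify_chain(chain)               # (-1, 1)
```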
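The two anti-brute-force controls named above, salted password hashing and a limit on login attempts, as an added example that is not the guideline's own code. The user store, the scrypt work factor and the lockout window are assumptions for the example; the clock is injectable so the lockout can be exercised without waiting.

```python
"""Salted password hashing with a per-account attempt limit (added example;
parameters are constructed and should be tuned for your own environment)."""
import hashlib
import hmac
import os
import time

SCRYPT = dict(n=2 ** 14, r=8, p=1)   # work factor: raise as hardware gets faster
MAX_ATTEMPTS = 5                     # failures allowed before lockout
LOCKOUT_SECONDS = 900                # 15-minute lockout (assumed value)


def hash_password(password: str) -> dict:
    """Store a fresh random salt with the scrypt hash, never the password itself."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": hashlib.scrypt(password.encode(), salt=salt, **SCRYPT)}


def check_password(record: dict, password: str) -> bool:
    candidate = hashlib.scrypt(password.encode(), salt=record["salt"], **SCRYPT)
    return hmac.compare_digest(candidate, record["hash"])   # constant-time compare


# Checked for unknown usernames so response time does not reveal which names exist.
_DUMMY = hash_password("dummy-record")


class Authenticator:
    """Refuses further attempts on an account once MAX_ATTEMPTS failures occur."""

    def __init__(self, users: dict, now=time.time):
        self.users = users        # username -> hash_password() record
        self.failures = {}        # username -> (failure count, time of last failure)
        self.now = now            # clock function; replaced in tests

    def login(self, username: str, password: str) -> str:
        count, last = self.failures.get(username, (0, 0.0))
        if count >= MAX_ATTEMPTS and self.now() - last < LOCKOUT_SECONDS:
            return "locked"       # the password is not even checked
        record = self.users.get(username, _DUMMY)
        if username in self.users and check_password(record, password):
            self.failures.pop(username, None)   # success resets the counter
            return "ok"
        self.failures[username] = (count + 1, self.now())
        return "denied"
```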
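One way to implement the "unusual data flow between the file server and individual workstations" check, as an added example rather than any product the guideline refers to. It builds a per-workstation baseline from past daily totals and flags a host whose volume from the file server exceeds its own mean by more than an assumed number of standard deviations; the flow records, the server address and both thresholds are constructed for the example.

```python
"""Per-workstation baseline for traffic pulled from the file server (added
example; flow records and thresholds are constructed, not real data)."""
from collections import defaultdict
from statistics import mean, pstdev

FILE_SERVER = "10.0.10.5"       # constructed file-server address
MIN_BYTES = 200_000_000         # ignore small volumes regardless of score (assumed)
SIGMA = 3.0                     # flag above baseline mean + 3 std. deviations (assumed)

# Constructed daily totals: (day, source, destination, bytes).
# Days 1-5 form the baseline; day 6 is the period under review.
FLOWS = [
    (1, FILE_SERVER, "ws-01", 50_000_000), (1, FILE_SERVER, "ws-02", 80_000_000),
    (2, FILE_SERVER, "ws-01", 52_000_000), (2, FILE_SERVER, "ws-02", 85_000_000),
    (3, FILE_SERVER, "ws-01", 48_000_000), (3, FILE_SERVER, "ws-02", 78_000_000),
    (4, FILE_SERVER, "ws-01", 51_000_000), (4, FILE_SERVER, "ws-02", 82_000_000),
    (5, FILE_SERVER, "ws-01", 49_000_000), (5, FILE_SERVER, "ws-02", 75_000_000),
    (6, FILE_SERVER, "ws-01", 55_000_000),           # normal day
    (6, FILE_SERVER, "ws-02", 4_200_000_000),        # ~50x this host's usual volume
    (6, FILE_SERVER, "ws-03", 500_000_000),          # new host: no baseline yet
    (6, "ws-02", "10.0.20.9", 9_000_000_000),        # not from the file server: ignored
]


def daily_totals(flows, server):
    """Sum bytes sent by the file server to each host, per day."""
    totals = defaultdict(lambda: defaultdict(int))   # host -> day -> bytes
    for day, src, dst, nbytes in flows:
        if src == server:
            totals[dst][day] += nbytes
    return totals


def unusual_hosts(flows, server, review_day, min_bytes=MIN_BYTES, sigma=SIGMA):
    """Return {host: (observed bytes, threshold)} for hosts above their baseline."""
    flagged = {}
    for host, per_day in daily_totals(flows, server).items():
        baseline = [b for d, b in per_day.items() if d != review_day]
        observed = per_day.get(review_day, 0)
        if len(baseline) < 3 or observed < min_bytes:
            continue           # too little history, or too small to matter
        threshold = mean(baseline) + sigma * pstdev(baseline)
        if observed > threshold:
            flagged[host] = (observed, round(threshold))
    return flagged
```

A host with fewer than three baseline days is skipped rather than flagged, so a newly added workstation generates an onboarding task, not a false alarm.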

Item: Backups

Measure: Have an up-to-date, secure and tested backup procedure. Keep longer-term backups separate from operational data storage and out of reach of third parties.
Why: Backup procedures should be structured, consistent and repeatable. A standardised procedure ensures that data backups are completed correctly and to specification (it should be reviewed annually to ensure it is still relevant). Data backups provide protection against data corruption, accidental or deliberate deletion, and hardware failures. Backup software helps you keep multiple copies of your data at alternative sites.
Tools: Standard operating procedure (SOP) for backups, with an annual review of the procedure. Data backup software, adequate servers, storage space and external backup for disaster recovery requirements.

Item: Device loss

Measure: Turn on device encryption (e.g. BitLocker) and complex password protection. Enable remote tracking of devices and remote wiping of data. Automatic locking when unattended for a period of time. Save data on a central back-end server rather than on the mobile device, and use a secure VPN to connect. Limit the rights of end users to install software on individual devices, and have proper policies on the use of devices inside and outside the workplace.
Why: Encryption tools allow only authorised persons within the organisation to decrypt data for use, and therefore control access when data is transferred between users. Remote tracking allows the organisation to delete company data/documents from devices should they be lost or stolen. Automatic locking ensures that devices are not accessed by unauthorised persons. Saving data on a central server allows for easier control of data, and using a VPN ensures a secure connection between the user and the organisation's server (e.g. when working from home). Limited administrative rights ensure that only approved programmes are loaded onto devices. SOPs give staff clear guidelines on the use of company devices.
Tools: Encryption programmes on all devices. Physical control of assets through asset registers. Use of approved programmes for mobile devices (VPN, products specific to mobile devices). Set up a complex password and auto-lock when initially configuring devices with approved programmes (e.g. Microsoft Office, etc.).

Item: Human factor

Measure: Reduce file exchanges by email – if possible, use dedicated systems for processing customer data, or separate the creation and sending of files.
Why: This reduces the possibility of data/files/documents being routed, whether intentionally or not, to external parties. Sharing data/files/documents via internal systems is much safer, and changes to them are easier to track.
Tools: Email archiving and security solutions that designate who has authority over which data/files/documents may be shared with external stakeholders.

Measure: Train employees on methods to recognise and prevent IT attacks (e.g. judging whether emails are authentic and trustworthy), and on how to take the endpoint off the network and immediately report it to the relevant manager.
Why: Training/education of end users, so that they understand how to use and handle data and how to use workplace processes to report possible breaches. Specific training for IT department staff, so that they understand how to use the products, report breaches and enable management to address breaches rapidly.
Tools: Annual training (online or live) for all staff on the use and management of email/data/documents. Product-specific training for IT staff, so that they use the products effectively and efficiently. Where required by the role, legislative training to ensure adherence to legislation (e.g. POPIA).

Measure: Email protocols: disclaimers; using BCC by default when sending to multiple recipients; disabling auto-complete when typing in email addresses; preventing the creation of mail rules by users other than IT; and having alerts installed.
Why: Limiting the customisation of email by users creates a safer environment and limits unwitting data breaches (e.g. sending data to the wrong recipient). Setting and changing rules must be limited to authorised users only, and all changes should be documented and approved by management. The correct use of email alerts makes management aware of unauthorised sharing of data/files/documents and allows corrective action to be taken (such as stopping the email before it leaves the organisation's systems).
Tools: Use email and other programmes to set up rules for email users and to limit the documentation that may be shared internally and externally. SOP for the use of company assets, including data and documentation. An Acceptable Use Policy for email and internet usage should be drafted, and user education needs to be done regularly.

Measure: Have robust and regularly updated data protection / privacy practices, procedures and systems, including access control policies and enforcement of the rules (zero standing privileges; remove access when it is no longer needed). Also clean desk policies, printing policies, and locking computers automatically after a certain period of inactivity. Implement techniques that force user authentication when special personal information is accessed.
Why: Standard operating procedures ensure that all staff and management are clear about what is allowable and what is not from a data protection/privacy perspective. Clean desk, printing and other policies, and generally acceptable working practices, lower the chances of unauthorised access to restricted data/documentation. User authentication ensures that there is an audit log of all access to, and changes made to, special personal information, making it possible to trace possible breaches.
Tools: SOPs for all IT-related aspects are required, such as the use of assets, the review and update of IT programmes/packages, physical access control, etc. Authentication tools for all staff, with specific approvals for specific data/documents.