Defining and communicating your Business’s Information Risk Strategy is central to your organization’s overall cyber security strategy.
We recommend you establish this strategy, including the ten associated security areas described below, in order to protect your business against the majority of cyber attacks.
1. Set up your Risk Management Strategy
Assess the risks to your organization’s information and systems with the same energy you would for legal, regulatory, financial or operational risks.
To achieve this, embed a Risk Management Strategy across your organization, supported by your leadership and senior managers.
Determine your risk appetite, make cyber risk a priority for your leadership, and produce supporting risk management policies.
2. Network Security
Protect your networks from attack.
Defend the network perimeter; filter out unauthorized access and malicious content.
Monitor and test security controls.
3. User education and awareness
Produce user security policies covering acceptable and secure use of your systems.
Include these policies in staff training.
Maintain awareness of cyber risks.
4. Malware prevention
Produce relevant policies and establish anti-malware defenses across your organization.
5. Removable media controls
Produce a policy to control all access to removable media.
Limit media types and use.
Scan all media for malware before importing onto the corporate system.
6. Secure configuration
Apply security patches and ensure the secure configuration of all systems is maintained.
Create a system inventory and define a baseline build for all devices.
7. Managing user privileges
Establish effective management processes and limit the number of privileged accounts.
Limit user privileges and monitor user activity.
Control access to activity and audit logs.
8. Incident Management
Establish an incident response and disaster recovery capability.
Test your incident management plans.
Provide specialist training.
Report criminal incidents to law enforcement.
9. Monitoring
Establish a monitoring strategy and produce supporting policies.
Continuously monitor all systems and networks.
Analyze logs for unusual activity that could indicate an attack.
10. Home and mobile working
Develop a mobile working policy and train staff to adhere to it.
Apply the secure baseline and build to all devices.
Protect data both in transit and at rest.