Cyber Security is something that should be taken very seriously by businesses of all sizes. Over the past two years we've seen an uptick in spam, phishing attacks, and data breaches in organizations which in most cases could have been prevented. In many cases organizations are completely unaware of what to look for or how to secure their environment, or are unwilling to pay professionals to assist because of cost or other circumstances. Let me reiterate, this is a serious issue and we hope that it never happens to you, but each of us has to do our part.
We've created a Cybersecurity Questionnaire based on the NIST Cybersecurity Framework, for businesses to perform a self-evaluation on the readiness of their organization against cyber-attacks. If you're not the person who performs such actions within your company please pass along this document to the appropriate personnel.
The five pillars of IT security are: IDENTIFY, PROTECT, DETECT, RESPOND AND RECOVER.
Pillar One - IDENTIFY
HARDWARE MANAGEMENT - Maintain accurate inventories of information systems and devices.
Do you maintain accurate inventories of hardware?
Where are these inventories maintained, and how can they be accessed/updated?
SOFTWARE MANAGEMENT - Maintain accurate inventories of approved software and applications.
Do you maintain an accurate inventory of software and applications?
DATA FLOW MANAGEMENT - Manage and document the organization's data flows.
How do you document data flows?
EXTERNAL INFORMATION SYSTEMS - Services hosted or maintained by 3rd parties are documented.
Do you document the systems and services hosted or maintained by 3rd parties?
How do you ensure the 3rd party is aware of this requirement?
RESOURCE VALUE CATEGORIZATION - Assign a classification for all assets and resources.
Does a Data Classification Policy or Standard exist within the organization?
How do you classify data?
Are owners assigned to data?
IT SECURITY ROLES & RESPONSIBILITIES - User roles and responsibilities are established and documented.
Do you establish IT Security user roles and responsibilities?
How are these roles identified, filled, and communicated?
SUPPLY CHAIN STAKEHOLDERS & INTERDEPENDENCIES - Document stakeholder relationships within the supply chain.
Do you document supply chain interdependencies among stakeholders?
How do you express security concerns to 3rd parties and validate their conformance to your security requirements?
BUSINESS ROLE - Recognize the organization's role within its industry and identify applicable risk.
Do you understand the role you play in identifying applicable risk for your customers?
Are you comfortable in the role in which you have been positioned?
MISSION, OBJECTIVES & ACTIVITIES - Ensure organizational awareness of critical business functions.
How are the mission and objectives established and communicated to the organization?
How do you identify and document functions and dependencies critical for the delivery of services?
DEPENDENCIES ANALYSIS - Document dependencies and functions for the delivery of critical services.
How do you consider the impact of these dependencies on your ability to meet the service levels committed to clients?
RESILIENCY ANALYSIS - Document resilience requirements to support the delivery of critical services.
How do you recognize critical services?
Do you identify and document resilience requirements for the delivery of critical services?
How is resiliency reflected in Service Level Agreements?
IT SECURITY POLICY & STANDARDS - Formal IT Security policies, standards, and procedures exist and are made available to all applicable parties.
Does a formal IT security policy exist?
Is the policy supported by formal procedures?
Is the policy periodically communicated to all relevant employees and external business associates?
IT SECURITY ROLES & RESPONSIBILITIES - Coordinate and align internal and external IT Security roles.
Are there documents that clearly define job functions and responsibilities?
Do these functions complement one another?
REGULATORY & NON-REGULATORY REQUIREMENTS - Adhere to all applicable requirements.
Does the organization adhere to applicable regulatory and non-regulatory requirements?
How do you know if a requirement applies to you or not?
IT SECURITY PROGRAM - Develop a program to govern cybersecurity risks.
Is there an IT security program to govern cybersecurity risk?
Does the organization provide funding and resources as needed to support the Security Program?
VULNERABILITY IDENTIFICATION - From installing missing patches to scanning for vulnerabilities, it is critical for businesses to understand their technical weaknesses by identifying and correcting vulnerabilities as they are found.
Can you describe the process implemented for identifying vulnerabilities?
Have resource and asset vulnerabilities been identified?
THREAT & VULNERABILITY INTELLIGENCE - Receive threat and vulnerability information from quality sources.
What are the methods in place to receive threat and vulnerability information as necessary?
How is new information incorporated into the Vulnerability Management Program?
THREAT ASSESSMENTS - Address both internal and external threats as part of the VMP.
Have resource and asset vulnerabilities been assessed?
Are the assessments conducted as part of a current Business Impact Analysis (BIA), Risk Assessment (RA), Threat Assessment, or similar process?
BUSINESS IMPACT ASSESSMENT (BIA) - Assess the likelihood and impact associated with inherent and residual risk as part of the VMP.
Has a Business Impact Analysis been conducted?
Is there documentation that identifies critical business functions, the impact of the loss of each function, the interdependencies between those critical functions, and recovery objectives and timeframes?
RISK DETERMINATION - Use threats, vulnerabilities, likelihoods and impacts to determine risk as part of the VMP.
Does a document exist which outlines risks, business processes at risk/exposed, alternatives to reduce risks, and tolerance for risks?
RISK RESPONSES - Identify and prioritize risk responses as part of the VMP.
Are responses to risk identified and prioritized?
Is this document available as needed for review?
RISK MANAGEMENT FRAMEWORK - Implement an enterprise-wide Risk Management Framework (RMF) to manage risk to an acceptable level.
Is risk acceptably managed at the enterprise level?
How does the RMF assist in making the determination that risk is acceptably managed?
RISK TOLERANCE LEVEL - Determine and document risk tolerance as part of the RMF.
Has the risk tolerance level of the organization been determined and documented?
RISK THRESHOLDS - Identify and document thresholds for incident alerts as part of the RMF.
Have incident alert thresholds been determined and documented?
What is the process used to determine appropriate risk thresholds?
If you or your organization could use some assistance with Cyber Security in Frisco, Plano, Little Elm, Allen, Richardson or Dallas, TX, please reach out to us at 214-872-6773 or info@thebrasseffect.com