Category Archives: Risk Management

To improve incident response, you need to consider 3rd party solutions

Organizations reported an average 32% reduction in threat responder workload when they deployed a managed SIEM solution, according to CenturyLink and IDG. The research shows security leaders are turning to managed security services to help augment limited internal resources and bridge the security technology gap. “Security is an inherent ingredient in networking today; however, limited resources and budget constraints make it difficult for companies to develop with their own staff,” says Chris … More

The post To improve incident response, you need to consider 3rd party solutions appeared first on Help Net Security.

7 steps to a successful ISO 27001 risk assessment

Risk assessments are at the core of any organisation’s ISO 27001 compliance project.

They are essential for ensuring that your ISMS (information security management system) – which is the end-result of implementing the Standard – is relevant to your organisation’s needs.

What is an information security risk assessment?

An information security risk assessment is the process of identifying, resolving and preventing security problems.

Your organisation’s risk assessor will identify the risks that your organisation faces and conduct a risk assessment.

The risk assessment will often be asset based, whereby risks are assessed relative to your information assets. It will be conducted across the whole organisation.

ISO 27001 is explicit in requiring that a risk management process be used to review and confirm security controls in light of regulatory, legal and contractual obligations.

So, how should you get started?

How to conduct an ISO 27001 risk assessment

Conducting a risk assessment can be daunting, but we have simplified the process into seven steps:

1. Define your risk assessment methodology

ISO 27001 does not prescribe a specific risk assessment methodology. Choosing the correct methodology for your organisation is essential in order to define the rules by which you will perform the risk assessment. The methodology needs to address four issues: baseline security criteria, risk scale, risk appetite, and a scenario-based or asset-based risk assessment.

2. Compile a list of your information assets

If opting for an asset-based risk assessment, you should work from an existing list of information assets, which includes hard copies of information, electronic files, removable media, mobile devices and intangibles, such as intellectual property.

3. Identify threats and vulnerabilities

Identify threats and vulnerabilities that apply to each asset. For example, the threat could be ‘theft of mobile device’.

4. Qualify the extent of the risk

Assign impact and likelihood values of the risk occurring.

5. Mitigate the risks to reduce them to an agreed and acceptable level

ISO 27001 suggests four ways to treat risks: ‘terminate’ the risk by eliminating it entirely, ‘treat’ the risk by applying security controls, ‘transfer’ the risk to a third party, or ‘tolerate’ the risk.

6. Compile risk reports

ISO 27001 requires your organisation to produce a set of reports for audit and certification purposes, the most important being the SoA (Statement of Applicability) and the RTP (risk treatment plan).

7. Review, monitor and audit

ISO 27001 requires your organisation to continually review, update and improve the ISMS to make sure it works optimally and adjusts to the constantly changing threat environment.
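The seven steps above can be captured as a small asset-based risk register that scores each risk, checks it against the organisation's risk appetite, and derives the RTP, an SoA-style control list and a review of residual risk. This is an added illustration, not code from IT Governance or from the standard: the 1-5 scales, the appetite threshold of 8, the control names and the sample risks are all assumptions chosen for the example; ISO 27001 leaves those choices to your methodology.

```python
"""Asset-based ISO 27001 risk register that walks the seven steps above.
Scales, appetite threshold, control names and sample risks are all constructed
for illustration; ISO 27001 leaves those choices to the organisation."""
from dataclasses import dataclass, field
from typing import Optional

# Step 1: methodology. Ordinal 1-5 scales and a product-of-scores appetite
# threshold are assumptions, not values prescribed by the standard.
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
RISK_APPETITE = 8  # scores above this must be terminated, treated or transferred
TREATMENTS = {"terminate", "treat", "transfer", "tolerate"}  # step 5 options


@dataclass
class Risk:
    asset: str                      # step 2: information asset
    threat: str                     # step 3
    vulnerability: str              # step 3
    impact: str                     # step 4
    likelihood: str                 # step 4
    treatment: str = "tolerate"     # step 5
    controls: list = field(default_factory=list)  # applied controls (illustrative names)
    residual_impact: Optional[str] = None         # values expected after treatment
    residual_likelihood: Optional[str] = None

    def inherent_score(self) -> int:
        """Step 4: qualify the risk before any treatment."""
        return IMPACT[self.impact] * LIKELIHOOD[self.likelihood]

    def residual_score(self) -> int:
        """Risk remaining after the chosen treatment."""
        if self.treatment == "terminate":
            return 0  # the activity that created the risk no longer exists
        impact = self.residual_impact or self.impact
        likelihood = self.residual_likelihood or self.likelihood
        return IMPACT[impact] * LIKELIHOOD[likelihood]


def within_appetite(score: int) -> bool:
    return score <= RISK_APPETITE


def validate(risk: Risk) -> bool:
    """Step 5 rule: a risk above appetite cannot simply be tolerated."""
    if risk.treatment not in TREATMENTS:
        raise ValueError(f"unknown treatment {risk.treatment!r}")
    return within_appetite(risk.inherent_score()) or risk.treatment != "tolerate"


def risk_treatment_plan(register: list) -> list:
    """Step 6: the RTP lists each risk that required action, its treatment and controls."""
    return [
        {"asset": r.asset, "threat": r.threat, "inherent": r.inherent_score(),
         "treatment": r.treatment, "controls": r.controls, "residual": r.residual_score()}
        for r in register if not within_appetite(r.inherent_score())
    ]


def statement_of_applicability(register: list) -> dict:
    """Step 6: SoA-style view mapping each applied control to the threats justifying it."""
    soa = {}
    for r in register:
        for control in r.controls:
            soa.setdefault(control, []).append(r.threat)
    return soa


def review(register: list) -> list:
    """Step 7: threats whose residual risk is still above appetite need rework."""
    return [r.threat for r in register if not within_appetite(r.residual_score())]


# Steps 2-5 applied to a constructed register.
SAMPLE_REGISTER = [
    Risk("staff laptops", "theft of mobile device", "disk not encrypted", "major", "likely",
         treatment="treat", controls=["full-disk encryption", "remote wipe"],
         residual_impact="minor"),
    Risk("customer database", "ransomware", "unpatched web server", "severe", "possible",
         treatment="treat", controls=["patch management", "offline backups"],
         residual_impact="moderate", residual_likelihood="unlikely"),
    Risk("legacy fax line", "interception", "analogue line", "minor", "rare"),
    Risk("card-holder data store", "data breach", "card numbers stored in clear",
         "severe", "possible", treatment="terminate"),
    Risk("on-premises mail server", "outage", "no hardware redundancy", "moderate", "likely",
         treatment="transfer", controls=["hosted mail provider"],
         residual_impact="minor", residual_likelihood="possible"),
    Risk("paper HR records", "fire", "no off-site copy", "major", "possible",
         treatment="treat", controls=["fire-safe cabinet"], residual_impact="moderate"),
]

if __name__ == "__main__":
    for entry in risk_treatment_plan(SAMPLE_REGISTER):
        print(entry)
    print("still above appetite after treatment:", review(SAMPLE_REGISTER))
```

The last sample risk is deliberately under-treated: a fire-safe cabinet brings the paper records only down to a residual score of 9, so `review()` returns it for the next cycle, which is exactly the step 7 loop the text describes.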

Learn more about risk assessments

We provide a more detailed breakdown of these steps in our free green paper: Risk Assessment and ISO 27001. It also explains:

  • The relationship between ISO 27001 and ISO 31000, the international standard that describes best practices for risk management;
  • Things to avoid when performing a risk assessment;
  • The importance of risk assessments to the ISO 27001 Statement of Applicability; and
  • How to make your risk assessments as cost-effective as possible.

Those looking for hands-on help conducting a risk assessment should take a look at our risk assessment software, vsRisk™. It provides a simple and fast way to identify relevant threats, and delivers repeatable, consistent assessments year after year.

Its integrated risk, vulnerability and threat database eliminates the need to compile a list of potential risks, and the built-in controls help you comply with multiple frameworks.


A version of this blog was originally published on 19 September 2017.

The post 7 steps to a successful ISO 27001 risk assessment appeared first on IT Governance Blog.

Why risk assessments are essential for GDPR compliance

Any organisation that’s required to comply with the GDPR (General Data Protection Regulation) must conduct regular risk assessments.

This isn’t just because the Regulation says so; it’s because risk assessments are essential for effective cyber security, helping organisations address an array of problems that, if left unchecked, could cause havoc.

Organisations might assume that the only risks they face are from cyber criminals trying to break into their systems.

However, the GDPR is clear that data is also vulnerable to accidental or unlawful destruction, loss or disclosure. The ways in which these could happen need to be identified at every stage of the data handling process.

The GDPR risk assessment methodology

The goal of any information security risk assessment methodology is to make sure everybody conducting the assessment or interpreting its findings is on the same page.

You must have a methodology – i.e. a set of rules defining how to conduct the risk assessment – to make sure the risks are evaluated consistently, enabling you to compare your priorities properly.

Methodologies also outline specific terms for an organisation’s:

  • Baseline security criteria: the minimum set of defences to fend off risks;
  • Risk scale: a universal way of quantifying risk;
  • Risk appetite: the level of risk the organisation is willing to accept; and
  • Scenario- or asset-based risk management: the strategies to reduce the damage caused by certain incidents or that can be caused to certain parts of the organisation.

You can find out more about the risk assessment process by following ISO 27001’s guidance. The international standard for information security contains a best-practice framework for evaluating risks and is closely aligned with the GDPR.

Get started with vsRisk

The complexity of risk assessment auditing, along with the repercussions of getting it wrong, means that most organisations benefit from getting expert advice.

Our risk assessment software tool vsRisk™ helps organisations conduct an information security risk assessment efficiently and easily, eliminating the need for spreadsheets, which are prone to user input errors and can be difficult to set up and maintain.

The software tool is:

  • Easy to use. The process is as simple as selecting some options and clicking a few buttons.
  • Able to generate audit reports. Documents such as the Statement of Applicability and risk treatment plan can be exported, edited and shared across the business and with auditors.
  • Geared for repeatability. The assessment process is delivered consistently year after year (or whenever circumstances change).
  • Streamlined and accurate. Drastically reduces the chance of human error.

DPIA risk assessments

There is more to the GDPR and risk assessments than the threat of data breaches. There are also times when you must complete a specific type of risk assessment, called a DPIA (data protection impact assessment), to review the way you process personal data.

DPIAs are necessary whenever personal data processing is “likely to result in a high risk” to the rights and freedoms of individuals.

The GDPR doesn’t define what ‘high risk’ is, but it does provide a few examples:

  • Systematic and extensive profiling with significant effects
  • Large-scale processing of personal information
  • Public monitoring.

The ICO (Information Commissioner’s Office) adds that you must conduct a DPIA if you plan to:

  • Use innovative technology (in combination with any of the criteria from the European guidelines);
  • Use profiling or special category data to decide on access to services;
  • Profile individuals on a large scale;
  • Process biometric data (in combination with any of the criteria from the European guidelines);
  • Process genetic data (in combination with any of the criteria from the European guidelines);
  • Match data or combine datasets from different sources;
  • Collect personal data from a source other than the individual without providing them with a privacy notice (‘invisible processing’);
  • Track individuals’ location or behaviour;
  • Profile children or target marketing or online services at them; or
  • Process data that might endanger the individual’s physical health or safety in the event of a security breach.

How to conduct a DPIA

The GDPR doesn’t specify a framework for completing a DPIA, which can make it tricky for those getting started.

This is where our DPIA Tool comes in. Our experts created this software to guide you through the assessment process.

It’s suitable no matter how familiar you are with the GDPR’s requirements. We show you the questions you need to ask and how to find the answers, and even provide links to the relevant sections of the GDPR so you can learn more about why each process is necessary.


A version of this blog was originally published on 4 April 2018.

The post Why risk assessments are essential for GDPR compliance appeared first on IT Governance Blog.

Understanding the GDPR

The European Union’s Parliament approved and adopted the General Data Protection Regulation (GDPR) in April 2016. This regulation will take effect after a two-year transitional period, meaning it will be fully enforced on May 25, 2018. At this time, if organizations are non-compliant, they will face hefty fines. There is a tiered approach to these fines; however, at a maximum an organization can be charged 4% of annual global turnover or 20 million euros ($23,554,200).

The GDPR applies to all organizations that process and hold the personal information of EU residents, regardless of the company’s location. Specifically, the regulation pertains to all organizations located within the EU, as well as organizations located outside the EU that offer goods or services to EU citizens or observe their behavior. These rules also apply to both controllers and processors of information, meaning that the cloud and other technologies are not exempt from the GDPR.

If information can be used to identify a person, directly or indirectly, it is protected under the GDPR. This includes but is not limited to names, email addresses, financials, medical data, and IP addresses.

Steps to take to prepare for the GDPR:

  1. Perform a compliance audit against the GDPR legal framework to identify where gaps exist, then work to remediate these shortcomings.
  2. Classify the personal data your organization possesses that is protected by the GDPR and implement the appropriate security measures. This includes understanding what information you have, where it came from, who it is shared with, and who has access to it.
  3. Appoint a data protection officer for your organization.
  4. Document all processes and keep a record for the Data Protection Association (DPA) in the country or countries in which your organization conducts business.
  5. Make sure the appropriate contracts are in place to protect your organization and ensure that the businesses you engage with are employing the same security measures.

Infringements of the GDPR include:

  • Not having sufficient customer consent to process personal information.
  • Not having records in order.
  • Violating the “Privacy by Design” and “Privacy by Default” concepts.
  • Failing to notify the data subject and the supervising authority about a breach or incident.
  • Not conducting an impact assessment.

Altogether, the GDPR is the most important change to data privacy regulations in decades. It is intended to make organizations more secure and accountable to their data subjects during all stages of their interactions. For more questions or to implement GDPR standards in your organization, please CONTACT US.

Patch Management

Cyber security controls are only effective if there are no means of bypassing them. If a vulnerability exists that enables someone or something to circumvent your organization’s existing set of security standards, your whole network could then be compromised. With the rise of cybercriminals targeting known vulnerabilities on unpatched systems, especially through worms and malicious code, implementing a patch management system in your organization is critical to maintaining a strong security posture.

Patch management is the routine procedure of administering updates for all technologically based products and programs, primarily applications and operating system versions. The goal is to create a securely configured digital environment in your organization that is consistently protected against all known vulnerabilities.

To be successful, patch management must be an ongoing process in which your system administrator or managed services provider:

  1. Maintains knowledge of available patches.
  2. Determines what patches are appropriate for the specific systems.
  3. Prioritizes the patches and protects your most critical vulnerabilities first.
  4. Tests the patches on non-critical systems before installation.
  5. Performs backups before installing a patch.
  6. Installs patches and makes sure they work properly.
  7. Tests the systems after installation.
  8. Documents all installed patches and the processes utilized.

Patch management is a critically important aspect of cyber security risk management because outbreaks such as WannaCry result from unpatched vulnerabilities being exploited. In an organization with hundreds of systems, it only takes one compromised system to harm the entire network. Altogether, in the technological world, there is rarely, if ever, a software product or application that is developed without having to be modified or upgraded. As a result, a process must be implemented to distribute patches and remediate known vulnerabilities.

If you would like to discuss patch management in your organization, please CONTACT US.

National Cyber Security Awareness Month

Although National Cyber Security Awareness Month is coming to a close, COMPASS maintains a commitment to raising cyber security awareness throughout the year. The following are this year’s top blog posts that demonstrate ways to implement cyber security risk management in your organization and minimize the threats you may face.

  1. A Risk Manager’s Approach to Cyber Security 

Cyber security threats arguably pose the greatest danger to an organization’s risk management strategy. Risk managers should leverage their organization’s existing risk governance processes and methodologies to effectively analyze and manage cyber threats.

  2. Top 10 Assessment Findings

Although COMPASS’ client base is highly diverse, there are common findings we encounter on almost every single engagement. They are grouped by our approach to cyber security risk management which focuses on the 3 pillars of cyber security – people, policy and technology.

It is important for organizations to regularly assess not only their technical infrastructure, but also their organizational security awareness and policies. Organizations that fail to perform periodic assessments risk leaving themselves exposed to hackers who can exploit these vulnerabilities or negligent insiders who expose data unintentionally.

  3. 5 Steps to Develop a Security Program

Developing a practical and effective cyber security plan is vital to incorporating security into your organization’s risk management strategy. A common misconception is that a cyber security plan is lengthy and difficult to follow. However, that does not have to be the case. COMPASS recommends 5 steps for your cyber security plan.

  4. Business Email Compromise

BECs remain a prominent threat and will continue to be used in targeted scams. The victims of BEC attacks range from small business to large corporations and all employees should be aware of the dangers. Organizations that utilize robust prevention techniques have proven highly successful in recognizing and deflecting BEC attempts.


If you have any questions or would like to discuss the unique cyber threats your organization faces, please CONTACT US.

Employee Security Awareness Training

Because humans are often the weakest link when it comes to cyber security, it is critically important to integrate employee security awareness training into your cyber security action plan. By educating employees on best practices, policies, procedures, popular attack methods and trends, organizations can significantly reduce their risk of a data breach.

Increasing your investment in cyber security awareness training can decrease the threat of a cyberattack by 45% to 70%. Common and effective employee training methods include:

  • On-boarding – When a new employee joins your organization, immediately make them aware of cyber security best practices your organization requires. This will create a strong cyber security posture throughout the employee’s lifespan.
  • Mock phishing exercises – Phishing attacks are one of the most common forms of social engineering that can harm businesses. By employing these exercises organizations can test their email platform and see how their employees would react in a real-life scenario.
  • Webinars – Webinars on cyber security trends give employees a chance to ask questions and hear firsthand of the importance of keeping data secure. These interactive sessions empower employees with the information necessary to support the organization’s goal of protecting its sensitive data.
  • Policy check surveys – Regularly testing the knowledge of employees is important to their understanding of company policies and procedures. These can identify and prioritize gaps that should be addressed in further employee training sessions. In addition, these surveys and their results will be important if your organization is audited or breached.
  • Regularly discuss cyber security with employees – Make cyber security part of your workplace culture so that employees are regularly acting with the organization’s best interests in mind. Proactively address employee negligence as it is one of the top causes of security incidents.
  • Incident response plan – Ensure employees are aware of their role in the company’s incident response plan. Practice this plan quarterly so in the event of a breach your organization can respond quickly and comprehensively to minimize the impact and associated costs.
  • Onsite training – Providing face-to-face security awareness training on cyber best practices and company policies and procedures gives employees an opportunity to ask questions and learn from experienced personnel.

Proactively training employees before an information security incident is critical to protecting the future of your business. Create policies and guidelines that assume your company will be targeted by cybercriminals and make sure employees know the appropriate actions that are necessary to keep the company’s data safe. Implementing employee training in your organization at least quarterly is one of the best and most cost-effective ways to reduce cyber security risks.

For more information on employing training in your workplace, please contact us.

Mobile Device Management

Mobile Device Management (MDM) is a great method to ensure that your employees remain productive and do not violate any corporate policies. In the ever-expanding Bring Your Own Device (BYOD) world, more organizations are allowing employees the freedom to work from their own mobile devices. Tablets, smart phones, and personal laptops are taking a larger and larger space on corporate networks.

While there are numerous advantages to a BYOD environment, allowing personal devices onto a corporate network introduces a variety of security threats. A Mobile Device Management solution helps in securing that environment.

Here are 5 tips you should implement when securing your devices with an MDM approach:

  1. Require standards for password strength – Make sure that your MDM is configured to require device passcodes that meet or exceed guidelines concerning length, complexity, retry and timeout settings for the appropriate device.
  2. Device Update Compliance – Set a minimum required version for employee mobile devices. This will require that employee devices are kept updated and restrict devices that do not comply with this setting.
  3. Prevent Jail-breaking – Prevent jail-broken or ‘rooted’ mobile devices. Allowing these devices could add an additional attack vector as many ‘rooted’ or jail-broken devices install third-party app stores that may contain malicious apps. Preventing these devices helps secure access to company data.
  4. Require usage of signed apps and certificates – Use your MDM to screen any mobile devices for suspicious applications before allowing access to company resources. These could be email programs, mobile apps, and networks (Wi-Fi or company VPN access). As with jail-broken devices, unsigned apps and certificates may allow malware to infect the device.
  5. Seek Employee Buy-In – Prior to allowing a user device onto your network, require that the user acknowledge and accept basic corporate policies. Make sure that the user understands that company administrators will be able to revoke and/or restrict access to devices that don’t comply with company policy.
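The five tips can be expressed as a single admission policy that an MDM evaluates before a device reaches company resources. The check below is an added illustration, not COMPASS's code or the configuration format of any MDM product: the policy values (8-character alphanumeric passcode, 10-attempt limit, 5-minute lock, minimum OS versions), the device records and the app identifier `com.example.sideloaded` are all constructed for the example.

```python
"""Device-admission check that encodes the five MDM tips above as a policy.
The policy values, device records and app identifiers are constructed for
illustration; this is not the configuration format of any particular MDM product."""
from dataclasses import dataclass, field

# Tips 1-5 expressed as policy values (assumed, not vendor defaults).
POLICY = {
    "min_passcode_length": 8,            # tip 1: passcode length
    "require_alphanumeric": True,        # tip 1: complexity
    "max_failed_attempts": 10,           # tip 1: retry limit before wipe
    "max_inactivity_lock_seconds": 300,  # tip 1: timeout
    "min_os_version": {"ios": "15.0", "android": "12.0"},  # tip 2
    "allow_rooted": False,               # tip 3
    "require_signed_apps": True,         # tip 4
    "require_policy_acceptance": True,   # tip 5
}


@dataclass
class Device:
    device_id: str
    platform: str                     # "ios" or "android"
    os_version: str
    passcode_length: int
    passcode_alphanumeric: bool
    wipe_after_failed_attempts: int   # 0 means no retry limit is enforced
    inactivity_lock_seconds: int
    rooted: bool                      # jail-broken / rooted
    unsigned_apps: list = field(default_factory=list)
    policy_accepted: bool = False


def parse_version(version: str) -> tuple:
    """'14.7.1' -> (14, 7, 1); tuples compare correctly even with differing lengths."""
    return tuple(int(part) for part in version.split("."))


def evaluate(device: Device, policy: dict = POLICY) -> list:
    """Return the list of policy violations; an empty list means compliant."""
    findings = []
    if device.passcode_length < policy["min_passcode_length"]:
        findings.append("passcode shorter than required minimum")
    if policy["require_alphanumeric"] and not device.passcode_alphanumeric:
        findings.append("passcode is not alphanumeric")
    if (device.wipe_after_failed_attempts == 0
            or device.wipe_after_failed_attempts > policy["max_failed_attempts"]):
        findings.append("failed-attempt limit missing or too permissive")
    if device.inactivity_lock_seconds > policy["max_inactivity_lock_seconds"]:
        findings.append("inactivity lock timeout too long")
    minimum = policy["min_os_version"].get(device.platform)
    if minimum is None:
        findings.append(f"unsupported platform {device.platform!r}")
    elif parse_version(device.os_version) < parse_version(minimum):
        findings.append(f"OS {device.os_version} below minimum {minimum}")
    if device.rooted and not policy["allow_rooted"]:
        findings.append("device is rooted or jail-broken")
    if policy["require_signed_apps"] and device.unsigned_apps:
        findings.append("unsigned apps installed: " + ", ".join(device.unsigned_apps))
    if policy["require_policy_acceptance"] and not device.policy_accepted:
        findings.append("user has not accepted the acceptable-use policy")
    return findings


def admission_decision(device: Device, policy: dict = POLICY) -> str:
    """'allow' grants access to company resources; any finding yields 'deny'."""
    return "allow" if not evaluate(device, policy) else "deny"


# Constructed device records (identifiers and app names are made up).
SAMPLE_DEVICES = [
    Device("phone-001", "ios", "16.2", 8, True, 10, 300, False, [], True),
    Device("phone-002", "android", "13.0", 10, True, 10, 120, True, ["com.example.sideloaded"], True),
    Device("phone-003", "ios", "14.7.1", 4, False, 10, 300, False, [], True),
    Device("phone-004", "android", "12.0", 8, True, 10, 300, False, [], False),
]

if __name__ == "__main__":
    for d in SAMPLE_DEVICES:
        print(d.device_id, admission_decision(d), evaluate(d))
```

Returning every finding rather than stopping at the first one matters in practice: the user sees all the reasons the device was refused, and the list of findings is the record an administrator needs when revoking or restoring access under tip 5.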

The best idea is to decide your corporate strategy and then choose an MDM solution that fits your project. For more information on mobile device security, download our iPhone and Android Security Guides. If you would like to begin a conversation about Mobile Device Management, please CONTACT US.

COMPASS Cyber Security Mobile Application

As a part of COMPASS Cyber Security’s ongoing commitment to raising cyber security awareness in the community, we are excited to announce the launch of our very own mobile application! By downloading this app, users will be provided with real-time cyber security threat alerts, best practice tips, and applicable guidance, so they can be prepared for the cyber security risks they may face. It is COMPASS’ mission to “shift the world’s data to be safe and secure” and this app is a testament to that by offering businesses and consumers valuable content they can use to protect their data.

Download the COMPASS Cyber Security app in the iTunes and Google Play stores to begin improving your cyber security posture!

Back to School Cyber Security

As schools open their doors for a new academic year, it is evident that education is becoming increasingly dependent on technology. As a result, cyber security is a critically important component of the risk management strategies in schools.

Having worked with dozens of schools internationally, COMPASS understands the unique threats they face. Fall is the best time to set the tone for your school’s cyber security posture; here is how:

  • Perform a risk assessment of your school’s IT infrastructure to identify critical vulnerabilities and remediate them.
  • Segment your network so if one part of your network is compromised, it does not affect the integrity of the rest of your network. For example, put students on a network separate from the faculty and staff.
  • Limit the number of privileged users to only administrators with a legitimate need as defined by management protocol.
  • Implement quarterly cyber security awareness training. It is important that the faculty as well as the students are cognizant of cyber best practices so they have a strong digital safety background.
  • Review all policies to make sure they are current with the technologies and procedures within your organization.
  • Conduct a security configuration review of the central image from which all of the faculty devices are copied to provide maximum security.

With a variety of diverse user profiles traversing the network and a treasure trove of sensitive personal and financial information, it is often difficult to balance cyber security in an open learning environment. However, by implementing these cyber security strategies in your school you will greatly reduce your risk of an incident.

For more information on school security, download our Back to School Security Guide. To discuss your school’s unique cyber security posture, please CONTACT US.