SECURING YOUR SMALL BUSINESS. Principles of information security and risk management

Similar documents
Defending Against Data Beaches: Internal Controls for Cybersecurity

Guide to Vulnerability Management for Small Companies

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

What s Wrong with Information Security Today? You are looking in the wrong places for the wrong things.

10- Assume you open your credit card bill and see several large unauthorized charges unfortunately you may have been the victim of (identity theft)

BCS IT User Syllabus IT Security for Users Level 2. Version 1.0

Critical Security Controls

An Overview of Information Security Frameworks. Presented to TIF September 25, 2013

CNA NetProtect Essential SM. 1. Do you implement virus controls and filtering on all systems? Background:

NEW JERSEY STATE POLICE EXAMPLES OF CRIMINAL INTENT

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster

The Protection Mission a constant endeavor

Cybersecurity Health Check At A Glance

Stable and Secure Network Infrastructure Benchmarks

Section 12 MUST BE COMPLETED BY: 4/22

Cisco Advanced Services for Network Security

The Business Case for Security Information Management

Cyber Security Metrics Dashboards & Analytics

Security Management. Keeping the IT Security Administrator Busy

State of Illinois Department of Central Management Services GENERAL SECURITY FOR STATEWIDE NETWORK RESOURCES POLICY

Protecting Your Organisation from Targeted Cyber Intrusion

Critical Controls for Cyber Security.

White Paper A SECURITY GUIDE TO PROTECTING IP PHONE SYSTEMS AGAINST ATTACK. A balancing act

PROTECT YOUR COMPUTER AND YOUR PRIVACY!

CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL

Internet threats: steps to security for your small business

Consensus Policy Resource Community. Lab Security Policy

Network Security: Introduction

A Systems Engineering Approach to Developing Cyber Security Professionals

THE BUSINESS CASE FOR NETWORK SECURITY: ADVOCACY, GOVERNANCE, AND ROI

Honeywell Industrial Cyber Security Overview and Managed Industrial Cyber Security Services Honeywell Process Solutions (HPS) June 4, 2014

By: Gerald Gagne. Community Bank Auditors Group Cybersecurity What you need to do now. June 9, 2015

Cyber Self Assessment

Best Practices For Department Server and Enterprise System Checklist

How a Company s IT Systems Can Be Breached Despite Strict Security Protocols

Technology Blueprint. Protect Your Servers. Guard the data and availability that enable business-critical communications

How-To Guide: Cyber Security. Content Provided by

Fundamentals of Information Systems Security Unit 1 Information Systems Security Fundamentals

TEMPLE UNIVERSITY POLICIES AND PROCEDURES MANUAL

F G F O A A N N U A L C O N F E R E N C E

Network Security and the Small Business

PCI Data Security Standards (DSS)

INFORMATION SECURITY FOR YOUR AGENCY

ONLINE BANKING SECURITY TIPS FOR OUR BUSINESS CLIENTS

Cybersecurity: What CFO s Need to Know

Managing internet security

Protecting Organizations from Cyber Attack

The Ministry of Information & Communication Technology MICT

A GUIDE TO SECURITY AND PRIVACY IN A HOSTED EXCHANGE ENVIRONMENT TECHNICAL DOCUMENT

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE

Bendigo and Adelaide Bank Ltd Security Incident Response Procedure

Data Management Policies. Sage ERP Online

Managing IT Security with Penetration Testing

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE

ICTN Enterprise Database Security Issues and Solutions

TASK TDSP Web Portal Project Cyber Security Standards Best Practices

WIRELESS LOCAL AREA NETWORK (WLAN) IMPLEMENTATION

External Supplier Control Requirements

Global Partner Management Notice

Executive Summary Program Highlights for FY2009/2010 Mission Statement Authority State Law: University Policy:

SANS Top 20 Critical Controls for Effective Cyber Defense

Threats and Attacks. Modifications by Prof. Dong Xuan and Adam C. Champion. Principles of Information Security, 5th Edition 1

Windows Operating Systems. Basic Security

Security Controls What Works. Southside Virginia Community College: Security Awareness

The self-defending network a resilient network. By Steen Pedersen Ementor, Denmark

Device Hardening, Vulnerability Remediation and Mitigation for Security Compliance

ABB s approach concerning IS Security for Automation Systems

This chapter covers the following topics: Why Network Security Is Necessary Secure Network Design Defined Categorizing Network Security Threats How

Ovation Security Center Data Sheet

Universities and Schools Under Cyber-Attack: How to Protect Your Institution of Excellence

Jumpstarting Your Security Awareness Program

1. For each of the 25 questions, multiply each question response risk value (1-5) by the number of times it was chosen by the survey takers.

Looking at the SANS 20 Critical Security Controls

Information Technology Risk Management

KASPERSKY SECURITY INTELLIGENCE SERVICES. EXPERT SERVICES.

Closing Wireless Loopholes for PCI Compliance and Security

Belmont Savings Bank. Are there Hackers at the gate? 2013 Wolf & Company, P.C.

Server Protection Policy 1 1. Rationale 1.1. Compliance with this policy will help protect the privacy and integrity of data created by and relating

Office of Inspector General

Preparing for a Cyber Attack PROTECT YOUR PEOPLE AND INFORMATION WITH SYMANTEC SECURITY SOLUTIONS

Lifecycle Solutions & Services. Managed Industrial Cyber Security Services

Network Security. 1 Pass the course => Pass Written exam week 11 Pass Labs

GE Measurement & Control. Top 10 Cyber Vulnerabilities for Control Systems

Ovation Security Center Data Sheet

HIGH-RISK SECURITY VULNERABILITIES IDENTIFIED DURING REVIEWS OF INFORMATION TECHNOLOGY GENERAL CONTROLS

OCT Training & Technology Solutions Training@qc.cuny.edu (718)

Course Title: Penetration Testing: Network & Perimeter Testing

Host/Platform Security. Module 11

Best Practices for Information Security and IT Governance. A Management Perspective

Chapter 11 Manage Computing Securely, Safely and Ethically. Discovering Computers Your Interactive Guide to the Digital World

How To Audit The Mint'S Information Technology

Cyber Risk Mitigation via Security Monitoring. Enhanced by Managed Services

Transcription:

SECURING YOUR SMALL BUSINESS Principles of information security and risk management

The challenge Information is one of the most valuable assets of any organization public or private, large or small and the protection of that information is critical. This brief guide provides an overview of the key terms and principles that every business needs to understand to reduce its risk exposure and protect its future. Between 2008 and 2009, U.S. businesses lost more than $1 trillion worth of intellectual property to cyber attacks. Source: Obama Administration. Cyberspace Policy Review: Assuring a Trusted and Resilient Information and Communications Infrastructure. May 2009.

What is information security? Information security is the discipline of ensuring the confidentiality, integrity and availability of information. There are 3 drivers of information security Risk management Regulatory compliance Business continuity planning Assets to secure Physical premises Networks Devices (hardware) Application software (client and cloud-based) Operating systems Databases Key defenses User authentication Secure remote access Vulnerability testing Intrusion detection/prevention Web and email security Internal processes and policies

Information security 101 Terms you need to know A risk is the likelihood that something bad will happen that causes harm to an informational asset (or the loss of the asset). A vulnerability is a weakness that could be used to endanger or cause harm to an informational asset. A threat is anything (man made or act of nature) that has the potential to cause harm. Nearly 40 percent of IT security breaches are perpetrated by people inside the company. Source: U.S. Computer Emergency Response Team (CERT)

Information security 101 Common internal/external threats (defined) Bot/botnet: a type of malware which allows an attacker to gain complete control over the affected computer. Denial of service (DoS): an attack aimed at making a computer resource (commonly websites) unavailable to its intended users. Disgruntled employees: research conducted by the U.S. Computer Emergency Response Team (CERT) estimates that almost 40 percent of IT security breaches are perpetrated by people inside the company. Malware: a catch-all term used to refer to various types of malicious software. Phishing/spoofing: a type of scam aimed at obtaining a user s personal or confidential information. It typically involves some sort of spam email designed to lure a user to a spoofed web site. Spam: unwanted or unsolicited email that is typically sent in bulk to millions of email addresses at once; spam can contain viruses, worms or phishing scams.

Information security 101 Common internal/external threats (defined) Trojan: a virus used to infiltrate a computer without the user s knowledge or consent by disguising itself as something else. Example: a Trojan virus falsely claiming to be a Microsoft application update. Virus: a computer program or script that attempts to spread from one file to another on a single computer and/or from one computer to another, using a variety of methods, without the knowledge and consent of the computer user. Worm: a specific type of virus that propagates itself across many computers, usually by creating copies of itself in each computer s memory. Zero-day threat: a computer threat that tries to exploit computer application vulnerabilities that are unknown to others or the software developer.

McAfee Labs identified more than 6 million unique malware samples in the first quarter of 2011, far exceeding any previous quarter. Source: McAfee Labs. McAfee Threats Report. January 2011.

More telecommuting = more risk One recent technology survey reports that 44 percent of small businesses allow their employees to work remotely. 1 While offering potential benefits, telecommuting introduces new vulnerabilities and increased risk. Careless use of Wi-Fi and accessing unsecured networks Letting family and friends use work issued devices Altering security settings to view blocked sites Leaving work issued devices in an insecure location Backing up corporate data to a home computer Emailing corporate data to your personal email account Reducing the risk of telecommuting Develop clear telecommuting guidelines Use VPN systems access to encrypt traffic between the remote client computer to your network Use network access control (NAC) systems to check laptops to make sure they are hardened, secure and comply with your information security policies Make sure clients are patched, up-to-date and have protection like antivirus software installed 1 2010 NSBA Small Business Technology Survey

Stolen or lost laptops and mobile devices are one of the most common ways businesses lose critical data. According to the FBI, a stolen or lost laptop usually resulted in an average loss of $30,570. Source: FBI/CSI. Computer Crime and Security Survey. 2006.

Managing risk: assessment All organizations have limited resources, and risk can never be eliminated entirely. Understanding risk and classifying it through a risk assessment helps organizations to prioritize scarce resources and cost effectively improve their security posture. Elements of an info-sec risk assessment 1. System documentation Summarize system architecture and components, and its overall level of security. 2. Risk determination List threats, vulnerabilities, current security controls, and risk levels (likelihood and potential impact). 3. Response determination Based on likelihood and potential impact, choose how to respond to identified risks: accept, mitigate, deny, or transfer. 4. Safeguard determination Recommend safeguards, and describe the expected level of risk that would remain if these safeguards were put in place.

According to Gartner, the cost of mitigating a data breach is likely to be vastly greater than the cost of preventing the breach beforehand by as much as a 70-to-1margin. Source: Gartner. Gartner Predicts 2011: Infrastructure Protection is Becoming More Complex, More Difficult and More Business-Critical Than Ever. November 2010.

Managing risk: action Specific steps for reducing your risk exposure Strengthen authentication credentials and management Inventory authorized and unauthorized devices Inventory authorized and unauthorized software applications Secure configurations for hardware and software on laptops, workstations, and servers Secure configurations for network devices such as firewalls, routers, and switches Maintain, monitor, and analyze audit logs Control use of administrative privileges and access Assess vulnerabilities on a routine basis Monitor account access and control Control and secure wireless devices Protect your business from insider or disgruntled employee threats Divide critical functions and responsibilities among employees within the organization (to limit any single individual s ability to inflict harm) Change passwords every 90 days

Conclusion: managing risk with scarce resources Small businesses cannot always justify an extensive security program or a single full-time IT security expert. Nonetheless, small businesses confront serious security challenges that must be addressed. The difficulty for these organizations is to identify needed security mechanisms that are practical and cost effective, so that limited security resources are well applied to meet the most serious risks. The first step is to understand the threat environment and learn the core principles of information security and risk management. We hope this guide has given you good start. Contact us today for help addressing your security challenges.

Resources NIST: Information Security Handbook: A Guide for Managers http://csrc.nist.gov/publications/nistpubs/800-100/sp800-100-mar07-2007.pdf Twenty Critical Controls for Effective Cyber Defense http://csis.org/files/publication/twenty_critical_controls_for_effective_cyber_defense_cag.pdf Top Cyber Security Risks http://www.sans.org/top-cyber-security-risks/

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information