Information Security Basics
Apply security patches – Patch everything: operating systems, firmware on network and IoT devices, and application software. Prioritize internet-facing systems and vulnerabilities that are known to be exploited.
Information security training – Run a formal, ongoing security awareness and phishing testing program for everyone: employees, management, and contractors.
Activate anti-virus technology – Whether built in to the platform or purchased from a third party, run it on servers, workstations, and mobile devices, and keep it updated and reporting centrally.
Backup business data and key systems – Keep multiple copies, online and offline, in geographically separate locations. The offline copies must be unreachable from the production network so that ransomware cannot encrypt or delete them, and restores must be tested regularly.
Remediate compromised devices – Be prepared to isolate, re-image, and recover compromised devices rather than trying to clean them in place.
Deploy a next-generation, application-aware firewall with TLS (SSL) decryption and traffic inspection – Manage and inspect all traffic using application detection and control. Configure the firewall to detect DNS abuse, such as queries to known-malicious domains and tunnelling of data through DNS. TLS decryption only works for devices that trust the firewall's inspection certificate, so plan its rollout to managed devices and exclude traffic that must not be inspected (for example, banking or health sites, and applications that pin their certificates).
Information Security Policy – Business defined controls for managing, protecting, and sharing sensitive information and a framework for security operations.
Identify business applications and priority – Identify and prioritize key business applications and cloud services, and plan the reliability and operations management each one needs.
Identify business data resources – Know what data and data repositories you have, where they reside, and who has access. Periodically audit user access to data and systems and remove access that is no longer needed.
Identify IT assets – Know what is connected to your network: servers, workstations, printers, routers, switches, phones, time clocks, alarm systems, sensors, IoT devices, or any device with communication capability. Investigate anything that appears on the network but is not in the inventory.
Enable logging on all capable devices – Forward logs to a central system that the logging devices themselves cannot alter, and keep clocks synchronized so events can be correlated. Logs only support real-time detection if something is monitoring them, but even unmonitored logs are vital for post-incident analysis.
Investigate production system failures for root cause – Determine whether the cause was a security compromise or an ordinary system failure; an unexplained outage is sometimes the first visible sign of an intrusion.
Have an Incident Management plan – Have a documented plan for managing security issues, from small events to large incidents, including internal and external communications plans and escalation criteria.
Have an Information Systems Business Recovery Plan – Have a plan for managing business systems interruption and for how you will recover in an emergency, with recovery timelines that fit the business.
Have Cyber Insurance – Be prepared to have help when larger incidents occur.
Revisit all of the above, at minimum, annually – Technology and the threats are constantly changing; confirm that your protections are still relevant.
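As an added example (not code from the original page or from the consultancy behind it), the following script shows the kind of DNS-abuse check that the firewall item above asks for, run over the DNS query logs that the logging item asks you to collect. The log line format (timestamp, client address, queried name), the thresholds, the "registered domain is the last two labels" simplification, and all sample log lines are constructed assumptions for illustration; a real firewall or resolver has its own log format and the thresholds need tuning against your own baseline traffic.

```python
"""Heuristic detection of DNS tunnelling / exfiltration in DNS query logs.

Added example, not from the original page. Log format, thresholds and the
sample lines below are constructed for illustration.
"""
import math
import re
from collections import defaultdict

# Assumed (hypothetical) log format: "<timestamp> <client-ip> <queried-name>"
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)$")

# Constructed sample log: one host doing ordinary lookups, one host pushing
# 48-character hex labels under a single domain (classic tunnelling pattern).
SAMPLE_LOG = """\
# constructed sample, not real traffic
2024-03-01T10:00:01 10.0.0.15 www.example.com
2024-03-01T10:00:02 10.0.0.15 mail.example.com
2024-03-01T10:00:03 10.0.0.15 cdn.example.com
2024-03-01T10:00:04 10.0.0.15 api.example.com
2024-03-01T10:00:05 10.0.0.15 static.example.com
2024-03-01T10:00:06 10.0.0.15 login.example.com
2024-03-01T10:00:07 10.0.0.22 www.vendor-site.test
2024-03-01T10:00:08 10.0.0.22 3a9f1c7e5b2d8e4f6a0c1d9b7e3f5a2c4d8e6f1a3b5c7d9e.exfil-demo.test
2024-03-01T10:00:09 10.0.0.22 9c2e4a7f1b3d5e8a0f6c2d4b7a9e1c3f5d8b2a6e4f7c9d1b.exfil-demo.test
2024-03-01T10:00:10 10.0.0.22 0d4b8f2a6c1e3a9d5f7b2c4e8a1d3f6b9e2c5a7d1f4b6e8c.exfil-demo.test
2024-03-01T10:00:11 10.0.0.22 7b3e9a1d2f5c8b4a6d0e3f7c1a9b4d2e8c5f7a3b0e2d6c9f.exfil-demo.test
2024-03-01T10:00:12 10.0.0.22 4e8a2c6f9b1d5e3a7c0f4b8d2a6e9c1f5d3b7a0e8f2c4d6b.exfil-demo.test
2024-03-01T10:00:13 10.0.0.22 1f6d3b9e8a2c5f7b4d0e6a2c9f3b7d1e5c8a4f0b2e6d9c3a.exfil-demo.test
"""


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; encoded payloads score high, words low."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_line(line: str):
    """Return (client, qname) for a well-formed line, else None."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    return m.group("client"), m.group("qname").rstrip(".").lower()


def split_name(qname: str):
    """Split into (registered domain, subdomain part).

    Assumption: registered domain = last two labels. Wrong for suffixes like
    co.uk; a real tool would use the public suffix list.
    """
    labels = qname.split(".")
    if len(labels) < 3:
        return None, None  # no subdomain, nothing to carry data in
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def analyze(log_text: str, min_queries: int = 5,
            entropy_threshold: float = 3.5, max_label: int = 40):
    """Flag (client, domain) pairs whose subdomains look like encoded data."""
    stats = defaultdict(lambda: {"subs": set(), "ent": [], "long": 0})
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # comments, blank lines, unexpected formats
        client, qname = parsed
        base, sub = split_name(qname)
        if base is None:
            continue
        s = stats[(client, base)]
        s["subs"].add(sub)
        s["ent"].append(shannon_entropy(sub.replace(".", "")))
        if any(len(label) > max_label for label in sub.split(".")):
            s["long"] += 1
    findings = []
    for (client, base), s in stats.items():
        if len(s["subs"]) < min_queries:
            continue  # too few distinct names to judge
        avg_ent = sum(s["ent"]) / len(s["ent"])
        if avg_ent >= entropy_threshold or s["long"] >= min_queries:
            findings.append({"client": client, "domain": base,
                             "unique_subdomains": len(s["subs"]),
                             "avg_entropy": round(avg_ent, 2),
                             "long_label_queries": s["long"]})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f)
```

The benign host resolves six ordinary names under example.com and is not reported; the second host is reported because it sent at least five distinct, over-long subdomains to one domain. A per-client volume rule (many unique names per domain per minute) and a lookup against a malicious-domain feed are the usual companions to this check, and all three should run on logs stored centrally rather than on the firewall alone.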
This workshop-based review provides a forum to discuss the development of a security vision and strategy in light of current cyber security trends, and helps identify which of those trends are most relevant to your organization.
This security assessment is an in-depth review of 198 security controls. The assessment can be adapted to align with the most common security frameworks and regulatory requirements (ISO 27001/27002, GDPR, NIST 800-53, NIST 800-171, PCI DSS, COBIT, PIPEDA, HIPAA, or the Canadian Baseline Cyber Security Controls).
Information Security and Operations Scorecard
Social Engineering: the "con" used to get around security measures. Social engineering risks are keeping business leaders up at night. In the Business Continuity Institute 2018 Horizon Scan Report, four of the top 10 threats identified by business leaders are most often the result of a social engineering exploit. In a recent …
Organizations historically believed that security software and tools were effective at protecting them from hackers. Today, this is no longer the case, as modern businesses are now …