Sector Forensics provides a professional, discreet service and has guided organisations from small businesses to large enterprises on how to protect themselves in cyberspace.
50% of the worst breaches recorded have been due to human error.
A large proportion of attacks happen where the security policy is poor or poorly understood by staff.
72% of companies where the security policy was poorly understood had staff related breaches.
Pro-active management of the cyber risk at board level is critical. Two thirds of bosses in Britain’s biggest businesses are not trained to deal with a cyber attack.
If your business is not prepared to deal with a cyber attack, we will be happy to conduct a ‘cyber health check’ on your company.
Introduction to Cyber Security
10 Steps: Executive Summary
Risk Management Regime
Embed an appropriate risk management regime across the organisation. This should be supported by an empowered governance structure, which is actively supported by the board and senior managers. Clearly communicate your approach to risk management with the development of applicable policies and practices. These should aim to ensure that all employees, contractors and suppliers are aware of the approach, how decisions are made, and any applicable risk boundaries.
Secure configuration
Having an approach to identify baseline technology builds and processes for ensuring configuration management can greatly improve the security of systems. You should develop a strategy to remove or disable unnecessary functionality from systems, and to quickly fix known vulnerabilities, usually via patching. Failure to do so is likely to result in increased risk of compromise of systems and information.
Network security
The connections from your networks to the Internet, and other partner networks, expose your systems and technologies to attack. By creating and implementing some simple policies and appropriate architectural and technical responses, you can reduce the chances of these attacks succeeding (or causing harm to your organisation). Your organisation's networks almost certainly span many sites and the use of mobile or remote working, and cloud services, makes defining a fixed network boundary difficult. Rather than focusing purely on physical connections, think about where your data is stored and processed, and where an attacker would have the opportunity to interfere with it.
Managing user privileges
If users are provided with unnecessary system privileges or data access rights, then the impact of misuse or compromise of that user’s account will be more severe than it need be. All users should be provided with a reasonable (but minimal) level of system privileges and rights needed for their role. The granting of highly elevated system privileges should be carefully controlled and managed. This principle is sometimes referred to as ‘least privilege’.
User education and awareness
Users have a critical role to play in their organisation’s security and so it's important that security rules and the technology provided enable users to do their job as well as help keep the organisation secure. This can be supported by a systematic delivery of awareness programmes and training that deliver security expertise as well as helping to establish a security-conscious culture.
Incident management
All organisations will experience security incidents at some point. Investment in establishing effective incident management policies and processes will help to improve resilience, support business continuity, improve customer and stakeholder confidence and potentially reduce any impact. You should identify recognised sources (internal or external) of specialist incident management expertise.
Malware prevention
Malicious software, or malware, is an umbrella term to cover any code or content that could have a malicious, undesirable impact on systems. Any exchange of information carries with it a degree of risk that malware might be exchanged, which could seriously impact your systems and services. The risk may be reduced by developing and implementing appropriate anti-malware policies as part of an overall 'defence in depth' approach.
Monitoring
System monitoring provides a capability that aims to detect actual or attempted attacks on systems and business services. Good monitoring is essential in order to effectively respond to attacks. In addition, monitoring allows you to ensure that systems are being used appropriately in accordance with organisational policies. Monitoring is often a key capability needed to comply with legal or regulatory requirements.
Removable media controls
Removable media provide a common route for the introduction of malware and the accidental or deliberate export of sensitive data. You should be clear about the business need to use removable media and apply appropriate security controls to its use.
Home and mobile working
Mobile working and remote system access offer great benefits, but expose new risks that need to be managed. You should establish risk-based policies and procedures that support mobile working or remote access to systems, applicable to users as well as service providers. Train users on the secure use of their mobile devices in the environments they are likely to be working in.
10 Steps: A Board Level Responsibility
Why protecting your information is a board-level responsibility.
Cyberspace has revolutionised how many of us live and work. The internet, with its more than 3 billion users, is powering economic growth, increasing collaboration and innovation, and creating jobs.
Protecting key information assets is of critical importance to the sustainability and competitiveness of businesses today. Companies need to be on the front foot in terms of their cyber preparedness. Cyber security is all too often thought of as an IT issue, rather than the strategic risk management issue it actually is.
Companies benefit from managing risks across their organisations - drawing effectively on senior management support, risk management policies and processes, a risk-aware culture and the assessment of risks against objectives. There are many benefits to adopting a risk management approach to cyber security, including:
- Corporate decision making is improved through the high visibility of risk exposure, both for individual activities and major projects, across the whole of the organisation.
- Financial benefit to the organisation through the reduction of losses and improved “value for money” potential.
- Organisations are prepared for most eventualities, being assured of adequate contingency plans.
We have therefore produced a set of questions for you which we believe will assist and support your existing strategic-level risk discussions, specifically how to ensure you have the right safeguards and cultures in place.
Key questions for CEOs and boards
Protection of key information assets is critical
- How confident are we that our company’s most important information is being properly managed and is safe from cyber threats?
- Are we clear that the Board are likely to be key targets?
- Do we have a full and accurate picture of:
  - the impact on our company’s reputation, share price or existence if sensitive internal or customer information held by the company were to be lost or stolen?
  - the impact on the business if our online services were disrupted for a short or sustained period?
Exploring who might compromise our information and why
- Do we receive regular intelligence from the Chief Information Officer/Head of Security on who may be targeting our company, their methods and their motivations?
- Do we encourage our technical staff to enter into information-sharing exchanges with other companies in our sector and/or across the economy in order to benchmark, learn from others and help identify emerging threats?
Pro-active management of the cyber risk at Board level is critical
The cyber security risk impacts share value, mergers, pricing, reputation, culture, staff, information, process control, brand, technology, and finance. Are we confident that:
- we have identified our key information assets and thoroughly assessed their vulnerability to attack?
- responsibility for the cyber risk has been allocated appropriately? Is it on the risk register?
- we have a written information security policy in place, which is championed by us and supported through regular staff training? Are we confident the entire workforce understands and follows it?
Common Cyber Attacks: Reducing the Impact
The threat landscape
Before investing in defences, many organisations want concrete evidence that they are, or will be, targeted by specific threats. Unfortunately, in cyberspace it is often difficult to provide an accurate assessment of the threats a specific organisation faces.
However, every organisation is a potential victim. All organisations have something of value that is worth something to others. If you openly demonstrate weaknesses in your approach to cyber security by failing to do the basics, you will experience some form of cyber attack.
Reducing your exposure to cyber attack
Fortunately, there are effective and affordable ways to reduce your organisation’s exposure to the more common types of cyber attack on systems that are exposed to the Internet. The following controls are contained in the Cyber Essentials scheme, together with more information about how to implement them:
- boundary firewalls and internet gateways - establish network perimeter defences, particularly web proxy, web filtering, content checking, and firewall policies to detect and block executable downloads, block access to known malicious domains and prevent users’ computers from communicating directly with the Internet
- malware protection - establish and maintain malware defences to detect and respond to known attack code
- patch management - patch known vulnerabilities with the latest version of the software, to prevent attacks which exploit software bugs
- whitelisting and execution control - prevent unknown software from being able to run or install itself, including AutoRun on USB and CD drives
- secure configuration - restrict the functionality of every device, operating system and application to the minimum needed for business to function
- password policy - ensure that an appropriate password policy is in place and followed
- user access control - include limiting normal users’ execution permissions and enforcing the principle of least privilege
If your organisation is likely to be targeted by a more technically capable attacker, give yourself greater confidence by putting in place these additional controls set out in the 10 Steps to Cyber Security:
- security monitoring - to identify any unexpected or suspicious activity
- user training education and awareness - staff should understand their role in keeping your organisation secure and report any unusual activity
- security incident management - put plans in place to deal with an attack as an effective response will reduce the impact on your business
Raising your cyber defences
The Internet can be a hostile environment. The threat of attack is ever present as new vulnerabilities are released and commodity tools are produced to exploit them. Doing nothing is no longer an option. Protect your organisation and your reputation by establishing some basic cyber defences to ensure that your name is not added to the growing list of victims.
10 Steps: Risk Management Regime
How can the risk be managed?
Establish a governance framework: A governance framework needs to be established that enables and supports a consistent and empowered approach to risk management across the organisation, with ultimate responsibility residing at board level.
Determine what risks an organisation is willing to tolerate and what is unacceptable: Agree what risks you are prepared to tolerate in pursuit of your business objectives. Produce guidance and statements that help individuals throughout the organisation make appropriate risk-based decisions.
Maintain board engagement: The board should regularly review risks that may arise from an attack on technology or systems used. To ensure senior ownership and oversight, the risks resulting from attack should be documented in the corporate risk register and regularly reviewed. Entering into knowledge sharing partnerships with other companies and law enforcement, and joining the CiSP Information Sharing Platform, can help you understand new and emerging threats as well as share approaches and mitigations that might work.
Produce supporting policies: An overarching technology and security risk policy should be created and owned by the board to help communicate and support risk management objectives, setting out the risk management strategy for the organisation as a whole.
Adopt a lifecycle approach to risk management: Technology changes, as does the threat and therefore risks change over time. A continuous through-life process needs to be adopted to ensure security controls remain effective and appropriate.
Apply recognised standards: Consider the application of recognised sources of security management good practice, such as the ISO/IEC 27000 series of standards.
Make use of endorsed assurance schemes: Consider adopting the Cyber Essentials Scheme. It provides guidance on the basic controls that should be put in place to manage the risk of online cyber attack to enterprise technology, and offers a certification process that demonstrates your commitment to cyber security.
Educate users and maintain awareness: All users have a responsibility to help manage security risks. Provide appropriate training and user education that is relevant to their role and refresh it regularly. Encourage staff to participate in knowledge sharing exchanges with peers across your organisation and beyond.
Promote a risk management culture: Risk management needs to be organisation-wide, driven by corporate governance from the top down, with user participation demonstrated at every level of the business.
10 Steps: Secure Configuration
How can the risk be managed?
Organisations need to ensure that they have put in place measures to minimise the risk of poor system configuration. The following security controls should be considered:
Use supported software: Use versions of operating systems, web browsers and applications that are vendor (or community) supported.
Develop and implement policies to update and patch systems: Implement policies to ensure that security patches are applied in an appropriate time frame, such as 14 days for critical patches. Automated patch management and software update tools might be helpful. In cases where it is not possible to patch a vulnerability, steps should be taken to make it very difficult to exploit. This might include making it difficult for an attacker to communicate with the affected system.
Create and maintain hardware and software inventories: Create inventories of all authorised hardware and software used across the organisation. Ideally the inventory should capture the physical location, business owner and purpose of hardware together with the version and patch status of all software. Tools can be used to help identify unauthorised hardware or software.
Manage your operating systems and software: Implement a secure baseline build for all systems and components, including hardware and software. Any functionality or application that does not support a user or business need should be removed or disabled. The secure build profile should be managed by a configuration control process and any deviation from the standard build should be documented and approved.
Conduct regular vulnerability scans: Regularly run automated vulnerability scanning tools against all networked devices and remedy or manage any identified vulnerabilities within an agreed time frame.
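The inventory, patching and vulnerability-scan steps above are one procedure: know what you run, know what support and patch state it is in, and measure open findings against an agreed window. The following is an added Python example, not code from Sector Forensics or from the 10 Steps guidance; the inventory records, scanner findings (with placeholder identifiers) and support dates are constructed for the example, and the remediation windows other than the 14-day critical figure quoted above are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Remediation windows in days. The 14-day figure for critical patches is the
# one the guidance gives; the other windows are assumptions for this example.
SLA_DAYS = {"critical": 14, "high": 30, "medium": 90, "low": 90}


@dataclass(frozen=True)
class Asset:
    """One inventory record: where it is, who owns it, what runs on it."""
    hostname: str
    owner: str
    location: str
    software: str
    version: str
    supported_until: date   # vendor or community support end date


@dataclass(frozen=True)
class Finding:
    """One vulnerability-scanner result; identifiers are placeholders."""
    hostname: str
    vuln_id: str
    severity: str
    first_seen: date        # first scan that reported it
    fixed: bool


def unsupported_software(inventory, today):
    """Step 'use supported software': software whose support has ended."""
    return sorted(f"{a.hostname}:{a.software}" for a in inventory
                  if a.supported_until < today)


def overdue_findings(findings, today, sla=SLA_DAYS):
    """Open findings older than the remediation window for their severity.

    Returns (hostname, vuln_id, severity, days_overdue) tuples.
    """
    overdue = []
    for f in findings:
        if f.fixed:
            continue
        window = sla.get(f.severity.lower(), sla["low"])
        deadline = f.first_seen + timedelta(days=window)
        if today > deadline:
            overdue.append((f.hostname, f.vuln_id, f.severity, (today - deadline).days))
    return sorted(overdue)


def unknown_hosts(findings, inventory):
    """Hosts the scanner saw that the inventory does not know about."""
    known = {a.hostname for a in inventory}
    return sorted({f.hostname for f in findings} - known)


# Constructed sample data for the example.
TODAY = date(2024, 3, 1)
INVENTORY = [
    Asset("web01", "sales", "DC1", "nginx", "1.24.0", date(2025, 4, 1)),
    Asset("db01", "finance", "DC1", "postgresql", "11.22", date(2023, 11, 9)),
    Asset("hr-laptop-07", "hr", "London", "windows", "10 22H2", date(2025, 10, 14)),
]
FINDINGS = [
    Finding("web01", "vuln-001", "critical", date(2024, 2, 10), fixed=False),  # 14-day window missed
    Finding("web01", "vuln-002", "high", date(2024, 2, 15), fixed=False),      # still inside 30 days
    Finding("db01", "vuln-003", "medium", date(2023, 10, 1), fixed=False),     # long overdue
    Finding("db01", "vuln-004", "critical", date(2024, 1, 1), fixed=True),     # remediated, ignored
    Finding("kiosk-99", "vuln-005", "low", date(2024, 2, 28), fixed=False),    # host not in inventory
]

if __name__ == "__main__":
    for item in unsupported_software(INVENTORY, TODAY):
        print("UNSUPPORTED", item)
    for host, vid, sev, days in overdue_findings(FINDINGS, TODAY):
        print(f"OVERDUE {host} {vid} ({sev}) by {days} days")
    for host in unknown_hosts(FINDINGS, INVENTORY):
        print("NOT IN INVENTORY", host)
```

Run against a real export, the three lists are the agenda for the change board: end-of-life software that cannot be patched at all, findings past their window, and scanned hosts nobody has claimed ownership of.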
Establish configuration control and management: Implement policies that set out a configuration control and change management process for all systems.
Disable unnecessary peripheral devices and removable media access: Assess the need for access to peripheral devices and removable media. Disable ports and system functionality that does not support a user or business need.
Implement white-listing and execution control: Create and maintain a whitelist of authorised applications and software that can be executed. In addition, systems should be capable of preventing the installation and execution of unauthorised software by employing process execution controls.
Limit user ability to change configuration: Provide users with the permissions that they need to fulfil their business role. Users with ‘normal’ privileges should be prevented from installing or disabling any software or services running on the system.
Limit privileged user functionality: Ensure that users with privileged system rights (administrators) have constrained internet and email access from their privileged account. This limits exposure to spear phishing and reduces the ability of an attacker to achieve wide system access through exploiting a single vulnerability.
10 Steps: Network Security
How can the risk be managed?
Produce, implement and maintain network security designs and policies that align with the organisation’s broader risk management approach. It may be helpful to follow recognised network design principles (eg ISO 27033) to help define an appropriate network architecture including both the network perimeter, any internal networks, and links with other organisations such as service providers or partners.
Manage the network perimeter: Manage access to ports, protocols and applications by filtering and inspecting all traffic at the network perimeter to ensure that only traffic which is required to support the business is being exchanged. Control and manage all inbound and outbound network connections and deploy technical controls to scan for malicious content:
- Use firewalls: Use firewalls to create a buffer zone between the Internet (and other untrusted networks) and the networks used by the business. The firewall rule set should deny traffic by default and a whitelist should be applied that only allows authorised protocols, ports and applications to exchange data across the boundary. This will reduce the exposure of systems to network based attacks. Ensure you have effective processes for managing changes to avoid workarounds.
- Prevent malicious content: Deploy malware checking solutions and reputation-based scanning services to examine both inbound and outbound data at the perimeter in addition to protection deployed internally. The antivirus and malware solutions used at the perimeter should ideally be different to those used to protect internal networks and systems in order to provide some additional defence in depth.
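The firewall bullet above describes a default-deny rule base with a whitelist of permitted flows, and warns that weak change control leads to workaround rules. The following added Python example (not Sector Forensics or NCSC code) models such a rule base as a first-match policy and audits it for permits broad enough to undo the default deny. The ruleset, addresses (RFC 5737 documentation ranges and RFC 1918 private space) and the "two or more wildcards" audit threshold are assumptions made for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

ANY_NET = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    action: str                          # "allow" or "deny"
    src: str                             # source CIDR
    dst: str                             # destination CIDR
    proto: str                           # "tcp", "udp", "icmp" or "any"
    dports: Optional[frozenset] = None   # None means any destination port
    comment: str = ""

    def matches(self, src_ip, dst_ip, proto, dport):
        return (ip_address(src_ip) in ip_network(self.src)
                and ip_address(dst_ip) in ip_network(self.dst)
                and self.proto in ("any", proto)
                and (self.dports is None or dport in self.dports))


def evaluate(rules, src_ip, dst_ip, proto, dport):
    """First matching rule wins. A flow no rule matches is denied, so the
    whitelist of allow rules is the only way across the boundary."""
    for index, rule in enumerate(rules):
        if rule.matches(src_ip, dst_ip, proto, dport):
            return rule.action, index
    return "deny", None


def audit_broad_permits(rules):
    """Flag allow rules that re-open the boundary: two or more wildcards
    (any source, any destination, any port, any protocol) in one permit."""
    problems = []
    for index, rule in enumerate(rules):
        if rule.action != "allow":
            continue
        wildcards = []
        if ip_network(rule.src) == ANY_NET:
            wildcards.append("any source")
        if ip_network(rule.dst) == ANY_NET:
            wildcards.append("any destination")
        if rule.dports is None and rule.proto != "icmp":
            wildcards.append("any port")
        if rule.proto == "any":
            wildcards.append("any protocol")
        if len(wildcards) >= 2:
            problems.append((index, rule.comment, wildcards))
    return problems


# Constructed ruleset. 10.1.0.50 is the web proxy that all client browsing
# is meant to go through; rule 4 is the kind of workaround change control should catch.
RULES = [
    Rule("allow", "0.0.0.0/0", "203.0.113.10/32", "tcp", frozenset({443}), "internet -> DMZ web server"),
    Rule("allow", "203.0.113.10/32", "10.1.0.20/32", "tcp", frozenset({5432}), "DMZ web -> internal database"),
    Rule("allow", "10.1.0.0/16", "10.1.0.50/32", "tcp", frozenset({3128}), "internal clients -> web proxy"),
    Rule("allow", "10.1.0.50/32", "0.0.0.0/0", "tcp", frozenset({80, 443}), "web proxy -> internet"),
    Rule("allow", "10.1.0.0/16", "0.0.0.0/0", "any", None, "TEMP: vendor support workaround"),
    Rule("deny", "0.0.0.0/0", "0.0.0.0/0", "any", None, "explicit default deny"),
]
# The same policy with the workaround removed.
CLEAN_RULES = [r for r in RULES if not r.comment.startswith("TEMP")]

if __name__ == "__main__":
    print(evaluate(RULES, "198.51.100.7", "203.0.113.10", "tcp", 443))      # allowed by rule 0
    print(evaluate(RULES, "198.51.100.7", "10.1.0.20", "tcp", 5432))        # internet -> database: denied
    print(evaluate(RULES, "10.1.0.77", "198.51.100.25", "tcp", 443))        # client bypasses the proxy via rule 4
    print(evaluate(CLEAN_RULES, "10.1.0.77", "198.51.100.25", "tcp", 443))  # denied once rule 4 is gone
    for index, comment, wildcards in audit_broad_permits(RULES):
        print(f"rule {index} '{comment}' is too broad: {', '.join(wildcards)}")
```

The single-wildcard permits (any source to the DMZ web server on 443; the proxy to any destination on 80 and 443) are the deliberate whitelist. The "TEMP" rule lets every internal client reach the Internet directly on any port, which is exactly the exposure the proxy design was meant to remove, and the audit picks it out without anyone having to read the rule base by hand.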
Protect the internal network: Ensure that there is no direct routing between internal and external networks (especially the Internet), which limits the exposure of internal systems to network attack from the Internet. Monitor network traffic to detect and react to attempted or actual network intrusions.
- Segregate networks as sets: Identify, group and isolate critical business systems and apply appropriate network security controls to them.
- Secure wireless access: All wireless access points should be appropriately secured, only allowing known devices to connect to corporate Wi-Fi services. Security scanning tools may be useful to detect and locate unauthorised or spoof wireless access points.
- Enable secure administration: Administrator access to any network component should be properly authenticated and authorised. Make sure default administrative passwords for network equipment are changed.
- Configure the exception handling processes: Ensure that error messages returned to internal or external systems or users do not include sensitive information that may be useful to attackers.
- Monitor the network: Network intrusion detection and prevention tools should be deployed on the network and configured by qualified staff. The capabilities should monitor all traffic for unusual incoming and outgoing activity that could be indicative of an attack. Alerts generated by the system should be promptly managed by appropriately trained staff.
- Assurance processes: Conduct regular penetration tests of the network architecture and undertake simulated cyber attack exercises to ensure that security controls have been well implemented and are effective.
10 Steps: Managing User Privileges
How can the risk be managed?
Organisations should determine what rights and privileges users need to effectively perform their duties and implement a policy of 'least privilege'.
Establish effective account management processes: Manage user accounts from creation, through-life and eventually revocation when a member of staff leaves or changes role. Redundant accounts, perhaps provided for temporary staff or for testing, should be removed or suspended when no longer required.
Establish policies and standards for user authentication and access control: A corporate password policy should be developed that seeks an effective balance between security and usability as set out in our password guidance. For some accounts an additional authentication factor (such as a token) may be appropriate.
Limit user privileges: Users should be provided with the reasonable minimum rights and permissions to systems, services and information that they need to fulfil their business role.
Limit the number and use of privileged accounts: Strictly control the granting of highly privileged system rights, reviewing the ongoing need regularly. Highly privileged administrative accounts should not be used for high risk or day to day user activities, for example web browsing and email. Administrators should use normal accounts for standard business use.
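The account management and privileged account steps above can be checked against a directory export rather than trusted to process. The following added Python example is not Sector Forensics or NCSC code; the accounts, the HR leavers list, the 90-day "unused" threshold and the rule that every privileged account holder must also hold a standard account (so that day-to-day email and browsing have somewhere else to happen) are assumptions for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

STALE_DAYS = 90   # assumption: an enabled account unused this long is redundant


@dataclass(frozen=True)
class Account:
    name: str
    owner: str                 # person or team the account was issued to
    kind: str                  # "standard", "privileged", "temporary", "test", "service"
    enabled: bool
    last_logon: Optional[date]
    expires: Optional[date]    # temporary and test accounts should always have one


def leaver_accounts_still_enabled(accounts, leavers, today):
    """Owner has left (per HR leave date) but the account is still enabled."""
    return sorted(a.name for a in accounts
                  if a.enabled and a.owner in leavers and leavers[a.owner] <= today)


def stale_accounts(accounts, today, stale_days=STALE_DAYS):
    """Enabled accounts with no logon inside the window, or never used at all."""
    cutoff = today - timedelta(days=stale_days)
    return sorted(a.name for a in accounts
                  if a.enabled and (a.last_logon is None or a.last_logon < cutoff))


def temporary_without_expiry(accounts):
    """Temporary or test accounts that will never switch themselves off."""
    return sorted(a.name for a in accounts
                  if a.kind in ("temporary", "test") and a.enabled and a.expires is None)


def privileged_without_standard_account(accounts):
    """Privileged accounts whose holder has no enabled standard account, so the
    privileged one is the only one available for everyday work."""
    standard_owners = {a.owner for a in accounts if a.kind == "standard" and a.enabled}
    return sorted(a.name for a in accounts
                  if a.kind == "privileged" and a.enabled and a.owner not in standard_owners)


# Constructed sample data.
TODAY = date(2024, 3, 1)
LEAVERS = {"jsmith": date(2024, 1, 31), "contractor-a": date(2024, 4, 30)}  # second has not left yet
ACCOUNTS = [
    Account("jsmith", "jsmith", "standard", True, date(2024, 1, 30), None),          # leaver, still enabled
    Account("adm-jsmith", "jsmith", "privileged", False, date(2024, 1, 30), None),   # already disabled
    Account("akhan", "akhan", "standard", True, date(2024, 2, 29), None),
    Account("adm-akhan", "akhan", "privileged", True, date(2024, 2, 28), None),      # paired with "akhan": fine
    Account("adm-root-ops", "ops-lead", "privileged", True, date(2024, 2, 27), None),  # no standard account
    Account("tmp-audit", "contractor-a", "temporary", True, date(2024, 2, 20), None),  # no expiry set
    Account("svc-backup", "backup-team", "service", True, date(2023, 11, 1), None),  # unused for months
    Account("test-qa1", "qa", "test", True, None, date(2024, 6, 30)),                # never logged on
]

if __name__ == "__main__":
    print("leavers still enabled:", leaver_accounts_still_enabled(ACCOUNTS, LEAVERS, TODAY))
    print("stale:", stale_accounts(ACCOUNTS, TODAY))
    print("temporary without expiry:", temporary_without_expiry(ACCOUNTS))
    print("privileged with no standard account:", privileged_without_standard_account(ACCOUNTS))
```

Each list maps to a sentence in the guidance: the first two to removing redundant and leaver accounts, the third to temporary and test accounts, the last to administrators having a normal account for standard business use. The HR feed is the key input; without an authoritative leavers list the first check cannot be automated.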
Monitor: Monitor user activity, particularly access to sensitive information and the use of privileged account actions. Respond where activities are outside of normal, expected bounds (such as access to large amounts of sensitive information outside of standard working hours).
Limit access to the audit system and the system activity logs: Activity logs from network devices should be sent to a dedicated accounting and audit system that is separated from the core network. Access to the audit system and the logs should be strictly controlled to preserve the integrity of the content, and all privileged user access to it should be recorded.
Educate users and maintain their awareness: All users should be aware of the policy regarding acceptable account usage and their personal responsibility to adhere to corporate security policies.
10 Steps: User Education and Awareness
How can the risk be managed?
Produce a user security policy: Develop a user security policy, as part of the overarching corporate security policy. Security procedures for all systems should be produced with consideration to different business roles and processes. A 'one size fits all' approach is typically not appropriate for many organisations. Policies and procedures should be described in simple business-relevant terms with limited jargon.
Establish a staff induction process: New users (including contractors and third party users) should be made aware of their personal responsibility to comply with the corporate security policies as part of the induction process. The terms and conditions for their employment, or contract, should be formally acknowledged and retained to support any subsequent disciplinary action.
Maintain user awareness of the security risks faced by the organisation: All users should receive regular refresher training on the security risks to the organisation. Consider providing a platform for users to enquire about security risks and discuss the advice they are given. On the whole, users want to do the right thing, so giving them guidance to put security advice into practice will help.
Support the formal assessment of security skills: Staff in security roles should be encouraged to develop and formally validate their security skills through enrolment on a recognised certification scheme. Some security related roles such as system administrators, incident management team members and forensic investigators may require specialist training.
Monitor the effectiveness of security training: Establish mechanisms to test the effectiveness and value of the security training provided to all users. This will allow training improvements and the opportunity to clarify any possible misunderstandings. Ideally the training provided will allow for a two-way dialogue between the security team and users.
Promote an incident reporting culture: The organisation should enable a security culture that empowers staff to voice their concerns about poor security practices and security incidents to senior managers, without fear of recrimination. This should be reciprocated with a culture where security professionals acknowledge that security-related effort by non-security staff is time away from their work, and is helping to protect the organisation.
Establish a formal disciplinary process: All staff should be made aware that any abuse of the organisation’s security policies will result in disciplinary action being taken against them. All sanctions detailed in policy should be enforceable at a practical level.
10 Steps: Incident Management
How can the risk be managed?
Establish an incident response capability: Identify the funding and resources to develop, deliver and maintain an organisation-wide incident management capability. Resources could be in house, or you might pre-establish a relationship with a specialist incident management company. This should address the full range of incidents that could occur and set out appropriate responses. The supporting policy, processes and plans should be risk based and cover any legal or regulatory reporting requirements.
Provide specialist training: The incident response team may need specialist knowledge and expertise across a number of technical (including forensic investigation) and non-technical areas. You should identify recognised sources (internal or external) of specialist incident management training and maintain the organisation’s skill base.
Define the required roles and responsibilities: Appoint and empower specific individuals (or suppliers) to handle incidents and provide them with clear terms of reference to make decisions and manage any incident that may occur. Ensure that the contact details of key personnel are readily available to use in the event of an incident.
Establish a data recovery capability: Data losses can occur, so a systematic approach to the backup of essential data should be implemented. Where physical backup media is used, this should be held in a physically secure location, ideally offsite. The ability to recover archived data for operational use should be regularly tested.
Test the incident management plans: All plans supporting security incident management (including business continuity and disaster recovery plans) should be regularly tested. The outcome of the tests should be used to inform the future development of the incident management plans.
Decide what information will be shared and with whom: For services or information bound by specific legal or regulatory reporting requirements you may have to report incidents. All internal and external reporting requirements should be clearly identified in the incident management plan.
Collect and analyse post-incident evidence: The preservation and analysis of the sequence of events that led up to the incident is critical to identify and remedy the root cause. The collected evidence could also potentially support any follow on disciplinary or legal action and the incident management policy should set out clear guidelines to follow.
Conduct a lessons learned review: Log the actions taken during an incident and review the performance of the incident management process post incident (or following a test) to see what aspects worked well and what could be improved. Review the organisational response and update any relevant policies or user training that could have prevented the incident from occurring.
User awareness: Users should be aware of their responsibilities and how they can report and respond to incidents. Users should be encouraged to report any security weaknesses or incident as soon as possible, without fear of recrimination.
Report criminal incidents to law enforcement: It is important that potential or actual cyber crime is reported to Action Fraud or other relevant law enforcement agency.
10 Steps: Malware Prevention
How can the risk be managed?
Develop and implement anti-malware policies: Develop and implement corporate anti-malware policies and standards and ensure that they are consistently implemented across your infrastructure. The approach should be applicable and relevant to all business areas.
Manage all data import and export: All data should be scanned for malicious content at the network perimeter, whether that's internet gateways or facilities to introduce removable media.
Blacklist malicious web sites: Ensure that the perimeter gateway uses blacklisting to block access to known malicious web sites.
Provide dedicated media scanning machines: Stand-alone workstations can be provided and equipped with appropriate anti-virus products. The workstation should be capable of scanning the content contained on any type of media and of inspecting content nested within files, such as archives. Ideally every scan should be bound to a known user.
Establish malware defences: Malware can attack any system process or function so a technical architecture that provides multiple defensive layers (defence in depth) should be considered. This should include the following controls.
- End user device protection: On many platforms host-based malware protection is provided by using antivirus applications. However, several platforms (such as some smartphones) meet the need to protect against malware using other mechanisms, such as application whitelisting.
- Deploy antivirus and malicious code checking solutions to scan inbound and outbound objects at the network perimeter. Where host-based antivirus is also used, it may be sensible to use different products to increase overall detection capability. Any suspicious or infected objects should be quarantined for further analysis.
- Deploy a content filtering capability on all external gateways to try to prevent attackers delivering malicious code to common desktop applications such as the web browser.
- Install firewalls where appropriate, configuring them to deny traffic by default.
- If the business processes can support it, consider disabling certain browser plugins or scripting languages.
- Where possible, disable the autorun function to prevent the automatic execution of malicious code from any type of removable media. Equally, if removable media is introduced, the system should automatically scan it for malicious content.
- Ensure systems and components are well configured according to the secure baseline build and kept up to date.
User education and awareness: Users should understand the risks from malware and the day-to-day processes they can follow to help prevent a malware infection from occurring. The user instructions should contain the following:
- Try to stop and think before clicking on links, but don't worry if you think you've clicked on something harmful. Tell your security team as soon as possible and they will help.
- Do not connect any unapproved removable media or personally owned device to the network.
- Report any strange or unexpected system behaviour to the appropriate security team.
- Maintain awareness of how to report a security incident.
10 Steps: Monitoring
How can the risk be managed?
Establish a monitoring strategy and supporting policies: Develop and implement a monitoring strategy based on business need and an assessment of risk. The strategy should include both technical and transactional monitoring as appropriate. The incident management plan as well as knowledge of previous security incidents should inform the approach.
Monitor all systems: Ensure that all networks, systems and services are included in the monitoring strategy. This may include the use of network, host-based and wireless Intrusion Detection Systems (IDS). These solutions should provide both signature-based capabilities to detect known attacks, and heuristic capabilities to detect unusual system behaviour.
Monitor network traffic: Inbound and outbound traffic traversing network boundaries should be monitored to identify unusual activity or trends that could indicate attacks. Unusual network traffic (such as connections from unexpected IP ranges overseas) or large data transfers should automatically generate security alerts with prompt investigation.
Monitor user activity: The monitoring capability should have the ability to identify the unauthorised or accidental misuse of systems or data. Critically, it should be able to tie specific users to suspicious activity. Take care to ensure that all user monitoring complies with all legal or regulatory constraints.
Fine-tune monitoring systems: Ensure that monitoring systems are tuned appropriately to only collect events and generate alerts that are relevant to your needs. Inappropriate collection of monitoring information and generation of alerts can mask the detection of real attacks as well as be costly in terms of data storage and investigatory resources required.
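As an added illustration of the three points above (it is not part of the NCSC guidance, nor a Sector Forensics tool), the following Python script runs boundary-traffic checks over a handful of constructed firewall log lines: it flags sources outside the corporate address ranges, destinations in countries the business does not expect, and users whose outbound volume in the log window exceeds a threshold, and it ties every alert to a user. The log format, the corporate ranges, the expected countries, the 500 MiB threshold and the allowlisted backup target are all assumptions; the point of the allowlist is to show that tuning out a known bulk-transfer destination is a deliberate, narrow decision rather than a blanket exclusion.

```python
"""Boundary-traffic monitoring over constructed firewall log lines.

Added example, not from the NCSC guidance. Assumed log format, one
connection summary per line:
    <timestamp> <user> <src_ip> <dst_ip> <dst_country> <bytes_out>
"""
import ipaddress
from collections import defaultdict

# Tuning values (assumed; derive yours from the risk assessment).
CORPORATE_RANGES = [ipaddress.ip_network("10.0.0.0/8"),
                    ipaddress.ip_network("192.168.0.0/16")]
EXPECTED_COUNTRIES = {"GB", "IE", "US"}
LARGE_TRANSFER_BYTES = 500 * 1024 * 1024          # per user, per log window
# Authorised bulk-transfer target (assumed: the off-site backup host).
# Keep this set short; every entry is a blind spot you have chosen.
TUNED_OUT_DESTINATIONS = {"203.0.113.10"}

# Constructed sample log, not real traffic.
SAMPLE_LOG = """\
# ts                  user    src         dst            cc bytes_out
2019-03-04T09:12:01Z alice   10.1.2.3    151.101.1.69   US 18234
2019-03-04T09:13:44Z alice   10.1.2.3    203.0.113.10   GB 734003200
2019-03-04T09:15:09Z bob     10.1.2.7    198.51.100.23  GB 120
2019-03-04T09:15:10Z bob     10.1.2.7    198.51.100.23  GB 629145600
2019-03-04T09:20:30Z carol   10.1.5.9    192.0.2.44     RU 40960
2019-03-04T09:21:02Z svc-vpn 172.16.0.5  10.1.2.3       GB 512
"""


def parse_line(line):
    """Split one log line into a dict; raise on malformed input rather
    than silently dropping it (a parser gap is itself a monitoring gap)."""
    fields = line.split()
    if len(fields) != 6:
        raise ValueError(f"malformed log line: {line!r}")
    ts, user, src, dst, country, bytes_out = fields
    return {"ts": ts, "user": user,
            "src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
            "country": country, "bytes_out": int(bytes_out)}


def is_corporate(addr):
    """True if addr (str or ip_address) lies in a known corporate range.
    172.16.0.0/12 is RFC 1918 private but NOT corporate here, so it is
    treated as an unexpected source: the ranges you own are what matter."""
    addr = ipaddress.ip_address(addr)
    return any(addr in net for net in CORPORATE_RANGES)


def analyse(lines):
    """Return a list of alert dicts, each tied to the responsible user."""
    alerts = []
    outbound_per_user = defaultdict(int)
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        ev = parse_line(line)
        if str(ev["dst"]) in TUNED_OUT_DESTINATIONS:
            continue                       # deliberate tuning decision
        if not is_corporate(ev["src"]):
            alerts.append({"rule": "unexpected_source", "user": ev["user"],
                           "detail": f"{ev['src']} is outside corporate ranges"})
        if ev["country"] not in EXPECTED_COUNTRIES:
            alerts.append({"rule": "unexpected_destination", "user": ev["user"],
                           "detail": f"{ev['dst']} in {ev['country']}"})
        outbound_per_user[ev["user"]] += ev["bytes_out"]
    # Volume check runs over the whole window so many small transfers
    # by one user add up the same way as one large one.
    for user, total in outbound_per_user.items():
        if total > LARGE_TRANSFER_BYTES:
            alerts.append({"rule": "large_transfer", "user": user,
                           "detail": f"{total} bytes outbound in window"})
    return alerts


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG.splitlines()):
        print(f"ALERT {alert['rule']:<22} user={alert['user']:<8} {alert['detail']}")
```

Run as-is it raises three alerts from the sample: carol's connection to a Russian address, the VPN service host connecting from a range that is private but not one the organisation owns, and bob's 600 MiB outbound total. Alice's 700 MiB to the backup host raises nothing because that destination was tuned out on purpose, which is exactly the kind of decision the fine-tuning guidance asks you to make consciously and record.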
Establish a centralised collection and analysis capability: Develop and deploy a centralised capability that can collect and analyse information and alerts from across the organisation. Much of this should be automated due to the volume of data involved, enabling analysts to concentrate on anomalies or high priority alerts. Ensure that the solution architecture does not itself provide an opportunity for attackers to bypass normal network security and access controls.
Provide resilient and synchronised timing: Ensure that the monitoring and analysis of audit logs is supported by a centralised and synchronised timing source that is used across the entire organisation to support incident response and investigation.
Align the incident management policies: Ensure that policies and processes are in place to appropriately manage and respond to incidents detected by monitoring solutions.
Conduct a 'lessons learned' review: Ensure that processes are in place to test monitoring capabilities, learn from security incidents and improve the efficiency of the monitoring capability.
10 Steps: Removable Media Controls
How can the risk be managed?
Produce corporate policies: Develop and implement policies and solutions to control the use of removable media. Do not use removable media as a default mechanism to store or transfer information. Under normal circumstances information should be stored on corporate systems and exchanged using appropriately protected mechanisms.
Limit the use of removable media: Where the use of removable media is required to support the business need, it should be limited to the minimum media types and users needed. The secure baseline build should deny access to media ports by default, only allowing access to approved users.
Scan all media for malware: Removable media should be automatically scanned for malware when it is introduced to any system. The removable media policy could also require that any media brought into the organisation is scanned for malicious content by a standalone machine before any data transfer takes place.
Formally issue media to users: All removable media should be formally issued to individual users who will be accountable for its use and safe keeping. Users should not use unofficial media, such as USB sticks given away at conferences.
Encrypt information held on media: Sensitive information should be encrypted at rest on media. If encryption is not employed then appropriate physical protection of the media is critical.
Actively manage the reuse and disposal of removable media: Where removable media is to be reused or destroyed then appropriate steps should be taken to ensure that previously stored information will not be accessible. The processes will be dependent on the value of the information and the risks posed to it and could range from an overwriting process to the physical destruction of the media by an approved third party.
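The controls above (deny by default, approved users only, media formally issued to an accountable user, scan on every insertion, encryption at rest) combine into one authorisation decision per device insertion. The Python below is an added example of that decision logic; it is not NCSC code or a product. The event fields, the asset register and the policy choices (for instance that unencrypted issued media may be read but not written) are assumptions. In a deployment, decide() would be called by a udev rule on Linux or a device-control agent on Windows, and the register would be the asset database in which media are issued.

```python
"""Removable media authorisation: deny by default, approved users only,
formally issued media, scan on every insertion.

Added example for the removable media controls; not NCSC code and not a
product. Event layout, register and policy values are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class IssuedMedium:
    serial: str
    issued_to: str      # the accountable user
    encrypted: bool     # hardware or full-volume encryption in place


# Assumed asset register: serial -> issue record.
MEDIA_REGISTER = {
    "0F3A1B2C": IssuedMedium("0F3A1B2C", "alice", encrypted=True),
    "9C77D001": IssuedMedium("9C77D001", "bob", encrypted=False),
}
# Users with a documented business need; everyone else is denied.
APPROVED_USERS = {"alice", "bob"}
# Device classes the policy applies to; keyboards, mice etc. are ignored.
STORAGE_CLASSES = {"usb-storage", "sd-card"}


@dataclass(frozen=True)
class Decision:
    action: str            # "allow", "allow-read-only", "deny", "ignore"
    reason: str
    scan_required: bool = False


def decide(event):
    """Authorise one insertion event: {"user", "class", "serial"}."""
    if event.get("class") not in STORAGE_CLASSES:
        return Decision("ignore", "not a storage device")
    user = event.get("user", "")
    if user not in APPROVED_USERS:
        return Decision("deny", f"{user or '<no user>'} is not approved for removable media")
    serial = event.get("serial", "")
    if not serial:
        # Cheap devices often report no serial; they cannot be issued, so deny.
        return Decision("deny", "device reports no serial number")
    record = MEDIA_REGISTER.get(serial)
    if record is None:
        return Decision("deny", f"serial {serial} was never issued (unofficial media)")
    if record.issued_to != user:
        return Decision("deny", f"{serial} is issued to {record.issued_to}, not {user}")
    if not record.encrypted:
        # Assumed policy: unencrypted issued media may be read, not written,
        # so sensitive data cannot leave the estate in the clear.
        return Decision("allow-read-only", "issued but unencrypted", scan_required=True)
    return Decision("allow", f"issued to {user}", scan_required=True)


def audit_line(event, decision):
    """One line for the central log so every decision is attributable."""
    return (f"media-control user={event.get('user', '')} class={event.get('class', '')} "
            f"serial={event.get('serial', '') or '-'} action={decision.action} "
            f"scan={'yes' if decision.scan_required else 'no'} reason=\"{decision.reason}\"")


if __name__ == "__main__":
    # Constructed events, not real telemetry.
    events = [
        {"user": "alice", "class": "usb-storage", "serial": "0F3A1B2C"},
        {"user": "bob",   "class": "usb-storage", "serial": "9C77D001"},
        {"user": "bob",   "class": "usb-storage", "serial": "0F3A1B2C"},
        {"user": "alice", "class": "usb-storage", "serial": "CONF2019"},
        {"user": "carol", "class": "usb-storage", "serial": "0F3A1B2C"},
        {"user": "alice", "class": "usb-storage", "serial": ""},
        {"user": "alice", "class": "usb-hid",     "serial": ""},
    ]
    for ev in events:
        print(audit_line(ev, decide(ev)))
```

Two details matter in practice. Matching on the device's serial rather than on "is a USB stick" is what lets the policy distinguish a formally issued stick from the conference giveaway, and it also means a stick issued to one user cannot be quietly used by another. Every outcome, including the denials, is written to the central log, so the monitoring capability can see attempts to use unofficial media rather than only successful mounts.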
Educate users and maintain awareness: Ensure that all users are aware of their personal responsibilities for following the removable media security policy.
10 Steps: Home and Mobile Working
How can the risk be managed?
Assess the risks and create a mobile working policy: Assess the risks associated with all types of mobile working and remote access. The resulting mobile security policy should determine aspects such as the processes for authorising users to work off-site, device provisioning and support, the type of information or services that can be accessed or stored on devices and the minimum procedural security controls. The risks to the corporate network or systems from mobile devices should be assessed and consideration given to an increased level of monitoring on all remote connections and the systems being accessed.
Educate users and maintain awareness: All users should be trained on the use of their mobile device for the locations they will be working in. Users should be supported to look after their mobile device and operate securely by following clear procedures. This should include direction on:
- secure storage and management of user credentials
- incident reporting
- environmental awareness (the risks from being overlooked, etc.)
Apply the secure baseline build: Develop and apply a secure baseline build and configuration for all types of mobile device used by the organisation. Consider integrating the security controls provided in the End User Device guidance into the baseline build for mobile devices.
Protect data at rest: Minimise the amount of information stored on a mobile device to only that which is needed to fulfil the business activity that is being delivered outside the normal office environment. If the device supports it, encrypt the data at rest.
Protect data in transit: If the user is working remotely the connection back to the corporate network will probably use the Internet. All information exchanged should be appropriately encrypted.
Review the corporate incident management plans: Mobile working attracts significant risks and security incidents will occur even when users follow the security procedures. The incident management plans should be sufficiently flexible to deal with the range of security incidents that could occur, including the loss or compromise of a device. Ideally, technical processes should be in place to remotely disable a device that has been lost or at least deny it access to the corporate network.
The aforementioned guidance was written by the National Cyber Security Centre, a part of GCHQ, which has produced a great resource for Cyber Security that can be found at: https://www.ncsc.gov.uk/guidance
Sector Forensics follows industry-approved policies and procedures and prides itself on maintaining the externally audited quality standards ISO 9001:2008 and ISO 2700:2705 to ensure compliance with the latest rules and regulations.