Thursday, April 17, 2014

Cyber Security

A few notes to consider to help protect your process, technology and people. Cyber security should feed into your existing risk management system, including the proper insurance coverage. It needs to include people, data and devices. It also needs to encompass how data files are transferred to employees when they are outside the office. Here is a list to start evaluating cyber risk:

IR 1 - Identification and Authentication Control
IR 2 - Use Control
IR 3 - System Integrity
IR 4 - Data Confidentiality
IR 5 - Restricted Data Flow
IR 6 - Timely Response to Events
IR 7 - Resource Availability

Each IR (Identified Risk) item needs to be defined according to your business. Next is the level of risk associated with each IR.

RL 1 - Low Risk - Coincidental - not much concern if access is breached on simple programs that have shared passwords, no password protection or specific user names.

RL 2 - Low Motivation - something someone might view out of curiosity if it was open or accessible, but where there is no threat from an information breach.

RL 3 - Moderate - something someone would try to access to obtain confidential information for the purpose of personal or business gain.

RL 4 - High - something someone would intentionally hack into a system for, for the sole purpose of monetary gain, either directly by selling it or indirectly through the destruction of property.

Each RL (Risk Level) needs to be addressed according to your business and added to your employee manuals so everyone with a company device or access knows your policy.

Following this simple guideline can help you focus on the biggest threats to your business and get the most out of your early effort.