National Cyber Security Awareness Month presents an opportunity every year to engage public and private sector stakeholders – especially the general public – to create a safe, secure, and resilient cyber environment. Everyone has a role to play in cybersecurity. Constantly evolving cyber threats require the engagement of the entire nation – from government and law enforcement to the private sector and, most importantly, the public.
A cyber security risk assessment is necessary to identify the gaps in your organization’s critical risk areas and to determine the actions needed to close those gaps. It also ensures that you invest time and money in the right areas and do not waste resources where there is no need.
Even if you have implemented an ISO 27001 Information Security Management System, you may want to check whether your cyber security hygiene is up to the standard set by the industry guideline ISO 27032.
Use qualified in-house staff or an experienced consultant who will work with your team to examine each of the ten risk areas (described below) in sufficient detail to identify the strengths and weaknesses of your current security posture. All of this information can be consolidated into an immediately usable remediation action plan that will help you close the gap between what you are actually doing and recognized good practice. It will enable you to ensure that your cyber risk management at least matches minimum industry guidelines.
The ten risk areas that will be examined are:
1. Do you have an effective risk governance structure, in which your risk appetite and selected controls are aligned? Do you have appropriate information risk policies and adequate cyber insurance?
2. Do you have a mobile and home-working policy that staff have been trained to follow? Do you have a secure baseline device build in place? Are you protecting data both in transit and at rest?
3. Do you have Acceptable Use policies covering staff use of systems and equipment? Do you have a relevant staff training program? Do you have a method of maintaining user awareness of cyber risks?
4. Do you have clear account management processes, with a strong password policy and a limited number of privileged accounts? Do you monitor user activity, and control access to activity and audit logs?
5. Do you have a policy controlling mobile and removable computer media? Are all sensitive devices appropriately encrypted? Do you scan for malware before allowing connections to your systems?
6. Do you have a monitoring strategy? Do you continuously monitor activity on ICT systems and networks, including for rogue wireless access points? Do you analyze network logs in real time, looking for evidence of mounting attacks? Do you continuously scan for new technical vulnerabilities?
7. Do you have a technical vulnerability patching program in place, and is it up to date? Do you maintain a secure configuration for all ICT devices? Do you have an asset inventory of authorized devices, and do you have a defined baseline build for all devices?
8. Do you have an appropriate anti-malware policy and practices that are effective against likely threats? Do you continuously scan the network and attachments for malware?
9. Do you protect your networks against internal and external attacks with firewalls and penetration testing? Do you filter out unauthorized or malicious content? Do you monitor and test security controls?
10. Do you have an incident response and disaster recovery plan? Is it tested against readily identifiable compromise scenarios? Do you have an incident forensic capability, and do you know how to report cyber incidents?

Contact DISC for a Cyber Security Assessment.
Based on the Ten Steps To Cyber Security mentioned above, DISC examines whether you have appropriate measures in place for each of the ten critical information risk areas. A report with your assessment results can be presented to senior management. This report will help you put together a business case for implementing tighter security controls, to ensure that your business is protected and that you meet minimum industry compliance requirements.
The MITRE ATT&CK framework contains an enormous amount of data that can benefit organizations in a range of use cases, including but not limited to phishing, threat hunting, incident response, vulnerability management and alert triage. MITRE ATT&CK gives you in-depth descriptions of the various methods used by cybercriminals and provides you with ways to both detect and mitigate threats.

DISC makes the MITRE ATT&CK framework actionable using the CALDERA cyber security framework.