IT governance is about managing information as an asset, consistent with organisational strategy and organisational culture. It is about practices, supported by policies, processes and procedures, that are subject to continuous improvement as new trends emerge internally and externally.

Security governance is a primary element of information governance. You might be more familiar with a ‘buzzier’ word: cybersecurity. 

Your organisation probably has a higher level of awareness of cybersecurity than at any time before. It really is a buzzword. It is widely referred to in traditional and social media – every day there is reporting of a new attack, a data breach or the compromise of personal information. Your organisation’s insurance brokers are almost certainly raising the prospect of cyber insurance and the risks of cyber attacks.

At heart, cybersecurity controls and directs IT security. It is a framework for accountability in mitigating security risks to data: the techniques for protecting computers, networks, programs and data from unauthorised access, or from attacks aimed at theft or exploitation.

A quick Google search will bring up myriad lists of the ‘top’ cybersecurity risks, and you will see that these risks change rapidly over time. The Federal Government’s Australian Cyber Security Centre has compiled The Essential Eight – a list of mitigation strategies that serves as a starting point for organisations to improve their cyber resilience.

The Essential Eight are split into three categories of mitigation strategies: 

  • Preventing malware delivery and execution 
  • Limiting the extent of cyber security incidents 
  • Recovering data and system availability. 

Mitigation strategies to prevent malware delivery and execution

  • Strategy: Application whitelisting of approved programs to prevent execution of unapproved programs, including .exe, DLL, scripts and installers.
    Why: Prevent any non-approved applications (including malicious code) from executing.
  • Strategy: Application patching of ‘extreme risk’ vulnerabilities within 48 hours, using the latest application version.
    Why: Prevent security vulnerabilities in applications being used to execute malicious code on systems.
  • Strategy: Configuring Microsoft Office macro settings to block macros from the Internet and allow only vetted macros, either in ‘trusted’ locations with limited write access or digitally signed with a trusted certificate.
    Why: Prevent Microsoft Office macros from delivering and executing malicious code on systems.
  • Strategy: User application hardening, e.g. configuring web browsers to block Flash, ads and Java on the Internet, and disabling unneeded features in Microsoft Office, web browsers and PDF viewers.
    Why: Prevent popular ways (Flash, ads and Java) of delivering and executing malicious code on systems.

Mitigation strategies to limit the extent of cyber security incidents

  • Strategy: Restricting administrative privileges to operating systems and applications based on user duties, including regularly revalidating the need for privileges and preventing the use of privileged accounts for reading email and web browsing.
    Why: Prevent adversaries using privileged accounts to gain full access to information and systems.
  • Strategy: Operating system patching (including network devices) of ‘extreme risk’ vulnerabilities within 48 hours, using the latest operating system version.
    Why: Prevent security vulnerabilities in operating systems being used to further the compromise of systems.
  • Strategy: Multi-factor authentication, including for VPNs, RDP, SSH and other remote access, and for users performing a privileged action or accessing a sensitive/high-availability data repository.
    Why: Increase the difficulty for adversaries to access sensitive information and systems.



Mitigation strategies to recover data and system availability

  • Strategy: Backing up important new/changed data, software and configuration settings daily, stored disconnected and retained for at least 3 months. Testing restoration initially, annually and when IT infrastructure changes.
    Why: Ensure information can be accessed again following a cyber security incident.
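The patching rows above and this backup row each state a measurable figure (48 hours, daily, 3 months, annual restore testing). The script below is an added example, not part of the original post or the ACSC material, that checks constructed evidence records against those figures; the record layout, the 90-day reading of "3 months" and the asset names are assumptions.

```python
"""Check constructed patch and backup evidence against the Essential Eight figures
quoted in the post. Added example; data and field names are assumed, not real."""
from datetime import date, datetime, timedelta

PATCH_WINDOW = timedelta(hours=48)        # 'extreme risk' application/OS patches within 48 hours
RETENTION_MIN = timedelta(days=90)        # "retained for at least 3 months" (90 days assumed)
RESTORE_TEST_MAX_AGE = timedelta(days=365)  # restoration tested at least annually

# Constructed sample records (hypothetical assets, not real vulnerabilities).
# 'available' = when the vendor fix was released, 'applied' = when it was installed (None = not yet).
PATCH_RECORDS = [
    {"asset": "web-01", "severity": "extreme", "available": "2024-03-01T09:00", "applied": "2024-03-02T15:00"},
    {"asset": "db-01", "severity": "extreme", "available": "2024-03-01T09:00", "applied": "2024-03-05T10:00"},
    {"asset": "fw-01", "severity": "extreme", "available": "2024-03-08T08:00", "applied": None},
    {"asset": "app-02", "severity": "high", "available": "2024-02-20T12:00", "applied": None},
]
# Constructed backup policy evidence for one environment.
BACKUP_POLICY = {"frequency_days": 1, "offline": True, "retention_days": 60, "last_restore_test": "2023-01-15"}


def patch_sla_breaches(records, now):
    """Return (asset, status) for every extreme-risk record that missed the 48-hour window.
    Records of other severities are out of scope for this figure and are skipped."""
    breaches = []
    for rec in records:
        if rec["severity"] != "extreme":
            continue
        available = datetime.fromisoformat(rec["available"])
        end = datetime.fromisoformat(rec["applied"]) if rec["applied"] else now
        if end - available > PATCH_WINDOW:
            breaches.append((rec["asset"], "late" if rec["applied"] else "outstanding"))
    return breaches


def backup_findings(policy, today):
    """Return a list of plain-language gaps between the backup evidence and the post's figures."""
    findings = []
    if policy["frequency_days"] > 1:
        findings.append("backups not daily")
    if not policy["offline"]:
        findings.append("backups not stored disconnected")
    if timedelta(days=policy["retention_days"]) < RETENTION_MIN:
        findings.append("retention under 3 months")
    if today - date.fromisoformat(policy["last_restore_test"]) > RESTORE_TEST_MAX_AGE:
        findings.append("restoration not tested in the last year")
    return findings


if __name__ == "__main__":
    print(patch_sla_breaches(PATCH_RECORDS, datetime(2024, 3, 12, 9, 0)))
    print(backup_findings(BACKUP_POLICY, date(2024, 3, 12)))
```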

Next week, we will look at the Maturity Model of The Essential Eight. The Maturity Model addresses how organisations that have implemented their desired mitigation strategies to an initial level can increase their implementation’s maturity, with the aim of eventually reaching full alignment with the intent of each mitigation strategy.

Until then, stay safe. 
