IT governance is about managing information as an asset consistently with organisational strategy and organisational culture. It is about practices, supported by policies, processes, and procedures, that are subject to continuous improvement as new trends emerge internally and externally.
Security governance is a primary element of information governance. You might be more familiar with a ‘buzzier’ word: cybersecurity.
Your organisation probably has a higher level of awareness of cybersecurity than at any time before. It really is a buzzword. It is widely referred to in traditional and social media – every day, there’s reporting of a new attack, data breach, the compromise of personal information. Your organisation’s insurance brokers are almost certainly raising the prospect of cyber insurance and the risks of cyber attacks.
At heart, cybersecurity is about controlling and directing IT security. It is a framework for accountability in mitigating security risks to data, and the set of techniques for protecting computers, networks, programs and data from unauthorised access or from attacks aimed at theft or exploitation.
A quick Google will bring up myriad lists of the ‘top’ cybersecurity risks. You see that these risks change rapidly over time. The Federal Government’s Australian Cyber Security Centre has compiled The Essential Eight – a list of mitigation strategies as a starting point for organisations to improve their cyber resilience.
The Essential Eight are split into three categories of mitigation strategies:
- Preventing malware delivery and execution
- Limiting the extent of cyber security incidents
- Recovering data and system availability.
Mitigation strategies to prevent malware delivery and execution

| Strategy | Why |
| --- | --- |
| Application whitelisting of approved programs, to prevent execution of unapproved programs including .exe files, DLLs, scripts and installers | Prevent any non-approved applications (including malicious code) from executing |
| Application patching of ‘extreme risk’ vulnerabilities within 48 hours, using the latest application version | Prevent security vulnerabilities in applications being used to execute malicious code on systems |
| Configuring Microsoft Office macro settings to block macros from the Internet, and to allow only vetted macros that are either in ‘trusted’ locations with limited write access or digitally signed with a trusted certificate | Prevent Microsoft Office macros from delivering and executing malicious code on systems |
| User application hardening, e.g. configuring web browsers to block Flash, ads and Java on the Internet, and disabling unneeded features in Microsoft Office, web browsers and PDF viewers | Prevent popular ways (Flash, ads and Java) of delivering and executing malicious code on systems |
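The macro strategy in the table above is implemented on a Windows endpoint through a handful of Office registry policy values, so it can be audited rather than taken on trust. The script below is an added example written for this page; it is not code from the original post or from the ACSC. It assumes Office 2016/2019/365 (registry version `16.0`), checks only the current user's hive (a machine-wide `HKLM` policy would need the same keys checked there too), covers Word, Excel and PowerPoint, and treats an application as compliant only if macros from the Internet are blocked and other macros are limited to digitally signed code or disabled outright. That compliance rule is this example's reading of the strategy, not an official ACSC test. The script is read-only.

```powershell
# Added example (not from the original post): audit the Office macro settings that
# implement the Essential Eight "configure Microsoft Office macro settings" strategy.
# Read-only: it reports the current user's effective settings and changes nothing.
# Assumption: Office 2016/2019/365, whose registry version string is "16.0".

$OfficeVersion = '16.0'
$Apps = 'Word', 'Excel', 'PowerPoint'

# Meaning of the VBAWarnings value Office stores:
#   1 = enable all macros, 2 = disable with notification (Office default),
#   3 = disable all except digitally signed, 4 = disable all without notification
$VbaWarningsText = @{
    1 = 'Enable all macros (unsafe)'
    2 = 'Disable with notification'
    3 = 'Disable except digitally signed'
    4 = 'Disable all without notification'
}

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Return $null when the key or the value is absent instead of throwing
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Test-OfficeMacroPolicy {
    param([string]$App)
    # A Group Policy value (Policies hive) overrides the per-user setting, so read it first
    $policyKey = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$App\Security"
    $userKey   = "HKCU:\Software\Microsoft\Office\$OfficeVersion\$App\Security"

    $blockInternet = Get-RegValue $policyKey 'blockcontentexecutionfrominternet'
    if ($null -eq $blockInternet) { $blockInternet = Get-RegValue $userKey 'blockcontentexecutionfrominternet' }

    $vbaWarnings = Get-RegValue $policyKey 'VBAWarnings'
    if ($null -eq $vbaWarnings) { $vbaWarnings = Get-RegValue $userKey 'VBAWarnings' }
    if ($null -eq $vbaWarnings) { $vbaWarnings = 2 }   # Office default when nothing is set
    $vbaWarnings = [int]$vbaWarnings

    # Trusted locations: list the policy-defined paths so they can be reviewed by hand.
    # The script cannot prove a path has limited write access; that check is manual.
    $trustedKey  = "$policyKey\Trusted Locations"
    $locDisabled = Get-RegValue $trustedKey 'AllLocationsDisabled'
    $locations   = @()
    if (Test-Path $trustedKey) {
        $locations = Get-ChildItem $trustedKey |
            ForEach-Object { Get-RegValue $_.PSPath 'Path' } |
            Where-Object { $_ }
    }
    if ($locDisabled -eq 1) { $locationText = '(all trusted locations disabled)' }
    else                    { $locationText = ($locations -join '; ') }

    [pscustomobject]@{
        Application          = $App
        BlocksInternetMacros = ($blockInternet -eq 1)
        MacroSetting         = $VbaWarningsText[$vbaWarnings]
        TrustedLocations     = $locationText
        # Example's compliance rule: Internet macros blocked AND other macros either
        # signed-only (3) or fully disabled (4). Trusted locations still need manual review.
        Compliant            = ($blockInternet -eq 1) -and ($vbaWarnings -ge 3)
    }
}

$Apps | ForEach-Object { Test-OfficeMacroPolicy -App $_ } | Format-Table -AutoSize
```

Run it in a normal (non-elevated) PowerShell session as the user whose settings you want to see. A row with `BlocksInternetMacros` false or `MacroSetting` of "Disable with notification" means the user can still click through and run an untrusted macro, which is exactly the delivery path the strategy is meant to close; the fix belongs in Group Policy rather than in a script that writes the keys directly, because values set by hand under the Policies hive are overwritten at the next policy refresh.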
Mitigation strategies to limit the extent of cyber security incidents

| Strategy | Why |
| --- | --- |
| Restricting administrative privileges to operating systems and applications based on user duties, regularly revalidating the need for those privileges, and preventing the use of privileged accounts for reading email and web browsing | Prevent adversaries using privileged accounts to gain full access to information and systems |
| Operating system patching (including network devices) of ‘extreme risk’ vulnerabilities within 48 hours, using the latest operating system version | Prevent security vulnerabilities in operating systems being used to further the compromise of systems |
| Multi-factor authentication, including for VPNs, RDP, SSH and other remote access, and for users performing a privileged action or accessing a sensitive/high-availability data repository | Increase the difficulty for adversaries to access sensitive information and systems |
Mitigation strategies to recover data and system availability

| Strategy | Why |
| --- | --- |
| Daily backups of important new/changed data, software and configuration settings, stored disconnected and retained for at least 3 months, with restoration tested initially, annually and whenever IT infrastructure changes | Ensure information can be accessed again following a cyber security incident |
Next week, we will look at the Maturity Model of The Essential Eight. The Maturity Model addresses how organisations that have implemented their chosen mitigation strategies to an initial level can increase the maturity of that implementation, with the aim of eventually reaching full alignment with the intent of each mitigation strategy.
Until then, stay safe.
Managed IT