MATURITY – IDENTIFY
Q1. Do you know with confidence all locations that your critical information is stored? (i.e. USB drives, the email server, cloud storage (Dropbox/OneDrive etc), your intranet, business partners)
Context:
Securing critical or sensitive information environments effectively requires both behavioural change and technical solutions. However, before an organisation can effectively protect the critical or sensitive information, it has to know where it is. The reality is that very few organisations can directly answer “yes” or “no” to this question. The most common answer is likely to be the middle option that implies that the organisation knows where the critical information is, but also acknowledges that the undocumented use of things like USB drives, Dropbox or other cloud storage systems, or even local hard drives of staff, pointing to the fact that critical/sensitive information could indeed be elsewhere.
Q2. Do you have a good understanding of the different sensitivities of information your organisation holds (e.g. New IP, Customer Data, Financial Data, HR Records, etc), and the relative need to protect them from unauthorised access?
Context:
Along with knowing where information is (as in Q1), knowing what information is held, and its relative sensitivity is crucial to being able to protect it appropriately. In a large business, or government, this is formalised into classification levels – i.e. Public / Internal Use Only / Confidential / Restricted – and then each piece of information is categorised into one of those. Relatively few small to medium businesses will have that level of process maturity and will typically choose 3 classification levels.
The underlying question here is whether the business recognises that while it has hard drives upon hard drives’ worth of data, not all the information is equal in value / importance and that there is a mechanism to ensure that information that is particularly sensitive is treated with additional protective measures (e.g. using encryption when it is stored, or restricting access to this information through the use of two factor authentication).
Q3. Does your business have any measures in place to control what software is installed on its systems?
Context:
This question addresses the importance of having visibility of the software installed on company systems. Very few organisations will have full whitelisting in place – though it is a highly effective way to reduce the “attack surface” for cyber attackers to target.
The gold standard for application whitelisting, as described in ASD’s ‘Strategies to Mitigate Cyber Security Incidents,’ is to set up a pre-approved and known list of approved executables (i.e. programs). While the ASD rates it as highly effective, practical implementation of application whitelisting is known to be complicated and requires significant time and effort to get right. Very few organisations will really know all the software they have installed across their user base.
A more common approach would be restricting access to ‘admin’ level accounts so that users just can’t install software but have to ask for someone to install it for them and completing periodic reviews of the organisation’s computers to identify any unapproved applications.
Q4. How do you keep track of the IT equipment (systems and devices) and software you own and use in your business?
Context:
A lot of organisations will just track their IT equipment through the financial accounting asset register, but that’s rarely going to be a comprehensive list. Often it won’t include identifying information like serial numbers, or who holds the equipment, and often low-value purchases like USB drives or smartphones included as part of a broader phone contract, will not appear.
Having an up-to-date understanding of information assets owned will enable the organisation to verify whether the IT assets are covered by key protection controls such as anti-virus, patching and logging, as well as detection mechanisms such as penetration tests and vulnerability scans. It is also essential to be able to complete an effective staff ‘off-boarding’ process (i.e. when someone leaves, making sure you get back all the IT assets they hold).
Q5. Does anyone in your business have specific responsibility for making sure all your devices and hardware runs smoothly, and are replaced when needed?
Context:
This question follows on from Q4, by way of assigning responsibility to an appropriate individual or partner to manage the organisation’s IT devices. As previously established, the existence of an accurate IT asset register is crucial to ensuring ongoing smooth operations. Poorly maintained systems and devices can result in unexpected downtime which can affect a business’ ability to continue operating effectively on an ongoing basis.
Q6. Do you have a document that explains your business’ approach to cyber security?
Context:
Security related documentation is best structured in a layered manner. The top-level is often policy level documentation which covers governance and other aspects of management intent related to security, such as roles and responsibilities.
Ideally, the next layers progressively get more detailed, with the last layer at the bottom covering how security is applied to the most granular day-to-day operational aspects. Having the policy suite aligned with an industry standard like ISO 27001 is considered good practice to ensure that all the necessary elements are covered.
Furthermore, as part of pre-contractual vetting, it is increasingly the case that the quality of a business’ approach to cyber security is used by customers and potential business partners as a major factor in deciding whether to engage further. As a result, it has become increasingly important for businesses to not only have a good overall approach to cyber security but have sufficient information available that describes this approach in a way that is geared towards being shared with business partners and customers.
Q7. How do you keep up to date with any trends, regulations and ‘expectations’ in your industry that might affect your cyber security practices?
Context:
Keeping track of regulatory and compliance related developments can be a tedious but necessary task. Regulations such as GDPR (European legislation related to personal data protection) and the introduction of the Mandatory Data Breach Notification in Australia have a direct impact on how cyber security regulation is cultivated in any organisation that seeks to collect, store and process information.
Involvement in relevant industry associations and peer groups and attending professional development events around cyber security if the protection of data is also a good way of keeping up to date with relevant cyber security practices using internal resources.
Other ways of addressing this include having external support from a reputable advisory firm, subscribing to industry mailing lists, and maintaining a close relationship with regulatory bodies.
Q8. How comfortable are you that your business keeps up to date about security vulnerabilities in systems and software that you use, and applies patches to fix those problems as quickly as you need to?
Context:
Almost all security breaches are a direct result of the exploitation of out-of-date and vulnerable applications, operating systems and hardware. The exploitation mechanism of the vulnerable software might be delivered by email, or via the web, or a USB drive.
Many organisations will not have auto-updates enabled for every single piece of software they use; the reality is that a lot of applications – e.g. little things like WinZip – may not have that option. However, to be considered strong in this area organisations ideally should be making sure that key applications they rely on for day to day work and / or those that cyber attackers are most likely to target – such as Windows and Mac operating systems, web browsers, email applications and plug-ins like Adobe Flash and Acrobat – are updated regularly. The best way to do this to enable the auto-update feature (and not clicking ‘do it later’).
It’s also a very positive sign if a business has some level of awareness of any news about software vulnerabilities – e.g. by signing up to vendor alerts, general alert services (such as the Stay Smart Online Alert Service) or following IT news services, or through doing vulnerability scans.
MATURITY – PROTECT
Q9. How well do you think your organisation assigns responsibilities so that everyone, at all levels, knows their role when it comes to cyber security?
Context:
This question relates to the importance of assigning roles and responsibilities within the business when it comes to cyber security, and ensuring that everyone knows they have a role to play in preventing a potential attack – e.g. exercising vigilance to prevent a physical security breach or a malicious email compromising an organisation’s security.
User education, embedding security responsibilities in employment contracts, and showing commitment to security by the top management are a few ways of demonstrating this commitment. Having a person accountable for cyber security is an important first step.
Q10. For any external parties your business has a relationship with (e.g. suppliers), what steps do you take to make sure that your respective responsibilities are clear when it comes to cyber security?
Context:
Often third-party suppliers (such as IT service providers) can be assumed to be providing security services, when in fact they are not. A solid starting principle is that an organisation is always accountable for its own data security. Specific security tasks can be outsourced, but the accountability cannot.
Having a legal/commercial approach to this – and handling via contract – is acceptable, but the reality is that many suppliers may not themselves be sophisticated enough to really understand what they’re being asked to commit to. A more mature organisation will go beyond relying solely on general contractual clauses and look to proactively ensure they and their key suppliers are on the same page when it comes to understanding respective responsibilities when it comes to cyber security (e.g. in terms of how sensitive or critical data needs to be handled).
Q11. What cyber security awareness activities has your organisation rolled out in the last year?
Context:
Staff play a key role, in tandem with technology and process controls, in an organisation’s defence against cyber security threats. An education program that informs staff about the most relevant cyber security threats, and provides tips on how best to stay safe against these threats is the foundation of a security-aware workforce.
Making staff feel part of the effort to be more cyber secure is bound to increase the effectiveness of cyber security education. To get this type of buy-in from staff, the education methods need to be interesting, ongoing, immersive and evolving with real world threats. The use of gamification techniques, phishing simulations, “be a hacker for a day” type training and similar initiatives are all examples of an education program that provides an immersive experience.
Q12. Do you do any background screening when hiring employees to determine if they present a security risk to your organisation?
Context:
Conducting background checks of candidates as an additional mechanism for verifying their suitability to a job role is particularly beneficial in cases where the candidate, as part of their intended role, will have access to sensitive information or information processing facilities. Costs of police and full background checks can range from $50 to $500 per staff member depending on a range of factors like nationality, where they have lived, the complexity of the required assessment and so on.
Most organisations trust employees to do the right thing - however, the tenet of “trust, but verify” comes into play here. At least for a subset of sensitive roles within an organisation, full background checks are recommended to be conducted by a third party.
Q13. Does your business provide your employees with any guidance or instructions on how to ensure that any company devices or information they take outside of your offices (e.g. on travel) are kept safe?
Context:
When employees work from outside the office, they can be susceptible to many threats such as damage/loss/theft of equipment and eavesdropping. To counter these threats, organisations need to continuously educate members of staff who are mobile or work from outside the office occasionally on good practices that need to be followed when outside corporate premises.
Risks may vary considerably depending on the location, and the guidance should cover this aspect so that employees are empowered to make an educated decision on the types of precautions that need to be taken when working from each type of location. For instance, the risks that apply when working from a café are different to the risks that need to be considered when working from an employee’s own home or taking the company laptop on a quick trip to overseas.
Q14. How confident are you that each person in your organisation, as well as any external partners, have access only to the systems and data they need access to?
Context:
Enforcing the principle of “least privilege” is one of the key tenets of information security. This means that each person should only have access to the information and systems they need in order to do their job. While this requires more time and effort – firstly to figure out who needs access to what, and secondly to technically implement it – it is a significant demonstration of maturity.
Culturally, “least privilege” can sometimes be perceived as suggesting staff will do the wrong thing so it’s useful to prepare awareness messages around it that explain its importance and value.
Q15. Does your organisation have some sort of formal process for creating and periodically reviewing all the user accounts that have access to your key systems and networks?
Context:
The creation and allocation of user accounts need to be preapproved and kept track of. To maintain control over user accounts, there should be processes to:
- Promptly disable accounts when a staff member resigns; and
- Review access rights of existing accounts (generally involving at a minimum a quarterly review)
Assigning the responsibility of creating, changing and disabling user accounts to an employee or a department will ensure accountability and will increase the effectiveness of these processes.
Q16. How confident are you that staff (or any other parties) who have access to your business’ systems and applications use passwords that are secure?
Context:
Despite their weaknesses, when deployed properly, passwords are a valuable access control measure. The following are common requirements for password construction and handling:
- Unique (i.e. should not be reused for multiple accounts)
- Not shared or written down (sticky notes shouldn’t be an option)
- Easy for the owner to remember but difficult for a potential intruder to guess (the use of passphrases can help with this)
- At least 10 - 12 characters long. Note also that traditional wisdom that the use of special characters and symbols makes for more secure passwords is now somewhat outdated – nowadays, this is thought to just encourage password re-use by users since it becomes hard to remember passwords. Alternative options that are preferable include the use of passphrases or password managers:
- A passphrase is generally longer than the average password and uses whole words (or variations thereof) to create nonsensical sentences that are easier to remember but not easy for cyber attackers to guess. For example – “L!sten,Ch!ldr3n” or “Ign0r@nce is bl!ss”
- A password manager is a special software application that generates unique and strong passwords for each of your online accounts and stores them securely so that you don’t have to remember them – you simply need to remember a single “master password” to access the password store. Examples of popular password managers include LastPass, KeePass and OneLogin.
- Should be changed on a periodic basis. As a guide, requiring password changes daily or weekly may be too frequent –but every six months may not be frequent enough. Every 2-3 months is a good balance.
To further reduce the risk of a breach, a good approach is to lock a user out of their account temporarily (e.g. for a few minutes) if a maximum number of unsuccessful login attempts is exceeded, or to require an administrator to be contacted in order to reset the account. This can help flag accounts that may be in the process of being targeted by cyber attackers.
Q17. Does your organisation require the use of a 'second factor' of authentication in addition to passwords – e.g. a physical token or a one-time code sent to your phone – to verify the identity of users trying to access any of your critical systems, networks or information (whether on or offsite)?
Context:
Adding another layer of authentication to the use of passwords – such as the use of a one-time password delivered via a token or the use of SMS – will make it significantly more difficult for a malicious actor to gain access to a device, system or network. For this reason, it is increasingly being seen as a necessary practice for access to critical systems, applications and information stores to be controlled through the use of a second factor of authentication. This is especially important for where that access might involve performing privileged operations (such as changing system configuration or having the ability to modify critical data) or where the access is occurring via remote solutions (including cloud-based systems).
It is important to remember that the use of a second-factor of authentication does not diminish the need to still ensure that password practices within an organisation are strong.
Q18. Does your business ever provide staff with 'shared' user accounts, and/or accounts with administrative privileges, to do their job?
Context:
Typically, in any organisation, one or a group of people need to have elevated access privileges to systems to get certain things done (e.g. IT administrators in order to change system configuration parameters or install certain types of software). For cyber attackers (or malicious insiders), gaining control of an account with privileged access (typically known as ‘administrative accounts’) is the holy grail because the elevated access privileges enable them to cause more significant damage to an organisation than breaching an ordinary user account.
To be clear, the existence of administrative accounts in and of themselves is not poor practice – rather, it is the potential over-use or inappropriate use of these accounts that can cause problems. Good practice includes assigning separate, unique privileged accounts for each person who needs this type of access (but making sure that the number of accounts is limited to as low a number as possible), and making sure that normal business activities are not performed using privileged accounts i.e. for day-to-day job functions, people should have separate accounts that do not provide administrative access. The administrative access should only be used when absolutely necessary). There should also be frequent reviews of privileged access allocations to make sure they are still required.
In addition, it is far better practice for an organisation to make sure that each user in an organisation has their own separate user account, rather than using shared accounts across multiple staff members. The use of shared accounts can exacerbate the effects of a potential cyber security breach and make it more difficult to trace the origins of a breach to a specific source.
Q19. Do you have a policy in place for how your staff should send sensitive information to third parties?
Context:
While the exchange of information with third party entities is inevitable, a more mature organisation will ensure that any sensitive information is transmitted in a fashion that is as secure as possible to prevent the potential interception of that information by malicious third parties.
Files can be exchanged via USB keys, or any one of a dozen cloud services (e.g. Dropbox, Box.com, Google Drive, OneDrive and many others), via e-mail, FTP, and so on. All of these can be good or bad solutions depending on how they are configured and used in practice.
The important thing is having a clear organisational ‘standard’ for transferring sensitive data, and having confidence in the data being protected through encryption during transit.
Q20. Does your business develop any software applications in-house? If so, are you confident that your 'production' systems are kept separate from your 'non-production' systems?
Context:
A development / non-production environment is generally a separate area of an organisation’s IT environment where any systems involved in the development of software applications, as well as the applications themselves, are housed. Organisations may also have a separate environment where applications are tested for any problems prior to being made live within the business (which means they are released into production).
Segregation of development, testing and production environments reduces the likelihood of a weakness, bug or other issue in a non-production system being introduced leading to the compromise of production data / systems. Development and test systems, by their nature, are not as tightly controlled as production systems, and as such are much more likely to have weaknesses present.
If appropriate separation of environments is not enforced, the weakness and vulnerabilities that have been shared with the production system could be exploited, resulting in a breach.
Q21. If you do develop any software applications in-house, how confident are you that those applications are developed using practices that help ensure they will operate in a secure way?
Context:
All software has bugs – industry estimates are that something like 1 bug per 2,000 lines of code exists after all testing is completed. Most of those aren’t security issues, but some of them will be. Organisation therefore have to ensure that their developers are well trained in secure coding practices and testing techniques to minimise the risks posed during the process of development.
Integration of a secure development process in the software development lifecycle with references to external sources of good practice for secure coding provides an indication that security is part of the development process and not an afterthought (for example, the Open Web Application Security Project’s list of the Top 10 security risks for web-based applications).
The importance of developing applications securely extends to all of technology platforms (e.g. manufacturing systems and kiosks), and all types of code, whether firmware, control systems, or of course the obvious web applications.
Q22. Does your organisation take steps to keep its most important or mission-critical systems separated from the rest of your IT environment?
Context:
Network segregation refers to the use of more than one network to group systems of similar risk profiles together and the application of controls to govern connectivity and access between the networks. Such an approach can make it more difficult for a malicious cyber attacker to locate and gain access to a company’s most sensitive information/systems, and limit the effects of a potential breach as a breach of a low security risk system won’t necessarily allow access to higher security risk systems.
Signs to look for that indicate a good approach include splitting up networks so that Internet accessible servers, internal servers, workstations, and guests / visitor devices are separated onto different networks; ideally, firewalls should be in place, to protect the networks against unauthorised connection attempts. In addition, any guests who are given network access (e.g. for internet connectivity) should not have access to networks with systems that are mission-critical.
Q23. What steps, if any, does your business take to try and prevent and detect any malicious content passing through your networks?
Context:
Splitting up networks into smaller subnetworks (as addressed in Q22) is just one of the ways of approaching good network security. In addition to that, implementing extra layers of protection between networks can help to significantly limit the potential for a security breach in one part of an organisation’s IT environment to escalate to a breach that is much higher-impact and wider in scale.
Additional technical controls include the use of firewalls, as well as intrusion protection and detection systems (that can help to detect and prevent questionable or malicious traffic). These measures can also help in alerting the organisation where there is a potential security breach so that it can be identified, contained and investigated as rapidly as possible.
Q24. How confident are you that your organisation has a good overall understanding of the different cyber security risks it faces from both internal and external sources, and their relative importance?
Context:
Having a methodical and consistent process in place to identify and document the specific cyber risks a business faces is an important factor of a strong overall approach to cyber security. A risk assessment typically attempts to triage risks by evaluating their potential business impact and likelihood of their occurrence, and identifying methods to how the identified risks can be treated effectively
A periodic risk assessment done by an internal party or by an external consultant with security expertise will provide a point-in-time snapshot of the risk posture of the organisation and establish a repeatable process that can be tracked over time. Conducting periodic risk assessments (e.g. every six months or, at the very least, annually), agreeing on remediation items and then closely tracking them in an updated risk register until closure are all indications of a mature risk management process.
Q25. Would it be possible for someone who is not part of your organisation – such as a visitor – to gain physical access to areas of your premises where important systems or sensitive information are kept?
Context:
Physical access controls – such as the use of access passes, key codes or similar – are important to have in place to ensure only authorised staff have access to an organisation’s premises (and particularly critical systems and information). Guests should only be provided with supervised access to premises.
The existence of a ‘check in’ process through a reception area is useful to some extent but given the increasing propensity for businesses to operate in shared / co-working space environments, cannot be relied upon in isolation as an effective way of restricting access (particularly to locations where critical systems and information are situated). In addition, physical documents containing sensitive information should be kept in secured lockers or compartments within the premises when not being used by staff.
Q26. Do you have a process in place to set up systems in a pre-defined way, before you allow your staff to use them?
Context:
Setting up systems in a pre-defined, secure way (also known as “hardening”) is a valuable way of minimising potential exposure to threats. This involves the removal of all non-essential software applications or programs from systems and devices.
The premise of hardening is to minimise the opportunities available for malicious actors to compromise the security of systems within a business through exploiting unknown vulnerabilities. Typically, newly acquired systems will come installed with certain default applications – but it is important to check these to make sure they are all actually required for business purposes. If they are not, they should be removed.
MATURITY – DETECT
Q27. Does your organisation currently use any technology to try and prevent a malware infection in your IT environment?
Context:
The use of reputable software to prevent and detect malware infections on all of a business’ key systems is highly recommended practice in cyber security. In modern parlance this is known as anti-malware software, but some businesses may still refer to this synonymously as ‘anti-virus’ software.
Just as important as using anti-malware software is making sure that it is kept up to date, as new types of malware are constantly being produced. The best way to achieve this is by enabling auto-update in the anti-malware software itself. In terms of actual solutions, it is preferable for a business to make use of anti-malware software that is produced by reputable vendors (Symantec/Norton, McAfee, TrendMicro, BitDefender and Kaspersky are a few examples but by no means an exclusive list).
There are also next generation endpoint protection solutions available which adopt a different method to detecting malware than traditional products, relying more on observing software behaviour and attempting to identify suspicious patterns. This includes products produced by vendors such as Carbon Black, SentinelOne, CrowdStrike and Cylance. Use of these types of solutions is increasingly common and is a valuable method of attempting to avoid malware infections.
Q28. Does your business engage any external party to regularly test your systems and IT environment to try and find any security holes that exist?
Context:
Regular testing and reviews of the general IT environment to identify any potential security issues that might be exploited by cyber attackers is helpful to identify weaknesses that may exist. The use of vulnerability scans and/or assessments, as well as penetration testing is particularly valuable.
Vulnerability scans look for known security vulnerabilities in a system or a collection of systems. A vulnerability assessment goes further than a scan by assessing the potential risks of identified vulnerabilities to a particular business. A penetration test typically takes findings from a vulnerability assessment and attempts exploitation to demonstrate how damaging the vulnerability could be.
These types of tests can be conducted through the internal network to replicate a situation where a malicious insider attempts to damage a business, or where cyber attackers have gained access to the internal network, as well as externally on systems / applications that are visible to the outside world. The frequency of these tests should ultimately be dictated by the level of risk involved. Generally speaking, vulnerability scans are run quite frequently (e.g. monthly) whereas a penetration test is often an annual exercise.
Q29. How do you manage the potential cyber security exposure to your organisation from your suppliers? (e.g. Cloud service providers, Hosting companies, IT services partners, Law firms, Professional services firms, etc.)
Context:
When a third party has access to an organisation’s systems or data, that party becomes a potential entry point for someone seeking your systems or data. Before any third-party engagement is initiated and documents/information/data exchanged, an organisation should assess the risk that external party will introduce.
In particular, due diligence processes should be carried out to determine whether the third party fits the security requirements of the organisation prior to engagement. The level of assurance required should line up with the risk the organisation (or their system) poses: for example, a contracted accountant having access to an organisation’s cloud-based accounting system is probably low risk; but the use of a third-party middleware system that effectively controls an organisation’s valuable IP would be a high risk.
Common approaches to third party due diligence involve the use of questionnaires, and requests for documentation that outline the approach to security the third-party employs. In terms of managing the ongoing relationship, while having security requirements in contracts is certainly valuable, in high-risk situations in particular (e.g. where the third party will be hosting critical systems or information) this should also extend to carrying out periodic assessments of the third party to ensure they are complying with the security needs of the business using them.
MATURITY – RESPOND
Q30. What is your level of confidence that your organisation could respond to a security incident effectively?
Context:
A “good” response to a security incident will ultimately vary in the finer details based on the nature of the incident (e.g. a leak of sensitive information onto social media vs. a Denial of Service attack vs. a system being taken offline due to a compromise). However, at a higher level it’s important that an organisation has a solid, documented plan in place to respond to security incidents that consists of:
- A process for confirming an incident has occurred, understanding the scope of the incident and containing it so that it doesn’t escalate
- A process for remediation – taking steps to remove a security breach (this may include cleaning/removing malware infections, or restoring/rebuilding systems)
- Knowing who is responsible for doing/communicating what in the business when a security incident occurs;
- A list of key stakeholders external to the organisation who will be engaged when an incident occurs (including law enforcement authorities, legal and cyber security advisers, and incident response firms who may be able to assist in effective handling of the incident and evidence preservation);
- A regular process for reviewing incidents to identify any lessons learned that can be used to improve the incident response process for the future.
Q31. Does your organisation have measures in place to monitor and record any security events (i.e. attempted unauthorised access, or other strange behaviour) on your key systems and networks and make sure they are brought to the attention of the right people?
Context:
Having a process in place to ensure that key systems, hardware and networks are monitored, and any security events are logged and reviewed is important so that an organisation is able to quickly identify and investigate a potential security incident and implement responsive measures. For small organisations, it may be sufficient to rely on having a person in the business with some IT expertise to check logs from key hardware and systems (e.g. those produced by reputable security software). For organisations with larger IT environments, ensuring that not only all important systems and hardware have some form of logging in place, but ensuring that there is a process to identify events of interest is crucial.
Having a central log collection mechanism is a good starting point, and this will at least ensure that records exists to aid with security incident investigations.
The next step up from a log collection-only system is using a Security Incident and Event Management (SIEM) tool which can correlate events from various sources and produce actionable alerts. This can greatly simplify the process for recording, identifying and responding to security incident - although it would be unlikely that most businesses would have this level of sophistication in place. The key is ultimately to have a reliable process for collating logs and having someone review those logs/alerts from those logs regularly to identify potential incidents.
Q32. How long could you operate without access to your most critical IT system?
Context:
This question is designed to ascertain the level of resilience an organisation has to continue operating if a security incident (or some other event) affected the availability/operation of a critical IT system. To some extent there will be variability in the ability of different businesses to continue operating depending on their degree of reliance on their IT systems to function – but the signs of a “good” response here include evidence of contingency plans beyond this, such as evidence of alternate work sites where ‘warm’ or ‘hot’ backups (i.e., mirrors) of the critical system are maintained, or very recent backups that could be restored quickly to minimise system downtime and data loss.
MATURITY – RECOVER
Q33. How confident are you that you’ve got the processes and technologies in place to restore critical systems that might have been affected by a security incident? Have you ever tested this?
Context:
The key to facing a disruptive event that potentially affects critical system(s) is to have sufficient contingency plans that are already in place well in advance of a potential incident occurring (e.g. as part of a business continuity plan/disaster recovery plan). Strategies might include taking regular backups of key data and systems, processes for restoring systems (e.g. from pre-built images) and providing an option for employees to access alternative systems from home or a designated alternative work site (e.g. in the event of a natural disaster).
More mature organisations may attempt to understand the maximum tolerable downtime for key processes and systems through a formal Business Impact Analysis or other informal means. This understanding can then be used to build more complex contingency measures commensurate with the agreed tolerable downtimes. Naturally, more money and resources may be needed in these situations depending on whether the tolerable downtimes are short.
Q34. Further to the previous question, if one of your critical systems was taken down by cyber attackers, would you have a good idea of all the different stakeholders that need to be notified?
Context:
Having a good understanding of which stakeholders need to be engaged in the aftermath of a system going down is a crucial component for managing the effects of a security breach and making the recovery process more manageable. Ideally, an organisation should have a documented list in place that identifies the contact details of some or all of the following:
- External advisers (e.g. legal, incident response firms and cyber security firms)
- Law enforcement authorities
- Regulatory bodies
- External suppliers, partners or customers
Depending on the nature of the incident, some of these stakeholders may not need to be involved, while in other cases (e.g. involving data leaks) there may be broader implications, for instance the need to notify customers. The key is to make sure that, at least at a high level, a business has a good understanding of who they will likely need to engage with following an incident that affects system operations.
Q35. Does your business have a regular process to make sure that your most important systems and information key to you doing business are backed up?
Context:
Taking regular backups of key data and systems is a crucial component of helping an organisation successfully recover following a cyber security breach. This in particular requires a clear awareness of:
- where the organisation’s most sensitive/critical information is stored (i.e., what systems or locations);
- having a strategy in place to back that data up regularly (ideally daily, but at minimum, every few days); and
- checking the contents on the backups periodically – e.g. every few months – to make sure they are actually usable and working.
A backup strategy may be as simple as using an offline hard drive and keeping it stored in a separate location or using a cloud-based backup service/another form of off-site data storage. The important thing is that a business has considered backup as a key component to their business continuity plan and has a regular and reliable process in place for making sure critical data is backed up.