Based on a true story:
A system administrator in local government who manages an application works in two environments: one live, the other for testing and development. In the testing environment he tries out new patches and releases for the application – making sure things work as intended without affecting the live environment.
A manager noticed that the developer’s work kept disappearing, even after watching them enter data into the system. The sysadmin investigated and realized that changing the color scheme within the testing environment had damaging consequences: the users couldn’t tell whether they were in live or test mode. All the data they were entering was going into the test environment, but when they looked for it in live, it couldn’t be found.
Does this scenario sound familiar? It encompasses people, processes, and technology:
- People: the sysadmin, the developer, the employee and the manager
- Processes: the data entry, and use of the testing and staging environments
- Technology: the system used for said processes
By not restricting permissions to change preferences such as hue, the agency left itself vulnerable and increased its cyber risk. Implementing an effective information security management system (ISMS) would have addressed this and the situation most likely would have been avoided.
ISO 27001 applies the least privilege principle to control access to data and systems, granting rights based on functional responsibilities. Employees are given the lowest level of user rights needed to function in their role.
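As an added illustration (not code from this post or from IT Governance), the following Python sketch models the scenario above: the environment indicator is derived from server-side deployment state rather than from a changeable preference, and changing the theme is an action reserved for the sysadmin role under least privilege. The role names, actions and banner text are assumptions made for the example.

```python
from dataclasses import dataclass, replace
from enum import Enum


class Environment(Enum):
    LIVE = "live"
    TEST = "test"


class Role(Enum):
    SYSADMIN = "sysadmin"
    DEVELOPER = "developer"
    EMPLOYEE = "employee"


# Least privilege: each action lists only the roles whose function needs it.
# Changing the look of the system is an administrative action, not an
# end-user preference, so only the sysadmin holds it (assumed mapping).
PERMISSIONS = {
    "enter_data": {Role.SYSADMIN, Role.DEVELOPER, Role.EMPLOYEE},
    "change_theme": {Role.SYSADMIN},
}


@dataclass(frozen=True)
class Deployment:
    """Server-side state of one installed instance (constructed for this example)."""
    environment: Environment   # fixed at deploy time; never a user preference
    theme: str = "default"     # cosmetic and changeable, but only by permitted roles


def is_allowed(role: Role, action: str) -> bool:
    """Authorization check: True only if the role is listed for the action."""
    return role in PERMISSIONS.get(action, set())


def change_theme(deployment: Deployment, actor: Role, new_theme: str) -> Deployment:
    """Apply a theme change only if the actor's role carries that right."""
    if not is_allowed(actor, "change_theme"):
        raise PermissionError(f"{actor.value} may not change the theme")
    return replace(deployment, theme=new_theme)


def render_banner(deployment: Deployment) -> str:
    """Environment indicator derived from the deployment itself, so no theme
    change can make a test instance look like the live one."""
    if deployment.environment is Environment.LIVE:
        return f"[{deployment.theme}] LIVE"
    return f"[{deployment.theme}] *** TEST ENVIRONMENT: data entered here is not live ***"
```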
What is an ISMS?
Any organization that processes the information of individuals has a responsibility to keep it secure from hackers, data breaches, and other compromises. An ISMS is a centrally managed framework used to accomplish information security by taking a comprehensive approach towards people, processes and technology. Policies, and physical and technical controls protect the confidentiality, availability, and integrity of information.
Implementing an ISMS that follows ISO 27001 – the international standard that defines ISMS best practice – will put your organization at an advantage and help you to avoid the above scenario.
This is because, under ISO 27001 compliance, the appropriate controls relating to strict access control, user privileges and user responsibilities would have been implemented. ISO 27001 recommends a list of 114 controls that have been tried and tested to provide effective security across a range of scenarios, including the one above.
Attaining ISO 27001-accredited certification verifies that your organization is following established best practice to secure all types of data – personal, sensitive, confidential and intellectual property.
Roll out a staff awareness program to inform people
A report last year from IBM found that 60% of all cyberattacks occur because of insider fault – either malicious or inadvertent. All staff should regularly undergo training to increase their awareness of information security, and to understand the purpose of an ISMS and the consequences of not adhering to its policies.
Staff awareness training is a powerful method to give them the knowledge necessary to meet contractual, legal, and regulatory requirements for information security. Ensuring that employees are informed, up to date, and actively practicing these requirements can be costly, especially for larger organizations.
You may choose to outsource training to professionals. If you have the training resources in place but need some direction or additional support, IT Governance has simple-to-use, effective e-learning staff awareness courses that are hassle-free and cost-effective.
Our ISO 27001 staff awareness courses improve ISMS awareness in a non-technical, easy-to-comprehend format. eLearning courses can be completed within the organization’s timeframe depending on its needs.
Processes are imperative for effective cybersecurity
An effective cybersecurity strategy relies on processes to mitigate information security risks. Although a policy is a guiding principle used to direct the activities within an organization, a procedure is more granular, and involves the established, repetitive steps needed to achieve consistent, targeted results.
Technology is crucial to address cyber risks
Technology and cyber safety are closely interconnected. Technology can prevent or reduce the impact of cyber risks, depending on your risk tolerance. Technical solutions will also help preserve business continuity if a data breach occurs. Assess what technical controls you need to put in place, then choose the appropriate solutions from what’s available.
IT assets are often affected by technical vulnerabilities, so penetration testing is vital. Unpatched software, insecure applications, and poor security hygiene can undermine your entire ISMS project.
Organization-wide awareness is crucial to ISO 27001 ISMS implementation
People, processes, and technology are nothing unless your organization knows how to execute the ISMS properly. For example, your organization can’t afford to deploy technology unless you have the right infrastructure in place, including:
- An adequate overall plan
- Competent people
- Efficient processes
How do you build an infrastructure that properly leverages people, processes, and technology?
Knowing the risks and information security needs of your organization and giving this knowledge to your employees is a good place to start. Our Security Awareness Program provides a comprehensive learning needs assessment and prescribes a range of awareness interventions that can be deployed.
Through the Security Awareness Program, you will benefit from a behavior evaluation of your organization from an information security perspective. Once the assessment is complete and you’ve undergone a learning needs analysis, we will empower you with the appropriate tools and resources to suit your organization’s needs and keep your audience engaged.