Cyber Protection and Data Security, Processes and Procedures

Thank you for reading my latest blog on NIST standards and the Protect function. In this blog I will look at how Data Security falls under the Protect function. User access control starts the ball rolling on this, so it’s all about knowing the criticality and sensitivity of your data. Assess your data’s criticality to the business. Know what your data assets are.

Having identified these, you need to understand their level of criticality. Make sure you have user access control in place. Are you encrypting all the data in your databases? Is it appropriate for you to do so, and will it provide protection if you do? What is the level of encryption, and what about data at rest?
What standards have you set around data encryption? Is it all data, for example, or is it only personally identifiable information that is encrypted? Or is no data encrypted? There may be a perfectly acceptable business reason for that, but it needs to be highlighted and sense checked.

INFORMATION PROTECTION PROCESSES AND PROCEDURES

I have covered elements of Information Protection Processes and Procedures in previous blogs, but essentially it means organisations committing to placing cyber security at the heart of their organisation. This commitment should extend across the business. Certainly within the IT department, as a minimum, there need to be standard processes and procedures that have security at their heart.

Patch management should be in place for all organisations, ensuring that servers are updated to the appropriate software levels and that security patches released by operating system and software makers are applied. Microsoft, for example, have Patch Tuesday. Make sure that you have processes and procedures in place to implement updates and patches safely. Do not just take it for granted that Microsoft have done their job; your software or configuration may be slightly different. So applying the patches or updates in a test environment before they are applied to your live servers is the correct and best practice approach.

Not applying patches promptly can mean that your organisation is at risk from hackers exploiting flaws that have already been fixed. The release of a security patch can act as a press release to hackers, who can examine the released software and understand the nature of the vulnerability. They can then target un-patched computers, or perhaps just create a “virus” that spreads widely but will only be able to attack un-patched computers.

An often underplayed part of protection is an organisation’s policies. Having the appropriate policies in place, ensuring that there is a good understanding of what they are, and reviewing them regularly so that they provide the right level of information and cyber security protection for your organisation as it exists today, can make the difference between your organisation being the victim of an attack and having a near miss.

Darren Wray