Update 5th July 2015, 28th June 2015
Where does a business or organisation start if they want to improve their information security stance?
Here are some ideas. The links are at the bottom of the post.
Council on CyberSecurity Critical Security Controls
- "The Council's Technology practice area is built upon the Critical Security Controls (the Controls), a recommended set of actions for cyber defense that provide specific and actionable ways to thwart the most pervasive attacks"
The council also has its "First Five Quick Wins"
- application whitelisting (found in CSC 2);
- use of standard, secure system configurations (found in CSC 3);
- patch application software within 48 hours (found in CSC 4);
- patch system software within 48 hours (found in CSC 4); and
- reduced number of users with administrative privileges (found in CSC 3 and CSC 12).
SANS Institute Critical Security Controls
The SANS Institute maintains a list of the top 20 critical security controls.
- "The Critical Security Controls focuses first on prioritizing security functions that are effective against the latest Advanced Targeted Threats, with a strong emphasis on 'What Works' - security controls where products, processes, architectures and services are in use that have demonstrated real world effectiveness."
Australian Signals Directorate Top 4
- "At least 85% of the intrusions that ASD responded to in 2011 involved adversaries using unsophisticated techniques that would have been mitigated by implementing the Top 4 mitigation strategies as a package."
- Application Whitelisting
- Patching Systems
- Restricting Administrative Privileges
- Creating a defence-in-depth system
Here are a number of programs from the UK Government.
Cyber security guidance for business
This guidance is aimed at business in general and starts off with board level responsibilities. It then describes the "10 steps to cyber security", which cover the following topics:
- Information Risk Management Regime
- Home & Mobile Working
- User Education & Awareness
- Incident Management
- Managing User Privileges
- Removable Media Controls
- Security Configuration
- Malware Protection
- Network Security
Cyber Street Wise
Cyber Street Wise has the following "five essential tips for cyber safety" for your business:
- Install Updates and antivirus software
- Use strong passwords
- Only download from trusted sites and organisations
- Beware of phishing emails
- Review and protect your business' information
Cyber Essentials
"Cyber Essentials" "is a government-backed, industry supported scheme to help organisations protect themselves against common cyber attacks."
This is more technical and covers the following five areas:
- Boundary firewalls and internet gateways
- Secure configuration
- Access control
- Malware protection
- Patch management
"From 1 October 2014, [UK] government requires all suppliers bidding for certain sensitive and personal information handling contracts to be certified against the Cyber Essentials scheme."
- Council on CyberSecurity Critical Controls
- SANS Institute Critical Security Controls
- Australian Signals Directorate Top 4 Mitigation Strategies
- Cyber Street Wise
- Cyber security guidance for business
- Cyber Essentials Scheme