Leadership creates a legally binding corporate IT Policy focused on employee and data protection. All users, vendors, contractors, and partners must legally adhere to these policies. Follow a Framework for best results.
Risk Assessment and Business Impact Analysis determine truly important resources and data. Output determines budget and guidelines for Disaster Recovery, Business Continuity, Incident Response, and other Contingency Planning. Data and battery backups are discussed here.
Institute Change, Incident, and Configuration Management to ensure no condition is unexpected. Preventing unauthorized or untimely changes also manages faults and ensures patch management. This step includes Disaster Response.
Preparedness Planning for Your Business
FEMA National Disaster Recovery Framework
Cybersecurity & Infrastructure Security Agency (CISA) Configuration and Change Management Guide
Multifactor Authentication (MFA) requires more than a password to ensure user identity. MFA is always required for remote and escalated logins.
Outbound internet traffic is limited to a business case whitelist, all other traffic is blocked.
All network devices must authenticate with a device certificate where the platform supports one, and access is controlled by a central identity service. Centralizing identity allows regular audits of all devices, users, and policies.
Passwords must be complex and updated regularly. Elevated permissions require separate logins.
Network devices and applications are segmented to reduce the attack surface. Segmentation prevents unauthorized access between networks and devices at the fabric level, so a compromised host cannot reach systems it has no business with.
No company data is stored on mobile devices. Data may be viewed on a mobile device only after identity has been verified and the session is encrypted, and it cannot be downloaded. This limits breaches through lost or stolen devices.
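The outbound allowlist item above is the one policy in this list that maps directly onto a mechanical check: every flow is denied unless a rule with a recorded business case matches its destination, port and protocol. The following is an added example, not code from the original page; the rules, the flow records and the ticket references in it are constructed sample data, and the wildcard and CIDR semantics are my choices for illustration.

```python
"""Default-deny egress allowlist evaluator.

Added example, not from the original page. The rule set, the flow records
and the ticket references below are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    target: str          # exact FQDN, "*.domain" wildcard, or CIDR
    port: int
    proto: str           # "tcp" or "udp"
    justification: str   # the business case that put this rule on the list


# Constructed allowlist; 203.0.113.0/24 and 192.0.2.0/24 are documentation ranges.
RULES = [
    Rule("*.vendor.example", 443, "tcp", "SaaS ERP, change CHG-1234"),
    Rule("updates.vendor.example", 80, "tcp", "Package mirror, change CHG-1201"),
    Rule("203.0.113.0/24", 443, "tcp", "Payment gateway, contract PAY-7"),
    Rule("192.0.2.53/32", 53, "udp", "Sanctioned resolver for DNS-layer filtering"),
]

# Constructed flow records: "src dest port proto".
FLOWS = [
    "10.20.0.5 api.vendor.example 443 tcp",
    "10.20.0.5 API.vendor.example. 443 TCP",   # case and trailing dot must not matter
    "10.20.0.5 api.vendor.example 8443 tcp",   # allowed host, unlisted port
    "10.20.0.7 203.0.113.17 443 tcp",
    "10.20.0.7 203.0.113.17 22 tcp",
    "10.20.0.9 notvendor.example 443 tcp",     # wildcard must not bleed across labels
    "10.20.0.9 192.0.2.53 53 udp",
    "10.20.0.9 1.1.1.1 53 udp",                # unsanctioned resolver bypasses DNS filtering
]


def _host_matches(pattern: str, dest: str) -> bool:
    """Exact or wildcard FQDN match; '*.x' covers subdomains of x only."""
    dest = dest.lower().rstrip(".")
    pattern = pattern.lower()
    if pattern.startswith("*."):
        # Compare against ".x" so "evilx" and the apex "x" itself do not match.
        return dest.endswith(pattern[1:])
    return dest == pattern


def _cidr_matches(pattern: str, dest: str) -> bool:
    """CIDR match; a non-IP destination or a non-CIDR pattern never matches."""
    try:
        return ipaddress.ip_address(dest) in ipaddress.ip_network(pattern, strict=False)
    except ValueError:
        return False


def evaluate(rules: List[Rule], dest: str, port: int, proto: str) -> Tuple[str, Optional[Rule]]:
    """Return ("allow", rule) for the first matching rule, else ("deny", None).

    Protocol and port are checked before the destination, so a host allowed
    on 443 is still denied on 8443. Anything not explicitly listed is denied.
    """
    for rule in rules:
        if rule.proto != proto.lower() or rule.port != port:
            continue
        if _cidr_matches(rule.target, dest) or _host_matches(rule.target, dest):
            return "allow", rule
    return "deny", None


def audit(rules: List[Rule], flow_lines: List[str]) -> List[Tuple[str, str, int, str, str, str]]:
    """Run flow records through the policy; each result carries the business case that allowed it."""
    results = []
    for line in flow_lines:
        src, dest, port, proto = line.split()
        decision, rule = evaluate(rules, dest, int(port), proto)
        reason = rule.justification if rule else "no matching rule"
        results.append((src, dest, int(port), proto.lower(), decision, reason))
    return results


if __name__ == "__main__":
    for row in audit(RULES, FLOWS):
        print("{:<10} {:<24} {:>5} {:<4} {:<5} {}".format(*row))
```

Every allow decision is traceable to a justification string, which is what an auditor asks for; the deny rows show the three common gaps a plain host-based allowlist misses (a listed host on an unlisted port, a look-alike domain, and a client talking to a resolver other than the sanctioned one).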
Privacy and Security Compliance – Mobile Devices
NIST Guidelines for Managing the Security of Mobile Devices in the Enterprise
Conduct regular penetration testing, both external and internal, to stay within compliance and cyber-insurance requirements.
Ensure all users are properly trained on corporate policy and sign the Acceptable Use Policy (AUP). Don’t forget the remote users.
Ensure vendors, partners, and anyone with access to company data has been properly trained and accepts corporate policy in writing.
IT staff should have industry and vendor training on the technologies they support. Regular training keeps staff current on the latest threats. Give employees time to fully learn new technologies before they are deployed into production. Celebrate those who maintain certifications.
Train IT staff to perform tasks outside their normal duties to ensure proper coverage during extenuating circumstances.
Take time to investigate even minor errors and alerts. They typically are precursors to major outages and misconfigurations.
Hold tabletop exercises so that all involved parties know their role and expected actions in the event of an outage or disaster. Require IT to restore backup data to determine whether the backups are usable and how long restoration takes.
Scrub public-facing sources of open source intelligence (OSINT) data. Engage a security professional to demonstrate how this data is used against your company.
Train all users to recognize social engineering, both over the phone and by running simulated phishing campaigns. Train EVERYONE how to stay safe when traveling.
Incentivize employees to follow security protocols, such as wearing their badge.
Have a security expert demonstrate to security, IT, and users how easy it is to clone a badge, steal a password, or convince them to give out personal/confidential information.
Cloud services require firewalled, encrypted access, preferably through a software-defined wide area network (SD-WAN) implementing a zero trust secure access service edge (SASE). This prevents unauthorized and unsolicited access. Encryption with certificate validation on both ends prevents man-in-the-middle attacks and eavesdropping from outside.
Outbound internet traffic is limited to a whitelist of business use cases; all other traffic is blocked.
Integrated DNS-Layer Protection
Endpoints and users are the most numerous and most common entry points for threat actors and malicious programs. Stop unwanted applications and social engineering attempts in their tracks.
Top 5 Tips for CISOs choosing endpoint protection
Minimize failure risks through redundant layers of technology, configuration, and personnel. Ensure Business Continuity Policies are enacted in the real world.
Software Development Lifecycle (SDLC) protections reduce defects in code and harden it against outside threats. Adding protections for Docker, Kubernetes, and other container platforms, whether on premises or in the cloud, extends Secure Application Development (SecAppDev) to the deployment environment.
Sandboxing for Safety and Profit
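One concrete SDLC protection for the container platforms named above is a pre-deployment gate that rejects workload manifests with weak settings. The following is an added example and not code from the original page: a small check over Kubernetes pod specs, with a constructed weak manifest beside its hardened form. The manifests are expressed as Python dicts (labelled constructed) so the example runs without a YAML parser; the registry name and image digest are placeholders.

```python
"""Pre-deployment hardening check for container workload manifests.

Added example, not from the original page. Both manifests are constructed;
the checks correspond to common Kubernetes pod-hardening controls.
"""
from typing import Any, Dict, List

# Constructed "before" manifest: the settings a default Deployment often ships with.
WEAK_POD = {
    "metadata": {"name": "web-weak"},
    "spec": {
        "hostNetwork": True,
        "containers": [{
            "name": "web",
            "image": "registry.example/web:latest",
            "securityContext": {"privileged": True},
        }],
    },
}

# Constructed "after" manifest: same workload with the hardening applied.
HARDENED_POD = {
    "metadata": {"name": "web-hardened"},
    "spec": {
        "containers": [{
            "name": "web",
            "image": "registry.example/web@sha256:" + "a" * 64,   # placeholder digest
            "securityContext": {
                "privileged": False,
                "allowPrivilegeEscalation": False,
                "runAsNonRoot": True,
                "readOnlyRootFilesystem": True,
                "capabilities": {"drop": ["ALL"]},
            },
        }],
    },
}


def check_pod(pod: Dict[str, Any]) -> List[str]:
    """Return a list of findings; an empty list means the manifest passes the gate."""
    findings: List[str] = []
    name = pod.get("metadata", {}).get("name", "<unnamed>")
    spec = pod.get("spec", {})

    # Sharing a host namespace defeats the isolation the container is supposed to give.
    for key in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(key):
            findings.append(f"{name}: {key} is enabled (shares host namespace)")

    for c in spec.get("containers", []) + spec.get("initContainers", []):
        cname = c.get("name", "<unnamed>")
        sc = c.get("securityContext", {})
        image = c.get("image", "")
        # A mutable tag (or no tag) means the deployed code can change under you.
        if "@sha256:" not in image:
            findings.append(f"{name}/{cname}: image {image!r} is not pinned by digest")
        if sc.get("privileged"):
            findings.append(f"{name}/{cname}: privileged container")
        # Kubernetes defaults allowPrivilegeEscalation to true when it is omitted.
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(f"{name}/{cname}: allowPrivilegeEscalation not set to false")
        if not sc.get("runAsNonRoot"):
            findings.append(f"{name}/{cname}: runAsNonRoot not enforced")
        if not sc.get("readOnlyRootFilesystem"):
            findings.append(f"{name}/{cname}: root filesystem is writable")
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            findings.append(f"{name}/{cname}: capabilities are not dropped (drop: [ALL])")
    return findings


def gate(pods: List[Dict[str, Any]]) -> bool:
    """True when every manifest passes; intended as a CI step that fails the build otherwise."""
    return all(not check_pod(p) for p in pods)


if __name__ == "__main__":
    for pod in (WEAK_POD, HARDENED_POD):
        for finding in check_pod(pod) or [f"{pod['metadata']['name']}: OK"]:
            print(finding)
```

Run as a CI step, the gate fails the build on any finding, which is the point of putting the check in the pipeline rather than in a review checklist: the weak manifest cannot reach a cluster without someone explicitly changing the policy.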
Everything is monitored and logged, starting with a complete baseline of the network to establish “normal” traffic. Abnormal and excessive traffic then stands out to AI and Human watchers.
Single Pane of Glass (SPOG) Monitoring
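The baselining described above only works if "normal" is recorded per host and compared against new activity in a way that tolerates ordinary variation. The following is an added example, not code from the original page: it builds a per-host baseline from constructed daily flow summaries and then flags three kinds of deviation (volume well above the host's own history, a destination the host has never contacted, and a host with no history at all). The sample records, the multiplier of three standard deviations and the 25 percent floor for low-variance hosts are all my illustrative choices.

```python
"""Traffic baselining with simple per-host outlier detection.

Added example, not part of the original page. The flow summaries are
constructed sample data; the thresholds are illustrative choices.
"""
import statistics
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed baseline: five days of "day host dest bytes_out" summaries.
BASELINE = """
1 ws-01 api.vendor.example 1000
2 ws-01 api.vendor.example 1100
3 ws-01 api.vendor.example 900
4 ws-01 api.vendor.example 1050
5 ws-01 api.vendor.example 950
1 ws-02 updates.vendor.example 500
2 ws-02 updates.vendor.example 500
3 ws-02 updates.vendor.example 500
4 ws-02 updates.vendor.example 500
5 ws-02 updates.vendor.example 500
""".strip().splitlines()

# Constructed records for the day under review.
TODAY = """
6 ws-01 api.vendor.example 5000
6 ws-01 203.0.113.99 20000
6 ws-02 updates.vendor.example 550
6 ws-03 203.0.113.99 300
""".strip().splitlines()


def summarize(lines: List[str]) -> Tuple[Dict[str, List[int]], Dict[str, Set[str]]]:
    """Collapse records into per-host daily byte totals and the set of destinations seen."""
    daily: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    dests: Dict[str, Set[str]] = defaultdict(set)
    for line in lines:
        day, host, dest, nbytes = line.split()
        daily[host][day] += int(nbytes)
        dests[host].add(dest)
    return {h: list(d.values()) for h, d in daily.items()}, dests


def threshold(samples: List[int], k: float = 3.0, floor: float = 0.25) -> float:
    """Mean plus k standard deviations, with a floor so a flat baseline does not alert on noise."""
    mean = statistics.mean(samples)
    spread = statistics.stdev(samples) if len(samples) > 1 else 0.0
    return mean + max(k * spread, floor * mean)


def detect(baseline_lines: List[str], new_lines: List[str], k: float = 3.0) -> List[Tuple[str, str, str]]:
    """Return (host, alert_type, detail) tuples for today's deviations from the baseline."""
    totals, known_dests = summarize(baseline_lines)
    today, today_dests = summarize(new_lines)
    alerts = []
    for host in sorted(today):
        volume = sum(today[host])
        if host not in totals:
            alerts.append((host, "no-baseline", f"{volume} bytes from a host never seen before"))
            continue
        limit = threshold(totals[host], k)
        if volume > limit:
            alerts.append((host, "volume", f"{volume} bytes exceeds baseline limit {limit:.0f}"))
        for dest in sorted(today_dests[host] - known_dests[host]):
            alerts.append((host, "new-destination", dest))
    return alerts


if __name__ == "__main__":
    for host, kind, detail in detect(BASELINE, TODAY):
        print(f"{host:<6} {kind:<16} {detail}")
```

The floor matters in practice: a host that sends exactly the same amount every day has a standard deviation of zero, and without the floor any increase at all would page someone. A real deployment would keep the baseline in the monitoring platform and rebuild it on a rolling window rather than from a fixed five days.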
All network connectivity is certificate-based and controlled by an identity service. Regularly audit all devices, users, and policies: aligning devices and users with the correct policies ensures only the required access is granted. Forcing all devices to authenticate with device certificates minimizes spoofing and privilege escalation, both inside and outside.
IoT and RFID systems cannot be neglected. Multiple layers of security keep inventory, work-in-progress (WIP), and supply chain management under control.
Environmental and telemetry sensors help keep temperature and humidity within the ranges electronics tolerate. Ensuring that video surveillance, access control, and other premises monitoring equipment are themselves secured prevents physical tampering.