This guide is split into ten (10) simple sections and assumes the following:
- You want to take reasonable steps expected of someone responsible for protecting corporate digital assets.
- You will be using this guide to implement mainly software-based approaches to protect data and will apply this standard in principle.
- You will apply security controls as a continuous process and work in the best interest of the business.
- You will think critically and will implement specific solutions that are reputable, sensible, affordable, effective, and fit well with the target business’ operations.
- You are solution focused, dislike procrastination and bureaucracy and aim to get things done.
1. Take Responsibility
1.1.1 Lead - Business Leaders (e.g. senior management, directors, owners) must create a policy that clearly communicates the business's expectations of everyone using its computer systems. This policy must be shared with staff and relevant third parties, be simple to read and be tailored to each target audience.
The policy must communicate senior management's requirements to:
- Protect Users
- Protect Applications
- Protect Server Systems
- Protect Client Systems
- Protect Networking Devices
- Protect Data
- Enforce Compliance (Laws and Regulations)
- Manage Security Vulnerabilities
- Respond to Incidents
1.1.2 Guide - Document procedures to communicate how users must apply the policy to their daily work activities.
1.1.3 Promote a culture of scepticism and ownership - Management must encourage a business-wide culture that is professionally sceptical, supports security efforts and rejects unethical requests at all levels. Such a culture bans discrimination, especially against those who report security incidents appropriately, despite any negative impact on the business.
2. Defend in layers
2.1 Defence in depth principle
2.1.1 Protect back-to-back - Implement security controls that directly and indirectly support each other at different layers, ultimately making a successful attack more difficult and likely to be blocked or detected.
3. Know your network, systems, and data
3.1 Document and update
3.1.1 Illustrate - Build an accurate diagram of your network and update it alongside network changes.
3.1.2 Identify - Frequently scan the network using automated tools to identify active computer systems and installed applications.
3.1.3 Update - Frequently update the records of all authorised computer systems and software.
4. Protect your network, systems, and data
4.1 Malicious Traffic and Software
4.1.1 Filter untrusted network-level traffic - Restrict harmful or suspicious traffic to and from the network using a network level firewall. Create firewall rules that only allow trusted content.
4.1.2 Filter untrusted application-level traffic - Restrict harmful or suspicious traffic to and from applications using an application level firewall. Create firewall rules that only allow trusted content.
4.1.3 Filter user actions - Known risky or harmful user actions must be restricted on users' workstations/systems.
4.2 Intentional Attacks (Internal and External Sources)
4.2.1 Allow only trusted connections - Only allow authorised network connections, whether by cable or wireless. Disable all unneeded connection points.
4.2.2 Restrict network traffic - Allow only trusted traffic to enter and leave the network. Filter untrusted traffic. Untrusted traffic often includes:
- Domains and IPs with poor reputations or high-risk categories (e.g., porn, gambling, streaming, file share)
- Files with embedded code
- Unusual file types (e.g., files in storage)
- Suspicious email content (e.g., message body and attachments)
- Unusual protocols
4.2.3 Allow List - systems - Only allow authorised computer systems to connect to the corporate network.
4.2.4 Allow List - applications - Only allow authorised software to be installed or run on computer systems.
4.2.5 Investigate rogue systems - All unauthorised assets identified must be investigated and blocked where necessary.
4.2.6 Isolate risky software - Risky software that needs to run must be isolated to minimise any negative impact on the business.
4.2.7 Validate communications - Verify the integrity of all communications between systems in the local network and with external sources. For example, use or enforce:
- Valid certificates
- Anti-spoofing controls
4.2.8 Minimise access - Restrict access to unneeded software and functions based on a user’s job functions. Also, scrutinise functions included by default with an Operating System or application.
4.2.9 Centralise authentication - All user accounts must use a central policy for authenticating throughout the network.
4.2.10 Use multi-factor authentication - Require users to log in using multi-factor authentication where it is both feasible and available.
4.2.11 Auto lock idle sessions - Unattended user sessions must be locked after a reasonably short time.
4.2.12 Restrict guest access - Do not allow guests to connect to the corporate network. Guests that require internet access, especially Wi-Fi, must be assigned to a completely separate internet connection which must also be monitored and protected against abuse. Third-party business access requirements must be vetted, monitored and disabled when unneeded.
4.2.13 Encrypt stored credentials - User credentials being stored must be encrypted to prevent unauthorised access and disclosure.
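Item 4.2.13 requires stored credentials to be protected against disclosure; for user passwords the usual way to meet this is not reversible encryption but a per-credential salted, deliberately slow one-way hash, so that a stolen credential store still does not yield the passwords. The following is an added example, not part of the standard, using Python's standard-library scrypt; the cost parameters and the record format are assumptions for this illustration.

```python
import hashlib
import hmac
import os

# Cost parameters are assumptions for this example; tune them to the hardware in use.
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32


def make_verifier(password: str) -> str:
    """Return a storable record 'scrypt$<salt hex>$<hash hex>'; the password itself is never stored."""
    salt = os.urandom(16)  # fresh random salt per credential: equal passwords get different records
    digest = hashlib.scrypt(password.encode(), salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return f"scrypt${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare it in constant time."""
    try:
        scheme, salt_hex, digest_hex = record.split("$")
        if scheme != "scrypt":
            return False  # unknown or legacy (e.g. plaintext) record: never accept it
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
    except ValueError:
        return False  # malformed record: fail closed
    actual = hashlib.scrypt(password.encode(), salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return hmac.compare_digest(actual, expected)


def credential_store_is_hashed(store: dict) -> bool:
    """Check that every record in a user->record store uses the hashed scheme (no plaintext left behind)."""
    return all(record.startswith("scrypt$") and record.count("$") == 2 for record in store.values())
```

A store that still holds a plaintext or otherwise unrecognised record fails both `verify_password` and `credential_store_is_hashed`, which is the check to run before declaring 4.2.13 met.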
4.2.14 Change default credentials - Do not use default credentials (e.g., username and password). Default credentials must either be changed or disabled.
4.2.15 Upgrade End of Life software - Do not use any software no longer supported by its vendor.
4.2.16 Synchronise time - All systems must share the same time across the network.
4.2.17 Minimise Loss - Use Data Loss Prevention software where feasible to help protect against data theft and leakage. Also, consider:
- Blocking access to cloud storage
- Blocking access to removable storage
4.3 Minimise User Access
4.3.1 Give minimum access - Only give users access to computer systems and data needed to complete their job functions.
4.3.2 Review user rights often - Frequently review each user’s access rights. Minimise or remove unneeded access rights. Immediately disable access of separated employees.
4.4 Data Disclosure, Loss and Theft
4.4.1 Encrypt data on storage media - Encrypt sensitive data stored on all media. Media must include:
- Portable drives (e.g., flash drives, portable HDs, Memory cards)
- Fixed drives (Internal system drives, smartphones, and tablets)
4.4.2 Encrypt sensitive communication channels - Encrypt channels transmitting sensitive data, especially network management communication.
4.4.3 Encrypt sensitive data - Encrypt sensitive data if the communication channel is not already encrypted.
4.4.4 Backup regularly - Backup all important data at regular intervals so they can be restored when needed.
4.4.5 Isolate Backup files - Store backup files at a separate location from the systems being backed up so that, in case of a disaster, it is unlikely both copies would be damaged. E.g., physically offsite or in cloud storage.
4.4.6 Test backups - Periodically restore a backup copy to test that everything runs smoothly. This will give a realistic idea of whether a backup will be useful when needed and any issues to expect.
4.4.7 Restrict access to backup files - Preserve the integrity of backup data by limiting which users and processes can make changes to them. For example:
- Require authentication
- Lock physical media in a good safe
4.4.8 Do background checks - Do a background check on all employees, especially those requiring access to computer systems as part of their job.
4.4.9 Shred - Digitally shred unwanted sensitive data to make it hard to recover.
4.5 Administrative/ Privileged Users
4.5.1 Educate security team - Periodically train security staff and encourage them to stay up-to-date and prepared to handle various security incidents.
4.5.2 Isolate Administrators - Administrators must use separate systems for security tasks versus casual daily tasks to minimise exposing their privileged systems to external attacks. Separation could be logical (e.g., VMs, Remote Desktops) or physical (separate PCs).
4.6 Harden Computer Systems
4.6.1 Create secure baselines - Document baseline configurations, protect them from unauthorised changes and track all changes.
4.6.2 Deploy secure baselines - Create hardened operating systems and applications and use them for all new installations.
4.6.3 Update secure baselines - Promptly update baseline configurations in line with discoveries of security weaknesses and improved industry practices.
4.7.1 Use anti-malware software - Install, centrally manage, and frequently update anti-malware on clients and servers.
4.7.2 Hunt threats - Configure anti-malware protections to scan for threats in real time and on an automated schedule. Scans must cover:
- Network traffic
- Files in storage (portable and fixed drives)
- Applications running (on boot, start-up, in memory)
4.7.3 Automatically notify - Configure automatic alerts, and block or quarantine flagged threats.
4.7.4 Install on clients and servers - Use both host-based and network-based Anti-Malware, Intrusion Prevention and Detection systems.
4.8 Software Development
4.8.1 Software Development - Adopt a secure software development framework and build security into each phase of the process to guide the end product.
4.8.2 Commercial software - Assess commercial software for security compliance before adopting.
4.9 Junk and Hoarding
4.9.1 Use central storage - Store files centrally as much as possible. E.g., on a file server.
4.9.2 Minimise unnecessary items - Disable or remove unneeded services, ports, user accounts, files, applications, and processes across all systems. Only keep items necessary for business, legal or regulatory purposes.
5. Know your Users
5.1 Identify and track
5.1.1 Track users - Centrally keep an accurate record of all user accounts across the network. Accounts of administrators are more sensitive and must be monitored more keenly than those of regular users to identify compromises and malicious abuse promptly.
5.1.2 Track people - All staff and third parties authorised to use a computer system or to access areas with computer systems must be able to identify themselves in person. E.g., company-issued IDs and temporary passes. These persons must include:
5.1.3 Report unauthorised persons - Unauthorised persons using computer systems must be reported to the security team who must assess the incident, take appropriate action, and create an incident report.
6. Protect your Users
6.1.1 Train users - Frequently educate users on good computer security habits and on how to identify computer-based and interpersonal attacks that seek to deceive them into disclosing confidential data. This training is referred to as Security Awareness Training.
6.1.2 Customise training - Security awareness training must be customised for each category of users. E.g., Staff, customers, third-party suppliers. Security awareness training must prepare users to:
- Understand the business’s cyber security policy
- Execute their daily tasks responsibly
- Identify and report Social Engineering attacks (e.g., Phishing, Smishing, Vishing, Tailgating)
- Minimise accidents that compromise security
- Browse the internet wisely
- Be professionally sceptical
- Think and behave ethically
- Care about cyber security on a personal level
7. Find and Manage Vulnerabilities
7.1 Search for weaknesses
7.1.1 Scan for vulnerabilities - Frequently scan the network for security vulnerabilities (and issues) and remediate promptly based on the risk to the business.
7.1.2 Simulate attacks - Periodically simulate malicious attacks against owned computer systems, applications and users to test the resilience of controls against exploitation by malicious sources.
7.1.3 Dedicate accounts for standalone applications - Applications running automatic activities such as vulnerability scans must use dedicated accounts.
7.1.4 Patch promptly - Review and install software updates promptly to protect against publicly known vulnerabilities.
7.1.5 Test before and after launch - Check for vulnerabilities across all systems and applications before making them available for official use, and periodically check while they are in use.
7.2 Implement solutions timely
7.2.1 Track solution progress - Always track the progress from identifying a security issue until it is fixed/minimised.
7.2.2 Monitor news and trends - Stay up-to-date with developments in Cyber Security and proactively address security threats.
8. Monitor activities
8.1 Track and analyse activity
8.1.1 Track - Log important activity at multiple layers (e.g., operating system and application layer). Logs must have enough detail to form a reliable audit trail if there is a security incident. Logged details must be able to answer the following questions:
- Who executed the activity? (e.g., User, system name, service)
- What are the details of the activity? (e.g., description of the event)
- When did the activity happen? (e.g., date and time)
- Where did the activity happen? (e.g., IP, system name, domain name)
8.1.2 Analyse - Analyse logs frequently to help detect suspicious activity, attacks, and breaches.
8.1.3 Store - Store logs on dedicated, restricted systems to preserve their authenticity.
8.1.4 Automatically trigger alerts - Create automatic triggers that notify administrators of sensitive, unusual and suspicious system activities. Such activities often include:
- Configuration changes
- New or deleted users
- Changes in user permissions
- Unusual increases in network traffic
- Multiple failed access attempts
- Server room abnormalities (e.g., increased temperatures)
- Communication errors
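The following is an added example, not part of the standard, showing how 8.1.1 and 8.1.4 look in practice: each log line is checked for the who/what/when/where fields, and three of the listed triggers (new users, permission changes, multiple failed access attempts) are applied over constructed sample lines. The line format, field names and thresholds are assumptions for this illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from a real system); each carries when/where/who/what (8.1.1).
SAMPLE_LOGS = """\
2024-03-01T09:00:01Z host=fs01 user=alice event=login result=failure
2024-03-01T09:00:05Z host=fs01 user=alice event=login result=failure
2024-03-01T09:00:09Z host=fs01 user=alice event=login result=failure
2024-03-01T09:00:12Z host=fs01 user=alice event=login result=failure
2024-03-01T09:00:15Z host=fs01 user=alice event=login result=failure
2024-03-01T09:01:00Z host=dc01 user=svc_admin event=user_created target=tmp_ops
2024-03-01T09:01:30Z host=dc01 user=svc_admin event=group_change target=tmp_ops group=admins
2024-03-01T09:05:00Z host=web01 user=bob event=login result=success
2024-03-01T09:06:00Z host=web01 event=login result=success
"""

FAIL_THRESHOLD = 5                  # failed logins per user ...
FAIL_WINDOW = timedelta(minutes=5)  # ... within this sliding window (assumed values)
SENSITIVE_EVENTS = {"user_created", "user_deleted", "group_change", "config_change"}

def parse_line(line):
    """Return a dict for a well-formed line, or None if who/what/when/where is incomplete."""
    when, _, rest = line.partition(" ")
    try:
        rec = {"when": datetime.strptime(when, "%Y-%m-%dT%H:%M:%SZ")}
    except ValueError:
        return None
    for kv in rest.split():
        key, _, value = kv.partition("=")
        rec[key] = value
    # who = user, what = event, where = host; a record missing one cannot answer the 8.1.1 questions
    return rec if all(k in rec for k in ("user", "event", "host")) else None

def find_alerts(log_text):
    """Apply the 8.1.4 triggers and return (alert_type, subject) tuples in log order."""
    alerts, failures = [], defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            alerts.append(("incomplete_record", line))  # flagged, never silently dropped
            continue
        if rec["event"] in SENSITIVE_EVENTS:             # new/deleted users, permission changes
            alerts.append((rec["event"], rec["user"]))
        if rec["event"] == "login" and rec.get("result") == "failure":
            recent = [t for t in failures[rec["user"]] if rec["when"] - t <= FAIL_WINDOW]
            recent.append(rec["when"])
            failures[rec["user"]] = recent
            if len(recent) == FAIL_THRESHOLD:            # fire once when the threshold is reached
                alerts.append(("multiple_failed_logins", rec["user"]))
    return alerts
```

Running `find_alerts(SAMPLE_LOGS)` yields one alert for alice's failed logins, one each for the account creation and group change by svc_admin, and one for the final line that lacks a user field.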
9. Respond to Incidents
9.1.1 Organise a team - Create a team who will actively handle all security incidents and breaches through its phases.
9.1.2 Adopt a methodology - Be strategic when responding to incidents. A smart incident response process can flow as follows:
- Detect and Analyse
- Contain, Eradicate, and Recover
9.1.3 Laws and regulations - Educate incident response staff on local laws covering Cyber Crime and data protection.
9.1.4 Embrace reports - Facilitate people who try to report security incidents.
9.1.5 Log and track - Log all suspicious computer systems activities.
9.1.6 Emergency contact - Provide security teams with contact details of escalation contacts including any national Cyber Security Response Teams.
10. Continuously improve
10.1.1 Analyse data - Use data from internal and external sources to make smarter decisions and improve the effectiveness of the cyber security function.
10.1.2 Minimise recurring issues - Learn from previous mistakes and record solutions to common problems.
10.1.3 Capitalise on data - Use data from internal logs, and public threat maps to make smarter business decisions to protect computer systems across the business.
10.1.4 Improve - Tweak business decisions to protect computer systems across the business.
- “Computer Incident Response and Forensics Team Management” by Leighton R. Johnson III
- “Computer Security Fundamentals” by Chuck Easttom
- “Cyber Security Essentials” by iDefense® Security Intelligence Services
- “Guide to Computer Network Security” by Joseph Migga Kizza
- CIS Controls - Center for Internet Security - https://www.cisecurity.org
Share the link to this standard with the management in your company to help them with their due diligence responsibilities.