How to document your information security policy

| December 12, 2018

article image
Information security policies play a vital role in organisational security. Getting your policy right will give you an excellent framework to build on, making sure that all your efforts follow a single goal. But if you get it wrong, you risk neglecting key issues and exposing yourself to data breaches. To make sure you get off on the right track, we’ve taken some advice from Alan Calder and Steve Watkins’ IT Governance – An International Guide to Data Security and ISO27001/ISO27002 and Calder’s Nine Steps to Success: An ISO27001 Implementation Overview. As renowned experts in ISO 27001, the international standard for information security, their guidance is invaluable for any organisation that’s serious about security. Information security policy basics. An information security policy is a set of documents explaining an organisation expects its employees to do in order to prevent security incidents. It doesn’t need to be lengthy, but it must capture senior staff’s ideals and objectives for the organisation.

Spotlight

Black Hat Ethical Hacking

Ethical hackers use the same methods and techniques to test and bypass a system’s defenses as their less-principled counterparts, but rather than taking advantage of any vulnerabilities found, they document them and provide actionable advice on how to fix them so the organization can improve its overall security.

OTHER ARTICLES

A 4 Step Guide to Stronger OT Cybersecurity

Article | April 14, 2020

Security and risk management leaders at organizations around the world are increasingly concerned about cybersecurity threats to their operational technology (OT) networks. A key driver behind this is that cyberthreats, like disruptionware, are increasing in quantity and sophistication all the time. Industrial control system (ICS) networks are categorized as high risk because they are inherently insecure, increasingly so because of expanding integration with the corporate IT network, as well as the rise of remote access for employees and third parties. An example of an IT network within a control system is a PC that’s running HMI or SCADA applications. Because this particular PC wasn’t set up with the initial intention of connecting to IT systems, it typically isn’t managed so can’t access the latest operating system, patches, or antivirus updates. This makes that PC extremely vulnerable to malware attacks. Besides the increased cyberthreat risk, the complexity resulting from IT–OT integration also increases the likelihood of networking and operational issues.

Read More

Ryuk: Defending Against This Increasingly Busy Ransomware Family

Article | April 14, 2020

On December 16, 2019, the U.S. Coast Guard disclosed a security incident at a facility regulated by the Maritime Transportation Security Act (MTSA). Forensic analysis suggests that the incident might have begun when an employee clicked on a link embedded in a phishing email.This action enabled a threat actor to set Ryuk ransomware loose on the facility’s network. Ultimately, the infection spread to all IT network files, leading Ryuk to disrupt the corporate IT network and prevent critical process control monitoring systems from functioning properly. Phishing is one of the primary infection vectors for most ransomware families, but there’s an interesting twist with this particular family. As noted by Malwarebytes, a typical Ryuk attack begins when a user opens a weaponized Microsoft Office document attached to a phishing email. Opening the document causes a malicious macro to execute a PowerShell command that attempts to download the banking trojan Emotet. This has the ability to download additional malware onto an infected machine that retrieves and executes Trickbot.

Read More

5 Benefits of Investing in Cyber Security & IT solutions in 2021

Article | April 14, 2020

Cyber Security has quickly evolved from being just an IT problem to a business problem. Recent attacks like those on Travelex and the SolarWinds hack have proved that cyber-attacks can affect the most solid of businesses and create PR nightmares for brands built painstakingly over the years. Investing in cyber security training, cyber security advisory services and the right kind of IT support products, has therefore, become imperative in 2021. Investing in cyber security infrastructure, cyber security certification for employees and IT solutions safeguards businesses from a whole spectrum of security risks, ransomware, spyware, and adware. Ransomware refers to malicious software that bars users from accessing their computer system, whereas adware is a computer virus that is one of the most common methods of infecting a computer system with a virus. Spyware spies on you and your business activities while extracting useful information. Add social engineering, security breaches and compromises to your network security into the mix, and you have a lethal cocktail.

Read More

Work From Home: Cyber Security During Covid-19

Article | April 14, 2020

COVID-19 has significantly affected individuals and organizations globally. Till this time more than 1.7 million people in 210 countries have bore the brunt of this mysterious virus. While this crisis is unparalleled to the past crises that have shaken the world and had lasting impacts on different businesses, economies and societies but the one domain that had remained resilient through all the past crises and is going solid in COVID-19 as well is Cyber security. While most of the sectors globally have been affected, Cybersecurity’s importance to organizations, consumers and home users have not only remained strong but have been increased drastically.

Read More

Spotlight

Black Hat Ethical Hacking

Ethical hackers use the same methods and techniques to test and bypass a system’s defenses as their less-principled counterparts, but rather than taking advantage of any vulnerabilities found, they document them and provide actionable advice on how to fix them so the organization can improve its overall security.

Events