The company should never proceed 'on sight', but use specific skills to achieve its goals, such as Fractional CISO in Information Security, to design, plan and coordinate the Information Security Program, that is the documented set of policies, guidelines, procedures, standard And security checks of the Company.
The goal is to guarantee the security of information in terms of:
-CONFIDENTIALITY
-INTEGRITY'
-AVAILABILITY'
Confidentiality:
ensure that data, objects and resources are protected so that only authorized users can view and access them.
IT systems store, process or transmit data and information and why information is valuable, are threatened by attacks (social engineering, phishing, theft, etc.), but also by accidental breaches caused by employees.
Some of the countermeasures available to ensure the confidentiality I am:
- Passwords
- Authentication procedures
- Access control lists
- Software controls
- Security policy
- Staff training
Integrity:
when theintegrity data is protected information is accurate.
The data must not only be protected from prying eyes, but must also be protected from being altered without authorization.
To keep theintegrity data, it is necessary to control both access to the system and the user's ability to alter the information (if not authorized).
As the confidentiality, the protection ofintegrity not only repels malicious attacks, but also unintentional alterations such as errors or data loss, which can be significant problems.
The security programs use a variety of countermeasures to maintainintegrity data, including:
- Access controls
- Strict authentication
- Digital signatures
- Administrative checks
- Staff training
Availability:
authorized users must be able to access the systems and resources they need.
The measures of availability they ensure that the right users are able to access a system in a timely manner and without interruption.
Many of the problems of availability they have no impact on data, often stemming from infrastructure issues such as hardware failures, bandwidth issues, and software downtime.
The attacks Denial of Service (DoS) or Ransomware however, they are not a rare occurrence.
For businesses, few things are more important than availability and the responsiveness of the online services with which they operate on a daily basis.
Even if the downtime is minimal, it can still have a significant impact on your bottom line and reputation.
Countermeasures include:
- Hardware redundancy
- Backup server
- Additional data storage
- System performance monitor
- Network traffic monitoring
- Firewall
- Router
- Content Delivery Network (CDN)
The Information Security Program
The main points that the Fractional CISO has on the agenda are:
1. Get the involvement and support of the Company who will be responsible for defining the mission, program objectives and promoting and enforcing security policies throughout the organization.
2. Building the Information Security Team (creating the security program is not a one-person job) consisting of: IT professionals (internal and / or external to the company) responsible for managing day-to-day IT security operations, assessing threats and vulnerabilities, and of IT controls.
3. Build or upgrade theinventory of? assets?: information, processes, technology and people (see 2. What do we need to protect?).
4. Determine with the Company if e for which regulations compliance is required.
5. Identify threats, vulnerabilities and risks (you see 3. The importance of analyzing the risks.)
6. Risk management (you see 4. Risk management, 5. Mitigation of cyber risks)
7. Create a incident management plan (you see 7. The management of security incidents) and disaster recovery (see 8. Business continuity).
8. Apply security checks (you see 6. The main sources of cyber attacks)
9. Train all staff to make him aware and responsible for the safety of the company.
10. Lead periodic audits and measure the effectiveness of the measures taken.
