Every interface your organisation has with the outside world is theoretically vulnerable to data breaches and cyber attacks. These breaches and attacks can be damaging to your organisation, your clients and your reputation. Dealing with the consequences and fixing the problem can be expensive and time-consuming. So it’s worth thinking about how to protect your organisation.
Cyber security can be divided into 6 distinct domains, each of which requires its own response. You can assess your organisation's response using the table below.
1. Information classification & security
How your organisation classifies and stores and handles its information, especially information that is sensitive, private or confidential.
2. User device management
How all end-user devices in your organisation are protected, managed and monitored.
3. Network threat detection & alerting
How your organisation’s networks are firewalled and protected with anti-phishing, antivirus and intrusion protection features as well as alerts for suspicious activity.
4. Policies, user education & compliance
An organisation’s cyber security policies cover acceptable use of technology, incident response, staff education, testing schedules and regulatory compliance.
5. ACSC Essential 8
The Australian Cyber Security Centre’s Essential 8 is a series of security mitigation strategies organisations should implement to protect themselves against a range of cyber threats.
|Australian Cyber Security Centre Essential 8||We have not yet assessed ourselves against the ACSC’s Essential 8||
We fully meet Maturity Level One in at least six of the eight mitigation controls, the two exceptions being Application Controls and preventing privileged users from reading email/browsing the Web.
|We are at Maturity Level 2 or better in all Essential 8 mitigation controls.|
|User Education||We rely upon staff to educate themselves||
Staff receive appropriate security training that includes how to keep organisational data safe (save information in the correct area, spotting a phishing email, etc) when they first start. Staff also receive security refresher training on a regular basis.
|Staff consider security as one of their key responsibilities and actively consider how to keep organisational information safe.|
|Information Classification & Security||
We aim to keep sensitive data secure, but have limited formal controls that cover people, process and technology
We have the following:
|A combination of measures is used to protect information based on its classification level across the data lifecycle (e.g. staff education, sensitive data is encrypted at rest/in transit, data loss prevention controls are used, secure disposal, appropriate retention periods).|
|User Device Management||Our PCs have appropriate firewall and antivirus protection, but it is not centrally managed or monitored||
||All intermediate requirements, and any user devices which do not comply with organisational policies (encryption, remote wipe, etc) are blocked from connecting to organisational information stores.|
|Network Threat Detection & Alerting||
Network firewalls protect our internet connections.
Basic spam filtering reduces the risk of phishing.
Network firewalls and staff PCs are centrally managed with monitored alerting during business hours, with antivirus and appropriate intrusion protection features.
Advanced phishing protections are enabled for high-risk staff such as the CEO, CFO and accounts payable.
Suspicious user account activity (e.g., overseas logins) creates appropriate action.
Insecure network protocols that don’t support MFA (SMTP, IMAP etc) are disabled.
Network segmentation is employed as a measure to protect certain areas of the network based on information stored.
Web/URL filtering is used to restrict access to high risk or inappropriate sites
A contemporary Security Information and Event Management (SIEM) system collects and analyses security information from all devices and accounts, identifying risks, and required actions.
|Policies, Risk Management & Compliance||Limited (if any) IT security policies and risk management processes exist. Compliance is not well managed.||
Key security policies exist covering information classification, use of personal devices, keeping organisational information safe, password hygiene, privacy and cybersecurity incident response.
Regular security tests (phishing, network penetration, etc) are conducted to identify weaknesses.
User accounts / logins are not shared between people (or a limited number of shared accounts are used with strong risk management controls in place).
Single sign-on (SSO) enables users to securely authenticate with most core systems by using just one set of credentials.
Management understands their information security obligations, how their polices support these obligations and monitor organisational compliance.
Security risks are identified, prioritised, reviewed by executive management and actioned.
Bi-annual compliance testing identifies potential security risks.
Security education is reinforced regularly and available on demand, in a way that engages staff effectively and provides them the skills to secure organisational information.
We have been independently assessed and confirmed as compliant against an information security standard such as ISO 27001.