An overview of cyber security capabilities to protect your organisation’s information
Every interface your organisation has with the outside world is theoretically vulnerable to data breaches and cyber-attacks. These breaches and attacks can be damaging to your organisation, your clients, and your reputation. Dealing with the consequences and fixing the problem can be expensive and time-consuming. So, it’s worth thinking about how to protect your organisation.
Cyber security can be divided into 5 distinct domains, each requiring its own response.
1. User access and authentication
Ensure only authorised people (users) have access to the organisation’s systems, applications, and data.
2. Information classification and security
How your organisation classifies and stores and handles its information, especially information that is sensitive, private, or confidential.
3. Device and network management
How all end-user devices (computers and mobile devices) and network equipment in your organisation are protected, managed, and monitored. This includes how your organisation’s networks are firewalled and protected with anti-phishing, antivirus and intrusion protection features and alerts for suspicious activity.
4. Policies, risk management, and compliance
An organisation’s cyber security policies, standards, and compliance processes ensure information security is managed and appropriately governed. It includes acceptable use of technology, incident response, testing schedules, and regulatory compliance.
5. User education
An organisation’s cyber security policies cover acceptable use of technology, incident response, staff education, testing schedules and regulatory compliance.
The table below can help you assess your organisation's response and identify gaps to attend to. It describes three capability levels, Basic, Intermediate and Advanced. The appropriate level and what you need to do will depend on your organisation’s size, the sophistication of the systems and technology you manage, and sensitivity of the information you hold and use.
For starters, every organisation must implement these fundamental security measures: Cyber Security Essentials. This basic level of cyber security capability might be sufficient for small, virtual organisations that use only a few cloud systems such as Google Workspace, and don’t own and manage desktop or laptop computers, or for that matter servers.
Many non-profit organisations will have some infrastructure to manage and/or hold sensitive data. They will likely want to progress to an intermediate level of cyber security capability: Achieving intermediate cyber security.
Where significant risks or obligations require further mitigation, and resources permit, organisations that have achieved intermediate capability might work towards advanced capability. This will include consideration of Maturity Level 2 or 3 compliance with the ASD’s Essential Eight, and of an external certification such as ISO 27001. See Achieving advanced cyber security.
| Category | Challenged | Basic | Intermediate | Advanced |
|---|---|---|---|---|
| User access and authentication |
User accounts are not well managed. |
MFA is effectively configured on Microsoft 365/Google Workspace & sensitive internet-facing systems. Administrative access is minimised. Shared user accounts are minimised & effectively managed (e.g. password mgr). System access is reviewed on a scheduled basis. |
Strong passwords are required. Processes exist to manage account breach risk – e.g. alerts, lockouts and/or log review. Admin rights are minimised, requires approval, time limited & protected (via MFA, VPN, SSH, etc.) |
Access to important IT systems/applications employs Single-Sign on a secure, core authentication service. |
| Information classification and security |
Information is not classified and the backup approach for information stores has not been thought through. |
Data backup has been considered and configured as appropriate for all important information stores. A simple data recovery test is performed annually. |
Information categories are defined (sensitive, confidential, public, etc.) and implemented (e.g. sensitive data is encrypted). A system register records approved information categories for each system. Backups are reliable, secure and meet retention / recovery requirements. A significant restore is performed annually. |
Technical controls restrict staff from storing or transmitting sensitive data incorrectly. Data retention requirements are known and addressed in line with organisational needs and compliance obligations |
| Device and network management |
Device security and network threats are not managed. |
Windows PCs have antivirus protection. Only vendor-supported operating systems & applications are used. Device OS & applications are reliably patched through manual or automated processes. Default infrastructure admin passwords have been changed. |
User devices have appropriate, centrally monitored firewall & antivirus software. Sensitive information is securely encrypted & can be remote-wiped. Patch management is undertaken centrally. Critical patches are deployed rapidly. Perimeter firewall and wifi configuration minimises security risk. |
A process to identify, prioritise & manage technical vulnerabilities exists. A vulnerability scanner is used effectively. Devices that don’t comply with policies (encryption, patching, etc.) are blocked. Devices are built & maintained to best practices standards (least privilege access, secure baselines, logging, etc.) |
| Policies, risk management, and compliance |
Policies and compliance processes are not well established. |
Responsibility for cyber security protections is assigned. Policies cover staff obligations & organisational cyber security protections. Third parties with access to organisational information are required to keep information safe. A cyber security improvement plan exists. The executive review cyber security protections/issues at least twice annually. |
An assessment against the ACSC’s Essential 8 has been performed with maturity level 1 or better. An effective security risk management process exists. Annual security tests identify & remediate risks. A security incident response process is defined. Appropriate steps are taken to meet all legal, regulatory & contractual obligations. |
The organisation has been independently assessed and confirmed as compliant against an information security standard such as ISO/IEC 27001. |
| User education |
Staff educate themselves. |
Induction & annual refresh training effectively covers staff obligations, security risks BYOD, good password practice, sensitive information & who to contact for help. |
Quizzes or phishing tests check staff knowledge annually. Specific training & processes support high-risk staff (accounts, CEO, CFO, IT, etc.) – e.g. phone call required to verify bank account changes. |
Training is engaging, tailored by role, available on demand & effective. A strong security culture exists – staff actively consider it their responsibility. |
Status message
Thanks for rating this guide.