Comhairle nan Eilean Siar
Internal Audit Review
CYBER SECURITY – Audit Perspective
Final Report – 2017/18- 28
17 November 2017
COMHAIRLE NAN EILEAN SIAR
INTERNAL AUDIT FINAL REPORT
CYBER SECURITY – Audit Perspective 2017/18
17 November 2017
CONTENTS
SECTION 1 - EXECUTIVE SUMMARY
SECTION 2 - DETAILED FINDINGS AND RECOMMENDATIONS
SECTION 3 - ACTION PLAN
APPENDIX A - RESPECTIVE RESPONSIBILITIES OF MANAGEMENT AND INTERNAL AUDIT
APPENDIX B - ISOLATED EXCEPTIONS
APPENDIX C - 10 SECURITY CONTROLS FOR CYBER DEFENCE (NCSC)
Date of Visit: September & October 2017
Draft Report Issued: 23rd October 2017
Management Response Received: 16th November 2017
Final Report Issued: 17th November 2017
Issued to:
Chief Executive Malcolm Burr
Director Robert Emmott
IT Manager Malcolm Nicol
HR Manager Katherine Mackinnon
SECTION 1: EXECUTIVE SUMMARY
Introduction
1.1 This report has been prepared following an internal audit review of Cyber Security from an IT
Audit Perspective as part of the operational annual internal audit plan for 2017/18. The purpose of
this report is to provide an overview of the Comhairle’s arrangements for managing cyber security
in terms of the objectives noted below.
Background information
1.2 Police Scotland recently reported that over 47% of UK crimes are cyber related. These fall into two
categories: cyber-enabled crime, where the internet is used as a means to commit the crime, and
cyber-dependent crime, where a digital system, infrastructure or ICT device is the target as well as
the principal or sole method of attack.
The latest Internet Security Report by WatchGuard for the second quarter of 2017 reports a common
theme of login access being a top priority for criminals. Credential theft can take different forms;
attack techniques include pass-the-hash, key logging, passing tickets, token impersonation, and
man-in-the-middle attacks. Malware not detected by older legacy antivirus also increased to 47%
during 2017 with Malicious JavaScript being used to deliver malware and create fake phishing sites
for example. Organisations are advised to harden exposed servers, consider multi-factor
authentication, train users to identify phishing attacks and implement advanced threat prevention
solutions to protect their data.
The government provides a Cyber Essentials scheme designed to help organisations protect
themselves against common cyber-attacks, and the NCSC publishes 10 Steps to Cyber Security for
improving protection in cyberspace and mitigating the risk from common internet based threats1.
The 10 steps are: management of the cyber risk at Board level; secure configuration of systems;
network security; managing user privileges; user education and awareness; incident management;
malware prevention; system monitoring to confirm acceptable use policies are applied and to detect
any unusual activity; removable media controls; and controls on home and mobile working.
A number of these areas overlap with the scope of assurance requirements for the Comhairle’s
certification to use the UK-wide government Public Services Network or PSN. For example, security
requirements for connection to PSN include controls to ensure the Comhairle’s technical security
infrastructure meets PSN compliance, with adequate and appropriate procedures in place to protect
all Comhairle data. The Comhairle’s compliance certificate for PSN connection covers the period
22 December 2016 to 22 December 2017. This certification provides assurance through the annual
PSN IT health check and confirms compliance with the Code of Connection requirements for
accessing the PSN, through maintenance of appropriate security policies (including acceptable use
and lockdown policies) and monitoring of controls on infrastructure security. Therefore, the scope
of this cyber security review will primarily focus on the human resource element, including user
education and awareness.

1 10 Steps To Cyber Security is at https://www.ncsc.gov.uk/guidance/10-steps-executive-summary
Sources of information for best practice include guidance from Police Scotland, the National Cyber
Security Centre or NCSC, the HM Government Cyber Essentials scheme, and CIIA and ISACA cyber
security and cyber risk information. The Information Commissioner’s Office also offers guidance, as
the new General Data Protection Regulation (GDPR), coming into force in May 2018, specifically
refers to aspects of cyber security in Article 32 (Security of processing).
Internal audit objective
1.3 In accordance with the remit outlined within the operational annual internal audit plan for 2017/18
and further documented within the agreed terms of reference, the internal audit work was designed
to obtain assurance on the Comhairle’s arrangements for cyber security from an auditor’s
perspective. The primary objectives in the review are risk awareness and assessment of emerging
cyber security threats and vulnerabilities; user training, skills and awareness of cyber threats
including advanced persistent threats, data breaches, hoax or phishing emails and ransomware;
guidance on social media; use of security controls and encryption and how to respond to any suspect
activity. As users have a critical role to play in their organisation’s security, security rules and
awareness training to enable users to do their job securely are vital.
In practice, we assessed whether the overall objective was being achieved by:
Ascertaining the management and risk assessment of cyber threats and security controls;
Identifying user training and awareness of cyber security; and
Appraising front line staff processes to confirm cyber security awareness and best practice in place.
Reference is made to the Comhairle’s policies, including the IT Security Policy and the Code of
Practice on the use of internet, email and IT resources within the staff handbook.
Excluded from the cyber review are areas already covered in other audit work, including those
covered in the assurances provided by the Comhairle’s certification for connection to the Public
Services Network or PSN. PSN accreditation includes assessment of controls to expected PSN
standards in areas including external network connections; wireless network access controls;
patch management; boundary controls and gateways; personnel security and education; access
controls; incident management processes; malware protection; and removable media and
mobile/home working security controls. In addition, assurances from the Internal Audit Follow-Up
Review - Additional Follow-Up of Disaster Recovery Final Report – FU08 – 15/16 are not
repeated.
1.4 Areas of good practice
Regular risk assessment with IT Manager advice to management;
IT Policies in the staff handbook;
Staff training to be rolled out;
Alerts to staff by the IT Service; and
Public Services Network (PSN) connection certification until 22 December 2017.
1.5 Concluding remarks
This is a high level review and findings are included in the body of this report. We would point
out that the most significant issues arising from our review which require management attention
are:
A policy on social media exists; however, this environment changes quickly and the policy needs
regular review (Para 2.3)
Specific training for staff on cyber security has still to be rolled out (Para 2.4)
A benefit of the security controls found in this review is that security of personal data is
improved, as is recommended by the Information Commissioner's Office or ICO; some
aspects of cyber security get specific mention in Article 32 of the General Data Protection
Regulation (GDPR) which comes into force in May 2018, including encryption, disaster
recovery, testing and on-going monitoring.
1.6 We have graded our detailed findings and recommendations, based on the likelihood of the
identified weakness occurring and the impact on the Comhairle if it should occur, using the
following criteria:
Grade 1 - “Critical” – High likelihood, High impact (HH)
“The weakness is almost bound to happen or is already happening (likelihood) and could have a
significant impact on the Comhairle’s services, reputation, control, financial position, statutory,
regulatory or constitutional compliance if not contained”
Grade 2 - “Contingent/Insurable Risk” - Low likelihood, High impact (LH)
“The weakness is unlikely to happen, but would have a significant impact on the Comhairle’s
services, reputation, control, financial position, statutory, regulatory or constitutional compliance
if it did occur”
Grade 3 - “Housekeeping” – High likelihood, Low impact (HL)
“The weakness is almost bound to happen or is already happening but is unlikely to have a
material impact on the Comhairle’s services, reputation, control, financial position, statutory,
regulatory or constitutional compliance, and can be contained”
Grade 4 - “Value for Money” – High likelihood, Value for money impact (HV)
“The weakness is almost bound to happen or is already happening but if contained would have a
positive impact on economy, efficiency and effectiveness in the use of resources”
Where we have identified isolated exceptions in our sample testing, and we consider that:
they are unlikely to recur; and
they would have no significant impact if they should occur,
we have classified them as low likelihood and low impact (LL), discussed them with relevant
officers and detailed them in Appendix B to this report.
1.7 Our recommendations can be summarised and prioritised as follows. The overall grading uses
the scale 1 to 4 set out in paragraph 1.6; the grade shown against each recommendation is the
grade given in Section 2.
2.1 The Director of Finance and Corporate Resources and the IT Manager should assess cyber risk
and consider if specific use of the term ‘cyber’ within IT risk is necessary. This environment is
constantly evolving. (Grade 3)
2.2 The Director of Finance and Corporate Resources and the IT Manager should assess cloud risk
within IT risk assessments. (Grade 3)
2.3 The Head of HR should regularly review policy and user guidance for risks of social media.
Users to be reminded of the latest policy as this is revised for social media responsibilities.
(Grade 2)
2.4 The IT Manager should ensure the training is rolled out for Corporate users, with a process for
monitoring that all users complete this training. There is also free introductory on-line training
available through the Open University - Introduction to cyber security: stay safe online - that
could be promoted if considered useful. (Grade 2)
2.5 The Director of Finance and Corporate Resources, Finance & IT Managers to continue to review
processes for managing suspect emails and notifying IT Helpdesk. (Grade 3)
2.6 The IT Manager should ensure cyber incident response and communications planning is
documented within IT procedures. Where this action overlaps with actions already agreed and
followed up in the Internal Audit Report Follow Up Review - Additional Follow Up Disaster
Recovery, this can be noted and cross referenced. (Grade 3)
1.8 We would like to thank all staff for the co-operation and goodwill we received during the course
of our internal audit fieldwork.
For Comhairle nan Eilean Siar Internal Audit
Comhairle nan Eilean Siar
Sandwick Road
Stornoway
Isle of Lewis
HS1 2BW
17th November 2017
SECTION 2 - DETAILED FINDINGS AND RECOMMENDATIONS
Each finding below is set out as: findings and implications; risk ranking (likelihood L and impact I,
each rated H or L); recommendation; grade (see paragraph 1.6); and management comment.

Control objective 1: Risk awareness and risk assessment of emerging cyber threats and security controls.

2.1 Risk awareness and assessment
Findings and implications: The risk of ‘Operational loss of data - FRCSIT01’ is reported, which
covers potential cyber risk areas; ‘cyber’ is not specifically included as a risk. Cyber threats
continue to evolve. The latest Internet Security Report of the top security threats for 2017 by
WatchGuard showed credential theft increasing, with attackers stealing and re-using Windows
credentials by means of malware. Although malware detections increased, the proportion of
malware not detected by older legacy antivirus also increased, to 47%. Malicious JavaScript is
increasingly being used to deliver malware and create fake phishing sites. To protect against the
use of malicious JavaScript in email, the report recommends that email security controls block
JavaScript attachments. Web servers and clients also continue to be targets, so security inspection
of web traffic should be a top priority2.
Risk ranking: Likelihood H, Impact L
Recommendation: The Director of Finance and Corporate Resources and the IT Manager should
assess cyber risk and consider if specific use of the term cyber within IT risk is necessary. This
environment is constantly evolving.
Grade: 3
Management comment: The Director of Finance & Corporate Resources and IT Manager will review
IT risks.

2 https://www.watchguard.com/wgrd-resource-center/security-report
2.2 IT Policy, Corporate alignment through IT Service and the cloud
Findings and implications: CNES Policy requires users to involve IT Service before using new
software or assets on the CNES network. In practice, increasing use of the cloud presents new
challenges to IT.
Key controls recommended by US-CERT to protect against ransomware infection include:
application whitelisting, so that only approved programs run; maintaining up to date antivirus
software and scanning downloads from the internet before executing them; restricting users’
ability to install and run unwanted software applications and applying the ‘least privilege’
principle; not enabling macros from email attachments; patch management of software and
operating systems; and employing a data backup and recovery plan for all critical information.
Risk ranking: Likelihood H, Impact L
Recommendation: The Director of Finance and Corporate Resources and the IT Manager should
ensure cloud risks are within IT risk assessments.
Grade: 3
Management comment: The review of IT security risks will include cloud computing.
Control objective 2: User awareness, training and skills
2.3 Policy and Social Media
Findings and implications: The Acceptable Use for Social Media Policy in the staff handbook says
staff should not comment on their work on personal social media accounts.
Police Scotland [PS] guidance on cyber threats lists social media, LinkedIn and the online presence
of staff as vulnerabilities3. PS recommended, for cyber-resilience, that staff be vigilant about
information placed on social media. Criminals can use data from social networks to target staff in
the organisation, for example to send a hoax email to carry out an attack or introduce malware
into the system. Staff are named on the website because of their work; however, the more
information posted on the internet and social media sites, the easier it is for anyone to find,
including hackers and criminals.
Risk ranking: Likelihood L, Impact H
Recommendation: The Head of HR should regularly review policy and user guidance for risks of
social media. Users to be updated on the latest policy version as this is revised for social media
responsibilities.
Grade: 2
Management comment: The Policy relating to Social Media will be reviewed as a priority.
Employees will be advised of the revised guidelines.

3 Vulnerabilities listed - Online presence of Company/Staff; LinkedIn; Website; Social Media; Social
Engineering; RDP; Weak usernames and passwords; Lack of awareness; Inside threat – Police Scotland
presentation to SLACAIG CASG August 2017
2.4 Training
Findings and implications: An online training module has been created and planned for roll out in
October 2017 to Corporate users, including teachers and Education admin staff but not pupils;
students have their own specialist training processes. Training covers malicious software, email
security, hackers, password security, social networks, physical security, wireless networks,
incident management and the Comhairle’s policies.
Advice on social engineering risks includes phone calls made directly to users to ‘con’ them into
volunteering personal information such as passwords. Other risks include divulging information
on social networking sites.
The Comhairle training module is a very positive step and will be beneficial for all online users to
complete. The IT Manager plans to ensure all new staff complete the training before they are
allowed to start working on any council systems or work. In addition, IT Service regularly
provides advice to users on risk areas including ransomware and phishing emails.
The NCSC 10 steps to cyber security include user education and awareness5. NCSC suggests
monitoring the effectiveness and value of security training to users.
Risk ranking: Likelihood L, Impact H
Recommendation: The IT Manager should ensure the training is rolled out for Corporate users, with
a process for monitoring that all users complete this training, if possible within this financial
year. There is also free introductory on-line training available through the Open University -
Introduction to cyber security: stay safe online4 - that could be promoted if found to be useful.
Grade: 2
Management comment: Training will be rolled out to all system users.

4 http://www.open.edu/openlearn/science-maths-technology/introduction-cyber-security-stay-safe-online/content-section-overview
5 https://www.ncsc.gov.uk/guidance/10-steps-user-education-and-awareness
Control objective 3: Front line processes
2.5 Email usage policy and risks of phishing or hoax emails
Findings and implications: There is an email usage policy for staff to apply. An audit sample of
users whose work can include receiving email requests to change bank accounts for payments, and
who are thus potential targets of phishing and hoax emails, found that different Finance functions
manage specific risks in different ways, with processes in place to manage requests.
As in 2.1, the risk of malicious JavaScript in email is reported to be increasing during 2017.
Risk ranking: Likelihood H, Impact L
Recommendation: The Director of Finance and Corporate Resources, Finance & IT Managers to
continue to review processes for managing suspect emails and notifying IT Helpdesk.
Grade: 3
Management comment: This is incorporated into the training module and specific issues will be
addressed as they arise.
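Findings 2.1 (block JavaScript attachments at the email gateway) and 2.5 (email requests to change bank accounts for payments) both describe checks that a gateway or helpdesk can apply mechanically to a suspect message. The Python below is an added illustration and is not code from this report or from the Comhairle's IT Service: it parses a raw email, looks for script-type attachments (including one level inside ZIP archives, since droppers are commonly zipped), checks whether Reply-To points at a different domain from the From address, reads the receiving gateway's Authentication-Results header for an SPF or DKIM failure, and looks for bank-detail wording in the body. The sample message, its addresses and domains, the extension list and the keyword pattern are all constructed for the example; a gateway filter would run the same functions over live mail.

```python
"""Triage a suspect email for the indicators discussed in findings 2.1 and 2.5 (added example)."""
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Attachment types a mail gateway is advised to block outright (assumed list for this example).
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta", ".ps1", ".cmd", ".bat", ".scr", ".exe"}
ARCHIVE_EXTENSIONS = {".zip"}
# Wording typical of a supplier bank-change request (assumed pattern; extend from real cases).
BANK_CHANGE_PATTERN = re.compile(r"\b(bank (details|account)|sort code|account number|new account|remittance)\b", re.I)


def _ext(filename):
    """Lower-cased final extension, so 'Invoice.pdf.JS' is treated as '.js'."""
    filename = (filename or "").lower()
    dot = filename.rfind(".")
    return filename[dot:] if dot >= 0 else ""


def script_attachments(msg):
    """Names of script/executable attachments, looking one level inside ZIP archives."""
    found = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = _ext(name)
        if ext in SCRIPT_EXTENSIONS:
            found.append(name)
        elif ext in ARCHIVE_EXTENSIONS:
            payload = part.get_payload(decode=True) or b""
            try:
                with zipfile.ZipFile(io.BytesIO(payload)) as archive:
                    found.extend(f"{name}/{m}" for m in archive.namelist() if _ext(m) in SCRIPT_EXTENSIONS)
            except zipfile.BadZipFile:
                found.append(f"{name} (unreadable archive)")
    return found


def _domain(header_value):
    address = parseaddr(str(header_value or ""))[1]
    return address.rpartition("@")[2].lower()


def reply_to_mismatch(msg):
    """True when replies would go to a different domain than the apparent sender."""
    reply_domain = _domain(msg.get("Reply-To"))
    return bool(reply_domain) and reply_domain != _domain(msg.get("From"))


def authentication_failed(msg):
    """True when the receiving gateway recorded an SPF or DKIM failure."""
    results = " ".join(str(h) for h in msg.get_all("Authentication-Results", [])).lower()
    return "spf=fail" in results or "dkim=fail" in results


def requests_bank_change(msg):
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    return bool(BANK_CHANGE_PATTERN.search(text))


def triage(raw_bytes):
    """Return the indicators found and a verdict: quarantine, refer to IT Helpdesk, or no indicators."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    indicators = []
    scripts = script_attachments(msg)
    if scripts:
        indicators.append("script attachment: " + ", ".join(scripts))
    if reply_to_mismatch(msg):
        indicators.append("reply-to domain differs from sender domain")
    if authentication_failed(msg):
        indicators.append("SPF/DKIM failure")
    if requests_bank_change(msg):
        indicators.append("requests a change of bank details")
    verdict = "quarantine" if scripts else ("refer to IT Helpdesk before acting" if indicators else "no indicators")
    return {"subject": str(msg.get("Subject", "")), "indicators": indicators, "verdict": verdict}


def build_sample():
    """Constructed sample: a fake supplier bank-change request carrying a zipped .js dropper."""
    msg = EmailMessage()
    msg["From"] = "Accounts <accounts@example-supplier.co.uk>"
    msg["Reply-To"] = "accounts@example-supplier-invoices.com"   # lookalike domain, assumed
    msg["To"] = "creditors@example-council.gov.uk"
    msg["Subject"] = "Updated bank details for invoice 1042"
    msg["Authentication-Results"] = "mx.example-council.gov.uk; spf=fail smtp.mailfrom=example-supplier.co.uk; dkim=none"
    msg.set_content("Please use the new account number and sort code in the attached remittance form.")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("Remittance.pdf.js", "var s = new ActiveXObject('WScript.Shell');")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="Remittance.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    print(triage(build_sample()))
```

A script attachment is enough on its own to quarantine; the other three indicators are weaker individually (a Reply-To mismatch or an SPF failure can be legitimate mail forwarded through a third party), so they route the message to the Helpdesk process in 2.5 rather than blocking it. Whether the sender's domain is a known supplier's domain or a lookalike is a check against the creditor master file, which this example does not have.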
2.6 Cyber incident Response Planning
Findings and implications: The IT Team has planned processes to manage IT incidents, including
cyber incidents, but these are not fully documented.
Risk ranking: Likelihood H, Impact L
Recommendation: The IT Manager should ensure that cyber incident response and communications
planning is documented within IT procedures. Where this action overlaps with actions already
agreed and followed up in the Internal Audit Report Follow Up Review - Additional Follow Up
Disaster Recovery, this can be noted and cross referenced.
Grade: 3
Management comment: The IT Manager will address this in Business Continuity Arrangements and
Disaster Recovery Plans.
SECTION 3 - ACTION PLAN
Each action gives the recommendation, the responsible officer and the date of implementation.
3.1 The Director of Finance and Corporate Resources and the IT Manager should assess cyber risk
and consider if specific use of the term cyber within IT risk is necessary. This environment is
constantly evolving.
Responsible officer: The Director of Finance and Corporate Resources and the IT Manager.
Date of implementation: December 2017
3.2 The Director of Finance and Corporate Resources and the IT Manager should ensure cloud risks
are within IT risk assessments.
Responsible officer: The Director of Finance and Corporate Resources and the IT Manager.
Date of implementation: December 2017
3.3 The Head of HR should regularly review policy and user guidance for risks of social media.
Users to be updated on the latest policy version as this is revised for social media
responsibilities.
Responsible officer: The Head of Human Resources.
Date of implementation: June 2018
3.4 The IT Manager should ensure the training is rolled out for Corporate users, with a process for
monitoring that all users complete this training, if possible within this financial year. There is
also free introductory on-line training available through the Open University - Introduction to
cyber security: stay safe online - that could be promoted if found to be useful.
Responsible officer: The IT Manager.
Date of implementation: December 2017
3.5 The Director of Finance and Corporate Resources and IT Manager to continue to review processes
for managing suspect emails and notifying IT Helpdesk.
Responsible officer: The Director of Finance and Corporate Resources and the IT Manager.
Date of implementation: December 2017
3.6 The IT Manager should ensure that cyber incident response and communications planning is
documented within IT procedures. Where this action overlaps with actions already agreed and
followed up in the Internal Audit Report Follow Up Review - Additional Follow Up Disaster
Recovery, this can be noted and cross referenced.
Responsible officer: The IT Manager.
Date of implementation: March 2018
APPENDIX A: RESPECTIVE RESPONSIBILITIES OF MANAGEMENT AND INTERNAL AUDIT
Responsibility in relation to internal controls
It is the responsibility of the Comhairle’s management to maintain adequate and effective financial
systems and to arrange for a system of internal controls. Our responsibility as internal auditors is to
evaluate the financial systems and associated internal controls. In practice, we cannot examine every
financial implication and accounting procedure within an activity, and we cannot substitute for
management’s responsibility to maintain adequate systems of internal controls over financial systems.
We therefore may not identify all weaknesses that exist in this regard.
Responsibilities in relation to fraud and corruption
The prime responsibility for the prevention and detection of fraud and irregularities rests with
management. They also have a duty to take reasonable steps to limit the opportunity for corrupt
practices. It is our responsibility to review the adequacy of these arrangements, but our work does not
remove the possibility that fraud, corruption or irregularity may have occurred and remained
undetected.
We nevertheless endeavour to plan our internal audit work so that we have reasonable expectation of
detecting material fraud, but our examination should not be relied upon to disclose all such material
frauds that may exist.
APPENDIX B: ISOLATED EXCEPTIONS TO EXPECTED PROCEDURES AND CONTROLS
(Table columns: Item; Isolated exception; Responsible officer; Agreed Y/N; Date of discussion.
No entries are listed.)
APPENDIX C: NCSC CYBER SECURITY CONTROLS
An overall 'defence in depth' approach is recommended by the National Cyber Security Centre or
NCSC. The 10 steps for improved protection for organisations in cyber-space are:
1. Management of the cyber risk at Board level
Pro-active management of the cyber risk at Board level is critical for protection of key information
assets. Questions to be considered include: Does the Board receive regular intelligence from the Chief
Information Officer/Head of Security on who may be targeting our company, their methods and their
motivations? Does the Board encourage technical staff to enter into information-sharing exchanges
with other companies in our sector and/or across the economy in order to benchmark, learn from others
and help identify emerging threats?
2. Secure configuration of systems
Develop a strategy to remove or disable unnecessary functionality from systems, and to quickly fix
known vulnerabilities, usually via patching. Failure to do so may result in an increased risk of
compromise of systems and information and of unauthorised changes to systems: attackers may attempt
to exploit unpatched systems to gain unauthorised access to system resources and information, and an
attacker could also exploit a system that has been poorly configured.
3. Network security
Defining a fixed network boundary is difficult as organisation's networks often span many sites, and
the use of mobile / remote working, and cloud services, makes this area complex. In addition to
physical connections, consider where your data is stored and processed, and where an attacker would
have the opportunity to interfere with it. Manage the perimeter with access to ports, protocols and
applications by filtering and inspecting all traffic at the network perimeter to ensure that only traffic
which is required to support the business is being exchanged. Control and manage all inbound and
outbound network connections and deploy technical controls to scan for malicious content. Protect the
internal network by segregating networks as sets; secure wireless access; enable secure administration;
configure the exception handling processes; monitor the network with network intrusion detection and
prevention tools; and conduct regular penetration tests of the network architecture.
4. Managing user privileges
Users should be provided with a reasonable minimal level of system privileges and rights needed for
their role. The granting of highly elevated system privileges should be carefully controlled and
managed. Establish effective account management processes; establish policies and standards for user
authentication and access control; limit user privileges and the use of higher privileged accounts.
Monitor user activity, particularly access to sensitive information and the use of privileged account
actions; limit access to the audit system and the system activity logs; all users should be aware of the
policy regarding acceptable account usage.
5. User education and awareness
Users have a critical role to play in their organisation’s security so a systematic delivery of awareness
programmes and training help to establish a security-conscious culture. Develop a user security policy.
New users, including contractors and third party users should be made aware of their personal
responsibility to comply with the corporate security policies. Regular refresher training on the security
risks to the organisation will keep users up to date. Staff in security roles should be encouraged to
develop their skills. Test the effectiveness and value of the security training provided. Promote an
incident reporting culture and establish a formal disciplinary process.
6. Incident management
Establishing effective incident management policies and processes will help to improve resilience,
support business continuity, improve customer and stakeholder confidence and potentially reduce any
impact. Establish an incident response capability; provide specialist training; define the required roles
and responsibilities; establish a data recovery capability; test the incident management plans; decide
what information will be shared and with whom. Collect and analyse post-incident evidence and
complete a lessons learned review.
7. Malware prevention
Malicious software, or malware, includes code or content that could have a malicious, undesirable
impact on systems. Exchange of information carries a degree of risk that malware might be exchanged.
The risk can be managed by developing and implementing anti-malware policies; scanning all data for
malicious content at the network perimeter; blacklisting malicious web sites; equipping stand-alone
workstations with appropriate anti-virus products; and establishing malware defences with end user
device protection. Users should understand the risks from malware and the day-to-day processes they
can follow to help prevent a malware infection from occurring.
8. Monitoring to confirm acceptable use policies are applied
System monitoring provides a capability that aims to detect actual or attempted attacks on systems and
business services. Good monitoring is essential in order to effectively respond to attacks. In addition,
monitoring allows you to ensure that systems are being used appropriately in accordance with
organisational policies. Monitoring is often a key capability needed to comply with legal or regulatory
requirements. Develop and implement a monitoring strategy based on business need and an assessment
of risk. Ensure that all networks, systems and services are included in the monitoring strategy. This
may include the use of network, host based and wireless Intrusion Detection Systems (IDS).
Monitor inbound and outbound network traffic. Monitor user activity. Establish a centralised collection
and analysis capability. Provide resilient and synchronised timing. Align the incident management
policies.
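As an added illustration of the detection side of this step (not part of the NCSC guidance, and not the Comhairle's own monitoring), the Python below runs two simple detections over constructed Windows Security log records: password spraying (one source address failing logons against many different accounts within a short window) and the local footprint of pass-the-hash style credential injection (event 4624 with logon type 9, logon process seclogo and authentication package Negotiate), one of the credential-theft techniques noted in the background section of this report. The sample records, host names, account names and addresses are invented for the example, and the window and account-count thresholds are assumptions to tune for the environment. The pass-the-hash indicator is also produced by legitimate use of runas /netonly, so it is a prompt for review rather than proof of compromise.

```python
"""Two detections over Windows Security event records (added example, constructed sample data)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records using the field names of Windows Security events
# 4624 (successful logon) and 4625 (failed logon). Hosts, accounts and addresses
# are invented for this example; a real deployment reads these from forwarded
# event logs or a SIEM export.
SAMPLE_EVENTS = [
    # Five different accounts failing from one external address in under two minutes.
    {"time": "2017-10-03T02:14:01", "EventID": 4625, "IpAddress": "203.0.113.7", "TargetUserName": "j.macleod"},
    {"time": "2017-10-03T02:14:09", "EventID": 4625, "IpAddress": "203.0.113.7", "TargetUserName": "m.morrison"},
    {"time": "2017-10-03T02:14:20", "EventID": 4625, "IpAddress": "203.0.113.7", "TargetUserName": "a.macdonald"},
    {"time": "2017-10-03T02:14:33", "EventID": 4625, "IpAddress": "203.0.113.7", "TargetUserName": "c.campbell"},
    {"time": "2017-10-03T02:15:02", "EventID": 4625, "IpAddress": "203.0.113.7", "TargetUserName": "finance.admin"},
    # One user mistyping their own password twice: not spraying.
    {"time": "2017-10-03T09:02:10", "EventID": 4625, "IpAddress": "10.20.0.15", "TargetUserName": "a.smith"},
    {"time": "2017-10-03T09:02:30", "EventID": 4625, "IpAddress": "10.20.0.15", "TargetUserName": "a.smith"},
    # Logon type 9 via seclogo/Negotiate: left by pass-the-hash tooling (and by runas /netonly).
    {"time": "2017-10-03T11:45:00", "EventID": 4624, "Computer": "FIN-PC-07", "TargetUserName": "svc_backup",
     "LogonType": 9, "LogonProcessName": "seclogo", "AuthenticationPackageName": "Negotiate"},
    # Ordinary interactive logon: not flagged.
    {"time": "2017-10-03T11:50:00", "EventID": 4624, "Computer": "FIN-PC-07", "TargetUserName": "j.macleod",
     "LogonType": 2, "LogonProcessName": "User32", "AuthenticationPackageName": "Negotiate"},
]


def _when(event):
    return datetime.fromisoformat(event["time"])


def detect_password_spraying(events, window=timedelta(minutes=10), min_accounts=5):
    """Return {source_ip: [accounts]} where one source failed logons (4625) against
    at least min_accounts distinct accounts inside any window-sized period.
    window and min_accounts are assumed thresholds; tune them to the environment."""
    failures = defaultdict(list)
    for event in events:
        if event.get("EventID") == 4625 and event.get("IpAddress"):
            failures[event["IpAddress"]].append(event)
    alerts = {}
    for ip, attempts in failures.items():
        attempts.sort(key=_when)
        for i, first in enumerate(attempts):
            # Distinct target accounts among the attempts that fall within the window starting here.
            accounts = {e["TargetUserName"] for e in attempts[i:] if _when(e) - _when(first) <= window}
            if len(accounts) >= min_accounts:
                alerts[ip] = sorted(accounts)
                break
    return alerts


def detect_pass_the_hash(events):
    """Return [(computer, account)] for 4624 events with LogonType 9 (NewCredentials),
    LogonProcessName seclogo and AuthenticationPackageName Negotiate: the pattern left
    when stolen credentials are injected into a new logon session. Legitimate
    runas /netonly produces the same pattern, so treat hits as items for review."""
    hits = []
    for event in events:
        if (event.get("EventID") == 4624
                and event.get("LogonType") == 9
                and str(event.get("LogonProcessName", "")).lower() == "seclogo"
                and str(event.get("AuthenticationPackageName", "")).lower() == "negotiate"):
            hits.append((event.get("Computer", "?"), event["TargetUserName"]))
    return hits


def run_detections(events):
    """Bundle both detections into one report for hand-off to the incident process."""
    return {"password_spraying": detect_password_spraying(events),
            "pass_the_hash": detect_pass_the_hash(events)}


if __name__ == "__main__":
    for name, result in run_detections(SAMPLE_EVENTS).items():
        print(f"{name}: {result}")
```

The spraying detector deliberately counts distinct accounts rather than raw failures, so a single user locking themselves out does not trip it; the synchronised timing called for in this step is what makes the window comparison across hosts meaningful.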
9. Removable media controls
Removable media provide a common route for the introduction of malware and the accidental or
deliberate export of sensitive data, therefore policies should be applied to control the use of removable
media. Limit the use of removable media to business need; scan all media for malware. Formally issue
media to users and encrypt information held on media. Actively manage the re-use and disposal of
removable media. Educate users and maintain awareness for following a removable media security
policy.
10. Controls on home and mobile working
Establish risk based policies and procedures that support mobile working or remote access to systems
that are applicable to users, as well as service providers. Assess the risks and create a mobile working
policy; educate users and maintain awareness. Apply a secure baseline build and configuration for all
types of mobile device used by the organisation. Protect data at rest and encrypt if possible. Protect
data in transit. Review the corporate incident management plans and ensure they have sufficient
flexibility to deal with security incidents that could occur.