Whenever our team works on a project for one of our clients, we are most likely performing a risk assessment for a single information system. The purpose is for the organisation’s leadership to understand whether that system falls within their risk appetite and to approve its use. It’s like a warrant of fitness for your car – the risk assessment produces the list of items that need to be checked, and when we audit the system we play the role of the mechanic working through that list. The organisation can then approve the system for use (like getting your WoF sticker so you can drive your car legally).
However, as organisations grow and set up more and more business units to perform all kinds of functions, the number of information systems used to support those functions grows with them. It can be too costly, in both time and money, to perform a full risk assessment on every single system, but organisations still need a base level of safety and risk assurance for all of them. You wouldn’t get a warrant of fitness for your bicycle or skateboard, but it’s still important to check them over before riding down a steep hill!
Recently, one of our larger customers decided that they needed some assurance that their non-critical business information systems were within their cyber security risk appetite. Since they had 40 of these to review, performing an individual risk assessment for each system was not going to be achievable. We approached this project by conducting a common cyber security controls review – a method of assurance gathering we had not used before. Here’s how it worked:
Top Seven Controls for Information Systems
Firstly, we selected the most frequently recommended cyber security controls. By drawing on recommendations from CERT NZ, the Australian Cyber Security Centre and the Centre for Internet Security, as well as Axenic’s own IP, we identified the top seven controls for information systems. These were:
- Patch and vulnerability management: are system updates applied in a timely manner in order to protect against known technical vulnerabilities and prevent malicious attacks?
- Backup and restore: is data stored in the system backed up so that it can be retrieved in the event of data loss?
- Hardening of systems, network devices and applications: are systems configured to perform only the tasks they are designed for, are unnecessary features, services and communication protocols disabled, and are default accounts, credentials and settings changed or removed?
- Secure authentication: are systems accessed by uniquely identifiable users with secure credentials and multifactor authentication?
- Event logging, alerting and auditing: are system activities recorded and retained, and are those records reviewed for suspicious behaviour? Can unusual behaviour be detected automatically?
- Malware protection: is suitable anti-malware protection running on the system, is it kept up to date, and are regular scans run?
- Privileged access management: is elevated access within the system restricted to those who are explicitly authorised to have it? Do privileged staff members use separate privileged accounts?
Next, we wrote several questions for each of these controls and, using our risk management tool Archer, sent a survey to the owner of each of our client’s 40 systems. After giving them suitable time to respond, and offering a few drop-in sessions to guide some participants through the process, we gathered a large amount of feedback and consolidated the results.
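As an added illustration of the consolidation step (not Axenic’s Archer workflow, and not the client’s data), the script below takes per-system yes/no survey answers for the seven controls and produces the two figures a report like this needs: which systems fail at least one control, and which controls fail most often across the estate. The short control keys and the sample responses are constructed for the example; an unanswered question set is deliberately treated as a fail, since a control whose state is unknown gives no assurance.

```python
"""Consolidate yes/no control-survey responses across many systems.

Added example; the control keys and sample data are constructed, not client data.
"""
from typing import Dict, List

# Short keys for the seven controls described above (assumed names for this example).
CONTROLS = [
    "patching",           # patch and vulnerability management
    "backup",             # backup and restore
    "hardening",          # hardening of systems, network devices and applications
    "authentication",     # secure authentication (unique users, MFA)
    "logging",            # event logging, alerting and auditing
    "malware",            # malware protection
    "privileged_access",  # privileged access management
]

# Constructed sample data: system -> control -> one answer per survey question.
# An empty list or a missing control means the owner did not answer.
SAMPLE_RESPONSES: Dict[str, Dict[str, List[str]]] = {
    "HR portal": {
        "patching": ["Yes", "Yes"], "backup": ["Yes"], "hardening": ["Yes", "No"],
        "authentication": ["Yes", "Yes"], "logging": ["Yes", "No"],
        "malware": ["Yes"], "privileged_access": ["Yes", "Yes"],
    },
    "Fleet booking": {
        "patching": ["No", "No"], "backup": ["Yes"], "hardening": ["Yes", "Yes"],
        "authentication": ["Yes", "No"], "logging": ["Yes", "Yes"],
        "malware": ["Yes"], "privileged_access": ["Yes", "Yes"],
    },
    "Intranet wiki": {
        "patching": ["Yes", "Yes"], "backup": ["Yes"], "hardening": ["Yes", "Yes"],
        "authentication": ["Yes", "Yes"], "logging": [],   # left unanswered
        "malware": ["Yes"],                                 # privileged_access missing
    },
}


def normalise(answer: str) -> bool:
    """Map a free-text survey answer to True for yes and False for anything else."""
    return answer.strip().lower() in {"yes", "y", "true"}


def control_passes(answers: List[str]) -> bool:
    """A control passes only if every question was answered yes.

    No answers at all is a fail: an unknown control state gives no assurance.
    """
    return bool(answers) and all(normalise(a) for a in answers)


def score_system(responses: Dict[str, List[str]]) -> Dict[str, bool]:
    """Return pass/fail for each of the seven controls for one system."""
    return {c: control_passes(responses.get(c, [])) for c in CONTROLS}


def consolidate(all_responses: Dict[str, Dict[str, List[str]]]) -> dict:
    """Aggregate per-system scores into the figures the summary report needs."""
    scores = {system: score_system(r) for system, r in all_responses.items()}
    failing_systems = sorted(s for s, sc in scores.items() if not all(sc.values()))
    fail_counts = {c: sum(1 for sc in scores.values() if not sc[c]) for c in CONTROLS}
    # Rank controls by how many systems fail them; the top entries are the quick wins.
    ranked = sorted(fail_counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return {
        "scores": scores,
        "systems_failing_any": failing_systems,
        "fail_counts": fail_counts,
        "ranked_controls": ranked,
    }


if __name__ == "__main__":
    report = consolidate(SAMPLE_RESPONSES)
    total = len(SAMPLE_RESPONSES)
    print(f"{len(report['systems_failing_any'])} of {total} systems fail at least one control")
    for control, n in report["ranked_controls"]:
        print(f"  {control:<18} {n}/{total} systems failing")
```

The ranked list is what turns 40 individual surveys into actionable items: a control that most systems fail is usually cheaper to fix once, organisation-wide, than system by system.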
Common Cyber Security Controls Review Findings
The findings were interesting to say the least. Every one of the 40 systems was failing at least one basic cyber security hygiene control. The report gave the client an opportunity to improve: in the summary we listed actionable items based on their new awareness of their security landscape.
By actioning these items they will substantially strengthen their cyber security posture and culture throughout the organisation – a rising tide lifts all boats!
Axenic’s cyber security hygiene check lets you quickly validate the effectiveness of the essential security controls across your systems and services. The insights it provides help your organisation identify quick and effective cyber security wins, and repeating the assessment periodically gives you confidence and shows the progress (or regress) of your essential security controls over time.
Contact Axenic if you are interested in exploring how this can benefit your organisation.