Cybersecurity

A cybersecurity risk assessment looks at threats to confidentiality, integrity and availability of information managed by the organization, and compares these threats against the in-place safeguards to determine which risks to expend effort on mitigating. Threat modeling looks at specific threats to the organization that may be unique based on culture, nature of work, or other criteria. 

An effective cybersecurity plan is done annually, at a minimum, and includes a timeline for implementation of any changes, a plan for communicating and supporting the change and support for new security measures. 

Vulnerability scanning is software which scans computers, networks and applications for weaknesses. Note that this is question is only applicable to organizations with offices, and with networks within those offices. Organizations that work out of co-working environments or are completely distributed do not require vulnerability scanning at the network level and should choose the N/A option for their response.

An access control is a restriction of access to a resource or system. Active system, application and service accounts are reviewed monthly or quarterly and updated to reflect current state. Permissions to restricted information are checked to verify accuracy. 

Unified Threat Management (UTM) monitors inbound and outbound network traffic for malware and signs of intrusion or attempted intrusion. Only applies to organizations with networks used by multiple staff. Not applicable to organizations that are completely distributed. 

WPA2, at a minimum. 

If, for example, our organization uses Salesforce for CRM and Google for Email and Document Management, we have read and understood the privacy and data protection policies of Salesforce and Google. 

The Antivirus solution should provide notifications of malware detection on any device and also notifications on update failures or Antivirus service stoppage. 

Especially important for mission-critical hardware such as servers, firewalls and mission-critical software. 

Backup systems should be both physically and logically distinct from primary systems. For example, if sensitive data exists on an in-house server, the backup should be offsite and on a separate system (such as a cloud-based backup). Restores should also be performed, at a minimum, once every three months (quarterly). 

Shadow IT is when staff use personal versions of tools like Dropbox, Google Drive and Slack without involvement or knowledge or organizational IT to work remotely and/or collaborate with colleagues in the manner that best supports their work.

Organizations can reduce shadow IT through policy and communication but most of all by leveraging cloud-based applications to provide staff with a high degree of flexibility to collaborate, work remotely and with various devices. 

Examples of Password Management/SSO systems include LastPass, KeePass, 1Password & Okta. 

Having access to reliable technology support is important to cybersecurity because without this access, staff may allow risks to perpetuate or engage, unknowingly, in risky digital behavior. 

There is an ongoing security awareness training program in place for staff to help them with best practices for information security.

This is important because if staff, interns and volunteers do not know how to use the systems, they may use their own tools instead or may misuse organization technology in ways that compromise security. 

Example: A current network diagram, server roles, documentation of vendors, SaaS, etc. Optimally IT staff verify and update the documentation periodically. 

An access control is a restriction of access to a resource or system. Having documentation of who has access to sensitive information within the organization is important to ensure that access controls are properly managed. 

Cybersecurity insurance may help mitigate financial risk should your organization suffer a breach or other cybersecurity-related incident. 

• Bring Your Own Device (BYOD) policy

• Remote and travel policy

• Data sharing policy

• Acceptable Use policy

• Onboarding/Offboarding (Provisioning and Deprovisioning)

For example, which accounts are created when new staff come in, how access is revoked and how information is protected when staff leave.

An effective incident response plan includes, at a minimum:

1. Guidelines for declaration of an incident and activation of the incident response
2. A defined incident response team with contact information
3. A communications plan
4. A recovery plan
5. Lessons learned and changes