This year has seen an unprecedented number of highly visible cybersecurity events: entire countries disappearing from the internet during riots and revolts (North Africa, Egypt, Libya), and metropolitan underground e-mail and phone service cut off (San Francisco) by the authorities to “protect us”.
Reportedly the hacker group Anonymous has now threatened to take down the New York Stock Exchange’s computers, in what we at Riskope would see as a “logical” development of the Men against Machines War we described in a recent posting in this blog.
A new report from the Georgia Tech Information Security Center warns that the trend will accelerate, and, based on our own experience, they are not the only ones to believe so.
Several related studies we are performing are indeed pinpointing risks linked to search poisoning, mobile web-based attacks, more conventional hijacked computers (botnets), etc.
Although many believe common sense is the best defence, we are of the opinion that private, institutional and corporate clients should take things far more seriously. Thus, we are happy to see that some of our clairvoyant clients have asked us to perform holistic, full-scope risk assessments on their information systems, as they were feeling the pressure rising in this area.
Today we have decided to publish a short post on a specific aspect of our work, namely third-party review jobs on proposed guidelines (Information Security, Information Risk Management, etc.).
But before going there, we’d like to point out that Information Security Guidelines and methodologies are the subject of numerous web-based resources. Examples include ANSSI (French), which leads to a qualitative, colour-based, obsolete risk assessment, and the US-CERT (American) “software”, which apparently only works on Windows-based systems (sorry for all the other ones like Apple, Linux, Android) and guides its users towards what we consider excessively “light, unfocused and very superficial” reporting.
Well, going back to our Third Party Review Report, which has of course been censored to protect client confidentiality and is based on our client’s new proposed Information Security Guidelines, we raised the following four major general points:
- It is essential that all employees clearly understand the value of the Company’s Information and their individual and collective responsibility to protect it. Awareness constitutes the first line of defence.
- Riskope encourages our clients to “break up the information silos”, as Information Security should cover all activities and tasks, including the selection, hiring, etc. of personnel, subcontractors and suppliers.
- Riskope encourages the compilation of several versions of Information Security/Risk Management Guidelines tailored towards the needs of various layers of users.
- Guidelines should include formal and well-structured references to the assessment of, and resulting protection from, physical, man-made or natural hazards, as well as business continuity plans, resumption plans, backup capabilities, etc.
In the third-party review report you will find many more points, bearing on specific Information Security themes.
As you can hopefully “feel” from the reading, unbalanced or weak guidelines can give their users a false sense of security, and actually miss their goal entirely.
With our group of experts in Cyber Defence (CYD) and Cybersecurity, Riskope can perform audits and penetration tests on your company’s systems, write well-balanced Security Guidelines, and review and support your efforts.