IT governance is about managing information as an asset consistently with organisational strategy and organisational culture. It is about practices, supported by policies, processes, and procedures, that are subject to continuous improvement as new trends emerge internally and externally.
Security governance is a primary element of information governance. You might be more familiar with a ‘buzzier’ word: cybersecurity.
Your organisation probably has a higher level of awareness of cybersecurity than at any time before. It really is a buzzword. It is widely referred to in traditional and social media – every day, there’s reporting of a new attack, data breach, the compromise of personal information. Your organisation’s insurance brokers are almost certainly raising the prospect of cyber insurance and the risks of cyber attacks.
At heart, cybersecurity controls and directs IT security. It is a framework for accountability in mitigating security risks to data. That is, it covers the techniques of protecting computers, networks, programs and data from unauthorised access and from attacks aimed at theft or exploitation.
A quick Google will bring up myriad lists of the ‘top’ cybersecurity risks. You see that these risks change rapidly over time. The Federal Government’s Australian Cyber Security Centre has compiled The Essential Eight – a list of mitigation strategies as a starting point for organisations to improve their cyber resilience.
The Essential Eight are split into three categories of mitigation strategies:
- Preventing malware delivery and execution
- Limiting the extent of cyber security incidents
- Recovering data and system availability.
Mitigation Strategies to Prevent Malware Delivery and Execution
Application whitelisting of approved programs to prevent execution of unapproved programs, including .exe, DLL, scripts and installers.
Application patching of ‘extreme risk’ vulnerabilities within 48 hours using the latest application version.
Configuring Microsoft Office macro settings to block macros from the Internet and allow vetted macros in ‘trusted’ locations with limited write access or digitally signed with a trusted certificate.
User application hardening, e.g. configuring web browsers to block Flash, ads and Java on the Internet, and disabling unneeded features in Microsoft Office, web browsers and PDF viewers.
Mitigation Strategies to Limit the Extent of Cyber Security Incidents
Restricting administrative privileges to operating systems and applications based on user duties, including regularly revalidating the need for privileges, and preventing the use of privileged accounts for reading email and web browsing.
Operating system patching (including network devices) of ‘extreme risk’ vulnerabilities within 48 hours using the latest operating system version.
Multi-factor authentication, including for VPNs, RDP, SSH and other remote access, and for users performing a privileged action or accessing a sensitive/high-availability data repository.
Mitigation Strategies to Recover Data and System Availability
Daily backups of important new/changed data, software and configuration settings, stored disconnected and retained for at least 3 months, with restoration tested initially, annually and when IT infrastructure changes.
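The patching and backup strategies above come with measurable thresholds (48 hours, daily, 3 months, annual restore tests), so they can be checked automatically against an asset register. The following is an added example, not code from the article or the Australian Cyber Security Centre; the record layout, field names and sample data are assumptions of this example, and "3 months" is taken as 90 days.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional
# Thresholds are the ones the Essential Eight summary states; the record
# layout and field names are this example's own assumptions.
PATCH_SLA = timedelta(hours=48)        # extreme-risk vulnerabilities patched within 48 hours
BACKUP_AGE_MAX = timedelta(days=1)     # backups taken daily
RETENTION_MIN = timedelta(days=90)     # retained for at least 3 months (assumed 90 days)
RESTORE_TEST_MAX = timedelta(days=365) # restoration tested at least annually

@dataclass
class Vuln:
    host: str
    severity: str                 # the 48-hour clock applies to "extreme"
    fix_available: datetime       # when the vendor patch was released
    patched: Optional[datetime]   # None while still unpatched

@dataclass
class BackupState:
    last_backup: datetime
    disconnected: bool            # copy not reachable from production systems
    retention: timedelta
    last_restore_test: datetime

def overdue_patches(vulns, now):
    """Hosts whose extreme-risk vulnerabilities were, or still are, open past 48 hours."""
    # An unpatched vulnerability is measured against the current time.
    return [v.host for v in vulns
            if v.severity == "extreme" and (v.patched or now) - v.fix_available > PATCH_SLA]

def backup_gaps(state, now):
    """Which of the backup requirements on the page are not met, in a fixed order."""
    gaps = []
    if now - state.last_backup > BACKUP_AGE_MAX:
        gaps.append("backup older than one day")
    if not state.disconnected:
        gaps.append("backup not stored disconnected")
    if state.retention < RETENTION_MIN:
        gaps.append("retention shorter than 3 months")
    if now - state.last_restore_test > RESTORE_TEST_MAX:
        gaps.append("restore not tested in the last year")
    return gaps

# Constructed sample data (not from any real environment).
NOW = datetime(2024, 6, 10, 9, 0)
SAMPLE_VULNS = [
    Vuln("fileserver01", "extreme", datetime(2024, 6, 7, 9, 0), datetime(2024, 6, 8, 9, 0)),  # fixed in 24h
    Vuln("web02", "extreme", datetime(2024, 6, 5, 9, 0), None),                                 # open for 5 days
    Vuln("hr-laptop", "high", datetime(2024, 6, 1, 9, 0), None),                                # not extreme-risk
]
SAMPLE_BACKUP = BackupState(datetime(2024, 6, 9, 23, 0), False, timedelta(days=30), datetime(2023, 12, 1))
```

Running `overdue_patches(SAMPLE_VULNS, NOW)` and `backup_gaps(SAMPLE_BACKUP, NOW)` on the sample data flags only web02 for patching and reports the disconnected-storage and retention gaps for the backup.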