Blog

Control 19: Data Recovery Capability

Develop a written plan that identifies all business owners and the processes needed by them to restore normal operations. Interview the business owners to better understand the dependencies needed to do their normal activities. Conduct annual tabletop exercises with each business process owner. Use mock scenarios that consider availability loss of people, facilities and technology. […]

Control 18: Incident Response Capability

Enlist all employees to report suspicious activities to the Incident Response Team (IRT). Create a dedicated phone number and email address they can use to report issues to your team. Security awareness training to enable all employees to contact help desk with suspicious issues. Monthly IRT team member training that covers the steps in the […]

Control 17: Penetration Tests and Red Team Exercises

Penetration testing is often confused with vulnerability assessments, as mentioned in Control 10. Penetration testing differs in that it involves attempted exploitation. Just like in Control 10, penetration testing should occur in each network zone to ensure adequate coverage. Track all open issues and document through confirmed remediation of all issues to be corrected. Determine […]

Control 16: Secure Network Engineering

Secure networks do not appear by accident. It starts with thoughtful planning and sound engineering principles. Seek out flaws in the current network design as an attacker would and correct all of the faults found in its design. By being intentional and meticulous, a true design can emerge and more importantly it will persist. A […]

Control 15: Data Loss Prevention

Data Loss Prevention (DLP) is a new trend in Information Security, but really should not be. DLP may have been a missed opportunity when Network Intrusion Detection (NIDS) was first introduced. Is it all of a sudden that data exfiltration has become important? How was this missed as a priority for so long? Define what […]

Control 14: Wireless Device Control

Wireless network access allows for better collaboration and mobility. With this relatively new medium comes an extra risk. Be sure to handle this administratively through the use of policy and user education to set clear expectations of appropriate use. Specific policy reference should be made that prohibits the use of peer to peer wireless networking. […]