This cheat sheet was initially prepared as part of our participation in the International Association of Privacy Professionals’ recent event, ‘The Hacker, the Lawyer, the Client’.
We’ve decided to share the cheat sheet with anybody who is interested. It’s primarily designed as a set of questions or topics that one would ask their CIO or IT manager in a small or medium-sized enterprise to help better understand the situation you’re in.
What would a serious cyber security incident cost your company?
Is the behaviour of your staff enabling a strong security culture?
The key takeaway from this article is that the importance of security awareness at all levels needs to be demonstrated; the points below suggest methods of doing so.
Secure Deployments – How is your organisation vetting code, applications and equipment being deployed?
A large portion of IT purchases are made outside the IT department; consider how this impacts the IT department’s ability to fulfil its role in ensuring your security.
Data Loss Prevention
Vulnerability and Threat Management – What is your process for vulnerability tracking and management of risks to your particular environment?
Credential Management and Tracking
Strong Access Control – What is the process taken when accessing private information? Are you using a single factor of authentication?
Network Security Controls
It is known that SPF can sometimes be circumvented simply by making a Mailchimp account, for example.
Ensure that anti-spam is filtering incoming email messages for spam and malicious content.
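As an added example (not part of the original cheat sheet), here is a small Python check that parses an SPF record and flags the weaknesses behind that point: an include of a shared bulk-mail provider, an open +all or ?all, a missing all mechanism, or more DNS-lookup terms than SPF allows. The sample records and the bulk-mail.example provider domain are constructed placeholders, not any real domain’s DNS.

```python
import re

# Constructed sample SPF records (not any real domain's DNS) illustrating the
# cheat-sheet point: an 'include' of a shared bulk-mail provider lets every
# customer of that provider pass SPF as you. "bulk-mail.example" is a placeholder.
SAMPLE_RECORDS = {
    "weak": "v=spf1 include:_spf.bulk-mail.example mx ~all",
    "open": "v=spf1 a mx +all",
    "strict": "v=spf1 mx ip4:203.0.113.0/24 -all",
}

# qualifier (+ - ~ ?), mechanism/modifier name, optional argument after : = or /
TERM_RE = re.compile(r"^([+\-~?]?)([a-z0-9]+)(?:[:=/](.*))?$", re.IGNORECASE)
# Terms that cost a DNS lookup; RFC 7208 allows at most 10 per evaluation.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def parse_spf(record):
    """Split an SPF record into (qualifier, name, argument) tuples."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    terms = []
    for raw in parts[1:]:
        m = TERM_RE.match(raw)
        if not m:
            raise ValueError("unparseable term: %r" % raw)
        qual, name, arg = m.groups()
        terms.append((qual or "+", name.lower(), arg))
    return terms

def spf_findings(record, shared_senders=("bulk-mail.example",)):
    """Return human-readable findings for one SPF record. shared_senders is an
    assumed list of provider domains whose include authorises every tenant."""
    terms = parse_spf(record)
    findings = []
    alls = [q for q, name, _ in terms if name == "all"]
    if not alls:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result")
    elif alls[-1] in "+?":
        findings.append("'%sall' authorises any sender; use -all or ~all" % alls[-1])
    for _, name, arg in terms:
        if name == "include" and arg and any(arg.endswith(s) for s in shared_senders):
            findings.append("include:%s is a shared provider; every tenant passes SPF" % arg)
    lookups = sum(1 for _, name, _ in terms if name in LOOKUP_TERMS)
    if lookups > 10:
        findings.append("%d DNS-lookup terms exceed the RFC 7208 limit of 10" % lookups)
    return findings
```

Run spf_findings on your own domain’s TXT record to see which of these conditions apply; an empty list means none of the checked weaknesses were found.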
Is security a major deciding factor in assessment processes for engaging with providers?
Security Awareness – Most companies with highly sophisticated access controls and well-developed security measures will still fall victim to phishing attacks. Consider a Security Awareness training program coupled with an audit of what protections are in place.
Cyber Insurance – If you conduct business online, you need to make sure you’re covered both for ‘cyber outages’ caused by malicious attackers and for equipment failures. You may need to expand your current level of insurance.
Incident Response Teams – Prepare for an incident; your IT, HR and Legal departments should be involved at a minimum.
The OAIC considers the preparation and implementation of a data breach policy and response plan a ‘reasonable step’.
BYOD & Mobile Tech – Bring your own device (or ‘bring your own destruction’!) is a big challenge; how are you facing it?