Information Security Policy/Program

Hello all! Does anyone have an Information Security Program/Policy that they would be willing to share?

We restrict USB drives on most users desktops. Password policy restrictions. Browser restrictions like security levels and trusted sites.

Hi Neil

At the risk of giving away some industry ‘secrets’ I’ll just tell you what the number one risk factors are and how to address them.

I’m happy to provide some free advice below however if you would like some more assistance please feel free to reach out here:

  1. Passwords and MFA

Passwords are now useless. Yep. Chinese rigs can now crack 100B passwords a second. Users can give their passwords away to phishing attacks. They can also use the same username/password combo for third party sites that get breached.

So how do we combat this?

Changing passwords every 90 days? Nope, that’s so 1997. Microsoft research suggests password rotation actually just makes people choose less secure passwords. Oops.

Solution: use MFA to secure access to systems wherever possible (multi-factor authentication, verifying with - preferably - a smartphone app). The easiest way to achieve this via business email is probably to use Microsoft 365.

This alone reduces password based breaches by 99.9% and should be #1 on your new policy.

  2. Phishing

90% of Cyber Attacks are estimated to start with a phishing attack. Use a third-party email filter (low cost) to help reduce the attacks markedly. But you won’t block all of them. Consider also using security awareness training (again low cost) to help train your users with simulated phishing attacks.

  3. Web Security
    80% of Malware attacks use DNS at some point of the kill chain. Adding an effective web security layer (preferably with protection against advanced threats) can therefore help protect against both phishing attacks and malware. Again, products like Cisco Umbrella or TitanHQ WebTitan are comparatively low cost.

  4. Endpoint Protection
    It’s important to have decent protection against malware etc., especially on Windows PCs. Think of this as the final layer of protection (the goal keeper). The best ‘standard’ AV product on the market under independent testing - and again reasonably priced - is Bitdefender.

  5. Patch your software. Patch your software. Patch your software.
    An estimated 90% of attacks are expected to use known software flaws by this year (according to Gartner). Microsoft Intune is great for automating Windows 10 patching including feature packs. Use third party RMM solutions such as Kaseya VSA (or Bitdefender Patch Management) to patch third party software.

  6. Consider implementing zero-trust policies where only approved devices can access your systems. Solutions like Microsoft Intune or Cisco Duo are great for this. This often also goes hand in hand with mobile security solutions (there has been a big increase in SMS phishing attacks for example).

  7. Application controls and whitelisting
    Consider restricting applications that can run on your network and perhaps removable media like USB drives too. A privilege elevation control solution such as Threatlocker or Auto Elevate can also allow you to remove local admin rights from your users. This (alongside application ringfencing) is really the ‘holy grail’ of security because removing admin and execution controls from your users also removes the ability for most malware to function.

You will note that the majority of the above is based on funnelling usage down a certain path. Self-serve policies are not sufficient in 2021. You need to find a way to:

a) reduce the ability for your staff to interact with malicious content in the first place - prevention is better than cure!

b) implement solutions that are known to reduce your attack surface once a threat does make it through - such as patch management and decent AV

c) enforce certain controls in your environment but in a way to do it gracefully for end users (which point 7 can help address).

And finally - remember that no matter what you do, things can go wrong. Just ask SolarWinds and FireEye.

Therefore an effective data protection policy is a must. Control where your users store data, for example with folder redirection or OneDrive KFM - and shared drives or SharePoint etc. Then, ensure that you have a 3-2-1 backup strategy in place (three copies of data - original copy, an onsite backup, and a third one offsite). For cloud data (e.g. Microsoft 365) you should also have an external cloud-to-cloud backup.

I hope this helps!
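The 3-2-1 backup rule in the reply above (original copy, an onsite backup, a third copy offsite, plus an external cloud-to-cloud backup for SaaS data) is easy to state and easy to drift away from as systems are added. The script below is an added example, not code from the thread or from any of the products mentioned: it checks a constructed backup inventory against those rules and lists the gaps per data set. The `DataSet`/`Copy` format, the provider names and the sample inventory are all assumptions made for the illustration.

```python
"""Evaluate a backup inventory against the 3-2-1 rule described in the reply.

Added example, not from the original thread. The inventory format (DataSet /
Copy), the provider labels and the sample data are constructed for this
illustration only.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass(frozen=True)
class Copy:
    """One copy of a data set: where it lives and who holds it."""
    label: str
    location: str   # "onsite" or "offsite"
    provider: str   # who holds the copy, e.g. "self", "m365", "backup-vendor"


@dataclass
class DataSet:
    name: str
    primary: Copy                  # the original, working copy
    backups: List[Copy] = field(default_factory=list)
    cloud_hosted: bool = False     # True for SaaS data such as Microsoft 365


def evaluate(ds: DataSet) -> List[str]:
    """Return the policy gaps for one data set; an empty list means it complies."""
    gaps: List[str] = []
    copies = [ds.primary, *ds.backups]

    # Three copies in total: the original plus two backups.
    if len(copies) < 3:
        gaps.append(f"{ds.name}: only {len(copies)} copies, need 3")

    if ds.cloud_hosted:
        # Cloud data: the reply asks for an external cloud-to-cloud backup, i.e. a
        # copy held by a provider other than the one hosting the primary. A recycle
        # bin or version history inside the same tenant does not count.
        if not any(c.provider != ds.primary.provider for c in ds.backups):
            gaps.append(f"{ds.name}: cloud-hosted but no copy outside {ds.primary.provider}")
    else:
        # On-premises data: one backup onsite (fast restore) and one offsite
        # (survives a site-level event such as fire, theft or ransomware).
        if not any(c.location == "onsite" for c in ds.backups):
            gaps.append(f"{ds.name}: no onsite backup")
        if not any(c.location == "offsite" for c in ds.backups):
            gaps.append(f"{ds.name}: no offsite backup")

    return gaps


def report(inventory: List[DataSet]) -> Dict[str, List[str]]:
    """Map each data set name to its list of gaps."""
    return {ds.name: evaluate(ds) for ds in inventory}


# Constructed sample inventory: one compliant file server and one SaaS data set
# whose only "backup" is the tenant's own recycle bin.
INVENTORY = [
    DataSet(
        "file-server",
        primary=Copy("F: share", "onsite", "self"),
        backups=[
            Copy("NAS snapshot", "onsite", "self"),
            Copy("vendor vault", "offsite", "backup-vendor"),
        ],
    ),
    DataSet(
        "sharepoint",
        primary=Copy("SharePoint Online", "offsite", "m365"),
        backups=[Copy("M365 recycle bin", "offsite", "m365")],
        cloud_hosted=True,
    ),
]

if __name__ == "__main__":
    for name, gaps in report(INVENTORY).items():
        status = "OK" if not gaps else "GAPS"
        print(f"{name}: {status}")
        for gap in gaps:
            print(f"  - {gap}")
```

Running it prints the file server as compliant and flags the SharePoint data set twice: only two copies exist, and none of them is held outside the hosting tenant. The second check is the one that catches the common mistake of treating a provider's own retention features as a backup.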