Cybersecurity Considerations
Organizations must take a risk management approach to security. Physical security and cybersecurity have been discrete functions that must now be converged in order to formulate an effective risk-based organizational security policy.
The integration of physical security devices into the business network is also on the rise. This includes security cameras, identity management systems, card access readers, and even air conditioning and ventilation controls. However, security standards for these peripheral devices are not on par with those for corporate computers and servers. Similarly, the rapid adoption of Internet of Things (IoT) and Cyber Physical Systems (CPS) devices that collect information and feed it to the network exposes the organization to increasing risks and vulnerabilities.
The following is an essential questionnaire that an organization's security professionals must consider at a minimum:
Physical Security:
· Is access to buildings and sensitive areas controlled, monitored and logged?
· Do visitors require a temporary access badge? Are the visits logged and escorted when necessary?
· How often are CCTV and access alarms tested and scanned for malware? Is the testing part of the security policy?
· Are staff identification cards easily recognizable and is it a requirement to display the cards at all times?
· Are security staff trained in detecting and addressing tailgating?
Network and Critical Systems:
· Has the organization identified critical business systems that are crucial for business continuity and aligned with the confidentiality, integrity and availability principles?
· Are network and host firewalls installed and tested?
· Are the processes and policies for configuration and patch management clearly defined?
· Is there an accurate running list of all IoT devices connected to the network?
· Are IoT devices secured with two-factor authentication and port masking, and kept updated with the latest firmware and security patches?
· Is the clean-up policy after employee termination quick and stringent?
Data:
· Is critical data identified and encrypted?
· Are at-rest and in-motion data encryption policies in place?
· Is traffic monitored for inconsistencies? Is there a policy in place to address irregularities?
· Is a data backup and Disaster Recovery (DR) policy in place? Which modes are used: data centers, cloud, or a hybrid?
· Are third-party cloud storage vendor agreements and service level agreements (SLAs) in line with the company's cybersecurity and physical security policy?