Mitigating cyber risks comprehensively
A truly robust cyber security regime is founded on a comprehensive cyber risk assessment programme to identify the gaps in an organisation’s critical risk areas and to determine the right actions to close those gaps. If you are embarking on a cyber security improvement programme, a cyber health check will help you identify your weakest security areas and recommend appropriate measures to mitigate your risks.
Why do you need a cyber health check?
A cyber health check is essential in establishing a solid foundation on which to build your security infrastructure. A cyber health check will help you identify your weakest security areas and recommend appropriate measures to mitigate your risks. It includes vulnerability scans of critical infrastructure IPs and websites/URLs, as well as an internal wireless scan.
A cyber health check helps establish a secure infrastructure, so it is often a requirement of regulatory initiatives and compliance standards such as ISO 27001, the General Data Protection Regulation (GDPR), Cyber Essentials and others.
What a cyber health check does
A cyber health check will provide you with an incisive and detailed report describing your current cyber risk status and critical exposures, and will draw on best practice – such as ISO 27001, 10 Steps to Cyber Security and Cyber Essentials – to provide recommendations for reducing your cyber and compliance risk. The report provides feedback in the following four areas:
- Basic cyber hygiene
- Cyber governance framework
- Policies, procedures and technical controls
- Continuity, recovery and resilience
The difference between a cyber health check and a cyber security audit
A cyber security audit is a one-day consultancy service offering a high-level cyber review of the organisation and its IT estate. It identifies the threats, vulnerabilities and risks the organisation faces, and the impact and likelihood of such risks materialising.
A cyber health check, however, is more exhaustive in scope. Aside from the audit and the technical cyber security controls included in the cyber security audit service, a cyber health check also conducts vulnerability scans of critical infrastructure IP and website addresses, an internal wireless scan of router security settings, and an online staff questionnaire that determines gaps between corporate cyber security policy and employees’ actual cyber security practices.
A cyber security audit provides a snapshot, or an overview, of an organisation's IT security posture at a particular moment. A cyber health check, however, delves deeper and looks at the policies and procedures that have contributed to that IT security posture. In that sense, a cyber health check is more concerned with the security processes that describe how people and technology interact, and with determining whether that interaction is contributing to or hampering overall cyber security.
Receive a prioritised action plan
In each of these areas, the health check identifies your actual cyber risks, assesses your responses to those risks, and analyses your risk exposure. This service includes:
- On-site interviews with key managers;
- An on-site security assessment;
- External vulnerability scans;
- Online staff awareness questionnaires; and
- High-level analysis and expert recommendations for next steps.
The result is a best-practice action plan to mitigate those risks effectively and in line with your business objectives.
Ask yourself these questions...
- Does your board receive regular reports on the status of your company’s cyber security governance? If so, how often are the reports received?
- Have you identified your key information assets and thoroughly assessed their vulnerability to attack?
- Has responsibility for cyber risk been allocated appropriately? Is it on the risk register?
- Do you have an effective risk governance structure that your risk tolerance and controls are aligned with?
- Do you have appropriate information risk policies and adequate cyber insurance?
If you answered ‘no’ to any of the questions, you could suffer considerably from an attack, especially if you are a public sector organisation or handle large volumes of personal data.
The NIS Directive
The EU Directive on security of network and information systems (NIS Directive) requires operators of essential services (OES) and digital service providers (DSPs) to implement appropriate security measures to protect services that are essential to the national infrastructure, with a view to ensuring continuity of those services.
The NIS Directive is aimed at bolstering cyber security across sectors that rely heavily on information and communications technology. Certain businesses operating in critical sectors are known as OES. The sectors affected by the NIS Directive are:
- Digital infrastructure
Due to the sensitive nature of these sectors, you will often find that the first requirement towards compliance with the NIS Directive is a Cyber Health Check.
Free download: The EU Directive on Security of Network and Information Systems – UK compliance guidance
Receive compliance guidance from the NIS Directive experts in this free green paper, which will help you get to grips with the Directive's requirements and the UK government's implementation guidelines.
Why choose IT Governance?
IT Governance has more than 15 years’ experience helping organisations get their basic security hygiene right, working with boards and senior managers to identify and manage cyber risks in line with the organisation’s risk appetite and commercial business drivers.
IT Governance is also recognised under the following frameworks:
- UK government CCS-approved supplier of G Cloud 9 services
- CREST certified as ethical security testers
- Certified under Cyber Essentials Plus, the UK government-backed cyber security certification scheme
- Certified to ISO 27001:2013, the world’s most recognised cyber security standard