Mitigating cyber risks comprehensively
A truly robust cyber security regime is founded on a comprehensive cyber risk assessment programme that identifies the gaps in an organisation's critical risk areas and determines the right actions to close those gaps. If you are embarking on a cyber security improvement programme, a cyber health check will help you identify your weakest security areas and recommend appropriate measures to mitigate your risks.
Why do you need a cyber health check?
A cyber health check is essential in establishing a solid foundation on which to build your security infrastructure. As well as a review of governance, policies and processes, it includes vulnerability scans of critical infrastructure IP addresses and websites/URLs, and an internal wireless scan.
A cyber health check helps you establish and evidence a secure infrastructure, which is required by regulations and standards such as ISO 27001, the General Data Protection Regulation (GDPR) and Cyber Essentials.
What a cyber health check does
A cyber health check will provide you with an incisive and detailed report describing your current cyber risk status and critical exposures, and will draw on best practice – such as ISO 27001, the NCSC's 10 Steps to Cyber Security, the CIS Critical Security Controls, other NCSC guidance and Cyber Essentials – to provide recommendations for reducing your cyber and compliance risk.
The report provides feedback in the following areas:
- Cyber risk governance
- Cyber asset management
- Cyber risk management
- Legal, regulatory and contractual obligations
- Policies, procedures and information security management
- Roles and responsibilities
- Business continuity and incident management
- Training and awareness
- Cyber security controls
- Vulnerability assessment
- Staff awareness assessment
The difference between a cyber health check and a cyber security audit
A cyber security audit is a one-day consultancy service offering a high-level review of the organisation and its IT estate. It identifies the key areas of cyber risk.
A cyber health check is more exhaustive in scope. In addition to the review and the assessment of technical cyber security controls included in the cyber security audit, a cyber health check conducts vulnerability scans of critical infrastructure IP addresses and websites, an internal wireless scan, and an online staff questionnaire that measures employees' actual cyber security practices rather than the practices written in policy.
A cyber security audit provides a snapshot of an organisation's IT security posture at a particular moment. A cyber health check delves deeper and examines the policies and procedures that produced that posture. In that sense, a cyber health check is concerned with the security processes that govern how people and technology interact, and with whether those processes contribute to or hamper overall cyber security.
Receive a prioritised action plan
In each of the areas listed above, the health check identifies cyber risks and assesses your current response to those risks. The service includes:
- On-site interviews with key managers;
- An on-site physical security assessment;
- External vulnerability scans and an internal wireless scan;
- Online staff awareness questionnaires; and
- High-level analysis and expert recommendations for next steps.
The result is a prioritised action plan to mitigate those risks effectively and in line with your business objectives.
Ask yourself these questions...
- Does your board receive regular reports on the status of your company’s cyber security governance? If so, how often are the reports received?
- Have you identified your key information assets and thoroughly assessed their vulnerability to attack?
- Has responsibility for cyber risk been allocated appropriately? Is it on the risk register?
- Do you have an effective risk governance structure with which your risk tolerance and controls are aligned?
- Do you have appropriate information risk policies and adequate cyber insurance?
If you answered 'no' to any of these questions, an attack could cause you considerable financial, operational and reputational harm, particularly if you are a public sector organisation or handle large volumes of personal data.
The NIS Directive
The EU Directive on security of network and information systems (the NIS Directive, Directive (EU) 2016/1148) requires operators of essential services (OES) and digital service providers (DSPs) to implement appropriate security measures to protect services that are essential to the national infrastructure, with a view to ensuring the continuity of those services.
The NIS Directive is aimed at bolstering cyber security across sectors that rely heavily on information and communications technology. Organisations operating in the critical sectors it covers are designated OES. The sectors affected by the NIS Directive include:
- Digital infrastructure
Because of the sensitive nature of these sectors, a cyber health check is often the first step an organisation takes towards compliance with the NIS Directive, as it establishes where the gaps lie before any security measures are chosen.
IT Governance has more than 15 years’ experience helping organisations get their cyber security right, working with boards and senior managers to identify and manage cyber risks in line with the organisation’s risk appetite and commercial business drivers.