The first element of IT Governance’s Cyber Resilience Framework involves managing your defences and protecting your organisation from cyber threats.
It should cover:
Software and other technical measures should protect your computer systems and information from a broad range of malware (including computer viruses, worms, spyware, botnet software and ransomware).
Information and security policies
You should document how your organisation plans to protect its physical and information assets. Policies should be communicated to, and understood by, all staff and contractors.
Formal information security management programme
There should be a structured approach to securing information assets across your organisation, taking account of people, processes and technology. This approach should unify the other processes.
Identity and access control
Measures should be implemented to ensure that people attempting to access information and information systems are who they say they are and that they are authorised to access that information. This needs to include physical access as well as logical access.
Security team competence and training
Security teams should be suitably qualified and regularly trained on how to respond to cyber security incidents. There should also be processes for developing security teams and identifying the necessary skills.
Staff awareness training
Employees should receive regular cyber security awareness training and be aware of security threats and procedures. This might include supplementary aids such as posters, briefings, etc.
Your organisation should have a documented process that defines when and how encryption is applied to protect information, taking account of information both in transit and at rest.
Physical and environmental security
Physical and environmental security controls should be implemented to reduce the risk posed by threats within the physical environment, including natural or environmental hazards, and physical intrusion by unauthorised individuals.
Your organisation should have a process defining how software on computers and network devices is kept up to date. Patch management processes might also affect procurement policies to ensure that software is supported and will continue to receive any necessary patches, and to retire software that is no longer supported.
Network and communications security
Your organisation’s network infrastructure should be secured with appropriate technologies and processes, such as switches, firewalls, segregation and DMZs. This might include securing physical communications assets such as cabling.
Systems should be designed to be secure, including both internal- and external-facing systems such as web applications and databases.
Assets (both information and physical) should be logged, tracked and managed throughout their lifecycle. Each asset should have a defined ‘owner’ who is responsible for it.
Supply chain risk management
Your organisation should have measures in place to secure information throughout the supply chain, such as security requirements in contracts, non-disclosure agreements and rules for information sharing. These should cover the whole supply chain, including physical suppliers, software vendors and Cloud service providers.
The extent to which you implement these measures will depend on your environment and compliance requirements.