A No Nonsense Approach to Objectively
Evaluating Your Information Security
Readiness
Robert C. Covington
togoCIO
3/19/2015
A No Nonsense Approach to Objectively Evaluating Your
Information Security Readiness
© 2015, togoCIO. All rights reserved.
Page | 2
CONTENTS
The Problem ... 4
So, Why Worry About It? ... 4
The Case for Taking Action ... 5
How We Approach the Problem ... 6
How Can You Do What We Do? ... 6
The Approach ... 7
The Checklist ... 8
Security Policy ... 8
1) Does a Written Policy Exist? ... 9
2) Does an Update Process Exist? ... 9
3) Is the Policy Available to Employees? ... 9
Employee Awareness ... 9
4) Is A Security Training Program in Place for All Employees? ... 9
5) Is The Training Program Reviewed and Updated At Least Yearly? ... 10
6) Are New Employees Given Training or Policy Documents When They Start? ... 10
Credential Management ... 10
7) Are Minimum Password Standards Enforced? ... 11
8) Are Regular Password Changes Required? ... 11
9) Is a Formal Offboarding Process in Place? ... 11
10) Is Employee Access Restricted to Only the Information Needed to Do Their Jobs? ... 11
Server Security ... 11
11) Have All Server Default Passwords Been Changed? ... 12
12) Are Server Patches Up to Date? ... 12
13) Are Server Logs Routinely Monitored? ... 12
14) Is Key Server Data Encrypted? ... 12
Workstation Security ... 13
15) Is Anti-Virus Software Installed and Updated on EVERY Workstation? ... 13
16) Is a Patch Management Process in Place? ... 13
Network Security ... 13
17) Is a Firewall in Place with Current Firmware? ... 14
18) Are Firewall Logs Regularly Reviewed? ... 14
19) Is a Regular Penetration Test Performed? ... 14
Wireless Security ... 15
20) Is Your Wireless Network Secured with Appropriate Encryption? ... 15
21) Are Guests Restricted From Accessing Organization Systems? ... 15
Physical Security ... 15
22) Can a Visitor Enter the Building Without Passing Through a Controlled Door? ... 16
23) Are Cameras Used in Key Areas? ... 16
24) Is an Intrusion Alarm System in Place, Using Unique Codes? ... 16
25) Are Confidential Documents Shredded Appropriately? ... 16
Risk Management ... 17
26) Are Regular Backups Performed? ... 17
27) Are Backups Stored Offsite? ... 17
28) Are Backups Regularly Tested? ... 17
29) Does a Bring Your Own Device (BYOD) Policy Exist? ... 18
30) Does a Disaster Recovery Plan Exist? ... 18
In Summary ... 19
About togoCIO ... 20
Table of Authorities ... 22
The Problem
Businesses and organizations are under siege today, constantly being attacked by
outside actors who attempt to steal information, disable networks, and interrupt
business activities. According to the PwC US State of Cybercrime Survey study, in
2014, three in four (77%) respondents admitted having detected a security event in
the past 12 months, and more than a third (34%) said the number of security
incidents detected increased over the previous year. 1
Small and medium organizations suffer a disproportionately large per capita
impact from such attacks, estimated at $1,513 versus $517 2. A major part of the
problem relates to their poor adoption of security and risk management practices.
A recent McAfee study showed that more than 90% of such organizations did not
protect their data. 3
Why does this lack of security focus happen? According to government experts in
the UK, a quarter of small businesses think cyber security is too expensive. At the
same time, 20% admit that they don't know where to start. 4 At least somewhat
complicit in this problem is the fact that most such organizations don't have in-house
staff devoted to information security to warn of the dangers, or to implement
controls. In many cases, they don't have in-house technology staff at all.
So, to summarize expert opinion, the primary reasons for lack of information
security adoption in small businesses and organizations are:
- Too expensive
- Don't know where to start
- Lack of dedicated technology staff
The purpose of this white paper is to dispel those concerns, and to demonstrate how
much of an improvement in information security can be achieved simply with a bit
of focus.
Throughout this white paper, we will refer to Small and Medium Organizations as
SMOs, which we define as businesses or not-for-profit organizations with fewer than
100 employees.
So, Why Worry About It?
Statistics can be interesting and informative, but how do the above numbers really
impact your SMO? After all, Target, Anthem, Home Depot, etc. all seemed to weather
their recent breaches without incident. Target just agreed to settle their
outstanding lawsuits for up to $10,000 each, totaling over $10 million 5. To them,
and the other behemoths, this amounts to a drop in the bucket.
Can your SMO afford a $10,000/customer settlement? Worse yet, can you afford the
loss of customers that would likely occur if you allowed their personal data to be
compromised?
The Case for Taking Action
Can you buy and install security products that will eliminate all of your information
security risks? In a word, no, at least, not completely. If the large enterprises with
huge IT budgets can't, it is unlikely that your SMO can. It seems like a lost cause
from the start, and thus, many SMOs just ignore the problem.
We in the SMO world have some advantages over the big guys, however:
1. We are small and nimble, adapting quickly to the need for change
2. Our IT infrastructures are simpler and easier to secure
3. We are far less visible to the hacking community
A recent article in Security Week 6 breaks intrusion threats down into three
categories:
1. Generic - Opportunistic, non-targeted threats. These are the drive-bys of the
hacker world. Hackers are looking to break into something, and happen
upon your network.
2. Targeted - These attacks are aimed directly at you for one reason or another.
Hackers want something they think you have, and they are after you to get it.
3. Invasive - These attacks are the "in-laws" of the hacking world. They come to
stay awhile. They want not only what you have today, but what they think
you will have next month. They work to hide the footprints indicating their
presence.
Large corporations are the primary victims of Targeted and Invasive attacks. They
are well known, very visible, and have many potential points of vulnerability.
As noted above, for the SMO world, our lack of visibility is a significant advantage.
We are unlikely targets for Targeted and Invasive attacks. Our primary concern is
Generic attacks, and to a much smaller degree, Targeted attacks.
So, in the midst of all of the scary statistics and disturbing news reports, the good
news is that we in the SMO world can eliminate much of our risk by following basic
security practices. We are not as good a match for a determined and well-funded
hacking organization, but they are not very likely to come after us.
Don't underestimate the risk of a generic attack, however. Much of the initial
discovery aspect of hacking is done via automation. Hackers write programs to
attempt access to IP addresses in sequence, utilizing standard techniques and
known vulnerabilities. Any responses are logged, and later used by a human for a
more in-depth attack. If you have any doubt, a quick review of your server or
firewall log will remove it. A SaaS company for which we managed security
was subject to almost continuous probes, primarily from outside the United States.
How We Approach the Problem
In our many years of experience securing SMOs, we have developed a scorecard to
aid in the objective evaluation of an organization's security posture. Our Business
Security Review service uses this scorecard to provide a quick and affordable
analysis of an organization's current exposure. Based on our expertise and years of
experience, we can tell fairly quickly whether an SMO has significant exposures, and
just as quickly advise them about the changes they need to make to resolve them.
Using this approach, a significant improvement can be achieved in a short time.
Another advantage we have lies in our experience recommending and implementing
cost-effective solutions. Fixing the problem does not have to cost a fortune. Many
recommended changes don't even involve writing a check.
How Can You Do What We Do?
The good news is that there is nothing magic in what we do for SMOs. Given our
concern for the victims of cybercrime, we willingly share what we have learned with
those who want it. Armed with our checklist, along with some objectivity, you can
do it for yourself.
The purpose of this white paper is to arm you with the criteria you need to make
such an evaluation of your own situation. If we have done our job right, you will be
able to review your information security (infosec) posture, and have a good idea
about where to start in correcting any deficiencies.
Should you do it yourself? In a perfect world, I would say no. You are up against a
well-funded and highly trained hacking community, with their own marketplace,
tech support organizations, and in some cases, support from foreign powers. It is
also hard for you to be completely objective about your own situation. Realistically,
however, funds are often tight, and most SMOs have grown up doing for themselves.
As such, it is critical that you conduct such an analysis, and doing it yourself is far
better than not doing it at all.
The Approach
First, you need to be prepared to forget for a time everything you know, or think you
know, about your infosec posture. You must be able to see your situation with the
eyes of an outsider. As an example, you may assume that since you pay for 100
copies of anti-virus software, your workstations are protected. To succeed with
your analysis, you must be able to forget this, and check your workstations like an
outsider with no knowledge of your anti-virus software would. It is not unlikely that
you will be surprised at what you find.
Next, you must be able to block out enough time to conduct the review in a
reasonable period of time. Since infosec is not your full time job, it is easy to get
distracted by other business. Such distractions can prevent you from completing
the project. Schedule some time, and knock it out quickly.
Third, when you reach your conclusions, act on them! I have worked with many
SMOs that have paid consultants to make recommendations, and then put the
documents on the shelf, never to be looked at again. Analysis is only half the battle.
You must follow through and correct the identified issues. These changes may seem
daunting, but you probably already have an organization or individuals handling
information technology functions for you, and they can generally be called upon to
implement the changes you decide on. Don't let your lack of hands-on knowledge
dissuade you.
It is helpful to document your approach and findings as you go. This helps to make
sure you have covered everything, and that all identified issues have been
addressed. This process will need to be repeated regularly, and the documentation
you create will help you to do it efficiently in the future.
The Checklist
The checklist that follows represents over 20 years of combined infosec experience,
primarily focused on the SMO world. It is consistent with most current compliance
standards, including PCI, HIPAA, and SOX. The security infrastructure created using
this approach has withstood audits by large enterprises, and government and
private agencies. Note that what you see below is a slightly simplified version of the
one we use in practice.
The checklist that follows is broken down into major areas, and within each area, its
significant analysis points. Within a heading, individual points are shown in order of
importance, based on our experience. For each point, we attempt to tell you why it
is important, and how to correct deficiencies.
One caveat - Infosec is a world unto itself, meaning that you could read a 5,000 page
manual and still not have all of the information you need. As such, we cannot hope
to give the subject complete treatment in a short document. Our intent is to "hit the
high points", allowing you to address your major exposures. You need to consider
the specific needs dictated by your business and industry, and apply additional
standards and objectives as appropriate.
Now, without further interruption, the checklist:
Security Policy
Every organization, regardless of size, needs a written security policy. This is the
area where we usually get the most pushback from SMOs. Such organizations often
assume that since they are small, this can be accomplished via "oral tradition". This
may work for an organization with just a few employees. The problem is that as
growth occurs, they never go back and write it all down. The result is a larger
number of employees playing by their own rules.
An additional justification relates to the supervision of contractors and vendors.
They must play by your rules as well, or you are just as exposed as you would be
from an employee's failure to follow policy. Your rules need to be written down and
provided to them, so that they know how to conduct business on your behalf.
There are many other justifications, including consistency, basis for disciplinary
action, awareness, and demonstration of management commitment. 7
If you don't have such a policy, don't despair. Templates are readily available on the
Internet, either free or for a small fee. With a little effort, you can build a policy out
of such a template. You can also hire an organization to customize a policy
document for you.
1) Does a Written Policy Exist?
This is an easy analysis point. Either it exists, or it doesn't. If not, you need
one. The process of producing one is a bit easier than it seems. There are a
variety of templates available on the Internet that you can download and
modify to meet the requirements of your organization. As an example,
Entrepreneur Magazine has a reasonable version. 8
2) Does an Update Process Exist?
Your business is not static, so your security policy cannot be either.
Resolving this can be as easy as making an entry on your calendar for every 6
months to review the document, and update as necessary.
3) Is the Policy Available to Employees?
Your policy accomplishes nothing sitting on your shelf. Make sure your
employees have access to it, and read it. Make it available to your vendors as
well, and let them know that they are expected to follow it.
Employee Awareness
Many security breaches result from inadvertent failures by employees. The Anthem
data breach, which resulted in a huge disclosure of personal information, is believed
to have been caused by employees following a counterfeit link to a fake domain in
an official-looking email. 9 You cannot assume that your employees know what to do
to keep your organization safe. It is essential, through formal training and other
practices, to help them understand the risks, and how they can address them. A
recent study by Carnegie Mellon University 10 clearly demonstrated a reduction in
employees clicking on phishing links after specific training.
4) Is A Security Training Program in Place for All Employees?
This is critical to your infosec program, whether you have 5 employees or
500. If you don't have such a program, you can find templates online, buy
pre-packaged programs, pay someone to handle the training for you, or do
train-the-trainer. One example is a complete program, including posters and
handouts, available for free from Sophos. 11
Here are a few training program tips learned from personal experience:
- Make it fun - you can use games, humor, etc. to engage employees
- Make the case - help your employees understand how their
participation helps the organization, and how the lack of attention to
it increases risk
- Bring food - as Mary Poppins would say, "Just a spoonful of sugar..."
- Door prize - I always bring a door prize as an extra incentive for
people to attend
5) Is The Training Program Reviewed and Updated At Least Yearly?
Very simple - we live in a changing world. Your training program must grow
and evolve along with your company.
6) Are New Employees Given Training or Policy Documents When They Start?
Don't wait for the next round of training. Hand them your policy document
when they start, and put them through your training program as soon as
practical.
Credential Management
The lifeblood of any organization is the systems it uses. These systems contain the
information necessary to run the business and keep track of customers. Such
systems are effectively the end game for any hacker. It is essential that you protect
and control access to such systems, and restrict employees to only the information
they need to do their jobs.
There is a relatively new class of products, called identity management systems, that
can help with a number of aspects of credential management. They allow employees
to log in to all web-based applications from a central portal. They also support
automation of employee onboarding and offboarding, and can help to enforce
minimum password standards, as well as grouping employees for access rights. We
have been very successful in the use of one such product, Okta. 12
7) Are Minimum Password Standards Enforced?
I hate password standards as much as anyone, but a good password is
essential. According to security organization SplashData 13, the most common
password is still "123456". A good hacker always starts with the list of
common passwords, and many succeed without employing stronger
measures.
8) Are Regular Password Changes Required?
This item is obviously unpleasant, but nonetheless necessary. This
requirement should be enforced by your network and applications, where
possible.
9) Is a Formal Offboarding Process in Place?
A surprising number of organizations fail to disable system access when an
employee leaves the organization. Given the growing number of cloud-based
systems in use, it is very easy to miss one when removing access. If, for example,
you lose a sales person, their continued access to your CRM system could result in
the loss of customers. You need, at a minimum, a checklist of all systems. When
someone leaves the organization, disable their access to any systems, and file the
checklist in their personnel file.
10) Is Employee Access Restricted to Only the Information Needed to Do Their
Jobs?
Don't provide blanket system access to employees. Give them just what they
need to do their jobs. We have had an old saying in the infosec world for
many years: "stinginess with privilege is kindness in disguise." That could
not be more true today.
Server Security
It is especially important to properly secure any servers in use within your SMO.
This seems like it goes without saying, but we continue to be amazed at how many
poorly secured servers we find. The material in this section applies to cloud-based
systems and servers as well.
11) Have All Server Default Passwords Been Changed?
No server should have the original or default passwords. Hackers read the
manuals, and they know the defaults. The same applies to passwords for any
network devices. In conducting a security analysis for a customer recently,
we broke into their wireless network within about 30 seconds because of the
default password being in use.
12) Are Server Patches Up to Date?
A large percentage of security breaches occur because a hacker who gets into
a network is able to access information on a server via known vulnerabilities.
HP's recent Cyber Risk Report 2015 14 showed that most of the vulnerabilities
exploited in 2014 were years or even decades old, with patches readily
available. Again, this recommendation also applies to network devices. In just
the past few weeks, D-Link was forced to release patches for various network
devices for vulnerabilities rated 10 out of 10 by the United States Computer
Emergency Readiness Team (US-CERT). 15 Based on our experience, very few
device owners will ever apply these patches.
13) Are Server Logs Routinely Monitored?
In many cases, server logs will show you that hacking attempts are occurring
before they succeed. They can also be helpful in identifying server hardware
issues before they become serious. Sadly, most such logs never get opened.
There are a large number of products on the market to handle log
consolidation, and in some cases log analytics. 16 These systems gather
entries from logs on various systems, and consolidate them into a single log.
This makes log review quicker and easier. In some cases, these packages also
perform some analytics, allowing them to highlight the entries of particular
concern. One example of log consolidation products is Loggly 17, a cloud-based
system with free and purchased versions available.
14) Is Key Server Data Encrypted?
If you store Personal Identifying Information (PII) for customers or
employees, it needs to be encrypted, in case the server is compromised.
Fortunately, many server operating systems (including Windows) have some
encryption capabilities built in. These features just need to be enabled. 18
Workstation Security
Your PCs connect to your network and systems. A compromised PC can allow a
hacker to gain access to everything to which it is connected. Many vulnerabilities
result from web sites visited, or files downloaded, making PCs the front line of your
cyber war battle.
15) Is Anti-Virus Software Installed and Updated on EVERY Workstation?
This seems obvious, but is overlooked with surprising frequency. Don't
forget that even if a PC came with such protection, it usually expires after
some number of months, and must be renewed. According to a recent article
by Tom's Guide 19, expired anti-virus software is no better than none at all.
Buy a uniform package for all of your PCs, and make sure it stays deployed on
all PCs. For small organizations, Microsoft allows their Security Essentials
product to be used without charge for up to 10 workstations. 20
16) Is a Patch Management Process in Place?
New vulnerabilities are found in operating systems and software every week.
Even Apple, once considered immune to such issues, is now releasing
frequent patches. It is essential that each PC on your network have patches
applied as they are released. Some process must exist to check them
periodically to ensure this is happening. If this seems like a daunting
process, you will be relieved to know that a variety of products exist to
simplify it. As an example, ManageEngine offers such a product
with additional asset management features, which is free for up to 25
workstations. 21 Dell offers an express version of their excellent KACE asset
management product as a free download. 22
Network Security
You probably don't leave the front door to your house unlocked, and neither should
you fail to give proper attention to the security of your network, which is the front
door to your business technology. This is arguably the easiest part of this checklist
to address, because of the robust set of products available to do it.
17) Is a Firewall in Place with Current Firmware?
If I were only able to make one recommendation, it would be to install and
maintain a good firewall. This device provides strong protection for your
network, filtering outside attacks, and in many cases blocking infected files
and sites your employees attempt to access. Do NOT rely on the router
provided by your Internet Service Provider. In a recent blog post, we pointed
out that Comcast for some time has been allowing public access to private
customer routers. 23 Also, do NOT go to the office supply store and buy the
cheapest thing they have. This is the place to spend a major part of your
technology budget. While there are many good products on the market, we
have had good experience with the Dell SonicWall line of firewalls for the
SMO market (full disclosure - we do NOT sell products, so we have no
economic bias in our recommendations). Fortinet also makes a good firewall
series.
Just as you must change the oil in your car, you must keep your firewall
firmware up to date. Most firewall products can automatically download
new threat signatures, but firmware must normally be applied manually.
Add this to your calendar as an item to be regularly checked.
18) Are Firewall Logs Regularly Reviewed?
Firewall logging can be your attack early warning system. If you keep an eye
on these logs, you will know if attempts are made to attack your network.
Again, there are numerous products and services available to help simplify
this process.
We break out firewall logging as a separate item, because of its criticality.
Many of the products that perform log consolidation will incorporate firewall
logs as well. See the commentary on item 13 for more information.
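An added example, not from the paper, of the routine review items 13 and 18 call for: it reads a few constructed sshd and firewall log lines, as a consolidation tool would present them, and flags the patterns the paper describes: repeated password failures from one source, a login success that follows them, and one source probing many ports. The log formats, thresholds and IP addresses are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines (not from the paper): OpenSSH-style auth messages
# from a server, plus netfilter-style firewall DROP messages, interleaved the
# way a log consolidation tool would show them. Addresses are documentation
# ranges, not real hosts.
SAMPLE_LOG = """\
Mar 19 02:14:07 web1 sshd[2201]: Failed password for invalid user admin from 198.51.100.23 port 51022 ssh2
Mar 19 02:14:09 web1 sshd[2203]: Failed password for invalid user oracle from 198.51.100.23 port 51030 ssh2
Mar 19 02:14:12 web1 sshd[2205]: Failed password for root from 198.51.100.23 port 51041 ssh2
Mar 19 02:14:15 web1 sshd[2207]: Failed password for root from 198.51.100.23 port 51050 ssh2
Mar 19 02:14:18 web1 sshd[2209]: Failed password for root from 198.51.100.23 port 51059 ssh2
Mar 19 02:14:21 web1 sshd[2211]: Accepted password for root from 198.51.100.23 port 51066 ssh2
Mar 19 03:02:44 web1 sshd[2290]: Failed password for alice from 192.0.2.10 port 40112 ssh2
Mar 19 03:02:51 web1 sshd[2292]: Accepted publickey for alice from 192.0.2.10 port 40113 ssh2
Mar 19 03:10:00 fw1 kernel: DROP IN=eth0 SRC=203.0.113.77 DST=203.0.113.5 PROTO=TCP DPT=23
Mar 19 03:10:01 fw1 kernel: DROP IN=eth0 SRC=203.0.113.77 DST=203.0.113.5 PROTO=TCP DPT=445
Mar 19 03:10:02 fw1 kernel: DROP IN=eth0 SRC=203.0.113.77 DST=203.0.113.5 PROTO=TCP DPT=3389
Mar 19 03:10:03 fw1 kernel: DROP IN=eth0 SRC=203.0.113.77 DST=203.0.113.5 PROTO=TCP DPT=22
"""

# Assumed line formats; adjust the patterns to your own server and firewall.
IP = r"(\d+\.\d+\.\d+\.\d+)"
SSH_FAIL = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from " + IP)
SSH_OK = re.compile(r"sshd\[\d+\]: Accepted \w+ for (\S+) from " + IP)
FW_DROP = re.compile(r"kernel: DROP .*SRC=" + IP + r" .*DPT=(\d+)")


def review_logs(text, fail_threshold=3, port_threshold=3):
    """Return the findings a routine log review should surface.

    brute_force: sources with >= fail_threshold failed logins (the
      automated password guessing the paper calls a generic attack).
    success_after_failures: a login that succeeded from a source that had
      already failed fail_threshold times; review these first.
    port_scans: sources whose dropped packets hit >= port_threshold
      distinct ports (the sequential probing described in the paper).
    """
    failures = defaultdict(lambda: {"failures": 0, "users": set()})
    success_after_failures = []
    dropped_ports = defaultdict(set)
    for line in text.splitlines():
        m = SSH_FAIL.search(line)
        if m:
            user, ip = m.groups()
            failures[ip]["failures"] += 1
            failures[ip]["users"].add(user)
            continue
        m = SSH_OK.search(line)
        if m:
            user, ip = m.groups()
            if failures[ip]["failures"] >= fail_threshold:
                success_after_failures.append((ip, user))
            continue
        m = FW_DROP.search(line)
        if m:
            ip, port = m.groups()
            dropped_ports[ip].add(int(port))
    brute_force = {
        ip: {"failures": d["failures"], "users": sorted(d["users"])}
        for ip, d in failures.items() if d["failures"] >= fail_threshold
    }
    port_scans = {ip: sorted(ports) for ip, ports in dropped_ports.items()
                  if len(ports) >= port_threshold}
    return {"brute_force": brute_force,
            "success_after_failures": success_after_failures,
            "port_scans": port_scans}


if __name__ == "__main__":
    findings = review_logs(SAMPLE_LOG)
    for ip, user in findings["success_after_failures"]:
        print(f"URGENT: {user} logged in from {ip} after repeated failures")
    for ip, d in findings["brute_force"].items():
        print(f"password guessing from {ip}: {d['failures']} failures, users {d['users']}")
    for ip, ports in findings["port_scans"].items():
        print(f"port probing from {ip}: ports {ports}")
```

A single failed login from a known user (alice above) is ordinary and is not reported; the review is about runs of failures and what follows them.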
19) Is a Regular Penetration Test Performed?
Despite your best efforts, your network may inadvertently be exposed to
outside attack. The only way to know for sure is to perform a penetration
test, which is an intentional attempt to break into your network, thereby
identifying any vulnerabilities. Such checks are a basic element of the major
compliance standards, including HIPAA and PCI. A variety of organizations
offer this as a service. There are also online tools to help with this. One of
my favorites is Pentest-Tools, which offers some basic checks without charge.
24 While we like the self-service tools for quick frequent checks, there is no
substitute for periodic professional checks.
Wireless Security
A wireless network can unintentionally be an invitation to the world to come on in,
probably not the message you intended to send when you set it up. A wireless
network can leave you very vulnerable, since it is readily accessible from outside of
your physical walls. It is essential to use a secure encryption standard and a strong
access password.
20) Is Your Wireless Network Secured with Appropriate Encryption?
A system known as WEP was a common wireless standard for some time,
and can still be found in use today. Sadly, it is an easily breached system. In
fact, you can readily find software online which can determine a WEP key. It
is essential that you use WPA2 or better encryption, with a strong password.
This may seem obvious, but don't post the password in your facility. One
major wireless router manufacturer generates a random default password
for their units (a good thing), and puts it on a label on the outside of the unit.
We found one customer recently who still had the label on the unit, for all
visitors to see.
21) Are Guests Restricted From Accessing Organization Systems?
If you allow visitors to access your wireless network, they need to be
restricted to accessing only the Internet. A rogue visitor with your primary
wireless password can continue to access your network after they walk out
the front door, and can use this to attack your systems. Many wireless access
points have the ability to provide restricted guest services. These features
just need to be enabled.
Physical Security
With all of our focus on infosec, it is easy to overlook basic physical security.
Someone gaining access to your office can easily bypass just about any infosec
control you put in place. A stolen laptop, server, or removable disk can provide a
wealth of saleable information to a hacker.
22) Can a Visitor Enter the Building Without Passing Through a Controlled
Door?
An unlocked door should have some form of entry control, be it a receptionist
(at a minimum), or badge or key access required beyond the lobby
(preferred). Years ago, a law office where my mom was employed was
robbed using a simple tactic. One thief distracted the receptionist, and the
other went through an open door, took items of value, and left unseen. Sadly,
this approach is still common today.
23) Are Cameras Used in Key Areas?
Cameras are an inexpensive way to monitor your doors and other key areas.
They help deter intrusions, and they allow you to reconstruct the details of an
incident after it has occurred. They are somewhat unusual in that they serve as
deterrent and detective controls at the same time, and as a preventive control
to the extent that the deterrent works. Quite a bargain!
24) Is an Intrusion Alarm System in Place, Using Unique Codes?
This seems obvious, but it is overlooked by more organizations than you
might guess. In many cases, those who have one use a common code for
everyone. Unless you are religious about changing the code when someone
leaves, you are at risk. Systems with unique codes usually cost little, if
anything, more than a regular alarm system. Invest in such a system, and
remove individual codes as soon as an employee leaves. This also allows you
to use a unique code for cleaning personnel, and other contractors.
25) Are Confidential Documents Shredded Appropriately?
Your organization needs to have a policy in place defining which documents
are confidential and must be disposed of appropriately. Such documents
must be shredded. At a minimum, a cross-cut shredder is required; a strip-cut
shredder does not sufficiently destroy documents, since the strips can be
reassembled. We recommend a shredding company that destroys documents while
at your site. Some years ago, a major Atlanta-based document destruction
company with a state contract to destroy driver's licenses was found to be
"losing" licenses on their way back to the shredding facility. If you watch
your documents being destroyed, there is no such danger. The National
Association for Information Destruction (NAID) is a good resource for finding
a vendor. They have a certification program for destruction vendors,
requiring that they meet certain standards. 25
Risk Management
This category involves efforts to keep your organization operating, and to
restore operations after an event. This is likely the most overlooked category
for SMOs.
26) Are Regular Backups Performed?
Backing up servers (local and cloud-based), PCs, and any other devices with
important company data, is essential to being able to recover from a device
failure, fire, etc. Many organizations fail to address this requirement for
servers, let alone PCs and mobile devices.
27) Are Backups Stored Offsite?
For backups made to magnetic tape, CD/DVD, or removable disk, it is
important that they be stored outside of the primary facility. If they remain
onsite and the primary facility is damaged or destroyed, you risk losing your
systems and the backups together. This can be as simple as an organization
official taking them home, or can involve a service that stores your media at
a protected site. If they are taken home, we recommend this be done by a
company executive, and not an IT staff member. Whatever the arrangement, media
that leaves the building should be encrypted: a lost or stolen backup is a
complete copy of everything you were trying to protect.
Depending on your particular situation, cloud-based backup services can be a
good option, since they solve the offsite storage problem by default. They do
add some data security exposures, so careful vendor selection is important.
28) Are Backups Regularly Tested?
Unfortunately, ignorance is not bliss in the risk management world. You may
think your backups are fine, when in fact they may be unusable. This is
particularly true for those still using magnetic tape as a backup medium,
because such media has a definite shelf life. The lifespan of a magnetic tape
is significantly affected by handling and environmental conditions. If you
continue to use this medium, we recommend that you review the Council on
Library and Information Resources guidelines for care and handling. 26
Whatever media or service is used, it is important to regularly attempt an
actual restore, and to confirm that what comes back matches what was backed
up; a backup job that reports success is not the same as a backup that can be
restored.
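To make this check concrete, here is a restore test script added for this edit (it is not part of the original white paper). It writes a checksum manifest of the data at backup time, later restores the tar archive into a scratch directory, and compares every restored file against that manifest, so a backup that extracts without errors but is missing or has altered files still fails the test. The sample files and the truncated "bad tape" are constructed; the script assumes a POSIX shell with tar, cksum, find, sort, dd and mktemp (GNU or BSD versions).

```shell
#!/bin/sh
# Restore test for a tar backup. At backup time a checksum manifest of the
# source tree is written beside the archive; the test restores the archive
# into a scratch directory and compares the restored tree with that manifest.
# Assumes POSIX sh plus tar, cksum, find, sort, dd and mktemp (GNU or BSD).

# manifest DIR: one "checksum size ./path" line per regular file, sorted by path
manifest() {
    ( cd "$1" && find . -type f | sort | while IFS= read -r f; do cksum "$f"; done )
}

# backup_dir SRC ARCHIVE: write ARCHIVE and the sidecar ARCHIVE.manifest
backup_dir() {
    manifest "$1" > "$2.manifest" || return 1
    ( cd "$1" && tar -cf - . ) > "$2" || return 1
}

# verify_backup ARCHIVE: extract into a scratch directory and compare against
# ARCHIVE.manifest. Returns 0 only if the archive extracts cleanly AND every
# file is present with the expected checksum; the scratch copy is removed.
verify_backup() {
    scratch=$(mktemp -d) || return 1
    status=1
    if tar -xf "$1" -C "$scratch" 2>/dev/null; then
        if [ "$(manifest "$scratch")" = "$(cat "$1.manifest")" ]; then
            status=0
        fi
    fi
    rm -rf "$scratch"
    return $status
}

# truncate_archive ARCHIVE BLOCKS: keep only the first BLOCKS 512-byte blocks,
# simulating a partial write or a tape that ran out
truncate_archive() {
    dd if="$1" of="$1.tmp" bs=512 count="$2" 2>/dev/null && mv "$1.tmp" "$1"
}

# Demonstration on constructed files (not real company data)
demo() {
    work=$(mktemp -d) || return 1
    mkdir -p "$work/data/finance"
    printf 'Q1 invoices\n' > "$work/data/finance/invoices.txt"
    printf 'staff roster\n' > "$work/data/hr.txt"

    backup_dir "$work/data" "$work/nightly.tar" || return 1
    if verify_backup "$work/nightly.tar"; then
        echo "nightly.tar: restore test passed"
    else
        echo "nightly.tar: restore test FAILED"
    fi

    # The same archive after losing its tail: tar reports an unexpected EOF,
    # or the restored tree is short a file, and the test must fail.
    truncate_archive "$work/nightly.tar" 2
    if verify_backup "$work/nightly.tar"; then
        echo "truncated copy: restore test passed (this should not happen)"
    else
        echo "truncated copy: restore test FAILED, as it should"
    fi
    rm -rf "$work"
}

demo
```

The manifest is bound to the archive rather than to the live data, so the test still passes after the source tree has changed, and it catches both failure modes the text describes: media that will not read at all, and media that reads but returns the wrong bytes. Run verify_backup against a real archive on a schedule and treat a non-zero exit as an incident, not a warning.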
29) Does a Bring Your Own Device (BYOD) Policy Exist?
With the widespread presence of smart phones and tablets, employees in many
cases use their personal devices to perform activities on behalf of the
organization. This can be an advantage, as it can make the employee more
efficient, and extend their work hours. The use of such devices poses
significant risks, however, particularly if such devices hold confidential data
or passwords, or are used to connect to company systems. As an example of the
exposure, IBM in a recent study 27 found that over 60% of Android dating
apps were vulnerable to cyber attack, and 50% of enterprises reviewed had
such apps on employee devices, co-existing with confidential company data. It
is important that you define for employees what they can and cannot do in
terms of using their devices for company work, requiring anti-malware
software, device encryption, a screen lock, and the ability to remove company
data from a device that is lost or when the employee leaves.
The use of a mobile device containing company information on a public
network is a significant and growing threat. Most mobile users access a
public network regularly, and their devices often connect to such a network
without them even realizing it. These networks are easily spoofed and
compromised by people with readily available hardware and software. 28
Your policy needs to fully address this risk.
As with the Security Policy, free BYOD templates are readily available. One
example is published by the Society for Human Resource Management. 29
30) Does a Disaster Recovery Plan Exist?
Few SMOs have done any significant disaster recovery planning. It is
important however for any organization, regardless of size, to do some
planning about how they would respond to a disaster, such as a building fire
or flood, loss of a key server, phone system failure, data breach, etc. This
does not have to be highly formal, but needs to be defined and documented
in some fashion before it happens. 30 31 As an example, many organizations
now use cloud-based systems almost exclusively. In these instances, an
Internet failure is a potentially crippling event, which must be accounted for.
Internet redundancy (a second connection from a different carrier, or a
cellular failover link) is practical for most organizations, and needs to be
strongly considered in these instances.
In Summary
Organizational exposures are often overlooked, and frequently at the bottom of the
list for resolution. The intent of this white paper is to highlight these exposures,
demonstrate the risks related to a failure to address them, and provide summary
guidance on how to address them. It is impossible in a short document to
completely cover this complex topic. Instead, our goal has been to discuss those that
are common, critical, and reasonably easy to address. It is our belief and experience
that such issues can be addressed and resolved by personnel within an SMO, with a
bit of focus and effort.
There are numerous exposures however that cannot be covered in this document,
many of which are unique to industries and organizations. As such, once the
potential exposures in this white paper are addressed, we recommend that a
professional be used to evaluate potential additional exposures, and recommend
approaches to remediate any found. Additionally, while you may be completely
satisfied with your current IT personnel or service provider, we recommend against
having them conduct such an analysis. It is generally difficult for such people
to be completely objective in evaluating the systems and policies they
themselves maintain.
We welcome your comments and suggestions.
About togoCIO
togoCIO represents over 30 years of IT, risk management, and security experience,
primarily focused on the SMO world.
Small businesses and organizations are at a major disadvantage in today's business
world. Technology is critical to success, and grows increasingly complex every day.
At the same time, such organizations rarely have access to the experienced staff
needed to help them make good and cost-effective technology decisions. Our vision
is to help such organizations achieve a high standard of technology operations,
including:
• A secure network, with properly protected customer data and intellectual
property
• An efficient operation, with the best possible combination of hardware and
software products, backed up by documented procedures
• A low risk organization, prepared for a variety of challenges and risks
• A compliant organization, not only meeting regulatory requirements, but
doing so in a documented fashion
Our services include:
• Technology Evaluation and Recommendations
• Fractional CIO and CISO Services
• Security and Compliance Evaluation, and Staff Security Training
• Policy and Procedure Development
• Disaster Recovery Planning
• Data Center Design and Construction Management
• Assistance with IT Staff Selection
• Asset Management
• Firewall and Intrusion Prevention, Deployment, and Monitoring
We work with your team or service provider to implement specific
recommendations, or bring in one of our partners, as you prefer.
THANK YOU.
FOR MORE INFORMATION CONTACT:
Robert C. Covington
President
togoCIO
The Missing Piece to Your IT Puzzle
www.togocio.com
rcovington@togocio.com
678-341-3630 (voice)
678-907-9720 (cell)
678-261-0923 (fax)
Table of Authorities
1 PwC, "About the 2014 US State of Cybercrime Survey", June 2014, http://www.pwc.com/en_US/us/increasing-it-effectiveness/publications/assets/2014-us-state-of-cybercrime.pdf
2 Ponemon Institute, "2014 Cost of Cyber Crime Study: United States", Hewlett-Packard, October 9, 2014, https://ssl.www8.hp.com/us/en/ssl/leadgen/document_download.html?objid=4AA5-5208ENW
3 Pando.com, "Big companies like Target aren't the only ones leaving customer information vulnerable to thieves", January 22, 2015, http://pando.com/2015/01/22/big-companies-like-target-arent-the-only-ones-leaving-customer-information-vulnerable-to-thieves/
4 The Telegraph, "SMEs failing to guard against cyber attacks, Government warns", February 24, 2015, http://www.telegraph.co.uk/finance/businessclub/11430701/SMEs-failing-to-guard-against-cyber-attacks-Government-warns.html
5 Reuters, "Target agrees to pay $10 million to settle lawsuit from data breach", March 19, 2015, http://www.reuters.com/article/2015/03/19/us-target-settlement-idUSKBN0MF04K20150319
6 SecurityWeek, "Security, Know Thine Enemy", March 10, 2015, http://www.securityweek.com/security-know-thine-enemy
7 Tripwire, "Corporate Security Policies: Their Effect on Security, and the Real Reason to Have Them", March 18, 2015, http://www.tripwire.com/state-of-security/security-awareness/corporate-security-policies-their-effect-security/
8 Entrepreneur, http://www.entrepreneur.com/formnet/form/731
9 PC World, "Premera, Anthem data breaches linked by similar hacking tactics", March 17, 2015, http://www.pcworld.com/article/2898612/premera-anthem-data-breaches-linked-by-similar-hacking-tactics.html
10 Cranor, Lorrie, et al., "Who Falls for Phish? A Demographic Analysis of Phishing Susceptibility and Effectiveness of Interventions", http://lorrie.cranor.org/pubs/pap1162-sheng.pdf
11 Sophos, http://www.sophos.com/en-us/security-news-trends/it-security-dos-and-donts.aspx
12 Okta, https://www.okta.com/
13 SplashData, "'Password' unseated by '123456' on SplashData's annual 'Worst Passwords' list", http://splashdata.com/press/worstpasswords2013.htm
14 welivesecurity, "Top 10 breaches of 2014 attacked 'old vulnerabilities', says HP", February 25, 2015, http://www.welivesecurity.com/2015/02/25/top-10-breaches-2014-attacked-old-vulnerabilities-says-hp/
15 Softpedia, "D-Link Patches Against Critical Remote Command and Code Execution Flaws", March 17, 2015, http://news.softpedia.com/news/D-Link-Patches-Against-Critical-Remote-Command-and-Code-Execution-Flaws-475976.shtml
16 ProfitBricks, "Top 47 Log Management Tools", May 19, 2014, https://blog.profitbricks.com/top-47-log-management-tools/
17 Loggly, https://www.loggly.com/
18 Microsoft, "BitLocker: How to deploy on Windows Server 2012", August 30, 2012, https://technet.microsoft.com/en-us/library/jj612864.aspx
19 Tom's Guide, "Expired Antivirus Protection Just as Bad as None", November 18, 2015, http://www.tomsguide.com/us/danger-stale-av-software,news-19928.html
20 Microsoft, http://windows.microsoft.com/en-us/windows/security-essentials-download
21 ManageEngine, https://www.manageengine.com/products/desktop-central/windows-patch-management.html
22 Dell KACE Express, http://www.kace.com/k1express
23 Covington, Robert, "Is Comcast Inviting the Public Into Your Home or Office?", September 24, 2014, http://www.togocio.com/#!Is-Comcast-Inviting-the-Public-Into-Your-Home-or-Office/c1eet/55BCE452-1A25-48B9-BB0F-E36FA149DCE5
24 Pentest-Tools, https://pentest-tools.com
25 National Association for Information Destruction (NAID), http://www.naidonline.org/nitl/en/
26 Council on Library and Information Resources, "How Can You Prevent Magnetic Tape from Degrading Prematurely?", June 1995, http://www.clir.org/pubs/reports/pub54/5premature_degrade.html
27 Security Intelligence, "A Perfect Match: Uniting Mobile Security With Your Employees' Use of Online Dating Apps", February 11, 2015, http://securityintelligence.com/datingapps/#.VQx7vU10xet
28 De Correspondent, "Maybe Better If You Don't Read This Story on Public WiFi", October 14, 2014, https://medium.com/matter/heres-why-public-wifi-is-a-public-health-hazard-dd5b8dcb55e6?linkId=13028935
29 Society for Human Resource Management, http://www.shrm.org/templatestools/samples/policies/pages/bringyourowndevicepolicy.aspx
30 Covington, Robert, "Disaster Recovery for the SMB", December 30, 2014, http://www.togocio.com/#!Disaster-Recovery-for-the-SMB/c1eet/7FD1F3D6-E483-4747-A90D-EA785107CE5E
31 Covington, Robert, "Disaster Recovery for the SMB - 7 Steps to Better Sleep", January 6, 2015, http://www.togocio.com/#!Disaster-Recovery-for-the-SMB-7-Steps-to-Better-Sleep/c1eet/94B1DC7E-0735-4440-A6E7-13E9DD4054CA

Más contenido relacionado

Destacado

Red hat Open Source Day 2017, Milan - "From Mainframe to Container, a Cloud s...
Red hat Open Source Day 2017, Milan - "From Mainframe to Container, a Cloud s...Red hat Open Source Day 2017, Milan - "From Mainframe to Container, a Cloud s...
Red hat Open Source Day 2017, Milan - "From Mainframe to Container, a Cloud s...Kiratech
 
Cloud integration: what's in it for you? (Toon Vanhoutte & Massimo Crippa at ...
Cloud integration: what's in it for you? (Toon Vanhoutte & Massimo Crippa at ...Cloud integration: what's in it for you? (Toon Vanhoutte & Massimo Crippa at ...
Cloud integration: what's in it for you? (Toon Vanhoutte & Massimo Crippa at ...Codit
 
Nato Constitution- & Laws. Chris Helweg
Nato Constitution-  &  Laws. Chris HelwegNato Constitution-  &  Laws. Chris Helweg
Nato Constitution- & Laws. Chris HelwegChris Helweg
 
AI = SE , giip system manage automation with A.I
AI = SE , giip system manage automation with A.IAI = SE , giip system manage automation with A.I
AI = SE , giip system manage automation with A.ILowy Shin
 
Evolving your automation with hybrid workers
Evolving your automation with hybrid workersEvolving your automation with hybrid workers
Evolving your automation with hybrid workerskieranjacobsen
 
The Loss of HMAS SYDNEY 2: Medical Aspects- Westphalen
The Loss of HMAS SYDNEY 2: Medical Aspects- WestphalenThe Loss of HMAS SYDNEY 2: Medical Aspects- Westphalen
The Loss of HMAS SYDNEY 2: Medical Aspects- WestphalenLeishman Associates
 
Emerging Technologies: Heroku for ISVs (October 13, 2014)
Emerging Technologies: Heroku for ISVs (October 13, 2014)Emerging Technologies: Heroku for ISVs (October 13, 2014)
Emerging Technologies: Heroku for ISVs (October 13, 2014)Salesforce Partners
 
High Availability Architecture for Legacy Stuff - a 10.000 feet overview
High Availability Architecture for Legacy Stuff - a 10.000 feet overviewHigh Availability Architecture for Legacy Stuff - a 10.000 feet overview
High Availability Architecture for Legacy Stuff - a 10.000 feet overviewMarco Amado
 
Oracle integration cloud service (ICS) best practices learned from the field ...
Oracle integration cloud service (ICS) best practices learned from the field ...Oracle integration cloud service (ICS) best practices learned from the field ...
Oracle integration cloud service (ICS) best practices learned from the field ...Phil Wilkins
 
소셜 코딩 GitHub & branch & branch strategy
소셜 코딩 GitHub & branch & branch strategy소셜 코딩 GitHub & branch & branch strategy
소셜 코딩 GitHub & branch & branch strategyKenu, GwangNam Heo
 
Workshop 2: Building a streaming data platform on AWS
Workshop 2: Building a streaming data platform on AWSWorkshop 2: Building a streaming data platform on AWS
Workshop 2: Building a streaming data platform on AWSAmazon Web Services
 
Elk Reporting Ii
Elk Reporting IiElk Reporting Ii
Elk Reporting Iimwmiller12
 
Open Source Monitoring Tools Shootout
Open Source Monitoring Tools ShootoutOpen Source Monitoring Tools Shootout
Open Source Monitoring Tools Shootouttomdc
 
Production testing and disaster recovery
Production testing and disaster recoveryProduction testing and disaster recovery
Production testing and disaster recoveryBizTalk360
 
Projectmanagement en systemisch werken
Projectmanagement en systemisch werkenProjectmanagement en systemisch werken
Projectmanagement en systemisch werkenOkke Jan Douma
 
The Biggest Lies That Digital Marketers Tell Themselves - 3XE Digital
The Biggest Lies That Digital Marketers Tell Themselves - 3XE DigitalThe Biggest Lies That Digital Marketers Tell Themselves - 3XE Digital
The Biggest Lies That Digital Marketers Tell Themselves - 3XE DigitalEduardas Gricius
 

Destacado (18)

Red hat Open Source Day 2017, Milan - "From Mainframe to Container, a Cloud s...
Red hat Open Source Day 2017, Milan - "From Mainframe to Container, a Cloud s...Red hat Open Source Day 2017, Milan - "From Mainframe to Container, a Cloud s...
Red hat Open Source Day 2017, Milan - "From Mainframe to Container, a Cloud s...
 
Cloud integration: what's in it for you? (Toon Vanhoutte & Massimo Crippa at ...
Cloud integration: what's in it for you? (Toon Vanhoutte & Massimo Crippa at ...Cloud integration: what's in it for you? (Toon Vanhoutte & Massimo Crippa at ...
Cloud integration: what's in it for you? (Toon Vanhoutte & Massimo Crippa at ...
 
Nato Constitution- & Laws. Chris Helweg
Nato Constitution-  &  Laws. Chris HelwegNato Constitution-  &  Laws. Chris Helweg
Nato Constitution- & Laws. Chris Helweg
 
AI = SE , giip system manage automation with A.I
AI = SE , giip system manage automation with A.IAI = SE , giip system manage automation with A.I
AI = SE , giip system manage automation with A.I
 
Evolving your automation with hybrid workers
Evolving your automation with hybrid workersEvolving your automation with hybrid workers
Evolving your automation with hybrid workers
 
The Loss of HMAS SYDNEY 2: Medical Aspects- Westphalen
The Loss of HMAS SYDNEY 2: Medical Aspects- WestphalenThe Loss of HMAS SYDNEY 2: Medical Aspects- Westphalen
The Loss of HMAS SYDNEY 2: Medical Aspects- Westphalen
 
Emerging Technologies: Heroku for ISVs (October 13, 2014)
Emerging Technologies: Heroku for ISVs (October 13, 2014)Emerging Technologies: Heroku for ISVs (October 13, 2014)
Emerging Technologies: Heroku for ISVs (October 13, 2014)
 
High Availability Architecture for Legacy Stuff - a 10.000 feet overview
High Availability Architecture for Legacy Stuff - a 10.000 feet overviewHigh Availability Architecture for Legacy Stuff - a 10.000 feet overview
High Availability Architecture for Legacy Stuff - a 10.000 feet overview
 
Oracle integration cloud service (ICS) best practices learned from the field ...
Oracle integration cloud service (ICS) best practices learned from the field ...Oracle integration cloud service (ICS) best practices learned from the field ...
Oracle integration cloud service (ICS) best practices learned from the field ...
 
소셜 코딩 GitHub & branch & branch strategy
소셜 코딩 GitHub & branch & branch strategy소셜 코딩 GitHub & branch & branch strategy
소셜 코딩 GitHub & branch & branch strategy
 
Lifehacking met Evernote
Lifehacking met EvernoteLifehacking met Evernote
Lifehacking met Evernote
 
Workshop 2: Building a streaming data platform on AWS
Workshop 2: Building a streaming data platform on AWSWorkshop 2: Building a streaming data platform on AWS
Workshop 2: Building a streaming data platform on AWS
 
Elk Reporting Ii
Elk Reporting IiElk Reporting Ii
Elk Reporting Ii
 
Open Source Monitoring Tools Shootout
Open Source Monitoring Tools ShootoutOpen Source Monitoring Tools Shootout
Open Source Monitoring Tools Shootout
 
Production testing and disaster recovery
Production testing and disaster recoveryProduction testing and disaster recovery
Production testing and disaster recovery
 
Projectmanagement en systemisch werken
Projectmanagement en systemisch werkenProjectmanagement en systemisch werken
Projectmanagement en systemisch werken
 
The Biggest Lies That Digital Marketers Tell Themselves - 3XE Digital
The Biggest Lies That Digital Marketers Tell Themselves - 3XE DigitalThe Biggest Lies That Digital Marketers Tell Themselves - 3XE Digital
The Biggest Lies That Digital Marketers Tell Themselves - 3XE Digital
 
PaaS for Dummies
PaaS for DummiesPaaS for Dummies
PaaS for Dummies
 

Último

Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Victor Rentea
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Angeliki Cooney
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyKhushali Kathiriya
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdfSandro Moreira
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUKSpring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUKJago de Vreede
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024The Digital Insurer
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingEdi Saputra
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...apidays
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodJuan lago vázquez
 
Cyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdfCyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdfOverkill Security
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...apidays
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...Zilliz
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamUiPathCommunity
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 

Último (20)

Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUKSpring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
A No Nonsense Approach to Objectively Evaluating Your Information Security Readiness

Robert C. Covington, togoCIO, 3/19/2015
© 2015, togoCIO. All rights reserved.

CONTENTS

The Problem
  So, Why Worry About It?
  The Case for Taking Action
  How We Approach the Problem
  How Can You Do What We Do?
The Approach
The Checklist
  Security Policy
    1) Does a Written Policy Exist?
    2) Does an Update Process Exist?
    3) Is the Policy Available to Employees?
  Employee Awareness
    4) Is A Security Training Program in Place for All Employees?
    5) Is The Training Program Reviewed and Updated At Least Yearly?
    6) Are New Employees Given Training or Policy Documents When They Start?
  Credential Management
    7) Are Minimum Password Standards Enforced?
    8) Are Regular Password Changes Required?
    9) Is a Formal Offboarding Process in Place?
    10) Is Employee Access Restricted to Only the Information Needed to Do Their Jobs?
  Server Security
    11) Have All Server Default Passwords Been Changed?
    12) Are Server Patches Up to Date?
    13) Are Server Logs Routinely Monitored?
    14) Is Key Server Data Encrypted?
  Workstation Security
    15) Is Anti-Virus Software Installed and Updated on EVERY Workstation?
    16) Is a Patch Management Process in Place?
  Network Security
    17) Is a Firewall in Place with Current Firmware?
    18) Are Firewall Logs Regularly Reviewed?
    19) Is a Regular Penetration Test Performed?
  Wireless Security
    20) Is Your Wireless Network Secured with Appropriate Encryption?
    21) Are Guests Restricted From Accessing Organization Systems?
  Physical Security
    22) Can a Visitor Enter the Building Without Passing Through a Controlled Door?
    23) Are Cameras Used in Key Areas?
    24) Is an Intrusion Alarm System in Place, Using Unique Codes?
    25) Are Confidential Documents Shredded Appropriately?
  Risk Management
    26) Are Regular Backups Performed?
    27) Are Backups Stored Offsite?
    28) Are Backups Regularly Tested?
    29) Does a Bring Your Own Device (BYOD) Policy Exist?
    30) Does a Disaster Recovery Plan Exist?
In Summary
About togoCIO
Table of Authorities
The Problem

Businesses and organizations are under siege today, constantly being attacked by outside actors who attempt to steal information, disable networks, and interrupt business activities. According to the PwC US State of Cybercrime Survey study, in 2014, three in four (77%) respondents admitted having detected a security event in the past 12 months, and more than a third (34%) said the number of security incidents detected increased over the previous year. [1] Small and medium organizations suffer from a disproportionately large per capita impact from such attacks, estimated to be $1,513 versus $517. [2] A major part of the problem relates to their poor adoption of security and risk management practices. A recent McAfee study showed that more than 90% of such organizations did not protect their data. [3]

Why does this lack of security focus happen? According to government experts in the UK, a quarter of small businesses think cyber security is too expensive. At the same time, 20% admit that they don't know where to start. [4] At least somewhat complicit in this problem is the fact that most such organizations don't have in-house staff devoted to information security to warn of the dangers, or to implement controls. In many cases, they don't have in-house technology staff at all.

So, to summarize expert opinion, the primary reasons for lack of information security adoption in small businesses and organizations are:

- Too expensive
- Don't know where to start
- Lack of dedicated technology staff

The purpose of this white paper is to dispel those concerns, and to demonstrate how much of an improvement in information security can be achieved simply with a bit of focus.
Throughout this white paper, we will refer to Small and Medium Organizations as SMOs, which we define as a business or not-for-profit organization with fewer than 100 employees.

So, Why Worry About It?

Statistics can be interesting and informative, but how do the above numbers really impact your SMO? After all, Target, Anthem, Home Depot, etc. all seemed to weather their recent breaches without incident. Target just agreed to settle their outstanding lawsuits for up to $10,000 each, totaling over $10 million. [5] To them, and the other behemoths, this amounts to a drop in the bucket. Can your SMO afford a $10,000/customer settlement? Worse yet, can you afford the loss of customers that would likely occur if you allowed their personal data to be compromised?

The Case for Taking Action

Can you buy and install security products that will eliminate all of your information security risks? In a word, no, at least, not completely. If the large enterprises with huge IT budgets can't, it is unlikely that your SMO can. It seems like a lost cause from the start, and thus, many SMOs just ignore the problem. We in the SMO world have some advantages over the big guys, however:

1. We are small and nimble, adapting quickly to the need for change
2. Our IT infrastructures are simpler and easier to secure
3. We are far less visible to the hacking community

A recent article in Security Week [6] breaks intrusion threats down into three categories:

1. Generic - Opportunistic, non-targeted threats. These are the drive-bys of the hacker world. Hackers are looking to break into something, and happen upon your network.
2. Targeted - These attacks are aimed directly at you for one reason or another. Hackers want something they think you have, and they are after you to get it.
3. Invasive - These attacks are the "in-laws" of the hacking world. They come to stay awhile. They want not only what you have today, but what they think you will have next month. They work to hide the footprints indicating their presence.

Large corporations are the primary victims of Targeted and Invasive attacks. They are well known, very visible, and have many potential points of vulnerability. As noted above, for the SMO world, our lack of visibility is a significant advantage.
We are unlikely targets for Targeted and Invasive attacks. Our primary concern is Generic attacks, and to a much smaller degree, Targeted attacks.
So, in the midst of all of the scary statistics and disturbing news reports, the good news is that we in the SMO world can eliminate much of our risk by following basic security practices. We are not as good a match for a determined and well-funded hacking organization, but they are not very likely to come after us.

Don't underestimate the risk of a generic attack, however. Much of the initial discovery aspect of hacking is done via automation. Hackers write programs to attempt access to IP addresses in sequence, utilizing standard techniques and known vulnerabilities. Any responses are logged, and later used by a human for a more in-depth attack. If you have any doubt, a quick review of your server or firewall log will remove it. A SaaS company for which we managed security was subject to almost continuous probes, primarily from outside the United States.

How We Approach the Problem

In our many years of experience securing SMOs, we have developed a scorecard to aid in the objective evaluation of an organization's security posture. Our Business Security Review service uses this scorecard to provide a quick and affordable analysis of their current exposure. Based on our expertise and years of experience, we can tell fairly quickly whether an SMO has a significant exposure, and just as quickly advise them about the changes they need to make to resolve it. Using this approach, a significant improvement can be achieved in a short time.

Another advantage we have lies in our experience recommending and implementing cost-effective solutions. Fixing the problem does not have to cost a fortune. Many recommended changes don't even involve writing a check.

How Can You Do What We Do?

The good news is that there is nothing magic in what we do for SMOs.
Given our concern for the victims of cybercrime, we willingly share what we have learned with those who want it. Armed with our checklist, along with some objectivity, you can do it for yourself. The purpose of this white paper is to arm you with the criteria you need to make such an evaluation of your own situation. If we have done our job right, you will be able to review your information security (infosec) posture, and have a good idea about where to start in correcting any deficiencies.
Should you do it yourself? In a perfect world, I would say no. You are up against a well-funded and highly trained hacking community, with their own marketplace, tech support organizations, and in some cases, support from foreign powers. It is also hard for you to be completely objective about your own situation. Realistically, however, funds are often tight, and most SMOs have grown up doing for themselves. As such, it is critical that you conduct such an analysis, and doing it yourself is far better than not doing it at all.

The Approach

First, you need to be prepared to forget for a time everything you know, or think you know, about your infosec posture. You must be able to see your situation with the eyes of an outsider. As an example, you may assume that since you pay for 100 copies of anti-virus software, your workstations are protected. To succeed with your analysis, you must be able to forget this, and check your workstations as an outsider with no knowledge of your anti-virus software would. It is not unlikely that you will be surprised at what you find.

Next, you must be able to block out enough time to conduct the review in a reasonable period. Since infosec is not your full-time job, it is easy to get distracted by other business. Such distractions can prevent you from completing the project. Schedule some time, and knock it out quickly.

Third, when you reach your conclusions, act on them! I have worked with many SMOs that have paid consultants to make recommendations, and then put the documents on the shelf, never to be looked at again. Analysis is only half the battle. You must follow through and correct the identified issues.
These changes may seem daunting, but you probably already have an organization or individuals handling information technology functions for you, and they can generally be called upon to implement the changes you decide on. Don't let your lack of hands-on knowledge dissuade you.

It is helpful to document your approach and findings as you go. This helps to make sure you have covered everything, and that all identified issues have been addressed. This process will need to be repeated regularly, and the documentation you create will help you to do it efficiently in the future.
The Checklist

The checklist that follows represents over 20 years of combined infosec experience, primarily focused on the SMO world. It is consistent with most current compliance standards, including PCI, HIPAA, and SOX. The security infrastructure created using this approach has withstood audits by large enterprises, and government and private agencies. Note that what you see below is a slightly simplified version of the one we use in practice.

The checklist that follows is broken down into major areas, and within each area, its significant analysis points. Within a heading, individual points are shown in order of importance, based on our experience. For each point, we attempt to tell you why it is important, and how to correct deficiencies.

One caveat - infosec is a world unto itself, meaning that you could read a 5,000 page manual and still not have all of the information you need. As such, we cannot hope to give the subject complete treatment in a short document. Our intent is to "hit the high points", allowing you to address your major exposures. You need to consider the specific needs dictated by your business and industry, and apply additional standards and objectives as appropriate.

Now, without further interruption, the checklist:

Security Policy

Every organization, regardless of size, needs a written security policy. This is the area where we usually get the most pushback from SMOs. Such organizations often assume that since they are small, this can be accomplished via "oral tradition". This may work for an organization with just a few employees. The problem is that as growth occurs, they never go back and write it all down. The result is a larger number of employees playing by their own rules. An additional justification relates to the supervision of contractors and vendors.
They must play by your rules as well, or you are just as exposed as you would be from an employee's failure to follow policy. Your rules need to be written down and provided to them, so that they know how to conduct business on your behalf. There are many other justifications, including consistency, basis for disciplinary action, awareness, and demonstration of management commitment. [7]

If you don't have such a policy, don't despair. Templates are readily available on the Internet, either free or for a small fee. With a little effort, you can build a policy out of such a template. You can also hire an organization to customize a policy document for you.

1) Does a Written Policy Exist?

This is an easy analysis point. Either it exists, or it doesn't. If not, you need one. The process of producing one is a bit easier than it seems. There are a variety of templates available on the Internet that you can download and modify to meet the requirements of your organization. As an example, Entrepreneur Magazine has a reasonable version. [8]

2) Does an Update Process Exist?

Your business is not static, so your security policy cannot be either. Resolving this can be as easy as making an entry on your calendar every 6 months to review the document, and update it as necessary.

3) Is the Policy Available to Employees?

Your policy accomplishes nothing sitting on your shelf. Make sure your employees have access to it, and read it. Make it available to your vendors as well, and let them know that they are expected to follow it.

Employee Awareness

Many security breaches result from inadvertent failures by employees. The Anthem data breach, which resulted in a huge disclosure of personal information, is believed to have been caused by employees following a counterfeit link to a fake domain in an official-looking email. [9] You cannot assume that your employees know what to do to keep your organization safe. It is essential, through formal training and other practices, to help them understand the risks, and how they can address them. A recent study by Carnegie Mellon University [10] clearly demonstrated a reduction in employees clicking on phishing links after specific training.

4) Is A Security Training Program in Place for All Employees?

This is critical to your infosec program, whether you have 5 employees or 500.
If you don't have such a program, you can find templates online, buy pre-packaged programs, pay someone to handle the training for you, or do train-the-trainer. One example is a complete program, including posters and handouts, available for free from Sophos. [11]

Here are a few training program tips learned from personal experience:

- Make it fun - you can use games, humor, etc. to engage employees
- Make the case - help your employees understand how their participation helps the organization, and how the lack of attention to it increases risk
- Bring food - as Mary Poppins would say, "Just a spoonful of sugar..."
- Door prize - I always bring a door prize as an extra incentive for people to attend

5) Is The Training Program Reviewed and Updated At Least Yearly?

Very simple - we live in a changing world. Your training program must grow and evolve along with your company.

6) Are New Employees Given Training or Policy Documents When They Start?

Don't wait for the next round of training. Hand them your policy document when they start, and put them through your training program as soon as practical.

Credential Management

The lifeblood of any organization is the systems they use. These systems contain the information necessary to run the business and keep track of customers. Such systems are effectively the end game for any hacker. It is essential that you protect and control access to such systems, and restrict employees to only the information they need to do their jobs.

There is a relatively new class of products, called identity management systems, that can help with a number of aspects of credential management. They allow employees to log in to all web-based applications from a central portal. They also support automation of employee onboarding and offboarding, and can help to enforce minimum password standards, as well as grouping employees for access rights. We have been very successful in the use of one such product, Okta. [12]
7) Are Minimum Password Standards Enforced?

I hate password standards as much as anyone, but a good password is essential. According to security organization SplashData [13], the most common password is still "123456". A good hacker always starts with the list of common passwords, and many succeed without employing stronger measures.

8) Are Regular Password Changes Required?

This item is obviously unpleasant, but nonetheless necessary. This requirement should be enforced by your network and applications, where possible.

9) Is a Formal Offboarding Process in Place?

A surprising number of organizations fail to disable system access when an employee leaves the organization. Given the growing number of cloud-based systems in use, it is very easy to miss one when removing access. If, for example, you lose a sales person, their continued access to your CRM system could result in the loss of customers. You need, at a minimum, a checklist of all systems. When someone leaves the organization, disable their access to all systems, and file the checklist in their personnel file.

10) Is Employee Access Restricted to Only the Information Needed to Do Their Jobs?

Don't provide blanket system access to employees. Give them just what they need to do their jobs. We have had an old saying in the infosec world for many years: "stinginess with privilege is kindness in disguise." That could not be more true today.

Server Security

It is especially important to properly secure any servers in use within your SMO. This seems like it goes without saying, but we continue to be amazed at how many poorly secured servers we find. The material in this section applies to cloud-based systems and servers as well.

11) Have All Server Default Passwords Been Changed?

No server should have the original or default passwords. Hackers read the manuals, and they know the defaults. The same applies to passwords for any network devices. In conducting a security analysis for a customer recently, we broke into their wireless network within about 30 seconds because the default password was in use.

12) Are Server Patches Up to Date?

A large percentage of security breaches occur because a hacker who gets into a network is able to access information on a server via known vulnerabilities. HP's recent Cyber Risk Report 2015 [14] showed that most of the vulnerabilities exploited in 2014 were years or even decades old, with patches readily available. Again, this recommendation applies to network devices. In just the past few weeks, D-Link was forced to release patches for various network devices for vulnerabilities rated 10 out of 10 by the United States Computer Emergency Readiness Team (US-CERT). [15] Based on our experience, very few device owners will ever apply these patches.

13) Are Server Logs Routinely Monitored?

In many cases, server logs will show you that hacking attempts are occurring before they succeed. They can also be helpful in identifying server hardware issues before they become serious. Sadly, most such logs never get opened. There are a large number of products on the market to handle log consolidation, and in some cases log analytics. [16] These systems gather entries from logs on various systems, and consolidate them into a single log. This makes log review quicker and easier. In some cases, these packages perform some analytics, allowing them to highlight the entries of particular concern.
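Item 13 here and item 18 (firewall logs) below both make the same point: the log usually shows the attempt before it succeeds, but nobody reads it. As an added illustration that is not from the paper or from togoCIO, the Python below runs the simplest useful review over two constructed excerpts, OpenSSH auth-log lines for the server case and netfilter (iptables) drop lines for the firewall case; the hostnames, addresses (reserved documentation ranges), and thresholds are all assumptions.

```python
import re
from collections import defaultdict

# Constructed OpenSSH auth-log excerpt (not real data). 192.0.2.10 is a
# scripted guessing run that finally gets in as "backup"; 198.51.100.7 is a
# colleague who mistyped a password once and then logged in normally.
AUTH_LOG = """\
Mar 19 02:14:01 srv1 sshd[2101]: Failed password for root from 192.0.2.10 port 51012 ssh2
Mar 19 02:14:03 srv1 sshd[2103]: Failed password for invalid user admin from 192.0.2.10 port 51014 ssh2
Mar 19 02:14:05 srv1 sshd[2105]: Failed password for invalid user oracle from 192.0.2.10 port 51016 ssh2
Mar 19 02:14:07 srv1 sshd[2107]: Failed password for invalid user test from 192.0.2.10 port 51018 ssh2
Mar 19 02:14:09 srv1 sshd[2109]: Failed password for backup from 192.0.2.10 port 51020 ssh2
Mar 19 02:14:11 srv1 sshd[2111]: Failed password for backup from 192.0.2.10 port 51022 ssh2
Mar 19 02:14:13 srv1 sshd[2113]: Accepted password for backup from 192.0.2.10 port 51024 ssh2
Mar 19 08:02:44 srv1 sshd[3300]: Failed password for jsmith from 198.51.100.7 port 40211 ssh2
Mar 19 08:02:51 srv1 sshd[3302]: Accepted password for jsmith from 198.51.100.7 port 40213 ssh2
"""

# Constructed netfilter (iptables LOG target) excerpt with a "DROP " prefix.
# 203.0.113.5 walks a list of common service ports in sequence, which is the
# automated discovery the paper describes; 198.51.100.9 is ordinary noise.
FW_LOG = """\
Mar 19 03:10:00 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.1 PROTO=TCP SPT=44123 DPT=21 SYN
Mar 19 03:10:00 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.1 PROTO=TCP SPT=44124 DPT=22 SYN
Mar 19 03:10:01 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.1 PROTO=TCP SPT=44125 DPT=23 SYN
Mar 19 03:10:01 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.1 PROTO=TCP SPT=44126 DPT=80 SYN
Mar 19 03:10:02 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.1 PROTO=TCP SPT=44127 DPT=443 SYN
Mar 19 03:10:02 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.1 PROTO=TCP SPT=44128 DPT=3389 SYN
Mar 19 03:11:40 fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.1 PROTO=TCP SPT=50200 DPT=443 SYN
Mar 19 03:12:05 fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.1 PROTO=TCP SPT=50201 DPT=443 SYN
"""

# sshd writes "Failed password for [invalid user ]<name> from <ip> port ..."
SSH_EVENT = re.compile(
    r"sshd\[\d+\]: (Failed|Accepted) password for (?:invalid user )?(\S+) "
    r"from (\d{1,3}(?:\.\d{1,3}){3})"
)
# netfilter key=value fields; we only need the source address and dest port.
FW_DROP = re.compile(r"\bSRC=(\d{1,3}(?:\.\d{1,3}){3}) .*?\bDPT=(\d+)")


def parse_auth(text):
    """Yield (outcome, user, source_ip) for every sshd password event."""
    for line in text.splitlines():
        m = SSH_EVENT.search(line)
        if m:
            yield m.group(1), m.group(2), m.group(3)


def flag_password_guessing(text, threshold=5):
    """Sources with at least `threshold` failed logins -> (count, users tried).

    Many failures across several account names from one address is the
    "list of common passwords" approach the paper describes under item 7.
    """
    failures = defaultdict(int)
    users = defaultdict(set)
    for outcome, user, src in parse_auth(text):
        if outcome == "Failed":
            failures[src] += 1
            users[src].add(user)
    return {src: (n, sorted(users[src]))
            for src, n in failures.items() if n >= threshold}


def flag_success_after_failures(text, min_failures=3):
    """Accepted logins from a source that had already failed `min_failures` times.

    Read these first: the attempt the log showed "before it succeeded" has now
    succeeded, so the account and the host need attention today.
    """
    failures = defaultdict(int)
    hits = []
    for outcome, user, src in parse_auth(text):
        if outcome == "Failed":
            failures[src] += 1
        elif failures[src] >= min_failures:
            hits.append((src, user, failures[src]))
    return hits


def flag_port_sweeps(text, min_ports=5):
    """Sources whose dropped packets touched at least `min_ports` distinct ports.

    Repeated hits on one port are background noise; one address probing many
    services is the sequential discovery the paper warns about.
    """
    ports = defaultdict(set)
    for line in text.splitlines():
        m = FW_DROP.search(line)
        if m:
            ports[m.group(1)].add(int(m.group(2)))
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


if __name__ == "__main__":
    print("password guessing:", flag_password_guessing(AUTH_LOG))
    print("success after failures:", flag_success_after_failures(AUTH_LOG))
    print("port sweeps:", flag_port_sweeps(FW_LOG))
```

Thresholds of a handful of events are fine for a weekly manual review; a consolidation product does the same counting continuously and across all hosts.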
One example of log consolidation products is Loggly [17], a cloud-based system with free and purchased versions available.

14) Is Key Server Data Encrypted?

If you store Personal Identifying Information (PII) for customers or employees, it needs to be encrypted, in case the server is compromised. Fortunately, many server operating systems (including Windows) have some encryption capabilities built in. These features just need to be enabled. [18]

Workstation Security

Your PCs connect to your network and systems. A compromised PC can allow a hacker to gain access to everything to which it is connected. Many vulnerabilities result from web sites visited, or files downloaded, making PCs the front line of your cyber war battle.

15) Is Anti-Virus Software Installed and Updated on EVERY Workstation?

This seems obvious, but is overlooked with surprising frequency. Don't forget that even if a PC came with such protection, it usually expires after some number of months, and must be renewed. According to a recent article by Tom's Guide [19], expired anti-virus software is no better than none at all. Buy a uniform package for all of your PCs, and make sure it stays deployed on all PCs. For small organizations, Microsoft allows their Security Essentials product to be used without charge for up to 10 workstations. [20]

16) Is a Patch Management Process in Place?

New vulnerabilities are found in operating systems and software every week. Even Apple, once considered immune to such issues, is now releasing frequent patches. It is essential that each PC on your network have patches applied as they are released. Some process must exist to check them periodically to ensure this is happening. If this seems like a daunting process, you will be relieved to know that a variety of products exist to simplify it. As an example, ManageEngine offers such a product with additional asset management features, which is free for up to 25 workstations. [21] Dell offers an express version of their excellent KACE asset management product as a free download. [22]

Network Security

You probably don't leave the front door to your house unlocked, and neither should you fail to give proper attention to the security of your network, which is the front door to your business technology. This is arguably the easiest part of this checklist to address, because of the robust set of products available to do it.
17) Is a Firewall in Place with Current Firmware?

If I were only able to make one recommendation, it would be to install and maintain a good firewall. This device provides strong protection for your network, filtering outside attacks, and in many cases blocking infected files and sites your employees attempt to access. Do NOT rely on the router provided by your Internet Service Provider. In a recent blog post, we pointed out that Comcast for some time has been allowing public access to private customer routers. [23] Also, do NOT go to the office supply store and buy the cheapest thing they have. This is the place to spend a major part of your technology budget. While there are many good products on the market, we have had good experience with the Dell SonicWall line of firewalls for the SMO market (full disclosure - we do NOT sell products, so we have no economic bias in our recommendations). Fortinet also makes a good firewall series.

Just as you must change the oil in your car, you must keep your firewall firmware up to date. Most firewall products can automatically download new threat signatures, but firmware must normally be applied manually. Add this to your calendar as an item to be regularly checked.

18) Are Firewall Logs Regularly Reviewed?

Firewall logging can be your attack early warning system. If you keep an eye on these logs, you will know if attempts are made to attack your network. Again, there are numerous products and services available to help simplify this process. We break out firewall logging as a separate item because of its criticality. Many of the products that perform log consolidation will incorporate firewall logs as well. See the commentary on item 13 for more information.

19) Is a Regular Penetration Test Performed?

Despite your best efforts, your network may inadvertently be exposed to outside attack. The only way to know for sure is to perform a penetration test, which is an intentional attempt to break into your network, thereby identifying any vulnerabilities. Such checks are a basic element of the major compliance standards, including HIPAA and PCI. A variety of organizations offer this as a service. There are also online tools to help with this. One of my favorites is Pentest-Tools, which offers some basic checks without charge. [24] While we like the self-service tools for quick, frequent checks, there is no substitute for periodic professional checks.

Wireless Security

A wireless network can unintentionally be an invitation to the world to come on in, probably not the message you intended to send when you set it up. A wireless network can leave you very vulnerable, since it is readily accessible from outside of your physical walls. It is essential to use a secure encryption standard and a strong access password.

20) Is Your Wireless Network Secured with Appropriate Encryption?

A system known as WEP was a common wireless standard for some time, and can still be found in use today. Sadly, it is an easily breached system. In fact, you can readily find software online which can determine a WEP key. It is essential that you use WPA2 or better encryption, with a strong password. This may seem obvious, but don't post the password in your facility. One major wireless router manufacturer generates a random default password for their units (a good thing), and puts it on a label on the outside of the unit. We found one customer recently who still had the label on the unit, for all visitors to see.

21) Are Guests Restricted From Accessing Organization Systems?

If you allow visitors to access your wireless network, they need to be restricted to accessing only the Internet. A rogue visitor with your primary wireless password can continue to access your network after they walk out the front door, and can use this to attack your systems. Many wireless access points have the ability to provide restricted guest services. These features just need to be enabled.

Physical Security

With all of our focus on infosec, it is easy to overlook basic physical security. Someone gaining access to your office can easily bypass just about any infosec control you put in place. A stolen laptop, server, or removable disk can provide a wealth of saleable information to a hacker.
22) Can a Visitor Enter the Building Without Passing Through a Controlled Door?

An unlocked door should have some form of entry control, be it a receptionist (at a minimum), or badge or key access required beyond the lobby (preferred). Years ago, a law office where my mom was employed was robbed using a simple tactic. One thief distracted the receptionist, and the other went through an open door, took items of value, and left unseen. Sadly, this approach is still common today.

23) Are Cameras Used in Key Areas?

Cameras are an inexpensive approach to monitoring your doors and other key areas. They can be useful in preventing intrusions, and allow you to get details on an incident that occurred. They are somewhat unique, in that they function as deterrent, preventative, and detective controls, all at the same time. Quite a bargain!

24) Is an Intrusion Alarm System in Place, Using Unique Codes?

This seems obvious, but it is overlooked by more organizations than you might guess. In many cases, those who have one use a common code for everyone. Unless you are religious about changing the code when someone leaves, you are at risk. Systems with unique codes usually cost little, if anything, more than a regular alarm system. Invest in such a system, and remove individual codes as soon as an employee leaves. This also allows you to use a unique code for cleaning personnel, and other contractors.

25) Are Confidential Documents Shredded Appropriately?

Your organization needs to have a policy in place defining which documents are confidential, and must be disposed of appropriately. Such documents must be shredded. At a minimum, a cross-cut shredder is required, as a regular shredder does not sufficiently destroy documents. We recommend a shredding company that destroys documents while at your site.
Some years ago, a major Atlanta-based document destruction company with a state contract to destroy driver's licenses was found to be "losing" licenses on
their way back to the shredding facility. If you watch your documents being destroyed, there is no such danger. The National Association for Information Destruction (NAID) is a good resource for finding a vendor. They have a certification program for destruction vendors, requiring that they meet certain standards. [25]

Risk Management

This category involves efforts to keep your organization operating, and to restore operations in the case of an event. This is likely the most overlooked category for SMOs.

26) Are Regular Backups Performed?

Backing up servers (local and cloud-based), PCs, and any other devices with important company data is essential to being able to recover from a device failure, fire, etc. Many organizations fail to address this requirement for servers, let alone PCs and mobile devices.

27) Are Backups Stored Offsite?

For backups made via magnetic tape, CD/DVD, or removable disk, it is important that they be stored outside of the primary facility. If they remain onsite and the primary facility is damaged or destroyed, you risk losing your systems and the backups. This can be as simple as an organization official taking them home, or can involve a service that stores your media at a protected site. If they are taken home, we recommend this be done by a company executive, and not an IT staff member. Depending on your particular situation, cloud-based backup services can be a good option, since they solve the offsite storage problem by default. They do add some data security exposures, so careful vendor selection is important.

28) Are Backups Regularly Tested?

Unfortunately, ignorance is not bliss in the risk management world. You may think your backups are fine, when in fact they may be unusable.
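A restore test of the kind this item calls for, written as an added example that is not part of the togoCIO paper: it backs up a constructed sample directory with tar, restores it into a scratch directory, compares per-file checksums against a manifest taken at backup time, and then shows the same check rejecting a backup that silently skipped a file. All paths and file names are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the togoCIO paper): a repeatable restore test for a
# tar-based file backup. Sample data is constructed so the script runs
# stand-alone; in practice make_backup/verify_restore take real paths.
# Caveat: the manifest is built with cksum via xargs, so no whitespace in names.
set -eu
# Constructed sample data standing in for a server's document tree.
make_sample_data() {
  mkdir -p "$1/records"
  printf 'customer,balance\nacme,100\n' > "$1/records/ledger.csv"
  printf 'backup policy v1\n' > "$1/policy.txt"
}

# Emit a checksum manifest of every file under $1 (relative paths, sorted).
checksum_tree() {
  ( cd "$1" && find . -type f | sort | xargs cksum )
}

# Back up $src into $archive and record the manifest the restore must match.
make_backup() {
  src="$1"; archive="$2"; manifest="$3"
  checksum_tree "$src" > "$manifest"
  tar -C "$src" -cf "$archive" .
}

# Restore $archive into an empty scratch directory and compare checksums.
# Returns 0 only when every file is present and byte-identical.
verify_restore() {
  archive="$1"; manifest="$2"; scratch="$3"
  rm -rf "$scratch"; mkdir -p "$scratch"
  tar -C "$scratch" -xf "$archive"
  checksum_tree "$scratch" > "$scratch.actual"
  if cmp -s "$manifest" "$scratch.actual"; then
    echo "restore OK: $archive"
  else
    echo "restore FAILED: $archive"; diff "$manifest" "$scratch.actual" || true
    return 1
  fi
}

# Demo: a good backup passes; a backup job that silently skipped a file (one
# way a backup you "think is fine" turns out unusable) is caught.
restore_test_demo() {
  work=$(mktemp -d)
  make_sample_data "$work/src"
  make_backup "$work/src" "$work/good.tar" "$work/manifest.txt"
  verify_restore "$work/good.tar" "$work/manifest.txt" "$work/restore1" || return 1
  cp -R "$work/src" "$work/partial"; rm "$work/partial/records/ledger.csv"
  tar -C "$work/partial" -cf "$work/bad.tar" .
  if verify_restore "$work/bad.tar" "$work/manifest.txt" "$work/restore2"; then
    return 1   # a damaged backup must not pass
  fi
  rm -rf "$work"; echo "demo complete"
}
```

Run `restore_test_demo` from a scheduled job and alert on a non-zero exit; the manifest must be taken from the live source at backup time, never regenerated from the restored copy.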
Unusable backups are particularly likely for those still using magnetic tape as a backup medium, because such media has a definite shelf life. The lifespan of a magnetic tape is significantly affected by handling and environmental conditions. If you continue to use this medium, we recommend that you review the Council on Library and Information Resources care and handling
guidelines. [26] It is important to regularly attempt a file restore from whatever media or service is used.

29) Does a Bring Your Own Device (BYOD) Policy Exist?

With the widespread presence of smart phones and tablets, employees in many cases use their personal devices to perform activities on behalf of the organization. This can be an advantage, as it can make the employee more efficient, and extend their work hours. The use of such devices poses significant risks however, particularly if such devices hold confidential data or passwords, or are used to connect to company systems. As an example of the exposure, IBM in a recent study [27] found that over 60% of Android dating apps were vulnerable to cyber attack, and 50% of enterprises reviewed had such apps on employee devices, co-existing with confidential company data. It is important that you define for employees what they can and cannot do in terms of using their devices for company work, requiring anti-malware software, data encryption, etc. The use of a mobile device containing company information on a public network is a significant and growing threat. Most mobile users access a public network regularly, and their devices often connect to such a network without them even realizing it. These networks are easily spoofed and compromised by people with readily available hardware and software. [28] Your policy needs to fully address this risk. As with the Security Policy, free BYOD templates are readily available. One example is published by the Society for Human Resource Management. [29]

30) Does a Disaster Recovery Plan Exist?

Few SMOs have done any significant disaster recovery planning.
It is important however for any organization, regardless of size, to do some planning about how they would respond to a disaster, such as a building fire or flood, loss of a key server, phone system failure, data breach, etc. This does not have to be highly formal, but needs to be defined and documented in some fashion before it happens. [30] [31] As an example, many organizations now use cloud-based systems almost exclusively. In these instances, an
Internet failure is a potentially crippling event, which must be accounted for. Internet redundancy is practically possible, and needs to be strongly considered in these instances.

In Summary

Organizational exposures are often overlooked, and frequently at the bottom of the list for resolution. The intent of this white paper is to highlight these exposures, demonstrate the risks related to a failure to address them, and provide summary guidance on how to address them. It is impossible in a short document to completely cover this complex topic. Instead, our goal has been to discuss those that are common, critical, and reasonably easy to address. It is our belief and experience that such issues can be addressed and resolved by personnel within an SMO, with a bit of focus and effort. There are numerous exposures however that cannot be covered in this document, many of which are unique to industries and organizations. As such, once the potential exposures in this white paper are addressed, we recommend that a professional be used to evaluate potential additional exposures, and recommend approaches to remediate any found. Additionally, while you may be completely satisfied with your current IT personnel or service provider, we recommend against having them conduct such an analysis. It is generally difficult for such people to be completely objective in evaluating the systems and policies they themselves maintain. We welcome your comments and suggestions.
About togoCIO

togoCIO represents over 30 years of IT, risk management, and security experience, primarily focused on the SMO world. Small businesses and organizations are at a major disadvantage in today's business world. Technology is critical to success, and grows increasingly complex every day. At the same time, such organizations rarely have access to the experienced staff needed to help them make good and cost-effective technology decisions. Our vision is to help such organizations achieve a high standard of technology operations, including:

• A secure network, with properly protected customer data and intellectual property
• An efficient operation, with the best possible combination of hardware and software products, backed up by documented procedures
• A low risk organization, prepared for a variety of challenges and risks
• A compliant organization, not only meeting regulatory requirements, but doing so in a documented fashion

Our services include:

• Technology Evaluation and Recommendations
• Fractional CIO and CISO Services
• Security and Compliance Evaluation, and Staff Security Training
• Policy and Procedure Development
• Disaster Recovery Planning
• Data Center Design and Construction Management
• Assistance with IT Staff Selection
• Asset Management
• Firewall and Intrusion Prevention, Deployment, and Monitoring

We work with your team or service provider to implement specific recommendations, or bring in one of our partners, as you prefer.
THANK YOU.

FOR MORE INFORMATION CONTACT:
Robert C. Covington
President, togoCIO
The Missing Piece to Your IT Puzzle
www.togocio.com
rcovington@togocio.com
678-341-3630 (voice)
678-907-9720 (cell)
678-261-0923 (fax)
Table of Authorities

[1] PwC, "About the 2014 US State of Cybercrime Survey", June 2014, http://www.pwc.com/en_US/us/increasing-it-effectiveness/publications/assets/2014-us-state-of-cybercrime.pdf
[2] Ponemon Institute, "2014 Cost of Cyber Crime Study: United States", Hewlett-Packard, October 9, 2014, https://ssl.www8.hp.com/us/en/ssl/leadgen/document_download.html?objid=4AA5-5208ENW
[3] Pando.com, "Big companies like Target aren't the only ones leaving customer information vulnerable to thieves", January 22, 2015, http://pando.com/2015/01/22/big-companies-like-target-arent-the-only-ones-leaving-customer-information-vulnerable-to-thieves/
[4] The Telegraph, "SMEs failing to guard against cyber attacks, Government warns", February 24, 2015, http://www.telegraph.co.uk/finance/businessclub/11430701/SMEs-failing-to-guard-against-cyber-attacks-Government-warns.html
[5] Reuters, "Target agrees to pay $10 million to settle lawsuit from data breach", March 19, 2015, http://www.reuters.com/article/2015/03/19/us-target-settlement-idUSKBN0MF04K20150319
[6] SECURITYWEEK, "Security, Know Thine Enemy", March 10, 2015, http://www.securityweek.com/security-know-thine-enemy
[7] Tripwire, "Corporate Security Policies: Their Effect on Security, and the Real Reason to Have Them", March 18, 2015, http://www.tripwire.com/state-of-security/security-awareness/corporate-security-policies-their-effect-security/
[8] Entrepreneur, http://www.entrepreneur.com/formnet/form/731
[9] PC World, "Premera, Anthem data breaches linked by similar hacking tactics", March 17, 2015, http://www.pcworld.com/article/2898612/premera-anthem-data-breaches-linked-by-similar-hacking-tactics.html
[10] Cranor, Lorrie, et al., "Who Falls for Phish? A Demographic Analysis of Phishing Susceptibility and Effectiveness of Interventions",
http://lorrie.cranor.org/pubs/pap1162-sheng.pdf
[11] Sophos, http://www.sophos.com/en-us/security-news-trends/it-security-dos-and-donts.aspx
[12] Okta, https://www.okta.com/
[13] SplashData, "'Password' unseated by '123456' on SplashData's annual 'Worst Passwords' list", http://splashdata.com/press/worstpasswords2013.htm
[14] welivesecurity, "Top 10 breaches of 2014 attacked 'old vulnerabilities', says HP", February 25, 2015, http://www.welivesecurity.com/2015/02/25/top-10-breaches-2014-attacked-old-vulnerabilities-says-hp/
[15] Softpedia, "D-Link Patches Against Critical Remote Command and Code Execution Flaws", March 17, 2015, http://news.softpedia.com/news/D-Link-Patches-Against-Critical-Remote-Command-and-Code-Execution-Flaws-475976.shtml
[16] ProfitBricks, "Top 47 Log Management Tools", May 19, 2014, https://blog.profitbricks.com/top-47-log-management-tools/
[17] loggly, https://www.loggly.com/
[18] Microsoft, "BitLocker: How to deploy on Windows Server 2012", August 30, 2012, https://technet.microsoft.com/en-us/library/jj612864.aspx
[19] tom's GUIDE, "Expired Antivirus Protection Just as Bad as None", November 18, 2015, http://www.tomsguide.com/us/danger-stale-av-software,news-19928.html
[20] Microsoft, http://windows.microsoft.com/en-us/windows/security-essentials-download
[21] ManageEngine, https://www.manageengine.com/products/desktop-central/windows-patch-management.html
[22] Dell KACE Express, http://www.kace.com/k1express
[23] Covington, Robert, "Is Comcast Inviting the Public Into Your Home or Office?", September 24, 2014, http://www.togocio.com/#!Is-Comcast-Inviting-the-Public-Into-Your-Home-or-Office/c1eet/55BCE452-1A25-48B9-BB0F-E36FA149DCE5
[24] Pentest-Tools, https://pentest-tools.com
[25] National Association for Information Destruction (NAID), http://www.naidonline.org/nitl/en/
[26] Council on Library and Information Resources, "How Can You Prevent Magnetic Tape from Degrading Prematurely?", June 1995, http://www.clir.org/pubs/reports/pub54/5premature_degrade.html
[27] Security Intelligence, "A Perfect Match: Uniting Mobile Security With Your Employees' Use of Online Dating Apps", February 11, 2015, http://securityintelligence.com/datingapps/#.VQx7vU10xet
[28] De Correspondent, "Maybe Better If You Don't Read This Story on Public WiFi", October 14, 2014, https://medium.com/matter/heres-why-public-wifi-is-a-public-health-hazard-dd5b8dcb55e6?linkId=13028935
[29] Society for Human Resource Management, http://www.shrm.org/templatestools/samples/policies/pages/bringyourowndevicepolicy.aspx
[30] Covington, Robert, "Disaster Recovery for the SMB", December 30, 2014, http://www.togocio.com/#!Disaster-Recovery-for-the-SMB/c1eet/7FD1F3D6-E483-4747-A90D-EA785107CE5E
[31] Covington, Robert, "Disaster Recovery for the SMB - 7 Steps to Better Sleep", January 6, 2015, http://www.togocio.com/#!Disaster-Recovery-for-the-SMB-7-Steps-to-Better-Sleep/c1eet/94B1DC7E-0735-4440-A6E7-13E9DD4054CA