Unit V Cyber Security-1

UNIT V

Cyber security Management, Compliance and Governance:


Cybersecurity Management Definition
Cybersecurity management refers to an organization's strategic efforts to safeguard information
resources. It focuses on the ways businesses leverage their security assets, including software and
IT security solutions, to safeguard business systems.
These resources are increasingly vulnerable to internal and external security threats such as
industrial espionage, theft, fraud, and sabotage. Cybersecurity management must employ a variety
of administrative, legal, technological, procedural, and employee practices to reduce organizations’
risk exposure.
Importance of Risk Management in Cybersecurity
Cybersecurity is crucial to operational processes because it guards against the theft and destruction
of data and IT systems, including personally identifiable information (PII), protected health
information (PHI), personal data, data pertaining to intellectual property, and information systems.
Your company cannot protect itself from data breaches without a cybersecurity strategy. In the
absence of effective cybersecurity management practices, your organization becomes a prime target
for cyber criminals.
Framework of Cybersecurity Management
While a commonly accepted framework for cybersecurity has not been established, there are some
guiding principles, precautions, and technologies that many organizations have chosen to adopt,
including:
• Open Web Application Security Project (OWASP) Top 10
• National Institute of Standards and Technology (NIST) program
• International Organization for Standardization (ISO) 27000 series
These serve as the de facto frameworks for cybersecurity management, and they outline techniques
and standards for protecting digital assets.
Cybersecurity Management Benefits
An effective cybersecurity management policy takes into account the risks that exist for an
organization's resources. Those that administer the program formalize processes and procedures.
Once vulnerabilities are found, the management policy will outline solutions to stop malicious code
from infiltrating the organization's perimeter defense systems, servers, and desktops. It also
describes how to deploy mitigation measures and who is in charge in the event of a breach.
A cybersecurity management program provides an organization with critical services, such as:
1. Designing and implementing an efficient enterprise security architecture
2. Mitigating advanced threats
3. Securing Internet-of-Things (IoT) devices
4. Identity and access management (IAM)
5. Providing security intelligence
Some external cybersecurity management services also provide IT security consulting to help
companies craft the best strategies to protect their environments now and in the future.
Difference Between Cybersecurity and Cybersecurity Management
What is cybersecurity management? A cybersecurity management system is different from
cybersecurity itself. Cybersecurity management focuses on ways to organize security assets, people,
and processes, while cybersecurity is a general label for protecting an organization’s digital
infrastructure.
In this cybersecurity management definition, the act of managing cybersecurity involves both
technical strategy and shaping company culture.
6 Best Practices in Cybersecurity Management
Here are six tried-and-tested best practices for cybersecurity management.
1. Understand Your IT Assets and Environment
Effective cybersecurity management requires in-depth knowledge of the IT environments and
resources within your firm, including all data and other digital assets, BYOD devices, systems,
networks, third-party services, technologies, endpoints, and other relevant items.
Awareness of all the elements of your IT landscape is critical, especially because each facet of your
network can be used to penetrate your system. Also, it is imperative that you assess your assets and
monitor your IT environment continuously.
2. Deploy a Risk Management Strategy
Managing risk without a well-thought-out and effective cybersecurity risk management strategy is
counterproductive. Organizations must create sound strategies and plans to keep them up-to-date.
Prior to planning, determine your level of risk tolerance and then create a risk profile. Include roles
for all employees and key stakeholders, incident response and escalation strategies, and other
relevant information.
3. Make Cybersecurity Risk Management an Element of Company Culture
Even well-crafted cybersecurity risk management policies and processes are useless if they are not
properly implemented throughout the firm. So make sure to convey your ideas, plans, and
procedures to all parties involved. Integrate cybersecurity risk management within the values and
culture of the company. Each party involved in managing cyber threats needs to be aware of,
understand, and embrace their responsibilities.
4. Use Continuous, Adaptive, and Actionable Risk Assessments
Risk identification and assessment are two of the most crucial components of risk management.
Risks associated with cybersecurity are always changing. A change in company procedures or the
introduction of new technologies, for example, can change your risks significantly. As a result, the
organization's general risk assessment has to be adjusted. To ensure effective security, your
procedures must be continuously assessed for deficiencies—and improved.
Risk assessments are also critical because they provide the business with information about where
vulnerabilities currently exist, as well as which threats are on the horizon.
5. Implement Strict Security Protocols
Effective risk mitigation requires a security system that is both comprehensive and user-friendly.
Here are a few techniques:
1. Use a web application firewall (WAF) managed and situated at the network's edge to keep track of
traffic, offer immediate and actionable information, and continuously protect against known and
unknown threats.
2. Extend security to BYOD devices and all other hardware in your IT environment.
3. Implement stringent security procedures for remote employees.
4. When possible, use automatic patching to keep all security systems up-to-date.
5. Implement stringent access controls and authentication policies.
6. Consolidate systems and data whenever possible. Data that is segregated and dispersed is more
difficult to manage and secure.
7. Set up a consistent, reliable backup system.
6. Enhance Visibility into Your Network
Visibility into all areas of your network is critical to preventing and mitigating cybersecurity
incidents. Factors like insider threats, third-party components with built-in vulnerabilities, and
human error can endanger your environment. Real-time and trustworthy visibility into your
organization's risk profile is essential.
Cybersecurity Governance
Cybersecurity governance refers to the overall management and oversight of an
organization’s cybersecurity program. It involves setting policies, standards, and procedures for
protecting sensitive information and systems from unauthorized access, use, disclosure, disruption,
modification, or destruction.
The main goal of cybersecurity governance is to ensure the protection of an organization’s
sensitive information and systems while maintaining the availability, integrity, and confidentiality
of data. This is achieved through the implementation of a comprehensive set of security controls,
including technical, administrative, and physical controls, incident management procedures, and
security awareness training.
Cybersecurity governance also involves creating an organizational structure that clearly
defines roles and responsibilities for managing and implementing security controls, as well as
establishing a governance framework that aligns with the overall strategic objectives of the
organization. This framework should be regularly reviewed and updated to ensure that it remains
aligned with the current security threats and regulatory requirements.
Cybersecurity governance also involves oversight of compliance with the laws, regulations,
and standards that apply to the organization, and the communication of the cybersecurity program
with the organization’s board of directors and senior management.
Overall, Cybersecurity governance is critical to help organizations effectively manage the
risks associated with the use of technology and to ensure that they are able to protect sensitive
information, maintain business continuity, and comply with legal and regulatory requirements.
Seven principles for governance of cyber security risk

In order to assist boards and investors, I propose seven principles for boards to adopt for the
governance of cyber security. Consideration of these principles would enable boards to:
• Structure their governance of cyber security risk;
• Debate and make the tough decisions required (both by management and boards) to build an
adequate response to cyber security threats;
• Challenge themselves and their executive management as to whether their response is
adequate and evolving sufficiently rapidly as the risk develops;
• Structure a discussion with investors as to the appropriateness of their management of cyber
security risk;
• Engage with investors to help them compare and contrast differing approaches to the
management of cyber security risk, and
• Facilitate a discussion as to what would be appropriate for companies to report publicly
with regard to cyber security.

1. Real understanding of exposure

Many organisations fail to understand properly why they might be targeted, what might make them
vulnerable, and how a successful attack might impact them.
The understanding needs to extend beyond the enterprise. It must reflect relationships that could
make them a target and the complexity of digital connections that could cause them to be
vulnerable: suppliers, service providers, partners, cloud services, critical data feeds, staff and
customers to name a few. It must also reflect what data the organisation manages, why and where.
Building this understanding, and ensuring it stays current, is critical to ensuring that the response to
the risk is adequate.
2. Appropriate capability and resource
Effective cyber security requires capable, skilled resources that are empowered and funded to shape
an organisation to be secure. Boards need to be confident in the capability of their security function
and its leadership, their ability to drive a broad response to cyber security across the whole
enterprise, and rapid access to wider capability when required. Effective executive ownership is
critical, with the CEO taking an active role.
For boards to be effective in this area, they themselves require sufficient capability to probe,
challenge and support management. Board-level time needs to be devoted to drilling into detail,
since that is where significant issues can lie. Capable non-executives are required, potentially
supported by a board sub-committee with additional expertise.
3. Holistic framework and approach
A holistic approach to managing cyber security needs to not just build and operate effective cyber
security controls. It must also reduce the complexity of the technology and data estate to which
those controls are applied (inside and outside the organisation); address process and cultural/human
vulnerabilities that attackers are increasingly targeting, and embed cyber security consideration in
all business decision making.
Process vulnerabilities are often overlooked but are common targets. Examples include weak
registration processes to online services or distributing sensitive data to an inappropriate third party
for processing. A simple, but often exploited human vulnerability is poor password management,
such as reuse of credentials across applications.
Recognised frameworks, such as those published by the US National Institute of Standards and
Technology (NIST) and the International Organization for Standardization (ISO) can help define
required cyber security controls, but taking a broader approach is critical. Meaningful measurement
is crucial, not just of controls but also extent of exposure.
4. Independent review and test
As with other significant issues, boards require independent validation and testing of their believed
cyber security posture. This is achievable through independent expert review of cyber security
frameworks and approaches, and even certifications of specific elements.
Strength of individual critical controls and systems needs to be tested and techniques such as ‘red
team testing’ by skilled penetration testers can assess effectiveness of overall response to specific
likely attack techniques (but only at a point in time). The speed with which issues identified
through independent review and test are resolved should be measured.
5. Incident preparedness and track record
Cyber security incidents are inevitable. Governance of cyber security risk is important but effective
governance when the risk materialises is critical.
Ensuring that focussed, practiced plans exist to respond to, and recover from, the most likely
scenarios is essential. These need to consider not just technical resolution, but also business
management, reputation management and management of legal and regulatory risk. Incidents need
to be tracked, accurately reported, and lessons learnt.
In addition, organisations need to be able to respond appropriately to the reporting of vulnerabilities
that could make products, services or internal processes vulnerable to attack.
The approach to incidents and vulnerabilities needs to be considered through suppliers and service
providers, and not just within the ‘perimeter’ of the organisation itself. Exercising response at all
levels is crucial, including the executive committee and board.
6. Considered approach to legal and regulatory environment
Cyber security cuts across an increasingly complex legal and regulatory environment globally.
Industry regulation, data protection regimes, national security legislation, reporting requirements
and product liability are a few examples of legal and regulatory environments that need to be
understood, and a considered global response developed and maintained.
7. Active community contribution
No organisation can protect itself in isolation. Attackers commonly breach one organisation in
order to target another, and replicate successful attack techniques rapidly. Thus collaboration is
essential: between organisations within industries; through supply chains; between public and
private sectors; between companies and law enforcement/intelligence agencies, and even with
customers.

Cybersecurity Compliance
Cybersecurity compliance refers to the process of adhering to a set of rules and regulations
related to protecting sensitive information and systems from unauthorized access, use, disclosure,
disruption, modification, or destruction. This can include compliance with laws, industry standards,
and regulations related to data privacy, data security, and incident reporting.
Examples of regulations and standards include:
• The General Data Protection Regulation (GDPR) in the European Union
• The Health Insurance Portability and Accountability Act (HIPAA) in the United States
• Payment Card Industry Data Security Standards (PCI DSS) for businesses that accept credit card
payments
• The Federal Risk and Authorization Management Program (FedRAMP) in the United States
Cybersecurity compliance also includes regular audits, testing, and certifications to ensure that
an organization’s security controls are in place and functioning as intended. Compliance teams are
responsible for ensuring that the organization is following the relevant regulations and standards
and may also be responsible for creating and updating policies and procedures to meet the
requirements of these regulations.
Being compliant with these regulations is not only important for legal reasons, but also to
demonstrate that the organization has taken the necessary steps to protect its assets, clients, and
partners’ sensitive data, and to avoid reputational damage.
What is Cyber Security Compliance? With Examples
Cyber security compliance is all about ensuring that companies adhere to all the important
regulatory requirements and follow national and state-level cyber laws to protect sensitive
information. In simple terms, cybersecurity compliance is a risk management method that is
aligned with pre-defined security measures and controls to protect data confidentiality.
Organizations have to implement a systematic risk governance approach that combines the
requirements of the respective authorities, industry-relevant bodies, and laws to meet their data
management obligations.
An information security management system that adheres to the regulatory requirements guides
companies on the precautionary measures that should be followed to minimize the possibility
of a breach.
Additionally, IT security compliance helps in monitoring and assessing whether devices,
systems, and networks adhere to the regulatory compliance requirements.
Why Do You Need Cybersecurity Compliance?
Cyber attacks and data leakages can have a huge impact on organizations, so the quality of a
business's cyber security defences defines its level of safety. Businesses should adhere to cyber
security rules and requirements and train their employees accordingly.
This compliance not only helps businesses in sticking to regulations but also allows for security
management services. Here are a few other reasons why you need cybersecurity compliance:
1. Regulatory penalties avoidance
Organizations could face serious fines and penalties for not complying with security
regulations. Establishing cyber security plans that follow the regulations minimizes the
possibility of a breach.
2. Risk management system
Cyber security compliance is a risk management system that allows data protection, activity
monitoring, the safety of network infrastructure, and security policies for authorization. These
security regulations provide a set of requirements for collecting, storing, managing, and sharing
sensitive data.
Types of Data Subject to Cybersecurity Compliance
Cyber security and data protection laws mainly focus on protecting sensitive data like protected
health information (PHI), personally identifiable information (PII), and financial information.
1. Personally Identifiable Information
Personally identifiable information is data that can be used to identify an individual. It
may include direct identifiers that establish the person's unique identity, race, and other
factors.
Takeaways:
• PII is data used to identify an individual
• PII includes full name, driver's license, financial information, and medical records.
• Non-sensitive personal information, such as gender, zip code, and date of birth, is easily
accessible from public sources.
2. Personal Health Information (PHI)
Personal health information includes the data that is used to identify someone's details regarding
their treatment or health history:
• Record of information
• Medical record
• Information about medical appointments
• Prescription records
• Insurance records
3. Financial Data
Financial data includes information about credit card numbers, payment methods, and other
details that could be used to steal someone's identity. Sensitive data includes:
• Social security numbers
• Credit card number
• Bank account number
• Credit history and credit ratings
Some other sensitive data that are subject to state, regional, and industry regulations include:
• Email addresses, passwords, usernames
• IP Addresses
• Authenticators include biometrics like voice prints, facial recognition data, and fingerprints.
• Race
• Religion
Significance of Cybersecurity Compliance
It is important to know that cyber security compliance is not just a collection of mandatory
requirements. Instead, it shapes the consequences that determine the overall success of your
business.
This compliance is especially important for small enterprises, which are prime victims of cyber
criminals. Consider the figures from the 2020 Data Breach Investigations Report:
• Around 45% of breaches involved hacking
• 22% of breaches involved social engineering
• 28% of breaches involved small businesses
• 70% of breaches were perpetrated by outsiders
Cybersecurity Compliance Framework
Let's have a look at the cybersecurity compliance framework:
1. NIST Cybersecurity Framework
The National Institute of Standards and Technology (NIST) is a non-regulatory agency of the
United States Department of Commerce; its Cybersecurity Framework was first published in 2014.
Originally designed for private organizations in the United States, the NIST framework is one of
the most widely applied cyber security frameworks for organizations building a cyber security
program. It works around five functions:
• Protect
• Detect
• Identify
• Respond
• Recover
2. COBIT
Control Objectives for Information and Related Technologies (COBIT) is a cyber security
framework created by ISACA for IT management and governance. It is a highly process-oriented
framework: COBIT creates links between business and IT goals and distributes responsibilities
between IT and the business. COBIT follows five process domains:
• Evaluate, Direct, and Monitor (EDM)
• Align, Plan and Organize (APO)
• Build, Acquire and Implement (BAI)
• Deliver, Service, and Support (DSS)
• Monitor, Evaluate, and Assess (MEA)
COBIT is also designed to cater to three objectives, viz. increased agility, increased earning
potential, and legal compliance.
3. IASME Governance
Created by the Information Assurance for Small and Medium Enterprises (IASME) Consortium,
this governance standard was made to be an affordable and accessible alternative to the ISO/IEC
27001 standard.
IASME is unique because it is a partnership between British academics and small and medium
enterprises (SMEs) and is made to meet the cyber security needs of small businesses.
IASME also covers risk management, malware protection, vulnerability scanning, incident
management, firewalls, business continuity, and more.
4. TC Cyber
The Technical Committee Cyber (TC Cyber) is one of the many technical groups that operate under
the European Telecommunications Standards Institute (ETSI). It focuses on cyber security and
compliance strategy, which has led the organization to work on different aspects of security
with different sets of standards. The TC Cyber work is split into nine areas, including:
• Protection of personal data and communications
• Cybersecurity tools
• EU legislative support
• Forensic
• Quantum-safe cryptography
• Enterprise cybersecurity
5. COSO
COSO stands for the Committee of Sponsoring Organizations of the Treadway Commission. It is
another cybersecurity framework that is more holistic and targeted toward preventing corporate
fraud. As COSO is backed by auditing and accounting bodies, the COSO framework is built on the
process of 'internal control', which relates to risk management.
COSO contains five interrelated components:
• Risk assessment
• Control activities
• Information and communication
• Monitoring
• Control environment
6. CISQ
Consortium for IT Software Quality (CISQ) is a joint endeavor between the Object Management
Group (OMG) and Carnegie Mellon University's Software Engineering Institute (SEI). The
CISQ's international standards help automate software quality measurement, and its measures of
reliable, secure, and trustworthy software are built around these areas:
• Structural Quality
• Technical Debt
• Software Size
7. FedRAMP
Federal Risk and Authorization Management Program (FedRAMP) is a set of standardized
approaches that helps in security assessment, monitoring, and authorization for cloud products
and services. Introduced by the U.S. government, it is used by all departments and agencies.
Additionally, FedRAMP builds on the NIST SP 800 series and requires cloud service providers
(CSPs) to meet the obligations of the Federal Information Security Management Act (FISMA).
How to Create Cybersecurity Compliance Program
Here are the steps to keep in mind when creating a cybersecurity compliance program:
Step 1: Create a compliance Team
A compliance team is important for all types of businesses, and it does not exist in a vacuum. As
organizations move critical operations to the cloud, they need to create an independent compliance
workflow and communicate across business and IT departments.
Set Controls: depending on your risk tolerance, decide how each risk will be treated or transferred.
The controls to set include:
• Encryption
• Firewall
• Password Policies
• Vendor Risk Management Program
• Insurance
• Employee Training
Step 2: Establish a Risk Analysis Process
As more standards and regulations take a risk-based approach to compliance, organizations of
all sizes need a risk analysis process. The process runs as follows:
1. Identify the risk: identify all information assets and information systems, networks, and
the data they access.
2. Assess risk: review each data type and identify how risk information is stored, collected,
and transmitted.
3. Analyze risk: after assessing risk, analyze it. For this, companies use the following
formula:
Risk = (Likelihood of Breach x Impact) / Cost
4. Set risk tolerance: after analyzing the risk, determine whether to refuse, accept, transfer
or mitigate it.
5. Set up policies: policies document compliance activities and controls. These policies are
the foundation of the necessary internal and external audits.
Step 3: Monitor and Respond
Most compliance requirements depend on how threats evolve. Cybercriminals continuously work to
identify new ways to breach systems: they find previously unknown vulnerabilities (zero-days) and
modify their strategies accordingly. Continuous monitoring of the policies and procedures helps
identify threats before they lead to data breaches.
Major Cyber Security Compliance Requirements
Various information security regulations establish cybersecurity compliance standards. While
their methods differ, their content overlaps and they pursue a similar goal. So, create rules
that are easy and simple to follow and adapt them to the company's technological environment.
Some of the major cybersecurity compliance solutions and requirements are:
1. HIPAA
The Health Insurance Portability and Accountability Act (HIPAA) is a U.S. federal statute that
was signed in 1996. It covers health-related information that is used to process claims, share
information and receive payments, which must comply with HIPAA privacy standards.
This cybersecurity compliance management ensures that health care plans, health care
clearinghouses and the businesses associated with them won't disclose any private and
confidential data without the individual's consent.
The act is based on three fundamental parts: the Security Rule, the Breach Notification Rule
(for reporting an incident), and the Privacy Rule. This law isn't applied to companies that are
not present in the U.S.
2. FISMA
The Federal Information Security Management Act governs U.S. federal information systems to
protect information, assets, and operations of economic interest from the risk of breach. FISMA
sets minimum requirements for security maintenance and threat prevention in national-level
agency systems. The act aligns with active laws and cyber security directives to address the
compliance procedures within information security programs.
Additionally, it covers the information system security plan and controls, conducts risk
assessment, and ensures continuous monitoring.
3. PCI-DSS
The payment card industry data security standard is a non-federal information security
requirement that implements credit card data protection and security controls. The main goal of
PCI-DSS is to protect the cardholder from any breach.
The PCI-DSS standard applies to merchants that handle payment information, irrespective of the
number of transactions they handle per month. Non-compliant entities risk losing their merchant
license and may become a target of cyber attacks.
4. GDPR
The General Data Protection Regulation (GDPR) is a data protection and privacy law that was
published in 2016 and covers the European Economic Area and European Union Countries. It
built a legal framework that governs the collection and protection of EU-based employees'
personal data.
GDPR requires companies to state clear policies and conditions regarding their customer data
collection and allows individuals to manage their data without restrictions.
5. ISO/IEC 27001
ISO/IEC 27001 is an international standard for implementing and managing the information
security management system that belongs to the International Electrotechnical Commission
(IEC) and the International Organization for Standardization (ISO) 27000 family of standards.
A certified business demonstrates adherence at all technological levels, including processes,
tools, employees, and systems, to ensure integrity and protection.
6. Avoid Regulatory Fines
Following practices that stick to the regulatory requirements helps to prevent the regulatory
penalties that follow a breach. In case of misconduct, regulators investigate the cyber security
compliance of companies, which can result in huge fines.
This also sends a message to other companies that they need to protect their data under all
circumstances.
7. Risk Assessment Instrument
Important compliance obligations combine the collection of rules and regulations that help
review the most important systems and procedures required for securing and managing sensitive
data.
Establishing clear guidelines from cybersecurity compliance regulations helps in risk assessment
and in targeting the vulnerabilities, so as to focus on the important elements required in the
cybersecurity framework.
8. Industry Standard
Aligning security policies with those of other businesses helps IT professionals set a cyber
security check standard, avoid misinterpretations, and simplify complicated operations that span
companies.
The aligned procedure and the related framework for cybersecurity compliance certification can
be treated as a risk prevention measure for customers, who then don't have to research the
company's security standards. Also, unified policies are more secure and allow simplified and
optimized B2B and B2C transactions.
How to Implement Cybersecurity Compliance?
To simplify cybersecurity compliance, we have deconstructed everything into simple steps. So,
let's see how you can build a cybersecurity compliance plan with these easy steps:
1. Get a compliance team
Whether you are a big company or a small one, you must have a dedicated person with the skills
and knowledge to assess cyber security compliance. Clear ownership and responsibility help in
maintaining and updating the cyber security environment and in creating a robust plan against
threats and challenges.
2. Establish a Risk analysis process
Establish and review an analysis process to see where the organization stands and what needs
to be done. Break the process into:
• Identification: Distinguish the assets, information systems, and networks that users access.
• Analysis: Determine the risk impact; you can use this formula:
  Risk = Likelihood of breach x Impact/Cost
• Setting the risk tolerance: Categorize and prioritize each risk by transferring, accepting,
refusing, or eliminating it.
3. Set security control
Decide which security measures the organization will use to handle the identified risks. Some of
the controls include:
• Network firewall
• Password Policies
• Data encryption
• Network access control
• Employee training
• Incident response plan
• Insurance
4. Policies and procedures
Documenting the security-oriented operations will help to have clear instructions about cyber
security regulatory compliance programs. It helps align things systematically and revise and
audit the network security compliance of the company.
5. Monitor and respond
Actively monitoring the security methods, improvements, and other measures helps identify new
risks and respond by updating the required changes.
Cyber Security Compliance Best Practices
Compliance and security are interconnected, but compliance aims to keep up with government
policies, industry regulations, security frameworks, and clients' contractual terms. Here are some
of the best practices you must follow to keep up with security compliance:
• Know the IT security regulations that apply to your industry
• Develop a risk assessment plan
• Identify risks and vulnerabilities to establish the security controls
• Keep reviewing your compliance practices
Benefits of Cyber Security Compliance
A) Avoid penalties and fines
Failing to meet the latest rules and regulations governing their business is expensive for
businesses that are not in compliance. Therefore, as a company subject to cybersecurity
compliance, you should be aware of the latest trends and legislation to avoid fines and penalties.
B) Build customer trust and brand reputation
Business threats are not just limited to business interruptions and financial losses but are also
damaging to the brand reputation and customer trust. Therefore, at the time of a data breach, an
instant response is important to protect brand reputation and customer loyalty.
C) Improved data management
Companies must keep track of the sensitive information they hold about their customers, where
that data is stored, and how it is handled, modified, and accessed in a secure and streamlined
manner.
D) Enhanced security
The compliance regulations allow businesses to build a cyber-security program, create
organization-level cyber-security policies, and designate chief information security officers.
This will also minimize the risk, and you will be able to address the data breach.
E) Improved access control and accountability
Businesses should establish accountability for the strategic management of security and cyber
risk in a way that complies with cyber security regulations. Organizations should use a suitable
risk management framework to regulate and monitor the security system and the clients'
sensitive information.
Conclusion
The increase in cybercrime has increased the pace of implementing cybersecurity compliance.
More targeted frameworks and a strict environment can help identify cyber criminals and
minimize attacks. So, keep your cybersecurity compliance software updated and stay in touch
with experts.
What is a Cyber Security Plan?
A cyber security plan is a written document comprising information about an Organization's
security policies, procedures, and remediation plan concerning countermeasures. This plan aims
to ensure the integrity of operations and the security of the Organization's critical assets.
It is a vital tool to protect customers, employees, and corporate confidential information. By
defining the current and future state of your cybersecurity space, it gives the Organization
cybersecurity best practices in the form of a plan. A cybersecurity plan also empowers the
Information Technology team to communicate effectively about the cybersecurity structure and
operations. Professional ethical hacking training can help organizations create effective
cybersecurity plans.
Why is Cyber Security Plan/Strategy Important?
There are three (3) reasons why cyber security plans are important:
1. Cyber attacks are the new normal for organizations. Industry reports usually focus on bigger
corporations; however, small businesses are the new target for cybercriminals. When a breach
occurs in any Organization, the disruption can reach a new high if there is no proper cyber
security plan. If an incident response plan is incorporated into the cyber resilience strategy,
damage can be reduced drastically. Hence, the earlier an incident is detected, the easier it is to
deal with and to secure the data.
2. A quick response to cyber-bound threats will protect the Organization's Integrity and
safeguard critical information of employees, customers, and stakeholders. For instance, if a
critical asset (such as a laptop) containing sensitive data is lost, a remote wipe can be
triggered from the host, which protects the organization's valuable assets. A cyber security
plan will encompass all necessary procedures and countermeasures desirable against any cyber
threat.
3. A cyber security plan that contains measures against information technology breaches could
help to prevent cyber attacks. Cyber security does not begin after an attack occurs. It is an
ongoing process that requires consistent maintenance and monitoring, and it is a proactive and
preventive approach rather than a detective one. A cyber attack prevention plan is a subset of a
cyber security plan and is intended to help protect the Organization from cyber attacks.
Objectives of Cyber Security Planning
Most business operations run on the internet, exposing their data and resources to various cyber
threats. Since the data and system resources are the pillars upon which the Organization
operates, it goes without saying that a threat to these entities is indeed a threat to the
Organization itself.
A threat can be anything from a minor bug in code to a complex system hijack achieved through
network and system penetration. Risk assessment and estimation of the cost of reconstruction
help the Organization stay prepared and look ahead for potential losses. Thus, knowing and
formulating a cyber security plan specific to every Organization is crucial in protecting critical
and valuable assets. Hence, professionals trained in Ethical Hacking certification courses are
hired by Organizations for Incident Response roles.
Cyber security aims to ensure a risk-free and secure environment for keeping the data, network,
and devices secured against cyber threats.
Benefits of a Cybersecurity Plan
Small, medium and large organizations are all prime targets, and they need to be prepared to
eliminate cyber security threats. A comprehensive cyber security plan has become the most
important factor for every business; an organization without one is at greater risk than an
organization with a cyber security business plan, which can reduce risks to a great extent. The
benefits of a cyber security plan are listed below:
1. Better Understanding of Risks
Organizations have extensively adopted cloud computing technology, mobile devices, the Internet
of Things (IoT), smart wearables, and so on. This has led to substantial exposure to cyber-
attacks and threats. Hence, organizations need to be more calculated in safeguarding themselves
than ever. A cyber security plan will help organizations understand the current IT environment,
allowing them to make the necessary amendments to secure it.
2. Enabling Proactive Protection
One of the main reasons that organizations fall prey to cybercrime is their reactive approach. It
is important to defend against cyber-attacks with a cyber-attack prevention plan and to take
proactive measures towards strengthening the cyber security posture. The organization should
always be prepared for worst-case scenarios. A fundamentally strong cyber security plan can be
put in place, which comprises vulnerability analysis and penetration testing, security
vulnerability scans, business continuity and disaster recovery, and managed security services as
a proactive approach.
3. Respond Promptly
No organization is entirely secure, even with the strongest security solutions. Some attacks
can breach the strongest defenses, and many organizations have witnessed that. That is why
having a cyber security plan can be helpful. Creating this plan means knowing exactly what
steps to take in the event of a cyber-attack and anticipating the attacks that could take place.
A cyber-attack prevention plan also helps each employee in the Enterprise know their distinct
role in how they should react to the catastrophe.
4. Necessary Compliance Requirements
In highly regulated industries, compliance with the relevant standards and regulations is
mandatory. Some of these are GDPR (General Data Protection Regulation), PCI DSS (Payment
Card Industry Data Security Standard), HIPAA (Health Insurance Portability and Accountability
Act), and so on. Failure to comply can lead to hefty penalties, lowered profits, and reputational
risk. A cyber security plan guarantees utmost compliance and empowers the Enterprise to
monitor all the best practices while consistently meeting industry principles and protocols.
5. Prevent Insider Threats
A cyber security strategy and plan help organizations counter insider threats by implementing a
more organized approach to security. In other words, they make cyber security a part of the
organizational culture. Employees are currently making cyber security a top priority by engaging
in awareness and training sessions; hence, there is a declining trend in insider threats. In short,
a cyber security plan is a natural preventive against insider threats.
Elements of an Effective Cybersecurity Plan
Cyber security presents several obstacles to organizations today, and it can be difficult for
enterprises to keep up with the surge in cyber threats. Although it is essential to use technology
to provide an automated, layered security approach, technology alone is not enough. An
organization must incorporate protection into its organizational culture to protect itself against
current threats. An effective cyber security plan allows every part of an enterprise, from its
processes to its technologies, to establish a robust cyber security environment. To create an
operative cyber security strategy, certain key elements are necessary. These are:
1. Working Within a Framework
The approach towards cyber defense must be tailored to the types of data being secured and the
circumstances of the organization's architecture. A framework is an essential component of
cyber security risk management. It includes governance for a 3P structure, which is essentially
people, processes, and technology within the company. The scope should cover all working
procedures, people inside and outside the Enterprise, including third-party vendors, and devices
attached to the corporate network.
2. Awareness with respect to Threat Intelligence
The more proactive decisions that can be made during a cyber-attack, the better off the
Enterprise will be. First, a cyber-attack prevention plan is essential so that the procedures and
techniques are known and guided by predetermined indicators. Threat intelligence provides these
metrics, background, and actionable insights into current and emerging risks to corporate assets.
The expertise provided here is evidence-based, offering the keys to informed decision-making
when a cyber incident starts. Vulnerabilities such as shared administrative keys, unpatched
applications, operating systems, network configurations, or business operations and processes
provide context for the threat. Effective online Cyber Security certification programs can also
help employees upgrade and upskill their knowledge of Threat Intelligence.
3. Basics of CyberSecurity
Part of the cyber security planning guide process includes circumventing issues in the first
place. Basic security systems should run in top form to achieve
this goal or improve the chances of never having a disastrous breach. Security procedures are
also required to be fully implemented. These include the following:
• Firewalls
• Intrusion Detection and Prevention Systems (IDS / IPS)
• Security Information and Event Management (SIEM) systems
• Spam filter / anti-phishing
• Identity and Access Management, including Privileged Access Management for
administrative roles
• Strong passwords
• Multi-Factor Authentication
• Device and data encryption
• Bring Your Own Device (BYOD) policy
4. Collaborating with Internal Stakeholders
In the event of cybersecurity breaches, all employees belonging to IT, Sales, HR, Marketing, and
Finance of the Organization should be ready at the time of announcement. Everyone should have
a predetermined role to play in responding to an incident. The cyber security plan should
include collaboration with internal stakeholders as an essential and definitive action plan.
5. Comprehensive Risk Assessment
The most prevalent threat model is based on identified risks, their likelihood of occurrence,
and the damage they could do. Risk assessment fine-tunes the cyber security response and helps
prevent attacks. It is an essential element of a pervasive cyber security maturity model.
6. Incident Response Planning
Cyber security risks are growing day by day. That is why it is necessary to be proactive about
incidents and responses. Incident response plans should be layered and preemptive. Visibility is
another critical factor in the event of an incident: it is best to know who has access to the
network and systems, and at what time, in order to gather as much information as possible.
7. Data Support and Operations
Data support and operations include the measures the Organization will implement for handling
each level of classified data. These are the three primary categories of data support operations:
1. Data protection regulations: Organizations must set standards to protect personally
identifiable information and other sensitive data. The standards with respect to data
protection regulation should follow an appropriate compliance standard along with local or
country-specific regulations. Most cyber security standards and compliance regulations
require data privacy standards, network, and firewall security components, and vulnerability
management protection.
2. Data backup requirements: The Organization will also need to generate secure data backups.
The backup media should be encrypted so that they can be stored securely. Storing backup
data securely in the cloud is a highly secure option.
3. Movement of data: An organization should ensure data security whenever it moves its
data. Transfer of data should be done through secure protocols.
8. Roles and Responsibilities
This component of the cyber security plan should outline the employees' rights,
responsibilities, and duties regarding data protection. Assign responsibility by nominating
employees within internal control functions to perform access reviews, educate other staff
members, oversee change management protocols, pick up and review incidents, and provide
general oversight and implementation support for the cyber security policy.
How to Create an Effective Cyber Security Plan [Step-by-Step]
There are 8 lean steps to planning an operative cyber security plan: conducting a Security Risk
Assessment, setting Security Goals, evaluating Systems, Applications and Tools, selecting a
Security Framework, reviewing Security Policies, creating a Risk Management Plan,
implementing the Security Strategy, and evaluating the Security Strategy.
Step 1: Conduct a Security Risk Assessment
A Cyber Security Risk Assessment requires an organization to determine its key business
objectives and recognize the Information Technology assets essential to those objectives. It
is then a case of classifying cyber-attacks that could adversely affect those assets. Cyber
Security Risk Assessment within a cyber-attack prevention plan also analyzes the likelihood of
those attacks occurring and their impact.
The assessment includes the following critical areas evaluated and documented accordingly:
• Identification of Assets - A list of physical and logical assets within the risk assessment
scope should be created. This list provides a preview of the asset repository and helps
diagnose critical issues during a major incident.
• Identify Threats - Threats are the tactics, techniques, and approaches used by threat actors
that have the potential to cause harm to the assets of the Organization. To help identify
potential threats for each asset, a threat library (such as the MITRE ATT&CK knowledge base)
should be used, as this helps determine the types of protection needed.
• Classification of Data - Data classification is important for risk assessment because it
separates sensitive from non-sensitive information. Data can be classified into:
• Public
• Private
• Confidential
• Restricted
• Internal Use Only
• Intellectual Property
• Risk Prioritization - Prioritization of risk is an assessment of the Enterprise's overall risk
posture. A Business Impact Analysis (BIA) should be conducted to identify the critical systems
and data, and its result leveraged for risk prioritization. A risk register should be created and
maintained for all assets tagged as highest risk.
Step 2: Set Your Security Goals
The objective of Cyber Security is to safeguard information from theft, compromise, or attack.
A cyber security business plan can be measured by at least one of three goals:
• Protect the Confidentiality of data (Confidentiality) - Keeping the sensitive data private and
accessible to only authorized users
• Preserve the Integrity of data (Integrity)
• Promote the Availability of data for authorized users (Availability)
The CIA triad is a security model that is designed to guide policies for Information Security
within the premises of an organization. Every Information Security Strategy Plan should include
a detailed model and guiding principle derived from CIA Triad. The following steps will help to
create cyber security goals:
• Categorizing the assets based on their importance and priority.
• Restraining the potential threats.
• Determining the method of each threat
• Monitoring any breaching activities and managing data at rest and data in motion.
• Iterative maintenance and responding to any issues involved.
• Updating policies to handle risk based on the previous assessments
Step 3: Evaluate Your Technology
Cybersecurity is technology-centric and always depends upon the core systems of an Enterprise.
While the assets are segregated by their criticality to the business within the risk register, it is
also important to understand and evaluate the technology landscape for proactive mitigation of
risk. Once the critical assets are identified and segregated, it is essential to determine the
functions that the assets serve and the related technology functions. It is also imperative that
the business units be involved as a support function within the network. The steps below should
be followed to evaluate the technology:
• Identify the operating systems (servers / desktops / laptops) used within the entire network
• Categorize devices nearing their End-of-Life date, after which the vendor discontinues
updates
• Deploy support personnel to maintain critical assets
• Remove duplication of services provided by different systems
Step 4: Select a Security Framework
A cyber security business plan framework allows organizations to understand why Cyber
Security is significant and how it can be dealt with. It also gives guidance on how organizations
can lessen the risk of falling victim to cyber-crime. Executing a cyber security business plan
framework is important because:
• The framework provided is a maturity model that has been fully implemented; therefore, no
additional build-up is required.
• The critical infrastructure of the framework can be implemented in various stages, which
makes it more effective in businesses. This enables the organization to implement the
framework in parts, starting from the lower level and gradually progressing to the higher
level.
• It provides a measure of the current cyber situation and details how it can be improved with
respect to the policies and practices in the Organization.
Based on the requirements of the Organization, different frameworks can be implemented. These
are:
• ISO 27001 - The International Organization for Standardization (ISO) cyber security
framework suggests the best practices that an organization can follow to safeguard its
critical assets and data.
• PCI DSS - The Payment Card Industry Data Security Standard (PCI DSS) is one of the
categories of cyber security structures that emphasizes principles for online payments and
transactions. It is a set of procedures that aids Enterprises in thwarting fraud while
transacting through debit cards, credit cards, prepaid cards, or other forms of card.
• NIST CSF - The National Institute of Standards and Technology (NIST) Cybersecurity
Framework is one of the topmost industry-leading frameworks; it augments the basic substance
of cyber security and provides the groundwork for managing cyber security threats using
standard techniques and procedures. The five core functions of the NIST CSF, which most
Organizations follow, are: Identify, Protect, Detect, Respond, and Recover.
• GDPR - The GDPR (General Data Protection Regulation) seeks to create a coordinated data
protection law framework across the European Union (EU), giving data subjects control of their
data while imposing strict rules on those hosting and processing this data anywhere in the
world. This framework is also important for controlling and protecting data from cyber
perpetrators.
• HIPAA - The HIPAA security rule standards and implementation specifications have four
major sections, essentially created to identify the relevant security safeguards that help achieve
compliance. These are:
• Physical
• Administrative
• Technical
• Policies, Procedures, and Documentation Requirements
Step 5: Review Security Policies
The objective of cyber security policies within the Cyber security business plan is to address
security threats and implement a cyber security management plan. A thorough review of the
policies is recommended to ensure security policies are up to date and address emerging
threats. The steps toward reviewing security policies are as follows:
• Keep track of the policies in a centralized location
• Review the policies annually and/or whenever a justified business need for change arises
• Communicate policy changes accordingly within the Organization
• Ensure that every policy contains a revision and version information table
Step 6: Create a Risk Management Plan
One of the constructive ways to defend against a cyber security breach is to design a detailed
cyber security risk management plan, which needs to be integrated into a robust plan that
covers the Organization's overall risk posture. The intention of the cyber security risk
management plan is to substantiate the Organization's posture towards cyber security with
respect to safeguarding data from being stolen or lost. The following 8 steps are a guideline for
creating a cyber risk management plan.
• Identifying the most valuable Digital Assets - The primary step in creating a cyber risk
management plan involves ascertaining the Organization's most valuable digital assets. A
list of critical assets should be created with the most susceptible at the top, and the most
critical list items prioritized within the strategy.
• Audit the Organization's Data and Intellectual Property – It is essential to perform an audit
of the Organization's digital assets and data. The audit's outcome will help create an effective
cyber risk management plan.
• Perform a Cyber Risk Assessment - The following step in this process requires carrying out
a cyber risk assessment. This particular type of evaluation is designed to identify numerous
pieces of information that could be potentially affected by a cyber-attack. The principal goal
of a cyber risk assessment is to comprehend where weaknesses exist and curtail gaps in
cyber security.
• Analyze Security and Threat Levels - Conducting security and threat modeling can help
expose pertinent information regarding threat stages and help Enterprises better determine
their cyber security posture.
• Create an Incident Response Plan - An incident management and response plan is a
consolidated set of instructions configured for different cyber security threats such as
cyber-attacks, data loss, service outages, and many other events that negatively impact normal
business operations. The plan can effectively help to detect, respond to, and recover from cyber
security incidents. The incident response plan eventually embeds the cybersecurity recovery
plan from a business continuity standpoint.
Step 7: Implement Your Security Strategy
Implementing the cyber security management plan is the most important task in the entire
strategy, and it comes with a layered approach. Internal teams discuss the plans in detail and
assign remediation tasks accordingly. A PMO leads the project, creates milestones for every
task, and tracks closure to complete the implementation.
Step 8: Evaluate Your Security Strategy
This last step in forming the cyber security strategy is to start ongoing support of the security
strategy. The security strategy must be monitored and tested frequently to ensure the goals of the
strategy align with the threat landscape. Below are the steps to be followed to maintain
continuous and comprehensive oversight:
• Establish internal stakeholders from all the business functions for ongoing support
• Perform an annual risk assessment
• Obtain regular feedback from internal and external stakeholders
What to Include in Your Cyber Security Plan Template for Small Business
A cybersecurity action plan template for small businesses outlines
everything the Organization needs to protect the business from cybersecurity threats. A
thorough cybersecurity project plan template includes preventative and reactive measures to
minimize business risk. The plan typically includes the following components:
1. Objectives
The cyber security management plan template aims to provide quick solutions when
required. It lists all the activities concerning the privacy of information, the correctness of data,
and access to authorized users. This brings us to focus on the 3 crucial aspects of security:
confidentiality, Integrity, and availability of data, collectively known as the CIA Triad.
2. Common threats
Cyber threats change at a fast pace. Strategies and attack methods are changing and improving
daily. Cybercriminals access a computer or network server to cause harm through several routes;
such a route is called an attack vector. Cyber threats are categorized by their attack vectors.
Some of them are:
1. Malware
2. Ransomware
3. Distributed denial of service (DDoS) attacks
4. Phishing and Spam
5. Identity Theft
The template should include the plan and strategies to deal with these cyber threats and their
remediation plan.
3. Security policies
Cyber security policies serve as the framework of a cyber security management plan.
Policies outline the expectation of internal stakeholders to protect business assets and minimize
risk. The security policy should include the following:
• Limiting who accesses information
• Restricting internet browsing on the network
• Implementing a plan of action for suspicious email
4. Security Breach Response Plan
A breach response process allows the Organization to quickly identify an attack and shut it down
as soon as possible. This minimizes damage to the business data and ensures that a backup is
running in parallel. The breach response plan should include clear steps and a timeline of how
long the critical systems have to be shut down during an attack before the Organization is at
risk.
5. Employee education plan
There can be the strongest cyber security policies in place, but if the employees don't know
them, the organization is still at risk. So, a small business cyber security management plan is not
complete without employee training. To be successful, the employees need to be aware and
updated with the cyber security policy. A cyber security training program also needs to be
designed to educate the employees periodically. KnowledgeHut's cyber security certifications
online program can also help employees to upgrade and upskill their knowledge.
How to Implement Cyber Security Plan for your Business and Best Practices
Having a cybersecurity implementation plan from the start and continuing it throughout the
development cycle is an industry best practice. However, the process is monotonous and requires
detailed planning before execution. Below are the steps to implement a cyber security plan:
1. Build a Cyber Security Team
The first step in a cyber security management plan is to build a dynamic team. This team designs
and builds the framework of the security program, monitors the threats, and responds to
incidents.
2. Inventory and Manage Assets
The cyber security team's initial screening is to understand which assets exist and where they
are located, make sure the assets are tracked, and secure them properly. In other words, it is
time to prepare a catalog of everything that could contain sensitive data, from hardware and
devices to applications and tools (both internally and third-party developed) to databases,
shared folders, and more. Once the list is prepared, each asset is assigned an owner and then
categorized by importance and value.
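As an added example (not from the original notes or any vendor tool), the inventory step above can be turned into a repeatable check. The Python script below keeps a small constructed asset list, gives each asset an owner and a business value, and reports the two gaps the notes single out: assets that nobody owns, and platforms that are past or approaching vendor End-of-Life (the "Evaluate Your Technology" check from Step 3). The asset names, owners, values and lifecycle dates are constructed assumptions; verify real End-of-Life dates against the vendor's lifecycle pages before acting on them.

```python
# Added example, not part of the original notes: a small asset-inventory review
# that flags assets with no accountable owner and platforms at or near vendor
# end-of-life. Sample assets and dates are constructed for illustration.
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Asset:
    name: str
    kind: str                  # "server", "laptop", "application", ...
    platform: str              # operating system or hosting platform
    owner: Optional[str]       # None means nobody is accountable yet
    value: int                 # business value 1 (low) .. 3 (high), set by the owner
    eol: Optional[date]        # vendor end-of-life date, if the platform has one


# Constructed inventory (assumption): a handful of assets of mixed criticality.
SAMPLE_ASSETS: List[Asset] = [
    Asset("erp-db-01", "server", "Windows Server 2012 R2", "dba-team", 3, date(2023, 10, 10)),
    Asset("crm-app", "application", "vendor SaaS", "sales-ops", 3, None),
    Asset("web-01", "server", "Ubuntu 22.04", "platform-team", 2, date(2027, 4, 1)),
    Asset("hr-laptop-17", "laptop", "Windows 10", None, 2, date(2025, 10, 14)),
    Asset("legacy-fileshare", "server", "CentOS 7", None, 1, date(2024, 6, 30)),
]

REVIEW_DATE = date(2024, 6, 1)   # constructed date on which the review is run


def review_inventory(assets: List[Asset], today: date,
                     horizon_days: int = 180) -> Dict[str, list]:
    """Return the ownership and end-of-life findings for an inventory.

    "unowned" lists assets with no owner; "end_of_life" lists (name, days_left)
    for platforms whose EOL is already past (negative days) or falls within
    horizon_days. Both lists are ordered by business value, highest first,
    so the review starts with the assets that matter most.
    """
    ranked = sorted(assets, key=lambda a: (-a.value, a.name))
    unowned = [a.name for a in ranked if a.owner is None]
    end_of_life: List[Tuple[str, int]] = []
    for a in ranked:
        if a.eol is None:
            continue
        days_left = (a.eol - today).days   # negative when support has already ended
        if days_left <= horizon_days:
            end_of_life.append((a.name, days_left))
    return {"unowned": unowned, "end_of_life": end_of_life}


if __name__ == "__main__":
    findings = review_inventory(SAMPLE_ASSETS, REVIEW_DATE)
    for name in findings["unowned"]:
        print(f"no owner assigned: {name}")
    for name, days in findings["end_of_life"]:
        state = "past EOL" if days < 0 else f"EOL in {days} days"
        print(f"{name}: {state}")
```

The horizon is a parameter because the lead time needed to replace a platform differs between a laptop image and a database server; widening it brings the Windows 10 laptop into the report as well.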
3. Assess the Risk
Thinking about risks, threats, and vulnerabilities is indispensable to evaluating risk. A list of
probable threats to the Organization's assets should be prepared, and each threat assigned a
numeric score based on its likelihood and impact. The scores can then be classified and ranked
by potential impact. Vulnerabilities identified for these assets can involve people (employees,
clients, and third parties), processes, and the technologies in place.
4. Manage Risk
Using the ranked list produced by the assessment, the organization decides whether to reduce,
transfer, accept, or avoid each risk.
• Reducing the risk: Recognize and implement fixes to counter the risk (e.g., put in place a
firewall, set up local and off-site backups, deploy email filtering to curb phishing and DLP
tools to curb data leakage, etc.).
• Transferring the risk: Buy an insurance policy for the assets or contract with a third party
to carry that risk.
• Accepting the risk: Accept the risk when the cost of the countermeasures would exceed the
expected loss, and record the decision.
• Avoiding the risk: Stop or redesign the activity that gives rise to the risk (e.g., decommission
a legacy system). Simply denying that a risk exists, or ignoring its probable impact, is not a
treatment and is not recommended, as it can lead to irreversible consequences.
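Steps 3 and 4, carried through in code as an added example that is not part of these notes: each threat is scored as likelihood multiplied by impact, the register is ranked, and a treatment is chosen from the organization's risk appetite and a cost/benefit comparison. The scales, the thresholds, and the sample register are constructed assumptions, not figures from any real assessment.

```python
"""Risk register scoring and treatment.

Added example, not part of the original notes: it scores each threat as
likelihood x impact, ranks the register, and picks a treatment (reduce,
transfer, accept, avoid) from the organisation's risk appetite and a
cost/benefit comparison. Scales, thresholds and the sample register are
constructed for illustration; real programmes calibrate them to their own data.
"""
from dataclasses import dataclass

# Ordinal scales: score = likelihood * impact, so the range is 1..25.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: str
    impact: str
    control_cost: float      # estimated annual cost of the countermeasure (constructed)
    expected_loss: float     # estimated annualised loss if the threat materialises (constructed)
    insurable: bool = False  # can the residual loss be transferred to an insurer?

    @property
    def score(self) -> int:
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    @property
    def level(self) -> str:
        """Bucket the numeric score into the zero/low/medium/high bands used in the notes."""
        if self.score >= 15:
            return "high"
        if self.score >= 8:
            return "medium"
        if self.score >= 3:
            return "low"
        return "zero"


def rank(register: list[Risk]) -> list[Risk]:
    """Highest score first; ties broken by impact so severe-but-rare risks stay visible."""
    return sorted(register, key=lambda r: (r.score, IMPACT[r.impact]), reverse=True)


def treatment(risk: Risk, appetite: int) -> str:
    """Choose a treatment for one scored risk.

    `appetite` is the highest score the organisation is willing to live with.
    - At or below appetite: accept (document the decision and revisit it).
    - Above appetite and the fix costs no more than the loss it prevents: reduce.
    - Above appetite, fix uneconomic, but insurable: transfer.
    - Above appetite, fix uneconomic, not insurable, high band: avoid (stop the activity).
    - Otherwise accept with sign-off, because the countermeasure costs more
      than the loss it prevents.
    """
    if risk.score <= appetite:
        return "accept"
    if risk.control_cost <= risk.expected_loss:
        return "reduce"
    if risk.insurable:
        return "transfer"
    if risk.level == "high":
        return "avoid"
    return "accept"


def build_plan(register: list[Risk], appetite: int = 6) -> list[dict]:
    """Ranked treatment plan: one row per risk, highest score first."""
    return [
        {"asset": r.asset, "threat": r.threat, "score": r.score,
         "level": r.level, "treatment": treatment(r, appetite)}
        for r in rank(register)
    ]


# Constructed sample register (values are illustrative, not from any real assessment).
SAMPLE_REGISTER = [
    Risk("customer database", "ransomware", "likely", "severe", 20_000, 500_000, insurable=True),
    Risk("laptop fleet", "device theft", "possible", "moderate", 5_000, 15_000),
    Risk("marketing website", "defacement", "unlikely", "minor", 3_000, 1_000),
    Risk("legacy FTP server", "credential theft", "likely", "major", 80_000, 30_000),
    Risk("card payments", "payment fraud", "possible", "major", 60_000, 40_000, insurable=True),
]

if __name__ == "__main__":
    for row in build_plan(SAMPLE_REGISTER):
        print(f"{row['score']:>2} {row['level']:<6} {row['treatment']:<8} "
              f"{row['asset']} / {row['threat']}")
```

The order of the checks in `treatment` is the point: appetite is consulted first, so a low-scoring risk is accepted regardless of cost, and "avoid" is reserved for a high-band risk that can be neither fixed economically nor insured, which is exactly the legacy-FTP case in the sample register.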
5. Apply Security Controls
For the risks that have been identified, controls should be implemented. These controls mitigate
or eliminate the risks. They can be technical (e.g., encryption, intrusion detection and
prevention systems, antivirus and anti-malware, firewalls, and anti-phishing email filtering) or
non-technical (e.g., policies, procedures, physical security, and trained employees). Each
control is implemented according to its technical or non-technical nature.
6. Audit
A complete cyber security audit program should be in place to understand the organization's
standing with respect to its threat matrix. Audit records also help the organization identify the
root cause of an incident.
Common Pitfalls to Avoid When Implementing Your Cyber Security Strategy/Plan
The following are the most common mistakes to avoid while implementing the cyber security
plan:
• Denial of Common Cyber Threats
• Neglecting Regular Software Updates
• Falling for Common Cyber Threats
• No Training for Employees
• Not Creating Strong Passwords
• No Cybersecurity Policy
• Not Protecting Business Data
Examples of Cyber Security Management Plan
Every organization is unique, and its operating procedures differ. Hence, it is important to
understand the complete architecture of the systems and applications in scope within the
purview of the organization. One example of a heat map defining confidentiality, integrity, and
availability (CIA) ratings for a cybersecurity action plan template, which captures the risk
assessment of the critical assets, is attached below for reference:
Conclusion
An organization should not wait for a cyber incident before implementing a proactive cyber
security strategy across the business. With a strong cyber strategy, the business not only recovers
faster but is also forewarned and prepared for future cyber incidents.
Cybersecurity Policies
1. Acceptable Use of Data Systems Policy
The purpose of this policy is to stipulate the acceptable use of computer devices at the
company. These rules protect the authorized user and the company alike.
Inappropriate use exposes the company to risks including virus attacks, compromise of network
systems and services, and legal issues.
2. Account Management Policy
The purpose of this policy is to establish a standard for the creation, administration, use, and
removal of accounts that facilitate access to information and technology resources at the
company.
3. Anti-Virus
This policy was established to help prevent attacks on company computers, networks, and
technology systems from malware and other malicious code. It is meant to help prevent damage
to user applications, data, files, and hardware. Antivirus software is a program that detects,
prevents, and takes action to disarm or remove malicious software such as viruses and worms.
Most antivirus programs include an auto-update feature that downloads signatures of newly
discovered malware so that the program can check for it as soon as it is known. Antivirus
software is a basic necessity for every system.
4. E-Commerce Policy
The frequency of cyber-attacks has been high in recent years. E-commerce security refers to the
measures taken to protect businesses and their customers against cyber threats. This e-commerce
policy is to be used as both a guideline and a summary for the management of e-commerce
electronic services.
5. E-Mail Policy
Email security is a term describing the procedures and techniques for protecting email accounts,
content, and communication against unauthorized access, loss, or compromise. Email is commonly
used to spread malware, spam, and phishing attacks. Attackers use deceptive messages to entice
recipients to share sensitive information, open attachments, or click on hyperlinks that install
malware on the victim's device. Email is also a common entry point for attackers looking to gain
a foothold in an enterprise network and acquire valuable company data. Email encryption
disguises the content of email messages so that potentially sensitive information cannot be read
by anyone other than the intended recipients; it is often combined with authentication of the
sender. The purpose of this policy is to establish rules for the use of corporate email for sending,
receiving, or storing electronic messages.
6. Hardware And Electronic Media Disposal Policy
This policy covers company-owned surplus hardware, obsolete machines, and any equipment
beyond reasonable repair or reuse, including storage media. It establishes and defines standards,
procedures, and restrictions for disposing of non-leased IT equipment and media in a legal,
cost-effective manner, including sanitizing or destroying the data they hold before disposal.
7. Security Incident Management Policy
This policy defines the requirement for reporting and responding to incidents associated with the
company's information systems and operations. Incident response gives the company the ability
to identify when a security incident occurs and to contain and recover from it.
8. Information Technology Purchasing Policy
The purpose of this policy is to define standards, procedures, and restrictions for the acquisition
of all IT equipment, software, computer-related components, and technical services bought with
company funds. Acquisition of technology and technical services for the organization must be
approved and coordinated through the IT department.
9. Web Policy
The purpose of this policy is to set up guidelines for the use of the organization's Internet
connection for access to the Internet or the intranet.
10. Log Management Policy
Log management is of great benefit in a variety of scenarios; with proper management, logs
reinforce security, system performance, resource management, and regulatory compliance.
11. Network Security And VPN Acceptable Use Policy
The purpose of this policy is to define standards for connecting to the company's network from
any host. These standards are designed to minimize the potential exposure of the company to
damages which can result from unauthorized use of the company's resources. Damages include
the loss of sensitive or confidential company data and intellectual property, damage to critical
internal systems, etc.
12. Password Policy
Usernames and passwords have been a fundamental way of protecting information and are one
of the first measures taken in cybersecurity. The purpose of this policy is to establish a standard
for the creation of strong passwords, the protection of those passwords, and the frequency with
which passwords must be changed (current NIST guidance in SP 800-63B favours changing a
password on evidence of compromise rather than on a fixed schedule).
13. Patch Management Policy
Security vulnerabilities are inherent in computing systems and applications. These flaws allow
the development and propagation of malicious software, which may disrupt normal business
operations and place the company at risk. To mitigate this risk, vendors release software
"patches" that remove a given security vulnerability; this policy governs how quickly they must
be applied.
14. Cloud Computing Adoption
The purpose of this policy is to ensure that the company can make appropriate cloud adoption
decisions and at the same time does not use, or allow the use of, inappropriate cloud service
practices. Acceptable and unacceptable cloud adoption examples are listed in this policy.
15. Server Security Policy
The purpose of this policy is to define standards and restrictions for the base configuration of
internal server equipment owned and/or operated by the company on its internal network(s) or
related technology resources via any channel.
16. Social Media Acceptable Use Policy
The use of external social media within organizations for business purposes is increasing. The
company faces exposure of a certain amount of data that will be visible to friends of friends on
social media. While this exposure may be a key mechanism driving value, it can also create an
inappropriate conduit for information to pass between personal and business contacts. Tools to
establish barriers between personal and professional networks, and tools to centrally manage
accounts, are only starting to emerge. Involvement by the IT department in security, privacy, and
bandwidth concerns is of the utmost importance.
17. Systems Monitoring And Auditing Policy
System monitoring and auditing are employed to determine whether inappropriate actions have
occurred within an information system. System monitoring looks for these actions in real time,
while system auditing looks for them after the fact.
18. Vulnerability Assessment
The purpose of this policy is to establish standards for periodic vulnerability assessments. This
policy reflects the company's commitment to identifying and implementing security controls
which keep risks to information system resources at reasonable and appropriate levels.
19. Website Operation Policy
The purpose of this policy is to establish guidelines for communication and updates of the
company's public-facing website. Protecting the information on and within the corporate website,
with the same safety and confidentiality standards used in the transaction of all company
business, is significant to the company's success.
20. Workstation Configuration Security Policy
The purpose of this policy is to enhance security and quality operating status for workstations
used at the company. IT staff are to use these guidelines when deploying all new workstation
equipment. Workstation users are expected to maintain these guidelines and to work
collaboratively with IT staff to maintain the configurations that are deployed.
21. Server Virtualization
The purpose of this policy is to establish server virtualization requirements that outline the
acquisition, use, and management of server virtualization technologies. This policy provides
controls that ensure that enterprise issues are considered, alongside business objectives, when
making server virtualization-related decisions. Platform architecture policies, standards, and
guidelines are to be used to acquire, design, implement, and manage all server virtualization
technologies.
22. Wireless Connectivity Policy
The purpose of this policy is to secure and protect the information assets owned by the company
and to establish awareness and safe practices for connecting to open and unsecured Wi-Fi, which
may be provided by the company. The company provides computer devices, networks, and other
electronic information systems for its goals and initiatives. The company grants access to these
resources as a privilege and must manage them responsibly to maintain the confidentiality,
integrity, and availability of all information assets.
23. Telecommuting Policy
For the purposes of this policy, reference is made to the defined telecommuting employee who
regularly performs their work from an office that is not within a corporate building or suite.
Casual telework by employees or remote work by non-employees is not included. Focusing on
the IT equipment typically provided to a telecommuter, this policy addresses the telecommuting
work arrangement and the responsibility for the equipment provided by the company.
24. Firewall
A firewall is a software program or hardware appliance that filters network traffic between your
systems and the Internet. All traffic entering or leaving the network passes through the firewall,
which examines each packet or connection and blocks those that do not meet the specified
security criteria. Firewalls therefore play an important role in blocking unauthorized connections
and limiting how malware can communicate, although detecting malware itself is the job of
antivirus and endpoint tools.
25. Malware scanner
This is software that periodically scans all the files and documents present on the system for
malicious code or harmful viruses. Viruses, worms, and Trojan horses are examples of malicious
software that are often grouped together and referred to as malware.

A Cyber Crisis Management Plan is a framework for dealing with cyber-related incidents through
a coordinated, multi-disciplinary and broad-based approach for rapid identification, information
exchange, swift response and remedial actions to mitigate and recover from malicious cyber-related
incidents impacting critical processes.

WHAT IS A CYBER SECURITY BUSINESS CONTINUITY PLAN?


A cyber security business continuity plan is a form of Business Continuity planning. Business
Continuity Planning is the process of creating a plan to identify major risks to a business which
could cause significant disruption, preventing these where feasible, and planning to allow essential
processes to continue wherever possible.
A business continuity plan should outline a range of risks including physical events (e.g. fire,
flooding and natural disasters), supply chain disruption and cyber-attacks. Cyber risk is often
overlooked and the potential impact of business disruption regularly underestimated.
A cyber security business continuity plan (sometimes known as an incident response plan) can help
your business to identify a range of cyber risk and outline how to prevent or mitigate incidents
where possible. It should also outline the actions that should be taken to minimise business
disruption during a cyber emergency.
The benefits of an incident response plan or cybersecurity business continuity plan include:
lessening business disruption by providing clear steps, actions and responsibilities, and increased
awareness of cyber risks across the business, which can prevent incidents from occurring. By
planning incident response ahead of time, a business can also ensure its response complies with
regulatory requirements such as the GDPR's breach-notification obligations.

WHAT IS DISASTER RECOVERY PLANNING?


A Disaster Recovery plan is an essential part of Business Continuity planning and outlines the steps
needed for a business to quickly resume work after a major incident. Whereas a Business
Continuity Plan outlines how to ensure a business remains operational during an incident, a
Disaster Recovery Plan focuses on the best strategies for recovery following a disaster.
For example in the case of a cyber attack, a Business Continuity plan may focus on ensuring
essential computer systems remain usable and securing important data to allow employees to
continue working. A Disaster Recovery plan may include instructions for recovering data or
making a website accessible following a Distributed Denial of Service attack.

CYBER BUSINESS CONTINUITY PLANNING


Business continuity and disaster recovery in cyber security should follow the same principles as any
business continuity or disaster recovery plan, but with an awareness of the specific risks of a cyber
attack or breach. Here are the steps you should take:
1. Assemble your team

The first step is deciding who to include in your team. This should include people from
across the business, including your IT team and senior leadership. Each member should
have clearly delegated roles and responsibilities, as this removes ambiguity and therefore
reduces downtime in a crisis.
2. Conduct a cybersecurity risk assessment
This is where you will outline all the possible risks to your business that relate to a cyber-
attack or breach. It’s important to consider the impact that the different types of cyber-
attacks could have, and the potential regulatory implications of a data breach. It’s also
crucial to audit all parts of your supply chain for cyber risk, as a cyber breach from one of
your suppliers or partners could put your business at risk and vice versa.
3. Perform a Business Impact analysis
Once you have identified all the major cyber risks to your business, you should perform a
business impact analysis. This is an opportunity to identify each business impact that could
be caused by the disruption of business functions and processes. This analysis will help you
determine recovery strategies and which functions and processes should take priority –
typically the ones with the highest operational and financial impacts.
4. Test your systems
Once plans are in place, it’s important to test your systems to determine if you need to adapt
or review your current plans. This will allow you to refine your plans and systems before a
cyber breach or attack occurs.
5. Set up a continuous monitoring process
Cyber criminals are using increasingly sophisticated methods to breach businesses’
cybersecurity. Processes that may have been completely adequate only a few years ago may
now need to change. Continually monitoring your processes to determine any weak points,
or improvements that can be made is one of the best ways you can protect your business
from large amounts of downtime and business disruption.

WHAT ELSE DO I NEED TO CONSIDER TO KEEP MY BUSINESS SAFE FROM CYBER CRIMINALS?

Education and training


According to research conducted by IBM, 95% of cyber breaches involved human error.
Therefore an important part of your Business Continuity planning should be regular employee
cyber training to stay ahead of the increasingly sophisticated methods used by cyber criminals.
Many comprehensive cyber insurance policies offer employee training as part of their cover to
reduce the risk of claims caused by human error.

Cybersecurity measures
Robust cybersecurity is essential to protect your business, and it is important to invest in
cybersecurity measures regardless of your business size or industry. Cyber insurance cover also
typically requires the policyholder to ensure that adequate cybersecurity measures are in place;
otherwise claims may be voided if an incident occurs.
There are many measures a business can take to protect against cyber attacks, including keeping
antivirus software and firewalls up to date, using VPNs for encrypted data transfer and remote file
access, and enforcing secure password policies and multi-factor authentication.
Penetration testing can also be a useful tool to help you stay ahead of cyber criminals. By
identifying vulnerabilities in your IT infrastructure, you can fix them before an attacker gains
access to your systems.
Penetration testing can take the form of black-box, white-box or grey-box testing:
Black box – a tester with no knowledge of the internal systems attempts to breach security from
the outside, relying on reconnaissance and trial-and-error to find vulnerabilities, much as an
external attacker would.
White box – the tester has full knowledge of the IT architecture and systems, often including
source code and configuration, and uses this to test and analyse any potential weaknesses.
Grey box – the tester has partial knowledge of the systems (for example, ordinary user
credentials) and uses that limited information to find potential vulnerabilities or security holes.
Cyber insurance
Even with robust cybersecurity and the best business continuity plans in place, a cyber breach or
attack may still occur leaving your business liable to pay out-of-pocket for a range of costs and
liabilities including data and system recovery, notification costs, reputational damage and even
legal liabilities.
Both cyber liability and cyber crime insurance cover will help your business offset the costs of
recovery after a cyber-related security breach, loss of data, a ransomware attack or a similar event.
A comprehensive cyber insurance policy will provide financial compensation for the direct costs
incurred, and any liabilities payable to third parties following a cyberattack, a data breach or loss of
data.
Many insurers’ policies also offer significant additional value in terms of Cyber Breach Response
Support which is an invaluable resource when dealing with cyber-attacks.
These services can include crisis containment, PR and reputation management and independent
legal advice. Many policies also offer the services of forensic investigation consultants to identify
the point of entry and extent of potential system damages, recover data wherever possible, and
advise on how to improve vulnerabilities in your current cyber security framework.

What is Cyber Risk?


Cyber risk is the likelihood of suffering negative disruption to sensitive data, finances, or business
operations through online means. Cyber risks are commonly associated with events that could
result in a data breach.
Cyber risks are often discussed alongside, and sometimes confused with, security threats. Examples of the threats that give rise to cyber risk include:
• Ransomware
• Data leaks
• Phishing
• Malware
• Insider threats
• Cyberattacks
There are practical strategies that you can take to reduce your cybersecurity risk.
Though commonly used interchangeably, cyber risks and vulnerabilities are not the same. A
vulnerability is a weakness that can be exploited to gain unauthorized access or cause harm; a
cyber risk is the probability of a vulnerability being exploited, combined with the impact if it is.
Cyber risks are categorized as zero, low, medium, or high. The three factors that drive a risk
assessment are:
• What is the threat?
• How vulnerable is the system?
• What is the reputational or financial damage if it is breached or made unavailable?

UpGuard's risk profile feature categorizes discovered risks by impact factor.


Using this simple methodology, a high-level calculation of cyber risk in an IT infrastructure can be
developed:

Cyber risk = Threat x Vulnerability x Information Value

Imagine you were to assess the risk of a cyber attack compromising a particular operating
system. Version 1.7 of this operating system has a known backdoor that is easily exploitable by
anyone with physical access, and the system stores high-value information. If your office has
no physical security, the risk is high: the threat is present, the system is vulnerable, and the
information value is high.
However, if you have good IT staff who identify the vulnerability and update the operating
system to version 1.8, where the backdoor is patched, the vulnerability factor is low and so is
the resulting risk, even though the information value is unchanged.
A few things to keep in mind: very few things carry zero risk to a business process or
information system, and risk implies uncertainty. If something is guaranteed to happen, it is not a
risk; it is part of general business operations.
Quantifying cyber risk is a function of potential risks, risk tolerance, your specific
cybersecurity threats, and other risk mitigation factors.

What is a Cyber Risk Assessment?


NIST defines cyber risk assessments as risk assessments used to identify, estimate, and
prioritize risk to organizational operations, organizational assets, individuals, other
organizations, and the Nation, resulting from the operation and use of information
systems.
The primary purpose of a cyber risk assessment is to keep stakeholders informed and support
proper responses to identified risks. It also provides an executive summary to help executives
and directors make informed security decisions.

The information security risk assessment process is concerned with answering the following
questions:
• What are our organization's most important information technology assets?
• What type of data breach would have a significant impact on our business, whether from
malware, cyber attack, or human error? Think customer information.
• Can all threat sources be identified?
• What is the level of the potential impact of each identified threat?
• What are the internal and external vulnerabilities?
• What is the impact if those vulnerabilities are exploited?
• What is the likelihood of exploitation?
• What cyber attacks, cyber threats, or security incidents could affect the business's ability to
function?
• What is the level of risk my organization is comfortable taking?
If you can answer those questions, you can decide what is important to protect. This means you can
develop IT security controls and data security strategies for risk remediation. Before you can do
that, though, you need to answer the following questions:
• What is the risk I am reducing?
• Is this the highest priority security risk?
• Am I reducing the risk most cost-effectively?
This will help you understand the information value of the data you are trying to protect and better
understand your information risk management process in the scope of safeguarding business needs.
There are several risk management frameworks available. Your choice depends on your industry,
your risk appetite, and any applicable regulations - like the GDPR. If you’re unsure which security
assessment framework to choose, the NIST Cybersecurity Framework is popular for most general
cybersecurity program requirements.

Why Perform a Cyber Risk Assessment?


There are several reasons you want to perform a cyber risk assessment and a few reasons you need
to. Let's walk through them:
• Reduction of Long-Term Costs - Identifying potential threats and vulnerabilities and then
mitigating them can prevent or reduce security incidents, saving your organization money
and/or reputational damage in the long term.
• Provides a Cybersecurity Risk Assessment Template for Future Assessments - Cyber
risk assessments are not one-off exercises; they need to be updated continually, and a
thorough first pass establishes a repeatable process that survives staff turnover.
• Better Organizational Knowledge - Knowing organizational vulnerabilities gives you a
clear idea of where your organization needs to improve.
• Avoid Data Breaches - Data breaches can have a huge financial and reputational impact on
any organization.
• Avoid Regulatory Issues - Customer data stolen because you failed to comply with
HIPAA, PCI DSS, or APRA CPS 234 brings fines and enforcement action on top of the breach itself.
• Avoid Application Downtime - Internal or customer-facing systems must be available and
functioning for staff and customers to do their jobs.
• Avoid Data Loss - Theft of trade secrets, code, or other critical information assets could mean
you lose business to competitors.
Beyond that, cyber risk assessments are integral to information risk management and any
organization's broader risk management strategy.
Who Should Perform a Cyber Risk Assessment?
Ideally, organizations should have dedicated in-house teams performing risk assessments. This
means having IT staff with an understanding of how your digital and network infrastructure works,
executives who understand how information flows, and any proprietary organizational knowledge
that may be useful during the assessment.
Organizational transparency is key to a thorough cyber risk assessment.
Small businesses may not have the right people in-house to do a thorough job and must outsource
assessment to a third party. Organizations are also turning to cybersecurity software to monitor
their cybersecurity score, prevent breaches, send security questionnaires, and reduce third-party
risk.

How to Perform a Cyber Risk Assessment


We'll start with a high-level overview and drill down into each step in the following sections.
Before you start assessing and mitigating risks, you must understand your data, infrastructure, and
the value of the data you are trying to protect.
You may want to start by auditing your data to answer the following questions:
• What data do we collect?
• How and where are we storing this data?
• How do we protect and document the data?
• How long do we keep data?
• Who has access internally and externally to the data?
• Is the place we are storing the data properly secured? Many breaches come from poorly
configured S3 buckets; check your S3 permissions, or someone else will.
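As an added example of the last check above, not part of the original notes and not AWS's own tooling: an offline review of an S3 bucket policy for statements that grant anonymous access. The policy documents, the bucket name `example-bucket`, the account id and the VPC endpoint id are constructed.

```python
"""Offline check of an S3 bucket policy for anonymous access.

Added example, not part of the original notes and not AWS's own tooling. It
reads a bucket policy document (the JSON that `aws s3api get-bucket-policy`
returns in its "Policy" field) and reports Allow statements whose Principal
is anonymous ("*" or {"AWS": "*"}). The sample policies, bucket name and
VPC endpoint id below are constructed.
"""
import fnmatch
import json

# Actions that let an anonymous principal change or delete data; any of these
# reachable by "*" is worse than public read.
WRITE_ACTIONS = ("s3:PutObject", "s3:DeleteObject", "s3:PutBucketPolicy",
                 "s3:PutBucketAcl", "s3:PutObjectAcl")


def _as_list(value):
    """Policy grammar allows a string or a list in most positions."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal) -> bool:
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def _grants_write(action_patterns) -> bool:
    # IAM action matching is case-insensitive and supports '*' and '?' wildcards.
    return any(fnmatch.fnmatch(w.lower(), p.lower())
               for p in action_patterns for w in WRITE_ACTIONS)


def find_public_statements(policy_json: str) -> list[dict]:
    """Return one finding per Allow statement that an anonymous principal can use."""
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        actions = _as_list(stmt.get("Action"))
        conditional = "Condition" in stmt
        if conditional:
            severity = "review"   # e.g. aws:SourceVpce narrows "*" to one endpoint; confirm by hand
        elif _grants_write(actions):
            severity = "critical"
        else:
            severity = "high"
        findings.append({"sid": stmt.get("Sid", ""), "actions": actions,
                         "resources": _as_list(stmt.get("Resource")),
                         "conditional": conditional, "severity": severity})
    return findings


def assess(policy_json: str) -> str:
    """Worst severity across the policy: critical > high > review > ok."""
    order = {"critical": 3, "high": 2, "review": 1}
    worst = max((order[f["severity"]] for f in find_public_statements(policy_json)), default=0)
    return {3: "critical", 2: "high", 1: "review", 0: "ok"}[worst]


# Constructed sample policies for a bucket named "example-bucket".
PUBLIC_READ = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})

PUBLIC_WRITE = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "Oops", "Effect": "Allow", "Principal": {"AWS": "*"},
    "Action": ["s3:GetObject", "s3:Put*"], "Resource": "arn:aws:s3:::example-bucket/*"}]})

VPC_ONLY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "FromVpcEndpoint", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
    "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0example"}}}]})

PRIVATE = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "AppRoleOnly", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
    "Action": ["s3:GetObject", "s3:PutObject"], "Resource": "arn:aws:s3:::example-bucket/*"}]})

if __name__ == "__main__":
    for name, doc in [("public-read", PUBLIC_READ), ("public-write", PUBLIC_WRITE),
                      ("vpc-only", VPC_ONLY), ("private", PRIVATE)]:
        print(f"{name:<13} {assess(doc)}")
```

Feed it the `Policy` string from `aws s3api get-bucket-policy --bucket NAME`. A bucket policy is only one of the ways a bucket becomes public: bucket and object ACLs can do the same, and the account-level S3 Block Public Access setting is the guardrail that overrides both. The script does not evaluate Deny statements or NotPrincipal, so read "ok" as "nothing obviously public in this policy", not as proof that the bucket is private.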
Next, you'll want to define the parameters of your assessment. Here are a few good primer
questions to get you started:
• What is the purpose of the assessment?
• What is the scope of the assessment?
• Are there any priorities or constraints I should know about that could affect the assessment?
• Who do I need access to in the organization to get all the information I need?
• What risk model does the organization use for risk analysis?
A lot of these questions are self-explanatory. What you want to know is what you'll be analyzing,
who has the expertise to assess them appropriately, and whether there are any regulatory
requirements or budget constraints you need to be aware of.

The 3 Types of Security Controls


Security controls play a foundational role in shaping the actions cyber security professionals
take to protect an organization.
There are three main types of IT security controls: technical, administrative, and physical. The
primary function of a security control can be preventive, detective, corrective, compensating,
or deterrent. Controls also protect people, as is the case with social engineering awareness
training or policies.
The lack of security controls places the confidentiality, integrity, and availability of
information at risk. These risks also extend to the safety of people and assets within an
organization.
What Is A Security Control?
Security controls are countermeasures or safeguards used to reduce the chances that a threat
will exploit a vulnerability.
For example, implementing company-wide security awareness training minimizes the risk
of a social engineering attack on your network, people, and information systems. The act of
reducing risk is also called risk mitigation.
While it’s next to impossible to prevent all threats, mitigation seeks to decrease the risk by
reducing the chances that a threat will exploit a vulnerability.

Risk mitigation is achieved by implementing different types of security controls depending on:

• The goal of the countermeasure or safeguard.


• The level to which the risk needs to be minimized.
• The severity of damage the threat can inflict.
What Are The Goals Of Security Controls?
• The overall purpose of implementing security controls as previously mentioned is to
help reduce risks in an organization.
• In other words, the primary goal of implementing security controls is to prevent or
reduce the impact of a security incident.
• The effective implementation of a security control is based on its classification in
relation to the security incident.

The common classifications types are listed below along with their corresponding description:

• Preventive controls attempt to prevent an incident from occurring.


• Detective controls attempt to detect incidents after they have occurred.
• Corrective controls attempt to reverse the impact of an incident.
• Deterrent controls attempt to discourage individuals from causing an incident.
• Compensating controls are alternative controls used when a primary control is not feasible.

Implementing the controls listed is no trivial matter.


For example, an organization that places a high priority on reducing risk usually has a risk
profile, which illustrates the potential cost of a negatively impacting risk and the human
resources required to implement the control(s).
Layering Security Controls
Layering is an approach that combines multiple security controls to develop what’s called
a defense-in-depth strategy.
Defense-in-depth is a common security strategy used whereby multiple layers of controls are
implemented.

By combining controls into multiple layers of security you ensure that if one layer fails to
counteract a threat that other layers will help to prevent a breach in your systems.
Each layer of security works to counteract specific threats, which requires cyber security
programs to invest in multiple technologies and processes to prevent systems or people from
being compromised.
For example, endpoint protection and endpoint detection and response (EDR) solutions are
effective at detecting and blocking viruses and malware on computers and servers.
However, an endpoint agent is not equipped to collect and correlate logs from across the
network like a SIEM, or to block an attack in transit in real time like an IPS.
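As an added example of a detective control of the SIEM kind just described, not part of the original notes and not any vendor's rule syntax: a correlation rule run over sshd log lines that flags a brute-force run and escalates when a login succeeds from the same source address afterwards. The log lines are constructed; the addresses come from the RFC 5737 documentation ranges.

```python
"""Detective control: SIEM-style brute-force rule over SSH auth logs.

Added example, not part of the original notes and not the rule syntax of any
particular SIEM product. It parses syslog-style sshd lines, keeps a sliding
window of failed logins per source address, raises an alert when the count in
the window reaches a threshold, and escalates if a successful login follows
from the same address. The log lines are constructed (addresses come from
the RFC 5737 documentation ranges).
"""
import re
from collections import defaultdict, deque
from datetime import datetime

LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)


def parse_line(line: str):
    """Return a dict for an sshd password-auth event, or None for any other line."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.strptime(m["ts"], "%b %d %H:%M:%S"),
            "result": m["result"], "user": m["user"], "ip": m["ip"]}


def detect_bruteforce(lines, threshold: int = 5, window_seconds: int = 60) -> list[dict]:
    """One alert per source ip whose failures reach `threshold` within `window_seconds`.

    A success from an already-alerted ip marks the alert success_after=True:
    that is the case a responder must treat as a probable compromise, not noise.
    """
    recent = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    alerts: dict[str, dict] = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        ip = ev["ip"]
        if ev["result"] == "Failed":
            q = recent[ip]
            q.append(ev["ts"])
            while (ev["ts"] - q[0]).total_seconds() > window_seconds:
                q.popleft()
            if len(q) >= threshold and ip not in alerts:
                alerts[ip] = {"src": ip, "failures": len(q),
                              "window_start": q[0], "window_end": ev["ts"],
                              "success_after": False, "user": None}
        elif ip in alerts:
            alerts[ip]["success_after"] = True
            alerts[ip]["user"] = ev["user"]
    return list(alerts.values())


# Constructed sample log: one brute-force run that ends in a successful login,
# one user who mistypes a password once, one slow scanner that stays under the rate.
SAMPLE_LOG = [
    "Jan 12 10:15:01 bastion sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51000 ssh2",
    "Jan 12 10:15:03 bastion sshd[2102]: Failed password for invalid user admin from 203.0.113.5 port 51001 ssh2",
    "Jan 12 10:15:05 bastion sshd[2103]: Failed password for root from 203.0.113.5 port 51002 ssh2",
    "Jan 12 10:15:07 bastion sshd[2104]: Failed password for root from 203.0.113.5 port 51003 ssh2",
    "Jan 12 10:15:09 bastion sshd[2105]: Failed password for deploy from 203.0.113.5 port 51004 ssh2",
    "Jan 12 10:15:11 bastion sshd[2106]: Failed password for deploy from 203.0.113.5 port 51005 ssh2",
    "Jan 12 10:15:20 bastion sshd[2107]: Accepted password for deploy from 203.0.113.5 port 51006 ssh2",
    "Jan 12 10:16:00 bastion sshd[2150]: Failed password for alice from 198.51.100.7 port 40000 ssh2",
    "Jan 12 10:16:30 bastion sshd[2151]: Accepted password for alice from 198.51.100.7 port 40001 ssh2",
    "Jan 12 10:17:00 bastion CRON[2200]: pam_unix(cron:session): session opened for user root",
    "Jan 12 10:20:00 bastion sshd[2301]: Failed password for root from 192.0.2.9 port 33000 ssh2",
    "Jan 12 10:22:00 bastion sshd[2302]: Failed password for root from 192.0.2.9 port 33001 ssh2",
    "Jan 12 10:24:00 bastion sshd[2303]: Failed password for root from 192.0.2.9 port 33002 ssh2",
    "Jan 12 10:26:00 bastion sshd[2304]: Failed password for root from 192.0.2.9 port 33003 ssh2",
    "Jan 12 10:28:00 bastion sshd[2305]: Failed password for root from 192.0.2.9 port 33004 ssh2",
]

if __name__ == "__main__":
    for a in detect_bruteforce(SAMPLE_LOG):
        print(f"{a['src']}: {a['failures']} failures in window, "
              f"success_after={a['success_after']} user={a['user']}")
```

The threshold and the window are the tunable parts, and they are where a detective control earns or loses its keep: the slow scanner in the sample stays under a 60-second window but is caught when the window is widened to ten minutes, at the cost of more alerts on legitimate users who keep mistyping. That trade-off between missed detections and false positives is inherent to every rule of this kind, which is why the notes pair detective controls with preventive ones rather than relying on either alone.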

Understanding The Basics Of Risks & Threats

Before we dive into control types, it’s important to first understand the cyber risks and
threats they help to mitigate.
Risks
Risks in cyber security are the likelihood that a threat will exploit a vulnerability, resulting in
a loss. Losses can take the form of lost information, financial loss, damage to reputation, and even
harm to customer trust.
Threats
Threats are any event with the potential to compromise the confidentiality, integrity, and
availability (CIA) of information.
Threats come from outside an organization and from anywhere in the world connected to the
internet. Insiders such as a disgruntled employee with too much access, or a malicious insider
also pose a threat to businesses.
Note, insider threats are not always malicious. For example, an employee clicking on a
phishing email that installs malware does not mean the employee intended to cause harm.
Finally, threats may also take the form of a natural disaster or be a manmade risk such as a
new malware variant.

Vulnerabilities
Vulnerabilities are a weakness or flaw in the software, hardware, or organizational processes,
which when compromised by a threat, can result in a security incident.

Security Incidents
Security incidents are an occurrence that actually or potentially jeopardizes the
confidentiality, integrity, or availability of an information system or the information the
system processes, stores, or transmits or that constitutes a violation or imminent threat of
violation of security policies, security procedures, or acceptable use policies.
Now that we have a better understanding of basic risk concepts let’s explore how security
controls are implemented.

Technical Security Controls


At the most basic level, technical controls, also known as logic controls, use technology to
reduce vulnerabilities in hardware and software. Automated software tools are installed and
configured to protect these assets.

Examples of technical controls include:


• Encryption
• Antivirus And Anti-Malware Software
• Firewalls
• Security Information And Event Management (SIEM)
• Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS)
Technical Control Types And Implementation Methods
Below are two common examples of technical control types:
• Access Control Lists (ACL) – Network traffic filters that can control incoming or outgoing
traffic. ACLs are common in routers or firewalls, but they can also be configured in any
device that runs in the network, from hosts, network devices, and servers.
• Configuration Rules – Instructional codes that guide the execution of the system when
information is passing through it. Network equipment vendors have proprietary
configuration rules that manage the operation of their ACL objects.

Administrative Security Controls


Administrative security controls refer to policies, procedures, or guidelines that define
personnel or business practices in accordance with the organization’s security goals.
Many organizations today implement some type of onboarding process to introduce you to
the company and provide you with a history of the organization.
During the onboarding process, you may be instructed to review and acknowledge the
security policy of the organization.
By acknowledging that you have read the policies of the organization as a new hire, you are
then accountable to adhere to the corporate policy of the organization.
In order to implement the administrative controls, additional security controls are necessary
for continuous monitoring and enforcement.
The processes that monitor and enforce the administrative controls are:
• Management controls: The security controls that focus on the management of risk and the
management of information system security.
• Operational controls: The security controls that are primarily implemented and executed by
people (as opposed to systems).

For example, a security policy is a management control, but its security requirements are
implemented by people (operational controls) and systems (technical controls).

An organization may have an acceptable use policy that specifies the conduct of users,
including not visiting malicious websites. The security control to monitor and enforce could
be in the form of a web content filter, which can enforce the policy and log simultaneously.

The remediation of a phishing attack is another example that employs a combination of
management and operational controls.

Security controls to help thwart phishing, besides the management control of the acceptable
use policy itself, include operational controls, such as training users not to fall for phishing
scams, and technical controls that monitor emails and web site usage for signs of phishing
activity.

Physical Security Controls


Physical controls are the implementation of security measures in a defined structure used to
deter or prevent unauthorized access to sensitive material.

Examples of physical controls are:


• Closed-circuit surveillance cameras
• Motion or thermal alarm systems
• Security guards
• Picture IDs
• Locked and dead-bolted steel doors
• Biometrics (includes fingerprint, voice, face, iris, handwriting, and other automated methods
used to recognize individuals)

Preventative Controls
Examples of preventative controls include:

• Hardening
• Security Awareness Training
• Security Guards
• Change Management
• Account Disablement Policy
Hardening
Hardening is the process of reducing security exposure and tightening security controls.

Security Awareness Training


The process of providing formal cybersecurity education to your workforce about a variety of
information security threats and your company’s policies and procedures for addressing
them.

Security Guards
A person employed by a public or private party to protect an organization’s assets. Security
guards are frequently positioned as the first line of defense for businesses against external
threats, intrusion and vulnerabilities to the property and its dwellers.

Change Management
The methods and manners in which a company describes and implements change within both
its internal and external processes. This includes preparing and supporting employees,
establishing the necessary steps for change, and monitoring pre- and post-change activities to
ensure successful implementation.

Account Disablement Policy


A policy that defines what to do with user access accounts for employees who leave
voluntarily, are terminated immediately, or go on a leave of absence.

Detective Controls
Examples of detective controls include:

• Log Monitoring
• SIEM
• Trend Analysis
• Security Audits
• Video Surveillance
• Motion Detection
Log Monitoring
Log monitoring is a diagnostic method used to analyze real-time events or stored data to
ensure application availability and to assess the impact of a change in state on an
application’s performance.
SIEM
Security Information and Event Management (SIEM) is a set of tools and services offering a
holistic view of an organization’s information security by collecting and analyzing operational
logs from various systems.

Trend Analysis
The practice of gathering information and attempting to identify a pattern in the information
gathered from an application’s log output. The output of the trend analysis is usually in a
graph or table form.
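The following is an added example, not code from the original article, of what log monitoring, SIEM correlation and trend analysis look like when written down: a sliding-window failed-login rule and an hourly trend count run over a handful of constructed sshd log lines. The hostname, the addresses (from the documentation ranges) and the exact log format are all constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample sshd log lines (syslog-like, ISO timestamps); not taken from a real host.
SAMPLE_LOG = """\
2024-01-15T09:00:01 bastion sshd[1201]: Accepted publickey for alice from 10.0.0.5 port 52110 ssh2
2024-01-15T09:00:10 bastion sshd[1202]: Failed password for root from 203.0.113.7 port 40001 ssh2
2024-01-15T09:00:25 bastion sshd[1203]: Failed password for root from 203.0.113.7 port 40002 ssh2
2024-01-15T09:00:40 bastion sshd[1204]: Failed password for invalid user admin from 203.0.113.7 port 40003 ssh2
2024-01-15T09:00:55 bastion sshd[1205]: Failed password for invalid user admin from 203.0.113.7 port 40004 ssh2
2024-01-15T09:01:02 bastion sshd[1206]: Failed password for bob from 198.51.100.4 port 51000 ssh2
2024-01-15T09:01:10 bastion sshd[1207]: Failed password for root from 203.0.113.7 port 40005 ssh2
2024-01-15T09:01:25 bastion sshd[1208]: Failed password for root from 203.0.113.7 port 40006 ssh2
2024-01-15T09:40:00 bastion sshd[1300]: Failed password for bob from 198.51.100.4 port 51001 ssh2
2024-01-15T10:05:00 bastion sshd[1400]: Accepted password for bob from 198.51.100.4 port 51002 ssh2
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<msg>.*)$")
FAIL_RE = re.compile(r"^Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)")


def parse_failures(lines):
    """Yield (timestamp, source_ip, user) for each failed-login line; skip everything else."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        f = FAIL_RE.match(m["msg"])
        if not f:
            continue
        yield datetime.fromisoformat(m["ts"]), f["ip"], f["user"]


def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=2)):
    """Sliding-window detection rule: alert once per source address when
    `threshold` failed logins from it fall inside `window`."""
    recent = defaultdict(deque)      # source ip -> timestamps of recent failures
    alerts, alerted = [], set()
    for ts, ip, _user in parse_failures(lines):
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold and ip not in alerted:
            alerted.add(ip)
            alerts.append({"source": ip, "first_seen": q[0].isoformat(),
                           "at": ts.isoformat(), "failures": len(q)})
    return alerts


def failures_per_hour(lines):
    """Trend view: failed logins per hour bucket, the series a SIEM dashboard would chart."""
    counts = defaultdict(int)
    for ts, _ip, _user in parse_failures(lines):
        counts[ts.strftime("%Y-%m-%dT%H")] += 1
    return dict(counts)


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print("ALERT", alert)
    print("failures per hour:", failures_per_hour(SAMPLE_LOG.splitlines()))
```

The rule fires on the fifth failure from 203.0.113.7 within the window and stays quiet for 198.51.100.4, whose two failures are forty minutes apart; the hourly count is the raw material for the trend analysis described above.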

Security Audit
A measurement that focuses on cyber security standards, guidelines, and procedures, as well
as the implementation of these controls. The security audit is usually conducted by trained
third-party entities, or by internal resources in preparation for an external audit.

Video Surveillance
A system that is capable of capturing digital images and videos that can be compressed,
stored or sent over communication networks for onsite or remote monitoring.
Motion Detection
A device that utilizes a sensor to detect nearby motion. Such a device is often integrated as a
component of a surveillance system that automatically performs a task or alerts a monitoring
analyst of detected movement.

Corrective Controls
Examples of corrective controls include:
• IPS
• Backups And System Recovery

IPS
A network security technology that monitors network traffic to detect anomalies in traffic
flow. IPS security systems intercept network traffic and can quickly prevent malicious
activity by dropping packets or resetting connections.

Backups and System Recovery


Backups and system recovery is the process of creating and storing copies of data that can be
used to protect organizations against data loss.
Deterrent Controls
Deterrent controls reduce the likelihood of a deliberate attack and are usually in the form of a
tangible object or person.
Examples of deterrent controls include:

• Cable Locks
• Hardware Locks
• Video surveillance & guards

What’s The Difference Between Preventative And Detective Controls?

A preventive control is designed to be implemented prior to a threat event and reduce and/or
avoid the likelihood and potential impact of a successful threat event.

A detective control is designed to detect errors and locate attacks against information systems
that have already occurred.
The routine analysis of the detective control output provides input to further enhance the
preventative control. The goal of continuous analysis is to prevent errors and irregularities
from occurring in the first place.

Compensating Controls
An alternative method that is put in place to satisfy the requirement for a security measure
that cannot be readily implemented at present, whether for financial or infrastructure reasons
or simply because it is impractical to implement at this time.

The compensating control should meet the following criteria:

• Meet the intent of the original control requirement
• Provide a similar level of assurance

Examples of compensating controls include:

• Time-based One-Time Password (TOTP) – A temporary passcode generated by an algorithm
that uses the current time of day as one of its authentication factors. Providing a new hire
with a TOTP until authentication is fully delivered is an example of a compensating control.
• Encryption – Database security applications, e-mail encryption and other tools. An
organization cannot encrypt all electronic data in a PCI assessment. To compensate, they may
use other existing tools to implement encryption.

Performing A Security Control Assessment

A Security Control Assessment is a critical component to measure the state and performance
of an organization’s security controls.

Note the following definition of the Security Control Assessment:

The testing and/or evaluation of the management, operational, and technical security controls
in an information system to determine the extent to which the controls are implemented
correctly, operating as intended, and producing the desired outcome with respect to meeting
the security requirements for the system.

Testing of security controls is a critical component of the overall governance of an
organization’s Information Security Management System.

Depending upon the organization type, regulatory requirements mandate consistent and
continuous assessments, whereas, non-public organizations are not held to regulatory
requirements.

Today, monitoring security controls is not only best practice but a necessary requirement in
order to keep systems secure and to avoid becoming target practice for hackers looking to
penetrate any network that has weak security at the perimeter and internally.

Common Security Assessments


Examples of security assessments include:

• Risk Assessment
• Vulnerability Assessment
• Penetration Testing

Security Risk Assessments

A security risk assessment involves many steps and forms the backbone of your overall risk
management plan.

Risk assessments are important because they are used to identify assets or areas that present
the highest risk, vulnerability, or exposure to the enterprise. It then identifies the risks that
could affect those assets.

Vulnerability Assessments
A vulnerability assessment refers to the process of identifying risks and vulnerabilities in
computer networks, systems, hardware, applications, and other parts of the IT ecosystem.
Vulnerability assessments are a critical component of the vulnerability management lifecycle,
helping protect systems and data from unauthorized access and data breaches.
Vulnerability assessments typically leverage tools like vulnerability scanners to identify
threats and flaws within an organization’s IT infrastructure that represent potential
vulnerabilities or risk exposures.
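Added example (not from the article): the matching step a vulnerability scanner performs once it has collected an inventory of product versions. The hosts, product names and advisory identifiers below are constructed placeholders, not real software or real advisories; the point is the version comparison, which has to be numeric rather than lexical so that 2.4.10 is recognised as newer than 2.4.3.

```python
import re

# Constructed inventory: (host, product, version) as read from service banners or package lists.
INVENTORY = [
    ("web-01", "exampled", "2.4.1"),
    ("web-02", "exampled", "2.4.10"),
    ("db-01", "sampledb", "13.2"),
    ("db-02", "sampledb", "12.9"),
]

# Constructed advisory feed with placeholder ids; a real scanner loads vendor or NVD feeds instead.
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-001", "product": "exampled", "fixed_in": "2.4.3", "severity": "high"},
    {"id": "ADV-PLACEHOLDER-002", "product": "sampledb", "fixed_in": "13.0", "severity": "medium"},
]


def parse_version(s):
    """'2.4.10' -> (2, 4, 10): compare numerically, because as strings '2.4.10' < '2.4.3'."""
    return tuple(int(p) for p in re.findall(r"\d+", s))


def is_affected(version, fixed_in):
    """A host is affected when its version is older than the release that fixed the flaw.
    Tuples of unequal length are padded with zeros so that 2.4 equals 2.4.0."""
    v, f = parse_version(version), parse_version(fixed_in)
    n = max(len(v), len(f))
    v += (0,) * (n - len(v))
    f += (0,) * (n - len(f))
    return v < f


def assess(inventory, advisories):
    """Match every inventory entry against every advisory for the same product and return
    findings ordered by severity, then host: the raw material of a vulnerability report."""
    rank = {"critical": 0, "high": 1, "medium": 2, "low": 3}
    findings = []
    for host, product, version in inventory:
        for adv in advisories:
            if adv["product"] == product and is_affected(version, adv["fixed_in"]):
                findings.append({"host": host, "product": product, "version": version,
                                 "advisory": adv["id"], "severity": adv["severity"],
                                 "fixed_in": adv["fixed_in"]})
    findings.sort(key=lambda f: (rank[f["severity"]], f["host"]))
    return findings


if __name__ == "__main__":
    for f in assess(INVENTORY, ADVISORIES):
        print(f"{f['severity']:8} {f['host']:8} {f['product']} {f['version']} "
              f"-> upgrade to {f['fixed_in']} ({f['advisory']})")
```

With the constructed data only web-01 and db-02 are reported; web-02 on 2.4.10 is correctly treated as already patched, which a naive string comparison would get wrong.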
Penetration Testing

Penetration testing is a method for testing a web application, network, or computer system to
identify security vulnerabilities that could be exploited.
The primary objective of security as a whole is to prevent unauthorized parties from
accessing, changing, or exploiting a network or system; a penetration test serves that objective by
attempting what a bad actor would do.
The main reason penetration tests are crucial to an organization’s security is that they help
personnel learn how to handle any type of break-in from a malicious entity.
Pen tests serve as a way to examine whether an organization’s security policies are genuinely
effective. They serve as a type of fire drill for organizations.
Penetration tests can also provide solutions that will help organizations to not only prevent
and detect attackers but also to expel such an intruder from their system in an efficient way.

Conclusion
In this article, we have examined the three basic security controls – technical, administrative,
and physical.
Various critical sub-controls were also reviewed – deterrent, corrective, and
compensating.

Although it is important for security professionals to understand the definition of the
controls, they must also recognize that the ultimate goal of implementing the controls is to
strengthen their organization’s defenses in order to reduce risk.
Information security must be treated as a program which requires continuous monitoring in
order to defend and protect its most valuable assets.

Remain vigilant by incorporating the controls listed in this article, and you will be equipped
to support and contribute to the success of your organization’s risk management program.
Introduction to Cyber Security
Cybersecurity is a fast-growing industry in this era, where the main aim is to reduce cyberattacks.
Cybersecurity professionals are responsible for protecting IT infrastructure and controlling devices,
networks, and data. So what is cybersecurity? Why is it so important? What are the effective
controls used to oppose cyberattacks? Let us learn in detail in this article.
Cybersecurity is a technique that protects internet-connected systems such as computers, servers,
mobile devices, and networks from malicious activity. Cyber refers to technology that includes
networks, programmes, systems, and data. And security refers to safeguarding all the above-
mentioned cyber assets.
Cybersecurity is also called electronic information security or information technology security.

Types of Cyber Security


Every organization wants to have an advantage when it comes to securing the systems and
information. So the systems should contain strong security features that should keep the
organization's data secure.
Therefore, cyber security provides the following domains:

• Network security: It implements hardware and software devices in a system to secure its computer
network from unauthorised entry, intruders, attacks, disruption, and misuse. Network security helps
an organization protect its data from internal and external threats.
• Application security: It protects software and devices from unwanted threats. This security
function can be used frequently by updating the apps and ensuring they are free from attacks.
Effective security begins in the design stage, with the writing of source code, verification, threat
modeling, etc. before deploying the program or a device.
• Information or data security: implementation of a strong data protection mechanism to maintain the
integrity and privacy of data, both in storage and in transit (i.e., while being transmitted).
• Identity management: It determines the level of access that each individual has within an
organization.
• Operational Security: This cyber security type covers the processes and decisions for handling data
and securing resources.
• Mobile security: It secures the regular incoming and personal data stored on mobile devices.
• Cloud security: It protects the information stored in a digital environment or data in the cloud for
the organization. Cloud security relies on service providers such as AWS, Azure, Google,
etc., to verify security against multiple threats.
• Disaster Recovery and Business Continuity Planning: It reviews the monitoring process, alerts,
and plans of an organization responding to any malicious activity causing loss of data or operations.
This security deals with policies that instruct to resume lost operations after any disaster takes place
to the same operating capacity as before the event.
The above-discussed types are essential to bringing cyber security to life.

Why is Cyber Security Important?


We live in a digital era where all of our lives revolve around the computer and other electronic
devices. All of the critical infrastructures like a banking system, healthcare, financial institutions,
governments, and manufacturing industries use internet-connected devices, to perform core
operations.
Some of their important information, such as intellectual property, financial data, and personal data,
can be sensitive. To protect that data from intruders and threat actors who would want financial
gain, cyber security is implemented.
Cyber-attacks have now become an international concern because hacking and other security
attacks endanger the global economy. Hence, it is important to have an excellent cyber security
strategy to protect sensitive information from high-profile security breaches.
Governments around the world are paying more attention to cybercrimes. GDPR, i.e. the General
Data Protection Regulation, is the best example of how changes are made in cyber security.
Cybersecurity contains essential security goals, which makes it more effective. Let us learn about
cyber security goals in the following sections.

Cyber Security Goals


The main objective of cyber security is to ensure data protection. Cyber security offers three related
principles to protect data from breaches; the principle is called the CIA triad. CIA can be broken
into three parts,
• Confidentiality: It gives access only to authorized users; unauthorized users are blocked. An
example of this is data encryption.
• Integrity: This principle makes sure that the data is authentic, accurate, and safeguarded from
unauthorized modification or accidental user modification.
• Availability: Information will be made available only to authorized users. It ensures that
malfunctions and cyberattacks are blocked to secure the system.
To secure data from malicious activities Cybersecurity contains essential controls, let us know in
the following what it has to offer in detail.

What is Cyber Security Control?


The controls are created to ensure the CIA triad i.e. confidentiality, integrity, and availability of an
organization’s information and technology assets. And controls revolve around four essentials of
people, technology, processes, and strategy.
Cyber security control is a mechanism that is used to prevent, detect and reduce cyber-attacks and
threats. Cyber security controls are every organization's need, as it is used to manage the security
program of a company/organization.
Cyber security is the top priority of organizations, where they determine what control they need.
Here are some of the effective smaller controls used by every organization,
Update OS: when a threat or intrusion is found in the software, the technical staff work on it
and provide an updated version of the software. Keeping the system updated helps control
the threats, and security features get better.
Granted applications: meaning that a computer is configured to run only applications that are
permitted by the organization. This control is hard to manage, but if it is done, there will be no
cyber-attacks or data breaches taking place.
Reinforce system’s security: be aware of the programmable settings in the OS (operating
system) and applications, and make sure they are configured for security. It is also recommended
to regularly uninstall parts of the OS that will never be used.
Implement multi-factor authentication: adding two-step verification helps keep your data
secure. The best example is Gmail, where you can set two-step verification so that no one can
get into your mail details.
Need for Cyber Security Controls
All systems contain weaknesses where some might be simple and some are complex. If a cyber
attacker gets to know about the weak points in the system they will try to exploit it. Measures taken
by an organization to stop these threats are known as security control.
Cyber security controls are the countermeasures taken up to reduce the chances of a data breach or
system attack. The essential and tough work to do in cyber security is to select the right control, but
most organizations do it wrong.
Cyber threats are automated and deliberately aimed by cyber attackers. The attacks can take the
form of malware, formjacking, cryptojacking, Domain Name System attacks, and various other ways
of trying to get into the system. It is a challenge to face all of these; cyber security controls
help to mitigate most of the threats. Reducing the threats is always a need, and errors that happen
in the system can be controlled using essential cyber controls like,
• Applying antivirus solutions.
• Emphasize employee training and awareness
• Maintain secure portable devices
• Securely encrypt and backup data
Controls in cyber security contain different classes that split up the types of controls, which are
considered based on their importance and classification.

Types of Cyber Security Controls


The essential cyber security controls are divided into three types: technical, administrative, and
physical. The main goal of implementing a security control may be preventative, detective, corrective,
compensating, or deterrent. Let us understand each of them in the following,

Technical Controls
Technical controls, also known as logical controls, use technology to reduce attacks on both
hardware and software; automated software tools are installed to protect the system.
Examples of technical controls that are used to protect the system are as follows,
• Encryption
• Antivirus and anti-malware software
• Firewalls
• Security information and event management (SIEM)
• Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS)
Technical control is implemented using two methods,
Access Control Lists (ACL): ACL is a network traffic filter that controls incoming and outgoing
traffic. They are commonly used in routers or firewalls, but they can also be programmed in any
device that runs on the network, from hosts to servers.
Configuration Rules: It is a set of instructional codes used to guide the execution of the system
when information is passed through it.
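Added example, not code from the article, covering both ACL passages in this unit (the technical-control examples in the first article and the two implementation methods here). It evaluates a small constructed ACL the way a router or firewall does, first match wins with an implicit deny at the end, and then audits the rule set for shadowed rules, the configuration-rule defect a reviewer most often finds. The rule syntax is a constructed, vendor-neutral one; the addresses are constructed private/documentation values.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

ANY_NET = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    action: str                       # "permit" or "deny"
    proto: str                        # "tcp", "udp", "icmp" or "any"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None       # None matches any destination port


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def parse_rule(line: str) -> Rule:
    """Parse 'permit tcp 10.0.0.0/8 192.168.1.10/32 443' (constructed syntax, not a vendor's)."""
    parts = line.split()
    if len(parts) not in (4, 5):
        raise ValueError(f"malformed rule: {line!r}")
    action, proto, src, dst = parts[:4]
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action in rule: {line!r}")

    def net(s: str) -> ipaddress.IPv4Network:
        return ANY_NET if s == "any" else ipaddress.ip_network(s, strict=False)

    dport = int(parts[4]) if len(parts) == 5 else None
    return Rule(action, proto, net(src), net(dst), dport)


def load_acl(text: str) -> List[Rule]:
    """Read one rule per line; blank lines and '#' comments are ignored."""
    return [parse_rule(l) for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]


def evaluate(acl: List[Rule], pkt: Packet) -> str:
    """Top-to-bottom, first match wins; no match means the implicit deny at the end of the list."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for rule in acl:
        if rule.proto not in ("any", pkt.proto):
            continue
        if src not in rule.src or dst not in rule.dst:
            continue
        if rule.dport is not None and rule.dport != pkt.dport:
            continue
        return rule.action
    return "deny"


def shadowed_rules(acl: List[Rule]) -> List[int]:
    """Indices of rules that can never match because an earlier rule already covers every
    packet they would match. Ordering is what makes an ACL correct, so this is a standard check."""
    out = []
    for j, later in enumerate(acl):
        for earlier in acl[:j]:
            if (earlier.proto in ("any", later.proto)
                    and later.src.subnet_of(earlier.src)
                    and later.dst.subnet_of(earlier.dst)
                    and earlier.dport in (None, later.dport)):
                out.append(j)
                break
    return out


# Constructed ACL: block one misbehaving host, allow HTTPS to a web server and DNS to a resolver.
SAMPLE_ACL = load_acl("""
# host the SOC asked to block (constructed address); it must come before the permits
deny   tcp 10.9.9.9/32   any
permit tcp 10.0.0.0/8    192.168.1.10/32 443
permit udp 10.0.0.0/8    192.168.1.53/32 53
# shadowed: the HTTPS permit above already covers this narrower case
permit tcp 10.1.0.0/16   192.168.1.10/32 443
""")

if __name__ == "__main__":
    for pkt in (Packet("tcp", "10.1.2.3", "192.168.1.10", 443),
                Packet("tcp", "10.9.9.9", "192.168.1.10", 443),
                Packet("tcp", "10.1.2.3", "192.168.1.10", 22)):
        print(pkt, "->", evaluate(SAMPLE_ACL, pkt))
    print("shadowed rule indices:", shadowed_rules(SAMPLE_ACL))
```

Swapping the first two rules would let the blocked host through on port 443, which is why ACL review concentrates on order as much as on the individual entries.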
Administrative controls: Administrative security controls refer to policies, procedures, and
guidelines that define personnel roles or business practices in accordance with an organisation’s
security goals.
To implement administrative controls, additional security controls are necessary for monitoring and
enforcement. The controls used to monitor and enforce them are as follows,
Management controls: This control is used to mainly focus on risk management and information
security management.
Operational controls: The security controls that are primarily implemented and executed by
people rather than systems; they support the technical and managerial controls.
Physical controls: Physical security controls in cyber security are security measures implemented
in a defined structure. They are used to deter or prevent unauthorized access to sensitive
data.
Examples of physical controls are as follows:
• Closed-circuit surveillance cameras
• Motion or thermal alarm systems
• Security guards and picture IDs
• Locked and dead-bolted steel doors
• Biometrics

Preventative controls
These controls are used to prevent loss or errors. Examples of preventative controls are as follows,
• Hardening: It’s a process of reducing attacks and tightening security controls.
• Security awareness training: is the process of providing formal cyber security education to
employees and stakeholders about security threats and the organization's policies and procedures.
• Change management: Measures taken by an organization to describe and implement changes both
internally and externally in the system that include preparing and supporting employees to take the
necessary steps for change.
• Account disable policy: This policy will disable the account when an employee leaves the
organization.

Detective controls
The term comes from accounting, where internal controls are used to find errors within the
organization. Examples of detective controls are as follows:
• Log monitoring – analyzing real-time data.
• SIEM- A set of tools and services are offered to analyze various system operational logs.
• Trend Analysis – Identifying the pattern from an application’s log output, to gather relevant
information.
• Security Audits- set of measures that focus on cyber security standards and guidelines.
• Video Surveillance - Digital images and videos that are sent over communication networks are
monitored.
• Motion Detection – Sensors are attached to detect nearby motions.

Corrective controls
After a system malfunction, corrective controls are used to make the system more effective to use.
Examples of corrective controls include,
• IPS: detection of anomalies in traffic flow to quickly prevent malicious activity.
• Backups and system recovery: the process of creating and storing data copies that can be used as
backups when data is lost.

Deterrent controls
Deterrent controls are used to reduce deliberate attacks, which are usually in the form of a tangible
object or person. Examples of deterrent controls include
• Cable locks
• Hardware locks
• Video surveillance and guards

Compensating controls
Compensating control is an alternative method that is used to satisfy a security requirement
when the intended security measure can’t be implemented, for financial reasons or simply
because it is impractical at the time.
Example of a compensating control:
Time-based OTP: one of the best examples of a compensating control is the time-based one-time
password, where a code is generated by an algorithm that uses the current time of day as one of
its authentication factors.

What is a Cyber Security Audit?


Overview
A cyber security audit is a comprehensive evaluation of an organization's security posture,
processes, and policies to identify vulnerabilities and ensure compliance with industry standards
and regulations. It helps organizations identify and address any weaknesses in their security
defenses and improve their overall security posture.
Introduction
A cyber security audit is an assessment of an organization's security posture and processes to
identify vulnerabilities and ensure compliance with industry standards and regulations. It helps
organizations identify and address any weaknesses in their security defenses, improve their overall
security posture, and demonstrate their commitment to protecting sensitive data. Cybersecurity
audits can be conducted internally or by an independent third-party auditor, and they typically cover
areas such as network security, access control, incident management, and compliance with relevant
regulations. With the increasing sophistication of cyber threats, organizations need to conduct
regular cyber security audits to protect their sensitive data and maintain the integrity of their
systems.
What is a Cyber Security Audit?
A cybersecurity audit is a comprehensive evaluation of an organization’s cybersecurity posture.
The purpose of the audit is to identify any vulnerabilities or risks that could compromise the
integrity of the organization’s data and systems. The audit process involves a thorough examination
of the organization’s technology infrastructure, policies, and procedures to determine if they align
with industry best practices and regulatory requirements.
The audit process typically includes a review of the organization’s network architecture, software
and hardware configurations, access controls, and incident response plan. It also includes a review
of the organization’s policies and procedures for data management, incident response, and
employee awareness training. This information is used to identify potential vulnerabilities, assess
the effectiveness of existing security controls, and recommend improvements to the organization’s
cybersecurity posture.
Certain industries are bound by regulations that require them to comply with specific standards to
protect sensitive information. These standards include the EU General Data Protection
Regulation (GDPR), California Consumer Privacy Act (CCPA), Payment Card Industry Data
Security Standard (PCI DSS), Health Insurance Portability and Accountability Act (HIPAA),
and ISO 27001. To ensure compliance with these regulations, organizations will need to engage
with an external auditor who will conduct an audit to verify compliance and issue a certification.
The choice of which type of audit to conduct depends on the organization’s specific needs and
resources. Internal IT staff can conduct a self-assessment audit, which is a good way to identify
vulnerabilities within the organization. However, an external cyber security audit conducted by a
third-party consultant can provide an unbiased assessment of the organization’s cybersecurity
posture and can provide valuable insights into industry best practices.
For example, if your organization handles payment card data and is subject to the PCI DSS, you
will need to hire an external auditor who is certified by the Payment Card Industry Security
Standards Council (PCI SSC) to conduct a PCI DSS compliance audit. The auditor will review
your organization’s compliance with the standard and issue a report that verifies compliance. This
report is required to be submitted to the payment card brands (such as Visa, Mastercard, etc.) on an
annual basis.
Similarly, if your organization is subject to the GDPR, you will need to hire an external auditor
who is certified by the relevant accreditation body to conduct a GDPR compliance audit. This
cybersecurity audit will assess the organization’s compliance with the regulation and provide a
report that verifies compliance.
It’s important to note that compliance with these regulations is not optional and non-compliance
can result in hefty fines and penalties, reputation damage, and potential lawsuits. Therefore,
organizations must take compliance seriously and regularly conduct cybersecurity audits to verify
compliance and identify any potential vulnerabilities or non-compliant areas that need to be
addressed.
What does a Cybersecurity Audit Cover?
The audit process involves a thorough examination of the organization’s technology infrastructure,
policies, and procedures to determine if they align with industry best practices and regulatory
requirements.
One of the key components of a cybersecurity audit is an assessment of the organization’s network
architecture. This includes a review of the organization’s network topology, firewall configurations,
and network segmentation. The auditor will also review the organization’s router and switch
configurations, as well as any virtual private networks (VPNs) that are in place. This component of
the audit is intended to identify any vulnerabilities that could be exploited by an attacker to gain
unauthorized access to the organization’s network.
Another component of a cybersecurity audit is a review of the organization’s software and hardware
configurations, covering operating systems, applications, and servers. The auditor will also review the
organization’s patch management procedures to confirm that systems receive the latest security patches
within a defined window, and that exceptions are tracked rather than forgotten. This component of the
audit is intended to identify vulnerabilities that an attacker could exploit to gain unauthorized access
to the organization’s systems.
A key component of a cybersecurity audit is a review of the organization’s access controls: user
authentication and authorization procedures, role-based access controls, and the process for granting,
reviewing and revoking privileges. The auditor will also review the organization’s password and
multi-factor authentication policies to ensure that they align with industry best practices. This
component of the audit is intended to identify weaknesses that an attacker could exploit to gain
unauthorized access to the organization’s systems and data.
Another important component of a cybersecurity audit is a review of the organization’s incident
response plan. This includes a review of the organization’s procedures for identifying, responding
to, and recovering from cybersecurity incidents. The auditor will also review the organization’s
procedures for reporting incidents to law enforcement and regulatory agencies. This component of
the cybersecurity audit is intended to ensure that the organization is prepared to respond to a
cybersecurity incident effectively and efficiently.
Finally, a cyber security audit includes a review of the organization’s policies and procedures for
data management and employee awareness training. This includes a review of the organization’s
procedures for classifying and protecting sensitive data, as well as a review of the organization’s
procedures for training employees on cybersecurity best practices. This is to ensure that the
organization’s employees are aware of the risks associated with cybersecurity and are prepared to
take appropriate measures to protect the organization’s data and systems.
It is important to note that this is a high-level overview of the components of a cybersecurity audit
and the process may vary depending on the specific requirements of the organization. Also, the
auditor may use different methods, including automated and manual testing, as well as on-site and
remote evaluations.
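Several of the components above can be checked as code rather than by reading configurations by hand. The following Python script is an added example, not part of the original page: it runs the kind of checks an auditor performs on network, patching and access-control evidence over a constructed evidence record for one host and returns severity-rated findings. The evidence values, the thresholds (minimum password length, patch window, number of administrators) and the check names are assumptions chosen for illustration, not requirements quoted from any standard.

```python
"""Evaluate collected configuration evidence against an audit checklist.

Added example, not code from the original page.  The evidence, thresholds and
check names are constructed for illustration; a real audit would fill the
evidence from collectors (config exports, scanner output, IdP reports) and
take its thresholds from the applicable standard or hardening baseline.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Finding:
    component: str   # audit component the check belongs to
    check: str       # control that was tested
    severity: str    # "high", "medium" or "low"
    detail: str      # evidence supporting the finding


AUDIT_DATE = date(2024, 3, 1)   # constructed collection date, keeps results reproducible

# Constructed evidence for one host; every value here is made up for the example.
SAMPLE_EVIDENCE = {
    "host": "app-01",
    "firewall": {"default_inbound": "ACCEPT", "open_ports": [22, 80, 443, 3389]},
    "sshd": {"PermitRootLogin": "yes", "PasswordAuthentication": "yes"},
    "password_policy": {"min_length": 8, "lockout_threshold": 0, "mfa_for_admins": False},
    "patching": {"last_patch_date": "2024-01-15", "pending_security_updates": 7},
    "admin_accounts": ["root", "alice", "bob", "svc_backup", "old_contractor"],
}

# Baseline thresholds assumed for this example (not taken from the page).
MIN_PASSWORD_LENGTH = 12
MAX_PATCH_AGE_DAYS = 30
MAX_ADMIN_ACCOUNTS = 3
RISKY_SERVICES = {23: "telnet", 445: "SMB", 3389: "RDP"}


def check_network(ev, findings):
    """Network architecture: default-deny inbound and no exposed management services."""
    fw = ev["firewall"]
    if fw["default_inbound"].upper() != "DROP":
        findings.append(Finding("network", "default-deny inbound policy", "high",
                                f"default inbound policy is {fw['default_inbound']}"))
    for port in fw["open_ports"]:
        if port in RISKY_SERVICES:
            findings.append(Finding("network", "exposed management service", "high",
                                    f"{RISKY_SERVICES[port]} (tcp/{port}) is reachable"))


def check_patching(ev, findings, today):
    """Software configuration: systems patched within the agreed window."""
    p = ev["patching"]
    age_days = (today - date.fromisoformat(p["last_patch_date"])).days
    if age_days > MAX_PATCH_AGE_DAYS:
        severity = "high" if p["pending_security_updates"] > 0 else "medium"
        findings.append(Finding("patching", "patch currency", severity,
                                f"last patched {age_days} days ago, "
                                f"{p['pending_security_updates']} security updates pending"))


def check_access(ev, findings):
    """Access controls: authentication hardening, password policy, least privilege."""
    sshd, policy = ev["sshd"], ev["password_policy"]
    if sshd.get("PermitRootLogin", "yes") != "no":
        findings.append(Finding("access", "direct root login over SSH", "high",
                                f"PermitRootLogin={sshd.get('PermitRootLogin', 'yes')}"))
    if policy["min_length"] < MIN_PASSWORD_LENGTH:
        findings.append(Finding("access", "password minimum length", "medium",
                                f"{policy['min_length']} < {MIN_PASSWORD_LENGTH}"))
    if policy["lockout_threshold"] == 0:
        findings.append(Finding("access", "account lockout", "medium",
                                "no lockout after repeated failed logins"))
    if not policy["mfa_for_admins"]:
        findings.append(Finding("access", "MFA for privileged accounts", "high",
                                "administrators can authenticate with a password alone"))
    if len(ev["admin_accounts"]) > MAX_ADMIN_ACCOUNTS:
        findings.append(Finding("access", "privileged account sprawl", "low",
                                f"{len(ev['admin_accounts'])} admin accounts: "
                                + ", ".join(ev["admin_accounts"])))


def run_audit(ev, today=None):
    """Run every check against one host's evidence and return its findings."""
    today = today or date.today()
    findings = []
    check_network(ev, findings)
    check_patching(ev, findings, today)
    check_access(ev, findings)
    return findings


if __name__ == "__main__":
    for f in run_audit(SAMPLE_EVIDENCE, today=AUDIT_DATE):
        print(f"[{f.severity.upper():6}] {f.component}: {f.check} -- {f.detail}")
```

Run against the constructed evidence, the checks return five high, two medium and one low finding; run against a host whose evidence meets every threshold, they return none. That difference, a control that is actually operating versus one that merely exists in a policy document, is what the auditor is trying to establish in each component.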
How Is a Cybersecurity Audit Helpful for Your Business?
A cybersecurity audit is a critical tool for ensuring the integrity of an organization’s data and
systems. It provides a comprehensive evaluation of an organization’s cybersecurity posture,
identifies vulnerabilities, and recommends improvements to the organization’s cybersecurity
defenses. The following are some of the key ways in which a cyber security audit can be beneficial
for your business:

1. Identifying Vulnerabilities
One of the key benefits of a cybersecurity audit is the ability to identify vulnerabilities in an
organization’s systems and networks. A vulnerability is a weakness in the organization’s systems
and networks that could be exploited by an attacker to gain unauthorized access to sensitive
information.
Once vulnerabilities are identified, the auditor will classify them based on their severity and
recommend steps to mitigate them. This can include applying security patches, configuring security
controls, or implementing new security controls. The auditor will also prioritize the vulnerabilities
based on the level of risk they pose to the organization. This allows the organization to focus its
efforts on mitigating the most critical vulnerabilities first.
Identifying vulnerabilities is an essential step in protecting an organization’s data and systems.
Without identifying vulnerabilities, an organization is blind to the risks it faces and cannot take
steps to mitigate them. A cyber security audit provides organizations with the visibility they need to
identify vulnerabilities and take the necessary steps to protect their systems and data.
2. Assessing the Effectiveness of Existing Security Controls
A cybersecurity audit can provide an organization with insight into the effectiveness of its existing
security controls. The auditor will review and evaluate the organization’s security controls to
determine if they are providing adequate protection. This includes reviewing the organization’s
network architecture, software and hardware configurations, access controls, incident response
plan, and data management policies.
By assessing the effectiveness of existing security controls, the auditor can identify any areas where
the organization’s defenses are weak and recommend improvements. This can include updating
security controls, implementing new security controls, and strengthening the organization’s incident
response plan. The auditor will also recommend best practices for the organization to follow to
improve its security posture.
The assessment of the effectiveness of existing security controls is critical for an organization’s
cybersecurity posture. Without this assessment, an organization may be under the false impression
that its defenses are adequate, when in fact they are not. This can lead to a false sense of security
and can ultimately put the organization at risk of a data breach.
3. Compliance with Regulatory Requirements
Many industries are subject to specific regulations that require organizations to maintain certain
levels of cybersecurity. A cybersecurity audit can help an organization demonstrate compliance
with these regulations and avoid hefty fines and penalties for non-compliance.
By reviewing the organization’s compliance with regulatory requirements, the auditor can identify
any areas where the organization is non-compliant and recommend steps to address them. This can
include updating policies and procedures, implementing new security controls, and training
employees on the requirements of the regulations that apply to the organization.
4. Building Trust with Customers and Stakeholders
An audit of cyber security can help an organization build trust with its customers and stakeholders
by demonstrating that it is taking the necessary steps to protect sensitive information. This can be
especially important for organizations that handle sensitive information, such as financial
institutions, healthcare providers, and e-commerce businesses.
Additionally, many organizations are required to disclose their cybersecurity practices and controls
to customers, clients, and stakeholders, for instance in the annual report, in security questionnaires,
and under other regulatory requirements. An independent cybersecurity audit produces third-party
evidence that the organization’s controls are in place and operating: an attestation report, or, under
schemes such as ISO 27001 or PCI DSS, a certificate or attestation of compliance. The organization can
use that evidence to demonstrate its commitment to cybersecurity and to satisfy regulatory requirements.
5. Improving Incident Response Capabilities
During a cybersecurity audit, the auditor will review the organization’s incident response plan to
ensure that it aligns with industry best practices and regulatory requirements. The auditor will also
review the organization’s procedures for identifying, responding to, and recovering from
cybersecurity incidents. This includes reviewing the organization’s procedures for reporting
incidents to law enforcement and regulatory agencies.
The auditor will also assess the organization’s ability to respond to a cybersecurity incident
effectively and efficiently. This includes assessing the organization’s incident response team and
their ability to quickly and effectively respond to an incident. The auditor will also review the
organization’s incident response procedures to ensure that they are clear, concise, and easy to
follow.
By identifying weaknesses in the organization’s incident response plan and procedures, the auditor
can recommend improvements that will help the organization to respond to a cybersecurity incident
effectively and efficiently. This can include updating the incident response plan, training incident
response team members, and implementing new incident response procedures.
Having an effective incident response plan and procedures is critical to an organization’s ability to
respond to a cybersecurity incident. By identifying weaknesses in the organization’s incident
response plan and procedures, a cyber security audit can help organizations to improve their
incident response capabilities and ultimately reduce the impact of a cybersecurity incident.
6. Employee Awareness and Training
The auditor will review the organization’s security awareness and training program and the evidence of
its effectiveness, such as training completion records and phishing-simulation results, together with
the procedures for monitoring whether employees actually follow policy, for example acceptable-use
monitoring of email and internet usage and periodic reviews of who has access to sensitive information.
By identifying gaps in employees’ cybersecurity knowledge, the auditor can recommend changes to
the organization’s employee awareness and training program to better educate employees on
cybersecurity best practices. This can include incorporating new training materials, implementing
new training methods, and providing ongoing training to ensure that employees are up to date on
the latest cybersecurity threats and trends.
Employee awareness and training are essential components of an organization’s cybersecurity
posture. Cybersecurity threats such as phishing, social engineering, and malware are often
successful because of employee mistakes, such as clicking on a malicious link or entering sensitive
information into a phishing website. By providing employees with the necessary training and
education, organizations can reduce the risk of a cybersecurity incident and improve their overall
cybersecurity posture.
7. Cost Savings
A cybersecurity audit can also surface overlap and waste: redundant tools, controls that no longer
address a real risk, and spending that is out of proportion to the assets it protects. The auditor can
recommend consolidating or retiring those controls and redirecting the budget to the areas most critical
to the business, without weakening detection or incident response capability.
By identifying areas where the organization can reduce costs, a cyber security audit can help
organizations to allocate resources more effectively. This can help organizations to stay within
budget while still maintaining an effective cybersecurity posture.
How often do you Need Security Audits?
The frequency of security audits depends on the nature of the organization and the level of risk it
faces. Generally speaking, it’s recommended to conduct a cybersecurity audit at least once a year,
but more frequent audits may be necessary for organizations that handle sensitive information, are
subject to regulatory requirements, or operate in a high-risk industry.
It’s also important to conduct regular security audits after major changes to the organization, such
as mergers and acquisitions, changes in the IT environment, such as the adoption of new
technologies or the increase of remote working, and after significant incidents like data breaches, to
identify any vulnerabilities that may have been exploited during the incident.
Internal vs External Cybersecurity Audit
An internal cybersecurity audit is an assessment of an organization’s IT systems and security
controls that are conducted by the organization’s staff or an internal audit team. The goal of an
internal audit is to identify vulnerabilities and to assess the effectiveness of existing security
controls. The audit will examine the organization’s IT infrastructure, including hardware, software,
and networks, to ensure that they are configured securely. The audit will also review the
organization’s security policies and procedures, such as incident response plans, to ensure that they
are up-to-date and effective.
The main advantage of an internal cybersecurity audit is that it allows organizations to identify
vulnerabilities and assess the effectiveness of existing security controls cost-effectively. Internal
auditors already have knowledge of the organization’s IT systems and security controls, which can
make the audit process more efficient. Additionally, internal auditors will have the ability to access
sensitive information without the need for external approval.
However, internal audits may be less effective than external audits at identifying vulnerabilities and
assessing compliance with regulatory requirements. Internal auditors may not have the same depth of
specialist expertise or the same objectivity as external auditors, and familiarity breeds blind spots:
weaknesses in long-standing policies and procedures are easily taken for granted by the people who work
within them every day. Findings that touch on management decisions may also be softened when the
auditor reports to the people being audited. This can leave vulnerabilities that put systems and data
at risk unidentified and unaddressed.
On the other hand, an external cyber security audit is an assessment conducted by an independent third
party. Its goal is an independent opinion on the organization’s IT systems and security controls. The
auditor reviews the organization’s compliance with regulatory requirements and industry standards and
documents the result in a formal report; under certification schemes such as ISO 27001 or PCI DSS, a
passing assessment leads to a certificate or attestation of compliance. That report or certificate can
be used to demonstrate compliance and to build trust with customers and stakeholders.
The main advantage of an external cybersecurity audit is that it provides an independent assessment
of the organization’s IT systems and security controls. External auditors have the necessary
expertise and objectivity to identify vulnerabilities that might be overlooked by internal auditors.
They also can assess the organization’s compliance with regulatory requirements and industry
standards, which can be crucial for organizations that are subject to these regulations.
Moreover, external audits are often preferred by organizations that are subject to regulatory
requirements, and that want to demonstrate compliance with these regulations. External audits are
also preferred by organizations that want to build trust with their customers and stakeholders by
demonstrating that they are committed to protecting sensitive information. By obtaining a
certification from a reputable third-party auditor, organizations can demonstrate to customers,
clients, and stakeholders that they have met certain security standards and they take cybersecurity
seriously.
Additionally, external auditors bring in fresh perspectives and a thorough understanding of the
latest security threats and trends, which can help organizations to stay ahead of the evolving threat
landscape. They can also provide recommendations for improvements and best practices that
organizations can implement to improve their overall cybersecurity posture.
In summary, both internal and external cybersecurity audits have their advantages and disadvantages,
and organizations should weigh their specific needs and requirements when deciding which to conduct.
Where the applicable standard requires independent assessment, as PCI DSS does for the highest-volume
merchants and service providers and as ISO 27001 does for certification, an external audit is
unavoidable; elsewhere it remains the stronger way to demonstrate compliance and avoid penalties. In
every case, both internal and external audits should be conducted regularly to maintain an effective
cybersecurity posture.
Benefits of a Cybersecurity Audit
1. Identifying and Fixing Vulnerabilities
One of the primary benefits of IT security audits is that they can help organizations identify and
address weak spots in their IT systems and security controls. This includes identifying
vulnerabilities in network configurations, software vulnerabilities, and outdated security controls.
By identifying these weak spots, organizations can take steps to mitigate the risk of a data breach or
cyber attack and strengthen their defenses.
2. Comprehensive Evaluation of Internal and External Security Measures
IT security audits provide a comprehensive analysis of an organization’s internal and external
security practices. This includes reviewing the organization’s security policies and procedures,
incident response plans, and testing the effectiveness of security controls. The auditor also
examines the organization’s IT infrastructure and assesses the organization’s compliance with
regulatory requirements and industry standards.
3. Uncovering Shortcomings in Your Security Defenses
IT security audits can identify any gaps in an organization’s defense, which can include areas
where the organization’s defenses are weak, or where existing security controls are not working as
intended. Identifying these gaps can be critical for organizations that want to maintain an effective
cybersecurity posture.
4. Determine the Need for Improvement in the Overall Security Stance
IT security audits can help organizations determine whether they need to enhance their security
posture. By identifying vulnerabilities and assessing the effectiveness of existing security controls,
organizations can decide whether they need to implement additional security controls or make
changes to their existing controls to better protect their IT systems and data.
5. Advising on Utilizing Technology for Business Security
IT security audits can recommend ways for organizations to leverage technology to improve their
business security. This can include recommendations for new security controls, such as firewalls,
intrusion detection systems, or encryption, or recommendations for ways to improve the
configuration of existing security controls. The auditor may also recommend ways for
organizations to improve their incident response capabilities, such as implementing incident
response plans or incident response training for employees.
6. Evaluating the Effectiveness of Security Measures
IT security audits also include testing the organization’s security controls to ensure that they are
working as intended. This includes testing the organization’s incident response plan and
procedures, as well as testing the organization’s security controls to identify any vulnerabilities or
weaknesses.
7. Keeping Up with the Latest Threats
IT security audits can help organizations stay ahead of cybercriminals by identifying vulnerabilities
and assessing the effectiveness of existing security controls. By identifying vulnerabilities and
addressing them, organizations can reduce the risk of a data breach or cyber attack. Additionally, by
staying up-to-date with the latest security threats and trends, organizations can take steps to protect
themselves from new and emerging threats.
8. Building Trust and Reputation Through Security
A successful IT security audit can demonstrate to customers, clients, and stakeholders that an
organization is committed to protecting sensitive information. This can be especially important for
organizations that handle sensitive information, such as financial institutions, healthcare providers,
and e-commerce businesses. A strong reputation for security can help organizations to build trust
with customers and stakeholders and can be a competitive advantage in the marketplace.
9. Providing Peace of Mind to Staff, Customers, and Partners
IT security audits can assure employees, clients, and vendors that an organization is committed to
protecting sensitive information and that the organization’s IT systems and security controls are
effective. This can be especially important for organizations that handle sensitive information, such
as financial institutions, healthcare providers, and e-commerce businesses.
10. Improving Overall Technology and Security Performance
IT security audits can help organizations to improve the performance of their technology and
security controls. This can include identifying and addressing vulnerabilities, improving incident
response capabilities, and implementing new security controls and best practices. By improving the
performance of their technology and security controls, organizations can better protect their IT
systems and data and reduce the risk of a data breach or cyber attack.
Best Practices for a Cybersecurity Audit
1. Defining the Scope of the Audit
One of the first and most important steps in conducting a cyber security audit is clearly defining the
scope of the audit. This includes identifying all assets that are critical to the organization, such as
sensitive data and computer equipment. The audit scope should also include defining the security
perimeter, which outlines which assets will be audited and which will not.
When defining the scope of the audit, it is important to consider the different types of assets that the
organization has and their relative importance. For example, financial records, customer information,
intellectual property and employee records (which contain personal data) are typically more critical
than published marketing material or other public information. Once the assets have been identified,
the auditor should segment them by criticality, with the most critical assets audited first. This allows
the auditor to focus on the areas that pose the greatest risk to the organization and to address any
vulnerabilities or weaknesses found there as quickly as possible.
It is also important to define the security perimeter, which outlines the boundaries of the audit. This
includes identifying the assets that will be audited and those that will not be audited, as well as the
methods that will be used to access the assets. This will help ensure that the auditor has the
necessary resources and access to complete the audit effectively.
2. Preparing Resources
Before the audit begins, it is important to provide the auditor with the necessary resources. This
includes providing access to subject matter experts who can provide insight into the organization’s
IT infrastructure and cybersecurity practices, as well as any necessary tools that the auditor may
need to access the organization’s network.
It is also important to organize all relevant documents and policies in an easy-to-access format. This
includes cybersecurity policies, incident response plans, and any compliance-related documents
such as certifications or compliance reports. This will help the auditor to understand the
organization’s overall security posture and quickly identify any areas that need improvement.
It is also important to arrange a meeting where the auditor can meet the subject matter experts and
be introduced to the necessary tools they would need to access the network. This will help to
smooth out the audit process and save time. By providing the auditor with the necessary resources,
the auditor will be able to conduct a comprehensive review of the organization’s IT infrastructure
and identify any vulnerabilities or weaknesses that need to be addressed.
3. Reviewing Compliance Standards
Before the audit begins, it is important to review the compliance standards that apply to the
organization and industry. This includes laws, regulations, and industry standards such as the
EU General Data Protection Regulation (GDPR), California Consumer Privacy Act
(CCPA), Payment Card Industry Data Security Standard (PCI DSS), Health Insurance
Portability and Accountability Act (HIPAA), or ISO 27001.
It is important to understand the compliance regulations that apply to the organization as it will help
to align the audit with the requirements of the company. The auditor will be able to check the
company’s compliance posture and see if there are any gaps or shortcomings that need to be
addressed.
For example, if the organization is subject to HIPAA regulations, the auditor will check if the
organization has implemented the necessary controls to protect patient health information, such as
encrypting sensitive data and implementing access controls.
Understanding the compliance regulations also helps the auditor to identify potential risks and
vulnerabilities that could result in non-compliance fines or penalties. By reviewing compliance
standards, the auditor can ensure that the organization is compliant with relevant laws and
regulations and recommend any necessary changes to the organization’s security posture.
4. Detailing the Network Structure
One of the main goals of a security audit is to identify vulnerabilities and security gaps in the
organization’s IT infrastructure. Providing the auditor with a detailed diagram of the organization’s
network structure can help to accomplish this goal. This should include an overall view of the
organization’s assets, how they are connected, and what protections are in place between them.
The detailed network structure should include information such as the types of devices and
operating systems that are in use, the number and location of servers, and the different types of
networks that are in use (e.g. LAN, WAN, DMZ). It should also include information about the
organization’s security controls such as firewalls, intrusion detection systems, and antivirus
software.
By providing the auditor with a detailed network structure, the auditor will have a clear
understanding of the organization’s IT infrastructure and will be able to identify vulnerabilities and
security gaps more quickly and effectively. This will allow the auditor to focus on the areas that
pose the greatest risk to the organization and to recommend any necessary changes or
improvements.
Additionally, it will also help the auditor to understand the complexity of the network and the
organization’s dependencies on the network, which can help the auditor to understand the risk and
impact of a potential security incident.
5. Identifying and Recording Risks and Vulnerabilities
A critical step in the cybersecurity audit process is identifying and recording all vulnerabilities that
could potentially affect the organization. This includes understanding the risks and threats that the
organization faces, as well as the compliance risks associated with each process.
The auditor should assess the likelihood of each potential attack, the motivation behind it, and the
potential impact on the organization. This information can be used to prioritize the vulnerabilities
and to determine which ones need to be addressed first.
To identify vulnerabilities, the auditor will use a combination of tools and techniques such as
vulnerability scanning, penetration testing, and manual assessments. This will help the auditor to
identify any weaknesses in the organization’s IT infrastructure, such as unpatched software, weak
passwords, and misconfigured devices.
Once the vulnerabilities have been identified, the auditor should document them in a report,
including the potential impact of each vulnerability, the likelihood of it being exploited, and any
recommended remediation steps. This information will be used to prioritize the vulnerabilities and
to determine which ones need to be addressed first.
Overall, this step helps to identify the weaknesses of the current security posture of the
organization, which is crucial to understand the organization’s risk profile and to make strategic
decisions to mitigate them.
6. Assessing Existing Cyber Risk Management Performance
Once the vulnerabilities have been identified, the next step is to evaluate the performance of the
organization’s current cyber risk management measures. This includes assessing the effectiveness
of the organization’s security policies, as well as the performance of the employees who are
responsible for implementing and maintaining them.
During this step, the auditor should evaluate the performance of the current security measures, such
as vulnerability scanning tools and incident response plans. The auditor should also assess the
effectiveness of employee training programs, such as those that focus on cybersecurity awareness
and best practices.
It is also important to evaluate the overall security culture of the organization. This includes
assessing whether employees understand the importance of cybersecurity and are motivated to
follow best practices.
Note that an internal assessment of this kind can be biased, because the auditor is an employee of the
company being assessed; this is one reason an independent external auditor adds value here. By
assessing the organization's existing cyber risk management performance, the auditor can identify any
areas that need improvement and recommend changes that will help to strengthen the organization's
security posture.
7. Prioritizing Risk Responses
The last analytical step in a cybersecurity audit is to prioritize the risks and vulnerabilities
identified in the previous steps and to determine the best course of action for addressing them.
Prioritization rests on two factors: the likelihood that a vulnerability will be exploited and the
impact on the organization if it is. Their combination determines which findings pose the greatest risk.
The auditor also weighs the feasibility of each risk response option, such as implementing new security
controls, updating existing controls, revising the incident response plan, transferring the risk (for
example through insurance or outsourcing), or formally accepting it with management sign-off. A high-risk
finding with a cheap, quick fix should generally be addressed before an equally rated finding that
requires a lengthy project.
After prioritizing the risks, the auditor recommends specific actions for each finding, each with a
named owner.
The auditor will also provide a timeline for implementing the recommended actions, along with a
plan for monitoring and testing the effectiveness of the new controls. This is crucial to ensure that
the organization is taking the necessary steps to mitigate the identified risks and to make sure that
the organization is prepared for future risks.
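Steps 5 through 7 describe one procedure: record each finding, rate its likelihood and impact, weigh the feasibility of the response, and order the work. The following Python module is an added example, not part of the original page, that carries that procedure through for a constructed set of findings. The 5x5 likelihood and impact scales, the tier thresholds, the remediation deadlines and the requirement mappings are assumptions chosen for illustration; an organization would substitute the scales and deadlines from its own risk methodology.

```python
"""Score, tier and prioritize audit findings for the risk register.

Added example, not code from the original page.  The 5x5 likelihood and
impact scales, the tier thresholds, the remediation deadlines and the sample
findings are assumptions chosen for illustration; an organization would take
them from its own risk methodology and the standards that apply to it.
"""
from dataclasses import dataclass

LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
EFFORT = {"low": 1, "medium": 2, "high": 3}          # feasibility of the response
RESPONSES = {"mitigate", "transfer", "avoid", "accept"}

# (minimum score, tier, remediation deadline in days); assumed values.
TIERS = [(20, "critical", 7), (12, "high", 30), (6, "medium", 90), (1, "low", 180)]


@dataclass
class Risk:
    finding: str
    likelihood: str
    impact: str
    effort: str
    response: str = "mitigate"
    requirement: str = ""        # clause of a standard the finding maps to, if any

    @property
    def score(self):
        """Qualitative risk score on a 1..25 scale."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]


def tier_for(score):
    """Map a score to (tier name, remediation deadline in days)."""
    for minimum, name, days in TIERS:
        if score >= minimum:
            return name, days
    raise ValueError(f"score out of range: {score}")


def validation_errors(risks):
    """Return problems that must be fixed before the register is accepted."""
    errors = []
    for r in risks:
        if r.response not in RESPONSES:
            errors.append(f"{r.finding}: unknown response {r.response!r}")
        elif r.response == "accept" and tier_for(r.score)[0] == "critical":
            errors.append(f"{r.finding}: a critical risk cannot simply be accepted")
    return errors


def prioritize(risks):
    """Order the register: worst tier first, then the quickest fix, then score."""
    errors = validation_errors(risks)
    if errors:
        raise ValueError("; ".join(errors))
    tier_rank = {name: i for i, (_, name, _) in enumerate(TIERS)}
    ordered = sorted(
        risks,
        key=lambda r: (tier_rank[tier_for(r.score)[0]], EFFORT[r.effort], -r.score),
    )
    plan = []
    for rank, r in enumerate(ordered, start=1):
        tier, days = tier_for(r.score)
        plan.append({"rank": rank, "finding": r.finding, "score": r.score, "tier": tier,
                     "response": r.response, "due_in_days": days,
                     "requirement": r.requirement})
    return plan


# Constructed findings from one audit; ratings and clause mappings are illustrative.
SAMPLE_RISKS = [
    Risk("RDP exposed to the internet", "likely", "severe", "low", requirement="PCI DSS Req. 1"),
    Risk("Servers 46 days behind on security patches", "likely", "major", "medium",
         requirement="PCI DSS Req. 6"),
    Risk("No MFA on administrator accounts", "possible", "severe", "low", requirement="PCI DSS Req. 8"),
    Risk("Password minimum length is 8", "possible", "moderate", "low"),
    Risk("Five privileged accounts, two dormant", "unlikely", "moderate", "low"),
    Risk("Guest Wi-Fi logs not retained", "unlikely", "minor", "high", response="accept"),
]

if __name__ == "__main__":
    for row in prioritize(SAMPLE_RISKS):
        print(f"{row['rank']}. [{row['tier']:8}] score={row['score']:2} "
              f"due in {row['due_in_days']:3}d  {row['finding']} ({row['response']})")
```

Sorting by tier first and effort second puts the quick, high-risk fixes at the top of the plan, so the exposed RDP service and the missing administrator MFA come before the longer patching project even though the patching finding scores higher than the MFA one. The validation step refuses a register in which a critical risk is marked as accepted, which forces that decision to be taken explicitly by management rather than buried in a spreadsheet.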
8. Ensuring Regular Audits
A cybersecurity audit is not a one-time event, it is an ongoing process. New types of cyber risks and
attacks are constantly emerging, and the organization needs to stay ahead of them by conducting
regular audits. This helps the organization to identify new vulnerabilities and to ensure that their
security measures are up-to-date and effective.
As noted above, an in-depth security audit at least once a year is the usual baseline; the frequency
should rise with the size of the organization and the level of risk it faces. A small, low-risk
organization may audit annually, while a large organization, or one that handles regulated data, may
audit its most critical systems quarterly and supplement the formal audits with continuous automated
checks in between.
The organization may also conduct audits on specific departments or areas of the business, such as
the IT department or a specific application or service. This will help the organization identify any
vulnerabilities or weak spots that are specific to that area of the business.
Regular audits are crucial to ensure that the organization is aware of the current state of its security
posture and to take timely actions to improve it. It also helps to stay ahead of cybercriminals by
detecting and addressing vulnerabilities before they can be exploited.
9. Communicating the Results and Follow-up Actions
Once the cybersecurity audit is complete, the auditor needs to communicate the results and any
recommendations to the appropriate stakeholders within the organization. This includes the senior
management, the IT department, and any other relevant departments or teams.
The auditor should present the findings of the audit clearly and concisely, highlighting any areas of
concern and providing detailed recommendations for addressing them. The auditor should also
provide a plan for implementing the recommended actions, including a timeline and a budget.
It is also important for the auditor to follow up on the progress of the recommended actions. This
includes monitoring the progress of the implementation and testing the effectiveness of the new
controls. The auditor should also schedule regular meetings with the relevant stakeholders to
provide updates on the progress and to address any issues that arise.
Overall, this step is crucial to ensure that the audit results are understood and acted upon by the
relevant stakeholders in the organization. It also ensures that the recommendations are implemented
effectively and that the organization is continuously improving its cybersecurity posture.
10. Continuously Monitoring and Improving the Cybersecurity Posture
A cybersecurity audit is not a one-time event; it is an ongoing process. The organization must
continuously monitor and improve its cybersecurity posture to stay ahead of emerging threats. After
the audit, the organization should establish a process for regularly reviewing and updating its
security policies and procedures.
This includes monitoring the effectiveness of existing security controls, identifying new
vulnerabilities, and implementing new security measures as needed. The organization should also
conduct regular employee training and awareness programs to ensure that employees understand
the importance of cybersecurity and know how to identify and report potential security incidents.
It is also important for the organization to stay informed about the latest cybersecurity threats and
trends by regularly monitoring industry news and alerts. By staying informed, the organization can
proactively address new threats and vulnerabilities.
Overall, this step is crucial to ensure that the organization is continuously improving its
cybersecurity posture and is prepared to face any emerging threat. It also helps to ensure that the
organization is always aware of the current state of its security posture and takes timely actions to
improve it.

What is a Cybersecurity Compliance Audit?
To set you up to get the most out of this post, let us first cover some basic information. Firstly:
What is a cybersecurity compliance audit?
A cybersecurity compliance audit is a process by which a third-party agency assesses whether or
not you have the proper security systems in place while also ensuring regulatory compliance. The
best way to prepare for an external audit is to conduct a comprehensive internal audit in-house.
Conducting an internal audit allows you to review all the cybersecurity risks your organization
faces. Additionally, you’ll be able to review your current defenses to see how your policies,
procedures, and technologies stack up against the threats you’re facing.
Conducting an internal cybersecurity compliance audit comes with numerous benefits. Firstly, it
enables you to self-evaluate the current state of your data security efforts. Through this self-
evaluation, you’ll be able to discover and remediate vulnerabilities before an attacker leverages
them in the form of a breach.
A self-compliance audit is also a great opportunity to stress-test your software and
hardware against possible breaches. During your audit, you will also demonstrate and document
your organization’s compliance with existing regulations. As a result, your team will have the
necessary processes and documentation in place should you face an external audit.
If you decide not to conduct a cybersecurity compliance audit, you can open your organization up
to several risks:
• Increased Breach Risk: If you have not evaluated your system for vulnerabilities, you
leave your organization open to an increased risk of attack.
• Damaged Organizational Reputation: In the event of a breach, your organization can face
reputation damage and lost customer trust.
• Lack of Preparedness: If you do not take the time to conduct a self-audit, you miss the
opportunity to prepare your processes, systems, and team for an external audit.
With this foundational understanding of the importance of cybersecurity compliance audits, we are
now ready to examine the six steps necessary to conduct your own internal audit.

1. Identify Stakeholders
Step one of your audit is to identify your stakeholders. Who is responsible for cybersecurity
compliance in your organization? If your organization is a small business, you may only have one
or two stakeholders. However, enterprises may have a full team of stakeholders spread across
multiple departments across the business.
Once you have identified the parties who must be involved in your audit, establish each person’s
responsibilities in writing. Ensure you are prepared to hold teams and individuals accountable to
the responsibilities assigned.
Lastly, you should use this opportunity to identify which employees may influence your
organization’s ability to remain compliant. Which staff members have access to data that may
expose your organization to a compliance issue if mishandled or breached? You may choose to
engage in cybersecurity training with these employees to ensure they understand their role in
maintaining compliance.
Once you have identified all the people in your organization who can and should influence your
compliance efforts, you are ready to examine your existing policies.

2. Evaluate Existing Policies
What policies do you currently have in place regarding your information security processes? Take
this opportunity to review all active policies, searching for areas where they are insufficient or
outdated.
Watch out for any policies that exist in their current form because “that’s the way we’ve always
done things.” Use your cybersecurity compliance audit as a chance to make positive changes in
your organization’s processes, enacting and updating policies to reflect modern cybersecurity
threats and challenges.
You will also want to consider the scope of your audit at this point. If you are conducting an audit
surrounding a specific regulation or requirement, you may choose to review only the policies
concerning that regulation. Alternatively, you may choose to examine all policies related to
cybersecurity compliance.
Once you have established an understanding of your current policies and developed a plan to update
them where necessary, you may inventory your IT assets.

3. Inventory IT Assets
What counts as IT assets? In this step, you will want to examine hardware, software, databases,
and services. Additionally, ensure you account for any third-party data storage solutions or
cloud services your organization uses.
If your network is accessible from personal computers or mobile devices, you must also account for
those devices in this step. Take special note of this piece if your workforce includes remote or
hybrid workers.
With your key players, policies, and devices accounted for, you are now ready to conduct a security
risk assessment.

4. Conduct a Security Risk Assessment
Begin your security risk assessment by examining current cybersecurity threats. Consider trends,
past cybersecurity events in your organization, and more.
You will also want to consider critical assets at your organization in this stage. What data or
resources are most likely to be targeted in a breach? Center your assessment around securing these
assets.
Thirdly, you will want to examine your current defenses. Compare your defenses against the
severity and sophistication of the threats you’re likely to face. How do they stack up? Take this
opportunity and plan to shore up any defenses that seem likely to fall short.
Note that a security risk assessment is not a “one and done” process. You will want to conduct this
type of assessment on a regular basis.

5. Remediate Identified Risks
In all likelihood, your compliance audit will reveal weak spots and vulnerabilities. Take note of
these risks and use step five of your audit to remediate those risks.
Create and implement practices and policies to close gaps with your team’s data access. You may
also note new technologies you need to solve these challenges and help make compliance more
seamless for your team.
You want your cybersecurity practices to be proactive rather than reactive, so ensure you are not
simply remediating active risks at this stage. Instead, build a long-term compliance strategy to help
you maintain continuous compliance in the future.
Ensure you keep a record of all implemented changes at this stage, as a log of cybersecurity
improvements and compliance efforts will be vital in the face of an external audit.

6. Create an Incident Response Plan
Regardless of how much effort you put into preventing a cybersecurity incident from occurring,
there is always the possibility that an attacker will manage to breach your defenses. In the event of a
breach, you will need a robust incident response plan to minimize the impact.
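Steps 3 to 5 above (inventory the assets, assess the risks against them, remediate and keep a record of what changed) can be tracked in a simple risk register. The following is an added example, not code from these notes or from any auditing body; the scoring scheme it uses (likelihood times asset criticality, reduced in proportion to the strength of existing controls, all rated on a 0–5 scale) and the 90-day reassessment window are assumptions chosen for illustration, not requirements stated in the text. The sample assets and risks are constructed.

```python
"""Minimal risk register for an internal compliance audit (added example).

Inventory assets (step 3), score each risk against its asset (step 4),
prioritise and remediate with an auditable change log (step 5), and flag
risks whose assessment has gone stale, since a risk assessment is not a
"one and done" exercise.  Scoring scheme and 90-day window are assumptions.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List

SCALE = 5  # likelihood, criticality and control strength are rated on a 0..5 scale


@dataclass
class Asset:
    name: str
    kind: str            # hardware, software, database, service, cloud, byod
    owner: str           # stakeholder accountable for the asset (step 1)
    criticality: int     # 1 (low) .. 5 (most likely breach target)
    third_party: bool = False  # third-party storage / cloud service (step 3)


@dataclass
class Risk:
    rid: str
    asset: Asset
    threat: str
    likelihood: int          # 1 .. 5
    control_strength: int    # 0 (no control) .. 5 (fully mitigated)
    assessed_on: date

    def inherent(self) -> int:
        """Risk before any defenses are taken into account."""
        return self.likelihood * self.asset.criticality

    def residual(self) -> int:
        """Risk after existing defenses; assumption: linear reduction by control strength."""
        return round(self.inherent() * (SCALE - self.control_strength) / SCALE)


@dataclass
class RiskRegister:
    risks: List[Risk] = field(default_factory=list)
    change_log: List[dict] = field(default_factory=list)  # record for external audit

    def prioritised(self) -> List[Risk]:
        """Highest residual risk first; ties broken by id for a stable order."""
        return sorted(self.risks, key=lambda r: (-r.residual(), r.rid))

    def remediate(self, rid: str, action: str, new_control_strength: int, on: date) -> int:
        """Apply a remediation, log it, and return the new residual score."""
        risk = next(r for r in self.risks if r.rid == rid)
        before = risk.residual()
        risk.control_strength = new_control_strength
        risk.assessed_on = on
        self.change_log.append({
            "date": on.isoformat(), "risk": rid, "asset": risk.asset.name,
            "action": action, "residual_before": before, "residual_after": risk.residual(),
        })
        return risk.residual()

    def stale(self, today: date, max_age_days: int = 90) -> List[Risk]:
        """Risks not reassessed within the window and due for another look."""
        cutoff = today - timedelta(days=max_age_days)
        return [r for r in self.risks if r.assessed_on < cutoff]


def build_sample_register() -> RiskRegister:
    """Constructed sample data: three assets of different kinds and one risk each."""
    customer_db = Asset("customer-db", "database", "DBA lead", criticality=5)
    hr_laptops = Asset("hr-laptops", "byod", "IT ops", criticality=3)
    payroll_saas = Asset("payroll-saas", "service", "HR systems", criticality=4, third_party=True)
    return RiskRegister(risks=[
        Risk("R1", customer_db, "ransomware via unpatched server", 4, 2, date(2024, 1, 15)),
        Risk("R2", hr_laptops, "lost unencrypted device", 3, 1, date(2024, 1, 15)),
        Risk("R3", payroll_saas, "vendor breach", 2, 4, date(2024, 2, 1)),
    ])


if __name__ == "__main__":
    reg = build_sample_register()
    for r in reg.prioritised():
        print(f"{r.rid} {r.asset.name:<14} inherent={r.inherent():2d} residual={r.residual():2d}")
    reg.remediate("R1", "patched server; enabled offline backups", 4, date(2024, 4, 1))
    print("stale:", [r.rid for r in reg.stale(date(2024, 4, 15))])
```

The change log is the artefact an external auditor will ask for: each entry ties a dated action to the asset, the accountable owner and the before/after score, and the `stale()` check gives the audit its recurring schedule rather than leaving reassessment to memory.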
What is the National Cyber Security Policy
The National Cyber Security Policy is a policy framework of the Department of Electronics and
Information Technology (DeitY). It aims at protecting public and private infrastructure from
cyber attacks. The policy also intends to safeguard “information, such as personal information (of
web users), financial and banking information and sovereign data”. The Ministry of Communications
and Information Technology (India) defines cyberspace as a complex environment consisting of
interactions between people, software and services, supported by the worldwide distribution of
information and communication technology.
Need for a cybersecurity policy
• Before 2013, India did not have a cybersecurity policy. The need for it was felt during the
NSA spying issue that surfaced in 2013.
• Information empowers people and there is a need to create a distinction between
information that can run freely between systems and those that need to be secured. This
could be personal information, banking and financial details, security information which
when passed onto the wrong hands can put the country’s safety in jeopardy.
• This Policy has been drafted in consultation with all the stakeholders.
• In order to digitise the economy and promote more digital transactions, the government
must be able to generate trust in people in the Information and Communications
Technology systems that govern financial transactions.
• A strong integrated and coherent policy on cybersecurity is also needed to curb the menace
of cyber terrorism.
National Cyber Security Policy Vision
To build secure and resilient cyberspace for citizens, businesses and Government.

National Cyber Security Policy Mission
• To protect information and information infrastructure in cyberspace.
• To build capabilities to prevent and respond to cyber threats.
• To reduce vulnerabilities and minimize damage from cyber incidents through a combination
of institutional structures, people, processes, technology and cooperation.
National Cyber Security Policy Objectives
• Encouraging the adoption of IT in all sectors of the economy by creating adequate trust in
IT systems by the creation of a secure cyber ecosystem.
• Creating an assurance framework for the design of security policies and for the promotion
and enabling actions for compliance with global security standards and best practices
through conformity assessment.
• Bolstering the regulatory framework for ensuring a secure cyberspace ecosystem.
• Enhancing and developing national and sectoral level 24 x 7 mechanisms for obtaining
strategic information concerning threats to ICT infrastructure, creating scenarios for
response, resolution and crisis management through effective predictive, preventive,
protective, response and recovery actions.
• Operating a 24×7 National Critical Information Infrastructure Protection Centre (NCIIPC)
to improve the protection and resilience of the country’s critical infrastructure information.
• Developing suitable indigenous security technologies to address requirements in this field.
• Improving the visibility of the ICT (Information and Communication Technology)
products/services’ integrity by having testing and validation infrastructure.
• Creating a workforce of 500,000 professionals skilled in cybersecurity in the next 5 years.
• Providing businesses with fiscal benefits for adopting standard security practices and
processes.
• Safeguarding of the privacy of citizen’s data and reducing economic losses due to
cybercrime or data theft.
• Enabling effective prevention, investigation and prosecution of cybercrime and
enhancement of law enforcement capabilities through legislative intervention.
• Developing a culture of cybersecurity and privacy.
• Developing effective public-private partnerships and collaborative engagements by means
of technical and operational cooperation.
• Promoting global cooperation by encouraging shared understanding and leveraging
relationships for furthering the cause of security of cyberspace.
National Cyber Security Policy

Cyberspace is a complex environment consisting of interactions between people, software and
services, supported by worldwide distribution of information and communication technology (ICT)
devices and networks.
In the light of the growth of the IT sector in the country, ambitious plans for rapid social transformation
& inclusive growth and India’s prominent role in the global IT market, providing the right kind of
focus for creating a secure computing environment and adequate trust & confidence in electronic
transactions, software, services, devices and networks has become one of the compelling priorities
for the country. Such a focus enables creation of a suitable cyber security eco-system in the
country, in tune with the globally networked environment.
Cyberspace is vulnerable to a wide variety of incidents, whether intentional or accidental, manmade
or natural, and the data exchanged in the cyberspace can be exploited for nefarious purposes by
both nation-states and non-state actors. The protection of information infrastructure and
preservation of the confidentiality, integrity and availability of information in cyberspace is the
essence of a secure cyber space.
The "National Cyber Security Policy" has hence been prepared in consultation with all relevant
stakeholders, user entities and public. The policy aims at facilitating creation of secure computing
environment and enabling adequate trust and confidence in electronic transactions and also guiding
stakeholders actions for protection of cyber space.
Vision
To build a secure and resilient cyberspace for citizens, businesses and Government
Mission
To protect information and information infrastructure in cyberspace, build capabilities to prevent
and respond to cyber threats, reduce vulnerabilities and minimize damage from cyber incidents
through a combination of institutional structures, people, processes, technology and cooperation.
Objectives
• To create a secure cyber ecosystem in the country, generate adequate trust & confidence in
IT systems and transactions in cyberspace and thereby enhance adoption of IT in all sectors
of the economy.
• To create an assurance framework for design of security policies and for promotion and
enabling actions for compliance to global security standards and best practices by way of
conformity assessment (product, process, technology & people).
• To strengthen the Regulatory framework for ensuring a Secure Cyberspace ecosystem.
• To enhance and create National and Sectoral level 24 x 7 mechanisms for obtaining
strategic information regarding threats to ICT infrastructure, creating scenarios for response,
resolution and crisis management through effective predictive, preventive, protective,
response and recovery actions.
• To enhance the protection and resilience of Nation’s critical information infrastructure by
operating a 24x7 National Critical Information Infrastructure Protection Centre (NCIIPC)
and mandating security practices related to the design, acquisition, development, use and
operation of information resources.
• To develop suitable indigenous security technologies through frontier technology research,
solution oriented research, proof of concept, pilot development, transition, diffusion and
commercialisation leading to widespread deployment of secure ICT products / processes in
general and specifically for addressing National Security requirements.
• To improve visibility of the integrity of ICT products and services by establishing
infrastructure for testing & validation of security of such products.
• To create a workforce of 500,000 professionals skilled in cyber security in the next 5 years
through capacity building, skill development and training.
• To provide fiscal benefits to businesses for adoption of standard security practices and
processes.
• To enable protection of information while in process, handling, storage & transit so as to
safeguard privacy of citizen's data and for reducing economic losses due to cyber crime or
data theft.
• To enable effective prevention, investigation and prosecution of cyber crime and
enhancement of law enforcement capabilities through appropriate legislative intervention.
• To create a culture of cyber security and privacy enabling responsible user behaviour &
actions through an effective communication and promotion strategy.
• To develop effective public private partnerships and collaborative engagements through
technical and operational cooperation and contribution for enhancing the security of
cyberspace.
• To enhance global cooperation by promoting shared understanding and leveraging
relationships for furthering the cause of security of cyberspace.
Strategies
1. Creating a secure cyber ecosystem
o To designate a National nodal agency to coordinate all matters related to cyber
security in the country, with clearly defined roles & responsibilities.
o To encourage all organizations, private and public to designate a member of senior
management, as Chief Information Security Officer (CISO), responsible for cyber
security efforts and initiatives.
o To encourage all organizations to develop information security policies duly
integrated with their business plans and implement such policies as per international
best practices. Such policies should include establishing standards and mechanisms
for secure information flow (while in process, handling, storage & transit), crisis
management plan, proactive security posture assessment and forensically enabled
information infrastructure.
o To ensure that all organizations earmark a specific budget for implementing cyber
security initiatives and for meeting emergency response arising out of cyber
incidents.
o To provide fiscal schemes and incentives to encourage entities to install, strengthen
and upgrade information infrastructure with respect to cyber security.
o To prevent occurrence and recurrence of cyber incidents by way of incentives for
technology development, cyber security compliance and proactive actions.
o To establish a mechanism for sharing information and for identifying and
responding to cyber security incidents and for cooperation in restoration efforts.
o To encourage entities to adopt guidelines for procurement of trustworthy ICT
products and provide for procurement of indigenously manufactured ICT products
that have security implications.
2. Creating an assurance framework
o To promote adoption of global best practices in information security and compliance
and thereby enhance cyber security posture.
o To create infrastructure for conformity assessment and certification of compliance to
cyber security best practices, standards and guidelines (e.g. ISO 27001 ISMS
certification, IS system audits, penetration testing / vulnerability assessment,
application security testing, web security testing).
o To enable implementation of global security best practices in formal risk assessment
and risk management processes, business continuity management and cyber crisis
management plan by all entities within Government and in critical sectors, to reduce
the risk of disruption and improve the security posture.
o To identify and classify information infrastructure facilities and assets at entity level
with respect to risk perception for undertaking commensurate security protection
measures.
o To encourage secure application / software development processes based on global
best practices.
o To create conformity assessment framework for periodic verification of compliance
to best practices, standards and guidelines on cyber security.
o To encourage all entities to periodically test and evaluate the adequacy and
effectiveness of technical and operational security control measures implemented in
IT systems and in networks.
3. Encouraging Open Standards
o To encourage use of open standards to facilitate interoperability and data exchange
among different products or services.
o To promote a consortium of Government and private sector to enhance the
availability of tested and certified IT products based on open standards.
4. Strengthening the Regulatory framework
o To develop a dynamic legal framework and its periodic review to address the cyber
security challenges arising out of technological developments in cyber space (such
as cloud computing, mobile computing, encrypted services and social media) and its
harmonization with international frameworks including those related to Internet
governance.
o To mandate periodic audit and evaluation of the adequacy and effectiveness of
security of information infrastructure as may be appropriate, with respect to
regulatory framework.
o To enable, educate and facilitate awareness of the regulatory framework.
5. Creating mechanisms for security threat early warning, vulnerability management
and response to security threats
o To create National level systems, processes, structures and mechanisms to generate
necessary situational scenario of existing and potential cyber security threats and
enable timely information sharing for proactive, preventive and protective actions by
individual entities.
o To operate a 24x7 National Level Computer Emergency Response Team (CERT-In)
to function as a Nodal Agency for coordination of all efforts for cyber security
emergency response and crisis management. CERT-In will function as an umbrella
organization in enabling creation and operationalization of sectoral CERTs as well
as facilitating communication and coordination actions in dealing with cyber crisis
situations.
o To operationalise 24x7 sectoral CERTs for all coordination and communication
actions within the respective sectors for effective incident response & resolution
and cyber crisis management.
o To implement Cyber Crisis Management Plan for dealing with cyber related
incidents impacting critical national processes or endangering public safety and
security of the Nation, by way of well coordinated, multi disciplinary approach at
the National, Sectoral as well as entity levels.
o To conduct and facilitate regular cyber security drills & exercises at National,
sectoral and entity levels to enable assessment of the security posture and level of
emergency preparedness in resisting and dealing with cyber security incidents.
6. Securing E-Governance services
o To mandate implementation of global security best practices, business continuity
management and cyber crisis management plan for all e-Governance initiatives in
the country, to reduce the risk of disruption and improve the security posture.
o To encourage wider usage of Public Key Infrastructure (PKI) within Government for
trusted communication and transactions.
o To engage information security professionals / organisations to assist e-Governance
initiatives and ensure conformance to security best practices.
7. Protection and resilience of Critical Information Infrastructure
o To develop a plan for protection of Critical Information Infrastructure and its
integration with business plan at the entity level and implement such plan. The plans
shall include establishing mechanisms for secure information flow (while in process,
handling, storage & transit), guidelines and standards, crisis management plan,
proactive security posture assessment and forensically enabled information
infrastructure.
o To operate a 24x7 National Critical Information Infrastructure Protection Centre
(NCIIPC) to function as the nodal agency for critical information infrastructure
protection in the country.
o To facilitate identification, prioritisation, assessment, remediation and protection of
critical infrastructure and key resources based on the plan for protection of critical
information infrastructure.
o To mandate implementation of global security best practices, business continuity
management and cyber crisis management plan by all critical sector entities, to
reduce the risk of disruption and improve the security posture.
o To encourage and mandate as appropriate, the use of validated and certified IT
products.
o To mandate security audit of critical information infrastructure on a periodic basis.
o To mandate certification for all security roles right from CISO / CSO to those
involved in operation of critical information infrastructure.
o To mandate secure application/software development process (from design through
retirement) based on global best practices.
8. Promotion of Research & Development in cyber security
o To undertake Research & Development programs for addressing all aspects of
development aimed at short term, medium term and long term goals. The Research
& Development programs shall address all aspects including development of
trustworthy systems, their testing, deployment and maintenance throughout the life
cycle and include R&D on cutting edge security technologies.
o To encourage Research & Development to produce cost-effective, tailor-made
indigenous security solutions meeting a wider range of cyber security challenges and
target for export markets.
o To facilitate transition, diffusion and commercialisation of the outputs of Research
& Development into commercial products and services for use in public and private
sectors.
o To set up Centres of Excellence in areas of strategic importance from the point of view of
security of cyber space.
o To collaborate in joint Research & Development projects with industry and
academia in frontline technologies and solution oriented research.
9. Reducing supply chain risks
o To create and maintain testing infrastructure and facilities for IT security product
evaluation and compliance verification as per global standards and practices.
o To build trusted relationships with product / system vendors and service providers
for improving end-to-end supply chain security visibility.
o To create awareness of the threats, vulnerabilities and consequences of breach of
security among entities for managing supply chain risks related to IT (products,
systems or services) procurement.
10. Human Resource Development
o To foster education and training programs both in formal and informal sectors to
support the Nation’s cyber security needs and build capacity.
o To establish cyber security training infrastructure across the country by way of
public private partnership arrangements.
o To establish cyber security concept labs for awareness and skill development in key
areas.
o To establish institutional mechanisms for capacity building for Law Enforcement
Agencies.
11. Creating Cyber Security Awareness
o To promote and launch a comprehensive national awareness program on security of
cyberspace.
o To sustain security literacy awareness and publicity campaign through electronic
media to help citizens to be aware of the challenges of cyber security.
o To conduct, support and enable cyber security workshops / seminars and
certifications.
12. Developing effective Public Private Partnerships
o To facilitate collaboration and cooperation among stakeholder entities including
private sector, in the area of cyber security in general and protection of critical
information infrastructure in particular for actions related to cyber threats,
vulnerabilities, breaches, potential protective measures, and adoption of best
practices.
o To create models for collaborations and engagement with all relevant stakeholders.
o To create a think tank for cyber security policy inputs, discussion and deliberations.
13. Information sharing and cooperation
o To develop bilateral and multi-lateral relationships in the area of cyber security with
other countries.
o To enhance National and global cooperation among security agencies, CERTs,
Defence agencies and forces, Law Enforcement Agencies and the judicial systems.
o To create mechanisms for dialogue related to technical and operational aspects with
industry in order to facilitate efforts in recovery and resilience of systems including
critical information infrastructure.
14. Prioritized approach for implementation
To adopt a prioritized approach to implement the policy so as to address the most critical areas in
the first instance.
Operationalisation of the Policy
This policy shall be operationalised by way of detailed guidelines and plans of action at various
levels such as national, sectoral, state, ministry, department and enterprise, as may be appropriate,
to address the challenging requirements of security of the cyberspace.
In 2020, the National Cyber Security Strategy was conceptualised by the Data Security Council
of India (DSCI) headed by Lt General Rajesh Pant. The report focused on 21 areas to ensure a
safe, secure, trusted, resilient, and vibrant cyberspace for India.
▪ However, amid a surge in cyberattacks on India’s networks, the Centre is yet to
implement the National Cyber Security Strategy.
What is the Need for a National Cyber Security Strategy?
▪ Increasing Number Of Cyber Attacks: As per American cybersecurity firm Palo Alto
Networks’ 2021 report, Maharashtra was the most targeted state in India — facing
42% of all ransomware attacks.
o The report stated that India is among the more economically profitable regions for
hacker groups and hence these hackers ask Indian firms to pay a ransom, usually
using cryptocurrencies, in order to regain access to the data.
o One in four Indian organisations suffered a ransomware attack in 2021 —
higher than the global average of 21%.
▪ Cyber Warfare Offensives:
o The US is just one of many countries that have invested significant amounts of
money in developing not just defences against attack, but the ability to
mount damaging cyber warfare offensives.
o The countries which are believed to have the most developed cyber warfare
capabilities are the US, China, Russia, Israel and the United Kingdom.
▪ Increased Digital usage Post-Covid:
o Critical infrastructure is getting digitised in a very fast way — this includes
financial services, banks, power, manufacturing, nuclear power plants, etc.
▪ For Protecting Critical Sectors:
o It is particularly significant given the increasing interconnectedness of sectors and
proliferation of entry points into the internet, which could further grow with
the adoption of 5G.
o There were 6.97 lakh cyber security incidents reported in the first eight months of
2020, nearly equivalent to the previous four years combined, according to
information reported to and tracked by the Indian Computer Emergency Response
Team (CERT-In).
▪ Recent Cyber Attacks:
o There has been a steep rise in the use of resources like malware by a Chinese group
called Red Echo to target “a large swathe” of India’s power sector.
o Red Echo used malware called ShadowPad, which involves the use of a backdoor
to access servers.
o The Chinese hacker group known as Stone Panda had “identified gaps and
vulnerabilities in the IT infrastructure and supply chain software of Bharat Biotech
and the Serum Institute of India”.
▪ For Government:
o A local, state or central government maintains a huge amount of confidential data
related to the country (geographical, military-strategic assets etc.) and citizens.
▪ For Individuals:
o Photos, videos and other personal information shared by an individual on social
networking sites can be inappropriately used by others, leading to serious and even
life-threatening incidents.
▪ For Businesses:
o Companies have a lot of data and information on their systems.
o A cyber attack may lead to loss of competitive information (such as patents or
original work), and loss of employees/customers’ private data resulting in complete
loss of public trust in the integrity of the organisation.
What are the Main Components of the National Cyber Security Strategy?
▪ Large Scale Digitisation of Public Services: Focus on security in the early stages of design
in all digitisation initiatives.
o Developing institutional capability for assessment, evaluation, certification, and
rating of the core devices
o Timely reporting of vulnerabilities and incidents.
▪ Supply Chain Security: Monitoring and mapping of the supply chain of integrated
circuits (ICs) and electronics products.
o Leveraging the country’s semiconductor design capabilities globally at strategic,
tactical and technical levels.
▪ Critical Information Infrastructure Protection: Integrating Supervisory Control And
Data Acquisition (SCADA) security
o Maintaining a repository of vulnerabilities.
o Preparing an aggregate level security baseline of the sector and tracking its
controls.
o Devising audit parameters for threat preparedness and developing cyber-insurance
products.
▪ Digital Payments: Mapping and modelling of devices and platforms deployed, supply
chain, transacting entities, payment flows, interfaces and data exchange.
▪ State-Level Cyber Security: Developing state-level cybersecurity policies,
o Allocation of dedicated funds,
o Critical scrutiny of digitization plans,
o Guidelines for security architecture, operations, and governance.
▪ Security of Small And Medium Businesses: Policy intervention in cybersecurity granting
incentives for a higher level of cybersecurity preparedness.
o Developing security standards, frameworks, and architectures for the adoption of
the Internet of Things (IoT) and industrialisation.
What steps does the report suggest?
▪ Budgetary Provisions: A minimum allocation of 0.25% of the annual budget, which can
be raised up to 1%, has been recommended to be set aside for cyber security.
o In terms of separate ministries and agencies, 15-20% of the IT/technology
expenditure should be earmarked for cybersecurity.
o It also suggests setting up a Fund of Funds for cybersecurity and providing
Central funding to States to build capabilities in the same field.
▪ Research, Innovation, Skill-Building And Technology Development: The report
suggests investing in modernisation and digitisation of ICT, setting up a short and long
term agenda for cyber security via outcome-based programs and providing investments in
deep-tech cyber security innovation.
o DSCI further recommends creating a ‘cyber security services’ cadre, with personnel
chosen from the Indian Engineering Services.
▪ Crisis Management: For adequate preparation to handle a crisis, DSCI
recommends holding cybersecurity drills which include real-life scenarios with their
ramifications.
▪ Cyber Insurance: Cyber insurance is still a field with little research behind it; it needs an
actuarial science that can address cybersecurity risks in business and technology scenarios
and calculate threat exposures.
▪ Cyber Diplomacy: Cyber diplomacy plays a large role in shaping India’s global relations.
Hence the cyber security preparedness of key regional blocs such as the Bay of Bengal
Initiative for Multi-Sectoral Technical and Economic Cooperation (BIMSTEC) and the
Shanghai Cooperation Organisation (SCO) must be ensured via programmes, exchanges and
industrial support.
o To further strengthen diplomacy, the government should promote brand India as a
responsible player in cyber security and also create ‘cyber envoys’ for the key
countries/regions.
▪ Cybercrime Investigation: With the increase in cybercrime across the world, the report
recommends unburdening the judicial system by creating laws to resolve spamming and
fake news.
o It also suggests charting a 5-year roadmap that factors in possible technology
transformation, setting up exclusive courts to deal with cybercrimes and clearing the
backlog of cybercrime cases.
o Moreover, DSCI suggests advanced forensic training for agencies to keep up in the
age of AI/ML, Blockchain, IoT, Cloud, Automation.