IT Support and Hardware for Clinics
News, Information and Updates on Hardware and IT Tools to help improve your Medical practice

8 Questions Your Board Will Ask About Your Cybersecurity Program


Cybersecurity coverage is a critical concern for every modern business. Whether you're a growing company or an established multinational business, your IT infrastructure needs to be secured against a growing range of threats. 

 

An effective cybersecurity program needs to be both robust and capable of change. All possible threats and risk tolerance levels must be clearly defined and managed from the outset. Active participation by all stakeholders is required to ensure the best possible outcomes. 

 

From setting the direction of the program to making operational decisions and providing oversight, the board of directors and all C-suite executives need to understand, engage with, and take ownership of the program.

 

Let's look at eight big questions you need to answer to give your board full confidence in your cybersecurity coverage.

1) What attributes define a complete cybersecurity strategy?

A comprehensive cybersecurity program needs to protect relevant corporate information and systems, both now and in the future. Cybersecurity is all about managing cyber risk. To properly manage cyber risk, it is critical to have a basic understanding of the key components of a comprehensive and mature cybersecurity program. By comprehensive and mature we mean broad and deep: broad, meaning it includes all of the key components, and deep, meaning each key component is addressed to the degree that mitigates the cyber risk to a level acceptable to the Board and C-Suite.

 

Before you can protect the data that defines your organization, it's important to evaluate your current systems based on their structural integrity and ability to adapt. 

  • Maturity and consistency - Maturity is based on consistency over an extended period. This doesn't happen by accident, with effective security solutions adapted carefully to meet the specific needs of an organization. Your security architecture needs to be defined, your documentation needs to be thorough, and your working practices need to align with your security goals.
  • Flexibility and agility - Modern computer systems are changing all the time, and effective security solutions need to adapt to the wider world. Agility and flexibility are critical as security breaches often take place immediately after an update. If maturity is defined by the structural integrity of your security framework, then agility is defined as your ability to respond effectively at any given moment.

2) Have we got adequate review and training initiatives?

Effective cybersecurity solutions demand continual reviews, updates, and training initiatives. Whether it's buying new computers, updating network protocols, or training staff, security risk assessment is an ongoing process that helps to identify risk and ensure compliance at every turn.

 

Your cybersecurity program needs to be reviewed periodically by an independent and objective third party to ensure the continued relevance of its hardware tools, systems and services, and people. Updates alone are not enough: hardware must stay aligned with software, and software with the staff who use it.

 

Security risk assessments, ongoing testing, and awareness training are all required to mitigate risk and ensure safety. Employee training initiatives have a particularly vital role to play, with security breaches often the result of poorly trained staff or incomplete training methods that fail to align with technology updates. 

3) How do we ensure compliance?

Compliance is a critical element of IT security. Regulations put in place across industry sectors help to define appropriate levels of risk and protect information. Whether it's the CSF framework defined by the NIST, the HITECH Act legislation for health providers, or the HIPAA legislation to promote data privacy and security, your organization needs to ensure compliance at every level.

Active participation by all stakeholders is an essential part of the compliance process as well. To meet your obligations, you need to be aware of them first. From there, you can put appropriate measures in place to ensure your security and operational coverage. 

Compliance is about more than ticking boxes. It is an effective strategy and an essential part of your wider security stance.

Below are a few of the most important compliance standards:

  • NIST and CSF - The National Institute of Standards and Technology (NIST) promotes a Cybersecurity Framework (CSF) to help organizations better manage and reduce their cybersecurity risk. This framework is used to create consistent standards and guidelines across industry sectors. It is also used to augment specific industry regulations like HIPAA.
  • HITECH and HIPAA - While HITECH and HIPAA are separate laws, they often reinforce each other and both apply to the health industry. The HITECH Act was created in 2009 to support the secure adoption of electronic health records, with HIPAA adopted in 1996 to protect the security and privacy of patient health data.


4) How do we establish an acceptable risk tolerance level?

While protecting your organization demands diligence at every turn, a no-compromise attitude is rarely effective. Zero risk is impossible as a realistic protection objective, with each organization needing to decide how much loss they can tolerate before a threshold of damage is breached. 

Defining an appropriate level of acceptance or tolerance to risk is one of the most important discussions you can have. To quantify these risks, you must identify likely threats and their potential financial impacts. Security breaches can be significant because they influence both productivity losses and the cost of cleanup.

Before you can set up a robust and effective cybersecurity program, it's important to establish an acceptable risk tolerance level. What value are you trying to protect? And what price are you willing to pay to protect it properly? The NIST Risk Management Framework (RMF) is one important framework used to measure risk tolerance. 

5) Are we aware of our existing vulnerabilities?

A professional vulnerability assessment is needed to measure risk and allocate resources effectively, and to align the potential impact of each security incident with an acceptable level of risk. By breaking down your current security infrastructure, you can find existing vulnerabilities and create solutions that protect your organization.

6) What is our incident response plan?

Incident response and management is an important part of every cybersecurity strategy. While proactive measures are critical, it's just as important to have a response plan in place if something does go wrong. A comprehensive cyber incident management plan involves dedicated recovery measures for specific breaches. This multi-pronged reactive process must begin immediately following an intrusion and be able to adapt to changing circumstances.

7) Have we thought of third-party risk management and insurance?

Cybersecurity is an essential part of every vendor relationship, with malware and other forms of malicious code often hidden in supply chain entry points. A vendor may include a cloud service provider, an IT consultant, a data processor, or even an accounting firm.

Vendor policy management and insurance need to be built into every relationship you have, with effective management programs helping to mitigate risk, and insurance providing protection if something does go wrong. You need to understand risk and ensure best practice at every turn and strengthen vendor indemnities by ensuring that all key risk categories are addressed.

Along with mechanisms for vulnerability assessment and incident response, it's also important to consider the contractual language and documentation used to define the vendor relationship. When it comes to insurance, you need to be protected against internal and vendor-based threats. It's important to mandate your company as an additional insured on all third-party insurance policies.

8) What is the roadmap towards comprehensive coverage?

Robust and effective cybersecurity demands resources and funding, with an ongoing review of your current security program a great place to start. There is a roadmap involved with achieving comprehensive coverage, from the initial security assessment through to ongoing testing procedures, incident response plans, equipment updates, and employee training.

While asking questions is a great place to start, proactive measures, professional solutions, and insurance are needed to ensure comprehensive coverage in the months and years ahead.

Effective security measures demand diligence and constant engagement. From your technology and software systems to the people who use them every day, safety and compliance demand your full attention.

Cybersecurity and compliance is a team initiative that demands engagement at every level. From the board and C-suite executives who make the decisions to the people who work with the technology, security is everyone's responsibility.

 

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com


Report: Flaw Affects 12 Million Routers


At least 12 million home and small-office routers from 50 manufacturers have a flaw that an attacker could remotely exploit to seize control of the device and intercept all data that it transmits, according to security firm Check Point Software Technologies. Among the devices at risk are at least 200 different products manufactured by such vendors as D-Link, Edimax, Huawei, TP-Link, ZTE and ZyXEL.

Check Point presented the findings of their research into what they've dubbed the "Misfortune Cookie" vulnerability at this week's 31st Chaos Communication Congress, or 31C3, in Hamburg, Germany.


The company says it has discovered two distinct vulnerabilities in RomPager, which is a Web server built by Allegro Software that gets embedded in the firmware that runs many router and gateway devices. And Allegro has confirmed the flaws. One vulnerability, CVE-2014-9222, allows an attacker to remotely bypass the device's authentication mechanism; this is the Misfortune Cookie flaw. A related vulnerability, CVE-2014-9223, allows an attacker to create a buffer overflow on a device, triggering a denial of service.

"The Misfortune Cookie vulnerability is due to an error within the HTTP cookie management mechanism present in the affected software, allowing an attacker to determine the 'fortune' of a request by manipulating cookies," the Check Point researchers say. "All an attacker needs in order to exploit Misfortune Cookie is to send a single packet to your public IP address. No hacking tools required - just a simple, modern browser."

The Check Point researchers say they have yet to see any in-the-wild attacks that exploit the vulnerability. But based on scans of the Internet looking for equipment that runs a vulnerable version of RomPager, they found at least 12 million devices currently being used - across 189 countries - that are vulnerable to related attacks.

Users of devices that sport the flaw are at risk of having their data intercepted, warns Dublin-based information security consultant Brian Honan, who heads Ireland's computer emergency response team. "The biggest risk would be for the attackers to be able to modify settings on the router, such as changing the DNS settings," he says. "This could allow the attackers to then redirect the users' Web traffic to phishing websites, malware-loaded websites, or to intercept their Internet traffic and capture sensitive information such as passwords and financial details."

Beyond consumers, remote employees are also at risk from vulnerable devices, says threat-intelligence firm iSight Partners. "Although the Misfortune Cookie vulnerability does not affect routers commonly used in larger enterprise environments ... compromised devices still pose a potential threat to enterprises, especially to those with employees that perform work on their computer or mobile devices through home routers," it says in a research note.

Flaws Patched in 2005

In a statement, Allegro Software, which is based in Boxborough, Mass., notes: "These vulnerabilities were discovered in the RomPager embedded Web server version 4.07, which was released in 2002." But the company says that the flaws were identified and fixed, and an update - RomPager version 4.34, which fixes the vulnerability - was released to customers in 2005. The most recent version of RomPager is version 5.40.

But Allegro Software says that some manufacturers are continuing to ship products that include a version of RomPager that is a decade or more out of date. "Unfortunately, not all manufacturers using Allegro Software products have updated their devices with the latest RomPager software component," it says. "In some cases, manufacturers continue to make and sell products with software components that are over 13 years old, which can expose products to security concerns."

Allegro Software notes that it's a third-party supplier of embedded Web servers, and that it's incumbent upon device manufacturers to patch their customers' equipment, by issuing updated firmware. "If you have a product that is affected by the above security concerns, please contact the product manufacturer to obtain a firmware update," it says.

Huawei's Product Security Incident Response Team tells Information Security Media Group that it has identified the vulnerability and published a security notice on its website. According to that security alert, both the Huawei Echolife HG530 and HG520c routers are vulnerable to the two vulnerabilities discovered by Check Point. Huawei on Dec. 24 released a related patch for each of those devices.

D-Link, Edimax, TP-Link, ZTE and ZyXEL did not immediately respond to requests for comment on Check Point's research.

Pinpointing Problems

German IT journalist Hanno Böck has created a free online tool that's designed to scan hostnames or IP addresses for the presence of equipment that contains either of the vulnerabilities identified by Check Point.

If vendors fail to issue patches for vulnerable devices, then consumers might be best served by throwing those devices away. "If old tech is no longer supported, then people should consider replacing them with newer and more secure devices," says Honan, who is also a cybersecurity adviser to Europol. "Tech should be treated like many other items we use in our homes. If your vacuum cleaner can no longer do the job properly and it cannot be repaired, you replace it. The same [goes for] the items our digital lives depend on."

