The actions and measures detailed in our security advice blogs collectively represent a good foundation for effective information risk management.  This blog focuses on creating a secure and standard configuration of the technology you have in the business.

Summary

Introduce policies and processes to develop a secure baseline, and manage the configuration and use of your technology systems. Remove or disable unnecessary functionality from technology systems, and keep them patched against known vulnerabilities. Failing to do this will expose your business to threats and vulnerabilities, and increase risk to the confidentiality, integrity and availability of systems and information.

What’s the risk of not having a secure configuration?

Organisations that fail to produce and implement security policies that manage the secure configuration and patching of their technology systems are subject to the following risks:

1. Unauthorised changes to systems
2. Exploitation of unpatched vulnerabilities
3. Exploitation of insecure system configurations
4. Increases in the number of security incidents

How can you manage the risk?

1. Develop corporate policies to update and patch systems.  Use the latest versions of operating systems, web browsers and applications.
2. Create and maintain hardware and software inventories.  Create inventories of the authorised hardware and software that constitute technology systems across the organisation.
3. Lock down operating systems and software.  Consider the balance between system usability and security and then document and implement a secure baseline build for all technology systems, covering clients, mobile devices, servers, operating systems, applications and network devices such as firewalls and routers.
4. Conduct regular vulnerability scans.  Organisations should run automated vulnerability scanning tools against all networked devices regularly and remedy any identified vulnerabilities within an agreed time frame.
5. Establish configuration control and management.  Produce policies and procedures that define and support the configuration control and change management requirements for all ICT systems, including software.
6. Disable unnecessary input/output devices and removable media access.  Assess business requirements for user access to input/output devices and removable media (this could include MP3 players and Smart phones).
7. Implement whitelisting and execution control.  Create and maintain a whitelist of authorised applications and software that can be executed on technology systems.
8. Limit user ability to change configurations.  Provide users with the minimum system rights and permissions that they need to fulfil their business role.

Our IT security package includes a comprehensive range of IT security solutions designed to stop an attack from occurring. It also includes training and education for your staff so they are alert to possible cyber attacks. If you’d like to find out more please give us a call on 01392 207194.

Dave