Scribd
Upload
12 views

Action Plan For Implementing Cyber Essentials

Uploaded by

Gere Tassew
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
12 views

Action Plan For Implementing Cyber Essentials

Uploaded by

Gere Tassew
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 4

A Comprehensive Action Plan for Implementing Cyber Essentials:

Building a Culture of Cyber Readiness and Resilience.


1. Drive cybersecurity strategy, investment and culture

• Approach cybers as a business risk. Determine the potential operational, financial


and reputational impacts of cyber incidents.
• Invest time and resources into cybersecurity, including training and awareness for
staff.
• Build relationships with sector partners, government agencies, and associations to
stay up to date on threats and best practices.
• Lead development of cybersecurity policies and procedures for the organization.
• Conduct a risk assessment to identify top cyber threats and vulnerabilities. Prioritize
addressing the highest risks.
• Set clear, measurable goals and metrics for the cybersecurity program. Report
progress to leadership regularly.
• Dedicate a specific portion of the IT budget to cybersecurity tools, services and
training. Scale investment to risk level.
• Appoint a Chief Information Security Officer or Director of Cybersecurity to lead the
program, if feasible.
• Participate in industry Information Sharing and Analysis Centers (ISACs) to collaborate
and benchmark your efforts.
• Align cybersecurity strategy with overall business objectives and risk management
framework.
• Obtain buy-in and support from executive leadership and the board of directors.
• Incorporate security requirements and testing into project planning, budgeting and
vendor management processes.
• Foster a culture of openness and learning from mistakes rather than blame.
• Celebrate successes and recognize employees who demonstrate exceptional security
practices.

2. Develop security awareness and vigilance in employees

• Provide basic cybersecurity training to all employees on concepts, terminology and


best practices.
• Educate employees on prevalent risks like phishing and business email compromise.
Encourage reporting of suspicious activity.
• Identify and leverage existing training resources from professional associations,
government, academia and private sector.
• Promote a culture of awareness and good cyber hygiene habits.
• Require completion of security awareness training by all new hires before granting
system access.
• Conduct simulated phishing tests to assess employee awareness and reinforce
training.
• Incentivize and reward employees for reporting suspicious emails or behavior. Share
anonymized examples.
• Hold annual refresher training sessions and provide micro-learning content
throughout the year.
• Hang posters, distribute handouts and send newsletters on cybersecurity topics
regularly.
• Tailor training content to specific roles and departments to make it more relevant
and engaging.
• Use a variety of training formats like in-person, computer-based, games and hands-on
labs to reinforce learning.
• Encourage reporting of not just obvious threats, but also subtle anomalies that could
indicate an attack.
• Teach employees how to secure their home networks and personal devices, as these
can be entry points to company systems.
• Establish an open-door policy for employees to ask security questions and report
concerns without fear of judgement.

3. Protect critical assets and applications

• Inventory all hardware, software and data assets. Monitor network activity.
• Keep all systems and software up-to-date and patched. Remove unauthorized or
unsupported assets.
• Implement secure configurations on all devices.
• Use email and web browser security settings to prevent spoofed emails and block
malicious sites.
• Allow only approved software to run on systems.
• Establish a formal change management process to review security before
implementing any system changes.
• Perform vulnerability scans at least monthly and promptly remediate critical flaws.
• Encrypt data at rest on servers, in transit over networks, and on portable devices like
laptops and phones.
• Segment networks to isolate critical systems. Restrict inbound and outbound traffic
to only necessary ports/protocols.
• Disable unnecessary services, software and accounts. Restrict administrative
privileges.
• Implement application allowlisting to prevent execution of unauthorized software,
especially on critical servers.
• Perform regular vulnerability scanning and penetration testing to identify and
remediate security weaknesses.
• Use file integrity monitoring to detect unauthorized changes to critical system files
and directories.
• Deploy web application firewalls and database activity monitoring to protect against
application-layer attacks.
• Implement Data Loss Prevention (DLP) solutions to detect and prevent unauthorized
data exfiltration.
4. Ensure only authorized users access systems

• Require multi-factor authentication for all accounts, especially privileged ones.


• Grant access based on the least privilege - only what each user needs for their role.
• Use unique, strong passwords for all accounts. Manage changes in user status
promptly.
• Monitor user activity for anomalous behavior.
• Implement Single Sign-On and user provisioning/deprovisioning processes to
streamline account management.
• Restrict access to privileged accounts and sensitive data repositories to the minimum
required.
• Enforce password complexity, expiration and history requirements. Don't allow
commonly used/compromised passwords.
• Review user access privileges at least quarterly to identify and remove any
inappropriate access.
• Monitor failed login attempts, disabled accounts, new devices and other potential
indicators of unauthorized access.
• Implement risk-based authentication that requires stronger authentication methods
for higher-risk scenarios.
• Use privileged access management solutions to secure and monitor use of
administrative accounts.
• Implement network access control to ensure only authorized devices can connect to
the network.
• Monitor user activity for signs of compromise, like logins from unusual locations or
times, or large data transfers.
• Use security information and event management (SIEM) tools to correlate logs and
detect potential threats.

5. Backup data and system configurations

• Identify critical data and systems required for operations.


• Employ automatic, continuous data backup solutions.
• Follow the 3-2-1 rule - 3 copies of data, 2 different media types, 1 copy offsite.
• Protect backups with encryption, physical security and offline copies. Test recovery
capabilities.
• Determine Recovery Time Objectives and Recovery Point Objectives for critical
systems to align backup schedules.
• Implement backup redundancy and separation so backups aren't susceptible to the
same incident as production.
• Perform periodic test restores of backups to an alternate location to verify data
integrity and usability.
• Store copies of backups offline or on write-once media to protect against ransomware
encryption.
• Retain backups for a sufficient period to recover from incidents that may go
undetected for months, like data exfiltration.
• Consider using a cloud-based backup solution for scalability, reliability and
geographic separation from on-premises systems.
• Implement write once, read many (WORM) backup storage to create immutable
backups that can't be altered or deleted.
• Use different backup software for online and offline backups to mitigate the impact
of a flaw or compromise in one solution.
• Encrypt backup data at rest and in transit, and ensure encryption keys are securely
managed and accessible when needed.
• Define a data destruction policy to securely dispose of backup media that has
reached the end of its retention period.

6. Plan for incident response and continuity

• Develop, test and update an incident response plan with clear roles and
communications guidelines.
• Use business impact assessments to prioritize systems to restore first.
• Establish relationships with external incident response support providers.
• Contain incidents quickly to limit damage. Communicate transparently.
• Define criteria for declaring an incident and activating the response plan. Include
both technical and business factors.
• Identify forensic data sources like system logs and network packet captures to aid
investigation.
• Prepare communication templates for notifying internal and external stakeholders,
including law enforcement if applicable.
• Practice incident response procedures via tabletop exercises and live simulations at
least annually.
• Conduct a "lessons learned" review after major incidents to identify areas for
improvement.
• Predefine incident severity levels and corresponding response actions,
communication requirements and escalation paths.
• Identify and train an incident response team with representation from IT, security,
legal, HR and public relations.
• Establish relationships with external incident response firms and legal counsel before
an incident occurs.
• Create an incident response "playbook" with step-by-step procedures for common
incident types.
• Conduct "lessons learned" reviews after incidents and tests to identify areas for
improvement in detective and preventive controls.

With committed leadership driving a security-aware culture and implementation of these


essential practices, organizations can build a strong foundation of cyber readiness and
resilience. Regular testing, training and improvements should be part of an ongoing
process.

You might also like