Cyber Readiness Program
Presented by: Henry Vido, Program Director, CRI; Mohamed Mahdy, Information Technology & Administration Director, IBAG
The Cyber Readiness Institute empowers small and medium-sized organizations with practical tools and resources to improve their cybersecurity. Our first offering is the free, validated Cyber Readiness Program. Our Co-Chairs and Members are cyber experts and business leaders – from across sectors and regions – who have come together to secure global value chains.
The Cyber Readiness Program
• A free, self-driven Cyber Readiness Program
• Enabling small and medium-sized companies to be more cyber resilient
• Addressing top issues – phishing, patching, authentication, and USBs – and providing guidance for incident response and going to the cloud
• Web-based guided program featuring content, resources, tools and metrics
The CRI Program focuses on four key issues.
• USBs: USBs and removable media devices are easy gateways for malware to infect your computer.
• Authentication: A weak password is an easy access point to your most sensitive information and systems.
• Patching: Patches are updates to your software and systems that contain important security remedies.
• Phishing: Phishing is an email-borne attack that attempts to use your email account to do something malicious.
The Program also provides guidance on moving to the Cloud.
Cyber Readiness Program: 5 Stages
• Get Started: prepare organization and select Cyber Readiness Leader. Tips on being an effective Cyber Readiness Leader. Commitment letter between CEO and the Leader.
• Assess & Prioritize: learn about the four key issues: Authentication, Patching, Phishing, and USB use. Prioritize what to protect and what to move to the cloud and when. Establish baseline metrics.
• Agree & Commit: Access and modify policy templates so they are practical for the organization. Develop incident response plan from template.
• Roll Out: Introduce the Cyber Readiness Program to workforce. Access training and communication kit. Workforce commitment letter.
• Measure Success: Re-do baseline metrics to measure impact. Obtain a certificate from the Cyber Readiness Institute.
The CRI Approach
• Preventive measures.
• Organizational culture of cyber readiness.
• Practical tools that can be customized for each organization.
• Self-guided, led by an internal Cyber Leader.
Key Elements of the Program
• Prioritization Worksheet: This document allows the SMB to create a checklist of the information most critical to the organization.
• Baseline Metrics: These metrics allow the SMB to gauge their level of cyber readiness by examining their current policies and procedures.
• Incident Response Plan: This document allows the SMB to create a roadmap for what to do when responding to a security incident.
IBAG Prioritization Worksheet
What do we have?
• Network infrastructure
• Workstations list
• Servers list
• Types of information
What is the most important?
• Network infrastructure
• Workstations list
• Servers list
• Types of information
IBAG Baseline Metrics Results
• Some departments are Cyber ready
• Received some resistance against security measures from some employees
Spot check
• Meetings with department managers
• Short interviews with some HQ employees
Decision
• We should run a security awareness program (during and after the program)
IBAG IRP
• Prepare
  • Backup
  • IT training
• Respond
  • Identify the type of incident (CRI Policy)
  • Immediately get the device off the network
  • Call IT team
• Recover
  • Notification
  • Clean infected systems
  • Restore data
How to Manage the Risk of USBs
• Develop a Policy: Control the use of USBs in your organization by developing a strong company policy either prohibiting USB use or at a minimum monitoring their use.
• Educate Employees: Most people won't know about the true dangers of unknown USBs. Train your workforce to make proper use a priority.
• Provide Alternatives: Define appropriate alternatives to storing, transporting, and sharing information in your organization.
• Disable USB port remotely using Domain GPO (HQ & CSC)
• Disable USB port using Registry editor (Branches)
IBAG USB Policy
• IBAG prohibits the use of USBs, except in defined circumstances as outlined below
• IT team is responsible for scanning USBs on a computer not connected to the network, to verify that there is no malware or malicious code present. This applies even to new USBs
• IT team is responsible for distributing USBs to employees who will routinely find themselves in situations where information needs to be shared with a trusted party and there is no access to a secure network
• After an employee uses a USB to share information with a trusted party, or receives a USB from a trusted party, the USB must be re-scanned on a computer not connected to the network by the Cyber Leader or designated IT person, to check for malware or malicious code
• Employees of IBAG must never accept or use a USB received from anyone other than a trusted party (e.g., received at a trade show, given to them by a vendor, picked up in a parking lot) or the Cyber Leader or designated IT person
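The slide names two mechanisms for blocking USB storage: a domain GPO for HQ and CSC, and the Registry editor for branch machines outside the domain. The script below is an added example, not IBAG's or CRI's own tooling, that performs the branch-office registry change from PowerShell and records who applied it, so the Cyber Leader can spot-check machines during the Measure Success stage. The log path is a hypothetical choice; the USBSTOR Start value (4 = disabled, 3 = start on demand) is the standard Windows setting.

```powershell
# Added example (not IBAG's or CRI's own script): enforce the "disable USB storage
# via Registry editor" step on a branch machine from PowerShell instead of by hand.
# HQ and CSC hosts get the same setting through the domain GPO, so this is only for
# hosts outside the domain. Run in an elevated (Administrator) session.
# USBSTOR Start = 4 is the "disabled" state; 3 is "start on demand" (enabled).

$UsbStorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
$AuditLog   = Join-Path $env:ProgramData 'IBAG\usb-policy.log'   # hypothetical log location

function Get-UsbStorageState {
    # Report the current policy state so the Cyber Leader can spot-check a machine.
    $start = (Get-ItemProperty -Path $UsbStorKey -Name Start -ErrorAction Stop).Start
    switch ($start) {
        4       { 'Disabled' }
        3       { 'Enabled' }
        default { "Unknown (Start=$start)" }
    }
}

function Set-UsbStorageState {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Enabled', 'Disabled')]
        [string]$State
    )
    $value = if ($State -eq 'Disabled') { 4 } else { 3 }
    Set-ItemProperty -Path $UsbStorKey -Name Start -Value $value -Type DWord

    # Keep a local audit trail of who changed the setting and when.
    New-Item -ItemType Directory -Path (Split-Path $AuditLog) -Force | Out-Null
    "$(Get-Date -Format o) $env:COMPUTERNAME USBSTOR -> $State by $env:USERNAME" |
        Add-Content -Path $AuditLog
}

# Usage on a branch workstation:
#   Set-UsbStorageState -State Disabled
#   Get-UsbStorageState
```

Two caveats a branch IT person should know: the USBSTOR service only governs mass-storage class devices, so keyboards, mice and other USB peripherals keep working, and a drive that is already mounted when the value changes stays usable until it is unplugged or the machine reboots. The offline scanning machine the policy describes needs Start set back to 3 (Enabled) on that one host, otherwise it cannot read the USBs it is supposed to check.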
How to Change a Culture of Weak Passwords
• Change the Narrative: Educate your workforce to the dangers of weak passwords, both professionally and personally.
• Reinforce the Message: Use visual resources, like posters, to remind your workforce of the importance of strong passwords.
• Use Two-Factor Authentication: If an application or piece of software has two-factor authentication, make sure your employees are using it.
IBAG Authentication Policy
• Use passwords or PINs on all devices, including your personal phone and tablet.
• Never use the same Password for business or personal purposes.
• Passwords must be changed if there has been a cyber incident.
• Never use or reuse the same Password on two (or more) systems at the same time.
• Never share accounts among multiple people.
• Always enable two-factor authentication if it is supported and offered on any application used on company devices or personal devices used for business.
• Password should have a minimum of 12 characters
• Password should contain Uppercase letters, Lowercase letters and numbers
• Access to our data and systems is limited to the people that need it to do their job.
Passphrases must be at least 64 characters in length. They do not need to include numerals, special characters, or a combination of lower and upper case:
• Long enough to be hard to guess
• Hard to guess by intuition—even by someone who knows the user well
• Easy to remember
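The policy accepts two forms of secret: a 12+ character password with upper-case, lower-case and digit characters, or a 64+ character passphrase with no composition rule. The function below is an added example, not IBAG's or CRI's own code, that encodes exactly those two paths so a user can check a new secret against policy before setting it. The function name is a hypothetical one; the rules are taken from the policy text above.

```powershell
# Added example (not IBAG's or CRI's own code): a check that encodes the two
# acceptable forms in the IBAG Authentication Policy, a 12+ character password
# with upper, lower and digit characters, or a 64+ character passphrase with no
# composition rule. Meant for a self-service "does my new secret meet policy"
# prompt; it never stores or logs the secret.

function Test-IbagSecretPolicy {
    param(
        [Parameter(Mandatory)]
        [string]$Secret
    )
    $reasons = New-Object System.Collections.Generic.List[string]

    # Passphrase path: length alone satisfies the policy.
    if ($Secret.Length -ge 64) {
        return [pscustomobject]@{ Compliant = $true; Form = 'Passphrase'; Reasons = @() }
    }

    # Password path: minimum length plus three character classes.
    # -cnotmatch is case-sensitive, so [A-Z] and [a-z] are checked separately.
    if ($Secret.Length -lt 12)      { $reasons.Add('fewer than 12 characters') }
    if ($Secret -cnotmatch '[A-Z]') { $reasons.Add('no uppercase letter') }
    if ($Secret -cnotmatch '[a-z]') { $reasons.Add('no lowercase letter') }
    if ($Secret -notmatch  '[0-9]') { $reasons.Add('no digit') }

    [pscustomobject]@{
        Compliant = ($reasons.Count -eq 0)
        Form      = 'Password'
        Reasons   = $reasons.ToArray()
    }
}

# Usage: read the candidate without echoing it, evaluate, then drop the plaintext.
$candidate = Read-Host -Prompt 'Enter the new password or passphrase' -AsSecureString
$plain     = [System.Net.NetworkCredential]::new('', $candidate).Password
$result    = Test-IbagSecretPolicy -Secret $plain
$plain     = $null
$result | Format-List
```

This check covers only the composition rules. The policy's other requirements (no reuse across systems, no shared accounts, two-factor authentication wherever it is offered, rotation after an incident) are behavioural and are enforced through the awareness program and the identity provider's settings, not by inspecting the secret itself.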
IBAG Status
• Authentication, USB, Patching and Phishing policies were applied
• Security training for IT staff has been done
• Security awareness program for employees still under development
• Security awareness posters are used in HQ, CSC and some branches
• Incident response plan (Response processes will be updated after the awareness program)
• NOW WE ARE CYBER READY
Thank you!
Henry Vido
hvido@cyberreadinessinstitute.org
Sign up today at www.cyberreadinessinstitute.org