Identify
Cyber security is an ever-evolving discipline in which best practice changes constantly to meet the challenges posed by malicious actors. In the past we could be content that we understood the local threats to our organisation. That approach is no longer adequate.
In the modern world these threats are global. Attackers operate at low cost, often with anonymity on their side and with the protection of jurisdictions beyond the reach of the victim.
Engineering a completely secure operational platform on which our organisation can safely go about its business is expensive, and the effort is often undermined by simple things: misconfigurations, incorrectly chosen products, inappropriate controls and poor implementations.
Our IT staff are often stretched between keeping the lights on and delivering new capability. The biggest issues they face when trying to develop and maintain a secure posture are limited experience outside their own sphere of influence and limited knowledge of how malicious actors operate. Add to this the fact that the majority of cyber security attacks are intangible or go unnoticed, and you have a recipe for disaster.
Governance, Risk and Compliance
In order to develop a strong, cohesive and effective governance, risk and compliance program, the acceptable risk profile for the organisation needs to be determined.
This profile is determined by balancing the threats to resources, and the impact should those threats be realised, against the corporate appetite for risk and the cost of prevention.
The Identify function focuses on determining and mapping the resources, vulnerabilities, threats and impacts so a full and clear picture of true risk can be determined.
Understanding the situations and causes of how systems are impacted allows for the development of comprehensive mitigation strategies that align with the organisational risk appetite.
Resources and vulnerabilities
Our environments are increasingly complex and often poorly understood outside of the teams that support each part of them. Developing a cohesive and comprehensive understanding of the environment is difficult with so many competing pressures.
Determining the systems, configurations and overall architecture of the environment allows the vulnerabilities of each system to be identified.
These vulnerabilities are often a combination of the following:
- Misconfigurations.
- Unpatched security vulnerabilities.
- Inadequate policies and procedures.
- Insecure linkages to other systems.
- Inadequate business continuity (BCP) procedures.
Threats
Threats to an organisation come in many forms, from natural disaster to malicious activity, and in many combinations of these.
Threats are the pathways through which vulnerabilities are exploited. Understanding the threat actors and what motivates them helps to determine effective mitigation strategies.
These threats are often a combination of the following:
- System failures:
  - Hardware.
  - Software.
  - Power.
- Accidental data loss.
- Malicious actors:
  - Motivated insiders.
  - Motivated activist groups.
  - Criminal entities.
- Compromise through insecure linkages to other systems.
Impacts
The impacts of a threat being realised range from merely inconvenient through to life-threatening.
Understanding both the likelihood of an incident and the impact it would have on the organisation helps to determine the priority and focus that need to be applied when developing mitigation strategies.
In the GRC methodology, the likelihood and impact of an incident together determine where mitigation effort is focused. The key point is that overall risk cannot be determined without understanding the full complexity of the factors above: resources, vulnerabilities, threats and impacts.
Most organisations have a poor understanding of their resources, vulnerabilities, threats and impacts. This leads to inadequate development of relevant mitigations and results in an ineffective security posture.
The ACSC Essential 8
The ACSC Essential 8 covers the eight mitigation strategies the Australian Cyber Security Centre considers most effective at minimising cyber security incidents. Have us perform an Essential 8 Maturity Assessment on your organisation and get a head start on defending it.