Environmental Engineering Reference
In-Depth Information
understanding, risk cannot be properly assessed and protection strategies may not be sufficient. Documenting the information security architecture and its components is critical to understanding the overall protection strategy and identifying single points of failure.
14. Establish a rigorous, ongoing risk-management process. A thorough understanding of the risks to network computing resources from denial-of-service attacks and the vulnerability of sensitive information to compromise is essential to an effective cyber security program. Risk assessments form the technical basis of this understanding and are critical to formulating effective strategies to mitigate vulnerabilities and preserve the integrity of computing resources. Initially, perform a baseline risk analysis based on the current threat assessment and use it to develop a network protection strategy. Because technology changes rapidly and new threats emerge daily, an ongoing risk-assessment process is also needed so that routine changes can be made to the protection strategy to ensure it remains effective. Fundamental to risk management is the identification of the residual risk that remains with a network protection strategy in place, and the acceptance of that risk by management.
15. Establish a network protection strategy based on the principle of defense in depth. A fundamental principle that must be part of any network protection strategy is defense in depth. Defense in depth must be considered early in the design phase of the development process and must be an integral consideration in all technical decision-making associated with the network. Use technical and administrative controls to mitigate the threats behind identified risks to as great a degree as possible at all levels of the network. Single points of failure must be avoided, and cyber security defenses must be layered so that the impact of any security incident is limited and contained. Additionally, each layer must be protected against other systems at the same layer, so that compromise of one host does not give free access to its neighbors. For example, to protect against the insider threat, restrict each user to only those resources necessary to perform his or her job function.
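The following is an added example, not part of the original text, showing how the layered, least-privilege approach above looks as an authorization check. It evaluates three independent layers (network zone reachability, role grants, and a per-resource allowlist enforced at the resource itself), denies by default anything not explicitly granted, and reports every layer that denies a request so an audit trail shows how many controls stood in the way. The zones, roles, resources and policy tables are constructed for illustration and are not from the page or any real system.

```python
"""Layered, default-deny authorization check (added example).

Three independent layers must each allow a request on its own:
  1. network: may the source zone reach the zone the resource lives in?
  2. identity: does the user's role carry an explicit (resource, action) grant?
  3. resource: does the resource itself agree to serve that role?
A request is denied when any layer denies it, so a mistake in one layer
is contained by the others, and users inside a zone still reach only what
their job function needs. All policy data below is constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Layer 1 (network): constructed segmentation, corporate -> dmz -> control.
ZONE_REACH: Dict[str, Set[str]] = {
    "corporate": {"corporate", "dmz"},
    "dmz": {"dmz", "control"},
    "control": {"control"},
}

# Layer 2 (identity): role -> allowed (resource, action) pairs.
# Least privilege: each role lists only what its job function requires.
ROLE_GRANTS: Dict[str, Set[Tuple[str, str]]] = {
    "operator": {("hmi", "read"), ("hmi", "write"), ("historian", "read")},
    "engineer": {("plc-config", "read"), ("plc-config", "write"), ("historian", "read")},
    "auditor": {("historian", "read")},
}

# Layer 3 (resource): each resource knows its own zone and which roles it
# will serve, enforced locally so the central role table is not a single
# point of failure.
RESOURCE_POLICY: Dict[str, Tuple[str, Set[str]]] = {
    "hmi": ("control", {"operator"}),
    "plc-config": ("control", {"engineer"}),
    "historian": ("dmz", {"operator", "engineer", "auditor"}),
}


@dataclass(frozen=True)
class Request:
    user: str
    role: str
    source_zone: str
    resource: str
    action: str


def evaluate(req: Request, zone_reach: Dict[str, Set[str]] = ZONE_REACH) -> List[str]:
    """Return the list of layers that deny the request (empty list = allowed).

    Every layer is evaluated rather than stopping at the first failure, so
    the caller can log how many independent controls blocked the request.
    Anything not explicitly granted is denied.
    """
    denials: List[str] = []
    policy = RESOURCE_POLICY.get(req.resource)
    if policy is None:
        return ["resource: unknown resource (default deny)"]
    target_zone, served_roles = policy

    if target_zone not in zone_reach.get(req.source_zone, set()):
        denials.append(f"network: zone {req.source_zone} cannot reach {target_zone}")
    if (req.resource, req.action) not in ROLE_GRANTS.get(req.role, set()):
        denials.append(f"identity: role {req.role} not granted {req.action} on {req.resource}")
    if req.role not in served_roles:
        denials.append(f"resource: {req.resource} does not serve role {req.role}")
    return denials


def is_allowed(req: Request, zone_reach: Dict[str, Set[str]] = ZONE_REACH) -> bool:
    return not evaluate(req, zone_reach)


if __name__ == "__main__":
    # Normal job function: an operator in the control zone writes to the HMI.
    print(evaluate(Request("alice", "operator", "control", "hmi", "write")))
    # Insider at the same layer: an operator host trying to rewrite PLC config
    # is still stopped by the identity and resource layers.
    print(evaluate(Request("bob", "operator", "control", "plc-config", "write")))
    # Single-layer failure: zone rules mistakenly opened corporate -> control.
    # The request is still denied by the two remaining layers.
    bad_zones = {**ZONE_REACH, "corporate": {"corporate", "dmz", "control"}}
    print(evaluate(Request("carol", "auditor", "corporate", "plc-config", "write"), bad_zones))
```

The point of evaluating all three layers is the "no single point of failure" requirement: in the last case the network layer has been misconfigured open, yet the request is still refused because the role table and the resource's own allowlist were each written independently to the minimum the job requires.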
16. Clearly identify cyber security requirements. Organizations and companies need structured security programs with mandated requirements to establish expectations and allow personnel to be held accountable. Formalized policies and procedures are typically used to establish and institutionalize a cyber security program. A formal program is essential to establishing a consistent, standards-based approach to cyber security throughout an organization and eliminates sole dependence on individual initiative. Policies and procedures also inform employees of their specific cyber security responsibilities and the consequences of failing to meet those responsibilities. They also provide guidance regarding actions to be taken during a cyber security incident and promote efficient and effective actions