Companies and organisations must review critical security controls - expert

Published: Wed 19 Apr 2017

Recent incidents have highlighted the need for all companies and organisations to review the safety and security of their data and their IT systems, as standard approaches no longer protect against myriad vulnerabilities, an expert says.

“Even the highest judicial office in the land, that of Chief Justice, Mogoeng Mogoeng, is not immune. Regardless of the source of the attack, about which there is much speculation, the fact remains that the office, which has security and cameras on the premises, suffered a major setback recently when several computers - containing highly sensitive information - were stolen,” notes Wonga Ntshinga, Senior Head of Programme: Faculty of ICT at The Independent Institute of Education, SA’s largest private higher education provider.

Ntshinga says many companies and organisations may be under the impression that their data and systems are adequately secured, when in fact that is not the case at all. It is therefore important for business leaders to take some time to ensure that arguably their most important non-human assets and resources are effectively protected against a range of potential attacks – both internal and external.

“The challenge is that it is very difficult to quantify the value of assets when we consider reputational loss and other intangibles, much less predict the rate of occurrence without large volumes of historical data. Besides the obvious steps, such as getting a comprehensive inventory of all network devices and software, leaders should also ensure that critical security controls are in place to protect sensitive data, and make provision for scenarios in which the security control itself is compromised,” says Ntshinga.

He says it is crucial that sensitive information is protected at three stages: at rest (data needs to be protected whilst being stored on the storage device), in transit (data needs to be protected as it is being transported) and in process (when the data is being processed).

Ntshinga says that in order to ensure a comprehensive protection strategy, companies must consider incorporating the following approaches to safeguard intellectual property:

  • Vulnerability Management

This service is intended to perform live monitoring of the environment for emerging vulnerabilities and also to execute regular in-depth assessments to identify new weaknesses, for instance insufficient or weak security controls.

  • Access Control

Complex access control is needed to enforce separation of duties through assigned access authorisations. The principle of separation of duties is intended to minimise errors and make it more difficult to exploit access privileges for personal gain. This can go down to the level of whether a specific user has update access to a particular file while executing a specific programme from a workstation at a specific network address.

  • Information Security Policy

Policies are essential as they set the foundation and tone for a security programme. Documents such as the Information Security Policy or an associated standard need to be set in order to better understand the real exposure and the real problem – i.e. what is or could become the root cause of attacks?

  • Acceptable Risk

Risk can be defined as the expected loss of confidentiality, integrity, availability, or accountability. You need to understand that not all risks are the same, hence it is important to evaluate them so as to decide which to prioritise. Look at your organisation through the lens of “acceptable risk” and continuously measure the efficiency and effectiveness of your security programme, which comprises the following building blocks: policies, standards, guidelines, procedures and baselines.

  • Risk-Based Model

Risk-based models provide direction for focusing on the most critical exposures and for prioritising risk mitigation. If you don’t already have a risk model, immediately adopt a simple qualitative risk model and start prioritising your risk activities (Low, Moderate, High). Set up an organisational risk committee to assess risks across the entire organisation. The committee must look into deviations from any security risk management programmes that have been implemented and, if need be, propose corrective measures to address the deviations.

“Risk management can be an overwhelming task if tackled using only one methodology and ideally requires a strategy which addresses the entire scope of risks within an organisation,” says Ntshinga.

“Additionally, critical security controls can be costly and therefore they require funding through annual security operating budgets. Ultimately, the security professionals need to understand what each service provider does in order to mitigate the risks, and data security should not be approached in checklist fashion.”

Ntshinga says while it is unfortunate that not every risk can be pre-empted and disarmed, attempts to holistically tighten controls can unravel some of the risks that organisations face.

“Most importantly, senior leaders of organisations – whether public or private – must take ownership of security, even (or perhaps especially) where there is a perception that adequate protections are in place.

“They must ensure that they thoroughly identify and analyse potential risk, and then put in place adequate mitigation. Additionally, it is important to be well versed on the current legal environment in order to minimise an organisation’s liability and reduce risks from electronic and physical threats, including losses from legal actions.”

Source: Meropa Communications
Copyright © Stoker Risk & ICT (Pty) Ltd 2004 - 2017.