
Companies and organisations must review critical security controls - expert

Published: Wed 19 Apr 2017

Recent incidents have highlighted the need for all companies and organisations to review the safety and security of their data and their IT systems, as standard approaches no longer protect against myriad vulnerabilities, an expert says.

“Even the highest judicial office in the land, that of Chief Justice, Mogoeng Mogoeng, is not immune. Regardless of the source of the attack, about which there is much speculation, the fact remains that the office, which has security and cameras on the premises, suffered a major setback recently when several computers - containing highly sensitive information - were stolen,” notes Wonga Ntshinga, Senior Head of Programme: Faculty of ICT at The Independent Institute of Education, SA’s largest private higher education provider.

Ntshinga says many companies and organisations may be under the impression that their data and systems are adequately secured, when in fact that is not the case at all. It is therefore important for business leaders to take some time to ensure that arguably their most important non-human assets and resources are effectively protected against a range of potential attacks – both internal and external.

“The challenge is that it is very difficult to quantify the value of assets when we consider reputational loss and other intangibles, much less predict the rate of occurrence without large volumes of historical data. Besides the obvious steps, such as getting a comprehensive inventory of all network devices and software, leaders should also ensure that critical security controls are in place to protect sensitive data, and make provision for scenarios in which the security control itself is compromised,” says Ntshinga.

He says it is crucial that sensitive information is protected at three stages: at rest (data needs to be protected whilst being stored on the storage device), in transit (data needs to be protected as it is being transported) and in process (when the data is being processed).

Ntshinga says that in order to ensure a comprehensive protection strategy, companies must consider incorporating the following approaches to safeguard intellectual property:

  • Vulnerability Management

This service is intended to perform live monitoring of the environment for emerging vulnerabilities and also to execute regular in-depth assessments to identify new weaknesses, for instance insufficient or weak security controls.

  • Access Control

Complex access control is needed to enforce separation of duties through assigned access authorisations. The principle of separation of duties is intended to minimise errors and make it more difficult to exploit access privileges for personal gain. This can even go down to the level of whether a specific user has update access to a particular file while executing a specific programme from a workstation at a specific network address.

  • Information Security Policy

Policies are essential as they set the foundation and tone for a security programme. Documents such as the Information Security Policy or an associated standard need to be set in order to better understand the real exposure and the real problem – i.e. what is or could become the root cause for attacks?

  • Acceptable Risk

Risk can be defined as the expected loss of confidentiality, integrity, availability, or accountability. You need to understand that not all risks are the same, hence it is important to evaluate them so as to decide which to prioritise. Look at your organisation through the lens of “acceptable risk” and continuously measure the efficiency and effectiveness of your security programme, which is comprised of the following building blocks: policies, standards, guidelines, procedures and baseline.

  • Risk-Based Model

Risk-based models provide direction for focusing on the most critical exposures and for prioritising risk mitigation. If you don’t already have a risk model, immediately adopt a simple qualitative risk model and start prioritising your risk activities (Low, Moderate, High). Set up an organisational risk committee to assess risks across the entire organisation. The committee must look into deviations of any security risk management programmes that have been implemented and, if needs be, propose some corrective measures to address the deviations.

“Risk management can be an overwhelming task if tackled using only one methodology and ideally requires a strategy which addresses the entire scope of risks within an organisation,” says Ntshinga.

“Additionally, critical security controls can be costly and therefore they require funding through annual security operating budgets. Ultimately, the security professionals need to understand what each service provider does in order to mitigate the risks, and data security should not be approached in checklist fashion.”

Ntshinga says while it is unfortunate that not every risk can be pre-empted and disarmed, attempts to holistically tighten controls can unravel some of the risks that organisations face.

“Most importantly, senior leaders of organisations – whether public or private – must take ownership of security, even (or perhaps especially) where there is a perception that adequate protections are in place.

“They must ensure that they thoroughly identify and analyse potential risk, and then put in place adequate mitigation. Additionally, it is important to be well versed on the current legal environment in order to minimise an organisation’s liability and reduce risks from electronic and physical threats, including losses from legal actions.”

 
Source: Meropa Communications
 
Copyright © Stoker Risk & ICT (Pty) Ltd 2004 - 2017.
All Rights Reserved.