
Companies and organisations must review critical security controls - expert

Published: Wed 19 Apr 2017

Recent incidents have highlighted the need for all companies and organisations to review the safety and security of their data and their IT systems, as standard approaches no longer protect against myriad vulnerabilities, an expert says.

“Even the highest judicial office in the land, that of Chief Justice, Mogoeng Mogoeng, is not immune. Regardless of the source of the attack, about which there is much speculation, the fact remains that the office, which has security and cameras on the premises, suffered a major setback recently when several computers - containing highly sensitive information - were stolen,” notes Wonga Ntshinga, Senior Head of Programme: Faculty of ICT at The Independent Institute of Education, SA’s largest private higher education provider.

Ntshinga says many companies and organisations may be under the impression that their data and systems are adequately secured, when in fact that is not the case at all. It is therefore important for business leaders to take some time to ensure that arguably their most important non-human assets and resources are effectively protected against a range of potential attacks, both internal and external.

“The challenge is that it is very difficult to quantify the value of assets when we consider reputational loss and other intangibles, much less predict the rate of occurrence without large volumes of historical data. Besides the obvious steps, such as getting a comprehensive inventory of all network devices and software, leaders should also ensure that critical security controls are in place to protect sensitive data, and make provision for scenarios in which the security control itself is compromised,” says Ntshinga.

He says it is crucial that sensitive information is protected at three stages: at rest (while it is stored on a storage device), in transit (while it is being transported across a network) and in process (while it is being processed in memory by an application).

Ntshinga says that in order to ensure a comprehensive protection strategy, companies must consider incorporating the following approaches to safeguard intellectual property:

  • Vulnerability Management

This service is intended to continuously monitor the environment for newly disclosed vulnerabilities and to run regular in-depth assessments that identify new weaknesses, for instance insufficient or weak security controls. Both depend on an accurate inventory: a vulnerability can only be matched to the systems it affects if you know which software, at which version, runs where.
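The following is an added example, not code from the article or from Ntshinga, of the matching step a vulnerability management service performs between an asset inventory and an advisory feed. Every host name, product, version and advisory identifier in it is constructed for illustration and does not refer to any real vulnerability; the version-constraint syntax (`">=2.0,<2.4.3"`) is an assumption of this example, not a standard feed format.

```python
"""Inventory-versus-advisory matching: an added illustration, not code from the
article or its source. Hosts, products, versions and advisory identifiers
below are constructed and do not refer to any real vulnerability."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    host: str
    product: str
    version: str


@dataclass(frozen=True)
class Advisory:
    advisory_id: str   # constructed label, not a real CVE
    product: str
    affected: str      # comma-separated clauses, e.g. ">=2.0,<2.4.3"
    severity: str      # Low / Moderate / High


def parse_version(text):
    """'2.4.1' -> (2, 4, 1). A shorter tuple sorts below a longer one with the
    same prefix, so '2.4' is treated as older than '2.4.0'."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


_OPS = {
    "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    ">=": lambda a, b: a >= b,
    "==": lambda a, b: a == b,
}


def satisfies(version, constraint):
    """True when `version` meets every clause of `constraint`."""
    v = parse_version(version)
    for clause in constraint.split(","):
        m = re.fullmatch(r"\s*(<=|>=|==|<|>)\s*([\d.]+)\s*", clause)
        if m is None:
            raise ValueError(f"bad constraint clause: {clause!r}")
        op, bound = m.groups()
        if not _OPS[op](v, parse_version(bound)):
            return False
    return True


def assess(inventory, advisories):
    """Return (asset, advisory) pairs for every asset running an affected
    version, highest severity first."""
    by_product = {}
    for adv in advisories:
        by_product.setdefault(adv.product, []).append(adv)
    findings = [
        (asset, adv)
        for asset in inventory
        for adv in by_product.get(asset.product, [])
        if satisfies(asset.version, adv.affected)
    ]
    rank = {"High": 0, "Moderate": 1, "Low": 2}
    findings.sort(key=lambda f: (rank[f[1].severity], f[0].host))
    return findings


# Constructed sample inventory and advisory feed (not real products or advisories).
INVENTORY = [
    Asset("web-01", "examplehttpd", "2.4.1"),
    Asset("web-02", "examplehttpd", "2.4.7"),
    Asset("db-01", "exampledb", "11.2"),
    Asset("jump-01", "examplessh", "8.9"),
]
ADVISORIES = [
    Advisory("ADV-001", "examplehttpd", ">=2.0,<2.4.3", "High"),
    Advisory("ADV-002", "exampledb", "<11.5", "Moderate"),
    Advisory("ADV-003", "examplessh", "<7.0", "Low"),
]

if __name__ == "__main__":
    for asset, adv in assess(INVENTORY, ADVISORIES):
        print(f"{adv.severity:8} {asset.host:8} {asset.product} {asset.version} -> {adv.advisory_id}")
```

Run against the constructed data, only web-01 and db-01 are flagged; web-02 and jump-01 are already above the affected ranges. In practice the inventory comes from the asset discovery the article calls an "obvious step", and the feed is re-evaluated every time either side changes, which is what turns a periodic assessment into live monitoring.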

  • Access Control

Fine-grained access control is needed to enforce separation of duties through assigned access authorisations. The principle of separation of duties is intended to minimise errors and to make it harder to abuse access privileges for personal gain, since no single person can both prepare and approve a sensitive action. Authorisation can be as granular as whether a specific user has update access to a particular file while running a specific programme from a workstation at a specific network address.
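As an added example (not code from the article or its author), the default-deny policy engine below evaluates exactly the attributes the paragraph lists, user role, action, resource, programme and source network address, and layers a dynamic separation-of-duties check on top: whoever created or updated an item may not also approve it. The users, roles, subnets, programme names and the payments resource are constructed for illustration.

```python
"""Fine-grained access check with separation of duties: an added illustration,
not code from the article. Users, roles, rules, programmes and network ranges
are constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    user: str
    action: str      # "create", "update" or "approve"
    resource: str    # e.g. "payments/batch-42"
    program: str     # executable making the request
    source_ip: str   # workstation address


@dataclass(frozen=True)
class Rule:
    roles: frozenset
    actions: frozenset
    resource_prefix: str
    programs: frozenset
    networks: tuple  # CIDR strings the request may originate from


class PolicyEngine:
    """Default-deny evaluator: a request must match an allow rule on role,
    action, resource, programme and source network, and must not violate
    dynamic separation of duties."""

    def __init__(self, user_roles, rules):
        self.user_roles = user_roles   # user -> set of roles
        self.rules = rules
        self.prepared = {}             # resource -> users who created/updated it

    def _matches(self, rule, req):
        ip = ipaddress.ip_address(req.source_ip)
        return bool(
            self.user_roles.get(req.user, set()) & rule.roles
            and req.action in rule.actions
            and req.resource.startswith(rule.resource_prefix)
            and req.program in rule.programs
            and any(ip in ipaddress.ip_network(n) for n in rule.networks)
        )

    def authorise(self, req):
        """Return (allowed, reason)."""
        if not any(self._matches(r, req) for r in self.rules):
            return False, "no allow rule matches"
        if req.action == "approve":
            if req.user in self.prepared.get(req.resource, set()):
                return False, "separation of duties: user prepared this item"
        elif req.action in ("create", "update"):
            self.prepared.setdefault(req.resource, set()).add(req.user)
        return True, "allowed"


def build_engine():
    """Constructed policy: clerks prepare payments from the payments UI on the
    clerk subnet; approvers approve from the approver subnet."""
    user_roles = {
        "alice": {"clerk"},
        "bob": {"approver"},
        "carol": {"clerk", "approver"},
    }
    rules = [
        Rule(frozenset({"clerk"}), frozenset({"create", "update"}),
             "payments/", frozenset({"payments-ui"}), ("10.0.1.0/24",)),
        Rule(frozenset({"approver"}), frozenset({"approve"}),
             "payments/", frozenset({"payments-ui"}), ("10.0.2.0/24",)),
    ]
    return PolicyEngine(user_roles, rules)


def run_scenario():
    """Replay a constructed sequence of requests; returns [(user, action, allowed)]."""
    engine = build_engine()
    requests = [
        Request("alice", "update", "payments/batch-42", "payments-ui", "10.0.1.15"),
        Request("alice", "approve", "payments/batch-42", "payments-ui", "10.0.2.5"),
        Request("carol", "update", "payments/batch-42", "payments-ui", "10.0.1.20"),
        Request("carol", "approve", "payments/batch-42", "payments-ui", "10.0.2.5"),
        Request("bob", "approve", "payments/batch-42", "curl", "10.0.2.5"),
        Request("bob", "approve", "payments/batch-42", "payments-ui", "192.168.7.9"),
        Request("bob", "approve", "payments/batch-42", "payments-ui", "10.0.2.5"),
    ]
    results = []
    for req in requests:
        allowed, reason = engine.authorise(req)
        results.append((req.user, req.action, allowed))
        print(f"{req.user:6} {req.action:8} from {req.source_ip:12} via {req.program:12} -> {reason}")
    return results


if __name__ == "__main__":
    run_scenario()
```

Carol holds both roles, so a purely role-based check would let her update a batch and then approve it; the separation-of-duties state is what blocks the fourth request. Bob's two failed approvals show the programme and network attributes doing their work: the right person with the right role is still refused when the request arrives from an unexpected tool or subnet.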

  • Information Security Policy

Policies are essential as they set the foundation and tone for a security programme. Documents such as the Information Security Policy, or an associated standard, need to be in place in order to understand the real exposure and the real problem, that is, what is, or could become, the root cause of attacks.

  • Acceptable Risk

Risk can be defined as the expected loss of confidentiality, integrity, availability or accountability. Not all risks are the same, so it is important to evaluate them in order to decide which to prioritise. Look at your organisation through the lens of "acceptable risk" and continuously measure the efficiency and effectiveness of your security programme, which is made up of the following building blocks: policies, standards, guidelines, procedures and baselines.

  • Risk-Based Model

Risk-based models provide direction for focusing on the most critical exposures and for prioritising risk mitigation. If you don't already have a risk model, immediately adopt a simple qualitative one and start rating and prioritising your risk activities (Low, Moderate, High). Set up an organisational risk committee to assess risks across the entire organisation. The committee must look into deviations from any security risk management programmes that have been implemented and, if need be, propose corrective measures to address them.

“Risk management can be an overwhelming task if tackled using only one methodology and ideally requires a strategy which addresses the entire scope of risks within an organisation,” says Ntshinga.

“Additionally, critical security controls can be costly and therefore they require funding through annual security operating budgets. Ultimately, the security professionals need to understand what each service provider does in order to mitigate the risks, and data security should not be approached in checklist fashion.”

Ntshinga says that while not every risk can be pre-empted and disarmed, a holistic effort to tighten controls can uncover some of the risks that organisations face.

“Most importantly, senior leaders of organisations – whether public or private – must take ownership of security, even (or perhaps especially) where there is a perception that adequate protections are in place.

“They must ensure that they thoroughly identify and analyse potential risk, and then put in place adequate mitigation. Additionally, it is important to be well versed on the current legal environment in order to minimise an organisation’s liability and reduce risks from electronic and physical threats, including losses from legal actions.”

 
Source: Meropa Communications
 
 

Copyright © Stoker Risk & ICT (Pty) Ltd 2004 - 2017.
All Rights Reserved.