Here’s a Cyber Security Checklist Backed by the Utah Government You’ll Want to Adopt
As part of our IT security due diligence and dedication to seeing our clients attain greater levels of successfully-auditable security controls, we wanted to share some guidelines we’ve adopted, via the Utah.gov website. We’ve included some of the text from that cybersecurity checklist called “Be Ready Utah,” which we’ve also included links to, so you can utilize it yourself.
A Cyber Security Audit Checklist: What You Need to Know
The Utah government-sponsored cybersecurity checklist is designed to identify and document the existence and status for a recommended basic set of cybersecurity controls (policies, standards, and procedures) for an organization. Security controls are designed to reduce and/or eliminate the identified threat/vulnerabilities that place an organization at risk.
A threat is the potential for a person or a thing to exercise (accidentally trigger or intentionally exploit) a flaw or weakness (vulnerability) within an organization. There are several types of threats that may occur within an information system or operating environment. Threats are usually grouped into general categories such as natural, human, and environmental.
The desired outcome of identifying and reviewing (assessing) threats and vulnerabilities is determining potential and actual risks to the organization. The risk is a combination of factors or events (threats and vulnerabilities) that, if they occur, may have an adverse impact on a given organization.
The risk is established by considering the potential impact and likelihood of a vulnerability being exploited by a threat. Risk only exists when threats have the capability of triggering or exploiting certain vulnerabilities.
When determining the impact, consider the value of the resources at risk, both in terms of inherent (replacement) value and the importance of the resources (criticality) to the organization’s successful operation.
Factors influencing likelihood include threat capability, the frequency of threat occurrence, and effectiveness of current countermeasures (security controls). Threats caused by humans are capable of significantly impairing the ability for an organization to operate effectively.
After completing a review of current security controls and along with a review and rating of potential threats/vulnerabilities, a series of actions should be determined to reduce risk (threats exploiting vulnerabilities) to an acceptable level. These actions should include putting into place missing security controls, and/or increasing the strength of existing controls.
Security controls should ideally reduce and/or eliminate vulnerabilities and meet the needs of the business. The cost must be balanced against expected security benefit and risk reduction. Typically, security remediation efforts and actions will be focused on addressing identified high-risk threats or vulnerabilities.
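The risk model described above (impact from resource value and criticality; likelihood from threat capability, frequency, and current control effectiveness; remediation focused on high-risk items) as an added worked example; it is not code from Be Ready Utah or the checklist itself. The 1-5 scales, the linear control-reduction rule, and the rating thresholds are assumptions chosen for illustration.

```python
"""Risk register scoring: impact x likelihood, prioritised for remediation.
Added illustration; scales and thresholds are assumptions, not the checklist's."""
from dataclasses import dataclass


@dataclass
class Finding:
    name: str
    replacement_value: int       # inherent (replacement) value, 1-5 (assumed scale)
    criticality: int             # importance to operations, 1-5 (assumed scale)
    threat_capability: int       # 0 = no capable threat, else 1-5
    frequency: int               # how often the threat occurs, 1-5
    control_effectiveness: int   # strength of current countermeasures, 1-5


def impact(f: Finding) -> int:
    # Both value and criticality are considered; the larger one drives impact.
    return max(f.replacement_value, f.criticality)


def likelihood(f: Finding) -> float:
    # Risk only exists when a threat is capable of exploiting the vulnerability.
    if f.threat_capability == 0:
        return 0.0
    raw = (f.threat_capability + f.frequency) / 2
    # Assumption: each point of control effectiveness above 1 lowers likelihood by 1.
    return max(1.0, raw - (f.control_effectiveness - 1))


def risk_score(f: Finding) -> float:
    return impact(f) * likelihood(f)


def rating(score: float) -> str:
    # Assumed thresholds on a 0-25 scale.
    if score == 0:
        return "none"
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def remediation_plan(findings: list[Finding]) -> list[tuple[str, float, str]]:
    """Findings ordered highest risk first; high-risk items are addressed first."""
    scored = [(f.name, risk_score(f), rating(risk_score(f))) for f in findings]
    return sorted(scored, key=lambda row: row[1], reverse=True)
```
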
What Are Security Controls?
Security controls are technical or administrative safeguards or countermeasures to avoid, counteract or minimize loss or unavailability due to threats acting on their matching vulnerability, i.e., security risk. Controls are referenced all the time in security, but they are rarely defined. The purpose of this section is to define technical, administrative/personnel, preventative, detective, corrective, and compensating controls, as well as general controls.
According to the Government Accountability Office (GAO), “The control environment sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure. Control environment factors include the integrity, ethical values, and competence of the entity’s people; management’s philosophy and operating style; and the way management assigns authority and organizes and develops its people.”
From this we can derive that some controls are the actions that people take; we call these administrative controls. Administrative controls are the process of developing and ensuring compliance with policy and procedures. They tend to be things that employees may do, must always do (such as having a reliable cyber security checklist and auditing process in place), or cannot do. Another class of controls in security is carried out or managed by computer systems; these are technical controls.
Small Business Impact of Not Having a Cyber Security Checklist
Small businesses in Utah (as anywhere else) are every bit as vulnerable as enterprise-scale businesses to hacks or data breaches, and sometimes even more vulnerable. The thought of having the personal and financial data of 143 million Americans stolen is enough to cause any business owner to get a bad case of the hives. Equifax’s security was violated due to the failure to correctly install a software patch, something that many small business owners can relate to as their internal IT departments are increasingly stretched in a variety of different directions. Installing patches and keeping software up-to-date is one of the first lines of defense for organizations attempting to reduce the possibility of a cybersecurity attack, though a working cybersecurity checklist should also be in place commensurately.
Winning Cyber Security Solutions Are Only a Phone Call Away!
If you’re ready for a leader among IT service providers who can help you with the right managed IT solutions for small businesses, then call our nationwide hotline at (800) 489-1706, or email us at sales@symtec.com, or use our secure contact form to get started.
We’ll help you reap all the benefits of a cybersecurity checklist, along with other strategic IT solutions that will help you maximize your productivity and ensure your IT longevity!