05.10.2023 By admin web Comment off

Test your Physical Access and Organization

Answer the following questions with Yes / No.

Do you restrict the User Privileges in your company? (4 points) Yes / No

User privileges are limits on how much access an individual employee has on a computer. Restricting user privileges is crucial so that accidental data exposure, intentional privilege misuse and abuse, compromise of user credentials by attackers and malware infections are reduced or avoided. Restricting user privileges not only lowers the chance of a breach or cyber-attack happening, it also limits the scope of a breach if one does happen.

Do you prohibit publishing the organigram, employees' names, job positions and network architecture in the websites, journals, annual reports or product catalogues of your organization? (2 points) Yes / No

Organizations should carefully manage the information they publish in order to mitigate potential threats. Publishing information about their network architecture or organigram, or any information about their employees such as names and job positions, increases the risk of social engineering, targeted cyber-attacks, compromised physical security, identity theft, employee privacy violations and much more.

Do you prohibit describing the technology in detail when advertising and hiring for job vacancies in your company? (2 points) Yes / No

When interviewing candidates for job vacancies within an organization or company, it is important that the hiring staff does not overshare detailed technical descriptions of the technology used within the company. Doing so increases the risk of intellectual property exposure, security vulnerabilities, resource drain, competitive intelligence leakage and reputation damage. Interviewers should ensure alignment with legal and compliance guidelines, use hypothetical scenarios and carefully plan discussions in order to mitigate these risks.

Do you implement security policies and procedures in your premises, such as ISO 27001? (5 points) Yes / No

ISO 27001 is an international standard for information security management systems. Some of its policies include:

- Information Security Policy
- Data Protection Policy
- Data Retention Policy
- Asset Management Policy
- Access Control Policy
- Risk Management Policy
- Information Classification and Handling Policy
- Information Security Awareness and Training Policy
- Acceptable Use Policy
- Clear Desk and Clear Screen Policy
- Remote Working Policy
- Business Continuity Policy
- Backup Policy
- Malware and Antivirus Policy
- Change Management Policy
- Third Party Supplier Security Policy
- Continual Improvement Policy
- Logging and Monitoring Policy
- Network Security Management Policy
- Information Transfer Policy
- Secure Development Policy
- Physical and Environmental Security Policy
- Cryptographic Key Management Policy
- Cryptographic Control and Encryption Policy
- Document and Record Policy

Information Security Policy – sets the principles, the framework of supporting policies and the responsibilities, and addresses all programs, data, infrastructure, third parties, users and more. By creating a detailed and effective framework for the ISP, organizations ensure that their data is protected and that security incidents such as data leaks and data breaches are prevented.

Data Protection Policy – its main goal is to protect and secure all data, as it is a policy dedicated to the use and management of data. Aspects such as legal compliance for data protection, roles and responsibilities in relation to data protection, and data protection techniques must be covered by this policy in an organization.

Information Classification and Handling Policy – ensures that information is correctly classified and handled according to its classification. It sets the limits on what an organization or individual can do with the information based on its classification, which is commonly separated into three categories: Confidential, Internal and Public.

Network Security Management Policy – covers access to networks, physical network devices, network services, network locations and the security of network services. It essentially guards the information in networks and the supporting information facilities.

Information Transfer Policy – ensures that when information is transferred, internally or externally, the correct treatment is applied, and safeguards the transfer of information over all types of communication facilities. It covers loss of information, information encryption and data transfer methods.

Physical and Environmental Security Policy – its goals are the prevention of unauthorized physical access to, and interference with, the information and information processing facilities of an organization. Cabling security, employee and visitor access, network access control and equipment protection are covered.

Do you organize and participate in security awareness activities for your staff? (4 points) Yes / No

For a company or organization to prevent security issues such as data breaches, phishing attacks or information leakage, implementing security awareness for its employees is a crucial step. Some ways of implementing security awareness are: having policies (such as password policies, firewall rules and data retention policies); having employees take part in training that covers sensitive data management (such as data encryption, wireless networks, risk assessment and risk management plans); and knowing what kind of security tools the organization needs (such as penetration testing, vulnerability scanning, firewalls and IDS/IPS).

Do you have a department of Information Security in your company? (3 points) Yes / No

When it comes to the security of a company or organization, an Information Security department is an incredibly important asset, as it is responsible for the implementation and maintenance of security policies, procedures and standards. Moreover, it provides security awareness training and education and ensures that every employee knows their role in maintaining security in the organization.

Do you perform penetration testing once per year? (4 points) Yes / No

Penetration testing is an authorized simulated cyber-attack, which uses the same tactics, techniques and procedures (TTPs) as attackers, to find weaknesses and evaluate the security of an organization or company. Regular penetration testing is important for the security of a company or organization, as it covers both security (finding vulnerabilities that could be exploited by attackers) and compliance (checking whether the organization complies with the security standards that apply to it).

Do you encrypt the data storage on disk? (3 points) Yes / No

Encrypting data storage on disk is important for several reasons, the most important being data confidentiality (it ensures that the data on the disk stays confidential and is not easily accessed by unauthorized individuals), theft protection (if the device is lost or stolen, encryption prevents the thieves from easily accessing the information) and mitigation of insider threats (employees with or without authorized access may try to misuse their privileges, for example by making unauthorized copies of the data).

Do employees identify themselves with an ID card, uniform etc.? (2 points) Yes / No

Employee IDs serve as a method of instant identification of everyone in the building and as a way to restrict access to certain areas, thus protecting the staff as well as any sensitive information that the organization or company stores.

Do you have a policy which prohibits your employees from participating in public blogs, groups or forums to get solutions for different issues? (1 point) Yes / No

Having policies which prohibit employees from participating in public blogs or forums helps mitigate security concerns, depending on the nature of the organization. Public forums and blogs can be sources of many security threats, including phishing scams and social engineering attacks, as well as data leakage, where employees may accidentally share information about the company or the nature of their work, increasing the chance of attackers exploiting vulnerabilities.