Cybersecurity measures and controls for the organization.
By Global Trust Association
01 August, 2019 | 22:08hrs
Today, cybersecurity has become a highly relevant concern in a world that is increasingly interconnected. Emerging digital technologies, devices, and services integrate economies around the globe, and as the use of and dependence on Information and Communication Technologies (ICTs) increase, so do the risks.
In that sense, organizations must take into account the measures and controls available as good practices, as well as those described in ISO/IEC 27032, to counteract, neutralize or minimize the exposure of organizations and end users to the majority of known cybersecurity attacks. To this purpose, it is essential to perform a risk analysis that, as a general risk framework, considers the four types of security incidents: natural disasters, malicious attacks from an external source, internal attacks within the organization, and malfunctions and unintentional human errors. The aim is to determine the threats and vulnerabilities affecting the use of information in relation to cybersecurity in the organization.
Some good practices for implementing measures or safeguards, which in turn may be used as a general framework for the implementation of security controls, include the following:
- Adapting the organization's functional structure to the actions required, based on the organization's size and context, and ensuring that no roles are in a conflict of interest.
- Defining and documenting policies and procedures that establish the general guidelines to be complied with in order to safeguard information in general, and especially concerning the use of the networks and technologies through which the organization's information flows.
- Evaluating the costs and benefits of risk management and the impact levels that may affect the organization, as well as the implementation and use of new technologies that facilitate risk management and control activities.
With regard to the specific controls for cybersecurity, ISO/IEC 27032 proposes the following:
- Application-level controls.
- Server protection.
- End-user controls.
- Controls against social engineering attacks.
- Cybersecurity readiness.