Do you know your Digital Risk?
Trusted and experienced information security (infosec) expertise goes a long way toward reducing downtime, lost resources, theft, and many other threats. offthegridit can raise your security posture to new heights.
Plan Security For Change
To define the fundamentals of your security strategy, consider the following three general questions:
- Stakeholders: Who are your key stakeholders and potential threat agents?
- Assets: What are your information assets and how do they (and their protection) generate value for your clients inside and outside the organization?
- Capabilities: What are the essential security and protection capabilities that the organization and its stakeholders need to deliver that value proposition?
It takes a seasoned professional to review and plan a Security Strategy. The fundamentals are here. Combine your team with ours to document, plan, and implement your Security Strategy.
Consider maintaining and securing your systems with offthegridit to protect your business, your privacy, and your data.
✓ Vulnerability Assessments and Remediation
✓ Cloud Security Monitoring
✓ Managed Detection and Response (MDR)
✓ MDM (Mobile Device Management)
✓ Secure Hardware Vaults
✓ USB, USB-C
✓ Router and Firewall Monitoring
✓ Website Vulnerability Assessment and Remediation
✓ SSL Certificate Management
✓ File Integrity Monitoring
✓ Implement Dual-factor Authentication
✓ SSO (Single Sign On)
✓ Use DNS to secure resource availability
✓ Cloud DVR
✓ On-Premises DVR
✓ Hybrid (analog/digital) DVR
✓ 4K Recording
✓ Supporting thousands of cameras
✓ Video monitoring
✓ Video Network Design
✓ Motion detection alerting
✓ Facial recognition, people counter
✓ License plate reader
Enhancing your data security starts with a plan. By defining your security posture you can plan and implement increasing levels of security. We use resources from the U.S. Department of Commerce such as NIST (the National Institute of Standards and Technology).
We use industry standards and academic research in AI and Big Data. Threat detection is being automated with artificial intelligence, allowing greater insight into digital footprints, detecting faces, biometric signatures, and more. Choose either to protect your assets or to let someone else turn your data into their asset.
Enterprises, SOHOs, and private individuals can implement security monitoring and logging tools that provide security insights, strengthen your security posture, and give you better control of threat management.
- Strengthen security
- Implement privacy controls and transparency requirements
Being in Silicon Valley has its advantages: we are on the ground floor of revolutionary technologies that give consumers more insight into their own cybersecurity.
To prepare for an increased security posture, we can start by defining our security standards. The following outlines some of the security standards that should be documented:
✓ On-Premise (Physical) Security Standards
✓ Endpoint Security Standards
✓ Server Security Standards
✓ Network Security Standards
The following lists some security standards of our own. All standards should be properly vetted for accuracy and applicability to your environment.
Security Categorization of Information Systems
The classic model for information security defines three objectives: confidentiality, integrity, and availability. This is also called the CIA Triad. How strongly a system needs to be protected depends largely on the type of information that the system processes and stores. Assessing this properly requires assigning a security category to each system.
Potential Impact on Organizations and Individuals
Legislation by government entities has brought us technical standards and organizations that can help us steer through the conundrums of IT security compliance and management.
The E-Government Act of 2002 (Public Law 107-347), passed by the one hundred and seventh Congress and signed into law by the President in December 2002, recognized the importance of information security to the economic and national security interests of the United States. Laws like this help the public to recognize the importance of IT Security even for private entities.
Some publications like FIPS Publication 199 define three levels of potential impact on organizations or individuals should there be a breach of security (i.e., a loss of confidentiality, integrity, or availability). The application of these definitions must take place within the context of each organization and the overall national interest.
While many of these standards were enacted for national security, they can be, and are being, applied to commercial and private interests. Using these national standards we can form our own security baseline applicable to an enterprise, SOHO, or private end user.
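As an added illustration of the security categorization described above (not material from the offthegridit page), the Python helper below builds a system's security category in FIPS 199 notation from the impact ratings of the information types it holds and derives the overall high-water mark; it assumes the three impact levels are named LOW, MODERATE and HIGH as in FIPS 199, and the sample system and its ratings are constructed.

```python
# Added example, not from the offthegridit page: a FIPS 199 categorization
# helper. FIPS 199 rates the potential impact of losing each security
# objective (confidentiality, integrity, availability) as LOW, MODERATE or
# HIGH and writes the result as
#   SC = {(confidentiality, X), (integrity, Y), (availability, Z)}.
# For a system holding several information types, each objective takes the
# highest impact of any type it holds; the overall system impact is the
# highest of the three objectives (the "high-water mark").

OBJECTIVES = ("confidentiality", "integrity", "availability")
LEVELS = ("LOW", "MODERATE", "HIGH")  # ordered from least to most severe


def _rank(level):
    """Map an impact level to its severity rank, rejecting unknown values."""
    try:
        return LEVELS.index(level.upper())
    except ValueError:
        raise ValueError(f"impact level must be one of {LEVELS}, got {level!r}")


def categorize_system(information_types):
    """Return {objective: level} for a system from its information types.

    information_types maps an information-type name to a
    (confidentiality, integrity, availability) tuple of impact levels.
    """
    if not information_types:
        raise ValueError("a system must hold at least one information type")
    category = {}
    for i, objective in enumerate(OBJECTIVES):
        worst = max(_rank(levels[i]) for levels in information_types.values())
        category[objective] = LEVELS[worst]
    return category


def high_water_mark(category):
    """Overall system impact: the highest rating across the three objectives."""
    return LEVELS[max(_rank(level) for level in category.values())]


def format_sc(category):
    """Render the category in FIPS 199 notation."""
    pairs = ", ".join(f"({obj}, {category[obj]})" for obj in OBJECTIVES)
    return "SC = {" + pairs + "}"


# Constructed sample: a small e-commerce system (hypothetical ratings).
SAMPLE_SYSTEM = {
    "public product catalogue": ("LOW", "MODERATE", "MODERATE"),
    "customer payment records": ("HIGH", "HIGH", "MODERATE"),
}

if __name__ == "__main__":
    cat = categorize_system(SAMPLE_SYSTEM)
    print(format_sc(cat))  # SC = {(confidentiality, HIGH), (integrity, HIGH), (availability, MODERATE)}
    print("overall:", high_water_mark(cat))  # overall: HIGH
```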
We offer best in class services to secure your vital data assets. Consider offthegridit to work for you to combat security threats and establish a heightened security posture.
Get to know your Digital Risk and secure yourself by keeping it offthegridit.
PCI DSS Resources:
Excerpt from Sample of Industry-Standard Security Frameworks
from Appendix A
Information Supplement – Best Practices for Maintaining PCI DSS Compliance – January 2019
There are numerous governance frameworks available that can be used to complement PCI DSS controls to enhance the overall effectiveness of an organization’s cardholder data security program. Several examples of these frameworks are outlined below.
▪ Control Objectives for Information Technology (COBIT) is a framework for information technology management and governance from the ISACA. COBIT is structured to allow managers to bridge the gap between control requirements, technical issues, and business risks. COBIT enables clear policy development and good practice for IT control throughout organizations. COBIT emphasizes regulatory compliance, helps organizations to increase the value attained from IT, and enables alignment and simplifies implementation of the COBIT framework.
▪ Committee of Sponsoring Organizations of the Treadway Commission (COSO) performs research and provides guidance on the topics of enterprise risk management (ERM), internal controls, and fraud deterrence. The COSO Internal Control – Integrated Framework components of internal control – Control Environment, Risk Assessment, Control Activities, Information and Communication, and Monitoring Activities – are supported by 17 internal control principles that can assist organizations in developing and improving internal governance structures with risk-assessment processes fundamental to maintaining PCI Compliance.
▪ General Data Protection Regulation (GDPR) is the European Union (EU) data protection and privacy regulation that went into effect on May 25, 2018. The GDPR is applicable to any entity that processes personal data of individuals residing in the EU, regardless of where the entity is located, and includes the following rights for data subjects: breach notification, right to access, right to be forgotten, data portability, and privacy by design. Data impacting PCI DSS compliance also affects the adherence to GDPR.
▪ HITRUST® develops, maintains and provides broad access to programs that safeguard sensitive information and manage information risk for organizations across all industries and throughout the third-party supply chain. HITRUST® CSF v9.1 rationalizes relevant regulations and standards into a single overarching security framework.
▪ International Organization for Standardization (ISO) has published numerous standards and guidance for addressing information security issues. The most relevant documents to information security and risk management are the ISO/IEC 27000-series of standards. ISO/IEC 27001:2013 Information technology – Information security management systems – Requirements defines the requirements for creating an information security management system (ISMS) that brings information security, for both IT based and non-IT based security assets, under explicit management control. The standard also has an Annex A, which is a list of
▪ Information Technology Infrastructure Library (ITIL) is a globally recognized collection of best practices for information technology service management. Hallmarks of ITIL are an organization-wide approach that involves a development cycle of services from preliminary concept to a full release and continuous improvement. The enterprise-wide approach involved in ITIL can help support ongoing PCI DSS compliance activities across the whole organization. ITIL also stresses the continuous monitoring of key business processes as well as formal change-management processes to minimize business interruptions (incidents), and makes security assessments part of everyday business.
▪ The National Institute of Standards and Technology (NIST) develops standards, metrics, tests, and validation programs to promote, measure, and validate the security in information systems and services. Guidance on the selection and implementation of information security controls is covered in NIST Special Publication 800-53 (Revision 5), Security and Privacy Controls for Federal Information Systems and Organizations. In addition, the NIST Cybersecurity Framework provides a prioritized, flex