Friday, January 23, 2015

OTA: over 90% of data breaches in the first half of 2014 “could have been avoided”


January 22, 2015 by Neil Ford  

The Online Trust Alliance (OTA), the global non-profit organisation “with the mission to enhance online trust and empower users, while promoting innovation and the vitality of the internet”, released its 2015 Security & Privacy Best Practices and Security & Privacy Risk Assessment guides yesterday.

According to its analysis of “nearly 500 breaches reported in the first half of 2014”, more than “90% could have been avoided had simple controls and security best practices been implemented.”

OTA recommends the following best practices:
- Enforce effective password management policies.
- Employ least-privilege user access (LUA), giving each account and service only the rights it needs, so that a compromised account or a system fault has limited reach.
- Deploy multi-layered firewall protection; use up-to-date antivirus software; enable patch management for operating systems, apps and add-ons; disable auto-running of removable media; and employ whole-disk encryption.
- Conduct regular penetration tests and vulnerability scans.
- Require email authentication on all inbound and outbound mail streams to detect phishing and spoofed emails.
- Implement a mobile device management programme.
- Continuously monitor the organisation’s infrastructure security.
- Deploy web application firewalls to mitigate common threats, as identified by OWASP.
- Only permit authorised devices to connect wirelessly to the network and encrypt communications with wireless devices.
- Implement Always On SSL (AOSSL), that is TLS on every page rather than only on the login form, for all servers that authenticate users or collect data, so that session cookies and submitted data cannot be sniffed in transit.
- Review server certificates for vulnerabilities and risks of domain hijacking.
- Develop, test, and continually refine a data breach response plan.

Organisations that want to implement OTA’s recommendations can address all of the points listed above within a single framework rather than as a set of unrelated projects.

ISO 27001, the international information security standard, sets out the requirements of an enterprise-wide information security management system (ISMS) that encompasses people, processes and technology. The standard specifies the management system itself; the individual controls (Annex A lists them) are selected on the basis of a risk assessment, so each of the OTA items above becomes a specific, justified control within that system rather than a box ticked in isolation.

IT Governance ISO 27001 packaged solutions – Get A Little Help

IT Governance’s recently relaunched ISO 27001 packaged solutions provide ISMS implementation resources for all organisations concerned about information security. The ISO 27001 Get A Little Help Package contains three international standards, two training course places, two essential implementation guides, a comprehensive documentation toolkit, the ISO 27001-compliant risk assessment software tool vsRisk, and two hours’ Live Online consultancy support.

It is aimed at organisations that already have some management system expertise and an initial understanding of information security management, that have the necessary internal resources available, and whose culture favours using best-in-class tools and skills to accelerate learning and implementation while still taking an essentially do-it-yourself approach to project management.

