Components of a Cyber Security Program
IT Risk Assessment
A Cybersecurity Assessment Tool (CAT) is a diagnostic test that helps institutions identify their risk level and determine the maturity of their cybersecurity programs. This assessment measures risk levels across several categories, including delivery channels, connection types, external threats, and organizational characteristics. Ultimately, the results allow management to make risk-driven security management decisions through regular cybersecurity assessments using standardized criteria for risk measurement.
Your Cybersecurity Assessment should measure both the security risk present in your institution and your preparedness to mitigate that risk.
- Technologies And Connection Types - Some types of technologies and the networks they connect to come with a higher inherent risk level. In this category, you should examine the number of connections from third parties and ISPs, the number of unsecured connections, whether hosting is outsourced or handled internally, and several other factors.
- Delivery Channels - Some delivery channels for company products and services pose a higher risk than others. More delivery channels and more diverse delivery channels means a higher inherent risk. In this category, the risk is measured across websites, web, and mobile applications.
- Online, Mobile Products, and Tech Services - The security of an organization varies depending on the different technology products and services they offer. Payment services and transaction services such as credit cards, wire transfers, person-to-person payments, and correspondent banking all come with different security challenges that are assessed in this category.
- Organizational Characteristics - In this category, characteristics of the organization itself are examined, including the number of direct employees, changes in security staff, number of users with elevated security privileges, locations of data centers, and more.
- External Threats - The number of attacks (and the type of attacks) sustained by an organization factor into its risk assessment under this section.
- Cyber Risk Management and Oversight - Does the board of directors oversee management's commitment to an organization-wide cybersecurity program? This assessment examines oversight in terms of strategy, policies, robustness of the risk management program, staffing and budgeting of the program, culture, and training.
- Threat Intelligence And Collaboration - What processes are in place to uncover, analyze, and share findings on evolving cybersecurity threats? This is how management grades the institution in terms of threat intelligence, monitoring/analyzing, and relationships between peers and internal stakeholders that facilitate or hinder cyber threat information sharing.
- Cyber Incident Management Resilience - This is how the organization evaluates its response to cyber threat events, including planning and testing to recover normal operations after an event.
- Cybersecurity Controls - What's the current maturity of controls in place to protect infrastructure, assets, and information through constant, automated monitoring and protection? In this domain, controls are assessed from detective, preventative, and corrective perspectives.
- External Dependency Management - This looks into your organization's existing program to oversee and manage third-party relationships and external connections that have access to the enterprise's information and technology assets.
Have you tested the technology controls you have in place to protect your member data and systems? You should often perform a comprehensive assessment of your physical, technical, and network security controls against industry regulations. The results of your assessment should include an easy-to-read report with actionable steps ready for your board's approval.
Technical Security Controls
- IT Infrastructure
Administrative Security Controls
- Account Management
- IT and Security Policy
- Physical Security
- Network Devices
- Patch Management
- Malware Protection
A penetration test is a simulated attack against the outside of your network to check for exploitable vulnerabilities. One of the most common methods that cybercriminals use to gain access to an organization is finding an open port. Use industry-recognized tools to test your network defenses and provide actionable advice on how to secure them in a very easy-to-understand way.
Scan for open ports
- IP attack scans
- Web application security scans
Do you know every system that is connected to your network? What about applications that are at the end of life and are no longer supported or updated? Finally, are you still using default passwords on any of your systems? A vulnerability assessment will scan every network-connected device and determine where any potential vulnerabilities exist inside your network.
Phishing is the number one method that criminals use to gain unauthorized access to organizations. Phishing test services will send simulation emails that are very similar to what the attackers use. If one of your team members clicks on the link, they will receive teachable in the moment training. Emails may appear to be common themes such as free gift cards, package delivery notifications, verification of loan approvals, etc. If an employee of the Client clicks on a test, they will receive immediate in-the-moment training that highlights areas they should be alert to in the future. Upon completion, the Client will receive a report listing the overall Client score and a breakdown of any failed tests.
The goal of this training is to equip employees with the knowledge to combat common cybersecurity threats. Training should be done weekly and doesn't have to be all at once. Everyone in an organization needs to trained with methods that pertain to their level of expertise and risk.