Cybersecurity – norms, standards, good practices
IT security is a business decision and one that has a real impact on the functioning of your organization. Those responsible for managing IT issues in companies should therefore, on the one hand, draw attention to the links between digital and business risks, and on the other hand, actively take care of better security management, ensure the appropriate level of protection, and hire the best specialists in this area.
17 February 2021
Norms and standards
In the area of cybersecurity, we recognize:
- Standards against which IT systems can be certified, e.g. PN-ISO/IEC 27001, ISO/IEC 15408 (Common Criteria), ITSEC, TCSEC. They are characterized by measures of compliance with security requirements, such as:
  - classes (TCSEC),
  - levels E0-E6 (ITSEC, TCSEC),
  - Evaluation Assurance Levels – EAL (ISO/IEC 15408).
- Standards that represent the so-called best practices, such as the following recommendations from Information Technology Infrastructure Library (ITIL), National Institute of Standards and Technology (NIST), “Generally Accepted Information Security Principles (GAISP)”, Network Reliability and Interoperability Council (NRIC), or “OECD Guidelines for the Security of Information Systems of Government Commerce (OECD)”.
Their application in everyday activities is directly reflected in the level of cybersecurity of the organization. However, compliance with standards is not everything; it is also a good idea to follow good practices.
These in turn include:
- Identifying security vulnerabilities and responding immediately when they are discovered.
- Raising user awareness – making users aware of potential threats and teaching them how to act appropriately and safely.
- Selecting security methods that are not too inconvenient for users so that they do not avoid using them in their everyday work.
- Ensuring well-thought-out and sensible management of access levels granted to employees.
- Creating back-up copies of data.
- Conducting audits and monitoring user behavior and how they comply with security procedures that have been imposed.
- Protecting remote workers – understanding the way they use the hardware and applications entrusted to them and adopting security measures that suit their habits.
- Using the SOC (Security Operations Center) as a unified security and incident response platform, collecting and cross-referencing data from multiple sources.
- Data classification and protection – realizing that not all data requires the same level of protection and adjusting varying, adequate safeguards.
- Ongoing risk management – automating security assessments, prioritization of activities, and making incremental improvements.
To take comprehensive care of your IT, it is recommended to rely on security testing in addition to standards and best practices. Tests are necessary to protect the company against malicious encryption (ransomware) or theft of valuable data.
Security tests, also known as penetration tests, consist of simulated cyber attacks conducted in a special, controlled environment by third-party security experts using the same techniques as the cybercriminals.
They reveal whether the servers or applications used by the company are resistant to attacks and whether any detected errors or gaps in security may result in break-ins. Conducting them once or twice a year will on one hand enable ongoing control of the security status, and on the other hand will guarantee business continuity.
Strategic plans concerning security issues should be an integral part of every company’s business strategy and consider both the current state of security practices and the predefined short-, medium- and long-term goals. The vision, goals, and objectives of such plans should be reviewed and adjusted to the changing business conditions at least once a year.