Data Security Checkpoints You Might Be Missing
Information security is so much more than making sure firewalls and anti-virus are up to date. While these technical controls are important to your overall security plan, they do not tell the whole story.
We have focused recent blog posts on how a FISASCORE is a comprehensive measurement of risks to information security. Today we are going to dive into the specifics of what that means.
The FISASCORE assessment looks for vulnerabilities, weak points and deficiencies in your information security with the ultimate goal of protecting the confidentiality, integrity and availability of information.
What makes a FISASCORE security assessment comprehensive?
To be truly comprehensive, you need to look at more than just the technical aspects of security, which have to do with hardware and software. To look at the whole picture of your information security, there are really three types of controls to consider, and the FISASCORE assessment looks at all of them:
Technical controls are what you probably picture first when reviewing information security. These have to do with your IT hardware and software and are divided into two sub-categories: internal and external.
Internal technical controls protect information within your network.
- Intrusion prevention systems
- Anti-virus software
- Mobile Device Management (MDM)
- Security logs
- Access controls
- Data encryption
- Search engine indexes
- Domain Name System (DNS)
- Port scanning
- Vulnerability scanning
- Security Operation Centers (SOC)
Administrative controls include organizational processes, policies and procedures and the humans behind them who choose, develop, implement and maintain security practices in your environment. People are the biggest weak points in your network, and the more you can educate them and give them standards to adhere to, the more secure your information will be. Administrative controls can include:
- Policies, such as requirements to lock computer screens while unattended
- Awareness training and education
- Procedures, such as removing network access during employee offboarding
- Appointed security officers
- Internal audits
- Business continuity plans
- Reporting of security breaches
Physical controls have to do with your building security. Security measures are useless if your files or servers are physically stolen or destroyed. A FISASCORE assessment will look at physical controls, such as:
- Locked doors
- Camera surveillance
- Alarm systems
- Backups stored offsite
- Employee ID badges
- Locked file cabinets
- Restriction of employee access to sensitive areas
- Measures to prevent fire and flood damage
By assessing these different control areas with a FISASCORE, you not only get the most comprehensive look at your information security risk, you also get a comprehensive report and action plan to address any control areas that might be lacking. The size, complexity and function of your organization will determine the extent of the technical, physical and administrative controls you need, as will the type of IT infrastructure you have and your industry’s compliance requirements.
It is common for organizations to spend their budget and time on technical controls, while administrative and physical controls are lacking. This oversight can have dramatic impacts on your security posture. You do not have to be an IT expert to understand the value of each of these controls to your overall information security.
Joe has been part of the Loffler IT leadership team since 2015 and has a deep background in enterprise software with experience spanning the areas of Unified Communications, Workflow Automation, Contact Center, Collaboration and ERP/SCM/WFM. A little-known fact? Joe used to be the drummer in a blues band called the Electric Trane.