In this blog series, we examine the fourteen themes of IASME Cyber Assurance, the comprehensive, cost-effective cyber security standard designed to help organisations of all sizes improve their cyber resilience.
Our first two blogs explored the themes under the first two categories, Identify and Classify, and Protect.
The third category is Detect and Deter, and it includes Theme 12, Monitoring.
This theme emphasises embedding security into everyday business operations so that the organisation stays secure and resilient. Security activities should be carried out as part of routine processes, so that risks are identified and dealt with as a matter of course rather than as an afterthought. Key considerations include monitoring business systems and processes to establish what acceptable activity looks like, identifying unacceptable behaviour against that baseline, and using what is learned to improve the organisation's overall security posture. Clear policies and procedures should guide these efforts and keep them aligned with legal, regulatory, and contractual obligations.
Monitoring and tracking are central to secure business operations. Businesses must ensure their monitoring systems are properly calibrated, so that alerts reflect genuine deviations from normal activity rather than noise; maintain forensically sound records that can be relied on for legal purposes; and establish accessible reporting mechanisms for employees and the public. It is also critical to monitor who is accessing information and from where. Logs and audit trails should be time-synchronised, so that events recorded on different systems can be correlated in the right order, and stored securely so they cannot be altered or deleted. Role segregation and access controls are essential here: the people whose actions are being logged should not be the people who can edit or remove the logs, which prevents unauthorised access to, or tampering with, sensitive records.
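To make the "forensically sound, synchronised, tamper-resistant" requirement concrete, here is a small added example (written for this post; it is not IASME's code and the standard does not prescribe any particular implementation). It keeps an audit trail in which every entry carries a UTC timestamp, the user, the action and the source address, and each entry's hash chains to the previous one, so that editing or deleting a record after the fact breaks the chain and is detected on verification. It also illustrates the "who and from where" point by flagging access from outside a set of trusted networks. The user names, addresses and trusted ranges are constructed sample data, not taken from the standard.

```python
"""Tamper-evident, time-synchronised audit trail (added example).

Each entry is hashed together with the hash of the entry before it,
so a change to any stored record invalidates every hash after it.
Timestamps must be timezone-aware and are normalised to UTC so that
records from different systems line up when correlated.
"""
import hashlib
import ipaddress
import json
from datetime import datetime, timezone

GENESIS_HASH = "0" * 64  # chain anchor for the first entry


def _entry_hash(prev_hash: str, record: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so the hash is reproducible.
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()


class AuditTrail:
    def __init__(self) -> None:
        self.entries: list[dict] = []

    def append(self, user: str, action: str, source_ip: str, ts: datetime) -> None:
        if ts.tzinfo is None:
            # A naive timestamp cannot be correlated with other systems' logs.
            raise ValueError("timestamp must be timezone-aware")
        record = {
            "ts": ts.astimezone(timezone.utc).isoformat(timespec="seconds"),
            "user": user,
            "action": action,
            "source_ip": source_ip,
        }
        prev_hash = self.entries[-1]["hash"] if self.entries else GENESIS_HASH
        self.entries.append({"record": record, "hash": _entry_hash(prev_hash, record)})

    def verify(self) -> int:
        """Return -1 if the chain is intact, else the index of the first bad entry."""
        prev_hash = GENESIS_HASH
        for index, entry in enumerate(self.entries):
            if _entry_hash(prev_hash, entry["record"]) != entry["hash"]:
                return index
            prev_hash = entry["hash"]
        return -1


# Constructed sample: internal ranges the business expects staff to come from.
TRUSTED_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def flag_unexpected_access(entries: list[dict], trusted=TRUSTED_NETWORKS) -> list[dict]:
    """Return the records whose source address is outside every trusted network."""
    flagged = []
    for entry in entries:
        addr = ipaddress.ip_address(entry["record"]["source_ip"])
        if not any(addr in net for net in trusted):
            flagged.append(entry["record"])
    return flagged


def build_sample_trail() -> AuditTrail:
    """Three constructed access events; 203.0.113.7 is a documentation-range address."""
    trail = AuditTrail()
    trail.append("alice", "open customer_list.xlsx", "10.1.2.3",
                 datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc))
    trail.append("bob", "export payroll.csv", "192.168.5.9",
                 datetime(2024, 5, 1, 9, 5, tzinfo=timezone.utc))
    trail.append("contractor01", "open customer_list.xlsx", "203.0.113.7",
                 datetime(2024, 5, 1, 9, 7, tzinfo=timezone.utc))
    return trail


if __name__ == "__main__":
    trail = build_sample_trail()
    print("chain intact:", trail.verify() == -1)
    for rec in flag_unexpected_access(trail.entries):
        print("access from outside trusted networks:", rec)
    # Simulate someone editing a stored record after the fact.
    trail.entries[1]["record"]["action"] = "open payroll.csv"
    print("first tampered entry:", trail.verify())
```

The chain only proves integrity from the point of verification backwards, so the latest hash should be copied somewhere the log writers cannot reach (a separate system or a write-once store) at regular intervals; that is where the role segregation described above does its work.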
Regular vulnerability management is another key requirement. Larger businesses should conduct vulnerability scans at least every six months, after major system changes, and following incidents. For high-risk systems, such as those holding customer data, penetration testing may be necessary to find weaknesses that an automated scan would miss. A scan or test is only useful if its findings are acted on: prioritising and fixing what is found promptly is what actually reduces the risk of a breach.
Finally, fostering a culture of security awareness is vital. Employees, contractors, and the public should be encouraged to report security concerns or incidents through clear and accessible channels, including anonymous options. Responding promptly to alerts, and reviewing policies, risk assessments, and technical settings when monitoring shows they are no longer adequate, helps to limit the impact of any issue. By integrating security into daily operations, businesses can protect their systems, data, and stakeholders while meeting their legal and regulatory requirements.
