Security Hygiene Controls from 2016

A number of security controls are valuable to organizations both inside and outside government. To increase adoption of these controls, the B.C. Government has developed a set of templates that organizations can use as-is or adapt to their own needs.


Information Security Policy (ISP)

An Information Security Policy is a fundamental requirement of any security program: it helps employees understand what they may and may not do. This document sets out the requirements that ensure networks, systems, and data are protected by adequate security controls.

Risk Register

A risk register is a key instrument for communicating risks, including information security risks, to executives and boards of directors. The risk register should be reviewed quarterly. The objective of each review is to confirm that the inherent risk rating and trend for each entry are still correct, and that the associated controls are sufficient to reduce the risk to an acceptable level.

Risk Assessment

A risk assessment should be performed when a new system is introduced or a material change is made to an existing one. Through the risk assessment process, an organization identifies the risks that must be mitigated to a level consistent with its risk appetite before the system or change is accepted.

Security Incident Response Plan

The Security Incident Response Plan is the plan executed when a real or suspected security incident is reported. It should be reviewed and exercised on a regular basis, and it is instrumental in ensuring that security incidents are handled in an organized, repeatable fashion.

Security Course (In progress)

Education and awareness offer the greatest return on investment for organizations seeking to build a security culture. Information security courses help employees understand what they may and may not do under the organization's security policy, and what practical steps they can take to reduce risk to the organization, such as not clicking on suspicious links or opening unexpected attachments.