---

Cybersecurity – norms, standards, good practices

17 February 2021

IT security is a business decision and one that has a real impact on the functioning of your organization. Those responsible for managing IT issues in companies should therefore, on the one hand, draw attention to the links between digital and business risks, and on the other hand, actively take care of better security management, ensure the appropriate level of protection, and hire the best specialists in this area.

Norms and standards

In the area of cybersecurity, we recognize:

1. Standards based on which IT systems can be certified, e.g. PN-ISO/IEC 27001, ISO/IEC15408 (Common Criteria), ITSEC, TCSEC. They are characterized by measures of compliance with security standards, such as:
   •  classes (TCSEC),
   • levels E0-E6 (ITSEC, TCSEC),
   • Evaluation Assurance Levels – EAL (ISO/IEC-15408).
2. Standards that represent the so-called best practices, such as the following recommendations from Information Technology Infrastructure Library (ITIL), National Institute of Standards and Technology (NIST), “Generally Accepted Information Security Principles (GAISP)”, Network Reliability and Interoperability Council (NRIC), or “OECD Guidelines for the Security of Information Systems of Government Commerce (OECD)”.

Their application in everyday activities is directly reflected in the level of cybersecurity of the organization. However, compliance with standards is not everything, it is a good idea to follow good practices as well.

Good practices

These in turn include:

• Identifying security vulnerabilities and responding immediately when they are discovered.
• Raising user awareness – making users aware of potential threats and teaching them how to act appropriately and safely.
• Selecting security methods that are not too inconvenient for users so that they do not avoid using them in their everyday work.
• Ensuring well-thought-out and sensible management of access levels granted to employees.
• Creating back-up copies of data.
• Conducting audits and monitoring user behavior and how they comply with security procedures that have been imposed.
• Protecting remote workers – understanding the way they use the hardware and applications entrusted to them and adopting security measures that suit their habits.
•  Using the SOC (Security Operations Center) as a unified security and incident response platform, collecting and cross-referencing data from multiple sources.
• Data classification and protection – realizing that not all data requires the same level of protection and adjusting varying, adequate safeguards.
• Ongoing risk management – automating security assessments, prioritization of activities, and making incremental improvements.

Safety tests

To take comprehensive care of your IT, it is recommended to rely on security testing in addition to standards and best practices. Tests are necessary to protect the company against encryption or theft of valuable data.

Security tests, also known as penetration tests, consist of simulated cyber attacks conducted in a special, controlled environment by third-party security experts using the same techniques as the cybercriminals.

They reveal whether the servers or applications used by the company are resistant to attacks and whether any detected errors or gaps in security may result in break-ins. Conducting them once or twice a year will on one hand enable ongoing control of the security status, and on the other hand will guarantee business continuity.

---

Strategic plans concerning security issues should be an integral part of every company’s business strategy and consider both the current state of security practices and the predefined short-, medium- and long-term goals. The vision, goals, and objectives of such plans should be reviewed and adjusted to the changing business conditions at least once a year.

This might also interest you

back