What Is Multi-Factor Authentication (MFA)? – ISMS TIPS – WEEK IV

Multi-factor authentication (MFA) is a security mechanism that requires users to provide two or more forms of evidence of identity before accessing an account or system. The goal of MFA is to make it more difficult for unauthorized users to gain access to sensitive information. Traditionally, authentication is done with a username and password, but this method is not very secure: usernames are often easy to guess, and passwords can be stolen, phished, or cracked. MFA adds an extra layer of security by requiring a second form of evidence, such as a fingerprint, a smart card, or a one-time code sent to your phone. This way, even if someone knows your password, they still can’t access your account without the second factor.

Multi-factor authentication, or MFA, protects your applications by requiring a second source of validation before granting access to users. Common examples of additional factors include something the user possesses, such as a phone or hardware token, and contextual signals such as geographic or network location. MFA enables organizations to verify the identities of users before they can gain entry to critical systems.

Why is multi-factor authentication needed?

As organizations digitize operations and take on greater liability for storing customer data, the risks and need for security increase. Because attackers have long exploited user login data to gain entry to critical systems, verifying user identity has become essential.

Authentication based on usernames and passwords alone is unreliable and unwieldy, since users may have trouble storing, remembering, and managing them across multiple accounts, and many reuse passwords across services and create passwords that lack complexity. Passwords also offer weak security because of the ease of acquiring them through hacking, phishing, and malware.

What are some examples of multi-factor authentication?

Cloud-based authenticator apps such as Duo are engineered to provide a smooth login experience with MFA. They are designed to integrate seamlessly within your security stack. With Duo, you can:

  • Verify user identities in seconds
  • Protect any application on any device, from anywhere
  • Add MFA to any network environment

How does multi-factor authentication work?

MFA requires means of verification that unauthorized users won’t have. Since passwords are insufficient for verifying identity, MFA requires multiple pieces of evidence to verify identity. The most common variant of MFA is two-factor authentication (2FA). The theory is that even if threat actors can impersonate a user with one piece of evidence, they won’t be able to provide two or more.

Proper multi-factor authentication uses factors from at least two different categories. Using two from the same category does not fulfill the objective of MFA. Despite the wide use of the password/security question combination, both factors are from the knowledge category, so that combination does not qualify as MFA. A password and a temporary passcode do qualify, because the passcode is a possession factor that verifies ownership of a specific email account or mobile device.
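As an added example (not code from the original post), the following Python script turns the two points above into working code: a check that presented factors really span two categories (password plus security question fails, password plus one-time code passes), and a login routine that verifies a password together with a time-based one-time code. The one-time code follows the HOTP/TOTP algorithms (RFC 4226 and RFC 6238) using only the standard library; the `FACTOR_CATEGORIES` table, the account record and the sample secret are constructed for this illustration and are not part of the post.

```python
"""Added example (not from the original post): password + time-based one-time
code login, plus the "factors from two different categories" rule.

HOTP follows RFC 4226 and TOTP follows RFC 6238; only the standard library
is used. The account record and sample values below are constructed."""
import hashlib
import hmac
import os

# Which category each kind of evidence belongs to (knowledge / possession /
# inherence). Table constructed for this example.
FACTOR_CATEGORIES = {
    "password": "knowledge",
    "security_question": "knowledge",
    "pin": "knowledge",
    "totp_code": "possession",     # code from an authenticator app
    "sms_code": "possession",      # code sent to a registered phone
    "hardware_token": "possession",
    "smart_card": "possession",
    "fingerprint": "inherence",
}


def satisfies_mfa(factors):
    """True only when the presented factors span at least two categories.

    password + security_question -> both knowledge -> not MFA.
    password + totp_code -> knowledge + possession -> MFA.
    """
    return len({FACTOR_CATEGORIES[f] for f in factors}) >= 2


def hotp(secret, counter, digits=6):
    """HMAC-based one-time password (RFC 4226, HMAC-SHA1, dynamic truncation)."""
    digest = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, unix_time, step=30, digits=6):
    """Time-based variant (RFC 6238): the counter is the current 30 s window."""
    return hotp(secret, int(unix_time) // step, digits)


def verify_totp(secret, code, unix_time, last_counter=-1, window=1, step=30):
    """Return the time-step counter the code matched, or None.

    Accepts +/- `window` steps of clock drift, compares in constant time, and
    refuses any counter at or before `last_counter` so a captured code cannot
    be replayed inside the drift window.
    """
    now_counter = int(unix_time) // step
    for counter in range(now_counter - window, now_counter + window + 1):
        if counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter), code):
            return counter
    return None


def new_account(password, totp_secret):
    """Constructed account record: salted PBKDF2 password hash + shared TOTP secret."""
    salt = os.urandom(16)
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return {"salt": salt, "pw_hash": pw_hash,
            "totp_secret": totp_secret, "last_counter": -1}


def login(account, password, code, unix_time):
    """Two-factor login. Both factors are always evaluated and a single
    generic result is returned, so the caller learns nothing about which
    factor failed. The replay marker is advanced only on success."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    account["salt"], 100_000)
    password_ok = hmac.compare_digest(candidate, account["pw_hash"])
    matched = verify_totp(account["totp_secret"], code, unix_time,
                          account["last_counter"])
    if not (password_ok and matched is not None):
        return False
    account["last_counter"] = matched
    return True


if __name__ == "__main__":
    # RFC 6238 test secret; at t=59 the expected 6-digit code is 287082.
    secret = b"12345678901234567890"
    acct = new_account("correct horse battery staple", secret)
    print(satisfies_mfa(["password", "security_question"]))  # False
    print(login(acct, "correct horse battery staple", totp(secret, 59), 59))  # True
    print(login(acct, "correct horse battery staple", totp(secret, 59), 59))  # False: replayed
```

Two design points worth noting: the password and the code are checked independently and only a combined yes/no is returned, so an attacker who knows the password cannot use the login response to learn whether the code was the only thing wrong; and the `last_counter` marker means each one-time code works exactly once even though the verifier tolerates one step of clock drift on either side.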

 

CFS ISMS MANAGER

SECURE FILE SHARING – ISMS TIPS – WEEK IV

Secure file sharing is the process of transferring files online in a way that protects them from unauthorized access, modification, or disclosure. Secure file sharing is important for complying with the information security management system (ISMS) standards, such as ISO 27001, which aim to ensure the confidentiality, integrity, and availability of information.

There are different ways to share files securely online, depending on the type, size, and sensitivity of the files, as well as the preferences and needs of the sender and the receiver. Some common methods are:

  • Cloud storage services: These are online platforms that allow users to store and share files over the internet. Cloud storage services offer secure file sharing and protection with various security features, such as permission-based access, password protection, encryption, virus scanning, ransomware detection, and more. Some examples of cloud storage services are Dropbox, Google Drive, OneDrive, and Internxt.
  • Email attachments: These are files that are attached to an email message and sent to one or more recipients. Email attachments are convenient for sharing small files, but they have some limitations and risks. For example, email attachments may have size limits, may be blocked by spam filters, may be intercepted by hackers, or may contain malware. Therefore, email attachments should be encrypted and scanned before sending or opening them.
  • File transfer services: These are online tools that allow users to upload and download files from a server. File transfer services are useful for sharing large files that cannot be sent via email or cloud storage. However, file transfer services may also have some drawbacks, such as limited storage time, bandwidth restrictions, or lack of security features. Therefore, file transfer services should be chosen carefully and used with caution. Some examples of file transfer services are WeTransfer, MediaFire, and SecureDocs.
  • Virtual private networks (VPNs): These are secure connections that create a private network over a public network. VPNs allow users to access and share files securely from any location, as if they were on the same local network. VPNs encrypt the data that is transmitted over the internet, making it unreadable to anyone who intercepts it. VPNs also hide the user’s IP address and location, enhancing their privacy and anonymity. Some examples of VPNs are ExpressVPN, NordVPN, and CyberGhost.

To choose the best way to share files securely online, you should consider the following factors:

  • The size and type of the files you want to share
  • The number and identity of the recipients you want to share with
  • The level of security and privacy you need for your files
  • The speed and reliability of your internet connection
  • The cost and convenience of the service you want to use

CFS ISMS MANAGER

PHYSICAL SECURITY
Physical security is the protection of information and information processing facilities from unauthorized physical access, damage, or interference. Physical security is an essential part of an information security management system (ISMS), as it helps prevent or reduce the impact of threats such as theft, vandalism, fire, flood, or natural disasters.

According to ISO 27001, the international standard for ISMS, physical security should be implemented in accordance with Annex A.11, which covers the following controls:

  • A.11.1 Secure areas: This control requires the organization to define and establish security perimeters and boundaries for areas that contain sensitive or critical information and information processing facilities. The organization should also control access to these areas using appropriate measures such as locks, alarms, guards, or CCTV cameras.
  • A.11.2 Equipment: This control requires the organization to protect equipment from environmental threats and hazards, such as dust, water, heat, or power fluctuations. The organization should also prevent unauthorized access to equipment by securing cables, ports, and removable media. Additionally, the organization should ensure proper maintenance and disposal of equipment and media.
  • A.11.3 Working in secure areas: This control requires the organization to establish rules and procedures for working in secure areas, such as restricting unauthorized visitors, prohibiting unattended equipment or media, and ensuring clear desk and clear screen policies.

Physical security is not only applicable to the organization’s premises but also to any other locations where information and information processing facilities are used or stored, such as home offices, mobile devices, or cloud services. Therefore, the organization should also consider the physical security aspects of its suppliers, partners, and employees who work remotely or travel frequently.

ISMS MANAGER

CLOUD SECURITY

Cloud security is the set of cybersecurity measures used to protect cloud-based applications, data, and infrastructure from unauthorized access, online attacks, and insider threats. Cloud security involves applying security policies, practices, controls, and other technologies to help secure cloud environments.

Cloud security is important because it enables organizations to benefit from the flexibility, scalability, and innovation of cloud computing while minimizing the risks of data breaches, compliance violations, and service disruptions. Cloud security also helps organizations meet their regulatory and legal obligations regarding data protection and privacy.

Cloud security works by following a shared responsibility model between the cloud service provider (CSP) and the customer. The CSP is responsible for securing the cloud infrastructure, such as servers, storage, networks, and virtualization. The customer is responsible for securing the data, applications, and user access in the cloud. Depending on the type of cloud service model used (IaaS, PaaS, or SaaS), the level of responsibility may vary.

Some examples of cloud security measures are:

  • Identity and access management (IAM): This is a process of verifying the identity of users and devices and granting them appropriate permissions to access cloud resources. IAM helps prevent unauthorized access and enforce the principle of least privilege.
  • Encryption: This is a method of transforming data into an unreadable format using a secret key. Encryption helps protect data from being intercepted or tampered with while in transit or at rest in the cloud.
  • Firewall: This is a device or software that monitors and filters network traffic based on predefined rules. A firewall helps block malicious or unwanted traffic from reaching or leaving the cloud.
  • Antivirus: This is software that detects and removes malware from devices or systems. Antivirus helps prevent malware infections that could compromise data or functionality in the cloud.
  • Backup: This is a process of creating copies of data and storing them in a separate location. Backup helps ensure data availability and recovery in case of accidental deletion, corruption, or disaster in the cloud.

CFS ISMS MANAGER

ISMS POLICY STATEMENT

An ISMS Policy Statement is a document that defines the scope, objectives, and principles of an Information Security Management System (ISMS). An ISMS is a set of policies, procedures, and processes that aim to protect the confidentiality, integrity, and availability of information from various threats. An ISMS Policy Statement also demonstrates the commitment of the management to implement, maintain, and improve the ISMS in accordance with the ISO 27001 standard or other relevant frameworks.

Some examples of ISMS Policy Statements are:

  • CFS: This document states that CFS is committed to securing the information of the organization and its customers from internal or external, deliberate or accidental threats. You can always read more on our page.
  • GS1 India: This document states that GS1 India is committed to securing the information of the organization and its subscribers from internal or external, deliberate or accidental threats. It also outlines the management’s responsibilities, such as meeting regulatory and legislative requirements, ensuring information security awareness among employees, conducting risk assessments and audits, and providing appropriate resources for the ISMS.
  • Systematics International Ltd: This document provides an overview of the company, the activities it carries out, and the quality standards it conforms to. It also explains how the company implements the requirements of the ISO 27001 standard, such as defining the scope and context of the ISMS, establishing information security objectives and policies, conducting risk assessments and treatment plans, measuring and improving the ISMS performance, and ensuring internal and external communication.
  • CoralPay: This document states that CoralPay is committed to the integrity of its information and implements measures to protect the organization’s information through an information security program. It also defines the scope of the ISMS, which covers all information assets, processes, and systems that support the business operations of CoralPay.

I hope this helps you understand what an ISMS Policy Statement is. If you have any further questions, please feel free to ask your ISMS Manager.

 

CFS ISMS MANAGER

INFORMATION CLASSIFICATION POLICY – ISMS TIPS – WEEK IV

Adopting a full set of information security policies is a critical step in ensuring that every department and employee understands their role in helping protect company, customer, and employee data.  

To properly manage risk, organizations need to understand how to properly store, process, transmit, and destroy sensitive data based on the risk that information poses to the organization. 

 

Purpose 

The purpose of the Information Classification and Management Policy is to provide a system for classifying and managing Information Resources according to the risks associated with its storage, processing, transmission, and destruction. 

Audience 

The Information Classification and Management Policy applies to any individual, entity, or process that interacts with any Information Resource. 

 

Responsibilities 

Information User 

  • The person, organization or entity that interacts with Information for the purpose of performing an authorized task. 
  • Has a responsibility to use Information in a manner that is consistent with the purpose intended and in compliance with policy. 

Information Owner 

  • The person responsible for, or dependent upon, the business process associated with an information resource. 
  • Is knowledgeable about how the information is acquired, transmitted, stored, deleted, and otherwise processed. 
  • Determines the appropriate value and classification of information generated by the owner or department. 
  • Must communicate the information classification when the information is released outside of the department. 
  • Controls access to their information and must be consulted when access is extended or modified. 
  • Must communicate the information classification to the Information Custodian so that the Information Custodian may provide the appropriate levels of protection. 
  • Must periodically review their information to ensure the proper classification is applied. 

Information Custodian 

  • Maintains the protection of Information according to the information classification assigned to it by the Information Owner. 
  • Is delegated by the Information Owner and is usually Information Technology personnel. 

Policy 

Information Classification 

  • Information owned, used, created or maintained by the organization should be classified into one of the following three categories: 
    • Public 
    • Internal 
    • Confidential 
  • Public Information: 
    • Is information that may or must be open to the general public. 
    • Has no existing local, national, or international legal restrictions on access or usage. 
    • While subject to disclosure rules, is available to all employees and all individuals or entities external to the corporation. 
    • Examples of Public Information include: 
      • Publicly posted press releases, 
      • Publicly available marketing materials, 
      • Publicly posted job announcements. 
  • Internal Information: 
    • Is information that must be guarded due to proprietary, ethical, or privacy considerations. 
    • Must be protected from unauthorized access, modification, transmission, storage or other use; this applies even though there may not be a civil statute requiring this protection. 
    • Is restricted to personnel designated by the organization who have a legitimate business purpose for accessing such Information. 
    • Examples of Internal Information include: 
      • Employment Information, 
      • Business partner information where no more restrictive confidentiality agreement exists, 
      • Internal directories and organization charts, 
      • Planning documents. 
  • Confidential Information: 
    • Is information protected by statutes, regulations, policies or contractual language. Information Owners may also designate Information as Confidential. 
    • Is sensitive in nature, and access is restricted. Disclosure is limited to individuals on a “need-to-know” basis only. 
    • Disclosure to parties outside of the organization must be authorized by executive management, approved by the Director of Information Technology and/or General Counsel, or covered by a binding confidentiality agreement. 
    • Examples of Confidential Information include: 
      • Customer data shared and/or collected during the course of a consulting engagement, 
      • Financial information, including credit card and account numbers, 
      • Social Security Numbers, 
      • Personnel and/or payroll records, 
      • Any Information identified by government regulation to be treated as confidential, or sealed by order of a court of competent jurisdiction, 
      • Any Information belonging to a customer that may contain personally identifiable information, 
      • Patent information. 

 

Information Handling

  • All Information should be labeled according to the Labelling Standard. 
  • Public: 
    • Disclosure of Public Information must not violate any pre-existing, signed non-disclosure agreements. 
  • Internal: 
    • Must be protected to prevent loss, theft, unauthorized access, and/or unauthorized disclosure. 
    • Must be protected by a confidentiality agreement before access is allowed. 
    • Must be stored in a closed container (i.e., file cabinet, closed office, or department where physical controls are in place to prevent disclosure) when not in use. 
    • Is the “default” classification level if one has not been explicitly defined. 
  • Confidential: 
    • When stored in an electronic format must be protected with a minimum level of authentication to include strong passwords as defined in the Authentication Standard. 
    • When stored on mobile devices and media, must be encrypted. 
    • Must be encrypted at rest. 
    • Must be stored in a locked drawer, room, or area where access is controlled by a cipher lock and/or card reader, or that otherwise has sufficient physical access control measures to afford adequate protection and prevent unauthorized access by members of the public, visitors, or other persons without a need-to-know. 
    • Must not be transferred via unsecure communication channels, including, but not limited to: 
      • Unencrypted email 
      • Text messaging 
      • Instant Messaging 
      • Unencrypted FTP 
      • Mobile devices without encryption 
    • When sent via fax, must be sent only to a previously established and used address or one that has been verified as using a secured location. 
    • When transmitted via USPS or other mail service, must be enclosed in a sealed security envelope. 
    • Must not be posted on any public website. 
    • Management must be notified in a timely manner if Information classified as Confidential has been or is suspected of being lost or disclosed to unauthorized parties. 

Information Retention & Destruction 

  • All information stored by the organization must be stored in accordance with the Data Retention Schedule. 
  • All information maintained by the organization must include a documented timestamp or include a timestamp as part of its metadata. 
  • Information that is no longer required to be maintained by the organization is classified as “Expired” and must be destroyed in accordance with the Media Reuse and Destruction Standard. 
  • Information Owners should be consulted prior to information destruction and may have the opportunity to extend Information expiration, given business needs and/or requirements for the extended retention. 
  • Customers may have their own information retention requirements that supersede the organization’s requirements. Such customer requirements should be documented in contractual language. 

 

CFS ISMS MANAGER

CLEAR DESK/CLEAR SCREEN POLICY – ISMS TIPS – WEEK III

Clear Desk and Clear Screen policy refers to an organizational practice that requires employees to maintain a clutter-free workspace and ensure that computer screens are free from sensitive or confidential information when not in use. This policy is implemented to protect the security and privacy of sensitive company information and prevent data breaches.

A Clear Desk policy typically dictates that employees must tidy up their workstations before leaving for the day. This includes removing any documents, files, or personal belongings from the desk surface and storing them in locked cabinets or drawers. The objective is to minimize the risk of sensitive information being left unattended or falling into the wrong hands.

Furthermore, a Clear Screen policy emphasizes the importance of locking or logging out of computers when not in use. This prevents unauthorized access to information displayed on the screen, strengthens system security, and serves as a safeguard against potential data breaches.

The need for a Clear Desk and Clear Screen policy stems from the increasing focus on data security and privacy in the digital age. Organizations collect and store large volumes of data, some of which may be sensitive or confidential. Unauthorized access to this data can result in financial losses, reputation damage, and legal consequences.

Implementing a Clear Desk and Clear Screen policy offers several benefits to organizations. First and foremost, it helps protect sensitive information from unauthorized access. By clearing the desk and locking the computer screen, employees ensure that confidential data is not visible to unauthorized individuals, reducing the risk of data leaks.

Additionally, a Clear Desk and Clear Screen policy can enhance productivity and organization. A clutter-free workspace promotes a better work environment, enabling employees to focus on their tasks without distractions. Furthermore, logging out or locking the computer when not in use ensures that work-related files or websites are not mistakenly accessed or altered by others.

To successfully implement a Clear Desk and Clear Screen policy, organizations need to communicate the policy clearly and train employees on its importance and procedures. Regular reminders and updates can help reinforce the policy and keep it at the forefront of employees’ minds.

In conclusion, a Clear Desk and Clear Screen policy is a vital practice for organizations to protect sensitive information, maintain data security, and foster a productive work environment. This policy ensures that employees maintain a clutter-free workspace and secure computer screens to prevent data breaches and unauthorized access. By implementing this policy and promoting awareness among employees, organizations can mitigate risks and safeguard their valuable information.

 

CFS ISMS MANAGER

Nigeria, India on track for improved trade relations — Trade minister

The Minister of Industry, Trade and Investment, Dr Doris Uzoka-Anite, has said that Nigeria is exploring ways to improve trade and investment relations with India, even as she is wooing various Indian entrepreneurs who are already doing business in Nigeria.

The minister, who is in the company of President Bola Tinubu on the Nigerian team at the ongoing G-20 Summit in India, said this during a bilateral meeting with the Indian Minister of Commerce and Industry, Piyush Goyal.

In a statement, Uzoka-Anite said: “Our trip here has so far been fruitful and Nigerians should be proud of our achievement here. We signed an agreement on Infrastructure Corporation of Nigeria Limited (InfraCorp) and Invest India. We also signed another agreement between the Nigerian Ministry of Communication, Innovation and Digital Economy and the Indian Ministry of Electronics and Information Technology. We have also secured investment commitments from multinationals like SkipperSeil Group, Jindal Steel and Power Limited, Bharti Enterprises, Indorama Petrochemical Limited amounting to several billions of dollars.”

She further stated: “We have more than 130 Indian companies that are active in Nigeria, from manufacturing to hospitality to oil and gas, and the healthcare sector.”

Meanwhile, the National President of the Nigerian Association of Chambers of Commerce, Industry, Mines, and Agriculture (NACCIMA), Dele Kelvin Oye, has expressed confidence that the newly appointed minister has what it takes to drive the growth of the nation’s real sector, noting that her impressive background and extensive experience have uniquely positioned her to excel in her current role.

“Her previous roles in the banking industry and subnational governance have equipped her with a wealth of knowledge, skills, and expertise that she has applied to the task with exceptional competence,” Oye stated.

 

Source: Vanguard


TELEWORKING – ISMS TIPS – WEEK II

Teleworking, also known as telecommuting or remote work, is a work arrangement in which employees are allowed to work from home or a location outside of the traditional office. This practice has gained popularity in recent years, thanks to advancements in technology that allow for seamless communication and collaboration between employees and their colleagues.

Many companies have implemented teleworking policies as a way to attract and retain talented employees, as well as improve work-life balance. Teleworking can offer numerous benefits to both employers and employees. For employees, it can provide flexibility in work hours and location, reduce commuting time and expenses, and increase productivity by eliminating distractions often present in the office environment. For employers, it can lead to cost savings on office space, decreased absenteeism, and improved employee satisfaction and morale.

However, implementing a teleworking policy is not without its challenges. It requires setting clear guidelines and expectations to ensure that teleworkers are meeting their responsibilities and that team collaboration and communication are not compromised. Managers should also provide the necessary resources and support to ensure that teleworkers have the tools and connectivity needed to perform their tasks effectively.

Additionally, teleworking may not be suitable for all types of jobs or industries. Certain roles require physical presence or face-to-face interaction, and not all employees may have the suitable workspace or equipment at home to carry out their work effectively. Employers must carefully consider these factors when deciding to implement a teleworking policy.

Another consideration is the potential impact on company culture and employee engagement. When employees are physically separated, it can be more challenging to foster a sense of camaraderie and teamwork. To mitigate this, companies should provide opportunities for virtual meetings, team-building activities, and regular communication to ensure that teleworkers still feel connected and engaged with their colleagues and the organization.

Overall, teleworking can bring numerous benefits to both employers and employees, but it needs to be implemented thoughtfully and with clear guidelines. With the right policies and support, teleworking can be a valuable tool for companies to attract and retain talent, improve work-life balance, and increase productivity.

CFS ISMS MANAGER

How to Report an Information Security Incident?

What is a Security Incident?

A security incident is any attempted or actual unauthorized access, use, disclosure, modification, or destruction of information. This includes interference with information technology operation and violation of the organization’s policy, laws or regulations.

Examples of security incidents include:

  • Computer system breach
  • Unauthorized access to, or use of, systems, software, or data
  • Unauthorized changes to systems, software, or data
  • Loss or theft of equipment storing institutional data
  • Denial of service attack
  • Interference with the intended use of IT resources
  • Compromised user accounts

It is important that actual or suspected security incidents are reported as early as possible so that the organization can limit the damage and the cost of recovery. Include specific details regarding the system breach, vulnerability, or compromise of your computer, and we will respond with a plan for further containment and mitigation.

How to report a security incident

Email: it@cfsfin.com

Phone: 234-909-032-9828

Important: If the incident poses any immediate danger, contact the Incident Response Team immediately via unitsheads@cfsfin.com

Information to include in the report:

  • Your name
  • Department
  • Email address
  • Telephone number
  • Description of the information security problem
  • Date and time the problem was first noticed (if possible)
  • Any other known resources affected

 

To report an information security incident, follow these steps:

  1. Identify the incident: Determine if the situation qualifies as an information security incident. This can include unauthorized access to systems or data, malware infections, data breaches, network attacks, or any other security-related event.
  2. Contain the incident: Take immediate action to contain the incident and prevent further damage. This can involve isolating affected systems, disconnecting from the network, or disabling compromised accounts.
  3. Document the incident: Gather as much information as possible about the incident. Note the date, time, and location of the incident, as well as the systems, devices, or individuals involved. Document any suspicious or unusual activities leading up to the incident.
  4. Notify the appropriate authority: Report the incident to your organization’s designated reporting authority. This can be your IT department, security team, or incident response team. If your organization has specific incident reporting and response procedures, follow those guidelines.
  5. Follow incident response procedures: If your organization has established incident response procedures, follow the steps outlined in those protocols. This may include preserving evidence, conducting a forensic investigation, or engaging external security consultants.
  6. Inform affected parties: If the incident involves a breach of personal data or could potentially impact individuals or organizations outside your organization, consider notifying those affected. Depending on the regulations and laws in your country, you may be required to inform individuals of any breach involving their personal information.
  7. Learn from the incident: After the incident is resolved, conduct a post-incident analysis to identify any lessons learned and areas for improvement in your organization’s security practices. Use this information to enhance your security measures and prevent similar incidents in the future.

 

Remember, the specific reporting procedures and contacts may vary depending on the organization, so it is essential to follow your organization’s policies and guidelines when reporting an information security incident.

 

CFS ISMS MANAGER