We continue our compliance journey with our second information security requirement.
The requirement reads:
To defend Information Technology (IT) systems against common cybersecurity threats, a company must install sufficient software/hardware protection from malware (viruses, spyware, worms, Trojans, etc.) and internal/external intrusion (firewalls) in Members’ computer systems. Members must ensure that their security software is current and receives regular security updates. Members must have policies and procedures to prevent attacks via social engineering. If a data breach occurs or another unseen event results in the loss of data and/or equipment, procedures must include the recovery (or replacement) of IT systems and/or data.
There is a lot to unpack here, and not all of it can be solved with technology alone. All businesses should have a written policy and procedure to govern their information security strategy, as well as an Incident Response plan to use if an attack is successful. In addition, we recommend an up-to-date acceptable use policy.
These documents will guide the procurement and configuration of the technology implemented to help prevent or respond to an attack. Without a coherent plan, it is easy to spend thousands on point solutions and still be vulnerable to a breach.
AEGIS Innovators recommends that most businesses start with an assessment, build or edit their current policy documentation, and then deploy new processes and technology.
This can seem like a daunting task, but if you want to know where to start, please reach out to our consulting team to discuss building this roadmap for your business to be CTPAT compliant.