AN INSTRUMENT TO ASSESS CYBER-SECURITY

29. My organisation has deployed technologies to protect informatio n infrastructures against cyber threats

(a) Why it is important to deploy automated technologies to safeguard informat io n infrastructure

Appropriate automated technologies are effective and efficient in detecting cyber threats, prevent threats to access information infrastructure, and monitor activities on information infrastructure. These automated technologies perform activities that human beings cannot perform. By their very nature, information infrastructure assets require automated technologies to be protected. Physical security is also important.

If appropriately implemented, automated technologies offer 24/7 protection, and monitoring of information infrastructure assets.

(b) Risks associated with lack of automated technologies to safeguard informat io n infrastructure

Besides physical security, information infrastructure requires only automated technologies in order to be protected. Without automated technologies, infrastruct ur e assets would not be protected and would be exposed to cyber threats.

(c) Recommended practice for automated technologies to protect informat io n infrastructure

The designated cyber-security function must implement current and applicable automated technologies to safeguard information infrastructures. This goes hand to hand with asset management practices. Automated security technologies must be deployed and implemented for all critical information infrastructure assets within the municipality. The designated cyber-security structure must keep an inventory of all automated technologies implemented in each information infrastructure asset.

30. Access to information infrastructures is controlled through identification and authentication

(a) Why it is important to control access through identification and authentication Keeping track of and records on the activities on information infrastructure is important because it provides evidence of who accessed the resource, and furthermore in other cases, it aligns the actions performed on the resources by the individuals, thereby confirming accountability behind those actions that have been performed. User identification ensures that the municipality knows who the individual is that accessed the infrastructure asset. Knowing who the individual is, is not sufficient. That individual must confirm whether they are the person. They must prove that they are indeed the one purported to be them.

(b) Risks associated with lack of identification and authentication of users when accessing information infrastructure

There could be uncontrolled access to information infrastructure, thereby compromising the protection of such assets. Uncontrolled access could lead to unauthorised modification of information assets, and also could lead to lack of accountability. If you cannot identify who performed certain activities on information infrastructure, it also means that you cannot hold anyone accountable for such activities.

(c) Recommended practice for user identification and authentication when accessing information infrastructure assets

There must be proper identification and authentication mechanisms for all users who access information infrastructure assets. There must be a unique identification for each user in order to enforce accountability.

31. Management has adopted industry best practices to protect informatio n infrastructure against cyber-threats

(a) Why it is important to adopt industry standards to secure informat io n infrastructure

At an operational level, industry standards are widely known and used by various institutions, and if the municipality adopts these widely known standards, support of information infrastructure that uses those standards becomes easily available. The standards are universal tools that achieve consistency in the application of information infrastructures. Service providers who are known and understand these universal standards have an advantage when providing support to informat io n infrastructure assets. Industry standards offer credibility for the work done on the information infrastructure, only if they have been used to such work. Industry standards offer critical and credible guidelines to be adopted by the municipal it y when safeguarding the information infrastructure

(b) Risks associated with non-adoption of industry best practices/standards

Organisational siloed processes could be adopted to protect the informat io n infrastructure which could prove to be costly and unreliable. Organisational siloed processes could be difficult to outsource and or to be supported by service providers.

It could be difficult for management to rely on the effectiveness of controls implemented without reference to industry best practices or standards. There could be lack of direction and insight without the guidance of industry best practices (c) Recommended practice for the adoption of industry best practices

The cyber-security designated structure must develop an inventory of industr y standards that can be adopted by the municipality for each type and use of information infrastructure. The rationale for a selected standard must be clear and communicated to relevant management. Once a specific industry best practice has been adopted, compliance to such a standard must be monitored and enforced.

32. Anti-virus software is installed on our laptops, desktops, and other devices (a) Why it is important to use anti-virus software for the applicable informat io n

infrastructure

Prevention is better than cure because it is much cheaper to implement than fight i ng fires trying to contain the spread of the virus in the information infrastructure system.

Anti-virus software is used as a proactive mechanism to prevent known viruses from infecting the information infrastructure. Implementing anti-virus software is a risk mitigating mechanism, and it limits the possibility of the information infrastruct ur e becoming infected with viruses.

(b) Risks associated with not implementing anti-virus software