Cyber-Resiliency Measures for Information Technologies

Source: Adapted from IAPH (2021) Cybersecurity Guidelines for Ports and Port Facilities, Version 1.0, International Association of Ports and Harbors, Tokyo.

The concept of cyber resilience relies on four dimensions supporting the integrity of the information system of an organization:

  • Access control. The range of strategies controlling and regulating access to a specific information technology network of an organization. The most fundamental relates to how the network is accessed through the use of credentials, mainly user names and passwords. Further, user roles and the information each user can access are subject to close management to ensure that privileges are removed if a user leaves the organization or is assigned another function. Stricter conventions are being imposed on the selection of passwords, which need to be more complex and include special characters to resist brute-force password attacks. For highly sensitive information, or if the user accesses the system from a new (remote) location, two-factor authentication is becoming the norm.
  • Data security. The range of strategies used to regulate the integrity of the information stored by an organization. Encrypting data and its transmission has become the norm to avoid breaches. Further, corporate data needs to be classified by level of importance and sensitivity and stored accordingly. Key strategic information should be stored in systems only accessible through internal networks and through highly secure connections. Removable media, such as USB storage drives, but also laptops and portable devices, need to be restricted as they represent security risks if lost or stolen. Additionally, old IT equipment such as computers (particularly their hard drives) needs to be properly disposed of. A common practice is to wipe or physically destroy any storage device subject to disposal. The software and the hardware processing the data can also be tampered with, implying that their integrity needs to be verified on a regular basis.
  • Network security. The range of strategies to protect the integrity of an organizational information technology network. An IT network can be segmented so that the administrative network is separated from the network supporting operations. Network redundancy can improve cyber resilience. Firewalls have become standard and allow monitoring of all inbound and outbound traffic between a network and the outside, which also includes using virtual private networks (VPN) for outside access. IT systems also require a form of physical protection, such as locked access for servers and network hubs, and this protection must also cover hazards such as floods and power outages. The IT network must be protected from malware that uses it as a propagation tool within the organization’s IT infrastructure. Further, physical components of the network, such as cables and switch boxes, must be hardened against physical damage.
  • Operational security. The range of strategies to ensure that daily IT operations do not contribute to risks. Software upgrades and patches must be monitored to ensure that each network component is up to date with the latest version. IT networks are constantly probed by hackers, implying that the network needs to be constantly monitored for vulnerabilities. Since the finances of organizations can be accessed online, there is a risk that unauthorized transactions can occur, as hackers have strong incentives to achieve them. Further, the IT of an organization has to be on par with changes in the culture and intelligence in the sector. This is how new risks can be identified and mitigated and how lessons can be learned from events taking place elsewhere.