Each organization should devise controls specific to the organization’s risk and ensure that processes and people are in place to manage those controls continuously. Control issues are usually not due to technology failure; they usually result from individuals who do not pay due attention to the execution of a process, or from the use of a process that is not properly defined.
One of the main goals of any cyber security program should be to limit the organization’s attractiveness to attackers. Cyber attacks have moved beyond ‘script kiddie’ attacks, and techniques continue to advance. The more time an attacker needs to penetrate a system, the less desirable the attack becomes.
Investment in controls is made throughout the organization through technical, administrative and operational investment in people, processes, and technology, and by growing a culture oriented towards security. These investments may include:
- Raising awareness
- Designing and implementing security policies
- Intrusion Detection Systems
- Recording events
- Incident response
- Classification of information assets
- Strengthening architecture and technology