There are many ways to implementing Cyber Security in an Organization, such as referring to IT Security Standard like ISO 270001,ISO 38500 and also referring to IT STandard Governance such as COBIt5.
What we can set up according to sample document are in design using this guidlines :
- Strong cryptography to protect data, both at rest and in transit: All wired and wireless communications (data in transit) should be properly protected with strong encryption. Systems dealing with sensitive data should provide a mechanism to encrypt data at rest.
- Authentication capabilities: All systems should require a username and password to access functionality, at a minimum. To enhance authentication capabilities, the solution should support strong authentication mechanisms (one-time passwords, certificate- or biometric-based authentication, etc.).
- Authorization capabilities: All functionality should require and enforce proper permissions before performing any actions.
- Automatic and secure update of software, firmware, etc.: Software/firmware update mechanisms should be available, and updates should be delivered in an automatic and secure way.
- Auditing, alerting, and logging capabilities: All systems should provide mechanisms for auditing and logging security events. Logs must also be saved securely against tampering.
- Anti-tampering capabilities: Devices should have a mechanism to prevent tampering by unauthorized sources.
- No backdoor/undocumented/hardcoded accounts: Some vendors release systems with backdoor/undocumented/hardcoded accounts. Often, these accounts cannot be removed or disabled and have passwords that cannot be changed, allowing anyone to compromise the system using these accounts. Removing or disabling these accounts should be enforced in the service-level agreement (SLA) to ensure vendors will comply.
- Non-basic functionality disabled by default: Only basic functionality should be enabled by default, and the rest should be enabled depending on the organization’s needs.
- Fail safe/close: In the case of a system malfunction or crash, the system should remain secure and security protections remain enforced.
- Secure by default: Solutions should come with a secure configuration by default.
After the implementation fulfill those guidelines then we move to another step which is testing for all the system that already in placed. We can doing this by add Vulnerability Assessment or Pentesting Activity. Those services are aim to know how vulnerable or how strong the system again attack for internal or external an organization.