Analysis of information security procedures and tools
Securing the information held in your practice systems is essential to running your general practice, maintaining professional responsibilities to your patients and ensuring practice information is available when required.
The effectiveness of any information security control procedures you have in place needs to be measurable. This will allow you and your practice team to monitor and assess whether your information security controls and processes are working.
The challenge with information security is to find a balance between good protection and ease of use.
Make sure your security controls are regularly tested. Ideally, testing would take place every three to six months.
To measure your information security controls, consider the following questions:
- How will you know if your information security controls are effective?
- Are they too restrictive? Do they make your systems difficult for the practice team to use?
- What resources are needed if changes to your practice’s information security controls are required?
The Essential Eight Maturity Model
The Australian Cyber Security Centre (ACSC) has developed prioritised mitigation strategies to help organisations protect themselves against various cyber threats.5
Eight mitigation strategies have been identified by the ACSC as essential in achieving adequate cyber security in organisations, including your practice. These strategies are known as the Essential Eight.
Implementing the Essential Eight proactively can be more cost-effective in terms of time, money and effort than having to respond to a large-scale cyber security incident.6
The Essential Eight Maturity Model:
- The Essential Eight Maturity Model is designed to assist organisations to implement the Essential Eight in a graduated manner, based upon different levels of adversary tradecraft (i.e. tools, tactics, techniques and procedures) and targeting.7
- The likelihood of being targeted is influenced by the desirability of the data you hold. The consequences of a cyber security incident will depend on any confidentiality requirements associated with the data you hold, as well as your requirement for the availability and integrity of your systems and data.8 Practices are often the target of cyber attacks as they hold private and confidential information and tend to rely heavily on their electronic systems.
- The Essential Eight mitigation strategies include:
  - application control
  - patch applications
  - configure operating system settings
  - user application hardening
  - restrict administrative privileges
  - patch operating systems
  - multi-factor authentication
  - regular backups.
Links to other key resources:
The Australian Cyber Security Centre – Essential Eight Maturity Model FAQ
5 Australian Government. (2022). Essential Eight Maturity Model FAQ. Retrieved from Australian Cyber Security Centre
6 Australian Government. (2022). Essential Eight Maturity Model FAQ. Retrieved from Australian Cyber Security Centre
7 Australian Government. (2022). Essential Eight Maturity Model FAQ. Retrieved from Australian Cyber Security Centre
8 Australian Government. (2022). Essential Eight Maturity Model FAQ. Retrieved from Australian Cyber Security Centre