PROTECTING AVAILABILITY

As CISO, I would use a combination of physical, personnel and software-based security controls and redundancies to ensure the availability of systems. In addition, a routine training regimen to ensure policy compliance would be conducted in-house.

24/7 system administrator monitoring

A minimum of two system administrators, employed on site or remotely, would monitor system state at all times. With at least two, each would hold separate responsibilities to balance access: for example, a system administrator able to stop, start and modify system processes, and a user administrator able to modify user rights and access control. Higher-level, major system functions (such as a complete server reboot or failover) would require both to approve the action (two-person control). Having at least two on duty at all times would increase system uptime, allow maintenance windows outside peak hours, and provide live support to remote and on-site workers around the clock.
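The separation of duties and two-person control described above can be enforced in software rather than left to procedure. The following is an added example, not part of the original plan: a small authorization check in Python with two roles (system administrator, user administrator), routine actions each role may perform alone, and major actions (reboot, failover) that proceed only with one approval from each role given by two different people. Every decision is written to an audit log so denied attempts are visible to the monitoring staff. The action names, administrator names and role labels are hypothetical.

```python
from dataclasses import dataclass
from enum import Enum


class Role(Enum):
    SYSTEM_ADMIN = "system_admin"  # stops, starts and modifies system processes
    USER_ADMIN = "user_admin"      # modifies user rights and access control


@dataclass(frozen=True)
class Admin:
    name: str
    role: Role  # one role per person: separation of duties


# Routine actions one administrator may perform alone, mapped to the role
# that owns them (hypothetical action names, not from the original text).
SINGLE_PERSON_ACTIONS = {
    "process.stop": Role.SYSTEM_ADMIN,
    "process.start": Role.SYSTEM_ADMIN,
    "process.modify": Role.SYSTEM_ADMIN,
    "user.modify_rights": Role.USER_ADMIN,
    "acl.modify": Role.USER_ADMIN,
}

# Major actions under two-person control: one approval from each role,
# given by two different people.
TWO_PERSON_ACTIONS = {"server.reboot", "server.failover"}
REQUIRED_ROLES = {Role.SYSTEM_ADMIN, Role.USER_ADMIN}

audit_log: list[str] = []


def authorize(action: str, approvers: list[Admin]) -> tuple[bool, str]:
    """Decide whether `action` may proceed given the admins approving it.

    Returns (allowed, reason). Every decision is appended to audit_log so that
    denied as well as approved attempts remain visible to monitoring staff.
    """
    who = ", ".join(f"{a.name}({a.role.value})" for a in approvers) or "nobody"

    if action in SINGLE_PERSON_ACTIONS:
        owner = SINGLE_PERSON_ACTIONS[action]
        if any(a.role == owner for a in approvers):
            decision = (True, f"{action}: approved, {owner.value} present")
        else:
            decision = (False, f"{action}: denied, requires {owner.value}")

    elif action in TWO_PERSON_ACTIONS:
        people = {a.name for a in approvers}   # distinct humans, not roles
        roles = {a.role for a in approvers}
        missing = REQUIRED_ROLES - roles
        if len(people) < 2:
            decision = (False, f"{action}: denied, two distinct people required")
        elif missing:
            names = ", ".join(sorted(r.value for r in missing))
            decision = (False, f"{action}: denied, missing approval from {names}")
        else:
            decision = (True, f"{action}: approved under two-person control")

    else:
        # Deny by default: an action nobody has classified cannot be run.
        decision = (False, f"{action}: denied, unclassified action")

    audit_log.append(f"{decision[1]} [approvers: {who}]")
    return decision


if __name__ == "__main__":
    alice = Admin("alice", Role.SYSTEM_ADMIN)
    bob = Admin("bob", Role.USER_ADMIN)
    for action, approvers in [
        ("process.stop", [alice]),
        ("acl.modify", [alice]),
        ("server.failover", [alice]),
        ("server.failover", [alice, bob]),
        ("disk.wipe", [alice, bob]),
    ]:
        allowed, reason = authorize(action, approvers)
        print("ALLOW" if allowed else "DENY ", reason)
```

The check counts distinct people as well as distinct roles, so one person holding both roles cannot satisfy two-person control alone, and any action that has not been classified is denied by default rather than allowed through.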

24/7 physical security walkthroughs

Physical security is a very important and often overlooked part of a company’s cybersecurity plan. I would implement a 24/7 security detail to perform physical walkthroughs of the system spaces and to verify that secured spaces remain locked. Checkpoints, locks, tamper-evident seals and devices, and other security implements would be visually inspected at minimum every 4 hours. Security personnel would also check for signs of overheating, error lights, flooding, leaks or electrical problems, fire, or failure of cooling elements. When not on patrol, they would be stationed at key entry points to verify that only authorized personnel are allowed near the data systems.

System redundancy

System failure is a matter of when, not if. I would ensure that backup servers, spare servers and backup power for the system are set up.

Backup servers – Backup servers would replicate from the in-use servers. They would be located in a different room or offsite, on a separate power grid, to avoid a total failure.

Spare servers – Powered-off but pre-configured spare servers would be stored in a separate space to provide further redundancy should the backup servers fail. The spare servers would be refreshed monthly with backups taken from the in-use servers.

Backup power/cooling – Backup power and cooling at the host site would provide redundancy against failure of either.

Air gapped standalone systems for high priority databases

High-value information that does not necessarily need remote access (original plans, trade secrets, detailed financial data, unencrypted source code, etc.) would not be reachable from any external network; if networked at all it would be on the intranet only, and otherwise accessible only in person on site. This would help mitigate malware damage and leaks.

Software considerations

Internal and external proxies – protect the identity of the company and its clients, and help prevent malware, DDoS and leaks.

CAPTCHA and two-factor authentication – protect against bots and unauthorized access to the system.

Training and continual improvement

Training is key! All employees would have to complete mandatory bimonthly cybersecurity training. Quarterly internal and external audits would be conducted to identify risk areas. Finally, modernization reviews would be conducted every 6 months, assessing whether the system meets current standards for usability and security. If it does not, the infrastructure, software and/or equipment would be modernized.

These are the protections I would use as a CISO.