Cyber Security, Best Practices, and Incident Response
Introduction
Security continues to grow in importance as attempts to compromise critical corporate IT infrastructure increase.
This guide describes Mirasys' security, physical security measures, and best practices that can help secure your Mirasys VMS against cyber-attacks. This includes security considerations for the hardware and software of a video surveillance system's servers, clients, and network device components.
The guide adopts standard security and privacy controls. It maps them to each of the recommendations, which makes it a resource for compliance across industry, government security, and network security requirements.
The guide provides two different levels of information:
Basic information with general insights into security in the company and the product (VMS systems).
Advanced information in the form of IT-specific technical guidance on hardening Mirasys VMS products.
Scope and applicability
This guide is relevant for organizations of all sizes, from small businesses to large enterprises and government agencies, that utilize the Mirasys VMS for their video surveillance needs. It is aimed primarily at people using Mirasys' software, system integrators, and component manufacturers. It also applies to all employees, contractors, and other third-party vendors working with or for Mirasys Oy.
The guide covers all aspects of the Mirasys VMS, including servers, clients, network devices, and camera components. The policies and best practices outlined in this guide are applicable to the design, development, deployment, maintenance, and operation of the Mirasys VMS.
The information provided in this guide is intended to complement, not replace, any legal or regulatory requirements that may be applicable to the organization.
It is the responsibility of each organization to ensure compliance with all relevant laws, regulations, and industry standards, as well as to adapt the recommendations in this guide to suit their unique environment and risk profile.
Glossary
Term | Definition |
---|---|
Buyer | The people or organizations that consume a given product or service. |
Critical Infrastructure | Systems and assets, whether physical or virtual, so vital to the country that the incapacity or destruction of such systems and assets would have a debilitating impact on cybersecurity, national economic security, national public health or safety, or any combination of those matters. |
Cybersecurity | The process of protecting information by preventing, detecting, and responding to attacks. |
Cybersecurity Incident | A cybersecurity event that has been determined to have an impact on the organization prompting the need for response and recovery. |
Framework | A risk-based approach to reducing cybersecurity risk composed of three parts: the Framework Core, the Framework Profile, and the Framework Implementation Tiers. Also known as the “Cybersecurity Framework.” |
Framework Core | A set of cybersecurity activities and references that are common across critical infrastructure sectors and are organized around particular outcomes. The Framework Core comprises four types of elements: Functions, Categories, Subcategories, and Informative References. |
Framework Implementation Tier | A lens through which to view the characteristics of an organization’s approach to risk—how an organization views cybersecurity risk and the processes in place to manage that risk. |
Framework Profile | A representation of the outcomes that a particular system or organization has selected from the Framework Categories and Subcategories. |
Risk | A measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function of: (i) the adverse impacts that would arise if the circumstance or event occurs; and (ii) the likelihood of occurrence. |
Risk Management | The process of identifying, assessing, and responding to risk. |
Supplier | Product and service providers used for an organization’s internal purposes (e.g., IT infrastructure) or integrated into the products or services provided to that organization’s Buyers. |