What must you do to provide adequate information security to your organization? If your organization is small, it’s easy to decide that what needs to be done exceeds your resources. You need to pick your fights.
The generally accepted method for doing this combines two approaches. First, you do a risk assessment to determine what most needs protecting. Second, you examine a list of ways to protect them and choose the most appropriate.
Risk assessment, however, can be fairly intimidating, particularly if you try to be precise. It’s still worth doing, and I’ll blog about this soon. Another approach, however, is to go straight to the lists of things you can do and to measure your current state against those lists. Then you incrementally add the highest priority items on the lists, as you’re able.
The Mother of All Lists has got to be ISO 27001:2013. This is the international standard for information security. It lists around 85 controls you can apply to various categories of security issues. Controls are procedures to mitigate the risk of a particular problem. They range from the very general to the fairly exacting. A broad one is, “A set of policies for information security shall be defined, approved by management, published and communicated to employees and relevant external parties.” A narrower one is, “Procedures shall be implemented for the management of removable media in accordance with the classification scheme adopted by the organization.”
The good thing about the ISO 27001 list is that it gives you a lot to think about. The bad thing is that it gives you a lot to think about. If you go farther into the standard, ISO 27002 also gives you procedures to go with each control.
ISO 27001 doesn’t really expect that every organization is going to implement every control. Its process relies on a risk assessment to decide which controls are appropriate. Even so, a lot of people have looked at that big list and decided it’s just too much, sort of like ITIL. As a result, some fairly distinguished people, including the National Security Agency and the SANS Institute, decided to create a list with priorities. Their list identifies both the controls with the biggest bang for the buck and those that are the easiest to accomplish.
The CIS Critical Security Controls
The Center for Internet Security (CIS) is the organization that currently hosts and revises this list of critical security controls. It got handed over to them from the SANS Institute a while back. The current list is the CIS Controls for Effective Cyber Defense Version 6.0.
The CIS Controls are not just a list of controls. They also contain explanations of why each control is critical and descriptions of the procedures and tools that apply to each control. Together, these give you a clearer idea of what to do.
As I said before, these controls are prioritized. The first five are considered “foundational cyber hygiene,” the basic things on which to build a cyber defense. Then the rest come in more or less priority order. The first item on the list, for example, is, “Actively manage (inventory, track, and correct) all hardware devices on the network so that only authorized devices are given access, and unauthorized and unmanaged devices are found and prevented from gaining access.”
The good things about this list are its priorities and its practicality. The bad thing is that it is still aimed at all organizations, including the largest. In fact, one can argue that to carry out the CIS Controls in a small organization is going to be a lot of work. If you’re ambitious, however, go for it. At least you’ll learn a lot in the process. In particular, you’ll learn how procedures, such as doing equipment inventories, are as important as technologies.
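The first CIS Control quoted above, finding unauthorized devices by comparing what is on the network with what you have inventoried, can be partly automated even in a small shop. The following is an added example, not code from this post or from CIS: it reconciles a constructed DHCP lease file against a constructed inventory and flags devices not on the list. The MAC addresses, hostnames, and the dnsmasq-style lease layout are assumptions.

```python
"""Reconcile observed network devices against an authorized inventory (CIS Control 1)."""
import re
# Constructed sample of an authorized-hardware inventory (e.g. a spreadsheet export).
AUTHORIZED_INVENTORY = {
    "00:1a:2b:3c:4d:5e": "file server (IT)",
    "00:1a:2b:3c:4d:5f": "director laptop",
    "a4:5e:60:aa:bb:cc": "office printer",
    "00:1a:2b:3c:4d:60": "core switch (static IP, never takes a lease)",
}
# Constructed sample in dnsmasq lease-file layout: expiry, MAC, IP, hostname, client-id.
DHCP_LEASES = """\
1700000000 00:1a:2b:3c:4d:5e 192.168.1.10 fileserver 01:00:1a:2b:3c:4d:5e
1700000000 00:1A:2B:3C:4D:5F 192.168.1.21 dir-laptop *
1700000000 a4:5e:60:aa:bb:cc 192.168.1.30 printer *
1700000000 f0:9f:c2:11:22:33 192.168.1.77 android-7e3 *
"""
MAC_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}$")

def normalize_mac(mac):
    """Canonical form (lowercase, colon-separated) so spreadsheet and lease data compare."""
    if not MAC_RE.match(mac):
        raise ValueError(f"malformed MAC: {mac!r}")
    return mac.lower().replace("-", ":")

def parse_leases(text):
    """Return {mac: (ip, hostname)} from lease lines; blank or short lines are skipped."""
    seen = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        seen[normalize_mac(fields[1])] = (fields[2], fields[3])
    return seen

def reconcile(observed, authorized):
    """Split observed devices into known/unauthorized and list authorized devices not seen."""
    auth = {normalize_mac(m): owner for m, owner in authorized.items()}
    known = {m: info for m, info in observed.items() if m in auth}
    unauthorized = {m: info for m, info in observed.items() if m not in auth}
    missing = sorted(set(auth) - set(observed))
    return known, unauthorized, missing

if __name__ == "__main__":
    known, rogue, missing = reconcile(parse_leases(DHCP_LEASES), AUTHORIZED_INVENTORY)
    for mac, (ip, host) in rogue.items():
        print(f"UNAUTHORIZED {mac} {ip} {host}: not in inventory, investigate")
    for mac in missing:
        print(f"NOT SEEN {mac} ({AUTHORIZED_INVENTORY[mac]}): confirm still in service")
```

DHCP leases only show devices that asked for one, so the statically addressed switch in the constructed inventory is reported as not seen; a switch MAC table or a periodic network scan is needed to cover such devices.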
A good guide if you’re concerned about Advanced Persistent Threats (APTs), e.g. a foreign government trying to get the names of dissidents you help, is the Australian Signals Directorate’s Strategies to Mitigate Targeted Cyber Intrusions. This paper argues that you can eliminate at least 85% of risk from APTs with four controls: application whitelisting, patching operating systems, patching applications and limiting users’ administrative rights.
Guides for Small and Medium Businesses (SMBs) and Nonprofits
The U.S. Department of Commerce defines a “small business” as one with fewer than 500 employees. With the exception of the Gates Foundation, then, all foundations are the size of small businesses, and most of them are tiny. It’s the same for the vast majority of nonprofits.
There’s been a realization among security mavens that small organizations have become security targets. Depending on whose statistics you trust, between 20 percent and 35 percent of all attacks now fall on small organizations. As a result, various groups have created guides for small organizations, realizing that while SMBs don’t have the same ability to protect themselves as larger organizations, they still are getting attacked.
These guides tend to be less ambitious but quite practical, and they might look a lot like what a reader of this blog is doing now. Still, there are a few things you might not be doing which would be basic things to check.
Some good ones to look at include the FCC Small Biz Cyber Planner 2.0 and NIST’s Small Business Information Security: The Fundamentals.
Microsoft has put out a set of materials, as well. One of the good things about it is a PowerPoint you can build on for user training. It’s called the Microsoft Internet Safety for Enterprise & Organizations Toolkit.
Finally, Idealware has just released What Nonprofits Need to Know About Security: A Practical Guide to Managing Risk. This is a pretty good basic guide, plus it has a nice list of references about incident response planning, which is getting to be a big deal. It should be right up there with disaster recovery planning, these days.