So, you’re a small business. You may be a small school district, a local restaurant chain, or even a non-profit helping your community; whatever you are though, resources are tight, especially when it comes to IT. With the tidal wave of security incidents in the news lately, you are curious about how to better secure your information.
A great way to begin securing your organization is to get a baseline of where you are now and set goals to improve your security posture. The Council on CyberSecurity’s Critical Security Controls (CSC), formerly the SANS 20 Critical Controls, is a great framework for smaller organizations to follow, and I have personally recommended it several times.
Earlier this year, though, the Center for Internet Security (CIS), the Council on CyberSecurity (CCS), as well as the Governors Homeland Security Advisors Council launched the National Campaign for Cyber Hygiene, which is an effort to provide several key recommendations for a low-cost security program at any organization.
It is important to note that this campaign is not necessarily an alternative to the CSC controls or any other framework, but more of a spark to get a security program initiated at an organization. Think of the Cyber Hygiene Campaign as a catalyst to drive a security program towards maturity.
The Cyber Hygiene Campaign has 5 Top Priorities: Count, Configure, Control, Patch, and Repeat. My recommendation for a small organization looking to begin a security program is to start with the five priorities outlined by the Cyber Hygiene Campaign, and then migrate the program’s focus to a security framework, such as the CSC or NIST, once you have implemented the Top Priorities.
So, how exactly does the Cyber Hygiene Campaign help initiate a security program?
For starters, it practically lays it out step-by-step. Not only that, but it includes a toolkit with technical and non-technical resources for each of its top priorities. The toolkit is a set of PDF guides for each priority and is the most valuable component of the campaign.
Let’s revisit the Top Priorities. It starts with Count: Know what’s connected to and running on your network. Before you can secure anything, you must know what you will be securing, right? Several frameworks say that in one way or another, but the toolkit included with the campaign not only elaborates on the priority, it explains how to do it as well.
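As an added illustration of the Count priority (this is example code, not part of the campaign toolkit or the original post), the script below reconciles the devices actually seen on a network against an authorized asset inventory. It assumes the inventory is keyed by MAC address and that the discovered list comes from something like DHCP leases or an ARP sweep; both data sets here are constructed samples. It flags unknown devices, lists inventoried devices that were not seen, and computes a simple coverage metric of the kind the toolkit’s “How to Measure” section asks for.

```python
"""Reconcile discovered network hosts against an authorized asset inventory.

Added example for the "Count" priority. Not code from the Cyber Hygiene
Campaign toolkit. All data below is constructed; in practice AUTHORIZED would
come from your asset inventory and DISCOVERED from DHCP leases, ARP tables or
a scan of your own network.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample: authorized inventory keyed by MAC address (hypothetical values).
AUTHORIZED: Dict[str, Dict[str, str]] = {
    "00:11:22:33:44:01": {"hostname": "fileserver01", "owner": "IT"},
    "00:11:22:33:44:02": {"hostname": "reception-pc", "owner": "Front desk"},
    "00:11:22:33:44:03": {"hostname": "printer-2f", "owner": "Facilities"},
    "00:11:22:33:44:04": {"hostname": "lab-laptop", "owner": "Science"},
}

# Constructed sample: (MAC, IP, reported name) as a DHCP lease export might show them.
DISCOVERED: List[Tuple[str, str, str]] = [
    ("00:11:22:33:44:01", "10.0.0.10", "fileserver01"),
    ("00:11:22:33:44:02", "10.0.0.21", "reception-pc"),
    ("00:11:22:33:44:03", "10.0.0.30", "printer-2f"),
    ("AA:BB:CC:DD:EE:FF", "10.0.0.77", "android-4f2c"),  # not in the inventory
]


@dataclass
class Reconciliation:
    unknown: List[str] = field(default_factory=list)  # seen, but not authorized
    missing: List[str] = field(default_factory=list)  # authorized, but not seen
    matched: List[str] = field(default_factory=list)  # seen and authorized


def reconcile(authorized, discovered) -> Reconciliation:
    """Compare the two lists; MAC addresses are normalised to lower case."""
    seen = {mac.lower(): (ip, name) for mac, ip, name in discovered}
    auth = {mac.lower(): rec for mac, rec in authorized.items()}
    return Reconciliation(
        unknown=sorted(mac for mac in seen if mac not in auth),
        missing=sorted(mac for mac in auth if mac not in seen),
        matched=sorted(mac for mac in seen if mac in auth),
    )


def coverage_percent(result: Reconciliation) -> float:
    """Metric: share of devices seen on the network that are in the inventory."""
    total = len(result.unknown) + len(result.matched)
    return 100.0 * len(result.matched) / total if total else 100.0


def report(authorized, discovered) -> str:
    """Human-readable summary suitable for a weekly inventory review."""
    result = reconcile(authorized, discovered)
    seen = {mac.lower(): (ip, name) for mac, ip, name in discovered}
    lines = [f"Inventory coverage: {coverage_percent(result):.1f}%"]
    for mac in result.unknown:
        ip, name = seen[mac]
        lines.append(f"UNKNOWN  {mac} {ip} ({name}) - investigate and add or remove")
    for mac in result.missing:
        rec = authorized.get(mac) or authorized.get(mac.upper()) or {}
        lines.append(f"MISSING  {mac} {rec.get('hostname', '?')} - off, moved, or gone?")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(AUTHORIZED, DISCOVERED))
```

Run weekly against a fresh export and the “Repeat” priority takes care of itself: any UNKNOWN line is a device to identify and either inventory or remove, and the coverage number gives you a trend to report.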
Each PDF includes five sections:
- Plain English Guide – Great overview of “Who, What, When, Where, Why”
- Technical How-To Guide – Includes tasks listed with a priority level and effort level along with tools to help you accomplish the tasks
- How to Measure Guide – Lists several metrics that can be used to measure your success
- Additional Resources – Lists even more available resources
- Mapping to NIST Cybersecurity Framework – This section is extremely helpful if you plan to migrate your security program to the NIST Cybersecurity Framework in the future.
To start a security program at your organization, I would just start with the first priority in the campaign, read through the accompanying PDF in the toolkit for that priority, and begin implementing tasks in that priority. Once you have a good handle on the first priority, move on to the second and repeat through the rest.
So, what happens after your organization has reasonably implemented the top priorities? I would shift focus to a security framework, such as the CSC or NIST Cybersecurity Framework. If you have implemented the top priorities, then you will have many of the controls in other frameworks well established.
The Cyber Hygiene Campaign isn’t a silver bullet for all your security needs, but it provides direction and several tools to get any organization on the right path. A small organization with few resources will greatly appreciate the toolkit included with the campaign, and frankly it is one of the most palatable ways to begin a security program in your organization.
Check out Tripwire SecureScan™, a free, cloud-based vulnerability management service for up to 100 Internet Protocol (IP) addresses on internal networks. This new tool makes vulnerability management easily accessible to small and medium-sized businesses that may not have the resources for enterprise-grade security technology – and it detects the ShellShock and Heartbleed vulnerabilities.
The Executive’s Guide to the Top 20 Critical Security Controls
Tripwire has compiled an e-book, titled The Executive’s Guide to the Top 20 Critical Security Controls: Key Takeaways and Improvement Opportunities, which is available for download [registration form required].
Image header courtesy of ShutterStock.com.