Getting ransomware-proof, continued: CIS controls for medium-size organizations

August 16, 2021
John Bruggeman
CBTS Consulting CISO

In my previous post on the question of being ransomware-proof, I talked about the NIST Cybersecurity Framework (CSF). Some of you, I am sure, Googled “NIST CSF” and found tons of information from NIST on the framework. Then as you looked at the details, you might have been intimidated by the five functions (Identify, Protect, Detect, Respond, and Recover) and the 23 categories, and 108 subcategories. It might have sounded too complicated, too much to bite off, and you might have even wondered, “Where do I start??”

First, that feeling is totally understandable. The NIST CSF is a comprehensive framework. It works well for regulated companies, like banks, utilities, hospitals, etc.: organizations that have regulatory compliance requirements to address, that have to protect their customers’ data, and that also have to prove that they have protected that data.

Recall that at the end of that post, I said I would talk about CIS Controls as another framework you can use.

For medium-size companies that may or may not be regulated, or that do not have to adhere to a compliance standard, the Center for Internet Security (CIS) Controls might be a better solution. CIS publishes a set of controls that can be downloaded for free and can be more easily applied to manufacturing, service organizations, retail, schools, and other verticals that are not tightly regulated.

CIS Controls version 8 has 18 categories (the controls) with safeguards inside each category. Each safeguard maps to a particular asset type (like a computer, a software application, company data, or the corporate network) and performs a particular security function (Identify, Protect, Detect, Respond, or Recover) for that asset type. Finally, each safeguard is tied to an implementation level of 1, 2, or 3 (CIS calls these Implementation Groups, IG1 through IG3), which will vary based on how far along a company is with its security program. Level 1 applies if you are just getting started, Level 2 is more advanced, and Level 3 is the most advanced.

You’ll notice that the CIS Controls map to the same general functions as the CSF; that’s done intentionally to help companies or organizations understand how they compare with their peers and communicate with auditors, board members, management, and risk committees.

The CIS Controls are written in easy-to-read language, with clear functions and safeguards that are plainly identified and can be implemented at Level 1 with no-cost or low-cost tools.

Often the topic of cybersecurity is compared to eating an elephant—daunting and unapproachable—but when you look at the CIS Controls you can see how the process is laid out in an understandable way that allows you to start your journey toward a safer and more secure environment.

In my next blog post I’ll round out my framework discussion with MITRE ATT&CK.

If you need guidance to implement or upgrade your cybersecurity program, contact the security team at CBTS. We can help your organization get ransomware-proof and stay that way.
