Information Security Programs: Where to Start?
Hack, breach, phishing, spear phishing, ransomware. These are all words that we hear in the news on a daily basis due to some sort of threat that exists in the world of technology and information security. Most organizations have compliance requirements that they must adhere to, whether that is HIPAA, PCI, or any other regulation, so they are "forced" to have some type of information security program in place. But what about organizations, as rare as they might be these days, that don't have a compliance requirement hanging over them? Or what about a startup that wants to make security a priority out of the gate? Where do they begin and how should they start? While there are many different answers to this question, a great place to look first is the Center for Internet Security Critical Security Controls (for more detailed information, check out these previous blog posts: part 1, part 2, part 3, part 4). We are going to discuss a very high level overview of these controls and invite you to register for our webinar next week on the recent changes to these controls.
What are the Center for Internet Security Critical Security Controls? Formerly known as the SANS Top 20, these controls are a prioritized, scrutinized, and supported set of controls that organizations can implement to assess and ultimately improve their cyberdefense strategy and position. This doesn't mean that by implementing these controls makes you bulletproof, it means that you are more secure by having these controls, and MONITORING THESE CONTROLS, than not having them at all. The key to this entire information security program is to continually assess your security position, not just implement these controls, create a bunch of policies, and move on with your business. These are not the crock pot of information security where you "set it and forget it." You need to constantly be assessing your business, systems, and resources to ensure these controls are working for you. With all that, there are 5 main "sections" of an effective IT security program or cyberdefense program, which are:
- Offense Informs Defense: Take information from actual attacks that have taken place and use that information to better structure your information security program against real, validated threats
- Prioritization: We will cover this in greater detail in a moment but organizations should invest in and focus on the controls that provide the most "bang for the buck" by reducing risk the most
- Metrics: Create common metrics so that all stakeholders both inside and outside an organization can be on the same page. These stakeholders might include C-level executives, IT staff, Auditors, and Security professionals
- Continuous Diagnostics and Monitoring: Remember the crock pot analogy from above? Same thing!
- Automation: Automate defenses so that organizations can achieve reliable, scalable, and continuous measurements of their adherence to controls and related metrics
The order of the CIS Critical Security Controls is also important. This is not a random, guesswork approach at what order to put the controls in, rather it is a well thought out, detailed plan designed for quick wins. To illustrate this, the first 5 CSC's are considered most important and foundational and essential for any information security program out there. And want to hear the best part of all of this? The order can change when revisions come out. This speaks directly to the point above of offense informing defense. The order of these controls, as well as the details for implementing these controls, are subject to change based on the current threat landscape, hence the continuous diagnostics and monitoring suggestion.
To close out, Compass would like to extend an invitation to you to join our upcoming webinar on March 24th where we specifically discuss the recent changes in the CIS Critical Security Controls from version 5.1 to version 6. There are a lot of changes to digest and all are important to understand as they can have a significant impact on your Information Security Program. For example, Controlled Use of Administrative Privileges used to be CSC 12 in version 5.1. In version 6, it has moved up to CSC 5, based on the threat landscape! Here are the details for planning purposes and register below. We can't wait to present to you on the 24th!
What: Changes in the Center for Internet Security Critical Security Controls from version 5.1 to version 6
When: Thursday March 24th @ 1:00 PM EST
Duration: 30 minutes with Q&A session to follow
Cost: FREE
Contact Us
Share this
You May Also Like
These Related Stories
No Comments Yet
Let us know what you think