Around July of 2021, we wrote about one of Connecticut’s new cybersecurity laws, which you can find here[Link]. Our disclaimer still stands that we aren’t lawyers, so if this law affects your organization, please consult with a knowledgeable attorney.
While that post mostly summarized the law itself, we didn’t talk about cybersecurity frameworks. The other driving factor for this article is the warnings from both CISA [Link] and the US Department of Justice [Link] stating that businesses of all sizes need to shore up their cybersecurity in anticipation of blowback from Russia with regard to Ukraine.
What is a cybersecurity framework?
Think of a cybersecurity framework as a set of guidelines for implementing best practices and security controls to help reduce risk to an organization. A framework covers a wide range of items like inventory management, data protection/destruction, access control, vulnerability management, and risk assessments to name a few.
What to expect when building out your framework
The framework your organization adopts is distilled into a few buckets that can be considered as:
- Identification: These controls and tools are used to identify inventory, who/what has access to your resources, vulnerabilities, and threats. Threats include bad actors, weather events, and network outages, as a few examples.
- Protection: Protection controls and tools are used to safeguard things such as data you’re storing (data at rest) and data you’re sending (data in transit). Controlling access to resources and making sure devices are updated fall into this bucket too, as does making it difficult for systems and identities to be tampered with or impersonated.
- Detection: Detection controls and tools are used to identify things like malware on a device/network or an intruder, and for hunting threats internal or external to the organization. Some examples of detection tools are antivirus, IPS/IDS/HIDS, and vulnerability scanners. Our specialty is detecting threats that exist outside of your four walls: content published online, such as social media posts that damage the organization, and security holes in your website.
- Recovery: Recovery controls and tools are used to help your organization do just that: recover from an incident. Whether it’s data loss or another incident, having plans, resources, and tools in place helps make the recovery process easier.
- Response: This final bucket establishes the controls, procedures, policies, and tools needed to respond to an incident. It also includes who is the designated person, or group, responsible for handling incidents.
Other things to keep in mind when adopting a cybersecurity framework:
- If you are mandated by a Federal/State law/regulation (e.g. HIPAA/HITECH, GLB) or industry regulation (e.g. PCI), adhere to those recommended frameworks. Otherwise, look for a cybersecurity framework that best suits your organization. Some of these include NIST, CIS, and the ISO/IEC 27000 series. Refer to the Connecticut cybersecurity law article we linked at the top of this post; it has links to the frameworks mentioned for you to explore.
- This isn’t a project you can knock out in a few hours. Depending on the size and complexity of your organization, it will take a while to build. If you’re flying solo, dedicate a set amount of time per week to work on it. If you have employees, delegate responsibilities accordingly to complete this project.
- Once you have the cybersecurity framework in place, it’s an ever-evolving thing. Your hardware/software inventory will change frequently. Having a cybersecurity awareness training program in place, one that runs more than once a year, is beneficial because threats evolve often. One final example of things that frequently change is vulnerabilities. By following the guidelines of a cybersecurity framework for vulnerability management, you’ll have success in finding security holes and closing them in a timely manner.
Where we fit into your cybersecurity framework strategy
External risk/threat assessments
The core of what we do is look at risks and threats external to your organization. Depending on the framework you adopt, it will specifically call for a risk assessment that ranges from looking for security holes in your website to the other side of the coin: reputational risks/threats to the goodwill and reputation of the company. Some frameworks have this peppered throughout their controls. In short, we are well positioned to help you in this area.
We help guide you through the adoption of your cybersecurity framework and take on the role of advisor, if that is the help you seek.
Have a conversation with us to learn how we can help. Fill out the contact form below.