Jump Starting Information Security Management

Alan Monnox
Management
27 Jan 2019

Do you need to establish your cyber defences in a hurry? In this article we’ll look at some techniques for getting immediate benefits from the implementation of an information security management system (ISMS).

Why Use A Framework?

The best defence against cyber security attacks is an organised defence. While it is possible to “sprinkle” security controls throughout the company, dropping them in place where they seem most needed, this approach will almost certainly leave gaps through which your critical information assets remain exposed. The solution to a patchwork of controls is to implement the processes and practices of a systematic information security management system. With this approach, security best practices become pervasive across all levels of the business.

While we can make a strong argument for the benefits of an ISMS, information security standards, such as the US National Institute of Standards and Technology’s Special Publication 800-53 (NIST 800-53) and the International Organization for Standardization’s ISO 27001, are complex frameworks and the road to full compliance can be a long one.

Start Small

Fortunately you don’t have to go for broke from the outset. Full compliance may look like an all-or-nothing target, but in practice it is a journey of improving security maturity. You can be selective in what you choose to implement upfront, and the choice of security framework can reduce the effort of the first stage of implementation.

Let’s consider several frameworks as examples:

  • CIS Critical Security Controls Top 20 (CSC)
  • NIST Cyber Security Framework (CSF)
  • NIST 800-53

The frameworks grow in complexity from first to last. The CSC is recognised within the industry as a minimum set of critical controls. They represent a key milestone in hardening your company’s cyber defences and practices. If we are after some quick wins, then the CSC Top 20 is the starting point. From there you can build out the ISMS towards CSF, whose categories and subcategories bring in further controls beyond the CSC. Finally, for a comprehensive framework you have the option to target NIST 800-53 as the next goal.

Each of the frameworks can be mapped to the others. Hence, if the ultimate goal is NIST 800-53 compliance then implementing the CSC Top 20 is an excellent jumping-off point and won’t take you off at a tangent. Rather, CSC and CSF are rungs on the same maturity ladder.

Within New Zealand, compliance with the NZ Information Security Manual (NZISM) is often a requirement if you are providing services to the government. The NZISM sits on a spectrum somewhere in between CSC and NIST 800-53 (or ISO 27001). Exactly where on that spectrum is hard to pin down, because its controls are graded as “should” and “must”, meaning some of the recommendations are optional. Conversely, the standard also has “should not” and “must not” controls, as in: if you are doing this now then please stop!

The CSC itself is not trivial and you may discover that implementing the CSC controls is sufficient for your company.

Be Specific

While we can start with the CSC Top 20, this is still a task that can benefit from breaking down into smaller units of work. Within the CSC you should still prioritise the controls that deliver the greatest benefit and implement those first. With this approach you want to be specific in your choice of controls. You can apply techniques such as threat modelling and risk management to identify the controls of greatest importance. By developing the threat model you can draw out the key security vulnerabilities and risks and then make an informed decision when planning the appropriate controls.

Your industry sector can also help refine the list of controls, as many of the frameworks have standard-sets that target specific industry verticals, e.g. healthcare, manufacturing etc.

Focus on Security Not Compliance

As has been mentioned, compliance might be the destination, but your cyber security defences will improve at every step of the journey.

Unlike CSF, NIST 800-53 and ISO 27001, the CSC Top 20 is not a management framework but a prioritised list of recommended controls. Moreover, the CSC is not the only option, as government bodies also offer guidance to small businesses on the controls they see as most relevant.

One example is CERT NZ’s 10 critical controls. The list is based on analysis of the top security threats reported in New Zealand, so the recommendations are both timely and geographically relevant. Looking outside of Australasia, the UK government also offers information on the higher priority controls with its 10 steps to cyber security. However, be wary of the intent of these reduced control sets. The goal of the organisations publishing them is to ensure that businesses, and the target audience here is small businesses, have at least a modicum of cyber defences in place. The guidelines fall well short of defining an effective ISMS.

Actively Manage the Process

Good planning is fundamental to the successful implementation of an ISMS. To get the ball rolling, consider creating a roadmap that clearly defines the level of cyber security protection you want to achieve. The roadmap will provide the basis for all planning activities. It is also a great way of getting everyone to buy into the big picture. Show the journey from where your company is now to where it will be in the next 30 days, 90 days and longer term.

Having established the roadmap, you’ll find things get done if you actively manage them. It doesn’t matter how: add some controls to the Scrum backlog, throw some cards on the kanban board or create yourself a Gantt chart – whatever works best for you and your style of project management.

Good task management will not speed up the rollout of the ISMS but it will provide you with the ability to monitor progress, identify delays and take suitable actions to overcome obstacles.
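The prioritisation described under “Be Specific” and the 30/90/longer-term roadmap above can be turned into a repeatable exercise rather than a one-off whiteboard session. The following is an added example and not code from the original article: it takes a control register in which each outstanding control carries a likelihood and impact rating from your threat model and risk assessment, plus an effort estimate, ranks controls by risk retired per day of effort, and then schedules them sequentially into the 30-day, 90-day and longer-term horizons. Controls already in place are listed separately for verification rather than re-implementation. The control names follow CIS Controls v7; every rating and effort figure is constructed sample data and should be replaced with your own.

```python
"""Risk-based prioritisation of a control backlog and a 30/90/longer-term roadmap.

Added example, not code from the original article. Control names follow
CIS Controls v7; the likelihood, impact and effort figures are constructed
sample data standing in for the output of your own threat model and risk
assessment.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    ref: str                # framework reference, e.g. "CSC 4"
    name: str
    likelihood: int         # 1-5: likelihood of the threat this control mitigates (threat model)
    impact: int             # 1-5: business impact if that threat is realised (risk assessment)
    effort_days: int        # estimated effort to implement, in working days
    in_place: bool = False  # already implemented: verify it works, don't rebuild it


def risk_score(control: Control) -> int:
    """Classic likelihood x impact rating, range 1-25."""
    for rating in (control.likelihood, control.impact):
        if not 1 <= rating <= 5:
            raise ValueError(f"{control.ref}: ratings must be between 1 and 5")
    return control.likelihood * control.impact


def priority(control: Control) -> float:
    """Risk retired per day of effort: cheap controls that close big risks go first."""
    if control.effort_days <= 0:
        raise ValueError(f"{control.ref}: effort must be a positive number of days")
    return risk_score(control) / control.effort_days


def build_roadmap(controls, horizons=((30, "30 days"), (90, "90 days"))):
    """Order outstanding controls by priority and schedule them one after another.

    `horizons` is an ascending list of (day budget, label). A control lands in the
    first horizon whose budget still covers the cumulative effort up to and
    including it; anything beyond the last horizon is 'longer term'. Controls
    already in place go to a 'verify' list so their effectiveness gets checked.
    """
    roadmap = {label: [] for _, label in horizons}
    roadmap["longer term"] = []
    roadmap["verify"] = [c.ref for c in controls if c.in_place]

    outstanding = sorted((c for c in controls if not c.in_place),
                         key=priority, reverse=True)
    elapsed = 0
    for control in outstanding:
        elapsed += control.effort_days
        label = next((lab for days, lab in horizons if elapsed <= days), "longer term")
        roadmap[label].append(control.ref)
    return roadmap


# Constructed sample register: the numbers are illustrative, not CIS guidance.
SAMPLE_REGISTER = [
    Control("CSC 1", "Inventory and Control of Hardware Assets", 4, 4, 10),
    Control("CSC 2", "Inventory and Control of Software Assets", 4, 3, 10),
    Control("CSC 3", "Continuous Vulnerability Management", 5, 4, 15),
    Control("CSC 4", "Controlled Use of Administrative Privileges", 4, 5, 5),
    Control("CSC 8", "Malware Defenses", 3, 4, 5, in_place=True),
    Control("CSC 10", "Data Recovery Capabilities", 3, 5, 20),
    Control("CSC 17", "Implement a Security Awareness and Training Program", 4, 3, 30),
    Control("CSC 19", "Incident Response and Management", 3, 5, 25),
]

if __name__ == "__main__":
    for horizon, refs in build_roadmap(SAMPLE_REGISTER).items():
        print(f"{horizon:>11}: {', '.join(refs) or '-'}")
```

With the sample figures, CSC 4 (high risk, five days of effort) tops the list and the first 30 days are filled by CSC 4, 1 and 3; CSC 2, 10 and 19 fall into the 90-day window and the 30-day awareness programme becomes longer-term work. The ranking is only as good as the ratings fed into it, so revisit the register whenever the threat model changes, and keep the effort estimates honest: an optimistic estimate silently pulls a control forward in the roadmap.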

Avoid Starting From Scratch

One of the first tasks in establishing the ISMS is to document all your information security policies, plans and operating procedures. Starting this process by staring at a blank sheet of paper is doing it the hard way. Much of the information you’ll need to include is generic, so look to obtain templates for these documents to get you underway. Examples can be obtained freely from the internet or sourced from similar industry groups. Where you need tailored content then look to the output of the threat modelling and risk management exercises.

The caveat to reusing policy documents and operating procedures is to be wary of pulling in too much boilerplate content. Instead, look to keep the first cut of your document set concise. Only pull in policies and procedures that you can enforce or implement. You can elaborate on the documentation as your ISMS evolves.

Reuse Existing Tools and Processes

Not everything has to be done from the ground up. If you have controls already in place confirm they are effective and then move on – no need to fix something that isn’t broken.

In terms of the tools needed to operate the ISMS, it is not necessary to go straight to market. You may find you have all the systems already in use in-house. Some examples of the software that can be used for your ISMS include:

  • Configuration management systems
  • Risk management tools
  • Asset management solutions
  • Work/task tracking tools

You may well have some or all of these software assets already installed. Leverage what is available, and note that simple solutions, such as spreadsheets, can get you up and running quickly.

Seek Expert Advice

Finally, don’t be afraid to ask for help. The reality is that doing everything by yourself isn’t always the best use of your time. Drawing upon external expertise in the setup of an ISMS can greatly assist you in cutting through the chaff and getting the fundamentals of the framework in place. The sooner this is achieved the sooner the framework will start delivering value.

When you are engaging a security consultant you have the option as to the scope and duration of the engagement. You will almost certainly find that employing the expertise at the start of the programme can save considerable time and cost in the long run. Sometimes all you need is for a guiding hand to point you in the right direction and then let you loose.

Summary

You get stronger cyber security defences by implementing an information security management system, but the standards, while exhaustive, are complex to apply. Rather than rolling out an ISMS in one fell swoop, you can obtain immediate benefits by prioritising the key risks and incrementally applying the appropriate security controls over time. In this way, the maturity of your security processes and practices will improve week on week.