CISA Cyber Essentials Starter Kit

Spring 2021

STARTER KIT

The Basics for Building a Culture of Cyber Readiness

Cybersecurity and Infrastructure Security Agency

TABLE OF CONTENTS

Cyber Essentials: The Leader's Guide ........................... 1

Cyber Essentials: The IT Professional's Guide............... 2

Toolkit Chapter 1: Yourself, The Leader ........................ 3

Toolkit Chapter 2: Your Staff, The Users ........................ 5

Toolkit Chapter 3: Your Systems, What Makes You Operational ............ 7

Toolkit Chapter 4: Your Surroundings, The Digital Workplace ............ 9

Toolkit Chapter 5: Your Data, What The Business Is Built On ............ 11

Toolkit Chapter 6: Your Crisis Response ...................... 13

Webinars and Trainings ............................................. 15

Your success depends on Cyber Readiness. Both depend on YOU.

Reducing your organization's cyber risks requires a holistic approach - similar to the approach you would take to address other operational risks. As with other risks, cyber risks can threaten:

YOUR ABILITY TO OPERATE / ACCESS INFO

YOUR REPUTATION / CUSTOMER TRUST

YOUR BOTTOM LINE

YOUR ORGANIZATION'S SURVIVAL

Managing cyber risks requires building a culture of cyber readiness.

Essential Elements of a Culture of Cyber Readiness:

Yourself - The Leader

Drive cybersecurity strategy, investment and culture

Your Staff - The Users

Develop security awareness and vigilance

Your Systems - What Makes You Operational

Protect critical assets and applications

Your awareness of the basics drives cybersecurity to be a major part of your operational resilience strategy, and that strategy requires an investment of time and money.

Your investment drives actions and activities that build and sustain a culture of cybersecurity.

Your staff will often be your first line of defense, one that must have - and continuously grow - the skills to practice and maintain readiness against cybersecurity risks.

Information is the life-blood of any business; it is often the most valuable of a business' intangible assets.

Know where this information resides, know what applications and networks store and process that information, and build security into and around these.

Your Surroundings - The Digital Workplace

Ensure only those who belong on your digital workplace have access

The authority and access you grant employees, managers, and customers into your digital environment needs limits, just as those set in the physical work environment do. Setting approved access privileges requires knowing who operates on your systems and with what level of authorization and accountability.

Your Data - What the Business is Built On

Make backups and avoid the loss of information critical to operations

Your Crisis Response

Limit damage and quicken restoration of normal operations

Even the best security measures can be circumvented with a patient, sophisticated adversary. Learn to protect your information where it is stored, processed, and transmitted.

Have a contingency plan, which generally starts with being able to recover systems, networks, and data from known, accurate backups.

The strategy for responding to and recovering from compromise: plan, prepare for, and conduct drills for cyberattacks as you would a fire. Make your reaction to cyberattacks and system failures an extension of your other business contingency plans.

This requires having established procedures, trained staff, and knowing how - and to whom - to communicate during a crisis.

Cyber-Essentials

For tech specs on building a Culture of Cyber Readiness, flip the page

BOOTING UP

Things to Do First

Backup Data

Employ a backup solution that automatically and continuously backs up critical data and system configurations.

Multi-Factor Authentication

Require multi-factor authentication (MFA) for accessing your systems whenever possible. MFA should be required of all users, but start with privileged, administrative and remote access users.

Patch & Update Management

Enable automatic updates whenever possible. Replace unsupported operating systems, applications and hardware. Test and deploy patches quickly.

Yourself: Drive cybersecurity strategy, investment and culture

Lead investment in basic cybersecurity.

Determine how much of your organization's operations are dependent on IT.

Build a network of trusted relationships with sector partners and government agencies for access to timely cyber threat information.

Approach cyber as a business risk.

Lead development of cybersecurity policies.

Essential Actions for Building a Culture of Cyber Readiness:

Your Staff: Develop security awareness and vigilance

Leverage basic cybersecurity training to improve exposure to cybersecurity concepts, terminology and activities associated with implementing cybersecurity best practices.

Develop a culture of awareness to encourage employees to make good choices online.

Learn about risks like phishing and business email compromise.

Identify available training resources through professional associations, academic institutions, private sector and government sources.

Maintain awareness of current events related to cybersecurity, using lessons learned and reported events to remain vigilant against the current threat environment and agile to cybersecurity trends.

Your Systems: Protect critical assets and applications

Learn what is on your network. Maintain inventories of hardware and software assets to know what is in play and at risk from attack.

Leverage automatic updates for all operating systems and third-party software.

Implement secure configurations for all hardware and software assets.

Remove unsupported or unauthorized hardware and software from systems.

Leverage email and web browser security settings to protect against spoofed or modified emails and unsecured webpages.

Create application integrity and whitelisting policies so that only approved software is allowed to load and operate on your systems.

Your Surroundings: Ensure only those who belong on your digital workplace have access

Learn who is on your network. Maintain inventories of network connections (user accounts, vendors, business partners, etc.).

Leverage multi-factor authentication for all users, starting with privileged, administrative and remote access users.

Grant access and admin permissions based on need-to-know and least privilege.

Leverage unique passwords for all user accounts.

Develop IT policies and procedures addressing changes in user status (transfers, termination, etc.).

Your Data: Make backups and avoid loss of info critical to operations

Learn what information resides on your network. Maintain inventories of critical or sensitive information.

Learn what is happening on your network. Manage network and perimeter components, host and device components, data-at-rest and in-transit, and user behavior activities.

Domain Name System Protection.

Learn how your data is protected.

Leverage malware protection capabilities.

Establish regular automated backups and redundancies of key systems.

Leverage protections for backups, including physical security, encryption and offline copies.

Actions for leaders. Discuss with IT staff or service providers.

Your Crisis Response: Limit damage and quicken restoration of normal operations

Lead development of an incident response and disaster recovery plan outlining roles and responsibilities. Test it often.

Leverage business impact assessments to prioritize resources and identify which systems must be recovered first.

Learn who to call for help (outside partners, vendors, government/industry responders, technical advisors and law enforcement).

Lead development of an internal reporting structure to detect, communicate and contain attacks.

Leverage in-house containment measures to limit the impact of cyber incidents when they occur.

Consistent with the NIST Cybersecurity Framework and other standards, these actions are the starting point to Cyber Readiness. To learn more, visit Cyber-Essentials.


ESSENTIAL ELEMENT: YOURSELF, THE LEADER

Drive Cybersecurity Strategy, Investment and Culture

Being a cyber leader does not require technical expertise, but rather an ability to change the culture of your organization. Reducing your organization's cyber risks requires awareness of cybersecurity basics. As a leader, you need to drive your organization's approach to cybersecurity as you would any other hazard (e.g. how you identify risk, reduce vulnerabilities, and plan for contingencies). This requires an investment of time and money, as well as the collective buy-in of your management team. Your investment drives actions and activities, and these build and sustain a culture of cybersecurity.

Essential Actions

Actions for Leaders

Discuss with IT Staff or Service Providers

Approach cyber as a business risk. Ask yourself: what type of impact would be catastrophic to your operations? What information, if compromised or breached, would cause damage to employees, customers, or business partners? What is your level of risk appetite and risk tolerance? Raising the level of awareness helps reinforce the culture of making informed decisions and understanding the level of risk to the organization.

Resources for Taking Action

National Association of Corporate Directors: The NACD Director's Handbook on Cyber-Risk Oversight is built around five core principles that are applicable to board members of public companies, private companies, and nonprofit organizations of all sizes and in every industry sector.

National Institute of Standards and Technology (NIST) Cybersecurity Framework: Created through collaboration between industry and government, the voluntary Framework consists of standards, guidelines, and practices to promote the protection of critical infrastructure, and helps owners and operators of critical infrastructure manage cybersecurity-related risks.

CISA Security Tip: Questions Every CEO Should Ask About Cyber Risks: Provides a primer on basic questions that CEOs of all businesses should ask themselves and their employees to ensure better cybersecurity preparedness and resilience.

U.S. Small Business Administration: Small Business Cybersecurity: A guide to help leaders of small businesses learn about common cyber threats, gain an understanding about where their business might be vulnerable, and steps they can take to improve their level of cybersecurity.

Determine how much of your organization's operations are dependent on IT. Consider how much your organization relies on information technology to conduct business and make it a part of your culture to plan for contingencies in the event of a cyber incident. Identify and prioritize your organization's critical assets and the associated impacts to operations if an incident were to occur. Ask the questions that are necessary to understanding your security planning, operations, and security-related goals. Develop an understanding of how long it would take to restore normal operations. Resist the "it can't happen here" pattern of thinking. Instead, focus cyber risk discussions on "what-if" scenarios and develop an incident response plan to prepare for various cyber events and scenarios.

Resources for Taking Action

Cyber Readiness Institute: The Cyber Readiness Program is a practical, step-by-step guide to help small and medium-sized enterprises become cyber ready. Completing the Program will make your organization safer, more secure, and stronger in the face of cyber threats. The Cyber Readiness Program also provides a template for an incident response plan that your organization can customize.

NIST Small Business Cybersecurity Corner: This platform provides a range of resources chosen based on the needs of the small business community. These resources include planning guides, guides for responding to cyber incidents, and cybersecurity awareness trainings.

CISA CRR Supplemental Resource Guide Risk Management: The principal audience for this guide includes individuals responsible for managing risk management programs for IT operations, including executives who establish policies and priorities for risk management, managers and planners who are responsible for converting executive decisions into action plans, and operations staff who implement those operational risk management plans.

For additional resources, visit Cyber-Essentials or email CISAEssentials@cisa.
