For many Small and Medium businesses, the thought of “Where to start?” as it pertains to cybersecurity can be a daunting or overwhelming task. Fortunately, there are many resources to help an SMB answer that question AND get started. One of the most useful and easy to digest is the Center for Internet Security’s Critical Security Controls Framework.
A quick way an SMB can evaluate its overall cybersecurity hygiene and understanding is to do a survey of the CIS 18 Critical Security Controls. AND to make it easier, here is a survey you, as an SMB owner, can use to start to get a handle on your cybersecurity needs.
Please rate your organization’s implementation of each control on a scale of 1 to 5, where 1 indicates “Not Implemented” and 5 indicates “Fully Implemented.”
- Inventory and Control of Hardware Assets: How well does your organization maintain an accurate and up-to-date inventory of all hardware assets?
- Inventory and Control of Software Assets: How effectively does your organization maintain an accurate and up-to-date list of all software assets?
- Continuous Vulnerability Management: How effectively does your organization identify, assess, and remediate software vulnerabilities in a timely manner?
- Controlled Use of Administrative Privileges: How effectively does your organization restrict, monitor, and control the use of administrative privileges?
- Secure Configuration for Hardware and Software: How well does your organization establish, implement, and maintain secure configurations for all hardware and software?
- Maintenance, Monitoring, and Analysis of Audit Logs: How effectively does your organization collect, manage, and analyze audit logs to detect potential security incidents?
- Email and Web Browser Protections: How well does your organization implement security measures for email and web browsing to protect against phishing and other attacks?
- Malware Defenses: How effectively does your organization implement and maintain malware defenses to detect and prevent malicious software?
- Limitation and Control of Network Ports, Protocols, and Services: How effectively does your organization restrict and manage the use of network ports, protocols, and services?
- Data Recovery Capabilities: How well does your organization implement and maintain data backup and recovery processes to ensure timely recovery in case of data loss?
- Secure Configuration for Network Devices: How effectively does your organization establish, implement, and maintain secure configurations for all network devices?
- Boundary Defense: How well does your organization protect its network perimeter and prevent unauthorized access?
- Data Protection: How effectively does your organization protect sensitive data from unauthorized access, disclosure, modification, or destruction?
- Controlled Access Based on the Need to Know: How effectively does your organization limit access to sensitive data based on the principle of least privilege?
- Wireless Access Control: How effectively does your organization manage and secure wireless access points and devices?
- Account Monitoring and Control: How well does your organization monitor and manage user accounts, including detecting and responding to unauthorized access?
- Security Skills Assessment and Appropriate Training: How effectively does your organization assess and improve the cybersecurity skills of its staff through training and awareness programs?
- Application Software Security: How effectively does your organization ensure that software applications are developed and maintained securely?
- Incident Response and Management: How well does your organization plan for, detect, respond to, and recover from security incidents?
- Penetration Tests and Red Team Exercises: How effectively does your organization conduct regular penetration tests and red team exercises to identify and address security vulnerabilities?
If you are still unsure where to start BAWN can help you get started. Contact us for a free consultation.
Comments