A large part of any company’s security plan is the set of security controls. Security controls are directives that must be followed within an organization. If you have compliance requirements, you are likely already subject to a control set such as HIPAA, PCI-DSS, NERC CIP, or others. Because you are already required to comply with a law or industry regulation, you at least have a starting point. You must adhere to the minimums those frameworks put forth. You can stop there, knowing you’ve met the minimum obligation, or you can choose to review and extend that control set to meet your unique security needs.
If you have no compliance requirements, or choose to go further than your compliance requirements, you have the opportunity to carefully craft your own set of security controls. Even with a blank slate, I recommend starting from a known industry standard. For small and mid-sized businesses, this should be the Center for Internet Security Critical Security Controls (version 6.1 is current at the time of writing). This starting point should not be an ending point, however. These controls, commonly referred to as the CSC20, will still require some adjustment to fit within smaller businesses.
Overall, the CSC20 controls are heavily focused on technical security. You must also ensure you account for non-technical security needs such as protecting information in manual processes, physical security of facilities, and security in vendor and partner relationships. While most people think of cyber security as solely a technical process, in reality it transcends your computer systems and extends to your entire business.
Finally, some of the CSC20 controls will be out of reach for smaller businesses. In CSC20 version 6.1, each sub-control carries a “Foundational” or “Advanced” designation. While it is recommended that everyone implement the Foundational sub-controls, even some of these are too much for a small business. Specifically, Control 20 calls for penetration tests and red team exercises, which may not be cost effective at a smaller scale. Several of the sub-controls that call for continuous monitoring aren’t a reasonable use of resources for smaller businesses either.
Ultimately, the business owner or principal decision maker should determine which controls will be implemented in the company. In doing so, they should enlist the assistance of a security professional to fully understand the risk reduced and the cost incurred by each control. A good security consultant can help you find the right mix of controls to reduce your risk considerably while minimizing the impact on operations and resources.
Don’t know a good security professional, you say? Well, we may know a few.