KNOWLEDGE:
WHY BUILDING SECURITY PROGRAMS FOR SMALL BUSINESSES OR START-UPS IS A MUST...
The range of companies that have fallen victim to breaches, and the widely publicised mega-breaches of recent years, show why security assessment must be part of the everyday work of business leaders, developers, architects and operations teams. The most important point is to build a learning mindset across teams about the value of a company-wide cyber security programme and its supporting frameworks (NIST, CIS, OWASP, ISO 27001, PCI DSS) for planning and defending against likely threats. Global findings published by Forbes in 2021 ("Alarming Cybersecurity Stats: What You Need To Know For 2021", forbes.com) are a reminder to bake security into the development process so that risks are managed rather than discovered after the fact. Business teams should be able to explain the security precautions and challenges of each business function to leadership, so that the organisation is better prepared for attacks and can analyse its own threats and vulnerabilities. Adopting a recognised security framework gives a business a structured, tested way to protect company and customer data; use established security and privacy frameworks rather than inventing your own.
Customer data breaches, ransomware, theft of company secrets or intellectual property, phishing attacks: cybercrime has become a primary concern for businesses of every size. Protecting your company requires the thoughtful deployment of cybersecurity best practices, and that is where security frameworks come in. As organisations adopt more digital tools to run their business processes, attackers have more opportunities to steal the data every company relies on. Strong passwords and a firewall monitoring traffic are not enough; modern companies are far more complex than that. Developing security controls that keep up with a dynamic digital environment is central to any cybersecurity strategy. It can be hard to know where to start, and a security framework gives that sense of direction.
CHOOSING CYBERSECURITY FRAMEWORKS
Let Locked Stack™ help you choose the right cyber security programme and supporting framework for your business and walk you through the implementation process and certification.
PCI DSS
What is the PCI DSS?
The PCI Data Security Standard (PCI DSS) applies to all entities that store, process, and/or transmit cardholder data. It covers technical and operational practices for system components included in or connected to environments with cardholder data. If you accept or process payment cards, PCI DSS applies to you.
Who has to comply with PCI DSS standards?
The standard itself is published by the PCI Security Standards Council (PCI SSC), but each of the council's founding payment brands (American Express, Discover, JCB International, Mastercard and Visa) runs its own compliance programme for protecting its affiliated payment card account data. Those brand programmes, together with your acquiring bank, determine how a given merchant or service provider must validate compliance (for example by a self-assessment questionnaire or by an on-site assessment) and what the consequences of non-compliance are.
How does encryption of cardholder data affect PCI DSS scope?
Using encryption in a merchant environment does not remove the need for PCI DSS in that environment. The merchant environment remains in scope because cardholder data is present. For example, in a card-present environment, merchants handle the physical payment cards to complete a transaction and may also hold paper reports or receipts containing cardholder data. Similarly, in card-not-present environments such as mail order or telephone order, payment card details arrive via channels that must be evaluated and protected according to PCI DSS.
Encryption of cardholder data with strong cryptography is an acceptable method of rendering the data unreadable, as required by PCI DSS Requirement 3.4 (the numbering used here is from PCI DSS v3.2.1; in v4.0 the equivalent requirement is 3.5.1). However, encryption alone does not necessarily take the cardholder data out of scope for PCI DSS.
The following are each in scope for PCI DSS:
- Systems performing encryption and/or decryption of cardholder data, and systems performing key management functions
- Encrypted cardholder data that is not isolated from the encryption and decryption and key management processes
- Encrypted cardholder data that is present on a system or media that also contains the decryption key
- Encrypted cardholder data that is present in the same environment as the decryption key
- Encrypted cardholder data that is accessible to an entity that also has access to the decryption key
Where a third party receives and/or stores only data encrypted by another entity, and has no ability to decrypt it, the third party may be able to treat the encrypted data as out of scope if certain conditions are met.
Additionally, a merchant may obtain a scope reduction by using a validated point-to-point encryption (P2PE) solution, in which card data is encrypted at the point of interaction and the merchant never holds the decryption keys.
PCI DSS is intended for all entities involved in payment processing, including merchants, regardless of their size or transaction volume. Compared with larger merchants, small merchants often have simpler environments, with limited amounts of cardholder data and fewer systems to protect, which can reduce their PCI DSS compliance effort.
Official PCI Security Standards Council site: verify PCI compliance, download data security and credit card security standards (pcisecuritystandards.org)
CIS Controls
What if your company doesn’t have the bandwidth to implement all 20 security controls?
The CIS Controls also use a tiered model, called Implementation Groups, that lets businesses self-assess their resource availability. This addition helps address resource constraints at businesses of different sizes, which makes the controls well suited to small businesses and start-ups.
Implementation Group 1 is modelled for small businesses and start-ups, which have limited resources to implement the CIS Controls and sub-controls. Implementation Group 2 is for medium or mid-market enterprises that have moderate resources to implement controls and sub-controls. Finally, Implementation Group 3 can be implemented by large and multinational enterprises with significant resources, capable of implementing all the CIS controls and sub-controls.
Overall, the implementation groups make it easier for a security team at small or medium businesses to identify the critical security issues which will have the most impact.
When it comes to security, taking proactive measures is always better than waiting for a breach to occur. A security framework like CIS Controls can provide the foundation that an organization needs to get started developing a cohesive information security strategy.
In the era of cybercrime, it is not worth taking risks with security. Companies struggling to find the resources or knowledge to enact a security strategy should consider reaching out to experts. Outside security expertise can help companies ranging from start-ups to large enterprises develop the strategies they need to keep their networks safe, while giving them the tools to demonstrate their security posture and win new customers.
For businesses, adopting a framework like the CIS Controls gives a structured way to keep company and customer data safe. Use trusted security and privacy frameworks; the CIS Controls are an excellent fit for many businesses, including start-ups.
The CIS Controls (version 7.1, the version described here) are a set of 20 best practices that can guide you through creating a layered cybersecurity strategy; version 8, published in 2021, consolidates them into 18 controls and keeps the three Implementation Groups. CIS cites research suggesting that implementing the controls can reduce the risk of a successful cyberattack by as much as 85 percent.
The CIS Controls align with the NIST Cybersecurity Framework, which was designed to create a common language for managing risk within a company: it helps answer questions such as what the company needs to protect and where the gaps in its security lie. Where the NIST CSF is organised around five core Functions, the CIS Controls are 20 actionable points. A small business or start-up can treat them as the steps for building its security programme.
Any companies looking to adopt the comprehensive NIST cybersecurity framework to guide their security strategy can start with the CIS Controls. Once a baseline has been achieved there are resources available to ease the transition to the NIST Cybersecurity framework, such as CIS Controls V7.1 Mapping to NIST CSF. While the CIS Controls and NIST Cybersecurity Framework are aligned, they aren’t completely interchangeable. Here’s how to get started with the CIS framework for your security program.
Implementing CIS Controls for a Business:
Even if you don’t implement all 20 best practices, your cybersecurity strategy will be made much stronger with this framework.
Using CIS Controls can help a company gain control of its cybersecurity strategy in a methodical, organized way. Organizations that aren’t sure where to start, or that wish to conduct a thorough cybersecurity assessment, should consider working through the 20 steps of the CIS Controls.
The CIS Controls are also grouped into Implementation Groups (described above), so you know what to prioritise and where to start. This is ideal for start-ups or small businesses that do not have professional security staff.
Identify the Security Environment with Basic Controls:
The first six CIS Controls cover basic cybersecurity practices, which CIS calls the “basic” or “cyber hygiene” controls. They are about knowing which people, software and devices can reach company or customer data. To implement them:
- Inventory company hardware and control what connects (Control 1): keep a clear view of every device in the company, including printers, smart devices and other electronics, and compare what is actually on the network against that list.
- Document all software assets (Control 2): determine what software is installed on computers and servers, manually or with a management tool, and allow only approved applications to run.
- Investigate shadow IT: survey employees about the tools they use to do their jobs, or look for software and hardware introduced into the environment without IT's knowledge, and fold the findings into the two inventories above.
- Continuously manage vulnerabilities (Control 3): scan systems for known vulnerabilities on a regular schedule and patch or mitigate them within a defined time.
- Identify and limit user account permissions (Control 4): find out which users run with administrator privileges and remove those privileges from accounts that do not need them.
- Update passwords and configurations (Control 5): make sure all devices use strong, non-default credentials and a secure configuration baseline.
- Implement and maintain audit logs (Control 6): collect, retain and review logs from systems and devices so that you can detect and investigate suspicious activity.
Protect Assets with Foundational Controls:
Foundational controls provide more advanced guidance for improving the technical side of security. They establish technical controls that protect the assets your company uses to conduct its business: email, computers and customer data. With the assessment of the security environment complete, you can implement these controls:
- Email and web browser protection (Control 7): use only fully supported browsers and email clients, block unauthorised plug-ins and extensions, and filter risky attachment types and URLs at the mail gateway.
- Malware defences (Control 8): deploy centrally managed anti-malware on all endpoints and keep engines and signatures updated.
- Limitation of network ports, protocols and services (Control 9): allow only the ports, protocols and services with a validated business need, and use host-based firewalls to block the rest.
- Data recovery capability (Control 10): take regular, automated backups, keep at least one copy offline or otherwise isolated from the network, and test restores.
- Secure configuration of network devices (Control 11): configure firewalls, routers and switches from a documented secure baseline and track every change.
- Boundary defence (Control 12): control and monitor traffic crossing trust boundaries (the internet edge, VPN entry points, links between segments); for a small business this usually means a firewall with deny-by-default rules and logging.
- Data protection (Control 13): encrypt hard drives, laptops and mobile devices that carry sensitive business data, and use secure storage for business data.
- Controlled access based on need to know (Control 14): limit access to data to the people and processes that need it for their role.
- Wireless access control (Control 15): segment wireless networks, filter which devices may join, audit wireless traffic, and encrypt wireless data in transit (WPA2 or WPA3 with AES).
- Account monitoring and control (Control 16): require multi-factor authentication for all user accounts, and disable accounts that cannot be associated with a specific user or business process, as well as dormant accounts.
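As an added worked example (not from the page and not CIS tooling), the Python below turns four of the controls from the basic and foundational lists above into checks a small team could run against its own data: Control 1 (unknown devices on the network), Control 2 (software outside the allowlist), Control 4 (administrative accounts without MFA) and Control 16 (unowned and dormant accounts). All device, software and account data is constructed for the illustration; in practice the observed lists would come from a DHCP lease table or network scan, an endpoint agent, and the identity provider.

```python
"""
Added example: reconciliation checks for four CIS Controls (v7.1 numbering)
run over a constructed asset and account inventory. Not CIS tooling; every
record below is invented to illustrate the checks.
"""
from typing import Dict, List, Set, Tuple

# --- constructed sample data (not from any real environment) -----------------

# Control 1: authorised hardware, keyed by MAC address (constructed).
AUTHORIZED_DEVICES: Dict[str, str] = {
    "aa:bb:cc:00:00:01": "laptop-alice",
    "aa:bb:cc:00:00:02": "laptop-bob",
    "aa:bb:cc:00:00:03": "printer-floor1",
}
# What a DHCP lease table or ARP sweep might report (constructed).
OBSERVED_DEVICES: List[Tuple[str, str]] = [
    ("aa:bb:cc:00:00:01", "10.0.0.11"),
    ("aa:bb:cc:00:00:03", "10.0.0.30"),
    ("de:ad:be:ef:00:99", "10.0.0.77"),  # never inventoried
]
# Control 2: software allowlist and what is actually installed (constructed).
APPROVED_SOFTWARE: Set[str] = {"chrome", "slack", "office"}
INSTALLED_SOFTWARE: Dict[str, Set[str]] = {
    "laptop-alice": {"chrome", "slack", "office"},
    "laptop-bob": {"chrome", "teamviewer"},  # remote-access tool nobody approved
}
# Controls 4 and 16: (username, owner, is_admin, mfa_enabled, days_since_login).
ACCOUNTS: List[Tuple[str, str, bool, bool, int]] = [
    ("alice", "Alice Example", True, True, 2),
    ("bob", "Bob Example", False, True, 5),
    ("svc_backup", "", True, False, 400),   # unowned, admin, no MFA, dormant
    ("legacy_admin", "", True, False, 10),  # unowned admin without MFA
]

Finding = Tuple[str, str, str]  # (control, subject, issue)


def unauthorized_devices(observed, authorized) -> List[Finding]:
    """Control 1: anything seen on the wire that is not in the inventory."""
    return [("CIS-1", f"{mac} ({ip})", "device not in hardware inventory")
            for mac, ip in observed if mac not in authorized]


def unapproved_software(installed, approved) -> List[Finding]:
    """Control 2: installed packages outside the allowlist (shadow IT)."""
    findings = []
    for host, packages in sorted(installed.items()):
        for pkg in sorted(packages - approved):
            findings.append(("CIS-2", host, f"unapproved software: {pkg}"))
    return findings


def review_accounts(accounts, dormant_after_days: int = 90) -> List[Finding]:
    """Controls 4 and 16: admin without MFA, unowned and dormant accounts."""
    findings = []
    for user, owner, is_admin, mfa, idle_days in accounts:
        if is_admin and not mfa:
            findings.append(("CIS-4", user, "administrative account without MFA"))
        if not owner:
            findings.append(("CIS-16", user,
                             "account not associated with a person or process"))
        if idle_days > dormant_after_days:
            findings.append(("CIS-16", user, f"dormant for {idle_days} days"))
    return findings


def run_checks() -> List[Finding]:
    """All checks over the sample data, ordered by control number then subject."""
    findings = (unauthorized_devices(OBSERVED_DEVICES, AUTHORIZED_DEVICES)
                + unapproved_software(INSTALLED_SOFTWARE, APPROVED_SOFTWARE)
                + review_accounts(ACCOUNTS))
    return sorted(findings, key=lambda f: (int(f[0].split("-")[1]), f[1]))


if __name__ == "__main__":
    for control, subject, issue in run_checks():
        print(f"{control:7} {subject:30} {issue}")
```

The point of the structure is that each control becomes a comparison between an authoritative list (the inventory, the allowlist, the owner field) and what is observed; the findings are deliberately tagged with the control number so they can be tracked to closure in the same place as the rest of the programme.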
Develop a Security Culture with Organizational Controls:
Foundational controls build a strong technical programme, but they are undermined if employees are not trained in security practices. The final four CIS Controls therefore address organisational processes: awareness, preparedness and incident response. In this phase you should:
- Implement security awareness training (Control 17): help employees understand why security matters, train them on their role in it, and identify skill gaps.
- Manage the security life cycle of software (Control 18): establish secure coding and development practices to prevent, detect and correct security weaknesses in software you build or buy.
- Develop incident response and management procedures (Control 19): define roles, contacts and procedures for handling incidents and returning operations to normal as quickly as possible.
- Perform penetration tests and red team exercises (Control 20): test the strength of your defences by simulating realistic attacks and breach attempts, and feed the results back into the earlier controls.
CIS Controls (cisecurity.org)
NIST
Whether a small, midsized or large organization, everyone can agree on one thing: Managing cyber risk is no easy feat. In the current landscape, especially, having a strong and reliable security program is more important than ever.
Cybersecurity Framework | NIST
To validate the performance of your security programme, you should measure it against a set of standards, and this is where organisations such as the National Institute of Standards and Technology (NIST) come in. Well regarded for its risk management and information security publications, NIST released its Cybersecurity Framework (CSF) in 2014 to offer an easy-to-understand risk management methodology for the 16 US critical infrastructure sectors. It has since been adopted globally by organisations large and small, far beyond critical infrastructure.
Helping SMBs With A Flexible Framework
NIST understands that not all businesses are created equal, and small and medium-sized businesses (SMBs) are especially strapped for resources, such as staff and budget, to manage risk. With this reality, the simplicity of the NIST CSF proves to be valuable. The framework provides a well-defined taxonomy known as the CSF Core. The Core is a way to organize and communicate cybersecurity objectives and outcomes. The Core begins with five functions:
Identify: Develop an understanding of your business and potential cybersecurity risks to align efforts with risk management strategy and needs.
Protect: Take appropriate precautions, and work to limit the impact of a potential cybersecurity incident.
Detect: Identify incidents in a timely manner through continuous monitoring.
Respond: Take action if an event does occur and try to contain the impact of the event.
Recover: Engage in the right activities to be resilient in the face of future attacks and restore any affected systems to normal operations as quickly as possible.
These five critical functions make up a cybersecurity risk management program and are easy for nonexperts to understand. Executives and board members can focus on the status of these five functions to get a high-level understanding of cyber risk posture.
The Core also supports more granular definitions that align with these functions. Specifically, there are three further levels of granularity: 23 Categories, 108 Subcategories (in CSF 1.1) and Informative References, which point to specific controls in standards such as NIST SP 800-53, ISO/IEC 27001 and the CIS Controls. Controls map to subcategories, which roll up into categories, which roll up into functions. This layered taxonomy allows consistent cybersecurity communication at every level of an organisation, from the server room to the board room.
Because the CSF is a voluntary framework, organisations can adopt it at whatever level meets their own needs. For example, an organisation may start its cyber risk management programme with a subset of categories, subcategories and controls and expand over time. The CSF leaves you free to decide which security objectives (categories, subcategories and controls) make the most sense for your business.
A Self-Assessment Process
Alongside the Core is a seven-step process to help operationalise the CSF and establish a cybersecurity risk management programme. CSF 1.1 names the steps Prioritize and Scope, Orient, Create a Current Profile, Conduct a Risk Assessment, Create a Target Profile, Determine/Analyze/Prioritize Gaps, and Implement Action Plan. As applied here, the steps are:
- Prioritize and scope: Define the environment based on physical or logical boundaries. Define roles and responsibilities. Identify business objectives, including regulatory requirements.
- Identify security objectives that the business requires. This will help determine which categories, subcategories and controls you need.
- Use categories, subcategories and controls to create the organisation's “target profile”. The CSF also defines four Implementation Tiers (Partial, Risk Informed, Repeatable, Adaptive) that describe how rigorous and risk-informed your practices are; NIST notes that Tiers are not a maturity model, but they help decide how advanced the cybersecurity objectives need to be to support the business.
- Testing and evaluation are conducted to determine whether the objectives defined in the target profile are in place. If Tiers are also being used, the same evaluation shows how rigorous the programme and its elements are.
- The outcome of the testing process will determine the current profile and identify gaps if certain objectives are determined to not be in place.
- Gaps are reviewed for severity and business impact. This analysis helps an organization define remediation/action plans.
- Action plans are then managed to completion, at which time the current profile is updated. The goal is to achieve what is defined in the target profile. It is also important to continuously monitor status by periodically retesting and reviewing remediation activities.
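To make the profile and gap steps concrete, here is an added Python example (not NIST's code and not part of the original page) that builds a small Target Profile, compares it with an assessed Current Profile, ranks the gaps by shortfall and business impact, summarises posture per Function for executives, and updates the Current Profile once an action item has been retested. The subcategory identifiers are from NIST CSF 1.1 (descriptions paraphrased); the 1-4 score per outcome borrows the Tier names as a scale, which is this example's convention rather than NIST's (NIST applies Tiers to the organisation as a whole); all scores, targets and impact weights are constructed.

```python
"""
Added example: current-versus-target Profile gap analysis in the style of the
CSF self-assessment steps. Not NIST's code. Subcategory IDs are from CSF 1.1
(descriptions paraphrased); scores, targets and impact weights are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List

# CSF 1.1 Implementation Tier names, reused here as a 1-4 scale for scoring
# individual outcomes (this example's convention; NIST assigns Tiers to the
# organisation as a whole).
TIER_NAMES = {1: "Partial", 2: "Risk Informed", 3: "Repeatable", 4: "Adaptive"}


@dataclass(frozen=True)
class Outcome:
    subcategory: str   # CSF 1.1 identifier, e.g. "PR.AC-1"
    description: str   # paraphrased outcome text
    target: int        # score the business wants (1-4), constructed
    impact: int        # constructed business-impact weight (1-5)


# Target Profile: the outcomes the business has decided it needs (constructed).
TARGET_PROFILE: List[Outcome] = [
    Outcome("ID.AM-1", "Physical devices and systems are inventoried", 3, 4),
    Outcome("ID.AM-2", "Software platforms and applications are inventoried", 3, 4),
    Outcome("PR.AC-1", "Identities and credentials are managed for authorised "
                       "users, devices and processes", 3, 5),
    Outcome("PR.DS-1", "Data-at-rest is protected", 3, 5),
    Outcome("DE.CM-1", "The network is monitored to detect potential events", 2, 3),
    Outcome("RS.RP-1", "Response plan is executed during or after an incident", 2, 4),
    Outcome("RC.RP-1", "Recovery plan is executed during or after an incident", 2, 4),
]

# Current Profile: what testing and evaluation found (constructed results).
CURRENT_PROFILE: Dict[str, int] = {
    "ID.AM-1": 2, "ID.AM-2": 1, "PR.AC-1": 1, "PR.DS-1": 3,
    "DE.CM-1": 1, "RS.RP-1": 1, "RC.RP-1": 2,
}


def function_of(subcategory: str) -> str:
    """'PR.AC-1' -> 'PR' (the Function prefix: ID, PR, DE, RS or RC)."""
    return subcategory.split(".", 1)[0]


def gap_analysis(target: List[Outcome], current: Dict[str, int]) -> List[dict]:
    """Gap step: every outcome below its target, highest priority first.

    priority = shortfall in score x business impact, so a small gap in a
    high-impact outcome can outrank a large gap in a low-impact one.
    An outcome that was never assessed is treated as Partial (score 1).
    """
    gaps = []
    for o in target:
        observed = current.get(o.subcategory, 1)
        shortfall = o.target - observed
        if shortfall > 0:
            gaps.append({
                "subcategory": o.subcategory,
                "function": function_of(o.subcategory),
                "current": TIER_NAMES[observed],
                "target": TIER_NAMES[o.target],
                "priority": shortfall * o.impact,
            })
    return sorted(gaps, key=lambda g: (-g["priority"], g["subcategory"]))


def function_summary(target: List[Outcome], current: Dict[str, int]) -> Dict[str, float]:
    """The board-level view: mean current score per Function."""
    scores: Dict[str, List[int]] = {}
    for o in target:
        scores.setdefault(function_of(o.subcategory), []).append(
            current.get(o.subcategory, 1))
    return {fn: sum(v) / len(v) for fn, v in scores.items()}


def apply_remediation(current: Dict[str, int], retested: Dict[str, int]) -> Dict[str, int]:
    """Action-plan step: after remediation is retested, update the Current
    Profile. Returns a new dict; scores only move on retest evidence."""
    updated = dict(current)
    for subcategory, score in retested.items():
        if not 1 <= score <= 4:
            raise ValueError(f"score for {subcategory} must be 1-4, got {score}")
        updated[subcategory] = score
    return updated


if __name__ == "__main__":
    for g in gap_analysis(TARGET_PROFILE, CURRENT_PROFILE):
        print(f"{g['priority']:3}  {g['subcategory']:8} {g['current']} -> {g['target']}")
    print(function_summary(TARGET_PROFILE, CURRENT_PROFILE))
```

Two design choices worth noting: an unassessed outcome defaults to the lowest score rather than being silently skipped, so an incomplete assessment shows up as gaps instead of as a clean report; and the Current Profile is only updated through retest results, which keeps the "continuously monitor status by periodically retesting" step honest.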
The CSF allows you to start small and expand over time when the organization is ready or needs to expand based on emerging business requirements or risks. The bottom line is this: You decide how to expand the program and on what timeline.
Looking Forward
As the landscape evolves, NIST continues to update users on changes to the framework, including draft revisions released for public comment. The most recent major revision, CSF 2.0 (February 2024), adds a sixth Function, Govern, covering strategy, roles, policy and oversight, and states explicitly that the framework is for organisations of every size and sector, not only critical infrastructure. NIST's stated aim is a framework that addresses future risks while giving organisations of any size a risk management blueprint.
ISO 27001:
First, note that the full title of ISO 27001 in its 2013 edition is “ISO/IEC 27001 – Information technology — Security techniques — Information security management systems — Requirements”. The 2022 edition is titled “ISO/IEC 27001:2022 – Information security, cybersecurity and privacy protection — Information security management systems — Requirements”, and organisations certified against the 2013 edition must transition to it.
It is the leading international standard for information security, published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), both leading developers of international standards. ISO/IEC 27001 is part of the ISO/IEC 27000 family of information security standards.
ISO framework and the purpose of ISO 27001
The ISO framework is a combination of policies and processes for organisations to use. ISO 27001 provides a framework to help organisations of any size or industry protect their information in a systematic and cost-effective way through an Information Security Management System (ISMS).
Why is ISO 27001 important?
Not only does the standard give companies the know-how to protect their most valuable information; a company can also be certified against ISO 27001 and in that way demonstrate to its customers and partners that it safeguards their data.