Security Governance: The Eleven Most Important Functions of the Security Council

Cyber security is often considered the responsibility of the IT department. Nothing could be further from the truth. Although the IT team has certain responsibilities in deploying and maintaining security systems, the ultimate responsibility for maintaining a strong security culture lies with Senior Management.

Senior Management must first take on the responsibility of Security Governance. This means managing security as a process, not unlike many other functions within the company. As such, the implementation and management of the process falls to others within the organization under the leadership of senior management.

In order to accomplish proper security governance, organizations should form a Security Council consisting of departmental leaders from all parts of the organization, led by senior management.

The functions of the Security Council include:

  • Clearly identifying roles and responsibilities of council members

  • Implementing and promoting a culture of security awareness and vigilance

  • Adopting an appropriate security framework for the organization

  • Performing a thorough risk assessment for the organization

  • Determining a desired security "profile" for the organization

  • Generating a gap analysis between the desired profile and the current state

  • Developing and implementing a plan to address security gaps

  • Developing and approving policies and procedures defining proper security practices

  • Maintaining security through monthly meetings and regular audits

  • Identifying new threats and adapting processes to address them

  • Establishing a comprehensive Cyber Security Incident Response Policy

Each member of the council should have deep experience with the functions of their department and understand the sensitivity of the informational assets their department owns. For instance, the HR director should understand where employee records are stored and the ramifications if that information were subject to unauthorized access. The Finance director should understand the importance of the financial data they own and the impact of that data being compromised. The participation of department heads in the risk assessment process is crucial to the proper identification of information at risk.

Representatives of the IT department take feedback from the department heads and formulate plans to secure the data in accordance with the adopted security framework. The IT department typically identifies and implements the tools necessary to monitor and manage the security of the organization's assets.

However, it is not the role of IT to drive a culture of security awareness. That must come from the top. All employees must be made aware of the importance of security in the organization. This is accomplished through security awareness training and testing. It is not enough to simply educate users on the dangers of phishing or malware. They must be tested regularly to make sure their radar stays sharp. Senior management, along with the security council, must continuously audit the results of testing and take corrective action to deal with repeat offenders.

With senior leadership driving a strong security awareness culture, flanked by a strong security council, organizations can protect themselves to a great degree.

Risk Management, Security Framework, CIS, MSP | Mark Jennings

Why CIS is the Best Security Framework for MSPs

A couple of months ago I wrote about the importance of adopting a security framework to give structure and process to securing your practice. I went over several common frameworks and debated the pros and cons of each. In this article I am going to delve into the reasons why the Center for Internet Security (CIS) Framework is the best for MSPs.

When we compared the NIST and ISO Frameworks to CIS, we discovered that NIST and ISO were somewhat loose and vague in regards to what controls needed to be implemented in order to be compliant. Both standards leave a lot of leeway for alternative approaches to meeting the standard of the control. While this flexibility may be desirable in some situations, it can be confusing and lead to lapses in security. On the other hand, CIS is very defined and prescriptive in terms of what actions are needed to meet the standard. CIS also offers three clearly defined levels of compliance, Implementation Groups 1, 2, and 3, based on the needs of the organization.

Implementation Group 1 covers basic cyber hygiene. All organizations should strive to achieve IG1 at the very least, and that may be enough for small businesses with no real exposure to sensitive data. Implementation Group 2 is most likely the appropriate level for most organizations and most MSPs. It provides an appropriate level of protection with a reasonable amount of financial investment. Those organizations that are custodians of very sensitive information or manage critical systems would likely want to achieve Implementation Group 3 status.

Perhaps the most difficult part of implementing a security framework is knowing where to start. To guide organizations through the process, CIS has created the CIS Self-Assessment Tool (CSAT). By using the CSAT, MSPs can quickly determine their current state in relation to the CIS Framework. They can then determine the gap between where they are today and the desired Implementation Group attainment, and use the tool to track their progress against that goal.

One of the fundamental tasks of any MSP is the deployment of new technology into their clients' networks. This includes servers (cloud based or on-premises), workstations, switches, firewalls, Wi-Fi, etc. Each of these devices introduces potential vulnerabilities if not configured properly. This is where CIS really sets itself apart from the rest of the security framework community. Through close collaboration with many hardware and software manufacturers, CIS has developed a series of Benchmarks that provide a clear guide on the configuration of hundreds of products. This includes Windows Operating Systems, Microsoft Azure Services, Mac OS, Palo Alto Firewalls, Cisco Switches, etc. For instance, if the MSP is deploying a Windows Server 2019, they can reference the Benchmark guide for Windows 2019 and configure all of the settings in compliance with CIS IG1, 2, or 3.

The Benchmark guides are extremely thorough and detailed. Many are more than 1000 pages in length. Although it would be possible to follow the guide and configure a system manually, it would be incredibly time consuming and laborious. For this reason, CIS has created Build Kits for most of the Benchmarks. Build kits automate the application of the configuration through scripts and group policy objects. This allows the MSP to apply the proper security to the device quickly, efficiently, and consistently.

Additionally, CIS has created the CIS CAT Pro Assessor Tool. CIS CAT Pro automates the comparison of a system's configuration against the corresponding Benchmark. It can also identify missing patches. The resulting report provides all of the changes required to bring the system back into compliance.
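The gap-analysis workflow described above (CSAT-style comparison of the current state against a target Implementation Group, and CIS-CAT-style checking of a host's configuration against a benchmark) as an added Python example; this is not CIS's tooling, and the baseline controls, their identifiers and the host snapshot are constructed for illustration, not real CIS Benchmark recommendations.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Control:
    ident: str     # constructed id, not a real CIS recommendation number
    title: str
    ig: int        # lowest Implementation Group that requires this control
    setting: str   # key in the host's configuration snapshot
    check: str     # "eq": value must equal expected; "min": value >= expected
    expected: str

# Constructed baseline: illustrative settings only, not CIS Benchmark content.
BASELINE = (
    Control("C-1", "Minimum password length", 1, "min_password_length", "min", "14"),
    Control("C-2", "Account lockout threshold", 1, "lockout_threshold", "eq", "5"),
    Control("C-3", "SMBv1 server disabled", 1, "smb1_enabled", "eq", "0"),
    Control("C-4", "Audit logon events", 2, "audit_logon", "eq", "success_failure"),
    Control("C-5", "Remote registry service", 2, "remote_registry_start", "eq", "disabled"),
    Control("C-6", "Credential Guard enabled", 3, "credential_guard", "eq", "1"),
)

def passes(control, value):
    """True when the observed value satisfies the control; unset values fail."""
    if value is None:
        return False
    if control.check == "min":
        return int(value) >= int(control.expected)
    return value == control.expected

def gap_analysis(snapshot, target_ig):
    """Controls required by target_ig that the snapshot fails (CSAT-style gap)."""
    return [c for c in BASELINE
            if c.ig <= target_ig and not passes(c, snapshot.get(c.setting))]

def compliance_score(snapshot, target_ig):
    """Fraction of in-scope controls that pass, as a summary report would show."""
    in_scope = [c for c in BASELINE if c.ig <= target_ig]
    failed = gap_analysis(snapshot, target_ig)
    return round(1 - len(failed) / len(in_scope), 2) if in_scope else 1.0

# Constructed host snapshot (as a collector script or GPO export might report
# it); remote_registry_start is deliberately absent to show the missing case.
SAMPLE_HOST = {"min_password_length": "8", "lockout_threshold": "5",
               "smb1_enabled": "1", "audit_logon": "success_failure",
               "credential_guard": "0"}

if __name__ == "__main__":
    for ig in (1, 2, 3):
        gaps = gap_analysis(SAMPLE_HOST, ig)
        print(f"IG{ig}: {compliance_score(SAMPLE_HOST, ig):.0%} compliant, gaps: "
              + ", ".join(f"{c.ident} {c.title}" for c in gaps))
```

Raising the target Implementation Group widens the in-scope set, so the same host shows more gaps at IG2 and IG3 than at IG1.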

Access to the CIS Framework documentation and the CSAT tool is free of charge. However, the more advanced tools in the CIS Framework require membership in the CIS SecureSuite Program. The annual fee for membership in SecureSuite varies by company size. Academic, non-profit, and governmental agencies may be eligible for free subscriptions. MSPs looking to use the framework for commercial purposes and consulting services would pay an annual fee based on their annual revenue.

Given the highly prescriptive nature and clear definition of the standards, the CIS Security Framework is the ideal framework for MSPs. Compliance is achieved through specific controls, and those controls are enforced on deployed products in an automated and auditable fashion.

Additionally, CIS overlaps heavily with all of the other common frameworks and standards, so MSPs that have achieved CIS Implementation Group 2 ensure their security standards are up to par with many of the regulatory requirements to which their clients are subject, such as HIPAA, SOX, GLBA, etc. Those MSPs that also pursue NIST or ISO certification are close to that goal as well due to the overlap and cross references between standards.

By implementing the CIS Security framework MSPs will increase their value, reduce their risk, and outshine the competition. What MSP wouldn’t want that?
