Many organizations are working to define an information security baseline through the use of a consistent cybersecurity framework, such as the NIST Cybersecurity Framework or NIST Special Publication 800-171.
These frameworks provide a predefined set of security controls for endpoint security, access control, physical security, application security, policy, training, etc., to protect systems and information. Adopting one lets you take a holistic approach to information security across the organization, gives everyone a defined set of best practices to follow, and gives you a more deliberate process for assessing and managing the risk level of new systems or applications.
By utilizing a standard framework across all areas, you can:
- Consistently assess the security practices of various departments
- Implement common tools, processes, and procedures (and align your overarching cybersecurity policies)
- Monitor and verify security metrics to ensure all departments are operating at the minimum acceptable security baseline
- Identify critical security gaps and define where organizational resources are needed most in order to best protect sensitive information and high risk systems
- Identify tasks and timelines for individual departments to meet the defined security standards
As an organization, you may also want to track metrics related to the outlined security controls. Examples include the percentage of systems that have a network firewall in place, the percentage with anti-virus software installed, the percentage that patch critical vulnerabilities within 30 days, the percentage with data encryption, and the percentage that have completed a risk assessment. You can then use this data to show improvements in your information security program over time.
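One way to compute those metrics from a system inventory, as an added example that is not part of the original article: each control becomes a predicate over a system record, coverage is reported organization-wide and per department, and any department/control pair below the baseline is listed worst first, which is the "where are resources needed most" list from the bullets above. The inventory, the field names, and the 90% baseline threshold are all assumptions made for the example; the 30-day patch window is the one the article names. Note the patch check measures open time as of a reporting date, so a critical finding that is only a few days old does not yet count against a system.

```python
from collections import defaultdict
from datetime import date

PATCH_SLA_DAYS = 30         # from the article: critical vulnerabilities patched within 30 days
BASELINE_THRESHOLD = 0.90   # assumed: a department meets the baseline at 90% coverage per control
AS_OF = date(2024, 4, 1)    # reporting date used for the stand-alone run below

# Constructed sample inventory (not real data). One record per system; each critical
# vulnerability records when it was found and when it was patched (None = still open).
INVENTORY = [
    {"host": "fin-db-01", "dept": "Finance", "firewall": True, "antivirus": True,
     "encrypted": True, "risk_assessed": True,
     "critical_vulns": [{"found": date(2024, 3, 1), "patched": date(2024, 3, 20)}]},
    {"host": "fin-ws-02", "dept": "Finance", "firewall": True, "antivirus": True,
     "encrypted": False, "risk_assessed": True, "critical_vulns": []},
    {"host": "lab-srv-01", "dept": "Research", "firewall": False, "antivirus": True,
     "encrypted": False, "risk_assessed": False,
     "critical_vulns": [{"found": date(2024, 2, 1), "patched": None}]},   # open 60 days
    {"host": "lab-srv-02", "dept": "Research", "firewall": True, "antivirus": False,
     "encrypted": True, "risk_assessed": False,
     "critical_vulns": [{"found": date(2024, 3, 25), "patched": None}]},  # open 7 days
]


def patched_within_sla(system, as_of, sla_days=PATCH_SLA_DAYS):
    """True if no critical vulnerability on this system has been open longer than the SLA.
    An unpatched finding counts against the system only once the SLA has elapsed."""
    for vuln in system["critical_vulns"]:
        closed = vuln["patched"] or as_of
        if (closed - vuln["found"]).days > sla_days:
            return False
    return True


def controls(as_of):
    """The measured controls, each a predicate over one system record."""
    return {
        "firewall": lambda s: s["firewall"],
        "antivirus": lambda s: s["antivirus"],
        "patch_sla": lambda s: patched_within_sla(s, as_of),
        "encryption": lambda s: s["encrypted"],
        "risk_assessment": lambda s: s["risk_assessed"],
    }


def coverage(systems, as_of):
    """Fraction of systems satisfying each control (0.0 for an empty set of systems)."""
    n = len(systems)
    return {name: (sum(1 for s in systems if check(s)) / n if n else 0.0)
            for name, check in controls(as_of).items()}


def coverage_by_department(inventory, as_of):
    """Per-department coverage, so departments can be assessed against the same baseline."""
    by_dept = defaultdict(list)
    for s in inventory:
        by_dept[s["dept"]].append(s)
    return {dept: coverage(systems, as_of) for dept, systems in by_dept.items()}


def gaps(inventory, as_of, threshold=BASELINE_THRESHOLD):
    """Department/control pairs below the baseline, lowest coverage first."""
    found = []
    for dept, cov in coverage_by_department(inventory, as_of).items():
        for control, frac in cov.items():
            if frac < threshold:
                found.append((dept, control, frac))
    return sorted(found, key=lambda g: g[2])


if __name__ == "__main__":
    print("Organization-wide:", coverage(INVENTORY, AS_OF))
    for dept, control, frac in gaps(INVENTORY, AS_OF):
        print(f"GAP  {dept:10s} {control:16s} {frac:.0%}")
```

Re-running this against the same inventory each quarter, with the `as_of` date moved forward, gives the trend data the paragraph above describes; keeping the predicates in one place also means a new framework control is one added line rather than a new report.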
The utilization of a cybersecurity framework across your whole organization also provides a way to measure where you stand compared to other similar organizations, and allows you to simplify communications about security metrics with board members and executive leadership.
Following this approach, you can ensure practical, basic IT security measures have been implemented. This baseline will not by itself ensure compliance with specific federal or industry security standards (PCI DSS, HIPAA, FERPA, CMMC, etc.), but once you have aligned the majority of your business practices with a cybersecurity framework, meeting those standards becomes much easier: you will already have addressed roughly 80 percent of the necessary controls and can focus on the remaining 20 percent of requirements specific to each data type or system.
Some additional guidance from CampusGuard’s Security Advisor Team:
[Coudeyras]: Many federal/industry compliance standards require organizations to implement a baseline security configuration for all devices in scope. Therefore, not only is it a good idea from a purely compliance perspective, it is a good idea from an information security perspective as well. As we know, there is a difference between being compliant and being secure. Implementing and auditing baseline security configurations is a surefire way to decrease overall risk levels at the organization while at the same time checking compliance boxes. It is important to also include all in-scope systems in your annual risk assessment to verify the appropriate controls have been implemented and are being maintained accordingly.