CIS Critical Security Controls v8: Implementation Group 1
Essential Cyber Hygiene for Small Teams
By Leigh Johnson, Director of I.T. for the Town of Prosper | ljohnson@prospertx.gov
When it comes to securing their networks against the ever-changing cyber threat landscape, small to midsize municipal I.T. teams (particularly those who have no dedicated security staff) face unique challenges. Whether or not those organizations have a formal security program, the CIS Critical Security Controls v8, Implementation Group 1 (IG1) provides a foundational framework to safeguard against prevalent cyber risks efficiently. However, a department with limited time and resources might assume that rolling out these controls is beyond their reach, given the myriad other demands on their time and attention. In fact, implementing IG1 is easily within the reach of teams of all sizes, so how might an organization begin the process?
The first priority should be to establish a comprehensive inventory of both physical assets (Control 1) and software assets (Control 2). This step involves detailing all hardware devices, software applications, and associated data within the organization's network. While utilizing automated inventory management tools might streamline this process, it can just as easily be accomplished by taking an afternoon to manually catalog these assets in a spreadsheet.
For organizations with no security personnel, leveraging cross-functional teams can be instrumental. Training existing I.T. staff on basic cybersecurity principles and the specifics of the CIS Controls can foster a culture of security awareness. With IG1, small steps like regularly updating the asset and software inventories, assessing unauthorized assets and software for potential risks, and ensuring that only supported software is in use are critical. These actions not only enhance security but also build towards a more structured and disciplined I.T. environment. Collaboration tools and simple project management software can be utilized to assign responsibilities, set deadlines, and track progress across these tasks.
Tracking and documenting progress is crucial for sustaining momentum and demonstrating compliance with cybersecurity benchmarks. This can be achieved through regular audits of the asset and software inventories, accompanied by updates to the documentation to reflect the current state. As mentioned above, using ubiquitous, accessible tools like spreadsheets for documenting inventories and progress tracking can prove effective, especially in environments with limited resources. If you are looking for a suitable platform, Tony Gonzalez, former TAGITM President and Director of IT for the City of New Braunfels, would be happy to provide a recommendation.
Additionally, establishing a simple, repeatable review cycle (quarterly reviews, biannual documentation updates, etc.) can help ensure that the organization remains aligned with the CIS Controls over time. By focusing on these manageable yet impactful steps, small departments can significantly enhance their cybersecurity posture, even if they do not have dedicated security staff.
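One way to run the recurring inventory audit described above against spreadsheet exports, shown as an added example that is not part of the original article. The CSV column names, product names, hosts and dates are all constructed assumptions.

```python
import csv
import io
from datetime import date

# Constructed sample exports; product names, hosts and dates are made up.
AUTHORIZED = """name,version,end_of_support
ExampleOffice,2019,2023-10-10
ExamplePDF,24,2029-01-01
ExampleZip,23,
ExampleCAD,2,2030-01-01
"""
DISCOVERED = """host,name,version
FIN-PC01,ExampleOffice,2019
FIN-PC01,examplepdf ,24
PW-LT07,ExampleZip,23
PW-LT07,ExampleTorrent,4.2
"""

def _key(row):
    # Spreadsheet entries are hand-typed: ignore case and stray spaces.
    return (row["name"].strip().casefold(), row["version"].strip())

def audit(authorized_csv, discovered_csv, today):
    """Compare discovered installs against the authorized inventory."""
    authorized = {_key(r): r for r in csv.DictReader(io.StringIO(authorized_csv))}
    findings = {"unauthorized": [], "unsupported": [], "no_eos_date": []}
    seen = set()
    for row in csv.DictReader(io.StringIO(discovered_csv)):
        key = _key(row)
        entry = authorized.get(key)
        item = (row["host"].strip(), row["name"].strip(), row["version"].strip())
        if entry is None:
            findings["unauthorized"].append(item)   # not in the approved list
            continue
        seen.add(key)
        eos = (entry["end_of_support"] or "").strip()
        if not eos:
            findings["no_eos_date"].append(item)    # support status unknown
        elif date.fromisoformat(eos) < today:
            findings["unsupported"].append(item)    # past end of support
    # Authorized entries found on no host: candidates for inventory cleanup.
    findings["stale"] = sorted(authorized[k]["name"] for k in authorized.keys() - seen)
    return findings

if __name__ == "__main__":
    for kind, items in audit(AUTHORIZED, DISCOVERED, date.today()).items():
        print(kind, items)
```

Running it at each review cycle and saving the output alongside the inventory gives a dated record of what was found and what was cleaned up.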
Resources:
This tool can be used to select IG1 and then export a spreadsheet which will be helpful for tracking progress: CIS Security Controls Navigator
CIS Security Controls v8 (pdf)