Small and Medium Organizations: The path to enterprise security
Cyber security advice and guidance can mean different things to different organizations. Our goal for this post is to suggest next steps if your organization implements the baseline controls and wants to make further strides towards enterprise security. We have also included some of our own cyber security resources and tools, as well as resources from our partners and other contributors to cyber security.
How can my organization work towards enterprise security?
Our path to enterprise security starts with the baseline controls, and then each step along the way uses existing guidance and toolkits from the Cyber Centre, our partners, or other contributors. You can use each step to increase your organization’s cyber security, gradually increasing cost, time, and complexity.
Steps towards entreprise security.
- We recommend starting with the baseline controls, which we designed to provide a balance between investment costs and cyber security outcomes.
- Organizations that want to take steps beyond the baseline controls should look at the following resources:
- The Center for Internet Security (CIS) Controls, which provides a list of recommended actions derived from best practices. Your organization can assess several of these controls by using items within the Global Cyber Alliance (GCA) Cybersecurity Toolkit
- Cyber Centre Top 10 IT Security Actions, which includes a list of 10 recommended actions that your organization can implement to build a strong IT infrastructure and protect its networks.
- The NIST Cyber Security Framework (CSF), which consists of standards, guidelines, and best practices for managing cyber security risks through a cost-effective approach. The CSF is widely adopted in industry, and there are many sources for consulting, training, and implementing this framework.
- ISO 27001:2013, which is the international standard for cyber security. There is an industry related to the implementation and certification to this standard. Your organization should consult ISO 27001:2013 if seeking certifications that attest to your cyber security.
- National standards for cyber security ITSG-33 is the Government of Canada’s baseline advice and guidance for IT security risk management. If your organization is looking for foundational enterprise security guidance, you should consider this framework.
Note: ITSG-33 is the Canadian equivalent to NIST 800-53. There is significant overlap in the control catalogues of these two frameworks. The NIST framework is helpful if your organization interacts with the US government.
The steps listed above are presented in an incremental order of cost, time, and complexity. However, your organization can implement these options in any order.
Get certified with CyberSecure Canada:
The new CyberSecure Canada certification program, which is run by Innovation, Science and Economic Development Canada, is a low-cost, low-burden way for your organization to demonstrate its compliance with the baseline cyber security controls. With this certification, your customers and partners know that you have invested in cyber security.
Recommendations for your organization:
- Implement the baseline controls first
- Get certified with Cyber Secure Canada
- Explore more sophisticated cyber security measures over time