Thanks, as ever, to Dave Ries (friend, frequent co-author and frequent co-presenter) for passing along these three recent invaluable cybersecurity resources.
1. On September 30, 2020, the Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing and Analysis Center (MS-ISAC) released a joint Ransomware Guide, a customer-centered, one-stop resource with best practices and ways to prevent, protect against, and/or respond to a ransomware attack. CISA and MS-ISAC are distributing this guide to inform and enhance network defense and reduce exposure to a ransomware attack:
This Ransomware Guide includes two resources:
Part 1: Ransomware Prevention Best Practices
Part 2: Ransomware Response Checklist
2. On September 23, the National Institute of Standards and Technology (NIST) released Special Publication (SP) 800-53, Revision 5, Security and Privacy Controls for Information Systems and Organizations, representing a multi-year effort to develop the next generation of security and privacy controls.
The most significant changes to SP 800-53, Revision 5 include:
- Consolidating the control catalog: Information security and privacy controls are now integrated into a seamless, consolidated control catalog for information systems and organizations.
- Integrating supply chain risk management: Rev. 5 establishes a new supply chain risk management (SCRM) control family and integrates SCRM aspects throughout the catalog.
- Adding new state-of-the-practice controls: These are based on the latest threat intelligence and cyber-attack data (e.g., controls to support cyber resiliency, secure systems design, security and privacy governance, and accountability).
- Making controls outcome-based: Rev. 5 accomplishes this by removing the entity responsible for satisfying the control (i.e., information system, organization) from the control statement.
- Improving descriptions of content relationships: Rev. 5 clarifies the relationship between requirements and controls as well as the relationship between security and privacy controls.
- Separating the control selection processes from the controls: This allows the controls to be used by different communities of interest, including systems engineers, security architects, software developers, enterprise architects, systems security and privacy engineers, and mission or business owners.
- Transferring control baselines and tailoring guidance to NIST SP 800-53B: This content has moved to the new (draft) Control Baselines for Information Systems and Organizations.
3. Finally, the Cybersecurity and Infrastructure Security Agency (CISA) has released the Telework Essentials Toolkit, a comprehensive resource of telework best practices. The Toolkit provides three personalized modules for executive leaders, IT professionals, and teleworkers. Each module outlines distinctive security considerations appropriate for that role:
- Actions for executive leaders that drive cybersecurity strategy, investment and culture
- Actions for IT professionals that develop security awareness and vigilance
- Actions for teleworkers to develop their home network security awareness and vigilance
None of it is light reading, but if keeping up with all of the subjects above is not your responsibility, make sure these resources get to the people managing your cybersecurity.
Sharon D. Nelson, Esq., President, Sensei Enterprises, Inc.
3975 University Drive, Suite 225 | Fairfax, VA 22030
Email: firstname.lastname@example.org Phone: 703-359-0700
Digital Forensics/Cybersecurity/Information Technology