Please Note: Cybersecurity is a rapidly evolving field. This document was last updated on February 2, 2019. Some of the technical guidance within this document may change, and some of the risks defined may increase or decrease in their potential likelihood or impact.
Appendix C: Moving Beyond the Baseline
As an organization grows and takes advantage of more online technologies, the opportunities for attacks on its systems and sensitive data will grow. It will be important to consider these risks as the organization adopts new technology and works to improve security practices. This section includes a list of resources that can help a LRO become more informed about cybersecurity, and can help move the organization's security practices to the next level of sophistication.
- Citizen Lab Security Planner
The Citizen Lab, a cybersecurity research lab at the University of Toronto, recently published a web-based guide that helps individuals find cybersecurity tools and tips based on the types of devices they use and the services they tend to access online. Security Planner can be accessed here: https://securityplanner.org/. Note that this guide is more appropriate to individuals than to LROs, but may still serve as a useful assessment and recommendation tool.
- NIST Small and Medium-Sized Business Guidance
The National Institute of Standards and Technology is an agency within the US Department of Commerce that issues sophisticated cybersecurity guidance that is adopted widely across the US government and in many large companies. While most of their guidance is highly technical, they also have some resources on how to apply their work in smaller and more resource-constrained organizations.
  - NISTIR 7621: Small Business Information Security: The Fundamentals: http://nvlpubs.nist.gov/nistpubs/ir/2016/NIST.IR.7621r1.pdf
  - Slides: https://csrc.nist.gov/csrc/media/projects/small-business-community/documents/sbc_workshop_presentation_2015_ver1.pdf
- FCC CyberPlanner
The Federal Communications Commission of the US Government is a regulatory agency focused on telecommunications issues. They have many cybersecurity resources for small organizations, but their CyberPlanner page is a clear, helpful tool for developing a written organizational security policy that addresses common issues: https://www.fcc.gov/cyberplanner
- EFF Cybersecurity Training Materials
The Electronic Frontier Foundation is a technology privacy and civil liberties advocacy organization. They have developed a number of strong, clear, and succinct training materials for improving individuals' cybersecurity practices. While many of their materials are geared toward high-risk individuals and organizations, their lessons are clear and usable by a broad audience.