Appendix B: Implementation Guidance
Please Note: Cybersecurity is a rapidly evolving field. This document was last updated on February 2, 2019. Some of the technical guidance within this document may change, and some of the risks defined may increase or decrease in their potential likelihood or impact.
While many of the controls described in this guide are simple, that does not mean it is easy to decide where (or how strictly) to implement them in an organization. This section provides additional resources and guidance to help identify critical accounts, priority devices, and other information to help prioritize where an organization focuses its limited time and attention.
Strong Authentication
Read the description of this control here.
Set policy for this control here.
The chart below is a basic way to determine which accounts should be considered "critical" to an organization. By rating the accounts and mapping them to the staff with access, organizations can determine which staff members need to prioritize enabling strong authentication.
Account Inventory
What online accounts does your organization consider important to your mission? This could include email, social media, financial, online storage, etc.:
Account | Purpose | Impact on organization if access is lost (High, Medium, Low)
What staff members have access to which account? Include if they "own" the account and are responsible for its activity.
Account | Staff | MFA Enabled?
Automatic Updates and Software Licenses
Read the description of this control here.
Set policy for this control here.
Turning on Automatic Updates
If an organization uses enterprise software that requires centralized deployment of patches and updates, an IT administrator should be in charge of patch management for critical software.
Guides on how to enable automatic updates on common operating systems can be seen below:
Finding Affordable Software Licenses
Productivity Suites:
Web Services:
Web Hosting:
Contact/Customer Relationship Management:
The Cloud
Read the description of this control here.
Set policy for this control here.
Migrating Files to Cloud-Based Storage
It is likely that data - both sensitive and non-sensitive - is currently spread across many personal devices. These files should now be consolidated in a single place. Cloud storage services, such as Google Drive or Office OneDrive, provide a simple way for employees to migrate files into a centralized location. Employees can log into a cloud storage service and upload any legacy files. This process is imperfect - it is very easy to miss files. Here are a few common locations that individuals often miss when looking for legacy files on a device:
Downloads folders: This applies to both mobile devices and laptops. Files downloaded onto devices for one-time viewing are often forgotten, making the downloads folder a trove of potentially sensitive information. Employees should search through their downloads for documents that need to be archived in the cloud, and delete the entire contents of their downloads folders when they have finished. For information on how to find common downloads directories, see below:
Search: Organizations can save documents in many locations, sometimes accidentally, sometimes on purpose. The result is that most organizations end up with a sprawl of folders across their "documents" library, their desktop, and everywhere in between. While spending time searching through common directories for important documents is worthwhile, it is not always clear where to look. Using the search function in your operating system can be a powerful shortcut - but what should you search for? Depending on what type of work you do, there are likely only a few file types with which you regularly work - Microsoft Word, Excel, and PowerPoint are some of the most common. By searching for a file type's extension (the .xyz at the end of the file name - such as .doc or .docx for Word, or .xls or .xlsx for Excel), you can search your operating system for documents that are important to migrate. The searching process can also reveal folders you may have forgotten about that are hiding important files. Some common extensions you may want to search for include:
Microsoft Word: .doc, .docx, .odt
Microsoft Excel: .xls, .xlsx, .csv
Microsoft PowerPoint: .ppt, .pptx
Adobe: .pdf
Apple Pages: .pages
Apple Numbers: .numbers
Apple Keynote: .key, .keynote
Temporary folders and other hidden locations: Some operating systems will have "temp" folders for a number of applications, such as Office, that save in-progress documents. While it is possible to find these folders, they can often be hidden and rarely contain complete documents or files that you'll want to back up. The best way to ensure a device is clean of legacy files is to reinstall its operating system. Newer devices make this refresh easy - but many will ask if you'd like to keep an archive of the old files. This is fine, but make sure you remove that archive and store it somewhere safe - like on a USB drive not connected to the internet.
WARNING: Resetting a device to factory settings or reinstalling its operating system will purge all data and applications from the device. Make sure any information you want to keep is backed up in the cloud or on an external drive before resetting your device.
Information on how to reset, refresh, or reinstall common operating systems can be found here:
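The extension search described under "Search" above can also be scripted. The following is an added example, not part of the original guide: it walks a directory tree, skips hidden folders, and reports which folders hold files with the extensions listed above. The function names and the choice of the home directory as the starting point are assumptions.

```python
import os
from collections import defaultdict
from pathlib import Path

# Extensions from the list above; Apple Numbers documents use .numbers.
DOC_EXTENSIONS = {
    ".doc", ".docx", ".odt", ".xls", ".xlsx", ".csv",
    ".ppt", ".pptx", ".pdf", ".pages", ".numbers", ".key", ".keynote",
}


def find_legacy_documents(root, extensions=DOC_EXTENSIONS):
    """Walk `root` and return {folder: [file names]} for matching documents.

    Hidden folders (names starting with ".") are skipped, and folders that
    cannot be read are ignored rather than aborting the scan.
    """
    found = defaultdict(list)
    for folder, subdirs, files in os.walk(root, onerror=lambda err: None):
        # Prune hidden folders in place so os.walk does not descend into them.
        subdirs[:] = [d for d in subdirs if not d.startswith(".")]
        for name in files:
            # Compare case-insensitively so REPORT.DOCX is found too.
            if Path(name).suffix.lower() in extensions:
                found[folder].append(name)
    return dict(found)


def summarize(found):
    """Return (folder, count) pairs, busiest folder first."""
    return sorted(((folder, len(names)) for folder, names in found.items()),
                  key=lambda pair: (-pair[1], pair[0]))


if __name__ == "__main__":
    # Assumption: the user's home directory is the starting point.
    for folder, count in summarize(find_legacy_documents(Path.home())):
        print(f"{count:5d}  {folder}")
```

Folders with high counts that nobody remembers creating are the ones to open first when deciding what to migrate.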
HTTPS
Read the description of this control here.
Set policy for this control here.
Other guides to enabling HTTPS can be found here:
Additional information on how to enable HTTPS in common site hosting and design services can be found here:
Data Security
Read the description of this control here.
Set policy for this control here.
Data Inventory
Data security is a difficult task, and requires ongoing management and attention. However, basic measures to encrypt devices with access to sensitive information can go a long way for low-risk organizations. The inventory below is an example of how to identify which devices should be encrypted:
Data Inventory
What data does your organization consider "sensitive" or to be essential to fulfilling its mission? This could include strategic plans, donor lists, financial records, HR records, etc. Where (what devices or systems) does that information reside?
Data Type | Location
What staff members regularly access or process that information? Include if they "own" that data type.
Data Type | Staff
What devices do those staff members use to access critical or sensitive information? Those devices should have full disk encryption enabled.
Staff | Devices
Access Management in the Cloud
Access management is an ongoing task, but many cloud-based storage services provide a high-level view of document permissions in use across the organization. Larger organizations may need to deploy more robust solutions to manage access to organization resources, but these two guides are a good place to start for LROs using common cloud storage services:
Not all documents or directories warrant constant monitoring for access permissions. However, a few key considerations may help organizations identify the documents and directories most likely to need their permissions reviewed:
Documents of critical importance to organizational operations: Strategic plans, budgets, funding agreements or plans.
Documents containing personal or sensitive information: HR files, donor or outreach lists with contact information, payment records, or any data that might illustrate information about individuals' behavior or preferences.
Files exposed to external viewers: Documents shared outside of your organization for purposes of external review or collaboration.
Files accessed by departing staff: When staff leave, they are unlikely to resolve any outstanding access permissions issues. For example: owners of documents may have allowed a personal account to access an organization-owned document. Once their organization account is disabled, they may be able to retain access to that document if their personal account has opened it even once. They may have also shared documents and directories outside the organization in a way that other staff are unaware of. When staff leave, it is important to review their files for permissions issues - or to archive all their documents in a new directory where the permissions can be holistically altered.
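The review considerations above can be applied to a sharing report in bulk. The following is an added example, not part of the original guide: it flags files shared outside the organization and files owned by or shared with departing staff. The CSV layout, column names, domain, and accounts are constructed for illustration; real cloud storage services export sharing data in their own formats.

```python
import csv
import io

ORG_DOMAIN = "example.org"        # assumption: the organization's email domain
DEPARTING = {"sam@example.org"}   # assumption: accounts of staff who are leaving

# Constructed sample of a sharing report; the column names are hypothetical.
SAMPLE_REPORT = """\
path,owner,shared_with
/Finance/budget-2019.xlsx,ana@example.org,lee@example.org
/HR/reviews.docx,sam@example.org,sam.personal@mail.example;ana@example.org
/Grants/proposal.docx,ana@example.org,reviewer@funder.example;sam@example.org
/Outreach/donors.csv,sam@example.org,
"""


def review_sharing(report_csv, org_domain=ORG_DOMAIN, departing=DEPARTING):
    """Return {path: [reasons]} for files whose permissions need review."""
    findings = {}
    for row in csv.DictReader(io.StringIO(report_csv)):
        owner = row["owner"].strip().lower()
        shared = [a.strip().lower()
                  for a in row["shared_with"].split(";") if a.strip()]
        reasons = []
        # Any address outside the organization's domain, including a staff
        # member's personal account, keeps access after offboarding.
        external = [a for a in shared if not a.endswith("@" + org_domain)]
        if external:
            reasons.append("shared outside organization: " + ", ".join(external))
        if owner in departing:
            reasons.append("owned by departing staff: " + owner)
        leaving = [a for a in shared if a in departing]
        if leaving:
            reasons.append("shared with departing staff: " + ", ".join(leaving))
        if reasons:
            findings[row["path"]] = reasons
    return findings


if __name__ == "__main__":
    for path, reasons in review_sharing(SAMPLE_REPORT).items():
        print(path)
        for reason in reasons:
            print("   -", reason)
```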
Enabling Device Encryption
Windows Devices
Note: This feature is not available on Windows Home edition; it requires at least a Windows Professional license.
Apple Devices
FileVault is a disk encryption feature built into Mac OS X. FileVault provides 128-bit AES encryption with a 256-bit key to encrypt the disk and all files located on the drive. This is a very strong encryption mechanism. Strong encryption helps prevent unauthorized access to the Mac: because the disk and all file contents are encrypted, the password must be entered on boot before the computer, data, and files can be accessed.
Android Devices
Note: Chromebooks, which run a similar (but distinct) operating system called ChromeOS, are encrypted by default.