Cybersecurity guide for small to medium-sized businesses, based on the NIST Cybersecurity Framework
A Case Study
Abstract:
This project consists in developing a cybersecurity framework implementation guide for small to medium-sized businesses. These companies have few resources, but since they are increasingly involved in the modern CAMS environment (Cloud, Analytics, Mobile and Social Applications), they need to protect themselves in order to remain competitive.
The main objective is to obtain a cyber risk management oriented guide that makes it possible to provide effective solutions to real cases and to face modern threats. For this reason, the guide is based on the new NIST Cybersecurity Framework, which collects most of the standards in security and risk management controls.
The Framework is technologically neutral and allows the free implementation of those controls.
This guide focuses on four main objectives that touch each function of the Cybersecurity Framework: Identify, Protect, Detect, Respond and Recover.
Through these objectives, we want to provide ad hoc solutions for small to medium-sized businesses.
We want to:
- Achieve an alignment and balance between security measures and business needs, managing risks to reduce their possible impact.
- Dynamically raise awareness in each company area by creating a different program for each one of them. This results in greater interest and employee involvement in awareness programs, increasing the effectiveness and efficiency of the process.
This will serve to create a cybersecurity culture that adapts to the modern job environment, with a main focus on the CAMS pattern.
The aim is to install a cybersecurity governance strategy that allows:
- To manage security resources so that the resulting infrastructure is effective and efficient.
- To establish a process that constantly monitors the performance of the security infrastructure in order to achieve our 4 main objectives.
The guide focuses mainly on the transformation of the corporate cybersecurity culture, so that it includes all the behaviors necessary to safely manage technology in the field of information security.
The first phase is to interview the company personnel in order to collect and then analyze the main findings about the existing corporate cybersecurity culture.
This analysis will be used as a basis to propose future actions. After an attentive analysis of the results of the interviews, we proposed and then implemented the necessary security controls.
By monitoring the implemented controls, we will establish a continuous improvement process.
All the information obtained from the case study has finally been compiled to draft the guide.