
Securing Your Organization Resource Guide

Level 1

Level 1 items are foundational and set your course. They are intentionally set up as no-cost/low-cost actions that any organization can complete.

Adopt the CIS Controls included in the Essential Practices Guide for K12 as your base cybersecurity framework.

The CIS Controls® are a prioritized set of actions to protect your organization and data from known cyber-attack vectors. This step is the foundation of your organization's journey toward an orderly and prioritized approach to cybersecurity.

Complete this step by making a commitment within your organization to follow CIS Controls. This could be at a department level or a resolution from your governing body.

Resources:


Conduct a Simple Self-Assessment

The MISecure self-audit is a simple conversation starter for you, your team, your organization, and your leadership. Reserve about an hour for the starting conversation. Questions on the self-assessment refer to the CIS Controls.

Achievement of this step involves answering the self-audit questionnaire with a colleague. Note your answers and any questions you may have.

Resources:


Basic Cybersecurity Awareness Training for Staff

Cybersecurity is a team sport. This step enlists everyone in your organization to become the eyes and ears of cybersecurity.

Completing this step means that you are starting a conversation with everyone in your organization about their role in protecting your shared digital environment. When you do your detailed cybersecurity assessment as part of Level 2, you will identify other required trainings.

Resources:

  • Stay tuned for Michigan-focused videos in 2021


Sign up for MS-ISAC Membership and CISA Cyber Hygiene Monitoring

MS-ISAC (Multi-State Information Sharing and Analysis Center) is part of the Center for Internet Security (CIS). They offer free and timely Cybersecurity Advisories and Notification emails. They will also monitor your public IP ranges and domains for possible compromises, and more.

CISA offers free cyber hygiene monitoring, which evaluates external network presence by executing continuous scans of public, static IPs for accessible services and vulnerabilities. This service provides weekly vulnerability reports and ad-hoc alerts.

Complete this step by joining MS-ISAC, sharing your domains and public IP address ranges with them, and signing up for CISA's Cyber Hygiene programs.

Resources:


Join Michigan Cyber Partners

Sign up and receive invitations to monthly webinars and timely updates on emerging cybersecurity vulnerabilities impacting organizations in Michigan and nationwide.

Complete this step by signing up for Michigan Cyber Partners and attending at least one monthly webinar.

Resources:

Level 2

Make Improvements Based on Simple Self-Assessment

The self-assessment that your team completed in Level 1 started the conversation. Now take the time to start making changes based on what you identified.

Many items in the Level 1 simple self-assessment are things that you can do with the tools that you already have in place. Complete those tasks and make plans for more long-term work. For guidance, the CIS Controls are referenced in the self-assessment.

Achievement of this step is based on addressing more than half of the items identified in the self-audit.

Resources:

Prepare for a Cybersecurity Incident

Many people in the cybersecurity field say that your likelihood of experiencing a cyber event in your organization is not a matter of "if" but "when". Given that level of certainty, it is important to spend some time deciding and documenting what you would do in the event of a cyber incident.

Achievement of this step involves preparing a basic cyber incident response plan with your team (including organization leadership) and attending a virtual cybersecurity incident tabletop exercise.

Resources:


Conduct a More Formal Assessment

The Center for Internet Security offers a free online Controls Self-Assessment Tool. This allows you to review your implementation of cybersecurity controls, based on preventing the kinds of attacks that are happening in the real world.

If you have sufficient expertise, you can complete the assessment with the tool yourself, but Michigan Cyber Partners recommends that organizations use a trusted third party to complete the assessment. The State of Michigan has pre-qualified vendors who can conduct a standard CIS Controls assessment using CSAT, develop a current state report and annual improvement plan, provide monthly coaching, and help you develop an incident response plan.

Achievement of this step is done by completing the CIS Controls CSAT assessment for Implementation Group 1.

Resources:


Attend Annual Statewide Cyber Briefing

To protect your organization, you need to keep abreast of recent and ongoing cybersecurity attacks and the most important prevention measures, as well as stay in touch with people and organizations who can help. Michigan Cyber Partners is working with others to develop and present an Annual Statewide Cybersecurity Briefing in the second half of 2021.

Resources:

  • Annual Statewide Cybersecurity Briefing - more information coming in 2021


Level 3

Annual Formal Cyber Assessment

Conducting a one-time assessment gives you a good roadmap of what needs to be done. Doing assessments annually ensures that you stay on track and up to date, and helps you measure and report your progress.

Achievement of this step involves conducting a second CIS Controls CSAT assessment one year after your initial assessment.

Make Measurable Improvements

At this stage, you get points for staying on track and making real improvements to your cybersecurity posture.

Complete this step by achieving a control score of 60 or above for each of the 43 sub-controls of Implementation Group 1.


Host an Internal Cyber-Incident Tabletop Exercise

The incident response tabletop exercises in Level 2 are hosted by a State of Michigan partner. They are designed to walk you through the steps required to prepare a basic cyber incident response plan and test the plan in a few scenarios. Full preparation for an incident at your organization requires the same kind of exercise with leaders and staff from across your organization. When you host your own tabletop, you will help people in your organization know what to do in the event of a cyber incident.

Complete this step by conducting a cybersecurity incident response tabletop exercise at your organization with participants from your IT group, executive leadership, risk management, and business areas. This tabletop will help the "players" understand their roles in the event of a cyber incident.

Resources:

  • Cyber Incident Exercises


Provide Internship Opportunities

As you have recognized by now, completing all the work involved in preventing cyber attacks is not easy. Establishing an internship program can help you qualify for assistance in implementing an organized cybersecurity plan and provide useful on-the-job skills for people seeking careers in the field.

Complete this step by establishing a cybersecurity internship program at your organization.

Resources:

  • Cybersecurity Internship Programs - more information coming in 2021