The National Institute of Standards and Technology (NIST) is a non-regulatory agency of the U.S. Department of Commerce that provides measurement, standards, and technology policy leadership to the nation. NIST’s Cybersecurity Framework (CSF) is a voluntary framework that helps organizations improve their cybersecurity posture. The CSF is based on five functions: Identify, Protect, Detect, Respond, and Recover. Each function includes categories and subcategories that describe specific activities that organizations can implement to improve their cybersecurity.
The CSF is not a checklist, and organizations are not required to implement all of the activities in order to be considered compliant. However, the CSF can be used as a guide to help organizations identify and prioritize their cybersecurity needs.
NIST also provides a number of resources to help organizations implement the CSF, including:
- A self-assessment tool
- A guide to implementing the CSF
- A set of case studies
- A list of resources for further information
The CSF is a valuable tool for organizations of all sizes. It can help organizations improve their cybersecurity posture and reduce their risk of a cyberattack.
The Center for Internet Security (CIS) is a nonprofit organization that provides security best practices for IT systems and data. CIS is best known for its CIS Controls, a set of 20 security controls that are designed to protect IT systems from attack. CIS also publishes a number of other security resources, including benchmarks, tools, and training materials.
CIS’s work is used by organizations of all sizes, from small businesses to large enterprises. CIS’s resources are also used by governments and educational institutions. CIS is a trusted source of security information, and its work is widely recognized as being authoritative and comprehensive.
Benefits of using CIS resources:
- They are based on the latest security best practices.
- They are comprehensive and cover all aspects of security.
- They are easy to understand and implement.
- They are backed by a trusted organization.
MITRE ATT&CK is a knowledge base of adversary tactics, techniques, and common knowledge (TTCK) used by threat actors in their attacks. It is maintained by MITRE Corporation, a non-profit organization that provides research and development in the fields of computer security and information assurance.
ATT&CK is divided into three parts:
- Adversary Tactics: These are the high-level goals that an adversary is trying to achieve.
- Adversary Techniques: These are the specific steps that an adversary takes to achieve their goals.
- Adversary Tools: These are the tools that an adversary uses to carry out their attacks.
ATT&CK is a valuable resource for security researchers, defenders, and threat intelligence analysts. It can be used to:
- Understand the tactics and techniques that threat actors use.
- Identify the tools that threat actors use.
- Develop defensive strategies to mitigate the risk of attack.
- Track the evolution of threat actors’ tactics and techniques.
CISA, the Cybersecurity and Infrastructure Security Agency, is a United States federal agency under the Department of Homeland Security (DHS) that is responsible for protecting the nation’s critical infrastructure from physical and cyber threats. CISA’s mission is to “lead the national effort to understand, manage, and reduce risk to our cyber and physical infrastructure.”
CISA has a number of resources available to help organizations improve their cybersecurity posture. These resources include:
- The Cybersecurity Framework (CSF): The CSF is a voluntary framework that organizations can use to improve their cybersecurity posture. The CSF is based on five functions: Identify, Protect, Detect, Respond, and Recover.
- The Continuous Vulnerability Management Program (CVMP): The CVMP helps organizations identify and manage their cybersecurity risks. It includes a number of tools and resources that organizations can use to improve their vulnerability management program.
- The National Cybersecurity and Communications Integration Center (NCCIC): The NCCIC is a 24/7 operations center that provides threat analysis, warning, and coordination to the federal government and its partners. The NCCIC also provides a number of resources to help organizations improve their cybersecurity posture.
CISA also offers a number of training and education resources to help organizations improve their cybersecurity workforce. These resources include:
- The Cybersecurity Workforce Development Program: The Cybersecurity Workforce Development Program provides a variety of training and education resources to help organizations develop their cybersecurity workforce.
- The Cybersecurity Accelerator Program: The Cybersecurity Accelerator Program helps organizations develop and implement cybersecurity programs. It includes a number of resources, such as training, mentoring, and funding.
- The Cybersecurity for Small Business Program: The Cybersecurity for Small Business Program provides a variety of resources to help small businesses improve their cybersecurity posture. These resources include training, tools, and best practices.
The Cyber Readiness Institute (CRI) is a non-profit organization that provides free cybersecurity resources to small and medium-sized businesses (SMBs). CRI’s mission is to “empower small and medium-sized enterprises (SMEs) by providing free cybersecurity tools and resources to help them improve their cybersecurity posture.”
CRI offers a variety of resources for SMBs, including:
- The Cyber Readiness Program: The Cyber Readiness Program is a free, online training program that provides SMBs with the knowledge and skills they need to protect their businesses from cyberattacks. The program covers a variety of topics, including:
  - Cybersecurity basics
  - Password security
  - Phishing attacks
  - Social engineering
  - Data breaches
  - Ransomware
- The Cyber Readiness Blog: The Cyber Readiness Blog provides SMBs with up-to-date information on cybersecurity threats and best practices.
- The Cyber Readiness Newsletter: The Cyber Readiness Newsletter is a monthly newsletter that provides SMBs with cybersecurity news, tips, and resources.
- The Cyber Readiness Community: The Cyber Readiness Community is a forum where SMBs can ask questions, share information, and get help from other SMBs and cybersecurity experts.