Develop an Information Security Program
Cyber security is about doing - at least - the bare minimum to reduce the likelihood that you or your customers will have a bad day due to a mistake or an intentionally harmful act. No two companies have the same needs, which is why each organization must develop its own approach to cyber security. However, the process is standardized and shared; BCSF makes it work for small companies.
Inventory Your Assets
Risk assessment and information technology asset inventory go hand in hand. This is less about documenting every piece of hardware and software and more about recognizing what pieces really matter to your organization and how vulnerable they are.
Policy development involves looking at what you are willing to do that is a reasonable balance of convenience and control. At this stage your management (and owners) need to think through what they deem acceptable for standards of security and write up simple policies that get you there. BENTO:GUIDES offers policy templates with guidance in them, cutting out most of the work. It is possible to read them, make minor edits, and adopt them as written.
Design & Implement Controls
Controls development is two parts: deciding how to become more secure and selecting the tools and technology to get you there. Odds are your business is already half-way there and an experienced solution consultant can work with what you have. The main objective here is to avoid buying tools that make impossible promises and instead take measurable steps towards risk mitigation.
Verify and Optimize
Once your systems are configured and running, a mindful audit process is what it will take to ensure they do their job as designed. This is also the part of the process where you can change things that can work better.
Frequently Asked Questions
Got a question? We've got answers. If you have some other questions, contact us using email.
The cyber security landscape is changing, and doing nothing means denial of claims. Your insurance carrier expects you to do the bare minimum.
BCSF is a series of cyber security publications in three major categories: policy, implementation, and oversight. Collectively, it enables business owners to build and deploy an information security and compliance program.
BENTO:GUIDES is a software solution for accessing and working with the Bento Cyber Security Framework. While all BCSF core publications are accessible to anyone who registers with their company e-mail address, we offer premium subscriptions to enable companies to easily manage BCSF implementations.
All BCSF core publications are available without a subscription – they enable any small company to develop a comprehensive cyber security strategy. Entry paid subscriptions enable access to security awareness training while premium tiers give each organization a dedicated instance of GUIDES with content that can be edited. This enables companies to develop their own security management programs, track key information, and share that data with our experts.
We provide comprehensive advisory and implementation services. Customers with paid plans have access to our solution architects, information security managers, system engineers, and support staff. Our team is your virtual CISO, IT department, IS department, and professional services team. We can help you determine what to do, how to do it, and then get you there. We provide end-to-end support for BCSF implementation.
Increasingly, companies are asked to prove their cyber security readiness to vendors, prospects, and customers alike. For instance, your insurance company may demand proof that you are managing cyber security risks. Equally, a prospect may be concerned over your resiliency before signing a contract. Or – perhaps – a customer may suddenly become concerned over your risk in their supply-chain. Premium tier customers may elect to have their policies and controls audited for effectiveness by our team. The audit includes a report you may share with others and a certification seal valid for as long as you remain a subscriber (renewable every 18 months).
Sign up to get access to BENTO:GUIDES and start reading the various materials and publications. BCSF is designed to be modular, thus you may begin by reading introductory materials or dive right into checklists. The initial objective is to make you familiar with all areas of information technology security and show you practical ways of designing policies and controls. Upgrading your subscription unlocks access to security awareness training, a key component of cyber security strategy. The training is easily accessible and shared with your employees. Premium tiers unlock a dedicated instance of BENTO:GUIDES accessible only to your organization and expand our professional services. This enables you to edit, create, and modify content. You may choose to modify generic policies, add custom procedures, or remove irrelevant content. This process may take you many weeks to months, but enables your company to increase control while balancing convenience. For example, you may review policies surrounding departing employees, and decide that your organization “will off-board all terminated staff within 48 hours.” BENTO:GUIDES contains enough information for you to properly assemble checklists and procedures for handling a departure successfully. You will find that we cover a variety of scenarios including temporary staff, friendly departures, sudden terminations, and disgruntled employees to help you design a process. We also document common procedures such as properly disabling Office 365 accounts, forwarding e-mail, and preserving data. In other words, we have the policy and the implementation pieces covered. Beyond all that, BCSF also covers the auditing and compliance side of managing off-boarding.
There are three major skillsets required to implement cyber security. Segregation of duties and experience both force your organization to leverage multiple individuals/teams in program development. Cyber Security Experts: Help you develop policy and information programs. Solution Consultants: Help you manage vendor requirements and design solutions that align your program with technical specifications. Security Engineers: Do the work required to implement technical solutions.