Watch: NIST – Small Business Information Security: The Fundamentals

NIST – Small Business Information Security: The Fundamentals – 54 pages

<http://nvlpubs.nist.gov/nistpubs/ir/2016/NIST.IR.7621r1.pdf>

1 BACKGROUND: WHAT IS INFORMATION SECURITY AND CYBERSECURITY? 2

1.1 WHY SMALL BUSINESSES? 4

1.2 ORGANIZATION OF THIS PUBLICATION 5

2 UNDERSTANDING AND MANAGING YOUR RISKS 6

2.1 ELEMENTS OF RISK 6

2.2 MANAGING YOUR RISKS 8

• Identify what information your business stores and uses 8

• Determine the value of your information 8

• Develop an inventory 10

• Understand your threats and vulnerabilities 11

2.3 WHEN YOU NEED HELP 14

3 SAFEGUARDING YOUR INFORMATION 15

3.1 IDENTIFY 16

• Identify and control who has access to your business information 16

• Conduct Background Checks 16

• Require individual user accounts for each employee. 17

• Create policies and procedures for information security 17

3.2 PROTECT 18

• Limit employee access to data and information 18

• Install Surge Protectors and Uninterruptible Power Supplies (UPS) 18

• Patch your operating systems and applications 19

• Install and activate software and hardware firewalls on all your business networks 19

• Secure your wireless access point and networks 20

• Set up web and email filters 20

• Use encryption for sensitive business information 21

• Dispose of old computers and media safely 21

• Train your employees 22

3.3 DETECT 23

• Install and update anti-virus, anti-spyware, and other anti-malware programs 23

• Maintain and monitor logs 23

3.4 RESPOND 24

• Develop a plan for disasters and information security incidents 24

3.5 RECOVER 25

• Make full backups of important business data/information 25

• Make incremental backups of important business data/information 26

• Consider cyber insurance 26

• Make improvements to processes / procedures / technologies 27

4 WORKING SAFELY AND SECURELY 28

• Pay attention to the people you work with and around 28

• Be careful of email attachments and web links 28

• Use separate personal and business computers, mobile devices, and accounts 29

• Do not connect personal or untrusted storage devices or hardware into your computer, mobile device, or network. 29

• Be careful downloading software 29

• Do not give out personal or business information 30

• Watch for harmful pop-ups 30

• Use strong passwords 31

• Conduct online business more securely 32

APPENDIX A— GLOSSARY AND LIST OF ACRONYMS 1

APPENDIX B— REFERENCES 1

APPENDIX C— ABOUT THE FRAMEWORK FOR IMPROVING CRITICAL INFRASTRUCTURE CYBERSECURITY 1

APPENDIX D— WORKSHEETS 1

• Identify and prioritize your information types 1

• Develop an Inventory 2

• Identify Threats, Vulnerabilities, and the Likelihood of an Incident 3

• Prioritize your mitigation activities 4

APPENDIX E— SAMPLE POLICY & PROCEDURE STATEMENTS 1