The NIST (National Institute of Standards and Technology) Cybersecurity Framework (CSF) provides guidance to industry, government agencies, and other organizations to manage cybersecurity risks. It offers a taxonomy of high-level cybersecurity outcomes that can be used by any organization — regardless of its size, sector, or maturity — to better understand, assess, prioritize, and communicate its cybersecurity efforts. The CSF does not prescribe how outcomes should be achieved. Rather, it links to online resources that provide additional guidance on practices and controls that could be used to achieve those outcomes. NIST.gov Framework Site.
The Cyber Security Evaluation Tool (CSET) provides a systematic, disciplined, and repeatable approach for evaluating an organization's security posture. CSET is a desktop software tool that guides asset owners and operators through a step-by-step process to evaluate industrial control system (ICS) and information technology (IT) network security practices. Users can evaluate their own cybersecurity stance using many recognized government and industry standards and recommendations. Install CSET.
CISA's Cross-Sector Cybersecurity Performance Goals 2.0 (CPGs) are a subset of cybersecurity practices, selected through a thorough process of industry, government, and expert consultation, aimed at meaningfully reducing risks to both critical infrastructure operations and the American people. These voluntary Cross-Sector CPGs strive to help small- and medium-sized organizations kickstart their cybersecurity efforts by prioritizing investment in a limited number of essential actions with high-impact security outcomes. The CPGs are:
- A baseline set of cybersecurity practices broadly applicable across critical infrastructure with known risk-reduction value.
- A benchmark for critical infrastructure operators to measure and improve their cybersecurity maturity.
- A combination of recommended practices for information technology and operational technology owners, including a prioritized set of security practices.
- Unique from other control frameworks as they consider not only the practices that address risk to individual entities, but also the aggregate risk to the nation.
CPGs Course.
"Normal" is understanding what your network is doing under normal conditions. Expect to spend 2-4 weeks minimum to get that understanding.
Greenbone - The leading open-source vulnerability scanner:
Greenbone's mission is to identify IT security vulnerabilities and weaknesses before they can be exploited.
We can reduce the risk and impact of cyberattacks on companies, organizations, and workplaces by up to 99.9%.
Greenbone
Security Onion - Network Security Monitoring:
Security Onion is a free and open platform for threat hunting, network security monitoring, and log management.
Security Onion includes best-of-breed free and open tools including Suricata, Zeek, the Elastic Stack and many others.
Security Onion
Using CSET we can now walk through each control and definitively answer each question with confidence. At the end of each module, you will be given a report outlining where improvements should be made to strengthen your cybersecurity posture.
No network is 100% hack-proof. You should operate as if you are compromised. Keep using best practices like separate accounts for admin actions. Stay up to date on CVEs (Common Vulnerabilities and Exposures), keep your team accountable, and update documentation.
Be sure to check out free services like CISA's Cyber Hygiene Services.
Complete inventory of IT and operational systems with a designated cybersecurity owner. Provides visibility and accountability, satisfying HB 96 program requirements.
Patch management, secure configuration, and hardening of critical servers, endpoints, and applications. Reduces exposure to cyberattacks and supports HB 96 risk management goals.
MFA implementation, privileged account controls, and phishing-resistant authentication. Limits unauthorized access and protects sensitive data in line with HB 96 expectations.
Regular backups, disaster recovery planning, and tabletop exercises. Ensures rapid restoration after incidents and aligns with HB 96 recovery requirements.
Centralized log collection, continuous monitoring, and alerting on suspicious activity. Enables early detection of threats and compliance with HB 96 monitoring standards.
Creation and execution of an incident response plan, including HB 96-required reporting to authorities. Provides fast, compliant response to cyber incidents.
Employee training programs, phishing simulations, and policy awareness workshops. Reduces human error, increases readiness, and fulfills HB 96 training requirements.