Today we continue our look at a series of practical steps that districts can use to increase their NIST compliance. Looking at the complete set of NIST controls can be a daunting experience. One of the best ways we have found to make these cybersecurity improvements more attainable is following the CIS Controls Top 20 list, which maps nicely onto NIST. CIS also breaks its controls into three implementation groups: a "start here" group 1, a more "advanced" group 2, and, when that's done, group 3 for full "Ninja status." This series is going to focus on a walk through the "start here" group 1 items.
Today's topic is secure configurations, specifically the implementation group 1 (IG1) item on adopting secure software configuration standards.
Action item - Establish Secure Configurations - Maintain documented security configuration standards for all authorized operating systems and software.
Over the years, you have heard Scott speak numerous times on this topic, particularly as it relates to Active Directory management and best practices. Those sessions are a great place to start, but this topic involves more than merely your operating system best practices. It also includes your application software like MS Office, Outlook, or other software systems like your student management or finance systems.
What this requirement is asking you to do is to specifically document what the standards are that you are going to manage to, and then be able to demonstrate how you live by them.
Another excellent resource for this requirement comes from the folks at CIS / MS-ISAC who publish a series of documents called the CIS Benchmarks. The Benchmarks are a library of more than 100 sets of configuration guidelines across 25+ vendor product families (hardware & software) that will help you model your standards to protect against today's evolving cyber threats.
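As an added illustration of the "document it, then demonstrate you live by it" idea described above (example code, not from the original post or from CIS), the Python below compares one host's exported settings against a small documented standard and reports which items pass, fail, or could not be evidenced. Every setting name, value and reference in it is constructed for illustration and is not taken from an actual CIS Benchmark.

```python
"""Check an observed host configuration against a documented configuration
standard. The standard and sample host below are constructed for illustration."""
from dataclasses import dataclass

# Documented standard: setting -> (comparator, expected value, reference).
# The reference column is where a district would cite its own standard or the
# benchmark section it adopted; the entries here are placeholders.
STANDARD = {
    "password.min_length":         ("min", 14,      "District standard 4.1 (placeholder)"),
    "password.max_age_days":       ("max", 365,     "District standard 4.2 (placeholder)"),
    "lockout.threshold":           ("max", 10,      "District standard 4.3 (placeholder)"),
    "lockout.enabled":             ("eq",  True,    "District standard 4.3 (placeholder)"),
    "office.macros_from_internet": ("eq",  "block", "District standard 7.1 (placeholder)"),
    "smb.v1_enabled":              ("eq",  False,   "District standard 9.4 (placeholder)"),
}

# "min"/"max" express the direction in which a setting may deviate and still comply.
COMPARATORS = {
    "eq":  lambda observed, expected: observed == expected,
    "min": lambda observed, expected: observed >= expected,
    "max": lambda observed, expected: observed <= expected,
}

@dataclass
class Finding:
    setting: str
    expected: object
    observed: object
    status: str      # "pass", "fail", or "missing" (no evidence collected)
    reference: str

def evaluate(standard, observed):
    """Return one Finding per documented setting; this is the evidence trail."""
    findings = []
    for setting, (op, expected, ref) in standard.items():
        if setting not in observed:
            findings.append(Finding(setting, expected, None, "missing", ref))
            continue
        ok = COMPARATORS[op](observed[setting], expected)
        findings.append(Finding(setting, expected, observed[setting],
                                "pass" if ok else "fail", ref))
    return findings

def summarize(findings):
    counts = {"pass": 0, "fail": 0, "missing": 0}
    for f in findings:
        counts[f.status] += 1
    return counts

# Constructed sample of what an export from one workstation might contain.
SAMPLE_HOST = {
    "password.min_length": 8, "password.max_age_days": 90, "lockout.threshold": 5,
    "lockout.enabled": True, "smb.v1_enabled": True,   # macro setting not exported
}

if __name__ == "__main__":
    for f in evaluate(STANDARD, SAMPLE_HOST):
        print(f"{f.status:7} {f.setting}: expected {f.expected!r}, observed {f.observed!r} [{f.reference}]")
    print(summarize(evaluate(STANDARD, SAMPLE_HOST)))
```

Feeding the same standard to exports from every managed host turns the written standard into a repeatable report, which is the demonstrable part of the requirement.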
MS-ISAC membership is available to all school districts at no cost. You can find more membership information here:
You can find the CIS Benchmark library information here:
As always, if you are looking for assistance with getting started on building your own documented configuration standards, reach out to our team. We will be happy to help you get started.