NIST – Small Business Information Security: The Fundamentals – 54 pages
<http://nvlpubs.nist.gov/nistpubs/ir/2016/NIST.IR.7621r1.pdf>
1 BACKGROUND: WHAT IS INFORMATION SECURITY AND CYBERSECURITY? 2
1.1 WHY SMALL BUSINESSES? 4
1.2 ORGANIZATION OF THIS PUBLICATION 5
2 UNDERSTANDING AND MANAGING YOUR RISKS 6
2.1 ELEMENTS OF RISK 6
2.2 MANAGING YOUR RISKS 8
• Identify what information your business stores and uses 8
• Determine the value of your information 8
• Develop an inventory 10
• Understand your threats and vulnerabilities 11
2.3 WHEN YOU NEED HELP 14
3 SAFEGUARDING YOUR INFORMATION 15
3.1 IDENTIFY 16
• Identify and control who has access to your business information 16
• Conduct Background Checks 16
• Require individual user accounts for each employee 17
• Create policies and procedures for information security 17
3.2 PROTECT 18
• Limit employee access to data and information 18
• Install Surge Protectors and Uninterruptible Power Supplies (UPS) 18
• Patch your operating systems and applications 19
• Install and activate software and hardware firewalls on all your business networks 19
• Secure your wireless access point and networks 20
• Set up web and email filters 20
• Use encryption for sensitive business information 21
• Dispose of old computers and media safely 21
• Train your employees 22
3.3 DETECT 23
• Install and update anti-virus, anti-spyware, and other anti-malware programs 23
• Maintain and monitor logs 23
3.4 RESPOND 24
• Develop a plan for disasters and information security incidents 24
3.5 RECOVER 25
• Make full backups of important business data/information 25
• Make incremental backups of important business data/information 26
• Consider cyber insurance 26
• Make improvements to processes / procedures / technologies 27
4 WORKING SAFELY AND SECURELY 28
• Pay attention to the people you work with and around 28
• Be careful of email attachments and web links 28
• Use separate personal and business computers, mobile devices, and accounts 29
• Do not connect personal or untrusted storage devices or hardware into your computer, mobile device, or network 29
• Be careful downloading software 29
• Do not give out personal or business information 30
• Watch for harmful pop-ups 30
• Use strong passwords 31
• Conduct online business more securely 32
APPENDIX A— GLOSSARY AND LIST OF ACRONYMS 1
APPENDIX B— REFERENCES 1
APPENDIX C— ABOUT THE FRAMEWORK FOR IMPROVING CRITICAL INFRASTRUCTURE CYBERSECURITY 1
APPENDIX D— WORKSHEETS 1
• Identify and prioritize your information types 1
• Develop an Inventory 2
• Identify Threats, Vulnerabilities, and the Likelihood of an Incident 3
• Prioritize your mitigation activities 4
APPENDIX E— SAMPLE POLICY & PROCEDURE STATEMENTS 1