ASBDC SBDC Cybersecurity and Data Protection

The following modules address Basic Cyber Hygiene.

The information below presents Level 1 of the CMMC and is meant to help business managers understand, in plain language, what needs to be done. Examples are provided to put this information in context; further examples, organized by industry, are forthcoming. As you read through this information, consider your own story: what would you use as an example? Send it to us at cmmc@americassbdc.org.

Level 1 requires that an organization performs the specified practices.

As you read the examples, create one that makes sense to you. We are gathering them to be considered as formal examples for others.

Send examples to cmmc@americassbdc.org.

Control Access to Computer Resources

  • Control who can use company computers and who can log on to the company network.
  • Limit the services and devices, like printers, that can be accessed by company computers.
  • Set up your system so that unauthorized users and devices cannot get on the company network.
  • Make sure to limit users/employees to only the systems, roles, or applications they are permitted to use and that are needed for their job.

EXAMPLE 1:

You are in charge of IT for your company. You give a username and password to every employee who uses a company computer for their job.

No one can use a company computer without a username and a password. You give a username and password only to those employees you know have permission to be on the system.

When an employee leaves the company, you disable their username and password immediately.

EXAMPLE 2:

A coworker from the marketing department tells you their boss wants to buy a new multi-function printer/scanner/fax device and make it available on the company network. You explain that the company controls system and device access to the network, and will block non-company systems and devices unless they already have permission to access the network. You work with the marketing department to grant the new printer/scanner/fax device permission to connect to the network, then install it.

EXAMPLE 3:

You are in charge of payroll for the company and need access to certain company financial information and systems. You work with IT to set up the system so that when users log onto the company’s network, only those employees you allow can use the payroll applications and access payroll data. Because of this good access control, your coworkers in the Shipping Department cannot access information about payroll or paychecks.
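The three practices illustrated above (one unique account per person, accounts disabled the moment someone leaves, and each role limited to the applications its job needs) can be expressed as a single deny-by-default access check. The following is an added example written for this page, not code from the CMMC or from America's SBDC; the usernames, roles and application names are constructed sample data.

```python
"""Deny-by-default access control: a user may use an application only if the
account exists, is still enabled, and holds a role that includes that application.
All names below are constructed for illustration."""
from dataclasses import dataclass, field

# Role -> applications that role needs for its job (constructed sample).
# Anything not listed here is denied.
ROLE_PERMISSIONS = {
    "payroll":  {"payroll-app", "timekeeping"},
    "shipping": {"shipping-portal", "timekeeping"},
    "it-admin": {"directory-admin", "timekeeping"},
}


@dataclass
class Account:
    username: str                      # one unique identifier per person
    roles: set = field(default_factory=set)
    enabled: bool = True               # set False on departure, never deleted


class AccessControl:
    def __init__(self):
        self._accounts = {}

    def provision(self, username, roles):
        """Create an account; refuses duplicate identifiers and unknown roles."""
        if username in self._accounts:
            raise ValueError(f"{username!r} already exists; identifiers must be unique")
        unknown = set(roles) - ROLE_PERMISSIONS.keys()
        if unknown:
            raise ValueError(f"unknown roles {sorted(unknown)}; only approved roles may be assigned")
        self._accounts[username] = Account(username, set(roles))

    def offboard(self, username):
        """Disable the account immediately; keeping the record preserves the audit trail."""
        self._accounts[username].enabled = False

    def can_use(self, username, application):
        """The access decision. Unknown or disabled accounts are always denied."""
        acct = self._accounts.get(username)
        if acct is None or not acct.enabled:
            return False
        return any(application in ROLE_PERMISSIONS[role] for role in acct.roles)


def demo():
    """Walk through the payroll / shipping scenario from the text."""
    ac = AccessControl()
    ac.provision("pat.payroll", {"payroll"})
    ac.provision("sam.shipping", {"shipping"})
    before = ac.can_use("pat.payroll", "payroll-app")        # True
    shipping = ac.can_use("sam.shipping", "payroll-app")     # False: not in their role
    ac.offboard("pat.payroll")                               # Pat leaves the company
    after = ac.can_use("pat.payroll", "payroll-app")         # False: account disabled
    return before, shipping, after


if __name__ == "__main__":
    print(demo())
```

Note that the decision function never consults a list of things a user is forbidden to do; it only consults what the role is permitted to do, so a new application is inaccessible to everyone until someone explicitly adds it to a role.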

EXAMPLE:

You help manage IT for your employer. You and your coworkers are working on a big proposal, and all of you will put in extra hours over the weekend to get it done.

Part of the proposal includes Federal Contract Information, or FCI. FCI is information that you or your company get from doing work for the Federal government.

Because FCI is not shared publicly, you remind your coworkers to use their company laptops, not personal laptops or tablets, when working on the proposal over the weekend.

Learn more: Secure Remote Access

Authenticate!

  • Authentication helps you to know who is using or viewing your system.
  • Make sure to assign individual, unique identifiers, like usernames, to all employees/users who access company systems.
  • Confirm the identities of users, processes, or devices before allowing them access to the company’s information system; this is usually done through passwords.

EXAMPLE:

You are head of marketing for your company and want to become better known by your customers. So, you decide to start issuing press releases about your company projects.

Your company gets Client Contract Information from doing work for a client. This is information that is not shared publicly. Because you recognize the need to control sensitive information, including confidential information, you carefully review all information before posting it on the company website or releasing it to the public.

You allow only certain employees to post to the website.

Learn more: Email Authentication

EXAMPLE:

You are in charge of purchasing for your company. You know that some devices, such as laptops, come with a default username and a default password. Last week, your coworker in the Engineering Department received a laptop with the default username “admin” and default password “admin”.

You remind the coworker to be sure to delete the default account details or change the default password to a unique password. You also explain that default passwords are easily found in an internet search engine. So, it would be easy for an unauthorized person to guess and use the default password to gain access to the system.
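A small intake check can make the advice above routine: before a new device is put into service, confirm that the factory-default account was actually renamed or removed, that the replacement password is not the default or another widely published one, and that the new username is unique. This is an added example written for this page, not code from the CMMC or from America's SBDC; the set of published defaults, the 12-character length rule and the existing usernames are constructed assumptions.

```python
"""Validate the credential that replaces a device's factory-default account.
Returns findings; an empty list means the replacement is acceptable.
Defaults, policy threshold and existing usernames are constructed assumptions."""

# Illustrative subset of factory defaults that any search engine will list.
PUBLISHED_DEFAULT_PASSWORDS = {"admin", "password", "1234", "12345", "default", ""}

# Assumed company policy, not a value from the page.
MIN_PASSWORD_LENGTH = 12


def check_replacement_credential(new_username, new_password,
                                 factory_username, factory_password,
                                 existing_usernames):
    """Compare the proposed credential against the device's factory default
    and against accounts already issued to other people."""
    findings = []
    if new_username == factory_username:
        findings.append("username is still the factory default; rename or delete the default account")
    if new_password == factory_password:
        findings.append("password is unchanged from the factory default")
    if new_password.lower() in PUBLISHED_DEFAULT_PASSWORDS:
        findings.append("password is a widely published default that an internet search would reveal")
    if len(new_password) < MIN_PASSWORD_LENGTH:
        findings.append(f"password is shorter than {MIN_PASSWORD_LENGTH} characters")
    if new_username in existing_usernames:
        findings.append("username is already assigned to someone else; identifiers must be unique")
    return findings


if __name__ == "__main__":
    issued = {"j.smith", "a.lee"}           # constructed: usernames already in use
    # The laptop as it arrived from the vendor.
    for f in check_replacement_credential("admin", "admin", "admin", "admin", issued):
        print("reject:", f)
    # After the engineer renames the account and sets a unique password.
    ok = check_replacement_credential("eng-laptop-07-admin", "correct-horse-battery-staple",
                                      "admin", "admin", issued)
    print("accepted" if not ok else ok)
```

The check deliberately reports every problem at once rather than stopping at the first, so the person setting up the device can fix all of them in one pass.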

EXAMPLE:

You are moving into a new office. As you pack for the move, you find some of your old CDs in a file cabinet.

When you load the CDs into your computer drive, you see that one has information about an old project your company did for the Department of Defense (DoD).

Rather than throw the CD in the trash, you make sure that it is shredded.

EXAMPLE:

You work for a small company as the project manager for a client project.

The project requires special equipment that should be used only by project team members. You work with your boss to put locks on the doors to your area.

This restricts access to the room to only those employees who work on the client project.

EXAMPLE:

You and your coworkers like to have friends and family join you for lunch at the office on Fridays. Your small company is growing, and sometimes it’s hard to know who is coming and going from the lunch area.

You work with your boss, the company founder, and ask all non-employees to sign in at the reception area, then sign out when they leave.

Employees can have badges or key cards that enable tracking and logging access to the company facilities.

Learn more: Physical Security

EXAMPLE:

You are setting up the new network for your company, and want to keep the company’s information and resources safe.

You make sure to buy a router—a hardware device that routes data from a local area network (LAN) to another network connection—with a built-in firewall, then configure it to limit access to trustworthy sites.

Some of your coworkers complain that they cannot get onto certain websites. You explain that the new network blocks websites that are known for spreading malware.

Watch this video: Vendor Security

Watch this video: Ransomware

EXAMPLE:

The head of recruiting wants to launch a website to post job openings and allow the public to download an application form. After some discussion, your team realizes it needs to use a router and firewall to create a DMZ (a demilitarized zone: a separate network segment for systems the public needs to reach) to do this.

You host the server separately from the company’s internal network and make sure the correct firewall rules are in place. Your company gets a lot of great candidates for open jobs, and the company’s internal network is protected.
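What "the correct firewall rules" means for the DMZ above is easier to see as a policy that can be evaluated against sample traffic: the public may reach the job site on HTTPS only, staff may reach it and the internet, and the job server may never initiate connections into the internal network. This is an added example written for this page, not code from the CMMC or from America's SBDC; the address ranges, port numbers and rule list are constructed assumptions, and the router's own malware-site blocking from the earlier example is assumed to be handled separately.

```python
"""A zone-based, deny-by-default firewall policy for a DMZ, evaluated in Python
against constructed sample connections. Addresses and rules are assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed address plan: anything outside these two networks is "internet".
ZONES = {
    "internal": ipaddress.ip_network("10.0.0.0/24"),        # staff workstations
    "dmz":      ipaddress.ip_network("192.168.100.0/24"),   # public job-posting server lives here
}


def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in ZONES.items() if addr in net), "internet")


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_port: Optional[int]   # None = any port
    action: str               # "allow" or "deny"
    note: str


# First matching rule wins; nothing listed falls through to DEFAULT_ACTION.
RULES = [
    Rule("internet", "dmz",      443,  "allow", "the public reaches the job site over HTTPS"),
    Rule("internal", "dmz",      443,  "allow", "staff can use the job site too"),
    Rule("internal", "dmz",      22,   "allow", "IT administers the web server from inside"),
    Rule("internal", "internet", None, "allow", "staff browse the web (router filters known malware sites)"),
    Rule("dmz",      "internal", None, "deny",  "a compromised web server must not reach the LAN"),
]
DEFAULT_ACTION = "deny"


def decide(src_ip: str, dst_ip: str, dst_port: int) -> str:
    """Return 'allow' or 'deny' for a new connection attempt."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    for rule in RULES:
        if rule.src_zone == src and rule.dst_zone == dst and rule.dst_port in (None, dst_port):
            return rule.action
    return DEFAULT_ACTION


if __name__ == "__main__":
    # Constructed sample connections: public visitor, job server, a staff PC.
    samples = [
        ("203.0.113.5",    "192.168.100.10", 443),   # visitor -> job site
        ("203.0.113.5",    "192.168.100.10", 22),    # visitor -> job site SSH
        ("203.0.113.5",    "10.0.0.20",      445),   # visitor -> staff PC
        ("192.168.100.10", "10.0.0.20",      445),   # job server -> staff PC
        ("10.0.0.20",      "192.168.100.10", 22),    # IT -> job server
    ]
    for src, dst, port in samples:
        print(f"{src:>16} -> {dst:<16} port {port:<4} {decide(src, dst, port)}")
```

The explicit "dmz to internal: deny" rule is redundant with the default deny, and that is the point: a later administrator who adds a broad allow rule will see the prohibition spelled out rather than relying on a fall-through nobody documented.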

Learn more: Ransomware (PDF)

Patch Management

  • All software and firmware have potential flaws. Many vendors work to reduce those flaws by releasing vulnerability information and updates to their software and firmware.
  • Have a process to review relevant vendor newsletters with updates about common problems or weaknesses.
  • After reviewing the information, execute a process called patch management that allows systems to be updated without adversely affecting the organization.
  • Purchase support from vendors to ensure timely access to updates.

EXAMPLE:

You have many responsibilities at your company, including IT.

You know that malware, ransomware, and viruses can be a big problem for small companies.

You make sure to enable all security updates for your software, and purchase the maintenance packages for new hardware and operating systems.
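The patch-management process above boils down to a recurring comparison: for each asset, what version is installed, what version does the vendor's advisory say fixes the problem, and is the vendor support contract still active so the update can actually be obtained. The following is an added example written for this page, not code from the CMMC or from America's SBDC; the product names, advisory versions, inventory and support dates are all constructed. It also shows the one pitfall that bites such scripts: comparing version strings as text ranks "10.9" above "10.10".

```python
"""Patch-status report: installed version vs. vendor advisory, plus vendor
support expiry. Products, versions and dates below are constructed samples."""
import re
from datetime import date


def parse_version(version: str) -> tuple:
    """'2.4.12' -> (2, 4, 12). Numeric tuples compare correctly; plain string
    comparison would wrongly rank '10.9.3' above '10.10.0'."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


# Constructed vendor advisories: product -> first version containing the fix.
ADVISORIES = {
    "OfficeRouter-FW": "2.4.12",
    "AcmeAccounting":  "10.10.0",
}

# Constructed asset inventory with the end date of each vendor support contract.
INVENTORY = [
    {"asset": "router-1",   "product": "OfficeRouter-FW", "version": "2.4.9",   "support_until": date(2026, 6, 30)},
    {"asset": "finance-pc", "product": "AcmeAccounting",  "version": "10.9.3",  "support_until": date(2024, 12, 31)},
    {"asset": "front-desk", "product": "AcmeAccounting",  "version": "10.10.0", "support_until": date(2026, 1, 31)},
]


def patch_report(inventory, advisories, today):
    """One row per asset: whether it is behind the advisory, whether support
    has lapsed, and the action the reviewer should schedule."""
    report = []
    for item in inventory:
        fixed = advisories.get(item["product"])
        behind = fixed is not None and parse_version(item["version"]) < parse_version(fixed)
        unsupported = item["support_until"] < today
        if unsupported:
            action = "renew vendor support first; updates may not be available"
        elif behind:
            action = f"schedule update to {fixed} in the next maintenance window"
        else:
            action = "current"
        report.append({"asset": item["asset"], "needs_patch": behind,
                       "support_expired": unsupported, "action": action})
    return report


if __name__ == "__main__":
    for row in patch_report(INVENTORY, ADVISORIES, date(2025, 3, 1)):
        flag = "PATCH " if row["needs_patch"] else "      "
        print(f"{flag}{row['asset']:<12} {row['action']}")
```

Running the report on a schedule, and treating "support expired" as a finding in its own right, covers both the review step and the "purchase support" bullet in the list above.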

EXAMPLE:

You are buying a new computer for your small business and want to protect your company’s information from viruses, spyware, etc.

You buy and install anti-malware software.

EXAMPLE:

You bought a new computer for your small business.

You know that you need to protect your company’s information from viruses, spyware, etc. So, you also purchased and installed anti-malware software.

You configure the software to automatically update to the latest antivirus code and definitions of all known malware.

EXAMPLE:

While cleaning up your office, you find your old thumb drive. You are not sure if you should use it.

Then you remember something: your company just purchased anti-malware software that auto-updates with the latest antivirus code and definitions of all known malware.

With this in mind, you decide to plug in the thumb drive. The new anti-malware software scans the thumb drive, finds a virus, then deletes the file.

The majority of the content above is from version 1.0 of the CMMC.

You may now be ready to take a more formal approach, work with others, and follow the North Star.

Check out the CMMC tool to help prepare for an assessment by hitting this button.