GOVERNANCE, RISK, AND COMPLIANCE (GRC)
Policies, Procedures, and Standards (PPS)
Health Insurance Portability and Accountability Act Collaborative of Wisconsin (HIPAA COW): Provides a myriad of whitepapers, template policies, procedures, forms, and training documents to help implement HIPAA’s Privacy, Security, and EDI Standard Transaction provisions.
System and Network Security (SANS): Becoming a member of SANS gives you access to the largest source of information security information in the world, for free. SANS also offers a number of training courses. They’re expensive and class size can be quite large, but the instructors are top-notch.
Security Education Management (SEM)
KnowBe4: KnowBe4 is a C G Silvers partner that offers security awareness training, automated alerting, and simulated phishing attacks. Find a range of free tools and resources on their website.
Gophish: A free, open-source phishing framework that makes it easy to test your organization’s exposure to phishing.
Data Privacy and Compliance (DPC)
Health Insurance Portability and Accountability Act (HIPAA):
- HIPAA COW Toolkit: Provides a valuable risk assessment and risk management toolkit. A risk assessment can help your organization ensure it is compliant with HIPAA’s administrative, physical and technical safeguards. It can also help reveal areas where your organization’s protected health information (PHI) could be at risk.
- HHS SRA Tool (Security Risk Analysis Tool): Another risk assessment option. This tool guides you through a compliance gap assessment instead of a full-blown risk assessment.
PCI: The PCI Security Standards Council is a global forum for the ongoing development, enhancement, storage, dissemination and implementation of security standards for credit card payment account data protection.
- PCI-DSS Scoping and Segmentation PDF: This guide makes previous guidance more official and can help you reduce your compliance burden through reducing the number of systems in scope for PCI DSS compliance.
- Penetration Testing and Guidelines PDF: This guide specifies how a penetration test is to be conducted to meet the requirements in PCI DSS requirement 11.3. Since not all penetration tests are created equal, this guidance is important to understand before conducting them.
General Data Protection Regulation (GDPR): A handy resource for understanding European data protection regulations, particularly for organizations that handle data concerning European citizens, whether they are customers, partners, or employees.
California Consumer Privacy Act (CCPA): If your organization does business with Californians or in California, then you want to make sure you understand and comply with the new regulations that protect consumer data.
Enterprise Risk Management (ERM)
CIS (Center for Internet Security)
- CIS-RAM: Provides instructions, examples, templates, and exercises for conducting a cyber risk assessment.
- CIS-CSAT: The CIS Controls Self-Assessment Tool is a free web application that enables security, IT, or business leaders to track and prioritize their implementation of the CIS Controls.
NIST (National Institute of Standards and Technology): NIST’s cybersecurity programs seek to enable greater development and application of security technologies and methodologies that enhance the country’s ability to address security challenges.
- NIST CSF (Cybersecurity Framework): The NIST CSF reference tool provides a strategic view of an organization’s management of cybersecurity risk.
- Special Publication “Safeguarding Covered Defense Information and Cyber Incident Reporting”: For organizations that work with or contract with suppliers to the US Department of Defense, this handbook provides guidance for implementing NIST SP 800-171 in response to DFARS.
Core Security Solutions
pfSense: A free, powerful, and flexible firewalling and routing platform.
Microsoft LAPS: Use LAPS to automatically manage local administrator passwords so that passwords are unique on each managed computer, randomly generated, and securely stored.
Microsoft Defender Suite: Among other security tools, Windows Defender includes an antivirus solution that delivers comprehensive protection against software threats like viruses, malware, and spyware.
Security Operations Center
Security Onion: Security Onion is a free and open source Linux distribution for intrusion detection, enterprise security monitoring, and log management.
Elastic Stack (ELK): Elasticsearch, Logstash, and Kibana are three open source projects that can aid in security monitoring and can provide a security information and event management solution.