Creating templates from scratch is definitely hard work. First, you have to find the source material and ensure it is accurate. Next, you have to try and find a copy that is easy to transfer to myITprocess (TruMethods’ software framework built specifically for vCIOs). Finally, you have to perform the work of export/import or copy and paste it into a spreadsheet. The process is time-consuming—and in some cases—not worth the effort.
Over the course of my tenure at TruMethods, I have stumbled across tools and resources for creating templates or for research. Some I use more often than others, but each of them helps you understand the topic you want to transition into myITprocess.
The compilation below is not an exhaustive list. However, these are the resources I use most frequently, and they are worth their weight in gold.
Secure Controls Framework (www.securecontrolsframework.com)
From the website: The SCF is designed to empower organizations to design, implement and manage both cybersecurity and privacy principles to address strategic, operational and tactical guidance. It is far more than building for compliance – we know that if you build-in security and privacy principles, complying with statutory, regulatory and contractual obligations will come naturally.
My take: The SCF is an invaluable tool for mapping statutory, regulatory, contractual, and industry-leading best practices to various frameworks. The site has a built-in tool that allows a user to select their requirements and map them to other requirements. This mapping benefits organizations attempting to follow specific standards while helping them understand the process.
Cyber Security Evaluation Tool (CSET®) (https://us-cert.cisa.gov/ics/Downloading-and-Installing-CSET)
From the website: The Cyber Security Evaluation Tool (CSET®) provides a systematic, disciplined, and repeatable approach for evaluating an organization’s security posture. CSET is a desktop software tool that guides asset owners and operators through a step-by-step process to evaluate industrial control system (ICS) and information technology (IT) network security practices. Users can evaluate their own cybersecurity stance using many recognized government and industry standards and recommendations.
My take: The CSET tool is very useful when trying to see regulations in a format that is more readable than a document or spreadsheet provided by the regulatory authority. CSET is a stand-alone application and provides web-based access to the tool. The interface is quite like myITprocess, allowing a user to perform an assessment, flag and comment on questions, and export the results to a spreadsheet. The downside is that the Cybersecurity & Infrastructure Security Agency (CISA) does not update it as frequently as I would like, so some newer frameworks are not available yet.
CIS Workbench (https://workbench.cisecurity.org)
From the website: Everything we do at CIS is community-driven. Bring your IT expertise to CIS WorkBench, where you can network and collaborate with cybersecurity professionals around the world. Register now to help draft configuration recommendations for the CIS Benchmarks, submit tickets, and discuss best practices for securing a wide range of technologies.
My take: CIS Workbench is a great tool for evaluating the web- and PDF-based CIS Benchmarks. CIS and, in some cases, the manufacturer of the software or hardware curate these benchmarks to provide best practices for configuring, monitoring, and maintaining these products. If you do not mind copying and pasting, the Workbench web format makes it a bit easier to move the content into myITprocess.
SANS Security Policy Templates (https://www.sans.org/information-security-policy/)
From the website: In collaboration with information security subject-matter experts and leaders who volunteered their security policy know-how and time, SANS has developed and posted here a set of security policy templates for your use. To contribute your expertise to this project, or to report any issues you find with these free templates, contact us at firstname.lastname@example.org.
My take: These SANS policy templates are great for MSPs that need to document policies in writing and are unsure where to start. The templates provide clear language that the customer would understand. A benefit of using these templates is your ability to create your own based on these layouts in the future.