Frequently Asked Questions


A: Yes, really.

A: There is currently no truly fit-for-purpose cybersecurity framework developed specifically and only for small enterprise. Certain existing frameworks claim to address small enterprise, or to be adaptable to it, but all miss the mark in some respect or other, usually by assuming that a small enterprise is the same as a large enterprise, just smaller. If you’ve had the opportunity to work across both types, you know that nothing could be further from the truth. They are as different as night and day, and the same rules and assumptions can’t be applied to both.

A: Without naming names, here are a few of the issues that apply variously to existing frameworks which make them unsuited to being used in small enterprise:

  • They exist to make money: small enterprises hate spending money, even when they can afford to. If they have to pay just to access the standard, they won’t.
  • False sense of simplicity: the complexity and difficulty of implementation are masked by a name or top-level structure which implies a simplistic checklist approach.
  • False sense of assurance: “certifications” handed out based on self-attestation, with no oversight by the certifying body.
  • Technologically unsuitable: they use language or design assumptions which aren’t aligned with modern small enterprise IT operations, e.g. secure/trusted internal networks, remote-access VPNs, legacy Active Directory, self-managed servers, etc.
  • Too focused on technology controls: heavy emphasis on implementation of specific configuration settings or tools, with little attention given to people- and process-related measures.
  • Infrequently updated: cybersecurity is a rapidly changing field. Any framework which doesn’t receive a meaningful update at least every 12 months is out of date.

A: Attempting to adapt existing frameworks to a small enterprise context is not a good solution. It invariably results in myriad inconsistent interpretations, none of which is really fit for purpose.

A: Yes. OpenCASE is specifically for you. You will need either modest IT skills yourself, or the assistance of someone who has them, but the intention of OpenCASE is that it caters to the needs of people just like you.

A: OpenCASE is essentially a sequentially prioritised list of 33 security controls. The list is split into 3 implementation levels, with 11 controls per level. You start at the beginning and implement the controls in sequence until you reach the end.

Review the SPECIFICATION and the HOWTO for more details.

A: Every organisation is different, and there are a lot of variables which can impact a security uplift program - availability of the right skill sets, time and funding available, etc. For an organisation of under 20 people with one internal IT person OR an outsourced IT service provider, the recommended project duration for start to finish completion of the framework, from nothing to each Implementation level is:

  • 3 months for Implementation Level 1
  • 6 months for Implementation Level 2
  • 12 months for Implementation Level 3

A: Probably because it’s not really suitable or appropriate for small enterprise, or it just doesn’t provide enough bang for buck compared to the controls which are included. OpenCASE is NOT intended to be a comprehensive framework; it should be considered the starting point on a longer journey. Organisations which fully implement OpenCASE and continue to grow and mature will naturally look to more mature frameworks with more comprehensive coverage as they start to consider how to shape their cybersecurity architecture in the future.

A: Congratulations, you’re doing great! Take a moment to appreciate the magnitude of what you have accomplished! As for what other frameworks might be suitable to graduate to, the OpenCASE project recommends looking at the CIS Controls, as their Implementation Group model will feel familiar, and you will likely have a good head start on their IG1. You may also consider the NIST Cybersecurity Framework (CSF) v2.0 if you have loftier ambitions and/or want to significantly build up your governance, risk, and compliance capabilities.

A: Pending completion of the beta release phase, the main branch will be treated as the current stable release, and will be updated twice a year, in January and July, based on the current state of the testing branch. The testing branch will be updated as necessary as changes are considered and put through their paces to gather feedback.