Understanding the structure
- OpenCASE specifies 11 Priorities, each targeted at protecting a specific type of asset that is relevant to a small organisation’s cybersecurity posture.
- Each Priority has a clearly stated objective and three Implementation Levels, from 1 (lowest) to 3 (highest).
- Implementation Levels are designed to accommodate organisations with progressively greater implementation capability (see Implementation Targets below).
- Each Implementation Level specifies a distinct security control or capability which must be implemented, including clearly measurable completion criteria.
- Each Implementation Level represents an incremental improvement in security posture over the previous level.
- An Implementation Level of 0 is assigned to any Priority which does not meet the defined completion criteria for any Implementation Level.
Implementation Order
OpenCASE is designed for sequential implementation, i.e. if your organisation is starting from scratch, start with Priority 1 at Implementation Level 1. When you have completed that, move on to Priority 2 at Implementation Level 1. When you have completed all Priorities at Implementation Level 1, move on to Priority 1 at Implementation Level 2, and so on.
The same approach applies even if you are not starting from scratch (i.e. a current state assessment reveals varying Implementation Levels achieved across the Priorities): first bring every Priority currently at level 0 up to level 1, then uplift those and any others at level 1 to level 2, and so on.
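The ordering rule above, and the level-0 rule from the structure section, are mechanical enough to model. The following is an added example, not part of the OpenCASE framework text: it takes a current state assessment (Priority number to achieved level) and produces the uplift steps in the prescribed order. It assumes that Implementation Levels are cumulative, i.e. a Priority is at level N only if the completion criteria for levels 1 through N are all met.

```python
# Added example: models OpenCASE's sequential implementation order.
# Not part of the OpenCASE framework; the cumulative-level rule in
# assessed_level() is an assumption, not stated by the framework text.
from typing import Dict, List, Optional, Tuple

NUM_PRIORITIES = 11   # OpenCASE specifies 11 Priorities
MAX_LEVEL = 3         # Implementation Levels run from 1 (lowest) to 3 (highest)


def assessed_level(criteria_met: Dict[int, bool]) -> int:
    """Return the Implementation Level a single Priority is currently at.

    criteria_met maps each level (1..3) to whether its completion criteria
    are met. Levels are treated as cumulative (assumption): the first level
    whose criteria are not met stops the count. Nothing met means level 0.
    """
    level = 0
    for n in range(1, MAX_LEVEL + 1):
        if not criteria_met.get(n, False):
            break
        level = n
    return level


def uplift_roadmap(current: Dict[int, int]) -> List[Tuple[int, int]]:
    """Order the remaining work the way OpenCASE prescribes.

    current maps Priority number (1..11) to its assessed level (0..3);
    Priorities missing from the dict are treated as level 0.
    Returns (priority, target_level) steps: everything below level 1 is
    brought to level 1 first (in Priority order), then everything below
    level 2 is brought to level 2, and so on up to level 3.
    """
    unknown = set(current) - set(range(1, NUM_PRIORITIES + 1))
    if unknown:
        raise ValueError(f"unknown Priority numbers: {sorted(unknown)}")
    steps: List[Tuple[int, int]] = []
    for target in range(1, MAX_LEVEL + 1):
        for priority in range(1, NUM_PRIORITIES + 1):
            if current.get(priority, 0) < target:
                steps.append((priority, target))
    return steps


def next_step(current: Dict[int, int]) -> Optional[Tuple[int, int]]:
    """The single next Priority/level to work on, or None if fully implemented."""
    steps = uplift_roadmap(current)
    return steps[0] if steps else None


if __name__ == "__main__":
    # Constructed sample assessment of an organisation not starting from scratch.
    sample = {1: 2, 2: 1, 3: 0, 4: 3, 5: 1}
    for priority, target in uplift_roadmap(sample):
        print(f"Priority {priority}: uplift to Implementation Level {target}")
```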
Implementation Targets
OpenCASE defines Implementation Targets as an indicative guide to the organisational archetypes each Implementation Level is targeted at. This takes into consideration the nature of controls at each level, and the minimum capability that is expected to be available in order to implement them. Organisation size is included as a guide but is not a deciding factor.
| Implementation Level | Control Target | Capability Target | Org. Size Target |
|---|---|---|---|
| 1 | Fundamental controls considered non-negotiable for every small enterprise. Focus on affordability and bang-for-buck. | DIY with appropriate documentation and/or help from a technically capable friend. | < 3 staff |
| 2 | Standard controls considered to be the minimum for small organisations whose core business depends on its IT. | Ad-hoc IT support provided by an experienced IT professional. | 3 - 10 staff |
| 3 | Enhanced controls which provide additional protection for small organisations which work with Personally Identifiable Information (PII) or other sensitive data. | On-going IT support from an IT Managed Services Provider (MSP). | 5 - 50 staff |
OpenCASE Implementation Targets are NOT “targets for implementation”, and adopters should not treat them as some sort of “finish line” for their cybersecurity uplift program. They serve to contextualise the differences between Implementation Levels, not to define what adopters should aim for. OpenCASE is a starting point on an open-ended journey: the expectation of the OpenCASE Project is that adopters will (eventually) fully implement all Priorities up to Implementation Level 3, and then graduate to a more comprehensive standard such as the CIS Controls or the NIST CSF.
Implementation Guidance
To avoid ambiguity regarding completion criteria, high-level guidance is provided as to what steps an organisation is expected to take in order to meet them. As IT environments vary greatly from one organisation to the next, the guidance describes the existence of a piece of functionality or a capability (e.g. multi-factor authentication) and how it should be applied and/or configured (e.g. all primary user accounts must use it), rather than specific configuration settings for specific products.
Future enhancements to the framework may include more specific technical implementation instructions for different technology platforms and tools.