BCSF Advanced Controls list contains 217 checklist items that tell your organization “what” you can do to meet your policy objectives. They are derived from our own internal operations and those of our customers.

Information governance often begins with a risk assessment and develop their information security programs from there. BCSF proposes a more actionable approach to developing a program that follows this set of milestones.

1. Why? Determine an high-level cyber security risk policy for your organization that informs stakeholders and vendors on why this matters to you.

2. Where? Adopt (and adapt) information security policies to your organizational needs/wants. These policies with inform where to focus control activities.

3. What? Use the checklists to select items that align control activities with your polciies. These lists inform what actions you will take as an organization to improve your posture.

4. How? Obtain implementaiton guidance from our team on how to implement the controls in a way that brings value and fits your needs.

Additionally, we also track all NIST SP 800-171 Controls. These can be viewed here:

• NIST SP 800-171 Controls Governmentwide Controlled Unclassified Information (CUI) 3 Program to standardize the way the executive branch handles unclassified information that requires protection. The CUI Program is designed to address several deficiencies in managing and protecting unclassified information to include inconsistent markings, inadequate safeguarding, and needless restrictions, both by standardizing procedures and by providing common definitions through a CUI Registry.

When faced with a control item that seems daunting, consider the impacts if you avoided the risk alltogether. Sometimes stopping an activity is the best option.

Every implemented control mitigates risks by some margin. Collectively, all implemented controls meet the minimum standards for information security. Focus on high-risk areas first.

• Asset Management Asset management involves obtaining and continually updating an accurate inventory of all IT assets, discovering security gaps related to the asset’s presence or configuration, and enforcing security requirements to rapidly address the identified gaps. It is important to maintain up to date inventory and asset controls to ensure that equipment locations and dispositions are understood. Lost or stolen equipment can contain sensitive data. Proper asset management procedures and protocols provide documentation that aids in recovery, replacement, criminal, and insurance activities.

• Backup Management Backup management is the comprehensive approach to designing, monitoring, and testing backup systems. Backups are not universal and must be paired with scenarios. For example, backups designed to expedite recovery in case of system failure may not be effective in remediating ransomware. Long-term retention is necessary to recover from persistent integrity threats.

• Business Continuity Business Continuity plans should help organizations quickly recover and resume business operations after a significant business disruption and respond by safeguarding employees, information systems, financial obligations, and allowing the organization’s customers to transact business. In short, our business continuity plan is designed to permit the organization to resume operations as quickly as possible, given the scope and severity of the significant business disruption.

• Change Management The purpose of this policy is to establish management direction and high-level objectives for the change management process. This policy guides the implementation of changes to reduce the impact on other tasks/projects as well as to mitigate associated risks.

• Configuration Management Changes to information resources shall be managed and executed according to a formal change control process. The change control process will ensure that the proposed changes are reviewed, authorized, tested, implemented, and released in a controlled manner; and that the status of each proposed change is monitored.

• Data Management This checklist covers all information assets owned and including (but not limited to), information (electronic & non-electronic), associated IT infrastructure such as software, networks, desktops, laptops, servers. Further, this policy is applicable to the owners, custodians and all users (employees, consultants and contractors) of such information assets.

• Identity and Access Management This checklist helps establish direction and requirements for access to data, information and systems, and, to ensure that users have the appropriate access levels to access information on systems and applications.

• Incident Response This checklist provides guidelines to manage security incidents that threaten the confidentiality, integrity or availability of information assets.

• Mobile Device Management The primary goal of these activities is to protect the integrity of the confidential client and business data that resides within the technology infrastructure, including internal and external cloud services. This policy intends to prevent this data from being deliberately or inadvertently stored insecurely on a mobile device or carried over an insecure network where it could potentially be accessed by unauthorized resources.

• Network Operations This activity list applies to all network devices (routers, switches, wireless access points, firewalls, other network services). The objective behind the activities is to secure its internal network, network connections and resources from intrusions and to provide/maintain the security of infrastructure and data and thus this policy provide guidelines to ensure availability and reliability of network devices for safe and secure connections to the information assets.

• Organizational Management The purpose of this activity set is to show the organization is committed to protecting employees, customers, partners, vendors and the company from illegal or damaging actions by individuals, either knowingly or unknowingly.

• People Resources This list of activities is designed to manage risks from personnel screening, onboarding, termination, transfer and management. The personnel security policy helps the organization implement security best practices with regard to personnel processes and events.

• Risk Management Information security risk management is the process of identifying, evaluating, and treating risks around the organization’s valuable information. It addresses uncertainties around those assets to ensure the desired business outcomes are achieved. Thus, this series of activities supports information security risk management for the purpose of determining areas of vulnerability in corporate operations, products and services, and to initiate appropriate remediation.

• Security Governance Information security starts at the top, and this series of activities helps organizations act towards building a sustainable cyber security program.

• Service Lifecycle This set of activities feeds from distinct areas including Service Level Agreement policy, Software Development policy, and governance. It lists three major steps towards comprehensive software services.

• Site Operations This set of activities spans small office network closets all the way through data center operations. BCSF encourages the adoption of all activities at all times, with a proportionate amount of depth to business need. The objective here is to think about the physical environment and what malicious actors could do if they were able to access mission critical hardware, but also to think about supporting that hardware in the event of environmental failures.

• System Design Documentation The objective of this set of tasks is to enable transfer of functions from one person to the next, and maintain effective support for systems.

• Systems Monitoring Compliance requirements primarily focus on logging of security events and security exceptions. In reality that covers events to identity/access/events but also availability concerns. Ultimately, a security exception is any event that interrupts normal business and sufficient monitoring will assist in identifying those issues. Most commonly small companies transfer this responsibility to a managed service provider, but the organizations should define monitoring objectives instead of relying on canned offerings.

• Third-Party Management The primary objective behind this activity set is to help maintain the security of organization’s information systems and data when entering into any arrangement with a third-party supplier/vendor as well as to identify elements of managing vendors, due diligence, risk assessments as well as contract management.

• Training and Awareness Each organization should establish a routine and periodic training program for board/owners, managers, and staff. The extent of this program depends on individual needs. Some organizations require strict training due to regulatory compliance, while others should do this in an effort to educate and protect information systems.

• Vulnerability Management The intent of this activity set is to help organizations develop requirements regarding the application and network security scanning and penetration tests offered by external security vendors. While there are a number of ways to participate in vulnerability scanning, some businesses are forced into it simply due to PCI DSS requirements.