
The CIS Reasonable Cybersecurity Guide

Navigating the ever-evolving cybersecurity landscape can feel like walking a tightrope for managed service providers (MSPs). You’re responsible for safeguarding the digital assets of your diverse client base, so a clear understanding of “reasonable cybersecurity” is crucial.

The ambiguity surrounding this term has long been a source of frustration. What constitutes reasonable security for one company might be woefully inadequate for another. This ambiguity can lead to confusion and even litigation following a data breach.

The Center for Internet Security (CIS) has stepped in to provide much-needed clarity with its “Reasonable Cybersecurity: A Framework for Organizations” guide. This comprehensive resource offers a standardized approach to building a robust cybersecurity program, regardless of industry or size.


The Legal Landscape: Why Reasonable Cybersecurity Matters

Data breaches are a constant threat in today’s digital world, and the repercussions can be far-reaching. Beyond the immediate financial losses and reputational damage, organizations can face significant legal consequences following a breach.

The legal landscape surrounding data security is complex and constantly evolving. However, several key laws, regulations, and industry standards can impose hefty fines and penalties on organizations that fail to adequately protect sensitive data. These include:

  • The Federal Trade Commission (FTC) Act: The FTC has broad authority to enforce unfair and deceptive trade practices, which can encompass inadequate data security measures. In the wake of a breach, the FTC may investigate and pursue civil penalties if it determines the organization’s security practices were unreasonable.
  • Gramm-Leach-Bliley Act (GLBA): This law applies to financial institutions and requires them to implement a comprehensive information security program to protect customer data. Failure to comply with GLBA can result in significant fines and enforcement actions.
  • Health Insurance Portability and Accountability Act (HIPAA): HIPAA sets strict security standards for healthcare providers and health plans that handle protected health information (PHI). Violations of HIPAA’s security rules can lead to civil and even criminal penalties.
  • Family Educational Rights and Privacy Act (FERPA): A federal law that protects the privacy of student education records. It applies to all schools that receive funds under an applicable program of the U.S. Department of Education. The law gives parents certain rights with respect to their children’s education records; those rights pass to the student once they are 18.
  • General Data Protection Regulation (GDPR): Rules on how personally identifiable data may be used, processed, and stored. It applies to all organizations within the EU and to any organization supplying goods or services to the EU or monitoring EU citizens.
  • Payment Card Industry (PCI): Compliance requirements to ensure the security of credit card information that is stored, transmitted, or processed.

Beyond Federal Laws: It’s important to note that these are just a few examples, and several other federal regulations and state laws can impose data security obligations on organizations depending on their industry and the type of data they collect.

The Importance of Reasonableness

The concept of “reasonable cybersecurity” plays a critical role in legal proceedings following a data breach. While there’s no single definition of “reasonable,” the CIS Reasonable Cybersecurity Guide provides a valuable framework for organizations to demonstrate they have taken appropriate steps to protect sensitive data. By implementing the guide’s recommendations, organizations can significantly strengthen their legal defense in the event of a breach.

In essence, a robust cybersecurity program isn’t just about mitigating technical risks but also legal risks. The CIS Reasonable Cybersecurity Guide provides a roadmap for achieving a security posture that meets a reasonable standard, helping organizations protect themselves from a data breach’s financial and legal repercussions.

The Five Essential Elements of Reasonable Cybersecurity

The CIS guide outlines five fundamental elements that every effective cybersecurity program and MSP’s security playbook needs to encompass:

  1. Identify: Understand your organization’s critical assets and the potential threats they face. This covers data, systems, applications, and even physical security measures.
  2. Protect: Once you’ve identified your vulnerabilities, it’s time to implement safeguards. This includes firewalls, intrusion detection systems (IDS), data encryption, and access controls.
  3. Detect: Early detection is critical for minimizing damage from a cyberattack. Security information and event management (SIEM) solutions can help you monitor your network for suspicious activity.
  4. Respond: Having a well-defined incident response plan allows you to react swiftly and efficiently in the event of a breach. This plan should outline roles, responsibilities, and communication protocols.
  5. Recover: Recovering from a cyberattack involves restoring compromised systems and data. Regular backups and disaster recovery plans are essential for minimizing downtime and ensuring business continuity.

Implementing Reasonable Cybersecurity

The CIS guide goes beyond theory, offering practical guidance on implementing its recommendations. This includes:

  • Prioritization: The guide acknowledges that resources may be limited. It recommends prioritizing controls based on risk and potential impact.
  • Customization: The framework is designed to be adaptable to different organizational needs. You can tailor the controls to your specific industry and threat landscape.
  • Metrics and Measurement: The guide emphasizes the importance of measuring the effectiveness of your cybersecurity controls. This allows you to identify areas for improvement and demonstrate the value of your program to stakeholders.

Benefits for MSPs

The CIS Reasonable Cybersecurity Guide is a valuable tool for MSPs in several ways:

  • Client Education: You can leverage the guide to educate your clients during QBRs on the importance of a robust cybersecurity program and the benefits of implementing the CIS framework.
  • Standardized Approach: The guide provides a consistent, standardized approach that can inform your Reference Architecture and be applied across a diverse client base. This simplifies the process of assessing and securing client environments.
  • Enhanced Service Offerings: By incorporating the CIS framework into your service offerings, you can bundle security into what you sell, differentiate yourself from competitors, and demonstrate your commitment to client security.

Beyond the Guide: Additional Resources for MSPs

The CIS website offers a wealth of additional resources to support MSPs in their cybersecurity endeavors. These include:

A Roadmap to Reasonable Cybersecurity

The CIS Reasonable Cybersecurity Guide is a great reminder and resource for MSPs and their clients to establish a strong foundation for cybersecurity. Defining what “reasonable cybersecurity” means for your MSP can guide how you establish your network and reference architecture, your regular risk assessments, and the corresponding disaster recovery plans and testing cadence. By adopting the framework’s principles and leveraging the available resources, you can significantly reduce your risk profile and build a more secure digital future for your clients.
