I recently mentioned NIST's draft document, "Small Business Information Security: The Fundamentals". You will be happy (or at least you should be) to hear that the final document has been released. The 146kb, 20-page PDF is available at: http://csrc.nist.gov/publications/nistir/ir7621/nistir-7621.pdf
After the introduction there are three main sections:
- The “absolutely necessary” actions that a small business should take to protect its information, systems, and networks
- Highly Recommended Practices
- Other planning considerations for information, computer, and network security
Followed by three appendices/worksheets:
- Identifying and prioritizing your organization’s information types
- Identifying the protection needed by your organization’s priority information types
- Estimated costs from bad things happening to your important business information
This is a simple, easy-to-understand introduction to information security, focused on the small business. There is nothing earth-shattering here, just the basics. You could easily pick apart some of the oversimplification or other shortcomings in this document, but that misses the point: this is not for the seasoned infosec or IT professional; this is a tool to help us get the message out to those who need it.
Take a look at it, and spread the word to those who can benefit from it.