Schools, municipalities, and non-profit organizations contribute to flourishing communities by supporting civic life and democratic processes.
In many cases, they need someone with training and expertise to implement mitigations and securely configure products, a resource they can't always afford.
To make true progress in securing the organizations that lead to flourishing communities, technology manufacturers should keep the context and constraints of these end users in mind and ensure that organizations with varying levels of resources and technical expertise can deploy products securely.
The organization may not have a dedicated full-time Chief Information Security Officer, or even an Information Technology Director.
Products should be securely configured out of the box so that the burden isn't on non-IT personnel to implement configurations correctly.
When serving K-12 institutions, you are serving an organization whose users are just learning their ABCs.
Product design should reflect this so that anyone can use a product securely without needing to be a cybersecurity expert.
Security is often not their primary focus or motivator.
Take CISA's Secure by Design pledge to commit to building products that have security built in from the start and available out of the box.
Make it easy to use technology products securely for users of all skill levels.
Not every organization has a dedicated full-time CISO, IT Director, or even a team member with the technical background to understand a product's security controls and their impact on the organization's digital ecosystem.
Industry should include a Customer Responsibility Matrix and simplified instructions as part of a product offering and implementation.
This is a requirement in StateRAMP's security package for StateRAMP Ready and StateRAMP Authorization, as security relies on shared responsibilities.
Ideally, end users shouldn't need to take any steps to use a product securely.
Consider reviewing hardening guides to lift the burden from users by making secure configurations the default.
Contribute time and technical expertise to programs that support the cyber readiness of schools, municipalities, and non-profits.
Industry subject matter experts can advise under-resourced organizations on cybersecurity best practices through participation in cyber volunteer programs.
Industry can also participate in programs such as StateRAMP, the Multi-State Information Sharing and Analysis Center (MS-ISAC), NetHope, and others that provide shared resources to state, local, educational, and non-profit organizations.
CISA does not endorse any commercial entity, product, company, or service, including any entities, products, or services referenced or linked to on this page.
Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise does not constitute or imply endorsement, recommendation, or favoring by CISA.
This Cyber News was published on www.cisa.gov. Publication date: Thu, 09 May 2024 16:13:06 +0000