Thought Leadership
Customizing Your Organization’s IT Framework
Creating an IT framework isn’t just about protecting intellectual property or trade secrets – it’s about stopping attacks that can disable your business. By laying out an IT framework, you’re ensuring devices are protected and business operations run smoothly.
Finding the right framework fit for your organization’s IT approach is easy when working with a team that understands the current landscape and requirements of your business. With Thrive, you can have a customized IT framework that provides transparency, security and performance.
Thrive’s Top IT Frameworks: ITIL & CIS
There are two frameworks we tend to use here at Thrive: ITIL (IT Infrastructure Library)-based and CIS (Center for Internet Security)-based. ITIL-based frameworks govern things like efficiency, capacity planning, liability planning, and end user requests. Lately, my focus has been on CIS-based frameworks, which give insight into what is being done well within an organization and where improvements can be made.
Oftentimes, we identify areas in which there may be framework gaps. This can be anything from comprehensive asset management and discovery to software packages. One big challenge organizations currently face is the concept of “shadow IT.” With different business units utilizing the cloud, there’s no need for employees to request permission to install applications or contact IT to perform a basic action, like using Google Drive. However, this can raise its own set of problems.
Staying On Top of Security
By going through CIS software discovery controls, we help raise awareness to ensure that a business is aware of all applications, both cloud and internal, and account for them.
This helps answer important questions like:
- How is a member of the organization authenticating themselves?
- What’s the nature of the data that’s being stored?
- When someone leaves an organization, is HR aware that files can be transferred, putting company information at risk?
- Are unauthorized users accessing sensitive or proprietary information?
We help organizations understand hardware and software controls, who should manage authentication for systems, what level of encryption is present, and whether endpoint patching and endpoint detection and response systems are in place.
If something happens, how do you respond if there is suspicious activity? How are employees notified of a potential incident, and who should be contacted for the next steps? We go through these controls with IT leaders and key members and stakeholders at the executive team level to enlighten organizations.
Using Frameworks to Set Priorities
Within the CIS framework, there are benchmarked levels that a company can strive to reach, and we often help clients evaluate which level is the right fit for them. This helps keep an IT organization aligned on which actions can efficiently produce the best outcome (or reduce the risk of bad outcomes) instead of sinking resources into something beyond their needs.
Security training goes a long way, and bringing your workforce up to speed can have several benefits. A SIEM service can identify and respond to security anomalies, but if you can educate your user community for a relatively low cost, you now have more eyes trained to identify anomalies or limit the likelihood of a phishing attack.
DNS filtering should be another standard. How does your company figure out what cloud applications employees are using? With DNS filtering across all devices, you’re opening the lines of communication with employees, with the ability to add controls to account for who is logging into the system. This allows you to track how data is flowing and how to protect it.
By laying out a framework in phases, we can show the steps that should be taken, including the basics, to make sure your users are educated and endpoint devices are protected. Typically, in a first phase, we focus on security awareness training, to show executive teams how many employees have failed when it comes to a phishing-type attempt.
When putting in something like EDR (endpoint detection and response), we can show visibility into the types of issues that can happen. It’s not just about protecting trade secrets – it’s about protecting business uptime and minimizing downtime.
__________________
The Thrive team is here to adopt the framework that will be the best fit for your organization.