IT Security for the Small Business
Written by CDS Team,
Monday, 23 May 2011

Certified Digital Security welcomes Logically Secure Ltd to the CDS community.  We have recently completed an assessment of the SecureME! product offered by Logically Secure and we are pleased to announce that we have awarded them a Level 3 certificate specific to the product; this means that every purchase of SecureME! will now come with a CDS Level 3 (SecureMe!) certificate.

 

SecureME! provides enterprise-style security measures and support to the lone operator, taking care of the encryption, anti-virus, secure configuration and training requirements, as well as supplying CDS compliant policies, plans and procedures.  Logically Secure deliver their product in partnership with world class providers such as Symantec, McAfee and Cy4or, helping to ensure that the end-user has reliable security measures in place and a first-rate support network.

 

For further details go to http://www.LogicallySecure.com/SecureME

Last Updated ( Monday, 23 May 2011 16:36 )
 
Want to start Information Security in your company, but don't know where to begin?
Written by CDS Team,
Wednesday, 11 May 2011

Not knowing where to start in Information Security is a common problem and is the reason why we started developing this simple to follow standard (now in simpler English) back in September 2008.

 

Since June 2009, we have worked to develop the CDS to be as accessible as possible, removing the techie and complex security speak that peppers most standards.  Whilst we respect and recognise the value of ISO27001, HIPAA, PCI DSS and other Information Security standards, we believe they weren't written with the Small to Medium Enterprise (SME) organisation in mind, because they were designed by security professionals for security professionals.

 

The Certified Digital Security (CDS) standard is different; it was developed by an SME for SMEs.

 

CDS was designed to allow smaller organisations to demonstrate to their larger clients that they had undertaken the security basics and that the big corporations' data was safe on the SME's systems, and so to help develop greater confidence between the businesses.

 

CDS was actually developed following our work with the music and film industries; we had conducted many reviews and audits of small, technical and artistically unique organisations that were delivering music gold out of the security equivalent of tin cans.

 

We developed these simple to follow steps to allow SMEs to 'work at it' over several years, incrementally improving their security, while still allowing the organisation to be boutique and specialised, secure and robust but still nimble and fast.

 

In October 2008 CDS Level 3 and Level 6 were openly adopted (with some content-management-industry specific adjustments) by the Content Delivery and Storage Association (CDSA), the film and music trade body, as the basis for their Content Protection and Security, THE worldwide standard that they use to gauge compliance for all sites but especially their SME partners.  For further details see http://www.cdsaonline.org/content-protection-and-security-standards-and-procedures/

 

To get an understanding of the types of organisations that now work to CDS Levels 3 and 6, have a look at the CDSA Members listings:  http://www.cdsaonline.org/directory/member-companies/.

 

So if you are looking for the most implemented, but easiest to understand, IT Security Strategy in the world, then CDS Levels 1 through 3 are what you need.  These requirements are written in simple English, and all 3 Levels fit on one page of A4!  (There is also a link to a PDF version.)

  


 

Think about which areas are important to your business; now focus upon the things that relate to data or information. CDS concentrates on how you protect these items and this information.

 

Certified Digital Security Level 1


To achieve a CDS Level 1 grade of security, you will need to show you have done the following:

  1. Write a Policy for Managing Information and its Security (including how your staff should use email and the Internet).
  2. Give everyone their own user account (protected with a password).
  3. Don’t use a Microsoft Windows ‘Administrator’ or 'Super User' account for routine work (eg email).
  4. Install an AntiVirus product (and keep it up to date).
  5. Tell your staff how they need to dispose of things that may hold important information (yours or that of your customers).
  6. See if the Information Commissioner’s Office believes you should be Data Protection Act registered.

 

Certified Digital Security Level 2


To achieve a CDS Level 2 grade of security, you will need to show you have also (in addition to Level 1) done the following:

  1. Confirm your computer administrator’s references and have them background checked (eg credit check).
  2. Teach your users how to use computers and the Internet in a safe and secure way.
  3. Keep your software and hardware up to date.
  4. Keep a list of your most valuable assets.
  5. Switch on your computer’s logging and record keeping (where possible).
  6. Get the contact details of a computer emergency call-out company printed out in case the computers crash, you lose data or get hacked (this could be your normal IT Support).
  7. Switch on the encryption on the wireless networks (WPA2).
  8. Check for things you didn't agree to have on your network.

 

Certified Digital Security Level 3


To achieve a CDS Level 3 grade of security, you will then need to show you have also (in addition to Levels 1 and 2) done the following:

  1. Check you need and have licences for all the software installed (remove stuff you don’t).
  2. Ensure your computer administrators are trained to do the stuff you need them to do.
  3. Use an up-to-date firewall when connecting to other networks (including the Internet).
  4. Dispose of things that hold data in a way that prevents others ever reading it again.
  5. Plan how you would deal with a disaster or big computer problem.
  6. Make sure your servers are physically secure.
  7. Don’t allow personal equipment on the network.
  8. Limit external access to computers from the Internet.

 

Attachments:
File: Starting Information Security.pdf
Description: Starting Information Security. One page outlining CDS Levels 1 to 3, in simple English.
File size: 406 Kb
Last Updated ( Thursday, 19 May 2011 19:13 )
 
CDS RoadMap
Written by CDS Team,
Saturday, 29 May 2010


 

This RoadMap has been designed to allow organizations to conduct a quick check of their current standing in relation to the CDS levels. 

Under each level are the short descriptions of the items required at that level.  Items already implemented can be checked off on the sheet, which can then be used to compare what has already been achieved and to quickly show the viewer what could be done next.

 

The PDF file linked to this posting outlines the roadmap through the various levels; it was designed to be printed onto A3 paper, so the text and check boxes were scaled appropriately. 

Remember that the CDS material on the website may be used to improve an organization's security at no cost to them.  The information is provided free on the condition it retains the branding it was released with.

For additional information do not hesitate to contact us.

Last Updated ( Sunday, 30 May 2010 16:58 )
 
Using the SANS Top 20 Critical Controls to Support and Develop a CDS Certified System
Written by CDS Team,
Monday, 21 September 2009

Ahead of version 3 of the CDS, this document will briefly identify the relationship between the CDS Levels 1-9 and the SANS Top 20 Critical Controls.

 

The controls identified by SANS are excellent and have been developed by seasoned IT Security Practitioners based upon evidence, experience and post incident analysis. The reader is strongly encouraged to review the list of contributors before discounting the value of this Top 20. (http://www.sans.org/critical-security-controls/guidelines.php).

 

Excellent though they are, the SANS Top 20 Critical Controls are not always achievable in every industry sector (through user resistance, a lack of consideration of the risk or a lack of funds). That said, they should not be discarded as too difficult or not relevant, as there is something to be learnt from every control.

 

This short document aims to show the reader how the detail from the SANS Top 20 Critical Controls can be used to assist those seeking to follow the CDS roadmap to a more secure system.  

Note: The SANS Top 20 Critical Controls are detailed, and many of their Advanced or Configuration/Hygiene measures are long-term implementation requirements. Depending upon the CDS level aimed for, the initial results of the Quick Wins can be sufficient to meet the CDS requirements, although organizations are strongly encouraged to implement additional long-term controls and measures wherever possible.

 

The SANS Controls listed in the PDF attached to this article are taken from http://www.sans.org/cag and they were at version 2.1 when the document was written.

Attachments:
File: Mapping the CDS Levels to the SANS 20 Critical Controls.pdf
Description: CDS_to_SANS_TOP_20_Controls
File size: 76 Kb
Last Updated ( Monday, 26 April 2010 00:28 )
 
Release of CDS Version 2
Written by CDS Team,
Monday, 29 June 2009

CDS Version 2 Released

 

This new version of the CDS is now available in PDF format and has been formatted to be more presentable to business organizations and senior management (we felt they are less likely to have MindMap software on their system).

 

The CDS documents are also now available to the community, a move that we hope will encourage others outside the client base in which we work to adopt them and thus add to the overall security of the community and the internet.

 

If you have any comments or thoughts on the CDS Version 2 Release 1, please get in touch; we are always grateful to get constructive comments. Email us at "input at certifieddigitalsecurity com"

Last Updated ( Monday, 26 April 2010 13:21 )