A Guide to NIST CSF Controls

A Guide to NIST CSF Controls

The NIST Cybersecurity Framework is a globally recognized set of best security practices and guidelines. Although compliance is voluntary, and the framework provides much flexibility over how organizations implement the various controls it encompasses, it is heavily tied to the NIST Special Publication 800 53.

Compliance with NIST SP 800 53 is mandatory for federal agencies and organizations making up the Defense Industrial Base. That being said, the NIST Cybersecurity Framework sets the standards for security, and even though it was originally released with critical infrastructure in mind, it has since been widely adopted across multiple industry sectors.

A NIST Cybersecurity Framework overview

The NIST Cybersecurity Framework recommended controls share a lot in common with those mandated under the NIST SP 800-53. The framework covers five key functions, which include identifying risks and assets, protecting against them, proactively detecting threats, responding to them, and recovering from incidents. These five function areas are broken down into several categories and subcategories, which broadly align with the controls specified in NIST SP 800 53. The special publication itself contains 18 control families, while the framework includes 23 categories in total and 108 subcategories.

Here is an overview of what organizations need to do to implement the key NIST CSF controls:

#1. Continuous risk assessment

In the dynamic and unpredictable world of information security, the only constant is change. No business can afford to rely on the same controls and processes for years on end, which is why it is necessary to maintain a continuous risk assessment process. This applies across all five function areas of the NIST CSF, where every process should be repeatable and scalable.

Keeping in line with the continually evolving information security landscape, regulations also change and adapt regularly. For example, organizations that make up the Defense Industrial Base must now adhere to the CMMC framework. Integrated and continuous operational risk management makes it easier to adapt to these changes and keep a step ahead of the threats.

#2. Auditability of all systems

Perhaps one of the biggest challenges in today’s hyperconnected technology environment is maintaining visibility into every data-bearing asset and communications channel. In the age of cloud computing, it can be difficult to even figure out where your data actually lives. While the administrative controls might be in place to protect it, businesses might not have any control over physical security, for example.

The first function area of the NIST CSF, Identify, is all about identifying and mapping your IT assets and the risks that face them. However, since the risk environment changes all the time, it is vital to keep a log of all account access attempts, devices, and systems. Security Incident and Event Management (SIEM) can go a long way towards helping organizations achieve this.

#3. Defining the perimeter

Traditionally, IT administrators would identify which assets needed protection and monitoring by defining the perimeter. However, most business networks now extend far beyond the office environment to incorporate multiple public, private, and hybrid cloud assets that host data over many different physical systems. As such, the notion of conventional perimeter security is no longer relevant in most cases.

Instead, administrators should consider their computing assets in terms of individual nodes in need of protection, auditing, and monitoring. However, with the right SIEM solution, it can still be possible to manage the entire environment as a whole. NIST CSF controls must be applied to all remote access systems, external data services, portable devices, and any other endpoint or user account that accesses sensitive information.

#4. Managing incident remediation

The fourth and fifth function areas of the NIST CSF framework deal with incident response and recovery respectively. Every business should always plan for the worst-case scenario and take the assumption that an incident will happen eventually, regardless of their protective and detection systems.

A robust incident response platform can prevent security incidents from becoming serious and leading to data breaches or leaks or unscheduled downtime. Any incident response program should be regularly reviewed and updated, especially if any changes have been made to your operational or technology infrastructure.

The final function area of the NIST CSF concerns incident recovery, and every plan should be prepared for the worst-case scenario. The main goal must be to minimize long-term damage to the business in line with their appetite for risk and the priority of their systems. For example, if payment systems are compromised, that would typically present a much more urgent issue than a database of names and email addresses being breached.

Charles IT is your dependable compliance and information security partner in Connecticut. Get in touch today to schedule your first consultation!