NIST CSF Controls: A Handy Checklist
One of the most common drawbacks of cybersecurity frameworks and standards is that they fail to make a sufficiently compelling case to business leaders. Many focus on the needs of IT teams and exhibit high technological complexity and technical challenges for implementation. Others are biased towards specific types of computing infrastructure or even specific vendors.
The NIST Cybersecurity Framework takes a different approach. It makes clear from the outset that cyber-risk is business risk. To that end, it is more a risk-management framework, and that is something business leaders are very familiar with. The NIST CSF controls span five function areas, 23 categories, and 108 subcategories to ensure comprehensive coverage.
The framework serves as voluntary guidance, drawing from widely adopted best practices and existing guidelines and standards. It also gives organizations complete flexibility over how they implement the framework and how they prioritize their information security strategies. Version 1.1, published in 2018, also places a greater emphasis on protecting supply chains.
Introducing the NIST Cybersecurity Framework phases
The NIST security control categories span five function areas that cover the entire lifecycle of cybersecurity-related incidents. Each of the 23 NIST CSF control categories are broken down into subcategories, of which there is a total of 108. These are directly tied to desired business outcomes. For example, the very first subcategory addresses physical device inventorying.
In addition to the Framework Core detailed above, there are two other main components – the Framework Implementation Tiers and the Framework Profile. The tiers provide context as to how the organization views its cybersecurity risk and how it manages it. The profiles represent the desired outcomes, prioritizations, and controls adopted specifically for your organization.
The first phase of implementing the framework deals with evaluating your current environment and building out your risk profile. This involves inventorying every information-bearing device or virtual machine that makes up your environment and defining the roles and responsibilities of your stakeholders and workforce.
- Asset management: Create a complete inventory of all devices, accounts, personnel, data assets, facilities, and their risk profiles.
- Business environment: Define the organization’s mission, stakeholders, objectives, and activities to inform cybersecurity roles.
- Governance: Draft the policies and procedures intended to manage and monitor the organization’s regulatory, risk, and operational environments.
- Risk assessment: Assess, qualify, and quantify the risks facing your business in order to prioritize the next steps.
- Risk management strategy: Identify your priorities, constraints, and tolerance to risk to support operational decisions.
- Supply chain risk management: Apply the previous two categories to the context of supply chain risk management.
The next phase deals with the protective measures to be applied to mitigate the risks identified in the first phase. This function area encompasses the technical, physical, and administrative measures required across six primary categories:
- Identity management, authentication, and access control: Establish a robust way to grant and revoke access rights, ideally using multifactor authentication.
- Awareness and training: Implement a documented training program for personnel and partners to ensure everyone understands your policies and procedures.
- Data security: Ensure that data at rest or in transit is protected by encryption and that all devices are correctly tracked and managed.
- Information protection processes and procedures: Establish a way to enforce your policies and procedures and identify the scope and key roles and responsibilities.
- Maintenance: Create a maintenance program for managing and maintaining all data-bearing assets and system components.
- Protective technology: Establish protective measures, such as antimalware, spam-filtering, and security incident and event management (SIEM).
The third phase covers an organization’s ability to detect threats and maintain full visibility over its computing environment. This plays a vital role in advanced and proactive security, since it guards against new and unknown threats as well.
- Anomalies and events: Establish a way to detect anomalous activity and the potential impact of such events.
- Security continuous monitoring: All assets and networks must be monitored around the clock with a solution like managed detection and response.
- Detection processes: Enforce a cybersecurity-aware company culture by ensuring that detection processes and procedures are properly maintained.
Next, organizations must have a clearly defined and documented process for responding to threats. This is vital for stopping attacks in progress and mitigating their effects before they lead to far-reaching consequences:
- Response planning: Determine how and when incident response plans are executed and maintained.
- Communications: Identify the key roles and responsibilities of your incident response personnel, including any external support from law enforcement and other third parties.
- Analysis: Establish an effective way to analyze incidents to ensure an effective and appropriate response and support future remediation plans.
- Mitigation: Perform activities to prevent the proliferation of an incident and mitigate its effects on your organization.
- Improvements: Response activities should draw upon your audit trails to determine exactly what went wrong and improve based on these insights.
The fifth and final stage is all about preparing for the worst-case scenario. Regardless of how sophisticated your detection and response capabilities are, it is vital that you have a process in place for recovering from an incident, such as a data breach, with as little damage to your business, clients, and stakeholders as possible.
- Recovery planning: Document your disaster recovery processes and establish ways to minimize damage by restoring affected systems as quickly and as safely as possible.
- Improvements: Create a plan for identifying the strengths and weaknesses of your IT incident recovery methods to improve them in the future.
- Communications: Recovery activities must be properly coordinated, which means all personnel and third parties must be clearly aware of their roles and available to contact.
Charles IT is Connecticut’s premier compliance and information security expert. We offer the full range of managed technology solutions and consultancy services to ensure your business is up to speed with the latest threats. Get in touch today to schedule a meeting!