Steps for using Uncle Sam’s framework for cybersecurity
Organizations need to have buy-in at all levels when putting protocols in place
By Edric Wyatt, Special to ThirdCertainty
For organizations of all sizes seeking to improve their security posture, there is a terrific best practices resource that is comprehensive, flexible and, best of all, free.
What I’m referring to is the National Institute of Standards and Technology’s risk management framework set forth in its NIST 800 series of documents.
The NIST 800 series is Uncle Sam’s own computer security policies, procedures and guidelines. It has been widely implemented in most federal agencies, and comes into play in an array of cybersecurity recommendations issued by various bodies in both the public and private sectors.
The U.S. Food and Drug Administration, for instance, recently referred to the NIST framework in issuing draft guidance for medical device manufacturers to implement cybersecurity risk management planning for products already out in the marketplace.
The NIST series derives from extensive research into practical and cost-effective steps to take a more proactive approach to improving information security and network security. And many organizations rely on adherence to the NIST framework as part of being prepared to deal with legal matters involving security issues.
Best of all, the NIST 800 series exists as a public service. The documents are available at no cost to organizations of all types and sizes, small- and medium-size companies, educational institutions and state and local government agencies.
In particular, NIST 800-53 is a great place for any information security team to begin establishing or evolving a robust set of infosec controls. I can attest to this first-hand, based on the principal role I played in helping my company, IDT911, get fully immersed in this part of the series. Here are three steps to successfully leverage the NIST framework at your organization:
- Seek senior-level buy-in. We made sure to invite top management to regular summary briefings with subject matter experts. This gave our senior execs ample opportunity to commit to the process of improving the company’s security posture. We took pains to send senior managers draft policies well ahead of time. That enabled them to arrive better prepared to fully engage in briefing sessions. And if, for some reason, they had to miss a session, they could still participate in the feedback loop. Bottom line: Anything you can do to engage senior leaders and keep them actively involved is well worth the effort.
- Do what you can. NIST 800-53 outlines in great detail how to establish baseline infosec controls based on an organizational assessment of risk. To leverage the NIST framework, we engaged our subject matter experts in a triaging process. For instance, with respect to the 44 controls called out by NIST’s “systems and communications protection policy,” we cross-referenced the NIST controls to our existing policies and procedures. This allowed us to clarify and focus on our highest-priority controls. And we were able to put the controls that did not directly apply to our specific operations on a schedule for periodic future reviews. In fact, this is just how the NIST 800 framework should work. NIST should help you foster development of effective infosec policies that are actually useful to your unique organization.
- Be wary of the butterfly effect: An insect flapping its wings in China can trigger a tornado in Florida. Creating new policies can trigger new responsibilities and intensify pressure on existing resources. It is vital to get buy-in, not just from top management, but especially from mid-level management, on whose shoulders a new tier of specific responsibilities likely will fall. The good news is that many of the NIST 800 controls are straightforward and self-explanatory. A thorough review of the NIST protocols makes it obvious who is best suited to perform a particular function.
Your goal should be to make NIST work for your particular organization, not just to tighten security, but especially to free up your organization to be more productive. At IDT911 our mantra has become “enabling the business securely.” We express this often. Transparency and teamwork are the result. Meanwhile, this continual feedback loop is helping us keep our NIST controls alive and vital.