Steps for using Uncle Sam’s framework for cybersecurity

Organizations need to have buy-in at all levels when putting protocols in place


For organizations of all sizes seeking to improve their security posture, there is a terrific best-practices resource that is comprehensive, flexible and, best of all, free.

What I'm referring to is the National Institute of Standards and Technology's risk management framework, set forth in its NIST Special Publication 800 series of documents.

The NIST 800 series is Uncle Sam's own set of computer security policies, procedures and guidelines. It is implemented across the federal agencies, where FISMA makes it mandatory, and it is referenced in an array of cybersecurity recommendations issued by bodies in both the public and private sectors.


The U.S. Food and Drug Administration, for instance, recently referred to NIST's cybersecurity framework, whose outcomes map back to 800-53 controls in its informative references, when it issued draft guidance for medical device manufacturers on cybersecurity risk management planning for products already out in the marketplace.

The NIST series derives from extensive research into practical, cost-effective steps for taking a more proactive approach to information security and network security. Many organizations also rely on documented adherence to the NIST framework when they need to demonstrate due care in legal matters involving security issues.

Best of all, the NIST 800 series exists as a public service. The documents are available at no cost to organizations of all types and sizes: small and medium-size companies, educational institutions and state and local government agencies.

In particular, NIST SP 800-53, the catalog of security controls, is a great place for any information security team to begin establishing or evolving a robust set of infosec controls. I can attest to this first-hand, based on the principal role I played in helping my company, IDT911, get fully immersed in this part of the series. Here are three steps to successfully leverage the NIST framework at your organization:

  • Seek senior-level buy-in. We made sure to invite top management to regular summary briefings with subject matter experts. This gave our senior execs ample opportunity to commit to the process of improving the company's security posture. We took pains to send senior managers draft policies well ahead of time, so they arrived better prepared to fully engage in the briefing sessions. And if, for some reason, they had to miss a session, they could still participate in the feedback loop. Bottom line: anything you can do to engage senior leaders and keep them actively involved is well worth the effort.
  • Do what you can. NIST 800-53 outlines in great detail how to select baseline infosec controls based on an organizational assessment of risk. To leverage the NIST framework, we engaged our subject matter experts in a triage process. For instance, for the 44 controls in the System and Communications Protection (SC) family, SC-1 through SC-44 in Revision 4, we cross-referenced each NIST control against our existing policies and procedures. This let us identify and focus on our highest-priority controls: those in our baseline that no existing policy covered, or covered only partially. The controls that did not directly apply to our specific operations we put on a schedule for periodic future review, so that a "not applicable" decision is revisited rather than forgotten. In fact, this is just how the NIST 800 framework should work: it should help you develop effective infosec policies that are actually useful to your unique organization.
  • Be wary of the butterfly effect: an insect flapping its wings in China can trigger a tornado in Florida. Creating new policies can trigger new responsibilities and intensify pressure on existing resources. It is vital to get buy-in not just from top management, but especially from mid-level management, on whose shoulders a new tier of specific responsibilities will likely fall. The good news is that many of the NIST 800 controls are straightforward and self-explanatory. A thorough review of the NIST control statements makes it obvious who is best suited to perform a particular function.
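The triage described in the second step, as an added example that is not part of the original article or IDT911's own tooling: it cross-references a subset of the SC family against an organization's policy map, ranks gaps by whether the control sits in the organization's chosen baseline, and puts "not applicable" decisions on a review schedule. The catalog subset, the baseline tags, the policy document names and the statuses are all constructed for illustration; check baseline membership against the 800-53 catalog before relying on it.

```python
"""Control triage for the NIST SP 800-53 SC family (added example).

Every catalog entry, baseline tag, policy name and status below is constructed
for illustration (assumption), not taken from the article or from any real
organization's policy set.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed subset of the SC family: control ID -> (title, baselines it appears in).
CATALOG = {
    "SC-1":  ("System and Communications Protection Policy and Procedures", {"low", "moderate", "high"}),
    "SC-7":  ("Boundary Protection", {"low", "moderate", "high"}),
    "SC-8":  ("Transmission Confidentiality and Integrity", {"moderate", "high"}),
    "SC-12": ("Cryptographic Key Establishment and Management", {"low", "moderate", "high"}),
    "SC-13": ("Cryptographic Protection", {"low", "moderate", "high"}),
    "SC-28": ("Protection of Information at Rest", {"moderate", "high"}),
    "SC-44": ("Detonation Chambers", set()),  # illustrative: tagged as in no baseline
}

# Constructed result of the subject-matter-expert review: control ID -> existing
# policy (if any) and status: "covered", "partial", "gap" or "na" (not applicable).
POLICY_MAP = {
    "SC-1":  {"policy": "ISP-01 Information Security Policy", "status": "covered"},
    "SC-7":  {"policy": "NET-03 Perimeter Firewall Standard", "status": "covered"},
    "SC-8":  {"policy": "NET-05 Encryption in Transit Standard", "status": "partial"},
    "SC-12": {"policy": None, "status": "gap"},
    "SC-13": {"policy": "CRY-01 Approved Cryptography", "status": "covered"},
    "SC-28": {"policy": None, "status": "gap"},
    "SC-44": {"policy": None, "status": "na"},
}


@dataclass
class TriageItem:
    control: str
    title: str
    status: str
    policy: Optional[str]
    priority: Optional[int]   # 1 = most urgent; None for deferred (n/a) items
    review_by: Optional[date]  # set only for n/a items


def _control_number(control_id: str) -> int:
    """Sort key so SC-8 comes before SC-12 (string sort would not)."""
    return int(control_id.split("-", 1)[1])


def triage(catalog, policy_map, org_baseline, today, na_review_days=365):
    """Return (work_items, deferred_items).

    work_items: gaps and partial coverage, most urgent first. A control in the
    organization's baseline outranks one outside it; a gap outranks partial.
    deferred_items: controls judged not applicable, each with a review date so
    the decision is revisited instead of forgotten.
    A catalog control missing from policy_map is treated as an unreviewed gap
    rather than silently dropped.
    """
    work, deferred = [], []
    for cid, (title, baselines) in catalog.items():
        entry = policy_map.get(cid, {"policy": None, "status": "gap"})
        status = entry["status"]
        if status == "na":
            deferred.append(TriageItem(cid, title, status, None, None,
                                       today + timedelta(days=na_review_days)))
            continue
        if status == "covered":
            continue
        if status not in ("gap", "partial"):
            raise ValueError(f"{cid}: unknown status {status!r}")
        priority = {"gap": 1, "partial": 2}[status]
        if org_baseline not in baselines:
            priority += 2  # outside our baseline: still tracked, but after in-baseline work
        work.append(TriageItem(cid, title, status, entry["policy"], priority, None))
    work.sort(key=lambda i: (i.priority, _control_number(i.control)))
    deferred.sort(key=lambda i: _control_number(i.control))
    return work, deferred


def baseline_coverage(catalog, policy_map, org_baseline):
    """Fraction of in-baseline catalog controls whose status is 'covered'."""
    in_scope = [cid for cid, (_, b) in catalog.items() if org_baseline in b]
    covered = [cid for cid in in_scope
               if policy_map.get(cid, {}).get("status") == "covered"]
    return len(covered) / len(in_scope) if in_scope else 1.0


if __name__ == "__main__":
    work, deferred = triage(CATALOG, POLICY_MAP, "moderate", date(2015, 3, 1))
    print(f"moderate-baseline coverage: {baseline_coverage(CATALOG, POLICY_MAP, 'moderate'):.0%}")
    for item in work:
        print(f"P{item.priority} {item.control:<6} {item.status:<8} {item.title} "
              f"(existing: {item.policy or 'none'})")
    for item in deferred:
        print(f"n/a {item.control:<6} review by {item.review_by}: {item.title}")
```

The sort key matters in practice: string-sorting control IDs puts SC-12 before SC-8, so the numeric key keeps the report in catalog order within each priority. Treating an unmapped control as a gap is deliberate; the failure mode in a spreadsheet-driven triage is a row that was never filled in and therefore never surfaces.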

Your goal should be to make NIST work for your particular organization: not just to tighten security, but especially to free up your organization to be more productive. At IDT911 our mantra has become "enabling the business securely." We express this often, and transparency and teamwork are the result. Meanwhile, this continual feedback loop is helping us keep our NIST controls alive and vital.
