The NIST framework for cyber security
is a living document that details five areas of focus your business can use as the outline for filling out your cyber security portfolio. We’ve provided a summary of each so that you have a starting point for taking the next steps to protect your business’s data. Think of the information below as a detailed checklist to print out and mark off when you have each completed. Once they’re all finished, know that you, your stakeholders, and your customers can feel prepared for cyber security events, no matter your industry, budget, or level of risk.
You need to understand the WHAT of your business. Create inventories, data flows, maps, and catalogs of the following:
- Assets: personnel, computers, servers, software, databases, cloud services, etc.
- Business environment: your business’s role within your industry; your mission; and what your critical services are.
- Governance: legal and regulatory requirements for cyber security in your industry; processes, policies, and procedures to meet the requirements.
- Risk assessment: identify possible threats both internal and external; determine the impact of those threats to the business; define and prioritize how to respond to those risks.
- Risk management strategy: establish processes to manage risks; sign off with stakeholders; express the business’s risk tolerance clearly and transparently.
Develop and implement safeguards. You need to ensure delivery of your critical business services by setting up the following:
- Access control: manage authorized devices and users; protect physical access to assets; provide encrypted remote access; use principles of least privilege to grant access; segregate network where appropriate to create network integrity.
- Awareness and training: regularly train and inform users on risks; set high expectations for privileged users; clearly communicate expectations to third-party vendors.
- Data security: protect data-at-rest; protect data-in-transit; set policies for disposing of old assets; ensure uptime by providing adequate capacity; implement data leak protection; keep development and testing environment separated from production.
- Information protection processes and procedures: define your system development life cycle to manage implementations; put a configuration change control process in place; set up regular backups and test frequently; set a policy for destroying data; define response and recovery plans.
- Maintenance: log maintenance and repair; ensure approval, logging, and performance for all remote maintenance.
- Protective technology: record audits and logs; create a careful policy for the use of removable media.
Unfortunately, the likelihood of your business dealing with a cyber security event is pretty much guaranteed. You want to be the one identifying when it happens, not finding out from a third-party. Get the following taken care of:
- Security continuous monitoring: monitor the network for cyber security events; set up physical security monitoring; track personnel; detect malicious code; set up regular vulnerability scans.
- Detection processes: define the roles and responsibilities for detection and accountability; test detection processes.
Do you know how you will act if a cyber security event is detected? Define your game plan ahead of time by using the following:
- Analysis: investigate all notifications from detection systems; understand the impact of any incident; research causes; categorize incidents with corresponding response plans.
- Mitigation: contain incidents; mitigate incidents; document any newly identified vulnerabilities and determine risk.
- Improvements: include lessons learned with response plans; update response strategies.
Be resilient. To do this, you should prepare ahead of time the activities and plans for restoring business services and repairing your brand following an event. Do the following:
- Recovery planning: execute a plan during or after an event.
- Improvements: include lessons learned with recovery plans; update recovery strategies.
- Communications: manage public relations; work to repair reputation following an event; communicate recovery activities to stakeholders and management.
Cyber security risk affects your business’s bottom line. Make it a priority. When you have a well-organized plan for creating an effective portfolio of cyber security services, you can feel confident in setting your business up for success, providing you with a strong environment to then cultivate innovation and growth, as well as creating trust and brand recognition with customers. By using NIST’s Framework, regardless of size or degree of risk for your business, you will improve your security and resilience for your critical infrastructure. As you look for the best cyber security products to fill out your portfolio, choose those that provide the following three services our CEO Francis Dinha outlined in a recent Forbes article
- Private access to information on the internet through encryption and masking of your IP address.
- A powerful system for filtering out all kinds of cybercrime, including DDoS.
- Virtual presence in the U.S., Europe or another country that is known to provide some level of unrestricted access to information in the cloud.