There are 5 main core functions of the NIST Cybersecurity Framework: Identify, Protect, Detect, Respond and Recover. Let’s focus on the importance of the core function of Protection.
Protecting a cyber system takes more than just physical security controls and cyber access controls. In fact, out of all 5 core functions of the NIST Cybersecurity Framework, most organizations will spend more of their time on protecting their cyber assets than any of the other core functions. Since protection involves physical security, cyber security and personnel it should be an area of focus for all organizations and departments.
That is the challenge. How do you protect your cyber assets? What needs more protection and what needs less? A college professor of mine had a saying when it came to protecting cyber assets, “Protect diamonds like diamonds and protect pens like pens”, meaning you would not have the same security measures to protect a valuable cyber asset verses an inconsequential cyber asset.
The following questions are to help in understanding what needs to be protected and to what extent:
- What is the cyber asset you are trying to protect? What is its function?
- If this cyber asset were to fail, how much of an impact would it have on the rest of the system? Would failure of this equipment cause a critical failure of the system?
- How is the cyber asset really protected and used by personnel? Is that correctly documented in the policies and procedures your organization has?
- How comprehensive is your current training program when considering the cyber asset you are trying to protect? Do the personnel who will be around this cyber asset need to be trained in its use?
- What are the physical or cyber limitations of this cyber asset? What is its breaking point?
- If this cyber asset breaks and/or is destroyed has your personnel been trained in repairing or replacing that equipment, and have they practiced repairing or replacing that cyber asset?
- Who will be accessing this equipment and what data will they have access too? Are they trained in protecting the data they have access to?
When taking these questions into consideration, you can get the following categories to build and mature your Cybersecurity program:
- Identity Management and Access Controls
- Identifying who needs access to what systems, locations or data and what access controls need to be put in place to allow only authorized access.
- Awareness and Training
- Development of an awareness and training program to inform personnel of how to identify threats, what threats are currently being used by threat actors and how to respond to the threats base on the policies in place by your organization.
- Data Security
- Using access controls as stated above to enforce data integrity and security, by having written controls and procedures in place to prevent unauthorized access or use of sensitive documents or data.
- Information Protection Processes and Procedures
- Development of a detailed plan on how access controls are implemented, how data is secured, how the data is allowed to be access and having a process in place on how to grant access, preferably using the principal of least privilege.
- Maintenance and Protective Technology
- Development of a program to keep all systems and protective technology, such as firewalls, antivirus software and intrusion detection systems, up to date and verify that maintenance, such as patch management, is preformed regularly.
The questions above do in fact touch all 5 core functions of the NIST Framework in how they can be answered. But that is by design, you cannot protect a cyber asset you haven’t identified, you cannot protect a cyber asset if you have no methods to detect a malfunction, you cannot respond to an event if the cyber asset is not protected and you cannot recover properly if the cyber asset in question is not protected.
For more information on this topic, reach out to our Cyber Security Team.
James Fenstermaker, Project Consultant