I recommend clients start with the NIST Cybersecurity Framework. There are various components, but today we will specifically focus on 800-53, which is a cybersecurity standard and compliance framework developed by the National Institute of Standards and Technology. I LOVE it! Why? Because it’s a framework that defines standard cybersecurity controls, it’s maintained, it’s current and it’s FREE! Not only is it free, but NIST provides supplemental guidance, blogs, support… they truly want organizations to have a shot against threats.
- The NIST 800-53: A cybersecurity standard and compliance framework developed by the National Institute of Standards and Technology.
- It’s free.
- It’s a framework that defines standard cybersecurity controls.
- It’s kept current.
- NIST provides supplemental guidance and blogs.
800-53 is basically a spreadsheet of security and privacy controls. There are control components, such as access management and incident response, the corresponding control text, and discussions that provide additional guidance. The implementation of NIST can be daunting. After all, there are over 1,000 control considerations. It’s important to remember this is not an all-or-nothing game. Review the components and decide where it makes the most sense for your organization to begin.
The NIST Primary Components are sometimes referred to as families. They include:
- AC Access Control
- AT Awareness and Training
- AU Audit and Accountability
- CA Assessment, Authorization and Monitoring
- CM Configuration Management
- CP Contingency Planning
- IA Identification and Authentication
- IP Individual Participation
- IR Incident Response
- MA Maintenance
- MP Media Protection
- PA Privacy Authorization
- PE Physical and Environmental Protection
- PL Planning
- PM Program Management
- PS Personnel Security
- RA Risk Assessment
- SA System and Services Acquisition
- SC System and Communications Protection
- SI System and Information Integrity
Identify those that would satisfy your most pressing requirements or concerns and begin there. Risk Assessment, Incident Response, Contingency Planning and Access Control are where I typically see most organizations begin. Write global policies that apply to the organization as a whole, keeping in mind that individual units and departments should define procedures for how they will comply. All policies should be written such that a law degree is not necessary to decipher the information. And always be sure to define the policy owners, the scope, the requirements and an enforcement statement. Lastly, include a statement regarding how the policy will be maintained, for instance that it will be reviewed and updated as appropriate on an annual basis.
If you aren’t sure where to begin, start with Risk Assessment. This policy and process will clarify your next steps. Policy templates are a great first step.