Concerns are constantly growing about companies that are not implementing the proper security controls to protect their information assets. A common question that arises is: how do you know which controls to implement? The NIST Cybersecurity Framework can be a valuable tool in guiding policy-makers and managers towards additional mitigation strategies.
NIST Special Publication 800-53 provides a catalog of security controls. Managers can use this catalog to implement additional measures or, conversely, to determine what is not needed at their organization. The NIST 800-53 document provides an overview of each control and specifies whether it addresses risk assessment, continuous monitoring, or other characteristics that are important for proper implementation.
Step 1 – Identify the Security Control
The first step in developing a compliance strategy based on NIST 800-53 is to identify which security control an organization needs to implement. Each identified control has additional information about its purpose and can be used as a baseline for initial protection of your information assets. This will help you determine the scope of your implementation project and how much time and resources should be allocated to the actual implementation.
Step 2 – Determine Applicability of a Control
Once a security control has been selected, you must determine which level of implementation is appropriate for your organization. Each security control is assigned to a low, moderate, or high impact level for systems that contain sensitive information. A common mistake organizations make when implementing NIST controls is implementing all of them, regardless of their impact level. It is important to assess the risk of implementing a control and determine whether the benefits outweigh the risks. This assessment should be revisited on a regular basis as your organization’s risk posture changes.
Step 3 – Security Control Implementation
After you have determined which security control(s) to implement, the next step is to put them into action. This process will vary based on the specific control selected but generally includes implementing technical and procedural controls, conducting tests and evaluations, and maintaining documentation. Many organizations find it helpful to use a project management methodology when implementing security controls.
Step 4 – Continuous Monitoring
Once your security controls are implemented, they should be continuously monitored for effectiveness. If your organization experiences an attack, you’ll need the insight to determine whether any of these security controls were breached or failed in their implementation. This is why it is essential to monitor the performance and status of each implemented control.
Step 5 – System Authorization
The last step in completing a compliance project based on NIST 800-53 is to gain system approval. The control list provided in the document can serve as a checklist for your organization when seeking approval from management and compliance teams.
It’s important that organizations not become overwhelmed with the amount of information provided by NIST 800-53. It is a valuable source that should be used as a starting point for your organization’s cybersecurity program. The most important takeaway from the document is that controls need to be tailored to the risk profile of an organization and implemented based on priority (low, moderate, or high) with continuous monitoring and re-assessments throughout their lifecycle.