8 NIST Security Controls to Focus on During, and After, a Crisis

In times like these, attacks are far more prevalent across some of our most prominent sectors. For information security leaders who have been working toward the measurement, implementation, and communication of best practices, or who are in the midst of adopting an industry standard such as the NIST CSF, time and resources may be constrained. Prioritizing the security initiatives that provide the most resilience against the most frequent attacks is therefore key to an organization's success. Better yet, communicating these activities in a way that business-side leadership understands is crucial to resourcing them efficiently and keeping everyone, from employees to customers to partners, safe.

Each of the controls listed below applies broadly to information security goals and helps buy down the risk to the confidentiality, integrity, and availability of information systems. In times like these, when ransomware, denial of service attacks, and disinformation campaigns are active in the wild, it's important to know where you stand and to direct activity towards the lowest-cost, highest-impact controls.

Amid the chaos, now is the time to align with security best practices more than ever before. Many organizations are deciding to adopt an integrated risk management approach to cybersecurity program management to support times such as these. Those who can efficiently identify gaps, direct resources, and know which actions will deliver the highest Return on Security Investment (ROSI) will come out of this crisis more resilient than they were before.

Spanning Incident Response, Planning, Program Management, Security Assessment and Authorization, and System and Information Integrity, these controls from the National Institute of Standards and Technology aim to align your organization with best practices and to protect it against cyber criminals who are taking advantage of the global crisis.

These eight controls are drawn from a newly launched practical set of forty-five NIST SP 800-53 security controls, selected through the NIST Cybersecurity Framework's mappings to that catalog. The control set shows where immediate resource allocation and response should go during this crisis, presented in a way that is actionable for both security teams and executive management.

 

IR-4: Incident Handling

Control Description: The organization implements an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery; Coordinates incident handling activities with contingency planning activities; and Incorporates lessons learned from ongoing incident handling activities into incident response procedures, training, and testing, and implements the resulting changes accordingly.

Remediation Steps Required: Implement an incident handling capability for security incidents. Include preparation, detection and analysis, containment, eradication, and recovery. Coordinate incident handling activities with contingency planning activities. Incorporate lessons learned from ongoing incident handling activities into incident response procedures, training, and testing, and implement the resulting changes accordingly.

Evidence Needed: Proof of Capability. This can be documented with form templates, such as those offered by SANS including an Incident Contact List, Incident Identification, Incident Survey, Incident Containment, Incident Eradication, Incident Communication Log, and Chain of Custody form. 



IR-8: Incident Response Plan

Control Description: The organization develops an incident response plan that: Provides the organization with a roadmap for implementing its incident response capability; Describes the structure and organization of the incident response capability; Provides a high-level approach for how the incident response capability fits into the overall organization; Meets the unique requirements of the organization, which relate to mission, size, structure, and functions; Defines reportable incidents; Provides metrics for measuring the incident response capability within the organization; Defines the resources and management support needed to effectively maintain and mature an incident response capability; and Is reviewed and approved by [Assignment: organization-defined personnel or roles]; Distributes copies of the incident response plan to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements]; Reviews the incident response plan [Assignment: organization-defined frequency]; Updates the incident response plan to address system/organizational changes or problems encountered during plan implementation, execution, or testing; Communicates incident response plan changes to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements]; and Protects the incident response plan from unauthorized disclosure and modification.

Remediation Steps Required: Develop an incident response plan that provides a roadmap for implementing an incident response capability. The plan should: describe the structure and organization of the incident response capability; provide a high-level approach for how the incident response capability fits into the overall organization; meet the unique requirements of the organization, which relate to mission, size, structure, and functions; define reportable incidents; provide metrics for measuring the incident response capability within the organization; define the resources and management support necessary to maintain and mature an incident response capability. The plan is reviewed and approved by appropriate personnel or roles, and copies are distributed. Review the plan at an organization-defined frequency. Communicate plan changes to incident response personnel, and protect the plan from unauthorized disclosure or modification.

Evidence Needed: Incident Response Plan. An IR Plan specifies the process for identifying and reporting an Incident, initial investigation, risk classification, documentation and communication of Incidents, responder procedures, Incident reporting, and training. It provides a well-defined, organized approach for handling any potential threat to computers and data, as well as taking appropriate action when the source of the intrusion or Incident at a third party is traced back to the organization. The Plan identifies and describes the roles and responsibilities of the Incident Response Team, which is responsible for putting the Plan into action. Solutions that cut across cyber risk and compliance, such as the CyberStrong platform, have incident response plan templates available out of the box.



PL-8: Information Security Architecture 

Control Description: The organization develops an information security architecture for the information system that: Describes the overall philosophy, requirements, and approach to be taken with regard to protecting the confidentiality, integrity, and availability of organizational information; Describes how the information security architecture is integrated into and supports the enterprise architecture; Describes any information security assumptions about, and dependencies on, external services; Reviews and updates the information security architecture [Assignment: organization-defined frequency] to reflect updates in the enterprise architecture; and Ensures that planned information security architecture changes are reflected in the security plan, the security Concept of Operations (CONOPS), and organizational procurements/acquisitions.

Remediation Steps Required: Develop an information security architecture for the information system that describes the overall philosophy, requirements, and approach to be taken with regard to protecting the confidentiality, integrity, and availability of organizational information. Describe how the information security architecture is integrated into and supports the enterprise architecture. Describe any information security assumptions about, and dependencies on, external services. Review and update the information security architecture at an organization-defined frequency to reflect updates in the enterprise architecture. Ensure that planned information security architecture changes are reflected in the security plan, the security Concept of Operations (CONOPS), and organizational procurements/acquisitions.

Evidence Needed: Plan and periodic gap analyses against a relevant framework or standard of practice. For organizations without regulatory oversight, a NIST Power Controls gap analysis can help benchmark current security posture and maturity over time.



PM-16: Threat Awareness Program

Control Description: The organization implements a threat awareness program that includes a cross-organization information-sharing capability.

Remediation Steps Required: Implement a threat awareness program that includes a cross-organization information-sharing capability. One of the best techniques to address the advanced persistent threat (APT) is for organizations to share threat information. This can include sharing threat events (i.e., tactics, techniques, and procedures) that organizations have experienced, mitigations that organizations have found are effective against certain types of threats, and threat intelligence (i.e., indications and warnings about threats that are likely to occur).

Evidence Needed: Proof of Program. A best practice is to join the relevant industry Information Sharing and Analysis Center (ISAC). The National Council of ISACs is a good resource to get in touch with the appropriate organization for your sector. 



CA-2: Security Assessments

Control Description: The organization: Develops a security assessment plan that describes the scope of the assessment including: Security controls and control enhancements under assessment; Assessment procedures to be used to determine security control effectiveness; and Assessment environment, assessment team, and assessment roles and responsibilities; Assesses the security controls in the information system and its environment of operation [Assignment: organization-defined frequency] to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements; Produces a security assessment report that documents the results of the assessment; and Provides the results of the security control assessment to [Assignment: organization-defined individuals or roles].

Remediation Steps Required: Develop a security assessment plan that describes the scope of the assessment. Include the security controls and control enhancements under assessment, the assessment procedures used to determine control effectiveness, and the assessment environment, assessment team, and assessment roles and responsibilities. Assess the security controls in the information system and its environment of operation at an appropriate frequency to determine the extent to which the controls are implemented correctly, operating as intended, and producing desired outcomes with respect to meeting established security requirements. Produce a security assessment report that documents the results of the assessment. Provide the results of the assessment to appropriate individuals or roles.

Evidence Needed: Plan. Integrated Risk Management platforms like CyberStrong enable teams to take on security assessments that provide a real-time view of your dynamic environment, as opposed to a static point-in-time view. By moving away from spreadsheets and having one system of record, CyberStrong provides automation, measurement, and real-time reporting that enables security and business leadership to know where they stand against any control set, at any time.



CA-7: Continuous Monitoring

Control Description: The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes: Establishment of [Assignment: organization-defined metrics] to be monitored; Establishment of [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessments supporting such monitoring; Ongoing security control assessments in accordance with the organizational continuous monitoring strategy; Ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy; Correlation and analysis of security-related information generated by assessments and monitoring; Response actions to address results of the analysis of security-related information; and Reporting the security status of the organization and the information system to [Assignment: organization-defined personnel or roles] [Assignment: organization-defined frequency].

Remediation Steps Required: Develop a strategy and program for continuous monitoring that establishes metrics, frequencies of monitoring and assessment, and ongoing security control monitoring. Correlate and analyze security-related information generated by assessments and monitoring. Take response actions to address the results of that analysis. Report the security status of the organization and information system to appropriate personnel or roles at an appropriate frequency.

Evidence Needed: Policy. If risk is defined as likelihood * impact, this control is about minimizing the impact: the sooner malicious activity is spotted, the less time an attacker has to do damage. The goal is to develop competency in quickly identifying malicious activity in network traffic and logs. Services like Managed Detection & Response (MDR) can be a big help by providing both the technology and the people to enable continuous monitoring.



SI-4: Information System Monitoring

Control Description: The organization monitors the information system to detect: Attacks and indicators of potential attacks in accordance with [Assignment: organization-defined monitoring objectives]; and Unauthorized local, network, and remote connections; Identifies unauthorized use of the information system through [Assignment: organization-defined techniques and methods]; Deploys monitoring devices: Strategically within the information system to collect organization-determined essential information; and At ad hoc locations within the system to track specific types of transactions of interest to the organization; Protects information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion; Heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information; Obtains legal opinion with regard to information system monitoring activities in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations; and Provides [Assignment: organization-defined information system monitoring information] to [Assignment: organization-defined personnel or roles] [Selection (one or more): as needed; [Assignment: organization-defined frequency]].

Remediation Steps Required: Monitor the information system to detect attacks and indicators of potential attacks in accordance with organizational monitoring objectives, and monitor for unauthorized local, network, and remote connections. Identify unauthorized use of the information system through organization-defined techniques and methods. Deploy monitoring devices strategically within the information system to collect organization-determined essential information, and at ad hoc locations within the system to track specific types of transactions of interest to the organization. Protect information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion. Heighten the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or the Nation, based on law enforcement information, intelligence information, or other credible sources. Obtain legal opinion with regard to information system monitoring activities in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations. Provide information system monitoring information to appropriate personnel or roles as needed and/or at an appropriate frequency.

Evidence Needed: Proof of Procedures. This control is closely related to Continuous Monitoring (CA-7): the output of System Monitoring is the input to Continuous Monitoring. Intrusion detection and prevention systems (IDS/IPS), next-generation firewalls (NGFW), syslog servers, and SIEMs are some examples of the supporting tooling.
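The CA-7 and SI-4 evidence paragraphs above ask for competency in spotting malicious activity in logs, detecting unauthorized remote connections, and heightening monitoring when credible threat information indicates increased risk. The following is an added illustration of what that looks like at the smallest scale, written for this article and not code from CyberSaint or from NIST: it parses constructed sshd log lines, flags brute-force indicators and successful logins from outside an assumed authorized management range, and shows how a "heightened" mode lowers the detection threshold. The log lines, the 10.0.0.0/24 allowlist, and the thresholds are all assumptions chosen for the example.

```python
"""Minimal SI-4 style log monitor (added example; constructed sample data)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd messages in ISO-timestamp syslog form; not real data.
SAMPLE_LOG = """\
2020-04-01T09:00:01 host1 sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
2020-04-01T09:00:03 host1 sshd[1202]: Failed password for invalid user admin from 203.0.113.5 port 51236 ssh2
2020-04-01T09:00:05 host1 sshd[1203]: Failed password for root from 203.0.113.5 port 51240 ssh2
2020-04-01T09:00:07 host1 sshd[1204]: Failed password for root from 203.0.113.5 port 51242 ssh2
2020-04-01T09:00:09 host1 sshd[1205]: Failed password for root from 203.0.113.5 port 51244 ssh2
2020-04-01T09:00:11 host1 sshd[1206]: Accepted password for root from 203.0.113.5 port 51246 ssh2
2020-04-01T09:05:00 host1 sshd[1300]: Accepted publickey for alice from 10.0.0.12 port 40000 ssh2
2020-04-01T09:30:00 host1 sshd[1400]: Failed password for bob from 198.51.100.9 port 42000 ssh2
2020-04-01T09:34:00 host1 sshd[1401]: Failed password for bob from 198.51.100.9 port 42002 ssh2
2020-04-01T09:38:00 host1 sshd[1402]: Failed password for bob from 198.51.100.9 port 42004 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

# Assumed policy for this example: only the internal management range
# is an authorized source of remote administrative sessions.
AUTHORIZED_SOURCES = ("10.0.0.",)


def parse(log_text):
    """Yield one dict per recognised sshd authentication line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            yield ev


def analyze(log_text, heightened=False):
    """Return a list of (severity, message) findings.

    heightened=True models the SI-4 requirement to raise monitoring
    sensitivity when threat information indicates increased risk: the
    brute-force threshold drops from 5 to 3 failures and the sliding
    window widens from 2 to 10 minutes.
    """
    threshold = 3 if heightened else 5
    window = timedelta(minutes=10 if heightened else 2)
    findings = []
    failures = defaultdict(list)  # source ip -> timestamps of failed logins
    flagged = set()               # sources already reported as brute forcing
    for ev in parse(log_text):
        ip, ts = ev["ip"], ev["ts"]
        if ev["result"] == "Failed":
            recent = [t for t in failures[ip] if ts - t <= window]
            recent.append(ts)
            failures[ip] = recent
            if len(recent) >= threshold and ip not in flagged:
                flagged.add(ip)
                findings.append(("high", f"brute force: {len(recent)} failures "
                                         f"from {ip} within {window}"))
        else:  # Accepted
            if not ip.startswith(AUTHORIZED_SOURCES):
                findings.append(("high", f"unauthorized remote connection: "
                                         f"{ev['user']} from {ip}"))
            if ip in flagged:
                findings.append(("critical", f"success after brute force: "
                                             f"{ev['user']} from {ip}"))
    return findings


if __name__ == "__main__":
    for mode in (False, True):
        print("heightened" if mode else "normal")
        for sev, msg in analyze(SAMPLE_LOG, heightened=mode):
            print(f"  [{sev}] {msg}")
```

In normal mode the monitor reports the rapid burst from 203.0.113.5 and the root login that follows it, but not the slow, spaced-out failures from 198.51.100.9; switching to heightened mode surfaces that slower pattern as well, which is the practical effect of SI-4's "heighten the level of monitoring" clause. In a real deployment the same logic would sit in the SIEM or IDS rule set named above, and the alerts it raises would be the security-related information that CA-7 correlates, analyzes, and reports.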



SI-5: Security Alerts, Advisories, and Directives

Control Description: The organization receives information system security alerts, advisories, and directives from [Assignment: organization-defined external organizations] on an ongoing basis; Generates internal security alerts, advisories, and directives as deemed necessary; Disseminates security alerts, advisories, and directives to: [Selection (one or more): [Assignment: organization-defined personnel or roles]; [Assignment: organization-defined elements within the organization]; [Assignment: organization-defined external organizations]]; and Implements security directives in accordance with established time frames or notifies the issuing organization of the degree of noncompliance.

Remediation Steps Required: Receive information system security alerts, advisories, and directives from organization-defined external organizations on an ongoing basis. Generate internal security alerts, advisories, and directives as deemed necessary. Disseminate security alerts, advisories, and directives to appropriate personnel or roles, and/or elements within the organization, and/or organization-defined external organizations. Implement security directives in accordance with established time frames, or notify the issuing organization of the degree of noncompliance.

Evidence Needed: Proof of Procedures. A best practice here would be membership in your local InfraGard chapter and ISAC or Fusion Center. 

As a business that cares deeply about our information security community, we are partnering with organizations across all sectors to rapidly deploy automated assessments against these key controls with CyberStrong, so as not to tax already overwhelmed teams and to provide immediate results. Our goal is to help security teams and business leaders quickly secure themselves, their partners, and their employees.

This crisis isn't a reason to de-prioritize security; on the contrary, it has never been more important. Please send this along to your team or reach out if you would like to speak with us about how we can help, in any way.

 

Co-authored by CyberSaint's Principal Security Architect, Stephen Torino and VP Marketing Alison Furneaux.
