
8 NIST Security Controls to Focus on During, and After, a Crisis


In this COVID-19 pandemic, cybersecurity incidents are increasingly prevalent in some of our most prominent sectors. For information security leaders working toward the measurement, implementation, and communication of best practices, or amid the adoption of industry standards such as the NIST CSF, time and resources may be constrained. Prioritizing the security initiatives that provide the most resilience against the most frequent causes of breaches is therefore key to keeping the business operating. Just as important, communicating these activities in a way that business-side leadership understands is crucial to resourcing them efficiently and keeping employees, customers, and partners safe.

Each of the controls listed below applies broadly to information security goals and helps buy down the risk to the confidentiality, integrity, and availability of information systems. In times like these, when ransomware, denial of service attacks, and disinformation campaigns are all being used in the wild, these are the essential security controls to focus on during the pandemic.

Amongst all the chaos, now is the time to align with security best practices more than ever before. For many organizations, we see a rise in the decision to adopt an integrated risk management approach to information security management to support times such as these. Those who can efficiently identify potential gaps, direct resources, and know what actions will deliver the highest Return on Security Investment (ROSI) will come out of this crisis more resilient than they were before. 

Spanning the Incident Response, Planning, Program Management, Security Assessment and Authorization, and System and Information Integrity control families, these controls from the National Institute of Standards and Technology (NIST) aim to align your organization with best practices and to protect against cybercriminals who are taking advantage of the global crisis and of hastily assembled work-from-home setups.

The controls are drawn from a newly launched, practical set of forty-five security controls selected from NIST SP 800-53, the control catalog the NIST Cybersecurity Framework references. This control set shows where immediate resource allocation and response should be directed during this crisis, presented in a way that is actionable for both security teams and executive management.

IR-4: Incident Handling

Control Description: The organization implements an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery; Coordinates incident handling activities with contingency planning activities; and Incorporates lessons learned from ongoing incident handling activities into incident response procedures, training, and testing, and implements the resulting changes accordingly.

Remediation Steps Required: Implement an incident handling capability for security incidents. Include preparation, detection and analysis, containment, eradication, and recovery. Coordinate incident handling activities with contingency planning activities. Incorporate lessons learned from ongoing incident handling activities into incident response procedures, training, and testing, and implement the resulting changes accordingly.

Evidence Needed: Proof of Capability. This can be documented with form templates, such as those offered by SANS, including an Incident Contact List, Incident Identification, Incident Survey, Incident Containment, Incident Eradication, Incident Communication Log, and Chain of Custody form. 

IR-8: Incident Response Plan

Control Description: The organization develops an incident response plan that: Provides the organization with a roadmap for implementing its incident response capability; Describes the structure and organization of the incident response capability; Provides a high-level approach for how the incident response capability fits into the overall organization; Meets the unique requirements of the organization, which relate to mission, size, structure, and functions; Defines reportable incidents; Provides metrics for measuring the incident response capability within the organization; Defines the resources and management support needed to effectively maintain and mature an incident response capability; and Is reviewed and approved by [Assignment: organization-defined personnel or roles]; Distributes copies of the incident response plan to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements]; Reviews the incident response plan [Assignment: organization-defined frequency]; Updates the incident response plan to address system/organizational changes or problems encountered during plan implementation, execution, or testing; Communicates incident response plan changes to [Assignment: organization-defined incident response personnel (identified by name and/or by role) and organizational elements]; and Protects the incident response plan from unauthorized disclosure and modification.

Remediation Steps Required: Develop an incident response plan that provides a roadmap for implementing an incident response capability. The plan should: describe the structure and organization of the incident response capability; provide a high-level approach for how the incident response capability fits into the overall organization; meet the unique requirements of the organization, which relate to mission, size, structure, and functions; define reportable incidents; provide metrics for measuring the incident response capability within the organization; define the resources and management support necessary to maintain and mature an incident response capability. The plan is reviewed and approved by appropriate personnel or roles, and copies are distributed. Review the plan at an organization-defined frequency. Communicate plan changes to incident response personnel, and protect the plan from unauthorized disclosure or modification.

Evidence Needed: Incident Response Plan. An IR plan specifies the process for identifying and reporting an incident, initial investigation, risk classification, documentation and communication of incidents, responder procedures, incident reporting, and training. It provides a well-defined, organized approach for handling any potential threat to computers and information assets, including taking appropriate action when an intrusion or incident at a third party is traced back to the organization. The plan identifies and describes the roles and responsibilities of the Incident Response Team, which is responsible for putting the plan into action. Solutions that cut across cyber risk and compliance, such as the CyberStrong platform, have incident response plan templates available out of the box.

PL-8: Information Security Architecture 

Control Description: The organization develops an information security architecture for the information system that: Describes the overall philosophy, requirements, and approach to be taken concerning protecting the confidentiality, integrity, and availability of organizational information; Describes how the information security architecture is integrated into and supports the enterprise architecture; Describes any information security assumptions about, and dependencies on, external services; Reviews and updates the information security architecture [Assignment: organization-defined frequency] to reflect updates in the enterprise architecture; and Ensures that planned information security architecture changes are reflected in the security plan, the security Concept of Operations (CONOPS), and organizational procurements/acquisitions.

Remediation Steps Required: Develop an information security architecture for the information system that describes the overall philosophy, requirements, and approach to be taken to protect the confidentiality, integrity, and availability of organizational information. Describe how the information security architecture is integrated into and supports the enterprise architecture. Describe any information security assumptions about, and dependencies on, external services. Review and update the information security architecture at an organization-defined frequency to reflect updates in the enterprise architecture. Ensure that planned information security architecture changes are reflected in the security plan, the security Concept of Operations (CONOPS), and organizational procurements/acquisitions.

Evidence Needed: Plan and periodic gap analyses against a relevant framework or standard of practice. For organizations without regulatory oversight, a gap analysis against a practical control set such as the NIST Power Controls can help benchmark current security posture and track maturity over time.

PM-16: Threat Awareness Program

Control Description: The organization implements a threat awareness program with a cross-organization information-sharing capability.

Remediation Steps Required: Implement a threat awareness program that includes a cross-organization information-sharing capability. One of the best techniques to address the advanced persistent threat (APT) is for organizations to share threat and vulnerability information. This can include sharing threat events (i.e., tactics, techniques, and procedures) that organizations have experienced, mitigations that organizations have found are effective against certain types of threats, and threat intelligence (i.e., indications and warnings about threats that are likely to occur).

Evidence Needed: Proof of Program. A best practice is to join the relevant industry Information Sharing and Analysis Center (ISAC). The National Council of ISACs is a good resource for contacting the appropriate organization for your sector. 

CA-2: Security Assessments

Control Description: The organization: Develops a security assessment plan that describes the scope of the assessment including: Security controls and control enhancements under assessment; Assessment procedures to be used to determine security control effectiveness; and Assessment environment, assessment team, and assessment roles and responsibilities; Assesses the security controls in the information system and its environment of operation [Assignment: organization-defined frequency] to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome for meeting established security requirements; Produces a security assessment report that documents the results of the assessment; and Provides the results of the security control assessment to [Assignment: organization-defined individuals or roles].

Remediation Steps Required: Develop a security assessment plan that describes the scope of the assessment. Include the security controls and control enhancements under assessment, the assessment procedures used to determine control effectiveness, and the assessment environment, assessment team, and assessment roles and responsibilities. Assess the security controls in the information system and its environment of operation at an appropriate frequency to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcomes for meeting established security requirements. Produce a security assessment report that documents the results of the assessment. Provide the results of the assessment to the appropriate individuals or roles.

Evidence Needed: Plan. Integrated Risk Management platforms like CyberStrong enable teams to run security assessments that provide a real-time view of a dynamic environment rather than a static point-in-time snapshot. By moving away from spreadsheets to a single system of record, CyberStrong provides automation, measurement, and real-time reporting that let security and business leadership know where they stand against any control set, at any time.

CA-7: Continuous Monitoring

Control Description: The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes: Establishment of [Assignment: organization-defined metrics] to be monitored; Establishment of [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessments supporting such monitoring; Ongoing security control assessments in accordance with the organizational continuous monitoring strategy; Ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy; Correlation and analysis of security-related information generated by assessments and monitoring; Response actions to address results of the analysis of security-related information; and Reporting the security status of the organization and the information system to [Assignment: organization-defined personnel or roles] [Assignment: organization-defined frequency].

Remediation Steps Required: Develop a strategy and program for continuous monitoring that establishes metrics, frequencies for monitoring and assessment, and ongoing security control assessment. Correlate and analyze the security-related information generated by assessments and monitoring. Take response actions to address the results of that analysis. Report the security status of the organization and the information system to the appropriate personnel or roles at an appropriate frequency.

Evidence Needed: Policy. If risk is defined as likelihood * impact, this control reduces the impact: the sooner malicious activity is identified in network traffic and logs, the less time an attacker has to act. The goal is to develop competency in quickly identifying such activity. Services like Managed Detection & Response can help significantly by providing both the technology and the people needed for continuous monitoring.

SI-4: Information System Monitoring

Control Description: The organization monitors the information system to detect: Attacks and indicators of potential attacks in accordance with [Assignment: organization-defined monitoring objectives]; and Unauthorized local, network, and remote connections; Identifies unauthorized use of the information system through [Assignment: organization-defined techniques and methods]; Deploys monitoring devices: Strategically within the information system to collect organization-determined essential information; and At ad hoc locations within the system to track specific types of transactions of interest to the organization; Protects information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion; Heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information; Obtains legal opinion with regard to information system monitoring activities in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations; and Provides [Assignment: organization-defined information system monitoring information] to [Assignment: organization-defined personnel or roles] [Selection (one or more): as needed; [Assignment: organization-defined frequency]].

Remediation Steps Required: Monitor the information system to detect attacks and indicators of potential attacks in accordance with the organization's monitoring objectives, and monitor for unauthorized local, network, and remote connections. Identify unauthorized use of the information system through organization-defined techniques and methods. Deploy monitoring devices strategically within the information system to collect organization-determined essential information, and at ad hoc locations within the system to track specific types of transactions of interest to the organization. Protect information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion. Heighten the level of information system monitoring whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or the Nation, based on law enforcement information, intelligence information, or other credible sources. Obtain a legal opinion on information system monitoring activities per applicable federal laws, Executive Orders, directives, policies, or regulations. Provide the defined monitoring information to the appropriate personnel or roles as needed and/or at an appropriate frequency.

Evidence Needed: Proof of Procedures. This control is closely related to Continuous Monitoring, with the output of System Monitoring being the input of Continuous Monitoring. Some examples are IDS, IPS, NGFW, Syslog servers, and SIEMs. 
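To make the two SI-4 requirements that matter most during a crisis concrete (detecting unauthorized remote connections, and heightening monitoring when risk increases), here is an added example that is not part of the original article or of any CyberSaint product. It scans constructed sshd syslog lines, flags successful logins from outside an assumed set of organization-approved networks, and counts repeated authentication failures per source; a `heightened` flag lowers the failure threshold and raises severity, which is the kind of switch an SI-4 procedure should define for periods of elevated risk. The approved ranges, hostnames and log lines are illustrative assumptions.

```python
"""Added example (not from the original article): a minimal SI-4 style
detector over sshd syslog lines. Approved networks and sample log lines
are constructed assumptions for illustration only."""
import ipaddress
import re
from collections import Counter
from typing import Dict, List

# Assumed organization-defined trusted source networks (illustrative).
APPROVED_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.1.0/24"),
]

# Matches the common OpenSSH sshd syslog lines for login outcomes and
# captures the outcome, the user name and the source address.
SSHD_RE = re.compile(
    r"sshd\[\d+\]: (Accepted|Failed) (?:password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

# Constructed sample log lines (not real data).
SAMPLE_LOGS = [
    "Mar 20 09:12:01 bastion sshd[1201]: Accepted publickey for alice from 10.1.4.22 port 51022 ssh2",
    "Mar 20 09:13:44 bastion sshd[1207]: Failed password for invalid user admin from 203.0.113.7 port 44311 ssh2",
    "Mar 20 09:13:46 bastion sshd[1208]: Failed password for invalid user admin from 203.0.113.7 port 44312 ssh2",
    "Mar 20 09:13:49 bastion sshd[1209]: Failed password for root from 203.0.113.7 port 44313 ssh2",
    "Mar 20 09:20:10 bastion sshd[1230]: Accepted password for bob from 198.51.100.9 port 60001 ssh2",
    "Mar 20 09:25:00 bastion CRON[1300]: (root) CMD (run-parts /etc/cron.hourly)",
]


def is_approved(ip: str) -> bool:
    """True if the source address falls inside an approved network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in APPROVED_NETWORKS)


def analyze(lines: List[str], heightened: bool = False) -> List[Dict[str, str]]:
    """Return findings in log order.

    heightened=False: normal operations, 3 failures from one source raise a finding.
    heightened=True:  elevated risk (SI-4 'heighten monitoring'), a single failure
                      raises a finding and unapproved logins are rated high.
    """
    threshold = 1 if heightened else 3
    failures: Counter = Counter()
    findings: List[Dict[str, str]] = []
    for line in lines:
        m = SSHD_RE.search(line)
        if not m:
            continue  # not an sshd login line (e.g. cron); ignore
        outcome, user, ip = m.group(1), m.group("user"), m.group("ip")
        if outcome == "Accepted" and not is_approved(ip):
            findings.append({
                "type": "unapproved_remote_login", "user": user, "ip": ip,
                "severity": "high" if heightened else "medium",
            })
        elif outcome == "Failed":
            failures[ip] += 1
            # Emit once, exactly when the source crosses the threshold.
            if failures[ip] == threshold:
                findings.append({
                    "type": "repeated_auth_failure", "user": user, "ip": ip,
                    "severity": "medium",
                })
    return findings


if __name__ == "__main__":
    for mode in (False, True):
        print(f"heightened={mode}")
        for f in analyze(SAMPLE_LOGS, heightened=mode):
            print("  ", f)
```

In normal mode the sample produces two findings: a brute-force style burst from 203.0.113.7 and bob's successful login from an unapproved address. In heightened mode the first failed attempt is already reported and the unapproved login is escalated to high. In practice the output would be shipped to the syslog server or SIEM named above, and the approved ranges would come from the organization's asset inventory rather than a hard-coded list.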

SI-5: Security Alerts, Advisories, and Directives

Control Description: The organization receives information system security alerts, advisories, and directives from [Assignment: organization-defined external organizations] on an ongoing basis; Generates internal security alerts, advisories, and directives as deemed necessary; Disseminates security alerts, advisories, and directives to: [Selection (one or more): [Assignment: organization-defined personnel or roles]; [Assignment: organization-defined elements within the organization]; [Assignment: organization-defined external organizations]]; and Implements security directives by established time frames or notifies the issuing organization of the degree of noncompliance.

Remediation Steps Required: Receive information system security alerts, advisories, and directives from organization-defined external organizations on an ongoing basis. Generate internal security alerts for identified alerts, advisories, and directives as deemed necessary. Disseminate security alerts, advisories, and directives to appropriate personnel or roles, and/or elements within the organization, and/or organization-defined external organizations. Implement security directives by established time frames, or notify the issuing organization of the degree of noncompliance.

Evidence Needed: Proof of Procedures. A best practice here would be membership in your local InfraGard chapter and ISAC or Fusion Center. 

As a business that cares deeply about our information security community, we are partnering with organizations across all sectors to rapidly deploy automated cybersecurity risk assessments against these key controls with CyberStrong, so as not to tax already overwhelmed teams and to provide immediate results. Our goal is to help security teams and business leaders quickly secure themselves, their partners, and their employees.

This crisis isn't a reason to de-prioritize data security. On the contrary, it has never been more critical. Please send this along to your team or reach out if you would like to speak with us about how we can help, in any way. Contact us to learn more about how CyberStrong can automate the assessment process and streamline compliance with NIST frameworks such as the CSF.

Co-authored by CyberSaint's Principal Security Architect, Stephen Torino, and VP of Marketing Alison Furneaux.
