Planning and Preparation
01 Security Procedures
Steps used to develop policies and procedures
Procedures must include data encryption, multi-factor authentication, incident reporting, and patch management details. Well-defined procedures help employees understand their roles in maintaining security.
Frequently review and update policies and procedures since threats constantly evolve. Regular audits and vulnerability assessments help identify gaps in existing policies.
Organizations must educate employees on cybersecurity policies through regular training. Simulated attacks, such as phishing tests and drills, reinforce training and inform employees of their responsibilities.
Policy development requires input from the organization’s stakeholders. Critical assets, vulnerable threat areas, and associated regulatory compliances define the security objectives and policy requirements.
Standards for process management
ISO/IEC 27001:2022 – Information Security Management Systems (ISMS) – Outlines requirements for establishing and continually improving an Information Security Management System (ISMS)
NIST Special Publication 800-53 (Rev. 5) – Security and Privacy Controls for Information Systems and Organizations – Offers detailed guidance on developing security policies and operational procedures that cover access control, incident response, risk assessment, and system maintenance
NIST Cybersecurity Framework (CSF) – Includes specific guidelines on developing and maintaining cybersecurity policies that align with the core functions: Identify, Protect, Detect, Respond, and Recover
ISO/IEC 27002:2022 – Information Security Controls – Includes detailed recommendations for developing and maintaining procedures related to access control, encryption, physical security, and employee awareness
CIS Controls – Center for Internet Security (CIS) – Controls Offers a set of prioritized best practices for securing IT systems and data with specific instructions on creating, implementing, and maintaining security procedures – vulnerability management
PCI-DSS (Payment Card Industry Data Security Standard) – Provides security standards that mandate creating and maintaining cybersecurity procedures. It includes data protection policies, secure system development – payment card data
SANS Institute Security Policy Templates – It is not a formal standard, but it offers security policy templates, including acceptable use policies, incident response, access control, and system hardening
Documentation Under Construction
Prioritize security efforts to mitigate identified risks
Identify Assets: Identify digital assets, such as servers, databases, applications, and network components. Map relations between assets and systems to understand how they could impact others.
Identify Potential Threats: Use threat intelligence feeds, industry reports, and vulnerability databases to stay updated on new threats, such as malware strains, phishing schemes, or exploitation techniques. Identify potential sources of threats, including cybercriminal groups, nation-state actors, insider threats, and accidental errors.
Assess Vulnerabilities in Systems: Use automated tools to scan systems, networks, and applications for vulnerabilities. Conduct periodic penetration testing to simulate attacks on your systems and identify potential security weaknesses.
Analyze the Impact of likely Threats: Assess how an identified threat will affect the organization, considering factors like asset exposure, vulnerability, and threat actor motivation. Estimate each threat’s impact by considering potential financial losses, operational disruption, reputational damage, and legal implications.
Prioritize Risks: Create a risk matrix (high, medium, low) based on the likelihood and impact of each identified risk, enabling a structured approach to prioritization. Align prioritization, focusing more on mitigating high-likelihood, high-impact risks that exceed your tolerance level.
Define Mitigation Strategies: Address vulnerabilities through patch management, network segmentation, multi-factor authentication, encryption, and other security controls. Update policies and procedures to mitigate risks identified in the assessment, such as enhanced access control or stricter data-handling processes. Create a plan for addressing vulnerabilities that pose immediate risk and a timeline for ongoing mitigation measures.
Review and Report Findings: Record all identified risks, their priorities, and the mitigation strategies in a report detailing which risks need immediate action and ongoing monitoring. Share findings with relevant stakeholders, including leadership and critical departments, to ensure organizational alignment on priorities and mitigation efforts.
Establish Continuous Monitoring and Re-assessment: Set up ongoing monitoring to detect new vulnerabilities, configuration changes, or emerging threats that could impact a risk landscape. Schedule periodic reassessments for new threats, IT environment changes, or business priorities. Annual or semi-annual reassessments are common, but the frequency may increase based on the industry or specific risk factors.
03 Incident Response Plan
Consider these strategies for newly identified threats
Define the Scope and Objectives: Evaluate regulatory, compliance, and business requirements. Determine which types of incidents (e.g., malware, phishing, data breaches) will trigger the response plan. Outline critical goals, such as minimizing impact, ensuring rapid recovery, and protecting sensitive data.
Assemble an Incident Response Team (IRT): Designate core team members (e.g., IT, legal, HR, public relations, executive leadership). Define responsibilities: Specify each member’s role in the incident response for planning and active response. Identify stakeholders: If necessary, include external entities like vendors, third-party security firms, and legal advisers.
Develop Policies and Procedures: Typically, it includes phases such as Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned, Determine how and when incidents are escalated within the organization. Include internal and external communication strategies to prevent misinformation.
Define Incident Detection and Reporting Mechanisms: Specify the monitoring tools (e.g., SIEM, IDS/IPS) used to detect incidents. Outline how incidents should be reported and to whom, including thresholds for reporting based on severity.
Develop Incident Response Playbooks: Create response templates: Provide specific, step-by-step playbooks for common incidents (e.g., ransomware, phishing). Specify actions to contain and isolate incidents quickly to prevent spread. Outline data preservation steps: Include instructions for evidence collection to aid in investigations.
Key Revisions to NIST's Guidelines
NIST has increased its focus on cybersecurity challenges since its inception in 2002 by FISMA. At first tasked with developing standards and guidelines for federal information systems, NIST has evolved into a key participant in shaping the expanse of today’s cybersecurity landscape. Here are the key developments in its role:
Cybersecurity Frameworks NIST released the Cybersecurity Framework CSF in 2014 (revised in 2018) to provide a set of best practices to combat cybersecurity risks. Its adoption has spread across industries globally. NIST’s SP 800-53 and SP 800-171 have become foundational for cybersecurity guidelines, guiding both government and private sectors.
Public and Private Sectors NIST ensures its guidelines are practical and relevant. NIST has aligned itself with international standards like ISO 27001 to provide a united approach to cybersecurity.
Emerging Threats NIST includes SP 800-161 supply chain risk management guidelines. The institute focuses on developing cryptographic algorithms that are resistant to quantum computing threats. NIST develops AI and the Internet of Things (IoT) guidelines.
Compliance with NIST guidelines has become required for federal agencies and contractors, such as the Department of Defense’s Cybersecurity Maturity Model Certification (CMMC).
Cyber Strength NIST has provided education tools to improve cybersecurity by prioritizing critical assets and adapting to dynamic threats.
Global Collaboration NIST has promoted international cooperation on cybersecurity standards, ensuring worldwide interaction and advancing trust in digital systems.
CMMC and RMF
The CMMC and the RMF aim to help cybersecurity organizations working with federal agencies, like the Department of Defense (DoD). Each framework directs unique aspects of cybersecurity, creating an interactive approach to risk management and compliance.
The CMMC, developed by the DoD, establishes a standardized approach to cybersecurity for contractors in the Defense Industrial Base (DIB). It incorporates practices from frameworks like NIST SP 800-171 but adds a tiered certification model with five levels of maturity, ranging from basic cyber hygiene (Level 1) to advanced practices (Level 5). This configuration ensures contractors handling Controlled Unclassified Information (CUI) meet specific security requirements proportionate to their data sensitivity and risk exposure. Third-party assessments are required for CMMC compliance to encourage accountability.
The NIST RMF includes six key steps: categorizing information, selecting controls, implementing controls, assessing effectiveness, authorizing systems, and continuous monitoring. It calls attention to risk-based decision-making, organizational needs, and the alignment of standards such as NIST SP 800-53 and NIST SP 800-171. RMF is a flexible framework, enabling organizations to adapt controls based on their unique risk profiles and missions.
Achieving CMMC certification
Pre-assessment: Organizations review their current cybersecurity practices against CMMC requirements.
Third-party assessment: A Certified Third-Party Assessment Organization (C3PAO) evaluates the organization’s compliance.
Certification: Based on the assessment, the organization is certified at a specific CMMC level that is valid for three years.