Diving into NIST Special Publication 800-53 for practical advice.
The document refers to Federal information systems, but this terminology will be removed in the forthcoming fifth revision, because the advice here is applicable to all organizations.
It may seem dense and inaccessible at first, so we’re going to break down some of the key elements and explain their importance.
Establishing a baseline
It’s not easy to calculate the business impact of a cyberattack, because there are many knock-on effects that take time to reveal themselves. The latest research from the Ponemon Institute suggests a global average cost of $3.62 million for a data breach. The level of potential risk is your starting point in developing and building solid cybersecurity defenses.
Before you can select the right set of security controls, you must consider the importance and sensitivity of the data. The FIPS 199 document explains how you might go about categorizing your systems, taking into account confidentiality, integrity, and availability to figure out if the potential impact of a breach is low, moderate, or high risk.
Having established the potential impact levels, you can select a security control baseline. It’s deliberately called a baseline, because it’s something to build on.
Tailoring your security controls
The guidelines are broad and make certain assumptions that might not apply to your organization, so the next step is to tweak your security control baseline to ensure that it’s aligned with your business functions, systems and operating environment. You may be able to drop some controls, but will probably have to add or enhance others.
Part of the aim during this process is to arrive at an approach that strikes a good balance between security and cost. There’s no such thing as a perfect set of security controls. You must weigh regulations, emerging threats, new and legacy technologies and systems, plus your business goals, to arrive at the right blend for your organization.
Implementation and assessment
Detailed documentation laying out the design, development and implementation of your security controls is vital for regulatory bodies to be able to audit your efforts. It also provides a sound rationale that can be continually applied in the future, because, to use a well-travelled cliché, cybersecurity is not a destination but a journey.
Being able to refer to this documentation could be hugely valuable for the long haul, particularly if you have a new system to integrate, your CISO resigns, or you hire a virtual CISO for the short term.
A common mistake that organizations make is to draft the plan, implement it, and then trust that it’s working as expected. Without in-depth, regular assessments you have no idea if your security controls have been implemented correctly, if they’re operating as intended, or if they’re meeting your expectations for security. Get an outside party with no vested interest to put your security through its paces and don’t forget to test your third-party service providers to ensure they meet your standards.
You’ve set a baseline, tweaked it to fit your needs, implemented it and tested to ensure that it’s working properly, now you can take it easy, right? Wrong!
Your work is never done when it comes to cybersecurity because things change. You might adopt a new system, integrate a new third-party service, or change your business goals. To comply with your legal requirements, you need to be up to date with the latest regulations. And all the while, new software vulnerabilities are being discovered, and hackers are probing your defenses and developing new techniques to gain entry.
At the heart of NIST’s holistic approach to infosec and risk management are two simple ideas – “Build it right” and “continuous monitoring.”
Take your time and create a solid cybersecurity foundation, but accept that you’ll need to be vigilant for cracks in your defenses and continually make improvements if you want to ensure that your data is truly protected.