Computer Security MT24, NIST framework

A set of voluntary guidelines, best practices and standards for organisations to adhere to as to ensure they are following the best practices and policies to manage and reduce cybersecurity risk.

• Identify: Understand what the risks are
• Protect: Take action to prevent these risks
• Detect: Have systems for spotting cybersecurity incidents
• Respond: Have systems for responding to detected cybersecurity incidents
• Recover: Stay online and restore functionality after a cybersecurity incident

(Mnemonic: I personally don’t really rave)

Understand what the risks are.

“Developing an organisational understanding to manage cybersecurity risk to systems, people, assets, data and capabilities.”

• Asset management:
  • Work out what assets you need to protect
  • “The data, personnel, devices, systems, and facilities that enable the organisation to achieve business purposes are identified and managed consistent with their relative importance to organisational objectives and the organisation’s risk strategy.”
• Business environment:
  • Work out what your priorities are as a business (don’t spend ages protecting something that’s not important)
  • “The organisation’s mission, objectives, stakeholders, and activities are understood and prioritised; this information is used to inform cybersecurity roles, responsibilities, and risk management decisions.”
• Governance:
  • Make sure there’s effective leadership for understanding cybersecurity risk
  • “The policies, procedures, and processes to manage and monitor the organisation’s regulatory, legal, risk, environmental and operational requirements are understood and inform the management of cybersecurity risk.”
• Risk assessment:
  • Understand where the risks are
  • “The organisation understands the cybersecurity risk to organisational operations (including mission, functions, image or reputation), organisational assets, and individuals.”
• Risk management strategy:
  • Understand the risk tolerances across different parts of the business
  • “The organisation’s priorities, constraints, risk tolerances, and assumptions are established and used to support operational risk decisions.”
• Supply chain risk management:
  • Make sure the supply chain isn’t a weak point
  • “The organisation’s priorities, constraints, risk tolerances, and assumptions are established and used to support risk decision associated with managing supply chain risk. The organisation has established and implemented the processes to identify, assess and manage supply chain risks.”

(Mnemonic: Identify what you want and then GRABRS it)

Take action to prevent identified risks.

“Develop and implement appropriate safeguards to ensure delivery of critical services.”

• Awareness and training:
  • Make sure people are well-informed about the risks
  • “The organisation’s personnel and partners are provided cybersecurity awareness education and are trained to perform their cybersecurity-related duties and responsibilities consistent with related policies, procedures, and agreements.”
• Maintenance:
  • Keep systems up to date
  • “Maintenance and repairs of industrial control and information system components are performed consistent with policies and procedures.”
• Authentication, access control and identity management:
  • Have good authentication and access control in place
  • “Access to physical and logical assets and associated facilities is limited to authorised users, processes, and devices, and is managed consistent with the assessed risk of unauthorised access to authorised activities and transactions.”
  • “Identities and credentials are issued, managed, verified, revoked, and audited for authorised devices, users and processes.”
• Data security:
  • Make sure data is encrypted
  • “Information and records are managed consistent with the organisation’s risk strategy to protect the confidentiality, integrity and availability of information.”
  • “Data-at-rest is protected”
  • “Data-in-transit is protected”
  • “Protections against data leaks are implemented”
• Information protection processes and procedures:
  • Have rules and procedures that cover what needs to be protected
  • “Security policies (that address purpose, scope, roles, responsibilities, management commitment, and coordinate among organisational entities), processes, and procedures are maintained and used to manage protection of information systems and assets.”
• Protective technology:
  • Use antivirus pretty much
  • “Technical security solutions are managed to ensure the security and resilience of systems and assets, consistent with related policies, procedures, and agreements.”
  • “Removable media is protected and its use restricted according to policy.”

(Mnemonic: To protect, I AM PAID)

Have systems for spotting cybersecurity incidents.

“Develop and implement appropriate activities to identify the occurrence of a cybersecurity event.”

• Security continuous monitoring:
  • Keep an eye on everything
  • “The information system and assets are monitored to identify cybersecurity events and verify the effectiveness of protective measures.”
• Anomalies and events:
  • Know what looks normal in your system
  • “Anomalous activity is detected and the potential impact of events is understood.”
• Detection processes:
  • Make sure your detection systems are working
  • “Detection processes and procedures are maintained and tested to ensure awareness of anomalous events.”

(Mnemonic: SAD)

Have systems for responding to detected cybersecurity incidents.

“Develop and implement appropriate activities to take action regarding a detected cybersecurity incident.”

• Improvements
  • Learn from your mistakes
  • “Organisational response activities are improved by incorporating lessons learned from current and previous detection/response activities.”
• Mitigation:
  • When a cybersecurity incident is happening, actually do something
  • “Activities are performed to prevent expansion of an event, mitigate its effects, and resolve the incident.”
• Communications:
  • Communicate with law enforcement and tell your customers
  • “Response activities are coordinate with internal and external stakeholders (e.g. external support from law enforcement agencies).”
• Analysis:
  • Understand what is happening
  • “Analysis is conducted to ensure effective response and support recovery activities.”
• Response planning:
  • Know how you’re going to respond before you do
  • “Response processes and procedures are executed and maintained, to ensure response to detected cybersecurity incidents.”

(Mnemonic: IM CAR)

Stay online and restore functionality after a cybersecurity incident.

“Develop and implement appropriate activities to maintain plans for resilience and to restore any capabilities that were impaired due to a cybersecurity incident.”

• Improvements:
  • Learn from your mistakes
  • “Recovery planning and processes are improved by incorporating lessons learned into future activities.”
• Recovery planning:
  • Know how you’re going to recover from cybersecurity incidents
  • “Recovery processes and procedures are executed and maintained to ensure restoration of systems or assets affected by cybersecurity incidents.”
• Communications:
  • Talk to the people involved afterwards
  • “Restoration activities are coordinate with internal and external parties (e.g. coordinating centres, ISPs, owners of attacking systems, victims, other cyber security response teams, and vendors).”

(Mnemonic: IRC)