The NIST Cybersecurity Framework (NIST CSF) provides a multi-step process to implement what is known as best practices when protecting our assets and infrastructure.
NIST builds the framework around 5 critical functions that need adherence, and lays out the following steps to put them into practice:
Step 1 – Prioritize and Scope: Identifying organizational objectives will help define what is in scope and what the priorities are. Prioritizing certain objectives above others doesn’t mean the rest fall by the wayside. Once the highest-priority systems and assets are protected, lower-priority ones can be addressed systematically until all systems and assets are accounted for.
Step 2 – Orient: Understanding the processes, systems, and components that are within scope, as well as the regulatory and compliance requirements to which they are beholden, helps clarify the risks, threats, and vulnerabilities that need to be addressed.
Step 3 – Create a Current State: Understanding the current state of affairs will help focus efforts on where to start and which gaps are the widest. One may find out certain components and systems are close to ideal, while others may lag significantly.
Step 4 – Risk Assessment: To confirm a perceived ‘current state,’ engaging in third-party risk assessments will verify an organization’s understanding of existing systems and their vulnerabilities and risk posture. A risk assessment is meant to highlight areas of deficiencies as well as areas of strength.
Step 5 – Create a Desired State: With the help of the NIST CSF, systems and components and their acceptable risk objectives can be tracked over time to allow us to score postures and improvements.
Step 6 – Prioritize the Gaps: Once the gaps between the current and desired states are determined, we can analyze them and prioritize the ones that warrant focused attention. This allows us to align resources, budgets, and levels of effort, and acts as a springboard or starting point to tackle the most egregious gaps first.
Step 7 – Implement an Action Plan: If executed properly, steps 1-6 should lead to an actionable plan of attack. High-priority gaps in critical systems and components, where the degree of risk could lead to undesirable impact on the organization, should be clearly identified and ready for remediation.
When this process is followed continuously over time and adjusted according to the organization’s current state, it will greatly improve the overall security posture of any organization, large or small.