Thinking About Your Cybersecurity Program
The National Institute of Standards and Technology, or NIST, was tasked with developing a framework that could be used to understand and manage cybersecurity defenses. So, in good government fashion, they came up with a 56 page document full of dense text and tables and so on. But, and this is the important part, they summarized it into 5 functions, each a different high-level action step. That provides a good jumping-off point to start thinking about a cybersecurity program for your business.
We’ve come up with 20 questions, none of them really technical, that can help you start or accelerate the development of your cybersecurity defenses. As you think through these questions, a framework that fits your business should start to emerge.
Identify cybersecurity threats
- What are your highest value assets?
- What assets may be valuable to others?
- Who would be interested in your assets, and why?
- How could an adversary steal or compromise those assets?
Protect the system
- How do you manage users’ activity?
- How do you protect your data and digital assets?
- How do you protect your network?
- How do you protect your endpoint devices?
Detect threats in a timely manner
- What needs to be monitored?
- How will you monitor it?
- Who will be accountable for monitoring?
- How is a detected threat handled?
Respond to detected threats
- How are threats assessed?
- How do you determine the impacts?
- What plans are in place to respond?
- Are there physical assets that could be impacted?
Recover from an incident
- How will you recover lost or compromised assets?
- Have you made a recovery plan, and has it been tested?
- Who will be accountable for recovery?
- How will internal and external communications be handled?
If you address these broad questions in terms of People, Process, and Technology, you will get a pretty clear picture of your situation. Some answers may be more people-focused or technology-focused, but keep all three facets in mind for each answer.
This is a great way to build a basic cybersecurity program. Start by answering the questions for the way things are now. Some gaps will show up (they always do); use those gaps to determine the most important things to work on and how to improve.
And if you want to skip right to the sleep aid section of the NIST Cybersecurity Framework, here’s a link to the full document: Nist. There is a lot more to the whole framework, and I hope to be able to post some more about how to make it effective in the real world of never enough time or resources, but that means I will need time and resources.