
Protection and Risk Mitigation in the NIST Framework

Protection and risk mitigation is the second core function of the NIST Framework. It is worth becoming familiar with it, because it covers implementing appropriate security controls to protect all information systems and assets and, when a threat materializes, limiting the impact of the resulting risks.

As cybersecurity analysts, this is a fundamental part of our job, since effective management of protection and risk mitigation helps safeguard information and ensures the security of our systems in the event of a cyberattack.

Let’s discuss what can be done within this function:

  1. Security Controls and Safeguards

The NIST Framework provides clear guidelines on how to implement security controls and safeguards effectively. According to the framework, these controls can be divided into three main categories: management controls, technical controls, and operational controls. These categories cover a wide range of measures organizations can implement to protect their information assets.

Management controls focus on planning, organizing, and overseeing cybersecurity activities. This can be achieved by developing security policies and procedures, assigning clear responsibilities, conducting risk assessments, and implementing security awareness and training programs.

Technical controls refer to technological measures implemented to protect systems and information. These may include firewalls, intrusion detection and prevention systems, data encryption, user authentication, and access control to resources.

Operational controls focus on the processes and procedures implemented to ensure cybersecurity in the organization’s daily operations. This includes change management, incident management, monitoring and analyzing logs, and conducting regular security testing.

It is important to note that the security controls and safeguards in the NIST cybersecurity framework are not an exhaustive list of measures; they must be tailored to the specific needs and characteristics of each organization. Conducting a risk assessment is essential to identify the relevant threats and vulnerabilities, and then to implement appropriate controls to mitigate those risks.

Additionally, implementing security controls is not a one-time process; it must be continuously evaluated and updated. Organizations should conduct regular audits to ensure controls are functioning properly and adjust them as needed.

  2. Security Policies and Access Management

Security policies are documents that establish the rules and guidelines for protecting an organization’s information and systems. These policies should be clear, concise, and understandable for all employees and users, and should address aspects such as information classification, acceptable use of resources, password management, personal data protection, and incident response, among others.

It is important that security policies align with the organization’s objectives and requirements, as well as applicable laws and regulations. They should also be reviewed and updated regularly to adapt to changes in the cybersecurity landscape.

Access management refers to the processes and controls used to ensure that only authorized individuals have access to resources and information. This involves implementing measures such as user authentication, role- and privilege-based access authorization, and monitoring access activities.

The NIST cybersecurity framework recommends following the principle of "least privilege," meaning users should only have the privileges necessary to perform their tasks. This reduces the risk of a malicious or compromised user causing harm to systems or accessing confidential information.

Access management also involves implementing technical controls such as identity and access management systems, physical and logical access controls, and audit logs to monitor and track access activities.
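The following is an added example, not part of the lesson, showing how the access-management ideas above (role-based authorization, least privilege, and an audit trail of access activity) look in code. The roles, users, resources and permissions are constructed for illustration; the `AccessManager` class and the `unused_permissions` review helper are assumptions for this example, not a NIST or vendor API. Authorization is deny-by-default: a user gets a permission only if one of their roles explicitly grants it, and every decision, allowed or denied, is recorded so that access activity can be monitored.

```python
"""Deny-by-default role-based access control with an audit log.

Added example illustrating least privilege; all roles, users and
resources below are constructed sample data.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed role definitions. Each role lists only the
# (resource, action) pairs it needs to do its job.
ROLE_PERMISSIONS = {
    "analyst": {("logs", "read"), ("alerts", "read")},
    "admin": {("logs", "read"), ("logs", "delete"),
              ("alerts", "read"), ("users", "write")},
    "auditor": {("logs", "read"), ("audit", "read")},
}

# Constructed user-to-role assignments.
USER_ROLES = {
    "alice": {"analyst"},
    "bob": {"admin"},
    "carol": {"auditor", "analyst"},
}


@dataclass
class AuditEntry:
    """One access decision, kept for monitoring and review."""
    timestamp: str
    user: str
    resource: str
    action: str
    allowed: bool


@dataclass
class AccessManager:
    """Hypothetical access manager: resolves roles to permissions,
    decides requests deny-by-default, and logs every decision."""
    role_permissions: dict
    user_roles: dict
    audit_log: list = field(default_factory=list)

    def permissions_for(self, user):
        """Union of permissions granted by all of the user's roles.
        Unknown users and unknown roles contribute nothing."""
        perms = set()
        for role in self.user_roles.get(user, set()):
            perms |= self.role_permissions.get(role, set())
        return perms

    def authorize(self, user, resource, action):
        """Allow only if some role explicitly grants (resource, action)."""
        allowed = (resource, action) in self.permissions_for(user)
        self.audit_log.append(AuditEntry(
            datetime.now(timezone.utc).isoformat(),
            user, resource, action, allowed))
        return allowed

    def denied_attempts(self, user=None):
        """Denied decisions, optionally filtered to one user; a spike
        here is the kind of access activity worth monitoring."""
        return [e for e in self.audit_log
                if not e.allowed and (user is None or e.user == user)]


def unused_permissions(manager, user, exercised):
    """Least-privilege review: permissions a user holds but has not
    exercised (per the audit log or another source). Candidates for
    removal so privileges stay limited to what the job needs."""
    return manager.permissions_for(user) - set(exercised)


if __name__ == "__main__":
    mgr = AccessManager(ROLE_PERMISSIONS, USER_ROLES)
    print("alice read logs:", mgr.authorize("alice", "logs", "read"))
    print("alice delete logs:", mgr.authorize("alice", "logs", "delete"))
    print("denied so far:", len(mgr.denied_attempts()))
    print("bob unused:", unused_permissions(mgr, "bob", [("logs", "read")]))
```

The review helper is the part that operationalizes least privilege over time: granting a role is easy, but permissions tend to accumulate, and comparing what an account holds against what it actually uses is how excess privilege gets found and removed.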

It is important to highlight that security policies and access management are not solely the responsibility of the IT department; they should be a concern for the entire organization. All employees must be aware of security policies and comply with them in their daily work. Training and awareness are key to ensuring a cybersecurity culture throughout the organization.

  3. Vendor and Third-Party Security Management

Vendor and third-party management aims to assess and manage the risks associated with business relationships and services provided by third parties. This is very important in a digital environment, as organizations often rely on external vendors for critical services such as cloud storage, payment processing, and technical support.

Within the NIST framework, a risk-based approach is recommended for managing vendors and third parties. This involves assessing the importance of the services provided by third parties, as well as the level of access they have to the organization’s systems and data. Based on this assessment, appropriate controls and safeguards can be implemented to mitigate identified risks.

Some best practices for vendor and third-party management include:

  • Risk assessment: Conduct a thorough evaluation of potential vendors and third parties before establishing a business relationship. This includes reviewing their security policies, risk management practices, and regulatory compliance.
  • Contractual agreements: Establish clear contractual agreements that include cybersecurity clauses. These agreements should specify each party’s responsibilities regarding data protection, incident notification, and regulatory compliance.
  • Continuous monitoring: Conduct regular audits and assessments of vendors and third parties to ensure they meet agreed security requirements. This may include reviewing security test reports, external audits, and compliance assessments.
  • Incident management: Establish an incident response plan that includes collaboration with vendors and third parties in the event of a security incident. This ensures a rapid and coordinated response to minimize the impact of an incident.
  • Awareness and training: Provide cybersecurity training and awareness to employees and vendors to ensure they are aware of best security practices and associated risks.

By following the NIST cybersecurity framework guidelines, organizations can establish effective processes and controls to assess and manage risks associated with vendors and third parties, thereby strengthening their cybersecurity posture.

  4. Incident Response and Business Continuity Plans

An incident response plan is a set of predefined procedures and actions to follow when a security incident occurs. The main objective of this plan is to minimize the impact of the incident, restore affected systems and information, and mitigate any further damage. The incident response plan should include incident identification and classification, notification and escalation, containment and eradication, recovery and restoration of systems, and a post-incident review to learn from the experience.

Business continuity, on the other hand, refers to an organization’s ability to maintain its critical operations in the event of a significant disruption, whether caused by a security incident, natural disaster, or other contingency. A business continuity plan should include identification of critical processes and systems, risk and vulnerability assessment, implementation of mitigation measures, development of recovery plans, and regular testing and exercises to ensure the plan’s effectiveness.

Within the NIST Framework, a lifecycle approach is recommended for incident management and business continuity. This involves prior planning and preparation, response and recovery during an incident or disruption, and continuous review and improvement after the incident.

Some best practices for incident response and business continuity planning include:

  • Identification and classification of critical assets: Identify information assets and systems critical to the business and prioritize their protection and recovery in the event of an incident or disruption.
  • Establishment of roles and responsibilities: Clearly define the roles and responsibilities of the incident response team and business continuity team members, as well as communication and decision-making lines.
  • Communication and coordination: Establish clear communication channels and coordination mechanisms with internal and external stakeholders, such as vendors, customers, and regulatory authorities.
  • Testing and exercises: Conduct regular tests and exercises to assess the effectiveness of incident response and business continuity plans, identify areas for improvement, and train staff in plan execution.
  • Continuous improvement: Conduct post-incident and post-disruption reviews to identify lessons learned and make adjustments and improvements to plans and processes.

All these steps will help us do a better job in protecting and mitigating risks within the organization where we work.