NIST is the National Institute of Standards and Technology
and CSF is the Cybersecurity Framework. There are many PDFs (v1.1) on this topic, but the changes between versions are not my focus. I did cover this a small bit in a post from 2014: https://oversitesentry.com/cybersecurity-framework-by-nistnational-institute-of-standards-and-technology/ ; at that point NIST had published the major points but not the details yet.
The images are from an ISACA presentation about this topic.
Listing the main topics:
- Identify
- Protect
- Detect
- Respond
- Recover
The next step is to map the CSF functions to a data security methodology:
- Inventory
- Test
- Eliminate Vulnerabilities
- Enforce least privilege
- Monitor for Anomalies
- Protect
- Respond to Incidents
Each organization should try to map out the IT processes that it has. Thus the first thing we need to do is to identify everything (the following points are from the CSF's Identify function, taken from the following link):
- Identifying physical and software assets within the organization to establish the basis of an Asset Management program
- Identifying the Business Environment the organization supports, including the organization's role in the supply chain and the organization's place in the critical infrastructure sector
- Identifying cybersecurity policies established within the organization to define the Governance program, as well as identifying legal and regulatory requirements regarding the cybersecurity capabilities of the organization
- Identifying asset vulnerabilities, threats to internal and external organizational resources, and risk response activities as a basis for the organization's Risk Assessment
- Identifying a Risk Management Strategy for the organization including establishing risk tolerances
- Identifying a Supply Chain Risk Management strategy including priorities, constraints, risk tolerances, and assumptions used to support risk decisions associated with managing supply chain risks
The key is to start an IT security program with identification, then move on to protect and detect before respond and recover.
In practical terms: patching computers, log servers, incident response and rebuilding from backup are all part of it, each belonging to one of the functions above.
contact us to discuss