Step 1 – Align a NIST-Based Program with Business Objectives

Map your objectives to the NIST control families. For example, if your organization requires “availability” of systems as the top priority, then starting with “Contingency Planning” (CP) controls is going to align your program with your business objectives better.
Step 2 – Focus on Foundational “Primary Controls” First

Start with a subset of the control families selected and limit your initial custom framework control list to the vital “Primary Controls.” This saves the “Control Enhancements” for later, when your NIST CSF program is more mature. Control enhancements include details beyond the base control, such as frequency of testing, automation, and extensive documentation of the process surrounding the control. While important, these control enhancements only matter if the base control is already in place.
Step 3 – Get the Low-Hanging Fruit by Implementing NIST SP 800-171

Select your base framework controls using an existing framework profile or selection such as NIST SP 800-171, which covers more than 80% of the full NIST CSF but requires approximately 20% of the effort, significantly reducing the number of controls that need to be adopted. Similar to the 80/20 principle, this approach can dramatically improve security with a fraction of the effort required to implement the full NIST CSF.
Step 4 – Balance the Five Framework Functions Evenly

Distribute your effort equally across all five functions of the NIST CSF to create a balanced program. If we follow the natural sequence embodied in the NIST CSF, we can break the various stages down into smaller pieces that are easier to digest and implement.

• Identify the risks to your systems, data, and other assets. You must be able to effectively prioritize your focus, fully understand governance, and carry out accurate risk assessments.
• Protect your critical infrastructure by limiting access to assets, training employees, securing and validating data integrity, implementing protective procedures and systems, and scheduling regular maintenance.
• Detect cybersecurity events that could be attacks. This means flagging anomalies, monitoring traffic, and modeling regular noise so you can accurately identify anything suspicious.
• Respond when an event is detected. You should have a clear response plan with a communication protocol and a fixed timeline. Responses should be analyzed, mitigation efforts tested, and all lessons learned used to make structural process improvements.
• Recover your vital services and capabilities after an attack as quickly as possible, so the impact on your organization is reduced. Solid recovery plans should be bolstered by a continually evolving approach informed by events and strong communication links with relevant internal and external parties.
• If you’re stronger in one function, focus your efforts on one of your weaker ones. Do this until your program becomes balanced across the five framework functions.

© CyberSaint, Inc. 2019
Step 5 – Leverage the Entire Organization

Make NIST CSF adoption a team sport. Engage business units and other resources across your organization. Many of the framework’s controls can be assigned to business functions such as HR, finance, or IT. The security team doesn’t have to own every control.