The Methodology We Follow in Offering Our IT Security Services
The Kaytuso team are strong believers in risk-based security. As opposed to a purely compliance-driven approach, in which security staff tick boxes, a risk-based strategy allows organizations to adopt the processes and controls best suited to their environment and needs, allocating their security budget to address the most pressing threats first.
To provide the best risk-based cybersecurity protection to our clients, we’ve incorporated frameworks and resources from federal agencies deep into our process, including those from the National Institute of Standards and Technology (NIST).
Frameworks like the NIST Cybersecurity Framework (CSF) and Risk Management Framework (RMF) provide guidelines, processes, and best practices for mitigating cybersecurity risk. The NIST frameworks are authoritative resources for reducing cyber exposures and vulnerabilities in national-level infrastructure, and they can also play a key role in guiding private organizations in implementing strong cybersecurity practices.
Additional benefits these frameworks provide include the following:
- Create a way for cybersecurity teams to discuss obstacles and objectives in a unified manner
- Develop a frame of reference for cybersecurity and risk management activities
- Help to prioritize and communicate improvements to cybersecurity protections
The NIST Cybersecurity Framework
The federal government developed the NIST Cybersecurity Framework (CSF) in 2013 to respond to the increased threat of cyberattacks on critical U.S. infrastructure, including energy production facilities, water supplies, communication systems, and more.
The CSF integrates elements of other authoritative cybersecurity resources, but it stands apart from previous NIST documents like NIST Special Publications 800-53 and 800-171. While those are focused on the management of security systems and classified data, the CSF is fully focused on the analysis and management of cybersecurity risk.
The Five Core Cybersecurity Functions
The backbone of the CSF is five core functions. Structured as a single, logical process, these five core functions are further divided into 23 categories and then 108 sub-categories. Each of those sub-categories has its own set of cybersecurity controls. Together they provide a comprehensive frame of reference for the management of cybersecurity risks, exposures, and vulnerabilities.
Function 1 - Identify
The identify phase is where we develop an organizational understanding of the risks that threaten your systems, assets, and data. Gaining this understanding requires carefully analyzing the connections between each component, documenting how assets move through your systems, and recording how staff access them. During this phase, we also take note of the laws and regulations that your data and systems may be subject to.
The Identify function consists of the following categories:
• Asset management
• Business environment
• Governance
• Risk assessment
• Risk management strategy
Function 2 - Protect
The protect phase is where you deploy safeguards to limit the impact of a potential cybersecurity event and includes both digital and physical protections. The protect phase consists of the following categories:
• Access Control
• Awareness and Training
• Data Security
• Information Protection Processes and Procedures
• Maintenance
• Protective technology
Function 3 - Detect
As the name implies, this function includes all the processes and procedures for detecting cybersecurity anomalies and making sure that those events are properly understood. The categories within the detect function include:
• Anomalies and events
• Security continuous monitoring
• Detection processes
Function 4 - Respond
Organizations must also implement processes to properly and quickly respond to a cybersecurity event after it’s been detected. This includes:
• Response planning
• Communications
• Analysis
• Mitigation
• Improvements
Function 5 - Recover
The final function of the NIST cybersecurity framework is recover, which refers to the ability to provide resilience after a cyberattack and to restore any capabilities or services that may have been affected. The recover function consists of the following categories:
• Recovery planning
• Improvements
• Communications
A Note About NIST Implementation
The NIST framework isn’t a compliance standard — it was designed to guide the work of competent cybersecurity professionals. Unlike a compliance standard, there’s no regulatory body that will verify whether your company is properly implementing the CSF, nor is the standard designed to be followed word for word.
Furthermore, the CSF has been designed to be highly compatible with other existing frameworks, like the NIST Risk Management Framework (RMF), allowing IT security experts to make adjustments based on the requirements of their business, technology, or circumstances.
The NIST Risk Management Framework
Designed for use by the Department of Defense and the U.S. Government, the NIST Risk Management Framework (RMF) is another important resource for implementing a risk-based IT security strategy. While the CSF is broad and designed for accessibility by private enterprise, the RMF is a more rigorous, prescriptive document.
The Risk Management Framework outlines a six-step process for managing security risks:
While following the prescriptions of the NIST CSF and RMF can be very challenging, they offer an excellent reference for technologists who wish to maximize the security of sensitive or protected data. They also help close the gap between C-suite executives and risk management activities, while improving data governance and accountability.
We provide world-class critical managed cybersecurity services to small and medium-sized businesses as well as larger enterprises nationwide. Don’t be a victim of cyberattacks. Work with a technology partner that has decades of experience deploying world-class cybersecurity defenses that keep companies safe and secure.