One proven path to improving any organization’s security posture is to embrace the National Institute of Standards and Technology’s risk management framework set forth in its NIST 800 series of documents.
NIST 800-53, in particular, lays out recommended policies and procedures covering access control, incident response, business continuity, disaster recoverability and about a dozen more key areas.
I can attest, based on a principal role I played in helping IDT911 get fully immersed in this large document, that NIST 800-53 is a great place for any information security team to begin establishing or evolving a robust set of infosec controls.
Here are three key lessons I learned along the way:
1. Top management commitment is absolutely crucial
Seek senior-level buy-in at the start, and take steps to reinforce it as you go. Without senior executives fully on board, any wonderful new security policies and procedures you come up with will languish on your hard drive.
We made sure to invite top management to regular summary briefings with subject matter experts. This gave our senior execs ample opportunity to commit to the process of improving the company’s security posture. We took pains to send senior managers draft policies well ahead of time. That enabled them to arrive better prepared to fully engage in briefing sessions. And if they for some reason had to miss a session, they could still participate in the feedback loop. Bottom line: anything you can do to engage senior leaders and keep them actively involved is well worth the effort.
2. You can’t do it all, so do what you can
NIST 800-53 very extensively outlines how to establish baseline infosec controls based on an organizational assessment of risk. Common sense tells you that controls must be in place to have any effect. Creating policy for which you lack the manpower and resources to enforce is a recipe for futility.
To account for this, we engaged our subject matter experts in a triaging process. For instance, here’s how we triaged NIST’s “systems and communications protection policy,” which calls out 44 controls. First, we cross referenced the NIST controls to existing policies and procedures. This enabled us to derive a list of assumptions about what was, or was not, actually being done.
Next, we sought to confirm and/or clarify each assumption with the appropriate subject matter expert. This allowed us to omit some controls and keep others, while also setting aside any omitted controls for future review. By culling down to a subset of high-priority controls, we protected the company from stating that a given control was in place with no practical way to support it. In fact, this is how the NIST 800 framework should work. NIST should help you foster development of effective infosec policies that are actually useful to your unique organization.
3. Be wary of the butterfly effect
An insect flapping its wings in China can trigger a tornado in Florida. Creating new policies can trigger new responsibilities and intensify pressure on existing resources. It is vital to get buy-in, not just from top management, but especially from mid-level management, on whose shoulders a new tier of specified responsibilities will likely fall.
The good news is that many of the NIST 800 controls are straightforward and self-explanatory. A thorough review of the NIST protocols makes it obvious who is best suited to perform a particular function. Because we happen to be a small organization, many of the subject matter experts, including myself, who directly touch infosec at IDT911 already met on a monthly basis.
This helped develop a fairly straightforward buy-in process. Additionally, the committee gave me a forum to thoroughly explain policy proposals and hash out who should take responsibility for specific tasks. We were also able to establish a framework for dealing with any future audits. By specifying functions and formalizing a communication path to track the controls we put in place, we created the capacity to produce consistent status reports on all of the controls we chose to implement and support.
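The triage procedure from lesson 2 (cross-reference controls to existing policies, confirm each assumption with a subject matter expert, keep or defer) and the owner-tracked status reporting from lesson 3 can be captured in a small tracker. The script below is an added example written for this article, not IDT911's tooling or anything from NIST. The five SC-family control identifiers and titles are real 800-53 entries (titles abbreviated); the policy documents, owner names and SME answers are constructed sample data, and the decision rule (keep only what an SME confirms is done and agrees to own, defer everything else with a reason) is one illustrative encoding of the approach described above.

```python
"""Control triage tracker: cross-reference a control family against existing
policies, confirm assumptions with SMEs, and emit an audit-ready status report."""
from dataclasses import dataclass, field
from enum import Enum


class Status(Enum):
    KEEP = "keep"        # confirmed in place; a named owner reports on it
    DEFER = "defer"      # not supportable today; parked for a future review
    UNKNOWN = "unknown"  # assumption derived from paperwork, not yet confirmed


@dataclass
class Control:
    cid: str
    title: str
    policies: list = field(default_factory=list)  # existing policies citing this control
    owner: str = ""
    status: Status = Status.UNKNOWN
    note: str = ""


# Real 800-53 identifiers; titles abbreviated. A full triage would cover the whole family.
CATALOG = {
    "SC-7": "Boundary Protection",
    "SC-8": "Transmission Confidentiality and Integrity",
    "SC-12": "Cryptographic Key Establishment and Management",
    "SC-13": "Cryptographic Protection",
    "SC-28": "Protection of Information at Rest",
}

# Constructed sample: existing policy documents and the controls each claims to address.
EXISTING_POLICIES = {
    "Network Perimeter Standard": ["SC-7"],
    "Encryption Standard": ["SC-8", "SC-13", "SC-28"],
}

# Constructed sample: subject-matter-expert answers as (owner, actually_done).
SME_ANSWERS = {
    "SC-7": ("netops", True),
    "SC-8": ("netops", True),
    "SC-12": ("crypto-lead", False),  # no policy and not done: defer
    "SC-13": ("crypto-lead", True),
    "SC-28": ("storage", False),      # policy says yes, SME says no: the assumption was wrong
}


def cross_reference(catalog, policies):
    """Step 1: map every control to the existing policies that mention it.
    The result is only an assumption about what is being done."""
    controls = {cid: Control(cid, title) for cid, title in catalog.items()}
    for policy, cids in policies.items():
        for cid in cids:
            if cid in controls:
                controls[cid].policies.append(policy)
    return controls


def triage(controls, answers):
    """Step 2: confirm each assumption with its SME. A control is kept only when
    someone confirms it is done and accepts ownership; everything else is deferred
    with a reason, so no control is claimed without a practical way to support it."""
    for cid, ctl in controls.items():
        owner, done = answers.get(cid, ("", False))
        ctl.owner = owner
        if not done:
            ctl.status = Status.DEFER
            ctl.note = ("policy claims coverage but SME could not confirm"
                        if ctl.policies else "no existing policy; future review")
        elif not owner:
            ctl.status = Status.DEFER
            ctl.note = "in place but nobody owns reporting on it"
        else:
            ctl.status = Status.KEEP
            if not ctl.policies:
                ctl.note = "practised but undocumented: write the policy"
    return controls


def status_report(controls):
    """Step 3: the summary handed to management or an auditor: which controls
    the organization stands behind, who reports on each, and what was set aside."""
    report = {"keep": [], "defer": []}
    for ctl in sorted(controls.values(), key=lambda c: int(c.cid.split("-")[1])):
        line = f"{ctl.cid} {ctl.title}"
        if ctl.status is Status.KEEP:
            report["keep"].append(f"{line} (owner: {ctl.owner})")
        else:
            report["defer"].append(f"{line}: {ctl.note}")
    return report


if __name__ == "__main__":
    ctls = triage(cross_reference(CATALOG, EXISTING_POLICIES), SME_ANSWERS)
    for bucket, lines in status_report(ctls).items():
        print(bucket.upper())
        for entry in lines:
            print("  " + entry)
```

With the sample data, SC-28 is the instructive case: the Encryption Standard claims it, but the SME says it is not actually done, so the tracker defers it rather than letting a paper policy stand in for a control nobody can support. Deferred controls keep their note and owner so the monthly committee can revisit them.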
Our goal is to use the NIST controls not just to tighten security, but to free up our organization so it’s more productive. Thus our mantra has become “enabling the business securely.” We express this often. Transparency and teamwork are the result. Meanwhile, this continual feedback loop is helping us keep our NIST controls alive and vital.