If you are building up a new security program or improving upon an existing one, but you are not well verse in compliance - the NIST Framework can help provide a guide of what common controls should be in place.
The NIST Framework was originally created through collaboration between industry and government to promote the protection of critical infrastructure. The prioritized, flexible, repeatable, and cost-effective approach of the Framework doesn't just help critical infrastructure, but provides a holistic way to manage cybersecurity-related risk that can be augmented by any size company.
The NIST Framework consists of three main components: the Core, Implementation Tiers, and Profiles.
- The Core provides a set of desired cybersecurity activities and outcomes using common language that is easy to understand. It also guides organizations in managing and reducing their cybersecurity risks in a way that complements an organization’s existing cybersecurity and risk management processes.
- The Implementation Tiers assist organizations by providing context on how an organization views cybersecurity risk management. The Tiers guide organizations to consider the appropriate level of rigor for their cybersecurity program and are often used as a communication tool to discuss risk appetite, mission priority, and budget.
- Framework Profiles are an organization’s unique alignment of their organizational requirements and objectives, risk appetite, and resources against the desired outcomes of the Framework Core. Profiles are primarily used to identify and prioritize opportunities for improving cybersecurity at an organization.
These components will not only let you know the core controls that should be in place, but allow you to tailor it to your business needs and maturity.
Reading through the resources available on the https://www.nist.gov/cyberframework website, will also provide a good introduction to compliance concepts, organization, and practices. My recommendation is to start by downloading the excel version of the framework and start performing a gap analysis of what is in place and what isn't. Upload the spreadsheet to the cloud so it can be collaborative. Add columns and track all details within the spreadsheet and use it as a control tracker. Make sure each control has an owner. If you have "compliance manager" hat on you should not be responsible for all operating controls. Though if the company is small enough you may also have to wear a "control owner" hat, but that is typically the case with SMEs.
Having a structure in place will help guide anyone through the process of defining and implementing a holistic security program and NIST is a great resource to serve as a starting point.
