10-07-2022 01:04 PM - edited 10-07-2022 01:25 PM
If you are building up a new security program or improving on an existing one, but you are not well versed in compliance, the NIST Framework can help provide a guide to which common controls should be in place.
The NIST Framework was originally created through collaboration between industry and government to promote the protection of critical infrastructure. The prioritized, flexible, repeatable, and cost-effective approach of the Framework doesn't just help critical infrastructure; it provides a holistic way to manage cybersecurity-related risk that can be adopted by a company of any size.
The NIST Framework consists of three main components: the Core, Implementation Tiers, and Profiles.
These components will not only let you know the core controls that should be in place, but allow you to tailor them to your business needs and maturity.
Reading through the resources available on the https://www.nist.gov/cyberframework website will also provide a good introduction to compliance concepts, organization, and practices. My recommendation is to start by downloading the Excel version of the Framework and performing a gap analysis of what is in place and what isn't. Upload the spreadsheet to the cloud so it can be collaborative. Add columns, track all details within the spreadsheet, and use it as a control tracker. Make sure each control has an owner. If you have the "compliance manager" hat on, you should not be responsible for operating all of the controls. If the company is small enough you may also have to wear a "control owner" hat, which is typically the case with SMEs.
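As an added example (not from the original post), here is a small Python script that treats the control tracker described above as a CSV export and runs the gap analysis over it: it compares each subcategory's current status against its target (the Current Profile vs Target Profile idea from the Framework), flags controls that have no owner, summarizes coverage per CSF function, and prints a worklist ordered by the size of the gap. The column layout (`owner`, `current`, `target`) and the sample rows are constructed for this example; the subcategory identifiers follow the CSF 1.1 naming scheme, with paraphrased descriptions.

```python
"""
Gap analysis over a NIST CSF-style control tracker exported as CSV.
Added example, not from the original post.
"""
import csv
import io
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed sample tracker. The column layout is an assumption for this
# example, not the layout of NIST's own spreadsheet. Descriptions are
# paraphrased from the CSF 1.1 subcategories; the owner/status values are made up.
SAMPLE_TRACKER_CSV = """\
subcategory,description,owner,current,target
ID.AM-1,Physical devices and systems are inventoried,IT Ops,Implemented,Implemented
ID.AM-2,Software platforms and applications are inventoried,IT Ops,Partial,Implemented
PR.AC-1,Identities and credentials are managed,Identity Team,Implemented,Implemented
PR.DS-1,Data-at-rest is protected,,Not Implemented,Implemented
DE.CM-1,The network is monitored to detect potential cybersecurity events,SecOps,Partial,Implemented
RS.RP-1,Response plan is executed during or after an incident,,Not Implemented,Partial
RC.RP-1,Recovery plan is executed during or after a cybersecurity incident,BCP Lead,Partial,Partial
"""

# Ordered maturity of a control's status; the gap is the number of steps to target.
STATUS_RANK = {"Not Implemented": 0, "Partial": 1, "Implemented": 2}


@dataclass(frozen=True)
class Control:
    subcategory: str
    description: str
    owner: str
    current: str
    target: str

    @property
    def function(self) -> str:
        """CSF function prefix of the subcategory, e.g. 'ID.AM-1' -> 'ID'."""
        return self.subcategory.split(".", 1)[0]

    @property
    def gap(self) -> int:
        """Status steps short of target; 0 when the control meets its target."""
        return max(0, STATUS_RANK[self.target] - STATUS_RANK[self.current])


def load_tracker(csv_text: str) -> list[Control]:
    """Parse the tracker CSV, rejecting rows whose status is not a known value."""
    controls = []
    for line_no, row in enumerate(csv.DictReader(io.StringIO(csv_text)), start=2):
        for col in ("current", "target"):
            if row[col].strip() not in STATUS_RANK:
                raise ValueError(f"line {line_no}: unknown {col} status {row[col]!r}")
        controls.append(Control(
            subcategory=row["subcategory"].strip(),
            description=row["description"].strip(),
            owner=row["owner"].strip(),
            current=row["current"].strip(),
            target=row["target"].strip(),
        ))
    return controls


def gap_analysis(controls: list[Control]) -> dict:
    """Summarize current state vs target and ownership coverage."""
    by_function = defaultdict(lambda: [0, 0])  # function -> [meets_target, total]
    for c in controls:
        by_function[c.function][1] += 1
        if c.gap == 0:
            by_function[c.function][0] += 1
    return {
        "total": len(controls),
        "current_status": dict(Counter(c.current for c in controls)),
        "gaps": sorted(c.subcategory for c in controls if c.gap),
        "unowned": sorted(c.subcategory for c in controls if not c.owner),
        "by_function": {f: tuple(v) for f, v in sorted(by_function.items())},
    }


def worklist(controls: list[Control]) -> list[tuple[str, int, str]]:
    """Open gaps, largest first; unowned gaps are flagged so they can be assigned."""
    open_gaps = sorted((c for c in controls if c.gap),
                       key=lambda c: (-c.gap, c.subcategory))
    return [(c.subcategory, c.gap, c.owner or "UNASSIGNED") for c in open_gaps]


def render(controls: list[Control]) -> str:
    """Human-readable report for the tracker."""
    summary = gap_analysis(controls)
    lines = [f"Controls tracked: {summary['total']}",
             f"Current status: {summary['current_status']}",
             f"Controls without an owner: {summary['unowned'] or 'none'}",
             "Meets target / total per function:"]
    lines += [f"  {f}: {met}/{tot}" for f, (met, tot) in summary["by_function"].items()]
    lines.append("Worklist (gap, owner):")
    lines += [f"  {sub}: gap {gap}, owner {owner}" for sub, gap, owner in worklist(controls)]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(load_tracker(SAMPLE_TRACKER_CSV)))
```

Run as-is to see the report for the sample rows; to use it on a real tracker, export the spreadsheet to CSV with the same five columns and pass the file contents to `load_tracker`. The validation in `load_tracker` is deliberate: a tracker shared across many owners tends to accumulate free-text statuses, and rejecting them early keeps the gap counts honest.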
Having a structure in place will help guide anyone through the process of defining and implementing a holistic security program and NIST is a great resource to serve as a starting point.