Beyond Firewalls: The Protect Function


In this third of a six-part series, we introduce the “Protect” function of the NIST Cybersecurity Framework (CSF).

With 6 categories and 35 subcategories (as numbered in CSF version 1.0), it is by far the most expansive function within the framework, for better or worse. This reflects the traditional view that cybersecurity, and security in general, is first and foremost a matter of preventing bad things from happening – it is no coincidence that the motto of many police departments is “Protect and Serve.” “Protect the Server” might as well be the corresponding motto for traditional cybersecurity: it is the activity companies spend the most time and money on, whether through built-in features or add-on protection using specialized software. Employees are instructed to use strong passwords and secure their equipment, and are warned not to fall for phishing scams that could open the door for attackers.

Five of the six categories – Access Control, Awareness and Training, Data Security, Maintenance, and Protective Technology – describe these and related activities. Typically, the IT Department has either the lead or a primary supporting role in suggesting and implementing products and processes in this space. Yet, this may not be the optimal organizational solution. In the “Protect and Serve” analogy: IT Departments are in fact not Police Departments, and cybersecurity goes beyond “Protect the Server.”

A more comprehensive approach to the Protect function is exemplified by the remaining category, Information Protection Processes and Procedures (PR.IP), which is not only the largest in terms of subcategories (twelve), but also the most constructive from an organizational point of view. It calls for security policies that address purpose, scope, roles, responsibilities, management commitment, and coordination among organizational entities, as well as processes and procedures that are maintained and used to manage the protection of information systems and assets. The subcategories apply across the enterprise, and they adopt a view of risk as a combination of threats, vulnerabilities, and consequences:

PR.IP-1: A baseline configuration of information technology/industrial control systems is created and maintained
PR.IP-2: A System Development Life Cycle to manage systems is implemented
PR.IP-3: Configuration change control processes are in place
PR.IP-4: Backups of information are conducted, maintained, and tested periodically
PR.IP-5: Policy and regulations regarding the physical operating environment for organizational assets are met
PR.IP-6: Data is destroyed according to policy
PR.IP-7: Protection processes are continuously improved
PR.IP-8: Effectiveness of protection technologies is shared with appropriate parties
PR.IP-9: Response (Incident Response, Business Continuity) and recovery plans (Incident Recovery, Disaster Recovery) are in place
PR.IP-10: Response and recovery plans are tested
PR.IP-11: Cybersecurity is included in human resources practices (e.g., deprovisioning, personnel screening)
PR.IP-12: A vulnerability management plan is developed and implemented

One might argue that this category is too wide-ranging to be implemented effectively, and that only someone at the C-level would have the authority to reach into all these different parts of the organization. But it is precisely that enterprise-wide understanding that moves cybersecurity from “Protect the Server” to “Secure the Organization.” We at novaturient can assist in finding the right organizational form to move towards that goal.
