When I teach Learning Tree’s System and Network Security Introduction, participants often ask me similar questions at the end of the course:
“There is a lot of material here, how can I begin to implement it at work?”
“How do I know our security plan is good enough?”
“Is there any help on ensuring that we are doing everything we need to do?”
These are good questions and fortunately there is help! There are multiple frameworks for these tasks, and one is from the US National Institute of Standards and Technology, or NIST. There are others, but the ideas and concepts are fundamentally the same – they mostly differ in details. Learning Tree has a one-day bootcamp on this topic, Course 4528, Compliance Checklists (NIST Framework). I’ll be teaching this course on October 20th, and last time I checked, there was still room to enroll.
The idea behind the frameworks is simple. They help you to look critically at your systems and networks, analyze the threats, and implement solutions. While the idea is simple, the details are complex. The NIST framework document, NIST Publication 800-53, is 462 pages long! Course 4528 helps you learn the basics so you can effectively navigate the framework.
One aspect of the NIST framework I find particularly attractive – and beneficial to organizations of virtually any size – is the breakdown of responsibilities by role. From the CEO to end users, the NIST framework details each role’s specific responsibilities when it comes to cyber security. This is essential in most organizations as sometimes it is difficult to delineate who is to perform assessments, who is to audit, who is to design and implement defenses, and who is to approve what. Fortunately, the frameworks lay this out.
One of the biggest benefits of defining roles and their responsibilities is that specific responsibilities are not overlooked. Often, when I ask “who approved that policy?”, people’s eyes glaze over. The policy was stated by someone and that was that. The frameworks detail the chain of approval and the forms of documentation needed. That greatly helps not only with policy and procedure design, but also with gaining buy-in from users, as they know why a policy is what it is and not just because “the CIO says so”.
I don’t want to give away too many details of the class, but I hope I’ve whetted your appetite. I would like to know whether and how you are using the NIST frameworks or another framework to form your security plan. Let us know in the comments below.
To your safe computing,