As cyber threats and technologies continue to evolve and supply chain security becomes more critical, the National Institute of Standards and Technology (NIST) is planning to update the Framework for Improving Critical Infrastructure Cybersecurity (CSF), one of the best overall guides to organizational cybersecurity.
This is good news, as the CSF is widely regarded as one of the most valuable voluntary roadmaps for addressing cyber risk, and revising it should create even more value as the landscape continues to evolve.
However, it’s unlikely the updated version will be available anytime soon. The original CSF, published in 2018, took about five years of collaboration between the public and private sectors from start to finish.
In the meantime, the original CSF’s core tenets are crucial for keeping organizations secure. Here’s a quick refresher of how your business should be meeting each core principle.
The vast majority of organizations discover unknown devices connected to their enterprise IT systems during an asset discovery scan.
Your company should maintain an accurate and up-to-date inventory of all employees, hardware, software, and data, including laptops, smartphones, tablets, and Internet of Things (IoT) devices.
Identifying and inventorying the components of the software solutions—in essence, creating a software bill of materials (SBOM)—will be a big help when the next widely deployed software exploit is announced. (Remember Log4j and SolarWinds?)
Regularly discover new devices on your enterprise network and either add them to your asset inventory or remove them. Then, conduct regular certification campaigns to ensure that only current users have active accounts.
Deprovision users when they separate from the organization, even if only temporarily, including contractors and suppliers.
Control who has access to your organization’s data and resources, including the network, endpoints, mobile devices, and cloud-based applications.
Train employees and contractors who use your company’s computers, devices, and networks about cybersecurity. Help them understand not just their crucial role in the “everywhere workplace,” but their personal risk too. You should also have a formal company policy for safely disposing of electronic files and old devices.
When it comes to data, be sure to use strong cryptographic algorithms to encrypt sensitive data at rest, in use, and in transit. Perform regular backups of data as well.
To protect and remediate risks, use antivirus, mobile threat defense, and EDR/XDR software. Update regularly, and automate those updates where possible.
Lastly, be sure to implement risk-based vulnerability management and automated patching, especially for high-risk vulnerabilities.
Develop a complete and accurate asset inventory, and automate the discovery of new devices on your enterprise network.
Check your company network for unauthorized users or connections, and investigate any unusual activities on your network or by your staff.
When an incident does occur, it’s important to develop a Concept of Operations (ConOps) response. This includes:
- Investigating and containing a security incident as well as performing forensics
- Preparing for inadvertent events (like power outages and weather emergencies) that can put data at risk
- Updating your cybersecurity policy and plan with lessons learned
It’s also wise to automate your playbooks to remediate vulnerabilities, deploy patches, and implement additional access controls.
After an attack, be resilient by repairing and restoring the hardware, software, and critical components of the company network that were affected.
Be sure to communicate with employees, partners, and customers, and keep them informed of the company response and recovery activities.
While cyber threats have evolved, old favorites like phishing and ransomware continue to plague both individuals and organizations. Some preventive measures simply don’t get old, and that’s certainly the case with the CSF. Make sure your business is prepared.
Bill Harrod is Federal CTO at Ivanti, a global technology company on a mission to enable and secure the Everywhere Workplace.