Top 5 NIST Critical Security Controls

Published On: February 13, 2025

The NIST Cyber Security Framework

The NIST Cybersecurity Framework (CSF) 2.0 provides guidance to industry, government agencies, and other organizations on managing cybersecurity risk. It offers a taxonomy of high-level cybersecurity outcomes that any organization — regardless of its size, sector, or maturity — can use to better understand, assess, prioritize, and communicate its cybersecurity efforts.

Recently, Information Systems Security Association Hall of Famer Dr. Ronald Ross spoke in an interview about the top 5 NIST critical security controls, giving his opinion on which NIST cybersecurity controls he considers most crucial. Here are the top 5!

Information Security Architecture

Starting off, Dr. Ross points out that perhaps the most important security control to take seriously is Information Security Architecture, as it builds an understanding of the focus areas for your specific enterprise. Developing a clearly defined security strategy from the very beginning ensures that all components of a business are created with security in mind. A well-designed security architecture makes security a built-in part of your systems rather than something added as an afterthought.

Configuration Management

The lead author of the Risk Management Framework (RMF) says that configuration management plays a critical role in identifying and managing potential attack vectors. Maintaining an inventory of software applications and network devices helps prevent unauthorized access and reduces security risk. It is important to know about every device and application in your inventory in order to account for all possible attack vectors. If one goes unnoticed, it could cause great harm to the organization.

Being Consistent with Reducing and Managing Complexity

Dr. Ross emphasizes the significance of security architecture as the foundation for managing complexity and implementing the zero trust principle. Applying the principles of least functionality and least privilege helps minimize the attack surface and limit potential vulnerabilities. By removing unnecessary ports, protocols, and services, and by granting privileges only to those who need them, organizations can enhance security. Anything that is not essential for business operations should be disabled or removed.

Least Privileges (Zero Trust)

Dr. Ross points out that implementing the principle of least privilege helps minimize the attack surface. Granting privileges only to those who absolutely need them for business operations enhances security. A common mistake is granting people more privileges than they need, which expands the attack surface.
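The configuration-management and least-privilege advice above comes down to one recurring check: compare what a host actually exposes against what its documented role justifies. The following added example (not from the interview or from NIST) does that on constructed data, parsing `ss -tulnp`-style listener output and the local admin group against an assumed baseline; the baseline values, host output and account names are all made up for illustration.

```python
"""Least-functionality and least-privilege drift check on constructed data.
Parses `ss -tulnp`-style output and the local admin group, then reports
anything the approved baseline does not justify."""
import re
# Constructed sample in the shape `ss -tulnp` prints (no real host queried).
SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*   users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      511    0.0.0.0:443        0.0.0.0:*   users:(("nginx",pid=1044,fd=6))
tcp   LISTEN 0      128    127.0.0.1:5432     0.0.0.0:*   users:(("postgres",pid=1201,fd=5))
tcp   LISTEN 0      5      0.0.0.0:23         0.0.0.0:*   users:(("telnetd",pid=1377,fd=4))
udp   UNCONN 0      0      0.0.0.0:161        0.0.0.0:*   users:(("snmpd",pid=990,fd=6))
"""
# Constructed baseline: the (proto, port) pairs and admin accounts this
# host's documented role actually requires.
ALLOWED_LISTENERS = {("tcp", 22), ("tcp", 443), ("tcp", 5432)}
APPROVED_ADMINS = {"ops-admin"}
# Constructed observation, e.g. the members of the sudo/wheel group.
OBSERVED_ADMINS = {"ops-admin", "jsmith"}

PROC_RE = re.compile(r'\(\("([^"]+)"')  # process name inside users:(("name",...))


def parse_ss(text):
    """Return {(proto, port, process)} from ss output; header and short lines skipped."""
    listeners = set()
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 5:
            continue
        proto, local = fields[0], fields[4]
        port = int(local.rsplit(":", 1)[1])  # works for 0.0.0.0:22 and [::]:22
        match = PROC_RE.search(line)
        listeners.add((proto, port, match.group(1) if match else "?"))
    return listeners


def unexpected_listeners(listeners, allowed):
    """Listening sockets the baseline does not justify: remove or document them."""
    return {l for l in listeners if (l[0], l[1]) not in allowed}


def excess_admins(observed, approved):
    """Accounts holding admin rights without a documented business need."""
    return observed - approved


if __name__ == "__main__":
    for proto, port, proc in sorted(unexpected_listeners(parse_ss(SS_OUTPUT), ALLOWED_LISTENERS)):
        print(f"remove or justify listener {proto}/{port} ({proc})")
    for user in sorted(excess_admins(OBSERVED_ADMINS, APPROVED_ADMINS)):
        print(f"revoke or justify admin rights for {user}")
```

Run periodically against a real inventory, each finding is either removed (least functionality, least privilege) or added to the baseline with a written justification, which is what keeps the inventory honest.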

Strong Access Control, Authentication and Authorization

Strong access control, authentication, and authorization are crucial for implementing the zero trust concept. Applying these controls to well-managed security domains ensures that only authorized individuals have access to sensitive information, reducing the risk of data breaches.

Incident Response Plan – Bonus

Having a contingency plan or incident response plan is crucial. Get it written, and make sure it’s exercised! Conduct tabletop exercises to ensure your incident response plan is ready in case of a cyber-attack. Regular exercises and training are essential to keeping the plan well prepared. By practicing the plan and incorporating it into the organization’s culture, businesses can respond effectively to cyber threats.

Lack of Focus on the Human Firewall

We strongly agree with the points highlighted by Dr. Ross, but for the most part he has focused on technical topics. The incident response plan emphasized by Dr. Ross, along with regular practice, ensures the best possible preparedness for a cyberattack. The best way to achieve this is through cybersecurity tabletop exercises, which allow organizations to simulate different scenarios in a controlled environment and test the readiness, completeness, and effectiveness of their incident response plan. Additionally, at RiskSight we believe that continuous training of an organization’s employees is crucial, as we consider people to be the most critical link in the organization’s security chain.

To begin building the Human Firewall on a user or management level, visit our Cyber Security Awareness Trainings or Strategic Cybersecurity Exercises pages.