
NIST Implementation


The e-InnoSec team emphasizes the approach “Do it Right the First Time.” Despite years of investment, corporations feel their NIST program implementation is inadequate, budget-intensive, and a repetition of work.

NIST publications are among the best documentation available to address the various aspects of cybersecurity, and in general a NIST program implementation is large and complex. Most of the time the problem is not size but a lack of understanding of NIST basics and fundamentals. Moreover, organizations are often not sure why they are implementing NIST. Is it just a checkbox from a compliance perspective, or is it about organizational security? Clarity of objective helps develop the strategic plan for the NIST program implementation. In the initial phases, it is all about people, more than process and technology. The right program implementation deserves the right people with the right skills.

Please take the test below. If you can arrange the following NIST publications in sequential order to match the stages listed below, then you have already grasped the overall approach to the NIST implementation program cycle.

  - FIPS 199
  - SP 800-37
  - SP 800-53
  - SP 800-70
  - SP 800-53A
  - SP 800-17
  - SP 800-30
  - FIPS 200

Here are the stages:

  1. Categorize
  2. Select
  3. Supplement
  4. Document
  5. Implement
  6. Assess
  7. Authorize
  8. Monitor

The next stage is to apply the above approach to each aspect of NIST. One way to kickstart the process is a workshop that walks through the process and ensures stakeholders have a better understanding of the FIPS and NIST standards quoted above. The stages are explained below at a very high level:

  Categorize: Define the criticality/sensitivity of information systems according to the potential impact of loss.
  Select: Select baseline (minimum) security controls to protect the information system; apply tailoring guidance as appropriate.
  Supplement: Use risk assessment results to supplement the tailored security control baseline as needed to ensure adequate security and due diligence.
  Document: Document in the security plan the security requirements for the information system and the security controls planned or in place.
  Implement: Implement security controls; apply security configuration settings.
  Authorize: Determine risk to agency operations, agency assets, or individuals and, if acceptable, authorize information system operation.
  Monitor: Continuously track changes to the information system that may affect security controls and reassess control effectiveness.
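To make the first stages of the cycle concrete, here is an added worked example (written for this page; it is not e-InnoSec code and not a NIST tool) that models Categorize, Select, Supplement and the record handed to Document. Categorization follows the FIPS 199 rule that a system's impact for each security objective is the highest impact of any information type it handles, and the FIPS 200 high-water mark (the highest of the three objectives) picks the SP 800-53 baseline. The control IDs used are real SP 800-53 identifiers, but the per-level baseline sets, the sample system and the risk finding are constructed and heavily abbreviated for illustration.

```python
from dataclasses import dataclass

# FIPS 199 potential-impact levels, ranked so max() yields the high-water mark.
IMPACT_RANK = {"LOW": 1, "MODERATE": 2, "HIGH": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InfoType:
    """One information type the system handles, with its FIPS 199 impact per objective."""
    name: str
    confidentiality: str
    integrity: str
    availability: str


def _check(level: str) -> str:
    """Normalize and validate an impact level string."""
    level = level.upper()
    if level not in IMPACT_RANK:
        raise ValueError(f"unknown impact level: {level!r}")
    return level


def system_category(info_types):
    """Categorize (FIPS 199): per objective, the system's impact is the highest
    impact of any information type it processes."""
    if not info_types:
        raise ValueError("a system must handle at least one information type")
    return {
        obj: max((_check(getattr(t, obj)) for t in info_types), key=IMPACT_RANK.__getitem__)
        for obj in OBJECTIVES
    }


def high_water_mark(category):
    """FIPS 200 high-water mark: the overall impact level is the highest of the
    three objectives; it decides which SP 800-53 baseline applies."""
    return max(category.values(), key=IMPACT_RANK.__getitem__)


# Constructed, abbreviated baselines (illustrative subset only). Real SP 800-53
# baselines contain far more controls; the IDs are real, the membership is not.
BASELINE = {
    "LOW": {"AC-2", "AC-3", "AU-2", "IA-2", "RA-3"},
    "MODERATE": {"AC-2", "AC-3", "AC-6", "AU-2", "AU-6", "IA-2", "RA-3", "SI-4"},
    "HIGH": {"AC-2", "AC-3", "AC-6", "AU-2", "AU-6", "AU-10", "IA-2", "RA-3", "SI-4", "SI-7"},
}


def select_controls(level, scoped_out=(), justification=None):
    """Select: start from the baseline for the level. Tailoring may scope controls
    out, but only with a recorded justification (it is carried into the plan)."""
    if scoped_out and not justification:
        raise ValueError("tailoring out baseline controls requires a documented justification")
    selected = set(BASELINE[_check(level)])
    unknown = set(scoped_out) - selected
    if unknown:
        raise ValueError(f"cannot scope out controls not in baseline: {sorted(unknown)}")
    return selected - set(scoped_out)


def supplement(selected, risk_findings):
    """Supplement: add controls that the risk assessment (SP 800-30) shows the
    tailored baseline does not cover. risk_findings maps finding -> control IDs."""
    added = {c for controls in risk_findings.values() for c in controls if c not in selected}
    return selected | added, added


def plan(info_types, scoped_out=(), justification=None, risk_findings=None):
    """Run Categorize -> Select -> Supplement and return the record that the
    Document stage would place in the system security plan."""
    category = system_category(info_types)
    level = high_water_mark(category)
    selected = select_controls(level, scoped_out, justification)
    final, added = supplement(selected, risk_findings or {})
    return {
        "category": category,
        "impact_level": level,
        "baseline_controls": sorted(selected),
        "supplemental_controls": sorted(added),
        "tailoring": {"scoped_out": sorted(scoped_out), "justification": justification},
        "all_controls": sorted(final),
    }


if __name__ == "__main__":
    # Constructed sample system: a public web front end plus a payroll store.
    system = [
        InfoType("public web content", "LOW", "MODERATE", "LOW"),
        InfoType("payroll records", "MODERATE", "MODERATE", "LOW"),
    ]
    findings = {"unfiltered egress to third parties (constructed)": ["SC-7"]}
    record = plan(system, risk_findings=findings)
    print(record["impact_level"], record["all_controls"])
```

The point the code makes is the one the stages make: the category drives the baseline, the baseline can only shrink with a written justification, and the risk assessment can only add. The output of `plan()` is exactly the material the Document stage needs before anything is implemented or assessed.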

Visit www.einnosec.com to learn more about our GRC, Audit and Information Security practice.

The answer to the question:
