The e-InnoSec team emphasizes the approach “Do it Right the First-Time.” Despite years of investment corporations feel their NIST program implementation is inadequate, budget intensive, repetition of work.
NIST is one of the best documentation available to address various aspects of cybersecurity, and in general, the program implementation is large and complex. Most of the time it’s not about size but lack of understanding related to the NIST basics and fundamentals. Moreover, organizations are not sure as to why they are implementing NIST. Is it just a checkbox from the compliance perspective or is it about organization security? The clarity of the objective will help develop the strategic plan for NIST program implementation. In the initial phases, it’s all about people compare to the process and technology. The right program implementation deserves the right people with the right skills.
Please see the test below. If you can organize the following concepts from NIST in sequential order to match with the stages listed below, then you are able to figure out the overall approach to the NIST implementation program cycle.
| FIPS 199 | SP 800-37 | SP 800-53 |
| SP-800-70 | SP 800-53A | SP 800-17 |
| SP 800-30 | FIPS 200 |
Here are the stages:
- Categorize
- Select
- Supplement
- Document
- Implement
- Assess
- Authorize
- Monitor
The next stage will be to apply the above approach to each aspect of NIST. One way to kickstart the process will be having a workshop to go over the process and ensuring stakeholders have a better understanding of the FIPS and NIST standards quoted above. The different stages above are explained below at a very high level:
| Categorize – Define criticality/sensitivity of information systems according to potential impact of loss |
| Select – Select baseline (minimum) security controls to protect the information system; apply tailoring guidance as appropriate |
| Supplement – Use risk assessment results to supplement the tailored security control baseline as needed to ensure adequate security and due diligence |
| Document – Document in the security plan, the security requirements for the information system and the security controls planned or in place |
| Implement – Implement security controls; apply security configuration settings |
| Authorize – Determine risk to agency operations, agency assets, or individuals and, if acceptable, authorize information system operation |
| Monitor – Continuously track changes to the information system that may affect security controls and reassess control effectiveness |
Visit www.einnosec.com to know more about GRC, Audit and Information Security practice.
The answer to the question: