For the second part of our series on the NIST Cybersecurity Framework, we are going to be discussing the Protect function. Last time we discussed the Identify function which talked about the need to really understand your critical infrastructure, your systems, and the risks associated with those systems so you can move to the next step in the framework, to protect your critical infrastructure. As you can probably see, the functions of the framework build on each other in a logical order. In the first post in this series, I compared the framework to building a house. If the Identify function is the foundation, then the Protect function would be the framing of the outside of your house. You can’t build walls without a firm foundation!
According to NIST, the goal of the Protect function is to “Develop and implement the appropriate safeguards to ensure the delivery of critical infrastructure services.” Just like in the Identify function, the Protect function is broken down into 6 different categories, which we will dive into in a little more depth in a moment. These 6 categories are then broken down further into subcategories, however, since this is a high-level overview of the framework, we are going to stick to just the categories contained within the Protect function:
- Access Control (PR.AC) – “Access to assets and associated facilities is limited to authorized users, processes, or devices, and to authorized activities and transactions.” If you want to protect your critical infrastructure and data, you must control who has access to it, both physically and logically, as well as what types of transactions are allowed. Here at Compass we often describe this as: who has access to what, and do they need that access? In the HIPAA world this is commonly referred to as the Principle of Least Privilege (POLP), where users are given the lowest “clearance” level necessary to do their job. If you are a fan of military or FBI-type movies, you have heard the term “need to know basis.” This is the same concept. Controlling who has access to what information is a critical first step in protecting your systems and data.
- Awareness and Training (PR.AT) – “The organization’s personnel and partners are provided cybersecurity awareness education and are adequately trained to perform their information security related duties and responsibilities consistent with related policies, procedures, and agreements.” I love this definition not only because of what it says, but also because of what it does not say. Notice that it does not say you will provide your employees a 1-hour computer-based training once per year. Instead, this category talks about educating employees. How can you honestly believe that your employees can keep your systems and data safe, especially in today’s changing threat landscape, with a 1-hour training (at most) one time per year? Out of the approximately 2,000 hours a full-time employee works in a year (50 weeks times 40 hours per week), devoting a single hour of “training” to keeping your sensitive information protected does not do much. Make this an ongoing part of your training and development. One wrong click on a link in an email will make you wish that you had, I promise!
- Data Security (PR.DS) – “Information and records (data) are managed consistent with the organization’s risk strategy to protect the confidentiality, integrity, and availability of the information.” This one is a little confusing to me because it seems so obvious. If the goal is to protect the sensitive information that an organization holds, you must have strategies for how data at rest is protected, how data in transit is protected, and how you manage the lifecycle of the assets that hold this information, including retirement and disposal.
- Information Protection Processes and Procedures (PR.IP) – “Security policies (that address purpose, scope, roles, responsibilities, management commitment, and coordination among organizational entities), processes, and procedures are used to manage protection of information systems and assets.” If there is one consistent theme among these blog posts, it is the importance of having documented policies and procedures. Without policies and procedures, how do your employees know the “rules of the road?” How can they be expected to know what is considered appropriate versus inappropriate and what the consequences are for violating these policies? Document, document, document and make sure you review them on at least an annual basis!
- Maintenance (PR.MA) – “Maintenance and repairs of industrial control and information system components is performed consistent with policies and procedures.” The repair portion of this category is pretty straightforward; the maintenance portion, however, is the one that is overlooked at times. When you think about this category, think about patch management and the importance of having a patch management policy and program in place. This is an ongoing item, and ultimately not having a patch management policy and program in place is what led to incidents such as the WannaCry and Petya ransomware outbreaks that wreaked havoc on the information security world over the last 2 months. Maintain your systems and software to reduce the vulnerabilities that could be exposed and put your data at risk.
- Protective Technology (PR.PT) – “Technical security solutions are managed to ensure the security and resilience of systems and assets, consistent with related policies, procedures, and agreements.” Some obvious things that fall into this category are firewalls and intrusion detection systems (IDS), configured appropriately, of course, but another key concept that is often overlooked is audit/log records. To take that one step further, reviewing those audit/log records on a regular basis is essential to know who is accessing what and when. This fits right in with the Access Control category: set privileges based on need, and then take it a step further by monitoring who has access to what and why they have that access.
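One way to tie the Access Control and Protective Technology categories together in practice is a routine audit-log review that checks every recorded access against the approved “who has access to what” list and also reports grants that were never exercised. The script below is an added example, not code from the original post or from NIST; it assumes a simple one-record-per-line log format (timestamp, user, action, resource) and a hand-maintained authorization list, both constructed here for illustration.

```python
"""Review constructed audit-log records against a least-privilege access list.

Added example (not from the original post or NIST). It assumes a log line
format of "timestamp user action resource" and an access matrix saying which
users are authorized for which resources.
"""
from collections import defaultdict

# Constructed sample access matrix (PR.AC): who is approved for what.
AUTHORIZED = {
    "alice": {"hr-db", "payroll"},
    "bob": {"hr-db"},
    "carol": {"payroll", "scada-hmi"},
}

# Constructed audit records (PR.PT): timestamp, user, action, resource.
AUDIT_LOG = """\
2017-07-10T08:02:11Z alice READ hr-db
2017-07-10T08:05:43Z bob READ hr-db
2017-07-10T08:07:02Z bob READ payroll
2017-07-10T09:15:20Z carol WRITE scada-hmi
2017-07-10T09:20:00Z dave READ hr-db
2017-07-10T11:40:37Z alice READ hr-db
"""

def parse_log(text):
    """Yield (timestamp, user, action, resource) tuples; skip malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            yield tuple(parts)

def review_access(log_text, authorized):
    """Return (violations, unused_grants).

    violations: records whose user is not approved for the resource
                (users absent from the matrix count as violations).
    unused_grants: (user, resource) grants never exercised in the log,
                   i.e. candidates for removal under least privilege.
    """
    violations = []
    used = defaultdict(set)
    for ts, user, action, resource in parse_log(log_text):
        if resource not in authorized.get(user, set()):
            violations.append((ts, user, action, resource))
        used[user].add(resource)
    unused = sorted((u, r) for u, rs in authorized.items() for r in rs - used[u])
    return violations, unused

if __name__ == "__main__":
    bad, stale = review_access(AUDIT_LOG, AUTHORIZED)
    for rec in bad:
        print("VIOLATION", *rec)
    for grant in stale:
        print("UNUSED GRANT", *grant)
```

Run as-is it flags bob reading payroll and an unknown user dave reading hr-db, and lists alice’s payroll grant and carol’s payroll grant as unused; in a real review the unused grants feed the next access recertification.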
Each week we are building the various parts of our cybersecurity “house” in accordance with the NIST Cybersecurity Framework, and the Protect function is the next step in the building process: the walls and roof of the house. One thing that is consistent, and will continue to be consistent and obvious over the next functions, is the critical importance of Information Security Policies and Procedures. While one of the categories above talks specifically about these policies and procedures, most of the other categories also reference having them implemented. Is creating and implementing policies and procedures fun? No, it is not. But they are a critical necessity, and the good news is that we have an ebook that will give you a great place to start. Next week we will move on to the 3rd function of the framework, the Detect function! Till then, stay safe!