For organizations getting started on implementing a full Cyber Security Framework following the NIST guidelines, the journey can look long, steep and daunting (https://www.nist.gov/cyberframework). Implementing the formal framework is certainly well worth the effort, but it will take some time.
What I offer here are some top-line general principles that teams can apply immediately, without a lot of planning, to get some quick improvements in security posture while you implement a more complete framework.
Identify Critical Assets & Data
Inventory both the assets and the data that are most critical to the organization's operations. The items on this shorter list are the ones most in need of protection under the CIA triad of Confidentiality, Integrity and Accessibility. Eventually all your cyber systems will be ordered, categorized and protected, but at the outset start with the critical ones.
Minimize Access to Critical Assets & Data
A potentially quick win is to simply reduce the attack surface by minimizing access to these critical assets and data. If they cannot be accessed, they cannot be compromised for CIA. And to execute a compromise, an attacker would need to compromise someone on the smaller list of those with access, not just anyone in the organization.
Patch Management Programs
Improve or create your patch management programs. A large number of breaches start from vulnerabilities that were already known in software. Make sure that you can find out about and patch all your systems. This includes ALL systems on your network, not just the critical ones: everything from user endpoints through all active applications and devices.
- Inventory all system software and applications deployed
- Subscribe to patch notifications from all vendors
- Schedule all routine patching processes from vendor schedules
- Have a process to add vendor patches that are announced by notification rather than released on a routine schedule
Backup & Disaster Plans
Routinely evaluate and test your backup systems to ensure the data is being collected in a form that can be recovered. Make sure the appropriate notifications are in place so you will know if backups are failing. And periodically regroup to ensure your disaster plans are still appropriate for the systems and processes critical to the organization.
Implementing a full security framework and program is well worth the time and effort for an organization of any size. But if you are feeling overwhelmed or bogged down in the process, look for some quick wins with these quicker-to-implement security improvements. They are not a replacement for a full security program, but they can help put you in a better posture while on the journey.
NIST Quick Start Guide
Originally published 5/22/2021