This document discusses strategies for implementing the National Institute of Standards and Technology's (NIST) cybersecurity control families. It recommends prioritizing the top six critical control families in Phase 1, which include configuration management, access control, awareness and training, media protection, and risk assessment. Phase 2 involves following up on the remaining NIST control families. The document also discusses balancing cybersecurity with business goals, gaining cross-organizational buy-in, and juggling priorities by leveraging different organizational teams.

1. National Institute of Standards and Technology
(NIST) 800-53 Controls: Deep Dive
KINETIC POTENTIAL

2. Learning Objectives
• Past data breaches
• Top cybersecurity risks (2020)
• Strategy - National Institute of Standards and Technology (NIST) Control Families
• Phase 1: Top 6 critical control families
• Phase 2: Follow-on control families
• Cybersecurity Metrics
• Balancing between cybersecurity & business goals
• Cross organizational buy-in
• Juggling priorities

3. Past Data Breaches
• 2020 – Microsoft
• Data unprotected on the web
• 2019 - Capital One
• Former employee/misconfigured firewall
• 2018 – FedEx
• Unsecured AWS cloud storage server/acquisition
• 2017 - Equifax
• Lack of patching
• 2016 - Uber
• Lack of multifactor authentication
• 2015 – Anthem Blue Cross
• Phishing email
• 2014 – Federal Bureau of Investigation
• Failure to conduct privacy impact assessment/policies

4. Top Cybersecurity Risks (2020)
• Lack of secure development practices
• Single factor passwords
• Unpatched security vulnerabilities
• Lack of vendor risk management (3rd party offerings)
• Phishing (social engineering attacks)
• Employees (insider threat)
• Data Leakage

5. Strategy

6. NIST Control Families

7. Phase 1: Top Six Critical Control Families
• Configuration Management
• Access Control
• Logical and Physical
• Awareness and Training
• Media Protection
• Risk Assessment
• Privacy Program

8. Phase 2: Follow on Security Control Families
• Enterprise-wide system security plan
• Assure all documentation are up to date
• Annual internal audit
• Address rest of NIST control families
• Adequate categorization of systems
• Continuous monitoring
• Closely follow best practices

9. Cybersecurity Metrics
• Number of systems
• Patch Management Plan
• Internet of Things
• Tracking Security Incidents
• Annual Security Awareness Training
• Acquisition of new business/systems
• Vendor Management offerings

10. Balancing Between Cybersecurity & Business Goals
• Create a cybersecurity committee
• Ensure alignment with business goals
• Communicate with SMEs
• Investment in Governance, Risk, and Compliance (GRC) tools. Insight to:
• Risk exposure
• Implementation of security controls
• Policy/Procedural updates
• Can tie back to metrics such as security awareness/role based training
• Types of GRC tools include:
• Commercial Organizations: RSA Archer, Logic Manager, Riskonnect, MetricStream
• Government Organizations: CFACTS, XACTA, EMASS

11. Cross Organizational Buy-In
• Keep cybersecurity processes as simple as possible
• Single sign-on to all applications
• Educate staff on importance of cybersecurity
• Stress trends in the news
• Requesting input, feedback, concerns and/or questions

12. Juggling Priorities
• Bring in other teams to support cyber tasks
• HR Team - Reminders of Annual Security Awareness Training
• System Admin – Deactivation of user account not used within 60 days
• Developers – Review/Input of technical documentation
• Business Analyst – Look out for functions that may need the security teams
input(data, availability of system, etc.)
• Receptionist – Always utilize visitor logs/paper badges
• You do not have to know it all!!!!

13. Questions?