In our last couple of blog posts we talked about the implementation of ITSM and the criticality of training to cybersecurity. Now we are going to tie NIST processes together with ITSM and personnel training to create a solid cybersecurity framework.
In NIST publication 800-171 there are 14 different security families, which are groups of related processes. They are closely related to, and derived from, the 800-53 security control families: 800-171 augments the 800-53 control families with specific practices which should be executed when an organization is operating in a secure manner. These families include:
- Access Control
- Awareness and Training
- Audit and Accountability
- Configuration Management
- Identification and Authentication
- Incident Response
- Maintenance
- Media Protection
- Personnel Security
- Physical Protection
- Risk Assessment
- Security Assessment
- System and Communications Protection
- System and Information
These families form the basis of an organization’s cybersecurity policy and coincide directly with typical ITSM functionality such as access control, configuration management, audit and accountability, maintenance, risk assessment, and systems and information security. After policy creation comes the implementation, which is where the intersection with ITSM really takes root.
As you begin to finalize the ITSM implementation and to layer the cybersecurity processes into your organization, it is important to begin applying these principles. There are a lot of options and different ways to do this.
For instance, let’s talk about access control. One of the principles of cybersecurity is to protect information with passwords. Password security and complexity standards are expected to be part of the security posture of an organization, and your system password is part of the ITSM, as are your password reset protocols. In the previous post we talked about Tirrihana, who needed her password reset. This could be because she got locked out, because she can’t remember what her password is (a possible result of a complex password policy), or because her organization instituted a password policy under which her password expires after a given period of time. Password resets are just one of the facets of a security policy that works in conjunction with your ITSM functionality.
There are many ways and opportunities to combine the ITSM functionality of a well-run organization with the IT security requirements proposed by NIST. Beyond the password complexity and lifespan policies mentioned above, another example is configuration management (how you oversee changes within your organization’s IT systems), another place where you can efficiently merge ITSM functionality with NIST.
The examples could go on forever. But it comes down to each organization, how they are set up, what ITSM systems they have in place, and what level of security they need to be operating at.
Many organizations and people avoid security in their operations because they view security as a hindrance to doing what they want to do. Unfortunately, as illustrated in the previous post, this can have some very bad consequences. This is where the third leg of the stool, training, comes into play. It is important to help the members of an organization understand that they all play an important part when it comes to cybersecurity. When done right, and coupled with awareness and proper training, cybersecurity should not be a hindrance to operations.
In the next post we will bring all these elements together and present the full picture of an organization which operates in a posture of Defense in Depth.