Building a Cybersecurity Framework
I have now been instrumental in building cybersecurity frameworks in several organizations. A question that I have often been asked is "How do you know all the bases are covered?" This article aims to answer that question at a very high level, using the NIST framework as the map.
- At the heart of the NIST framework lies the GOVERNANCE layer that was recently added. Here, let's consider our organization, its goals and its mission statement. Let's determine the risks that exist for our organization and the roles that divisions and personnel play in it. Based on this, one needs to design the security policies that correspond to the nature of the organization, its unique mission and its risks.
- The next step is to IDENTIFY the assets of the organization that need to be protected. Assets will be data, hardware, software and personnel, and these assets will need to be protected by the cybersecurity department. An asset registry, a collection of the organization's assets together with the capability to dynamically identify and classify new assets, will need to be built. As part of the identify layer, there also needs to be a comprehensive risk analysis, which will include a vulnerability analysis and attack surface management.
- Now, we come to the PROTECT layer. Here, I am going to fall back on the CIA triad: Confidentiality, Integrity and Availability. I have to ensure that sensitive data is only available to the people who are supposed to have it, that it cannot be tampered with and that it is available to the people who need it. This is achieved through cryptography, identity and access management capabilities, and a backup system that is easy to use and from which services and data can be readily restored.
- Next, we come to the DETECT layer. This is where monitoring and proactive penetration systems come into place. A network intrusion detection system (usually firewalls); an endpoint monitoring and detection system that monitors all devices connected to the network and checks for malware; threat intelligence feeds and information about zero-day exploits; dynamic application scanning tools (DAST), static code scanning tools (SAST) and infrastructure scanning tools; firewall intrusion systems, etc. all come into play here. The sheer amount of information that these monitoring tools generate could very well be so humongous as to need a special data-crunching tool: a security information and event management (SIEM) system that takes telemetry from myriad monitoring devices and mines it for better insights and actionable information.
- Now, we need to RESPOND to what has been detected. This is the security incident management system that we need to design and implement. It could be a ticket management tool in which we triage our security incidents, assign them to the concerned divisions or individuals and follow them to their conclusion: risk mitigation, risk avoidance or risk acceptance. This is security orchestration, automation and response (SOAR).
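The detect-to-respond hand-off described above, as an added illustration that is not code from the original post: telemetry from several monitoring sources is normalized, correlated per host inside a time window, enriched with a threat-intelligence feed and turned into a triaged ticket. The source names, log layout, scoring weights and severity thresholds are constructed assumptions.

```python
"""Minimal SIEM-style correlation: normalize telemetry from several
monitoring sources, correlate events per host inside a time window and
emit a triaged incident ticket. Source names, log layout, weights and
thresholds are constructed assumptions for this illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry: (source, timestamp, host, event_type, detail)
TELEMETRY = [
    ("nids", "2024-01-05T10:00:05", "ws-17", "c2_beacon", "198.51.100.7"),
    ("edr", "2024-01-05T10:02:40", "ws-17", "malware_quarantined", "trojan.generic"),
    ("iam", "2024-01-05T10:03:10", "ws-17", "privilege_escalation", "local admin added"),
    ("nids", "2024-01-05T14:30:00", "db-02", "port_scan", "203.0.113.9"),
    ("edr", "2024-01-06T09:00:00", "ws-17", "malware_quarantined", "adware"),
]
# Constructed threat-intel feed: indicators already known to be malicious.
THREAT_INTEL = {"198.51.100.7"}
# Weight per event type; a hit on the intel feed adds extra weight.
WEIGHTS = {"c2_beacon": 3, "malware_quarantined": 2, "privilege_escalation": 3, "port_scan": 1}
WINDOW = timedelta(minutes=15)

def severity(score):
    """Map a correlation score to the triage bucket used to route the ticket."""
    return "critical" if score >= 8 else "high" if score >= 4 else "low"

def correlate(events, intel, window=WINDOW):
    """Group each host's events into time windows; return tickets, highest score first."""
    by_host = defaultdict(list)
    for src, ts, host, etype, detail in sorted(events, key=lambda e: e[1]):
        by_host[host].append((src, datetime.fromisoformat(ts), etype, detail))
    tickets = []
    for host, evs in by_host.items():
        cluster, start = [], None
        for ev in evs + [None]:  # the None sentinel flushes the last cluster
            if ev is not None and (start is None or ev[1] - start <= window):
                cluster.append(ev)
                start = start or ev[1]
                continue
            score = sum(WEIGHTS.get(e[2], 0) for e in cluster)
            score += 2 * sum(1 for e in cluster if e[3] in intel)  # intel enrichment
            tickets.append({"host": host, "first_seen": cluster[0][1].isoformat(),
                            "sources": sorted({e[0] for e in cluster}),
                            "events": [e[2] for e in cluster],
                            "score": score, "severity": severity(score)})
            cluster, start = ([ev], ev[1]) if ev is not None else ([], None)
    return sorted(tickets, key=lambda t: -t["score"])

if __name__ == "__main__":
    for ticket in correlate(TELEMETRY, THREAT_INTEL):
        print(ticket)
```

The three ws-17 events within fifteen minutes collapse into one critical ticket spanning three sources, while the later adware quarantine and the db-02 port scan each stay a low-severity ticket of their own.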
- And finally, if despite all the measures taken a breach does happen, we come to the RECOVER phase. The backup that was taken in the protect phase now comes into play: recover the lost data and restore crippled systems from it. The restored data needs to be verified for correctness and integrity. There also needs to be a protocol for communicating with all those impacted by the breach: consumers, individuals whose data may have been exposed, and in some cases the governmental or regulatory body.
And that's the 50,000 ft. view of how a cybersecurity framework is built and all bases are covered. In the coming days, I will delve into each of the above areas and discuss them in detail. A happy, secure new year, everyone!
Cybersecurity Leader | CISSP | CIAM | IAM | PAM | PCI ISA
2 months: Insightful
Coop Approved Industrial Engineering @ Gina Cody College of Engineering & Computer Science | Graduate School | Concordia University | Montréal
3 months: Fantastic
Director (Strategy & Technology) at Tata Consultancy Services
3 months: Nicely done, Ratan S. The complexities of modern cybersecurity threats require a comprehensive and adaptable framework. Each layer of the NIST Cybersecurity Framework plays a vital role in fostering resilience, both proactive measures as well as reactive strategies.