Blog | Cyber Security News & Training | Securetain

NIST Implementation

The SecuRetain team emphasizes the approach “Do it Right the First-Time.” Despite years of investment corporations feel their NIST program implementation is inadequate, budget intensive, repetition of work.

NIST is one of the best documentation available to address various aspects of cybersecurity, and in general, the program implementation is large and complex. Most of the time it’s not about size but lack of understanding related to the NIST basics and fundamentals. Moreover, organizations are not sure as to why they are implementing NIST. Is it just a checkbox from the compliance perspective or is it about organization security? The clarity of the objective will help develop the strategic plan for NIST training program implementation. In the initial phases, it’s all about people compare to the process and technology. The right program implementation deserves the right people with the right skills.

Please see the test below. If you can organize the following concepts from NIST in sequential order to match with the stages listed below, then you are able to figure out the overall approach to the NIST implementation program cycle.

FIPS 199SP 800-37SP 800-53
SP-800-70SP 800-53ASP 800-17
SP 800-30FIPS 200 

Here are the stages:

  1. Categorize
  2. Select
  3. Supplement
  4. Document
  5. Implement
  6. Assess
  7. Authorize
  8. Monitor

The next stage will be to apply the above approach to each aspect of NIST. One way to kickstart the process will be having a workshop to go over the process and ensuring stakeholders have a better understanding of the FIPS and NIST standards quoted above. The different stages above are explained below at a very high level:

Categorize Define criticality/sensitivity of information systems according to potential impact of loss
SelectSelect baseline (minimum) security controls to protect the information system; apply tailoring guidance as appropriate
Supplement Use risk assessment results to supplement the tailored security control baseline as needed to ensure adequate security and due diligence
DocumentDocument in the security plan, the security requirements for the information system and the security controls planned or in place
Implement Implement security controls; apply security configuration settings
Authorize Determine risk to agency operations, agency assets, or individuals and, if acceptable, authorize information system operation
Monitor Continuously track changes to the information system that may affect security controls and reassess control effectiveness

Visit https://www.securetain.com/ to know more about GRC, Audit and Information Security practice.

The answer to the question:

RELATED POST: NIST 7358 PRISMA Part I