NIST CSF Overview: Protect
This blog post is about Protect, one of five "pillars" of the NIST CSF. This blog post is one of a series of posts, one per pillar.
Here are links to the other posts in this series: Identify, Protect (this post), Detect, Respond, Recover.
What is the NIST CSF and why does Pythia Cyber use it? The NIST CSF is the Cybersecurity Framework (CSF) published by the National Institute of Standards & Technology (NIST), and we use it as our guide when designing and implementing a custom Cybersecurity Program (CSP). Pythia Cyber is guided by the NIST CSF for programs that are the modest first steps of new or small organizations, for programs that are formal, rigorous programs for mature, mid-sized organizations, and for programs anywhere in between.
The NIST CSF mantra is simple: Identify, Protect, Detect, Respond, Recover. But that mantra is also very abstract, so this blog post is one of a series that makes these concepts a bit more concrete.
As we covered in the first post in this series (follow the "Identify" link above), the Identify pillar gives us a list of assets (what we are protecting) and for each asset, a risk (what we are trying to avoid).
The Protect pillar mitigates each of the risks for each of the assets. The procedure or method or technology that we use to do the mitigating is called “a control” and we say that the Protect pillar “assigns a control to each risk.” A control should produce evidence that it is working; otherwise monitoring that control is difficult and overseeing the monitoring is impossible.
It can be tricky to distinguish assets from controls. In cybersecurity, an asset is a resource that an organization needs to protect, like hardware, software, data, or networks. A security control, on the other hand, is a mechanism implemented to protect those assets from cyber threats. Think of assets as the things that need protection, and controls as the measures used to protect them.
For example, software systems (the asset) have an authentication component (the control) to prevent unauthorized access (the risk). The evidence is the log kept of login attempts, telling us who tried to log in, when they tried and whether or not they succeeded. The authentication component is, itself, not an asset because it is a tool and is, in theory at least, capable of being replaced without much impact on operations. The Protect pillar includes formalizing the procedures used to gather the evidence for each control (we call this “monitoring” for short). This includes whose job it is to monitor, how often, and so on.
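As an added illustration (not code from the original post or from Pythia Cyber), here is a small monitoring script that turns the evidence described above, a log of login attempts, into the summary a monitor would actually review: who tried to log in, how often they succeeded or failed, which accounts need a closer look, and whether any evidence lines were unreadable. The log format and the sample lines are constructed for this example.

```python
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample evidence in an assumed "timestamp user outcome source"
# format (not any real product's log format). One line is deliberately
# malformed: evidence a control failed to produce properly is itself a finding.
SAMPLE_LOG = """\
2024-05-01T08:01:12Z alice SUCCESS 10.0.0.5
2024-05-01T08:03:40Z bob FAILURE 10.0.0.9
2024-05-01T08:03:52Z bob FAILURE 10.0.0.9
2024-05-01T08:04:10Z bob FAILURE 10.0.0.9
2024-05-01T08:05:00Z bob SUCCESS 10.0.0.9
2024-05-01T09:15:33Z carol FAILURE 203.0.113.7
garbage line with no outcome
"""

@dataclass
class Attempt:
    when: str
    user: str
    success: bool
    source: str

def parse_log(text: str) -> tuple[list[Attempt], int]:
    """Parse the evidence into records; also count lines that could not be read."""
    attempts, malformed = [], 0
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[2] not in ("SUCCESS", "FAILURE"):
            malformed += 1  # gaps in evidence should be reported, not silently dropped
            continue
        when, user, outcome, source = parts
        attempts.append(Attempt(when, user, outcome == "SUCCESS", source))
    return attempts, malformed

def summarize(attempts: list[Attempt]) -> dict[str, dict[str, int]]:
    """Per user: how many attempts succeeded and how many failed."""
    counts = defaultdict(lambda: {"success": 0, "failure": 0})
    for a in attempts:
        counts[a.user]["success" if a.success else "failure"] += 1
    return dict(counts)

def flag_repeated_failures(attempts: list[Attempt], threshold: int = 3) -> list[str]:
    """Users with at least `threshold` failed attempts: what the monitor escalates."""
    return sorted(u for u, c in summarize(attempts).items() if c["failure"] >= threshold)

if __name__ == "__main__":
    attempts, malformed = parse_log(SAMPLE_LOG)
    for user, c in summarize(attempts).items():
        print(f"{user}: {c['success']} succeeded, {c['failure']} failed")
    print("needs review:", flag_repeated_failures(attempts), "| unreadable lines:", malformed)
```

The threshold and the "unreadable lines" count are the two knobs a monitoring procedure would document: who runs this, how often, and what counts as a finding worth escalating.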
A good methodology (the NIST CSF) and a bit of rigor (formally presenting the evidence that you gather) go a long way toward making your CSP integrated, scalable, trusted and self-sustaining. You can get there; Pythia Cyber can help by providing guidance about distinguishing assets from controls, about setting priorities and about best practices for offering that protection.