Measurement Guide on Information Security Management

Here is a helpful Measurement Guide for your organization’s Information Security Management - from NIST

__________________________________________________________________________________________________

We at SpaceBound Solutions have a mission to help companies manage their cyber security needs. If you are in charge of cybersecurity at your company or are a member of the cyber security team – you know that staying on top of all of the threats from hackers and various attacks is a daunting task.

So, if your organization is ever attacked, your CEO and your customers need to trust you did everything you could to manage any cybersecurity threats.

In addition to hiring a trusted company like SpaceBound Solutions to perform security assessments, do penetration testing and handle disaster recovery/backup and more - there is also NIST to lean on for guidance before your organization is hit with a cyber-attack.

NIST is the National Institute of Standards and Technology – part of the U.S. Department of Commerce. The NIST Cybersecurity Framework helps businesses learn more about, manage, and lessen cybersecurity risks in order to protect your network and data. This guide provides organizations with an ‘outline of best practices to help you decide where to focus your time and money for cybersecurity protection.’

This two-part document, entitled NIST Special Publication (SP) 800-55 Revision 2: Measurement Guide for Information Security, ‘offers guidance on developing an effective program, and a flexible approach for developing information security measures to meet your organization’s performance goals.’

The NIST Cybersecurity Framework helps organizations identify and focus on five key functions:

1. Identify

  • List all equipment, software, and data you use - including laptops, smartphones, tablets, and point-of-sale devices

2. Protect

  • Control who logs on to your network and uses your computers and other devices

  • Use security software to protect data, or hire a solutions firm

  • Make sure sensitive data is encrypted

  • Conduct regular backups of data

  • Update security software regularly, automating those updates if possible, or outsource it to a solutions firm

  • Have formal policies for safely disposing of electronic files and old devices

  • Train everyone who uses your computers, devices, and network about cybersecurity

3. Detect

  • Monitor your computers for unauthorized personnel access, devices (e.g., USB drives), and software

4. Respond

  • Notify customers, employees, and others if any data may be at risk

  • Report any attack to law enforcement

  • Investigate and contain an attack

  • Update your cybersecurity policy

5. Recover

  • After an attack: repair and restore the equipment and parts of your network that were affected. Keep employees and customers informed of your response and recovery activities.

From NIST’s Katherine Schroeder: “We want people to be able to figure out the process of what to measure. You don’t necessarily need to crunch every number,” she said. “For example, you might want to figure out whether your organization is responding to incidents appropriately, and you might consider factors such as your response time and impact to the mission or business such as additional staff hours, resources needed, or impact to the bottom line. Then you can present that information in a way that makes sense, even if you’re not a statistician — so that you can figure out how to do better.”

“The two volumes are aimed at different audiences within an organization. The first, written mainly for information security specialists, provides guidance on how an organization can prioritize, select and evaluate specific measures to determine the adequacy of security that is already in place. The second, aimed primarily at the C-suite, outlines how an organization can develop an information security measurement program and offers a multistep workflow for implementing it over time.”

“When technical teams communicate with management about information security, metrics provide a common language, using trends and numbers to bridge gaps in understanding,” the authors write. “Organizations want to be able to assess if controls, policies, and procedures are working effectively, efficiently, and how the organization is impacted. Metrics can be used to help prioritize areas for growth, improvement, or re-focusing resources.”

At SpaceBound, we know that trying to anticipate every cybersecurity threat, respond to any attacks and run the overall management of your organization’s cybersecurity infrastructure can be overwhelming. This is where SpaceBound Solutions can help. To learn more, visit: https://www.spaceboundsolutions.com/ContentPage/142?z=1 Or, email us at Services@SpaceBoundSolutions.com

Source:

NIST (National Institute of Standards and Technology – part of the U.S. Department of Commerce)

NIST SP 800-55 Vol. 1 (Initial Public Draft)

Measurement Guide for Information Security: Volume 1 — Identifying and Selecting Measures

https://csrc.nist.gov/pubs/sp/800/55/v1/ipd
