Protect - Data Security
The third of the six critical cybersecurity categories I presented previously is “data security.” An organization's most valuable asset is data; hackers seek data sources to steal from businesses, governments, and non-profit organizations, including small and midsized companies. Data must be protected in transit and at rest.
The NIST CSF addresses data security in its Protect function under its data security category (PR.DS). The first and second subcategories handle data in transit and data at rest, respectively. Organizations must implement security controls to address the integrity and confidentiality of the data. However, when putting this advice into practice, the challenge becomes how to protect against all the vulnerabilities; at the time of this recording, the Common Vulnerability Exposure (CVE) contains 183,630 CVE records.
One approach proposed by Scott Musman is to protect against the attack effects, which he classifies as the following categories:
The proposed concept is that regardless of the vulnerability of the 183,630, the impact will be one of the categories listed.
The other area that NIST CSF addresses under data security is environment segmentation, keeping the development and testing environments separate from the production environment. Not only by installing a DEV or TST system in production but also by avoiding the communication between these environments.
Last but not least, NIST CSF addresses hardware integrity. Not every company will need to implement this control, so I suggest adopting an ISO 27001 practice: create a spreadsheet with all the NIST CSF controls from the informative reference column and mark them as implemented or justify why it was not implemented. This practice will give you a good inventory of what you have implemented and a business justification for why not.
*** FREE GUIDE ***
Dr. Bill Souza
CEO | Founder