The National Institute of Standards and Technology (NIST) has set up a framework of security controls to help organisations evaluate and improve their cybersecurity posture. The NIST framework covers a wide range of security topics, such as access control, awareness and training, auditing and accountability, and more. For organisations looking to assess their cybersecurity posture, the NIST framework provides a comprehensive and structured approach. In this blog post, we will provide a step-by-step guide on how a person can complete a NIST posture assessment for their organisation. By following this guide, you can figure out where to improve and take the necessary steps to strengthen your cybersecurity.

Access Control

  1. Evaluate the current access control policies and procedures, including user authentication and authorisation.
  2. Verify that only authorised users have access to sensitive data and systems.
  3. Ensure access controls are in place to prevent unauthorised access to sensitive data and systems.
  4. Evaluate the process for granting and revoking access to sensitive data and systems.

Awareness and Training

  1. Assess the current training programs for employees and ensure they cover cybersecurity best practices.
  2. Evaluate the effectiveness of the current training programs and identify areas for improvement.
  3. Ensure that employees understand the importance of cybersecurity and their role in protecting sensitive data and systems.

Auditing and Accountability

  1. Evaluate the current auditing and accountability processes and ensure they meet regulatory requirements.
  2. Verify that logs are being adequately maintained and reviewed for signs of security incidents.
  3. Ensure appropriate actions are taken in response to security incidents, including investigations and remediation.

Configuration Management

  1. Evaluate the current configuration management processes and ensure that they are in line with best practices.
  2. Verify that all systems are correctly configured and that changes are tracked and approved.
  3. Ensure that configurations are regularly reviewed and updated to maintain security.

Identification and Authentication

  1. Evaluate the current identification and authentication processes and ensure they meet regulatory requirements.
  2. Verify that all users are adequately authenticated before accessing sensitive data and systems.
  3. Ensure that passwords are properly managed and protected.

Incident Response

  1. Check the current plan for responding to security incidents to ensure it covers all possible problems.
  2. Verify that all employees understand their role in the incident response process.
  3. Make sure that the right steps are taken after a security incident, such as an investigation and fixing the problem.

Maintenance

  1. Evaluate the current maintenance processes and ensure that they meet regulatory requirements.
  2. Verify that all systems are regularly maintained and updated to ensure security.
  3. Ensure that all systems are backed up regularly to ensure data recoverability.

Media Protection

  1. Evaluate the current media protection processes and ensure that they meet regulatory requirements.
  2. Verify that all media containing sensitive data is properly protected and encrypted.
  3.  Ensure that all media is properly disposed of when no longer needed.

Physical and Environmental Protection

  1. Look at the physical and environmental protection processes already in place and ensure they are up to code.
  2. Ensure that all sensitive data and systems are safe from physical damage and people who shouldn’t have access to them.
  3. Ensure that the right steps are taken to keep sensitive data and systems from being stolen or lost.

Planning

  1. Evaluate the current planning processes and ensure they cover all potential security incidents.
  2. Verify that all employees understand their role in the planning process.
  3. Ensure that appropriate measures are in place to prevent security incidents.

Personnel Security

  1. Evaluate the current personnel security processes and ensure that they meet regulatory requirements.
  2. Before giving employees access to sensitive data and systems, ensure they have been properly screened and trained.
  3. Ensure that appropriate measures are in place to prevent insider threats.

Risk Assessment

  1. Evaluate the current risk assessment processes and ensure that they meet regulatory requirements.
  2. Verify that all risks to sensitive data and systems are identified and assessed.
  3. Ensure that appropriate measures are in place to mitigate risks.

Security Assessment and Testing:

  1. Check the current processes for testing and assessing security to make sure they meet regulatory requirements.
  2. Verify that all systems are regularly assessed and tested for vulnerabilities.
  3. Ensure that appropriate measures are in place to remediate

If you find the NIST posture assessment process too complex or overwhelming, don’t worry! Our team of experts can help you do a thorough NIST assessment and put in place the security measures you need. Contact us today via Calendly or LiveChat to learn more about how we can help you improve your cybersecurity posture.