The NIST Cybersecurity Framework


as originally circulated and printed by the MEP National Network

The Framework for Improving Critical Infrastructure Cybersecurity (the “NIST Cybersecurity Framework”) helps organize the processes and tools you should consider in protecting your information. This is not a one-time process, but a continual, ongoing set of activities. There are some common practices you and your employees can implement to help keep your SMM firm safe. 

The specific mitigation activities in this section are grouped into the five broad categories of the Cybersecurity Framework.

NIST Cybersecurity Framework: Develop an organizational understanding to manage cybersecurity risk to systems, people, assets, data, and capabilities.

Understanding of resources and risks

Identify and control who has access to your SMM firm’s information. Control who has or should have access to your SMM firm’s information and technology. Know what type of access each employee has and include both physical and logical access. Employees may have a key or administrative privilege or a password that is required to gain access. To help collect this information, review your list of accounts and what privileges those accounts have. Be aware of anyone who has access to your SMM firm.

Do not allow unknown or unauthorized persons to have physical access to any of your firm’s computers. 

This includes cleaning crews and maintenance personnel. Do not allow computer or network repair personnel to work on systems or devices unsupervised. No unrecognized person should be able to enter your office space without being questioned by an employee. If a criminal gains physical access to an unlocked machine, they can steal any private or sensitive information on that machine with relative ease. Physically lock up your laptops and other mobile devices when they are not in use. Use the session lock feature included with many operating systems, which locks the screen if the computer is not used for a specified period (e.g., 2 minutes). Use a privacy screen or position each computer’s display so that people walking by cannot see the information on the screen.

Conduct background checks* 

Do a full, nationwide criminal background check, sexual offender check and, if possible, a credit check on all prospective employees, especially if they will be handling your business funds. Consider doing a background check on yourself. Many SMM owners or executives become aware that they are victims of identity theft only after they do a background check on themselves. You may find reported arrest records and unusual previous addresses where you never lived. This can be an indication that your identity has been stolen. If prospective employees are applying for a job with educational requirements, call the schools they attended and verify their actual degree(s) or certificate(s), date(s) of graduation and GPA(s). If they provided references, call those references to verify the dates they worked for a company and other specifics to ensure the prospective employee is being honest.

*Be sure to follow your state’s laws regarding prospective employee background checks.

Require individual user accounts for each employee 

Set up a separate account for each user (including any contractors needing access) and require strong, unique passwords to be used for each account. Without individual accounts for each user, you may find it difficult to investigate data loss or unauthorized data manipulation. Ensure all employees use computer accounts without administrative privileges to perform typical work functions. This will hinder any attempt — intentional or not — to install unauthorized software. Consider using a guest account with minimal privileges (e.g., Internet access only) if needed for your SMM firm.
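As an added example (not part of the MEP/NIST text), the following Python script builds the account-and-privilege inventory the two sections above ask for from /etc/passwd and /etc/group style data, and flags the accounts a reviewer should look at first: interactive accounts that hold administrative rights and any second UID-0 account. The sample data and the set of groups treated as administrative are constructed assumptions.

```python
# Added example: inventory local accounts and their privileges (Identify function).
# Sample passwd/group data and the ADMIN_GROUPS set are constructed assumptions.
from typing import Dict, List, Set

ADMIN_GROUPS = {"sudo", "wheel"}          # groups assumed to confer admin rights
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}


def parse_groups(group_text: str) -> Dict[str, Set[str]]:
    """Map each user to the groups listed as supplementary members in /etc/group."""
    membership: Dict[str, Set[str]] = {}
    for line in group_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, _gid, members = line.split(":", 3)
        for user in filter(None, members.split(",")):
            membership.setdefault(user, set()).add(name)
    return membership


def audit_accounts(passwd_text: str, group_text: str) -> Dict[str, Dict[str, object]]:
    """Return {user: {uid, interactive, admin, groups}} for every account in passwd."""
    membership = parse_groups(group_text)
    inventory: Dict[str, Dict[str, object]] = {}
    for line in passwd_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        user, _pw, uid, _gid, _gecos, _home, shell = line.split(":", 6)
        groups = membership.get(user, set())
        inventory[user] = {
            "uid": int(uid),
            "interactive": shell not in NOLOGIN_SHELLS,   # can log in for daily work
            "admin": int(uid) == 0 or bool(groups & ADMIN_GROUPS),
            "groups": groups,
        }
    return inventory


def review_findings(inventory: Dict[str, Dict[str, object]]) -> List[str]:
    """List accounts that violate 'no admin rights for typical work' or duplicate root."""
    findings = []
    for user, info in sorted(inventory.items()):
        if info["uid"] == 0 and user != "root":
            findings.append(f"{user}: second UID-0 account, verify it is intentional")
        elif info["admin"] and info["interactive"]:
            findings.append(f"{user}: interactive account with administrative privileges")
    return findings


SAMPLE_PASSWD = "root:x:0:0:root:/root:/bin/bash\ndaemon:x:1:1:d:/usr/sbin:/usr/sbin/nologin\n" \
    "alice:x:1000:1000:Alice:/home/alice:/bin/bash\nbob:x:1001:1001:Bob:/home/bob:/bin/bash\n" \
    "backup-op:x:0:0:backup:/root:/bin/sh\n"          # constructed sample
SAMPLE_GROUP = "root:x:0:\nsudo:x:27:alice\nwheel:x:10:\nusers:x:100:alice,bob\n"

if __name__ == "__main__":
    for finding in review_findings(audit_accounts(SAMPLE_PASSWD, SAMPLE_GROUP)):
        print(finding)
```

On a real host, pass the contents of /etc/passwd and /etc/group in place of the sample strings; on Windows the same review is done against local group membership rather than these files.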

Create policies and procedures for information security 

Policies and procedures identify acceptable practices and expectations for business operations, can be used to train new employees on your information security expectations, and can aid an investigation in case of an incident.

These policies and procedures should be readily accessible to employees (e.g., in an employee handbook or manual). The scope and breadth of policies are largely determined by the type of business and the degree of control and accountability desired by management. Have a legal professional familiar with cyber law review the policies to ensure they are compliant with local laws and regulations.

Policies and procedures for information security and cybersecurity should clearly describe your expectations for protecting your information and systems. These policies should identify the information and other resources that are important and should clearly describe how management expects those resources to be used and protected by all employees. 

All employees should sign a statement agreeing they have read the policies and relevant procedures and they will follow these policies and procedures. If there are penalties associated with violating the policies and procedures, employees should be aware of them. The signed agreement should be kept in the employee’s Human Resource file. 

Policies and procedures should be reviewed and updated at least annually and as there are changes in the organization or technology. Whenever the policies are changed, employees should be made aware of the changes and sign the new policy acknowledging their understanding. This can be done in conjunction with annual training activities.

To learn more about the NIST Cybersecurity Framework and to schedule a free Risk Assessment, contact Black Bottle Security today.