We are in the process of building a security program from the ground up based on the NIST Cybersecurity Framework. Our other regulatory obligations include PCI, HIPAA, and GDPR to a small degree. So the challenge before us is designing a robust security program that works for a very small company (27 people) but covers all the bases needed. Additionally, because the NIST CSF doesn’t tie into HIPAA 1:1, considerations needed to be made for policies and procedures to support that. The third hard thing is that I don’t have unlimited budget, a CISO, or basically any guidance from above me. To append the skill set, I’ve consulted with both our legal team and outside security experts to work on this plan.
The first thing we did was undergo a security and risk assessment against the NIST CSF for critical infrastructure. This gave us a good idea of how the sensitive data flows through the systems and what controls we already have in place. Based on the results, it gave us a good idea of what areas to focus on first.
Next, I am leading an awareness and training campaign for the human firewall, as this is one of the most common breach vectors. Not only is this a good idea, it’s also a requirement for HIPAA and PCI I believe.
In tandem, I am building a Key Policy statement that employees will attest to annually, which states the company’s stance on a very broad scope of technology usage and data security.
Under the key policy, I am building individual policies that fit within each category identified in the NIST CSF Functional areas. After that, I will build out Standards based on the sub-categories, and finally will create Standard Operating Procedures to support each Standard.
I’ll probably have some HIPAA-specific policies that reference the NIST policies, but I figured this is a good place to start.
At the end of this, I will have built a security program for the company that is ready for audit and expansion, versus random controls and scattered/undocumented ways of securing the environment.
Gut instinct as a “doer” is to throw controls in place, especially ones that are best practice. I’ve found this to be a balancing act, and showing restraint in my approach is unnatural. Of course, there are things that should be in place (endpoint protection, MFA where available, encryption), but it is best if these can be identified, documented, and placed in support of a specific policy or policies.
You’re probably looking for more of a tactical answer, which I was too when I started this project, but it has opened my eyes as to how more mature organizations should handle this particular topic and be ready for the future.