We’ve already laid out a broad overview of what NIST’s cybersecurity framework can do for you, so today we’re going to drill into Special Publication 800-53. Published by the National Institute of Standards and Technology, and based on important research from the Information Technology Laboratory, this publication offers a comprehensive set of security controls to help you protect your data.
The document refers to Federal information systems, but this terminology will be removed in the forthcoming fifth revision, because the advice here is applicable to all organizations.
It may seem dense and inaccessible at first, so we’re going to break down some of the key elements and explain their importance.
Establishing a baseline
It’s not easy to calculate the business impact of a cyberattack, because there are many knock-on effects that take time to reveal themselves. The latest research from the Ponemon Institute suggests a global average cost of $3.62 million for a data breach. The level of potential risk is your starting point in developing and building solid cybersecurity defenses.
Before you can select the right set of security controls, you must consider the importance and sensitivity of the data. The FIPS 199 document explains how to categorize your systems: you rate the potential impact of a breach on confidentiality, integrity, and availability separately, and decide whether each is low, moderate, or high.
Having established the potential impact levels, you can select a security control baseline. It’s deliberately called a baseline, because it’s something to build on.
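The two steps above, categorizing a system under FIPS 199 and then picking the SP 800-53 baseline from the result, are mechanical enough to script. The following is an added example, not code from the original post or from NIST; it applies the high-water mark rule that FIPS 199 and FIPS 200 prescribe (each objective takes the highest rating among the information types the system handles, and the baseline is the highest of the three objectives). The HR system and its information types are constructed sample data; a real assessment would draw its information types from NIST SP 800-60.

```python
from enum import IntEnum

# FIPS 199 potential-impact levels, ordered so max() gives the high-water mark.
class Impact(IntEnum):
    LOW = 1
    MODERATE = 2
    HIGH = 3

OBJECTIVES = ("confidentiality", "integrity", "availability")

# Constructed sample: information types handled by one hypothetical HR system,
# each rated per security objective. Ratings are illustrative only.
SAMPLE_INFO_TYPES = {
    "employee PII": {
        "confidentiality": Impact.MODERATE, "integrity": Impact.MODERATE, "availability": Impact.LOW},
    "payroll records": {
        "confidentiality": Impact.MODERATE, "integrity": Impact.HIGH, "availability": Impact.MODERATE},
    "public job postings": {
        "confidentiality": Impact.LOW, "integrity": Impact.LOW, "availability": Impact.LOW},
}


def categorize_system(info_types):
    """Return the system's security category per objective (FIPS 199 high-water mark).

    Each objective takes the highest impact rating found among all information
    types the system stores, processes or transmits.
    """
    if not info_types:
        raise ValueError("a system must handle at least one information type")
    category = {}
    for objective in OBJECTIVES:
        category[objective] = max(ratings[objective] for ratings in info_types.values())
    return category


def select_baseline(category):
    """Pick the SP 800-53 control baseline (FIPS 200): the highest impact across C, I and A."""
    return max(category[objective] for objective in OBJECTIVES)


def format_category(category):
    """Render the category in FIPS 199 notation, e.g. SC = {(confidentiality, MODERATE), ...}."""
    parts = ", ".join(f"({obj}, {category[obj].name})" for obj in OBJECTIVES)
    return "SC = {" + parts + "}"


if __name__ == "__main__":
    category = categorize_system(SAMPLE_INFO_TYPES)
    print(format_category(category))
    print("Selected SP 800-53 baseline:", select_baseline(category).name)
```

Note that a single HIGH rating on one objective of one information type (here, payroll integrity) lifts the whole system to the High baseline; that is the intended behaviour of the high-water mark, and it is exactly why the result is a starting point to tailor rather than a finished control set.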