COVID-19 Made a NIST Cybersecurity Framework More Critical for Ohio Businesses

In 2018, Ohio implemented the Ohio Data Protection Act. The Act is a comprehensive measure that allows businesses to limit their liability in the event of a data breach. They do this by having a NIST cybersecurity framework in place. COVID-19 may have disrupted your organization’s plans to meet these standards. Yet the pandemic also revealed serious gaps in security. These gaps make a comprehensive cybersecurity framework essential. If you have yet to establish your framework, or revisit it based on the changes your company has experienced because of the pandemic (like supporting a remote workforce), we urge you to consider prioritizing your cybersecurity strategy before it’s too late.

The Ohio Data Protection Act

As a refresher, the Ohio Data Protection Act provides businesses that store or transmit personal information a safe harbor in the event they experience a breach. However, you can only qualify if you follow the NIST cybersecurity framework. This Act is a significant step forward for all organizations interested in limiting their liability should a data breach occur. It offers clear steps to organizations on what they must do to qualify for safe harbor under the Act. With or without a pandemic, minimizing risk of liability while simultaneously establishing better protocols to protect your customers and your data is a win-win.

Principals of a NIST-Based Cybersecurity Network

The threat landscape continues to grow more complex. As a result, cyberattacks are more sophisticated than ever. New threats are discovered daily. The NIST framework is designed to help you have a comprehensive cybersecurity strategy in place to protect your organization, your people, your data, and your customers.

The principals of the NIST framework are:

• Use common and accessible language
• Adaptable to many technologies, lifecycle phases, sectors, and uses
• Risk-based
• Based on international standards
• A living document
• Guided by many perspectives – private sector, academia, public sector

5 Steps to Developing a NIST Cybersecurity Framework

Develop a framework that will guide your cybersecurity policy. In order to minimize your risk and limit your liability under the Ohio Data Protection Act, take the following steps:

1. Identify risks and security gaps in your organization
2. Include layers of security designed to protect against cyberattacks
3. Detect unwanted intruders in your network
4. Provide a detailed plan to report and respond to breaches
5. Establish clear steps (including appointed responsibility) to recover from a breach

By using the NIST framework, you can develop cybersecurity protocols that protect your organization. By meeting the standards for protection under Ohio’s Data Protection Act, you can assure your customers that you take protecting their personal data seriously.

The Five Steps in the Cybersecurity Framework:

IDENTIFY

Before you can develop a comprehensive plan to protect your data, you need to know what you are working with. First, think about the data.

• What data do you have?
• Where is it stored?
• Who has access to it?

Then, consider how data risk has changed since you’ve transitioned to a remote workforce. You likely have more devices than ever accessing your network from off-premises. How are you controlling that access? And how are you protecting your organization and your employees now that they’re working from home offices and potentially using personal devices and personal internet service providers to perform their jobs? You can’t protect what you don’t know is a risk; so, begin with a risk assessment.

Additionally, you’ll need to consider other risks. What third-party vendors have access to your network? How are you handling employee training – not just onboarding, but also ongoing security training to keep your employees from becoming your biggest liability. Communication, especially with a remote workforce, can be challenging. Many organizations have experienced a huge number of layoffs; how have you managed removing access? Are there former employees who still have access to your network who shouldn’t?

NIST standards require you to consider these areas in the Identify function:

• Physical and software assets within the organization to establish the basis of an Asset Management program
• Business Environment, the organizational supports including the organization’s role in the supply chain, and the organizations place in the critical infrastructure sector
• Cybersecurity policies established within the organization to define the Governance program as well as identifying legal and regulatory requirements regarding the cybersecurity capabilities of the organization
• Asset vulnerabilities, threats to internal and external organizational resources, and risk response activities as a basis for the organizations Risk Assessment
• Risk Management strategy for the organization, including establishing risk tolerances
• Supply Chain Risk Management strategy including priorities, constraints, risk tolerances, and assumptions used to support risk decisions associated with managing supply chain risks

PROTECT

After you have identified all gaps in your security and risks that are leaving you exposed, then you can establish comprehensive security. The first step is to control who has access to your data, establishing ways to monitor how and when data is accessed, and establishing policies around data control. The second step is to implement the layers of security that will protect your network, from firewall, antivirus, and malware detection software to sophisticated threat detection capability. In addition, more prosaic steps need to be taken to protect you, including the use of a VPN for remote access and utilizing password managers instead of simple passwords.

The NIST Framework Protect function suggests considering the following:

• Protections for Identity Management and Access Control within the organization including physical and remote access
• Empowering staff within the organization through Awareness and Training, including role-based and privileged-user training
• Establishing Data Security protection consistent with the organization’s risk strategy to protect the confidentiality, integrity, and availability of information
• Implementing Information Protection Processes and Procedures to maintain and manage the protections of information systems and assets
• Protecting organizational resources through Maintenance, including remote maintenance and activities
• Managing Protective Technology to ensure the security and resilience of systems and assists are consistent with organizational policies, procedures, and agreements

DETECT

One of the ways in which organizations can minimize the damage of a breach is by catching it as early as possible. To do this, you must be able to not only shut out as many threats as possible but also detect any that do get through.

The NIST Framework Detect function includes:

• Ensuring that Anomalies and Events are detected and that their potential impact is understood
• Implementing Security Continuous Monitoring capabilities to monitor cybersecurity events and verify the effectiveness of protective measures, including network and physical activities
• Maintaining Detection Processes to provide awareness of anomalous events

However, even with every effort made to establish the best possible cybersecurity protocols, it still just takes one employee clicking on one link to create a disaster. Therefore, you must always prepare for the worst. This is where the respond and recover functions play a role. NIST establishes these guidelines for responding to and recovering from breaches:

RESPOND

The Respond function includes appropriate activities to take action regarding a detected cybersecurity incident. In this way, the Respond function supports the ability to contain the impact of a potential cybersecurity incident.

Examples of outcome Categories within this function include:

• Ensuring Response Planning process are executed during and after an incident
• Managing Communications during and after an event with stakeholders, law enforcement, and external stakeholders as appropriate
• Analysis is conducted to ensure effective response and support recovery activities, including forensic analysis and determining the impact of incidents
• Mitigation activities are performed to prevent expansion of an event and to resolve the incident
• The organization implements Improvements by incorporating lessons learned from current and previous detection and response activities

RECOVER

The Recover function identifies appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity incident. As a result, the Recover function supports timely recovery to normal operations to reduce the impact from a cybersecurity incident.

Examples of outcome Categories within this function include:

• Ensure the organization implements Recovery Planning processes and procedures to restore systems and  assets affected by cybersecurity incidents
• Implement Improvements based on lessons learned and reviews of existing strategies
• Finally, coordinate internal and external communications during and following the recovery from a cybersecurity incident

thinkCSC offers the following services required to comply with NIST guidelines, available to all private and public businesses, non-profits, and K-12 educational institutions:

• Cybersecurity Gap Analysis
• Security Awareness Program Implementation
• Security Awareness Training Program
• Incident Response Policy
• Risk Assessment
• Vulnerability Assessment
• Internal and External Combined Penetration Testing
• Policy Review and Development

thinkCSC encourages every organization to take the steps necessary to take advantage of the Ohio Data Protection Act. To learn more about how your organization can begin the process, contact thinkCSC now.