Diving into NIST Special Publication 800-53 for practical advice. Credit: Thinkstock We’ve already laid out a broad overview of what NIST’s cybersecurity framework can do for you, so today we’re going to drill into Special Publication 800-53. Published by the National Institute of Standards and Technology, and based on important research from the Information Technology Laboratory, this publication offers a comprehensive set of security controls to help you protect your data.The document refers to Federal information systems, but this terminology will be removed in the forthcoming fifth revision, because the advice here is applicable to all organizations.It may seem dense and inaccessible at first, so we’re going to break down some of the key elements and explain their importance.Establishing a baselineIt’s not easy to calculate the business impact of a cyberattack, because there are many knock-on effects that take time to reveal themselves. The latest research from the Ponemon Institute suggests a global average cost of $3.62 million for a data breach. The level of potential risk is your starting point in developing and building solid cybersecurity defenses. Before you can select the right set of security controls, you must consider the importance and sensitivity of the data. The FIPS 199 document explains how you might go about categorizing your systems, taking into account confidentiality, integrity, and availability to figure out if the potential impact of a breach is low, moderate, or high risk.Having established the potential impact levels, you can select a security control baseline. It’s deliberately called a baseline, because it’s something to build on. Tailoring your security controlsThe guidelines are broad and make certain assumptions that might not apply to your organization, so the next step is to tweak your security control baseline to ensure that it’s aligned with your business functions, systems and operating environment. You may be able to drop some controls, but will probably have to add or enhance others.Part of the aim during this process is to arrive an approach that strikes a good balance between security and cost. There’s no such thing as a perfect set of security controls. You must weigh in regulations, emerging threats, new and legacy technologies and systems, plus your business goals, to arrive at the right blend for your organization.Implementation and assessmentDetailed documentation laying out the design, development and implementation of your security controls is vital for regulatory bodies to be able to audit your efforts. It also provides a sound rationale that can be continually applied for the future, because cybersecurity is a travelling cliché – it’s not a destination, but a journey.Being able to refer to this documentation could be hugely valuable for the long haul, particularly if you have a new system to integrate, or your CISO resigns, or you hired a virtual CISO for the short term.A common mistake that organizations make is to draft the plan, implement it, and then trust that it’s working as expected. Without in-depth, regular assessments you have no idea if your security controls have been implemented correctly, if they’re operating as intended, or if they’re meeting your expectations for security. Get an outside party with no vested interest to put your security through its paces and don’t forget to test your third-party service providers to ensure they meet your standards.Continuous monitoringYou’ve set a baseline, tweaked it to fit your needs, implemented it and tested to ensure that it’s working properly, now you can take it easy, right? Wrong! Your work is never done when it comes to cybersecurity because things change. You might adopt a new system, integrate a new third-party service, or change your business goals. To comply with your legal requirements, you need to be up to date with the latest regulations. And all the while, new software vulnerabilities are being discovered, and hackers are probing your defenses and developing new techniques to gain entry.At the heart of NIST’s holistic approach to infosec and risk management are two simple ideas – “Built it right” and “continuous monitoring.”Take your time and create a solid cybersecurity foundation, but accept that you’ll need to be vigilant for cracks in your defenses and continually make improvements if you want to ensure that your data is truly protected. Related content opinion Diversity in cybersecurity: Barriers and opportunities for women and minorities Increasing the numbers of women and minorities in cybersecurity isn't just good for the individuals involved, it's good for the practice of security. Here's a look at what's holding them back and what can be done about it. By Michelle Drolet Dec 23, 2021 5 mins Diversity and Inclusion Hiring Security opinion 6 steps for third-party cyber risk management If you have third-party partners, you need a third-party cyber risk management program. Here are six key steps to follow. By Michelle Drolet Sep 30, 2021 4 mins Risk Management Security Practices Security opinion 5 open source intrusion detection systems for SMBs If you don’t have a lot of budget at your disposal, these open-source intrusion detection tools are worth a look. By Michelle Drolet Nov 13, 2020 5 mins Intrusion Detection Software Security feature 6 steps to building a strong breach response plan Cybersecurity resilience depends on having a detailed, thorough, and tested breach response plan in place. Here's how to get started. By Michelle Drolet Oct 07, 2020 5 mins Security Podcasts Videos Resources Events SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe