Co-authored by Ken Durbin, CISSP and Kevin McPeak, CISSP, ITILv3
(Continued from part four in our series on Canada's Digital Privacy Act, where we were discussing how NIST CSF can be tailored to assess against a specific requirement like the DPA.)
Now we move on to the Protect Function of the CSF. As with the other Functions, Protect is divided into Categories, Subcategories, and Informative References.
Protect consists of 6 Categories and 35 Subcategories, thus allowing an organization to get very granular in their assessment against Protect. Once again, we will not be able to cover the Subcategories in this series, but a detailed listing of all Functions, Categories and Subcategories can be found in Appendix A of the NIST CSF Document (https://www.nist.gov/document-3766).
What is the purpose of the Protect Function? According to NIST, Protect “supports the ability to limit or contain the impact of a potential cybersecurity event.” In other words, what people, processes, and technologies are in place to protect that which we have deemed critical to our business or mission? When you consider all you’re protecting (data, personnel, devices, systems, and facilities) it is easy to understand why it’s the largest of the 5 CSF Functions. Following are the 6 Categories of Protect and what they cover:
- Access Control: Verifying that users, processes, and devices are who they claim to be, and limiting them to the data, systems, facilities, etc. they are authorized to access.
- Awareness and Training: Enabling employees, partners, and suppliers to be part of your cybersecurity plan through education and training on policies, procedures, etc.
- Data Security: Data is managed according to company standards to mitigate risk and protect its confidentiality, integrity, and availability.
- Information Protection Processes and Procedures: Ensure policies, processes, and procedures are in place to manage protection of information systems and assets.
- Maintenance: Information System components are maintained and repaired in a controlled manner, including when that work is performed remotely or by third parties.
- Protective Technology: Technical security solutions are managed to ensure the security and resilience of systems and assets, consistent with established policy.
Protect and the Digital Privacy Act:
The Digital Privacy Act (DPA) amends PIPEDA and is designed to properly safeguard personal information in Canada. Once its breach provisions are in force, Canadian organizations will be required to report breaches of security safeguards to the Privacy Commissioner, notify the affected individuals, and keep records of every breach.
The Protect Function has several potential ways it can help assess against the DPA. Remember, we use “potential” because it’s up to each organization to determine which Categories and Subcategories are important to its business needs. Following are some examples:
- Access Control: Preventing a data breach means keeping the bad guys out. Can you adequately control access? Do you have multi-factor authentication in place?
- Awareness and Training: A breach can also be caused by a “well intentioned” employee. Are they properly trained? Do you have a data loss prevention (DLP) solution in place to catch accidental misuse of data before it leaves the organization?
- Data Security: The bad guys are after the data. How well is it protected? Is it encrypted at rest AND in motion? Do you have a DLP solution to detect unauthorized movement or exfiltration of sensitive data?
Putting it to use:
Taking the time to review each Protect Subcategory, deciding whether it matters for DPA compliance, and recording how well you meet it today will create a “DPA Current Profile.” A Risk Assessment against those same Subcategories defines the outcomes you need to reach, your “DPA Target Profile.” The gap between the two profiles is what guides your efforts to comply with the Protect components of DPA.
Symantec has solutions that align with both the CSF and DPA. We would be happy to discuss how we would be able to help you reach your Protect Target Profile.
Up next…the Detect Core Function of the CSF.
For more information on how to prepare for DPA, please visit: go.symantec.com/ca/dpa