Co-authored by Ken Durbin, CISSP and Kevin McPeak, CISSP, ITILv3
(Continued from part five in our series on Canada's Digital Privacy Act, where we were discussing how NIST CSF can be tailored to assess against a specific requirement like the DPA.)
Up next is the Detect Function of the CSF. As with the other Functions, Detect is also divided into Categories, Subcategories, and Informative References.
Detect consists of 3 Categories and 18 Subcategories, allowing an organization to get very granular in its assessment against the Detect Function. This series doesn’t cover the Subcategories in detail; however, a full listing of all Functions, Categories, and Subcategories can be found in Appendix A of the NIST CSF Document (https://www.nist.gov/document-3766).
What is the purpose of the Detect Function? According to NIST, Detect “enables timely discovery of cybersecurity events.” In other words, what got through the Protection Mechanisms you implemented in the Protect Function? The word “timely” is key. To reduce the severity of a cyber event you need to know as rapidly as possible that something got through your defenses. Not to get ahead of myself, but a strong Detect implementation makes the Respond Function (see next blog) much more effective.
Following are the 3 Categories that make up Detect:
- Anomalies and Events: Anomalous activity is detected in a timely manner and the potential impact of events is understood.
- Security and Continuous Monitoring: The information system and assets are monitored at discrete intervals to identify cybersecurity events and verify the effectiveness of protective measures.
- Detection Processes: Detection processes and procedures are maintained and tested to ensure timely and adequate awareness of anomalous events.
Detect and the Digital Privacy Act:
The Digital Privacy Act (DPA) is designed to properly safeguard private data in Canada. Canadian organizations will be required to report data breaches, notify all affected individuals in a timely manner, and maintain relevant records of the breach.
The Detect Function has the potential to play a critical role in preparing for DPA compliance. Remember, I use “potential” because it’s up to each organization to determine which Categories and Subcategories are important to align with their unique business needs. Keep in mind, at the heart of DPA is an organization’s ability to detect a breach and notify the Government and affected individuals as soon as possible.
- Anomalies and Events: Are you prepared to collect and analyze data from multiple control points to detect a security event? Are you utilizing a platform that allows correlation between the Endpoint, Network, and Gateway?
- Security and Continuous Monitoring: Do you have the ability to monitor key assets 24/7/365? Have you considered a Managed Security Service (MSS) to supplement your capabilities?
- Detection Processes: To stay on the right side of DPA, you have to know about a breach as soon as possible (and before you learn about it on the news!) and follow the proper disclosure requirements. Are you utilizing Data Loss Prevention (DLP) to detect inappropriate access to your data (and prevent exfiltration) wherever it resides?
Putting it to use:
Taking the time to review each Detect subcategory to determine if it will help you comply with DPA will create a “DPA Current Profile.” A Risk Assessment against those subcategories will create a “DPA Target Profile,” which can be used to guide your efforts to comply with the Detect components of DPA.
Symantec has solutions that align with both the CSF and DPA. We would be happy to discuss how we would be able to help you reach your Detect Target Profile.
Up next…the Respond Core Function of the CSF.
For more information on how to prepare for DPA, please visit: go.symantec.com/ca/dpa