Your Weekly Tech Tidbit…Walking the road toward NIST Compliance Inventory

November 25th, 2020

Today we start a new series covering practical steps that districts can use to increase their NIST compliance. Looking at the complete set of NIST controls can be a daunting experience. One of the best ways we have found to make these cybersecurity improvements more attainable is to follow the CIS Controls Top 20 list, which maps nicely onto NIST. CIS also breaks its controls list into three implementation groups: a "start here" group 1, a more "advanced" group 2, and, once that's done, group 3 for full "Ninja status." This series will walk through the "start here" group 1 items.

The good news is that the very first action items on our list, which relate to Inventory and Control of Hardware Assets, are most likely already being handled in your district.

Action item #1 - Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or process information. This inventory shall include all hardware assets, whether connected to the organization's network or not.

Action item #2 - Ensure that unauthorized assets are either removed from the network, quarantined, or the inventory is updated in a timely manner.

Almost all of you are already performing most of these steps, perhaps just for essential asset management or insurance purposes. But having a complete listing of what devices your organization owns or manages, including identifying information like device MAC addresses, is a critical foundational step in your cybersecurity roadmap. And remember, proper hardware inventory control includes having processes in place for adds, moves, and deletions in that inventory database.
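As an added illustration (not part of the original post or any CIS tooling), here is one way to reconcile an inventory export against the MAC addresses actually seen on the network, which is the check behind action item #2. The CSV columns, asset tags, and MAC addresses are constructed sample data, and the function names are hypothetical.

```python
import csv
import io
import re

# Constructed sample inventory export (not real district data).
INVENTORY_CSV = """asset_tag,description,mac
D-1001,Front office desktop,00:1A:2B:3C:4D:5E
D-1002,Library laptop,00-1a-2b-3c-4d-5f
D-1003,Gym projector,001a.2b3c.4d60
"""

# Constructed list of MACs seen on the network, e.g. exported from DHCP leases.
OBSERVED = ["00:1a:2b:3c:4d:5e", "001A2B3C4D5F", "3c:22:fb:00:00:01", "da:a1:19:00:00:02"]


def normalize_mac(raw):
    """Reduce colon, dash, dotted or bare notation to 12 lowercase hex digits."""
    digits = re.sub(r"[:\-.\s]", "", raw).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return digits


def is_locally_administered(mac):
    """True when the locally administered bit is set, as in randomized MACs."""
    return bool(int(mac[:2], 16) & 0x02)


def reconcile(inventory_csv, observed):
    """Compare inventory MACs with MACs seen on the network."""
    inventory = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        inventory[normalize_mac(row["mac"])] = row["asset_tag"]
    seen = {normalize_mac(m) for m in observed}
    unknown = sorted(seen - inventory.keys())
    return {
        # Inventoried devices that were seen on the network.
        "matched": sorted(inventory[m] for m in seen & inventory.keys()),
        # Not in inventory: remove, quarantine, or add to the inventory.
        "unknown": [m for m in unknown if not is_locally_administered(m)],
        # Not in inventory and likely randomized, so MAC matching cannot identify it.
        "unknown_randomized": [m for m in unknown if is_locally_administered(m)],
        # In inventory but not seen: possibly retired, moved, or offline.
        "not_seen": sorted(tag for m, tag in inventory.items() if m not in seen),
    }


if __name__ == "__main__":
    for category, items in reconcile(INVENTORY_CSV, OBSERVED).items():
        print(f"{category}: {items}")
```

Devices that use randomized (locally administered) MAC addresses cannot be matched to inventory by MAC alone, so they are reported separately for follow-up.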

As your cybersecurity processes mature, this database will eventually become an essential part of the input into your Network Access Control system, determining which networks and resources a device is allowed to reach and whether it's considered internal, public, etc.

So, take a moment to evaluate how accurate and complete your district's hardware inventory and update process are. If corrections are needed, start now, as later steps in your journey toward NIST compliance will build on this information.

-Bob Knapp