With school districts now required to adopt the NIST Cybersecurity Framework (CSF) for managing their IT operations, our district administrative and technology teams have just become responsible for ensuring that approximately 108 technical or management best-practice outcomes are occurring each day in their IT operations. And while the NIST CSF does a great job of telling us what those outcomes need to be, for example "Data-at-rest is protected," the CSF deliberately says very little about how we might get it done.
How to make this happen is left to other documents and sources referenced by the CSF. The most notable is the CSF's companion document, NIST SP 800-53, Security and Privacy Controls for Information Systems and Organizations. This huge document contains over 300 base controls that expand to probably closer to 1000 controls once the included enhancements are counted, and it is considered the master reference for IT controls.
A perhaps easier CSF-referenced document to work with along the journey to NIST CSF compliance is the CIS Controls. Published by the Center for Internet Security (CIS), the CIS Controls v8, updated just this past June, contains 160 efficient controls across 18 control groups, all cross-referenced to the NIST CSF. Many schools find working with the CIS Controls a bit less daunting than the full SP 800-53 document. So, with this in mind, we are going to revisit our last series on the CIS Controls and look at the latest v8 Implementation Group 1 updates, beginning with CIS Control 1 - Devices - Inventory and Control of Hardware Assets:
This control requires the organization to “Actively manage (inventory, track, and correct) all enterprise assets (end-user devices, including portable and mobile; network devices; non-computing/Internet of Things (IoT) devices; and servers) connected to the infrastructure physically, virtually, remotely, and those within cloud environments, to accurately know the totality of assets that need to be monitored and protected within the enterprise. This will also support identifying unauthorized and unmanaged assets to remove or remediate.”
The suggested controls in this group directly support the outcomes required in the NIST CSF subcategories ID.AM-1, "Physical devices and systems within the organization are inventoried," and PR.DS-3, "Assets are formally managed throughout removal, transfers, and disposition."
The CIS Controls provide some additional recommendations on how to do all this, based on best-practice standards developed by a group of cybersecurity experts from around the globe. The initial IG1 Control 1.1 is about establishing the inventory process, and it includes:
- Establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise assets with the potential to store or process data, to include:
  - end-user devices (including portable and mobile)
  - network devices
  - non-computing/IoT devices
- Ensure the inventory records:
  - the network address (if static)
  - hardware address
  - machine name
  - data asset owner
  - department for each asset
  - whether the asset has been approved to connect to the network
- For mobile end-user devices, MDM-type tools can support this process, where appropriate.
- This inventory includes assets connected to the infrastructure physically, virtually, remotely, and those within cloud environments.
- Additionally, it includes assets that are regularly connected to the enterprise's network infrastructure, even if they are not under control of the enterprise.
- Review and update the inventory of all enterprise assets bi-annually, or more frequently.
IG1 Control 1.2 addresses handling unauthorized assets:
- Ensure that a process exists to address unauthorized assets on a weekly basis.
- The enterprise may choose to remove the asset from the network, deny the asset from connecting remotely to the network, or quarantine the asset.
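To make the two controls above concrete, here is a small added example (not from CIS or this post) that checks a hardware inventory for the Control 1.1 record fields and review cadence and then runs the Control 1.2 weekly sweep for devices that are seen on the network but are unknown or not approved. The inventory rows, the observed MAC addresses, and the "today" date are constructed samples; where the observed list really comes from (switch MAC tables, DHCP leases, an MDM export) depends on the district's own tooling.

```python
"""Added example: check an asset inventory against CIS Control 1.1 record
requirements and run the Control 1.2 unauthorized-asset sweep. All data
below is constructed for illustration."""
from datetime import date, timedelta

# Fields CIS 1.1 says each record should carry (network address only if static).
REQUIRED_FIELDS = ("hardware_address", "machine_name", "owner", "department", "approved")

# Constructed inventory rows; "network_address" may be None for DHCP clients.
INVENTORY = [
    {"hardware_address": "00:11:22:33:44:01", "network_address": "10.0.1.10",
     "machine_name": "lib-desk-01", "owner": "J. Doe", "department": "Library",
     "approved": True, "last_reviewed": date(2023, 1, 15)},
    {"hardware_address": "00:11:22:33:44:02", "network_address": None,
     "machine_name": "hs-chrome-117", "owner": "Student Services",
     "department": "HS", "approved": False, "last_reviewed": date(2023, 1, 15)},
    {"hardware_address": "00:11:22:33:44:03", "machine_name": "old-printer",
     "owner": "", "department": "Admin", "approved": True,
     "last_reviewed": date(2022, 3, 1)},  # stale review and missing owner
]

# Constructed list of hardware addresses seen on the network this week.
OBSERVED = ["00:11:22:33:44:01", "00:11:22:33:44:02", "aa:bb:cc:dd:ee:ff"]
AS_OF = date(2023, 7, 1)  # constructed "today" for the sample run


def missing_fields(record):
    """Return the required 1.1 fields that are absent or empty in a record."""
    return [f for f in REQUIRED_FIELDS if record.get(f) in (None, "")]


def overdue_for_review(record, today, max_age_days=182):
    """True when the last review is older than the 1.1 bi-annual cadence."""
    return today - record["last_reviewed"] > timedelta(days=max_age_days)


def unauthorized_assets(inventory, observed):
    """1.2 sweep: observed addresses that are unknown or not approved to connect."""
    approved = {r["hardware_address"] for r in inventory if r.get("approved")}
    return sorted(set(observed) - approved)


def inventory_report(inventory, observed, today):
    """Summarize 1.1 record gaps and 1.2 findings for the weekly review."""
    return {
        "incomplete": [r["machine_name"] for r in inventory if missing_fields(r)],
        "overdue": [r["machine_name"] for r in inventory if overdue_for_review(r, today)],
        "unauthorized": unauthorized_assets(inventory, observed),
    }
```

Calling `inventory_report(INVENTORY, OBSERVED, AS_OF)` flags the printer for the missing owner and stale review, and lists the unapproved Chromebook and the unknown address as the week's unauthorized assets for removal, remote-deny, or quarantine.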
While CIS does not answer every question about how, and in what systems, you can do this inventory work, the controls do provide some additional color on the types of assets we need to capture information about and the minimum information we should be tracking for each asset. Use this information as a starting point for discussing how to create a NIST CSF compliant inventory system and process in your district.
In the coming weeks, I will continue to walk through the various CIS Controls groups one-by-one. If you would like some consulting assistance on implementing any of the controls we highlight in this series, we would be happy to help. Please contact our office to set up an appointment.