Is NIST Compliance Just for the IT Department?
If you’ve been presented with a requirement to align your cyber security practices with the NIST Cyber Security Framework, you might at first think that compliance will just be the IT department’s responsibility. Nothing could be further from the truth. Cyber security is a responsibility that all employees need to share, but there are some specific obligations that lie within each department of your organization.
The following is a sampling of department specific obligations pertaining to cyber security:
Executives and Leadership
The construction of a culture of security starts with leadership. In fact, if it doesn’t, efforts to manage cyber risk will likely fall short because security will be seen as just a control and not as a capability. In addition to keeping security top of mind, it’s leadership’s responsibility to oversee the creation of an all-encompassing cyber security plan along with adequate budget and staffing to maintain security at the appropriate level.
Executives should have a firm understanding of how cyber security regulations and laws apply to their organization and enable the organization to meet those requirements. Contracts with vendors should communicate cyber security expectations and communicate shared responsibility to keep data and access to systems safe from hackers.
Finance and Accounting
Finance executives should understand that the lack of an effective cyber security strategy can have huge negative impacts on the financial health – and the life – of the organization. In addition to maintaining a separate line in the budget for cyber security, the CFO should have a complete view of all of the expenditures associated with security. It may also fall into the CFO’s lap to determine if there is a need for cyber security insurance.
Accounting staff should recognize that their department is a prime target for cyber criminals. Managers should develop and implement policies and procedures that require verification for any change in protocol, such as requests to change banks or transfer money. A procedure may be as simple as picking up the phone to ask if an email request is legitimate.
Human resource managers should use the employee handbook as a tool for communicating cyber security standards to all staff. They should actively engage employees to build a culture of security through training and internal communications. Training can include specific procedures that employees should follow to access information -- such as how to connect to the network when working remotely – as well as cyber security awareness training which teaches staff how to recognize and respond to a potential cyber attack.
The HR department has specific responsibility to protect the personally identifiable information of employees that they gather and store. HR may play a role in determining security levels for different groups of employees so that they have access to the data that they need to do their job and no more. HR should have specific protocols to follow when changes need to be made to information access such as when an employee moves to a different position or is terminated.
Operations and Facilities Management
The management of cyber risks includes physical security, so operations managers need to integrate building access controls into the company’s cyber security plan to maintain security. This includes controls on how employees and visitors may enter the building and any areas that may be off limits to unauthorized persons.
Operations managers should find ways to integrate cyber security into the company’s safety program which will help to keep security as an active topic for discussion and training. They also should be involved in conversations about network management pertaining to how network access will be provided to visitors, vendors and others outside the organization. This includes connected devices such as environmental controls and security systems.
Sales, Marketing and Communications
The people who interact with customers and prospective customers should understand the value of the data that they use to do their jobs. Intellectual property could certainly be a target for cyber criminals, but your customer and prospect list in your CRM has value too.
Sales and marketing professionals tend to have more interactions with people outside their organization, and use technologies that take company data outside of the organization’s network ecosystem so they may need to work with IT to make sure that IT first, knows where the data is, and second, can help to implement backup systems and provide secure access to the apps and resources they need when working away from the office.
Communication is a huge part of any organization’s incident response plan so it may fall to the marketing department to determine how employees, customers, vendors and stakeholders will be notified when a data breach happens.
Finally, we get to the IT department and what comes to mind is their responsibility for managing all of the technical layers of security such as firewalls, anti-virus and anti-spam applications to name just a few.
It’s up to IT to enforce many of the controls that are part of the organization’s cyber security plan. For example, if the plan calls for VPN access for remote workers, then IT needs to implement the technology to make that possible. Indeed, IT should be facilitating cyber security conversations across all departments and playing a part in helping the organization blend their needs for access and productivity, with the need for security.
The IT department needs to keep up with the latest trends in cyber security trends and tools, and to decide honestly if they need to outsource services and expertise in order to meet security goals.
Everyone Has a Role in NIST Cyber Security Compliance
Because everyone plays an important part in cyber security, NIST compliance cannot just be a project for the IT department. If your company is in a government supply chain, you’re going to be hearing about NIST because these requirements are being pushed down to vendors at all levels. The result of non-compliance is that you may lose a customer.
Accent Computer Solutions provides advanced cyber security as a stand-alone service or in conjunction with managed services. Our clients come to us because outsourcing cyber security is the most cost effective way to get the high level of expertise they need to interpret and implement the NIST cyber security framework for their business.
Contact us to schedule a cyber security assessment to get an objective view of your current cyber security stance along with actionable recommendations for improvement.
About Courtney Casey
In an industry dominated by men, Courtney Casey, Director of Marketing for Accent Computer Solutions, Inc., is making her mark on the world of information technology. Courtney has been immersed in the IT field most of her life and has been molded into the tech savvy expert she is today. She began working for Accent while earning her Bachelor's degree from California State University, Long Beach. Known in the Inland Empire as the "Tech Girl," Courtney is a regular columnist for the region's newspaper of record, The Press-Enterprise. Her columns address topical news trends, new technology products, and offer advice on how to embrace technology or avoid common IT pitfalls.