Control 14 Mapping to the NIST Cybersecurity Framework
9 hours 54 minutes
Hey, everyone, welcome back to the core. So in the last video, we took a brief overview of CS Control 14 which again is a controlled access based on the need to know
in this video, we're just gonna take a look at how that maps up to the NIST cybersecurity framework.
So some control 14 1 That's where we segment the network based on sensitivity. So as an example, if I'm working with sensitive accounting or financial data,
Joey down in the janitorial services shouldn't have access to the same network with same data, right? So we do the network segmentation to make sure users on that network segment are only able to see the information that's applicable to them.
The other advantage of network segmentation, if you're not familiar, is if an attacker gets in. We can really,
for the most part, be able to isolate them to a certain network segment. Now that doesn't mean that they can't continue to move laterally through the network. But if we're dealing with, like, a script, kiddie or someone like that, then we can usually just keep them isolated to a certain network segment and then
lock them. I locked them down and clear up the infections, right?
It's not the attack.
Some control. 14 to what we're talking about. Firewall filtering between RV land. So that maps up to P. R. A. C Dash five in the next cybersecurity framework.
14 3 We're talking about disabling workstation to workstation communication,
and that maps up to P. R. A. C Dash five. So that's where we're talking about that network to integrity, right? So we're going back to things like the segregation and segmenting out our network
See as sub control. 14 4th We're talking about encrypting all sensitive information in transits. We talked a little bit earlier about data protection at rest. Now we're talking about also in transit Rights are protected in transit and at rest
14 5 utilizing active discovery tools to identify sensitive data. There's really not a 1 to 1 match in the cybersecurity framework for this one, but just know that's another aspect of it. And again, the overall arching thing of all of these is to help you build a better defense in depth for your organization.
Some control 14 6 Protecting the information through access control this so again Onley, allowing people to access the things they need to, right? So going back to principles of least privilege as well a separating duties. So just because I'm an administrator doesn't mean that you shouldn't put some kind of checking place. Right? So
you may have it where a couple of us administrators have to sign off on something
before I can actually access it and make a change.
Sub control 14 7
Enforcing access control through the automation of tools. Right, Because it's very difficult for me to go in manually and change your access every single time. So I just want to set
ah, a specific thing. So, for example, we could use, like, role based access control. And I could say, Okay, if you're an accountant at this company, these are the things you need access to, and this is it. You're limited on just thes things. So it makes it easier for me to automate that stuff as opposed to me having to manually say Okay. Well, Joey, who's Joey? Joey's an accountant.
Okay, let me go manually. Assigned these things
some control. 14 8 So again, going back to encrypting the sensitive information at rest
and some control 14 9 enforcing detail, logging for for people getting access or failing to log in properly, as well as any changes to that sensitive data. Because we want to track that if this change is made, why is the change made? So we could maintain integrity of that data.
So in this video, we just talk through the CIA's control 14 and how it maps to the NUS cybersecurity framework
in the next module, we're gonna jump into control 15 which is gonna be around wireless access control.