Control 17 Mapping to the NIST Cybersecurity Framework
Welcome back to the course. In the last video, we took a look at an overview of CIS Control 17, which is about implementing a security awareness and training program.
In this video, we're going to take a look at how that maps to the NIST Cybersecurity Framework (CSF).
Sub-control 17.1 is performing a skills gap analysis. What you're going to notice here is that it doesn't map one-to-one to a CSF subcategory. It's just something you need to implement in your organization: you have to identify where you are lacking. Do we have users that are falling for phishing emails?
Do we use default credentials on routers, switches, firewalls, and so on? What are the gaps for our particular organization?
Sub-control 17.2 is delivering training to fill those gaps. This one maps to several subcategories in the CSF Awareness and Training category: PR.AT-5, PR.AT-4, PR.AT-3, PR.AT-2, and PR.AT-1.
Sub-control 17.3: once we've identified those gaps and filled them, we want to implement a security awareness program. That maps to PR.AT-1 and ID.AM-6.
Sub-control 17.4 is updating the awareness content frequently. As threats evolve, and as issues evolve that are more relevant to our particular organization, we want to make sure we're updating the program to meet those needs.
Sub-control 17.5 is training the workforce on secure authentication. We want to make sure we're properly training our end users on this.
Just a quick side note: the power of that is something you can't overlook. So I'll give an example from my real life.
I worked for a health care organization and I dealt with clinicians, and I myself was a nurse for many years in pediatrics. But I dealt with these clinicians, and they never really understood why they couldn't do something. So we talked earlier about locking their screens
after a period of inactivity. They didn't like that. We talked about making sure you've got stronger passwords and that you're not using the same password across different devices or sharing the passwords as well.
And I got a lot of pushback, and what I basically figured out was, I need to relate this to what they care about. It's all about what they care about. If you can do that, then people understand why they shouldn't do something. So I would say, look, if you
share credentials with each other, what happens when that other nurse gets mad at you one day and they mess up all your charting and you have to go back and redo all your charting, or they go in with your credentials and delete all your charting for the past month? What are you going to do? You don't have a paper chart
that you can pull from to get the information on the patient vitals, and that's your nursing license that's going away, not theirs.
So that's how I approached it with them. And I said the same thing about the phishing emails. I said, look, if you click on something that doesn't look right,
but you still click on it, what that's going to do is lock up your computer with ransomware. I gave them the worst-case scenario. So it's going to lock up your computer with ransomware. You won't be able to do any of your charting for the day. You're going to have to come in on the weekend to do your charting. And then you're going to have patients mad at you because you don't know the last blood pressure. They're going to ask you questions.
You won't be able to care for patients. The doctor is going to ask you something. I said, that's how it usually works as a nurse:
when one thing goes wrong, all of them go wrong. So I approached it that way, with the problems they actually cared about. And I saw almost an overnight change with these clinicians in their day-to-day practices. We actually went from a point of them clicking every single phishing email
to a point of them always emailing first. In fact, it got to the point where, when the company was acquired by another company, a new CEO came in and sent out a welcome email with a survey,
and every single one of those nurses forwarded it to me. The email said, this doesn't look right. Is this spam? Is this real? Is this a criminal hacker? Because we had built that awareness, and we related it to what they actually cared about. So if you're watching this video and you need to implement security awareness for your organization,
figure out what those people care about
and then adjust your training to match those needs. It kind of goes back to the marketing side of things: you figure out what your customer's problem is, and then you go solve it. We're doing the same thing here with security awareness.
Sub-control 17.6 is training the workforce on identifying social engineering attacks. I talked about the phishing emails, but that's just one way. You want to make them paranoid and suspicious of everyone,
because I would rather have someone questioning me, saying, who are you? Why are you here to deliver this package? and have that check and balance in place, as opposed to me just being able to walk into your company, which I've done many times. In fact, I've unfortunately been given access to things I shouldn't have seen at various companies because I have a trustworthy face. And I wasn't nefarious
by any means,
but people were just showing me stuff and telling me stuff, and I was like, no, you shouldn't be giving me this stuff. So just keep that in mind. You want to train your workforce to identify potential social engineering attacks.
Sub-control 17.7 is training the workforce on how to handle sensitive data. I talk a lot about health care because the predominant amount of my experience is in the health care industry.
So how are we handling sensitive data? We've got regulations we have to follow, like HIPAA and HITECH. So how are we handling that? We need to train the end users on how they actually handle that information, make sure they understand it, and have them show us how they would handle that sensitive data.
Sub-control 17.8 is training the workforce on causes of unintentional data exposure. So I may be looking at a patient's chart, and someone is able to walk by, look over my shoulder, and see the information on the patient. That's unintentional: I didn't know that somebody was behind me. But what could I do in this situation?
Well, there are things I can put on my screen for privacy, so a privacy filter.
I could also turn the monitor so it doesn't face the hallway and instead faces the wall behind me. So there are a few minor things I could do to help prevent unintentional data exposure. But again, our end users don't know that until we train them on it.
Sub-control 17.9 is training workforce members on identifying and reporting incidents. So again, I talked about those nurses.
Once they got that email from the new CEO, they were suspicious immediately and they said, hey, is this legitimate? Is this the right thing, or is this an attack? That's what you want: you want to train the end users to be able to identify that stuff for you so they can report it. You want to train them on the "if you see something, say something" mentality.
So in this video, we just talked through Control 17 of the CIS Controls, implementing a security awareness and training program, and how it maps to the NIST Cybersecurity Framework. The overarching thing I want you to take away from this particular video is: make sure you focus on what the end user cares about. When you're building these programs, don't just
throw a bunch of information at them;
figure out how it relates to what they're doing and why they would actually care about it, and then make that part of your training, so they actually care about following the steps they're learning.
In the next video, we're going to take a look at Control 18, Application Software Security.