How Small Businesses Look Big with NIST Control Families

Many small businesses end up on the receiving end of highly nuanced security and regulatory questions from clients and partners, with little in the way of internal expertise or resources to find their way to acceptable answers.  One way that savvy small businesses prevail, is to know the language of "big company" compliance.  That way, when a question arises -- perhaps one about NIST Control Families -- the small business is prepared to give a contextually relevant answer about controls or compensating controls.

We're not saying that small businesses should have a perfect answer to every imaginable question about each NIST Control.  We are saying that when small businesses can credibly talk about how they conceptually align with NIST Control Families, that they make the right impression that helps to calm the nerves of big company compliance folks.  Agree?  Then let's hop to it.

NIST, Security Risks, and Security Controls

NIST is the National Institute of Standards and Technology.  But, what's relevant here, is that NIST created one of the most widely known frameworks for thinking thoroughly about the types of security controls that organizations should consider putting in place (more on security controls here).

The Havoc Shield team prefers to talk in concrete terms that are approachable for small businesses without any dedicated cybersecurity staff, so here's an example that we think should bring life to the topic of security controls.

Suppose that your organization has an external hard drive that you occasionally use to back up customer records.  That's worth protecting, right?  If someone were to accidentally have that hard drive in luggage that became lost during a business trip, that could be a huge problem on a bunch of dimensions.  Hopefully we can all agree that having this type of hard drive floating around on an ad hoc basis, in unknown hands, would be a security risk.

So, let's talk about mitigating that security risk.  If your instinct was that one of the ways to mitigate the risk could be by ensuring that the hard drive is encrypted, your instincts are great.  If you head down that path, you'd be implementing encryption as a security control to mitigate the security risk that we've talked about here.  Caveat: if you are travelling around the country with customer data backups in your luggage, we've got more to talk about than just encryption, but hopefully our example provided a straightforward illustration that is useful as an example.

So, what are NIST Control Families?  They are an organized list of security controls, grouped into related families.  For example, the encryption example we've been using is one that touches several of the controls in the System and Communication Protection control family.

How Small Businesses Talk a Big Game

The next time you are asked a security question that relates to NIST Control Families, you should now know (at least conceptually) that the conversation will be about security risks and security controls.  So, if you find yourself on the receiving end of questions about your company's approach to NIST, you'd be on solid ground to say that you'd be willing to talk about any particular control family, or more broadly about your view that your company carefully evaluates security risks, and implements security controls to mitigate those risks.  If the conversation turns to any particular control family, you can always peruse (we won't guarantee that it'll be fun) the list of NIST Control Families:

• AC - Access Control
• AU - Audit and Accountability
• AT - Awareness and Training
• CM - Configuration Management
• CP - Contingency Planning
• IA - Identification and Authentication
• IR - Incident Response
• MA - Maintenance
• MP - Media Protection
• PS - Personnel Security
• PE - Physical and Environmental Protection
• PL - Planning
• PM - Program Management
• RA - Risk Assessment
• CA - Security Assessment and Authorization
• SC - System and Communications Protection
• SI - System and Information Integrity
• SA - System and Services Acquisition

Some very light familiarity with each (even just having read through the names of the NIST Control Families) is often enough to help you do a great job representing how your organization takes security seriously.  And it's not just for show (we hope!) -- we can't imagine that you are the kind of company that would travel the globe with a customer data backup in luggage, so we already know that you've got an intuitive sense for security risks, security controls, and how to navigate the NIST Control Families to describe some of your companies perspectives on the widely-recognized families that big companies recognize from the NIST framework.

As always, let us know if you need a hand raising your security program to a level that you are proud to represent in your conversations with clients, partners, and employees.