Skip to content

Security Situational Awareness – March 2023

white printer paper on green typewriter

The National Institute of Standards and Technology(NIST) Cyber Security Framework (CSF) is one of the de facto frameworks used by organisations to implement security controls and reduce cyber security risks. The current version of the framework has five high-level core functions – Identify, Protect, Detect, Respond and Recover. These functions are further broken down into various security capabilities to protect the organisation.

A major update of the CSF has been planned and NIST has released a proposal paper detailing the changes that can be expected. Two of the most significant changes in the paper are the addition of a Govern function to the existing core functions and the expansion of the Supply Chain Management content to the extent that they are considering making it an additional high-level function.

Typically, security frameworks concentrate on security controls and the implementation of these to reduce the risk and impact of cyber attacks on the organisation with little focus on the risk management, security policies, processes and how to effectively measure the security control effectiveness. The new govern function will address these gaps and provide a more comprehensive approach to the management and measurement of security and risk for the organisation.

Most of our efforts and resources are spent enhancing internal controls and training our staff on cyber security risks and to a lesser extent around our supply chain security. Gaining unauthorised access through partners is becoming an increasingly effective and lucrative method as partner controls are often easier to circumvent.

Some tips in dealing with the supply management risk:

  • Ensure that security is incorporated into supplier agreements and contracts. These should include the expected security controls, privacy requirements and ensure that your suppliers are mandated to report any suspected security incident that could impact your data and operations.
  • Regularly assess third party security controls,
  • Develop incident response playbooks that include the response to a breach in your supply chain.
  • Implement additional monitoring and alerting for third party access to systems and resources.

Regularly review all suppliers for compliance of security control and privacy expectations and requirements.


Related Posts

Why Managed Service Providers (MSPs) Partner with Advantage to Deliver Security Services to Their Customers

Advantage’s white label service allows you to offer your customers high-quality security services under your own brand, growing your brand and increasing your revenue without having to invest in resources and costly infrastructure and tools.
Advantage hires senior talent, continues to builds Security Consulting division
There’s a bit of a global cost of living crisis going on and everyone’s feeling the pinch. Even the hackers.