Youattest Logo

Top 5 NIST Cybersecurity Framework (CSF) Controls Regarding Identity Governance and YouAttest

The NIST CyberSecurity Framework offers solid guidance for how organizations should select and maintain customized security and privacy controls for their information systems.  NIST CSF is a voluntary framework that provides guidance for organizations on how to manage cybersecurity risks.

The standard provides a solid framework for any organization to develop, maintain and improve their information security practices – and is the basis for security for many private institutions and service companies.

Image #1:  Identity Governance is a key component of the NIST Cybersecurity Framework (CSF) and the associate control catalog: 800-53 r5.

 

Identity is key throughout the guidance.   It is throughout all of the listed functions: Identity (ID), Protect (PR), Detect (DE), Respond (RS) and Recover (RC).    

Related Document:

Key NIST 800-53r5 Controls, Mapped to IGA and YouAtest

 

Top 5 CSF 1.1 Identity Governance Controls that YouAttest Meets

ID.GV-2

Information security roles & responsibilities are coordinated and aligned with internal roles and external partners

Identity Governance Role:

To meet this control an enterprise must quantify all relevant roles associated with information security and then ensure that these roles are quantified and attested by knowledgeable parties (the managers).     

This is exactly what YouAttest user access reviews accomplish.

PR.AC-1  

Identity and Credentials are issued, managed, verified, revoked and audited for authorized devices, users and processes

Identity Governance Role:

There is a lot of  Identity and Access Management (IAM) block and tackling in this control.   But there is also a governance portion that spells out that identities should be reviewed for their roles and privileges.

YouAttest is designed specifically to meet the identity attestation portion of PR.AC-1.   

PR.AC-4

Access permissions and authorized are managed, incorporating for the principle of least privilege and separations of duties.

Identity Governance Role:

A managed identity is an audited identity – governance must be an active part of enterprise identity management to meet this control.

YouAttest allows enterprises to review their roles and permission to insure that privileges are limited to the access required to do the role. 

PR.AC-6

The best way to accomplish assigned organization tasks is by allowing authorized access for users or those acting on behalf of the users, while maintaining complete overview.

Identity Governance Role:

Enforcing the Principle of Least Privilege is the key objective of identity governance.  It requires not only a mature IAM system – but and actual IGA process.

It is nearly impossible for any organization of over 100 users to enforce this principle without a tool that goes through the roles and privileges and then identifies and helps eliminate excess privileges.   YouAttes is the easiest tool to use to effect the PR.AC-6, principle of least privilege, control

PR.PT-3

The principle of least functionality is incorporated by configuring systems to provide only essential capabilities.

Identity Governance Role:

Systems, devices, resources do NOT exist in a void.   They need to have access to these systems to conduct relevant functionalities – especially concerning PII (Personal Identifiable Information) and PHI (Personal Health Care information).

YouAttest is an automated tool to ensure the users allowed access to these systems are attested to and documented. 

Honorable Mentions

ID.AM-6

Learn more about the cybersecurity roles and responsibilities that must be shared by the workforce and third-party stakeholders. This includes suppliers, customers, and other partners.

Identity Governance Role:

Identity governance does NOT stop at the enterprise (identity) boundaries.  User and roles must be reviewed for partners, contractors and customers to ensure that the relevant access privileges are not exceeded.

YouAttest enables an enterprise to review both internal and external data sources for user privileges. 

ID.GV-4

Minimize and address risk management processes for potential cybersecurity risks.f

Identity Governance Role:
This control specifies that governance, and thus identity governance needs to be part of the cyber security plan to address risk.   Especially with the burgeoning of cloud (SAAS, PAAS and IDAAS) services – identity becomes the key control for their resources.

YouAttest offers a full suite of identity attestation functionality for attesting and documenting the roles/privileges of users throughout the enterprise.

PR.AC-3

Remote access is managed. 

Identity Governance Role:
Remote access is one more component that is quantified by not only the tools but by the grouping and roles of users allowed the privilege.  These roles must be reviewed in a well governed enterprise. .

YouAttest enables an enterprise to review remote access privileges – a key target of attacks for hackers.. 

PR.AT-2

Privileged users understand roles & responsibilities.

Identity Governance Role:
Privileged users are the most important aspect of identity governance.   A large part of an enterprises security posture is based on it’s policies, practic and governance of the privileged identities and identity groups.

YouAttest is utilized by all it’s customers for reviewing the privilege users.  The offering allows automated and auto-schedule review of these identities.  

PR.DS-1

Data–at-rest is protected.

Identity Governance Role:

Data-at-rest, and Data Loss Prevention is often the most important PURPOSE of an identity governance program.  It is vital that roles/privileges are frequently audited and monitored to insure the principle of least privilege (PR.AC-6) is applied to access to this data  

YouAttest insures the access to the resources (the enforcement points) that control access to the data is limited to legitimate, attested, users

PR.IP-5

Policy and regulations regarding the physical operating environment for organizational assets are met

Identity Governance Role:
Physical access is key part of any security policy.  And like data, web, remote access is best organized by standard identity management principles of quantified group roles/privileges.  These groups must be audited to meet security and compliance objectives.   

YouAttest enables an enterprise to review group privileges with an automated an easy to use gui-based platform. .

DE.DP-1   

Know the rules and responsibilities for each user to ensure right access and usage.

Identity Governance Role:
Threat detection and response are crucial roles in a secure IT enterprise.   These roles must be quantified and audited to insure the right personnel have acces to the tools and data to identify and then respond to threats.   This is the role of identity governance.   

YouAttest enables an enterprise to review the identity and threat group privileges with an automated and easy to use gui-based platform. .

RS.CO-1

Restrict access if needed and know which personnel have access to which operations.

Identity Governance Role:
IAM enables and enforces who has access to the threat detection tools, data and response mechanism.  IGA ensures that the right people have access to these tools and the proper approvals were in place to ensure that only the proper people have access to the corporate important resources.  

YouAttest enables an enterprise to review the access privileges to this tools and data. 

Summary

YouAttest is an automated user access review tool that helps organizations analyze and monitor user access policies. It allows businesses to quickly identify any potential security threats or anomalies and verify user identities and credentials. With YouAttest, companies can trust that they are always in compliance with security regulations and standards, including NIST CSF PR.AC-1, and access to data is restricted to attested to, authorized users.

The identity governance framework is a popular discussion within the industry. If you would like to learn more or discuss your options, feel free to schedule a call.

Contact us today to learn more about how YouAttest can help improve your user access reviews for compliance and better identity security.

Facebook
Twitter
LinkedIn

More
articles