
Mapping Access Reviews and Internal Control to NIST CSF PR.PT-1

After the National Institute of Standards and Technology (NIST) was tasked with creating a voluntary framework for enhancing cybersecurity infrastructure, its Cybersecurity Framework (CSF) was passed into law in 2014. Based on existing practices and guidelines, NIST CSF was designed to reduce cybersecurity risks to critical infrastructure. Five Functions form the Framework's core: Identify, Protect, Detect, Respond, and Recover.

The Protect Function, which outlines safeguards to “ensure the delivery of critical infrastructure services,” is designed to contain and reduce the impact of potential threats. It is further broken down into categories; the Protective Technology category is defined as “technical security solutions are managed to ensure the security and resilience of systems and assets, consistent with related policies, procedures, and agreements.”

In Building a HIPAA-Compliant Cybersecurity Protocol, Eric Thompson outlines the internal control measures required to meet the recommendations described in NIST CSF. For the Protective Technology subcategory PR.PT-1, the Framework instructs that “audit/log records are determined, documented, implemented, and reviewed in accordance with policy.” To meet this, Thompson recommends that an organization capture events and data in logs and establish specific policies that determine what information is recorded, so that logging meets its established cybersecurity protocols.

NIST CSF PR.PT-1: Audit/log records are determined, documented, implemented and reviewed in accordance with policy.

This can be met in part with regular access reviews, during which an organization reviews who within the organization has access to specific information. Performed to ensure that sensitive data is protected against unauthorized access, access reviews are a key preventative measure. When an access review is completed, the results and the actions taken to remedy any issues that arise should be logged so that the information can be consulted later if necessary. With that information logged, an organization can readily see who had access to information, when they were allowed access, and for how long their access was permitted. This is key to protecting sensitive information, since it may be crucial when responding to a cyber attack.

Organizations should create policies that require the resulting data from an access review to be logged; otherwise it could be inadvertently lost. Access reviews enable organizations to paint a clear picture of how and by whom their data is being used, which is valuable information about its safety. Without access reviews, organizations cannot understand what they have allowed their members to access.
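As an added example (not code from the page or from YouAttest), the following Python records each access-review outcome as a structured audit log entry carrying the fields described above (who has access, since when, for how long, and the documented review decision) and then checks the log against a review policy, which is the “reviewed in accordance with policy” part of PR.PT-1. The 90-day review interval, the field names and the sample accounts and resources are assumptions constructed for illustration.

```python
import json
from datetime import date, timedelta

REVIEW_INTERVAL = timedelta(days=90)  # assumed policy: each entitlement reviewed at least every 90 days

def audit_log_entries(entitlements, decisions, today):
    """One log record per entitlement: who has access, since when, for how long, and the
    latest documented review decision (None if never reviewed).
    entitlements: (user, resource, granted_date); decisions: (reviewer, user, resource, decision, date)."""
    latest = {}
    for reviewer, user, resource, decision, decided in decisions:
        if (user, resource) not in latest or decided > latest[(user, resource)][2]:
            latest[(user, resource)] = (reviewer, decision, decided)
    entries = []
    for user, resource, granted in entitlements:
        reviewer, decision, decided = latest.get((user, resource), (None, None, None))
        entries.append({
            "user": user, "resource": resource,
            "granted": granted.isoformat(), "duration_days": (today - granted).days,
            "reviewer": reviewer, "decision": decision,
            "reviewed_on": decided.isoformat() if decided else None,
        })
    return entries

def out_of_policy(entries, today):
    """Entitlements with no review inside REVIEW_INTERVAL, plus access that a review
    said to revoke but that is still granted (the review's remedial action was not carried out)."""
    gaps = []
    for e in entries:
        if e["reviewed_on"] is None or today - date.fromisoformat(e["reviewed_on"]) > REVIEW_INTERVAL:
            gaps.append((e["user"], e["resource"], "no review within policy interval"))
        elif e["decision"] == "revoke":
            gaps.append((e["user"], e["resource"], "revoked in review but still granted"))
    return gaps

# Constructed sample data (not real accounts or systems).
TODAY = date(2024, 6, 30)
ENTITLEMENTS = [("alice", "hr-records", date(2024, 1, 15)),
                ("bob", "hr-records", date(2023, 11, 1)),
                ("carol", "finance-db", date(2024, 5, 20))]
DECISIONS = [("mgr1", "alice", "hr-records", "retain", date(2024, 5, 1)),
             ("mgr1", "bob", "hr-records", "retain", date(2024, 2, 1)),
             ("mgr1", "bob", "hr-records", "revoke", date(2024, 5, 1))]

if __name__ == "__main__":
    entries = audit_log_entries(ENTITLEMENTS, DECISIONS, TODAY)
    for entry in entries:
        print(json.dumps(entry))  # append to the access-review audit log
    print(out_of_policy(entries, TODAY))
```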

With a thorough understanding of the NIST CSF, organizations can employ best-practice measures to protect critical infrastructure from malicious actions. Since the Framework is based on existing practices and protocols, many of its aspects are likely already implemented in an organization's cybersecurity protocols. This reduces the burden placed on organizations: instead of needing to implement an entirely new cybersecurity program, they can modify existing ones to fit the Framework's recommendations.

A quantifiable way to conduct access reviews is to use the YouAttest cloud-based access review system.

YouAttest automates the creation and review of these access reviews. To learn more about YouAttest, please register for our next webinar with QoS Consulting Solutions featuring Stacey Cameron and Shannon Noonan. Or write us @

Garret Grajek, CISSP, CEH
CEO of YouAttest