Youattest Logo

Meeting NIST CSF ID.GV-4 Recommendations via Access Reviews and Internal Controls

With the National Institute of Standards and Technology’s Cybersecurity Framework (NIST CFS V1.1) passed in 2014, came a voluntary outline for the establishment of practices to reduce cybersecurity risks to critical infrastructure.

ID.GV-4: Governance and risk management processes address cybersecurity risks

 Based on existing best practices, the Framework was designed with five Functions in mind: identify, protect, detect, respond, and recover. Covering the entire spectrum of cybersecurity goals that an organization should follow, it is structured so that organizations can create a cybersecurity program with the highest levels of risk management for their needs.

Split into six categories, the Identify Function is designed to establish an organization’s understanding of cybersecurity risk management and how to focus their efforts on developing a program that is best suited to their needs. The Governance category specifically covers “the

policies, procedures, and processes to manage and monitor the organization’s regulatory, legal, risk, environmental, and operational requirements are understood and inform the management of cybersecurity risk,” as outlined in the Framework.

One aspect of Governance, NIST CSF ID.GV-4 is outlined as “governance and risk management processes [to] address cybersecurity risks.” With much of the Framework based on standards already in practice, much of the Framework maps with existing publications, such as the FFIEC’s Cybersecurity Assessment Tool.

While the Federal Financial Institutions Examination Council (FFIEC) was established to detail the principles to be followed by financial institutions, their recommendations on cybersecurity can be followed by organizations in other industries as well. As part of their assessment tool mapping with the Framework, the FFIEC recommends that “designated members of management are held accountable by the board or an appropriate board committee for implementing and managing the information security and business continuity programs.” The appointed management of an organization is then responsible for issuing a report on the state of these programs, at least annually, to the board for review. Organizations should also implement cybersecurity strategies with their information security practices.

These internal controls are factored into the identity governance strategies of an organization. As a component of information security management, organizations should regularly conduct access reviews to ensure their information and sensitive data remains safe from attacks. During an access review, designated individuals review authorizations given to their system’s users, enabling them to access sensitive information. Through the review process, it should be confirmed that only individuals who require access to the information are granted access, revoking it from those who do not need it. This periodic review allows organizations to confirm that they are remaining compliant with federal regulations and that their information remains secure.

While the NIST CSF is voluntary, organizations that follow the guidelines can establish a comprehensive and complete cybersecurity program. With risks properly managed and protected against, organizations can feel secure that their data is safe from unauthorized access and breaches. It also ensures that organizations follow the best-established practices so that they avoid gaps in their cybersecurity management programs that hackers and criminals can exploit.

A quantified way to conduct access reviews is to utilize YouAttest cloud-based access review system.

YouAttest automates the creation and review of these access reviews.  To learn more about YouAttest, please  register for our next webinar with QoS Consulting Solutions featuring Stacey Cameron and Shannon Noonan.   Or write us @

Garret Grajek, CISSP, CEH
CEO of YouAttest