In cybersecurity, due care means taking reasonable steps to secure and protect your company’s assets (including identities), reputation, and finances.
And importantly, legally “Due Care” is the standard of effort a reasonable person would exercise in the same situation or under similar circumstances. This standard of care is used in a tort action to determine whether a person/enterprise is negligent.
Due Care and the Guidelines and Regulations
As stated, due care refers to the care, attention, and precautions that a reasonable person or organization should take to prevent harm or loss to themselves or others.
But how does the cybersecurity community determine what is reasonable? And how does the legal system determine what is “due care”?
Enter the guidelines – especially the ones created by NIST, the National Institute of Standards and Technology.
NIST develops cybersecurity standards, guidelines, best practices, and other resources to meet the needs of U.S. industry, federal agencies and the broader public. Their activities range from producing specific information that organizations can put into practice immediately to longer-term research that anticipates advances in technologies and future challenges.
For due care, the guidance that NIST creates is used to help decide what is “reasonable”.
Often cited standards to determine best practices in cybersecurity include:
NIST SP 800-53 – an information security standard that provides a catalog of security and privacy controls for all U.S. federal information systems.
NIST CyberSecurity Framework (CSF) – designed to help businesses of all sizes better understand, manage, and reduce their cybersecurity risk and protect their networks and data.
NIST SP 800-171 – a codification of the requirements that any non-Federal computer system must follow in order to store, process, or transmit Controlled Unclassified Information (CUI) or provide security protection for such systems. 800-171 is the basis for the certification model for the CMMC.
Identity Attestation and the NIST Guidelines
The stated guidelines have recommendations on a full range of cyber practices.
Identity and identity assurance are crucial to all the guidelines. The NIST CyberSecurity Framework (CSF) has been created as a “reasonable” baseline of conduct for any enterprise, whether conducting business with the US government or not, to ensure the security and integrity of its IT resources.
It is considered, by many, to be the “go to” standard as a cyber baseline of reasonable and safe conduct.
NIST CSF 1.1
CSF 1.1, the current CSF Framework (updated April 2018), calls for identity attestation and identity governance.
PR.AC – Identity Management, Authentication and Access Control
- Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes
- Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties
- Identities are proofed and bound to credentials and asserted in interactions
The guidance calls out the need for enterprises to conduct identity audits on their assets, especially around secured data (PHI, PII, CUI). It also extols the value of implementing the principle of least privilege – which requires the review of entitlements by both technical and business owners to ensure that privileges are kept to a minimum.
NIST CSF 2.0
NIST has been working with the extended cyber community on updating the CSF – the result has been NIST CSF 2.0.
NIST CSF 2.0 is intended to increase clarity, ensure a consistent level of abstraction, address changes in technologies and risks, and improve alignment with national and international cybersecurity standards and practices.
Among other things, NIST CSF 2.0 calls for governance of identities in the following sections. (It is important to note that NIST CSF 2.0 has added a whole Govern function.)
GV.RR: Roles and Responsibilities
- Cybersecurity roles and responsibilities are coordinated and aligned with all internal and external stakeholders to enable accountability, performance assessment, and continuous improvement (formerly ID.GV-2)
- Roles and responsibilities related to cybersecurity risk management are established and communicated (formerly ID.GV-2, ID.AM-6, and DE.DP-1)
PR.AA: Identity Management, Authentication, and Access Control
- Access to physical and logical assets is limited to authorized users, processes, and devices, and is managed commensurate with the assessed risk of unauthorized access (formerly PR.AC)
- Identities and credentials for authorized users, processes, and devices are managed by the organization (formerly PR.AC-1)
- Identities are proofed and bound to credentials based on the context of interactions (formerly PR.AC-6)
- Access permissions, entitlements, and authorizations are managed and enforced, incorporating the principles of least privilege and separation of duties (formerly PR.AC-3 and PR.AC-4)
- Account activities and access events are audited and monitored to enforce authorized access (formerly PR.AC-1 and PR.AC-3)
YouAttest Executes on These Controls with Automated User Reviews:
The CSF categories and subcategories call for enterprises not only to have a policy and practice for granting entitlements – but also a process and practice to REVIEW the granted entitlements. This is where YouAttest comes in.
The functionality required is:
- A user access review (UAR) is a process that involves regularly reviewing access rights and entitlements for a company’s users. The goal is to limit the number of users, be they employees, contractors and/or partners, who can access sensitive data (PII, PHI, CHI) to reduce data theft and other data misuse.
YouAttest has created an entire platform around the concept of UARs and enforcing the principle of least privilege by allowing business and resource owners to identify and eliminate:
- Over-privileged accounts
- Ghost accounts
- Orphan accounts
And though cloud-based and trivial to deploy and start using – the solution is able to enact entitlement validation on both cloud and on-premise resources.
And YouAttest creates the “evidence” of the audit – that proves to all that the enterprise has, in fact, conducted regular “Due Care” to get the enterprise identities secure and compliant.
YouAttest disseminates attestation campaigns for certifying, revoking, or delegating the review of the enterprise entitlements and then creates the “evidence” (a report) needed to document “Due Care”. Designed from scratch by interviewing both IT Security and external auditors – YouAttest has quantified the process and eliminates all of the painful assembling of resources, users, managers and the manual process of the user access review.
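To make the user access review concrete, here is an added worked example (not YouAttest's code, nor any real IAM export) that implements the three checks listed above – over-privileged, ghost and orphan accounts – over a constructed HR roster and a constructed IAM entitlement export, then routes each finding to a reviewer for a certify/revoke/delegate decision and produces a small evidence record of the kind an auditor would ask for. The role baseline, the 90-day dormancy threshold, the reviewer routing (manager for joiners, a "security" queue for orphans) and all account data are assumptions made for the illustration.

```python
"""Toy user access review (UAR): detect risky accounts, run a review campaign,
and emit an evidence record. All data below is constructed for the example."""
from dataclasses import dataclass
from datetime import date, timedelta

REVIEW_DATE = date(2024, 3, 31)   # constructed review date
DORMANT_DAYS = 90                 # assumption: no login for 90 days -> ghost candidate

# Assumed role baseline: entitlements each job role is expected to hold.
ROLE_BASELINE = {
    "analyst": {"crm_read", "reports_read"},
    "engineer": {"repo_write", "ci_read"},
    "finance": {"erp_read", "erp_post"},
}

# Constructed HR roster: user -> (role, manager, still employed?)
HR_ROSTER = {
    "alice": ("analyst", "dana", True),
    "bob": ("engineer", "dana", True),
    "carol": ("finance", "evan", False),   # terminated, account never disabled
    "dana": ("engineer", "frank", True),
    "evan": ("finance", "frank", True),
}

# Constructed IAM entitlement export: enabled accounts, group memberships, last login.
IAM_EXPORT = [
    {"user": "alice", "groups": ["crm_read", "reports_read"], "last_login": "2024-03-29"},
    {"user": "bob", "groups": ["repo_write", "ci_read", "erp_post"], "last_login": "2024-03-30"},
    {"user": "carol", "groups": ["erp_read", "erp_post"], "last_login": "2024-02-20"},
    {"user": "svc_backup", "groups": ["repo_write"], "last_login": "2023-11-01"},
    {"user": "dana", "groups": ["repo_write", "ci_read"], "last_login": "2023-12-01"},
]

VALID_DECISIONS = {"certify", "revoke", "delegate"}


@dataclass
class Finding:
    user: str
    kind: str       # "orphan", "ghost" or "over_privileged"
    detail: str
    reviewer: str   # business owner who must certify, revoke or delegate


def review_accounts(iam_export, hr_roster, role_baseline, review_date, dormant_days=DORMANT_DAYS):
    """Compare the IAM export against HR and the role baseline; return findings."""
    cutoff = review_date - timedelta(days=dormant_days)
    findings = []
    for acct in iam_export:
        user, groups = acct["user"], set(acct["groups"])
        last_login = date.fromisoformat(acct["last_login"])
        if user not in hr_roster:
            # Orphan: nobody in HR owns this account, so it goes to the security queue.
            findings.append(Finding(user, "orphan", "no HR owner for this account", "security"))
            continue
        role, manager, active = hr_roster[user]
        if not active:
            # Ghost: the person has left but the account is still enabled.
            findings.append(Finding(user, "ghost", "HR record inactive, account still enabled", manager))
        elif last_login < cutoff:
            # Ghost: account unused beyond the dormancy threshold.
            findings.append(Finding(user, "ghost", f"no login since {last_login.isoformat()}", manager))
        excess = groups - role_baseline.get(role, set())
        if excess:
            # Over-privileged: entitlements beyond what the role baseline grants.
            findings.append(Finding(user, "over_privileged",
                                    "beyond role baseline: " + ", ".join(sorted(excess)), manager))
    return findings


def build_campaign(findings):
    """Group findings by reviewer; every item is 'pending' until a decision is recorded."""
    campaign = {}
    for f in findings:
        campaign.setdefault(f.reviewer, []).append(
            {"user": f.user, "kind": f.kind, "detail": f.detail, "decision": "pending"})
    return campaign


def record_decision(campaign, reviewer, user, kind, decision, decided_on):
    """Record a reviewer's decision on one finding, with who decided and when."""
    if decision not in VALID_DECISIONS:
        raise ValueError(f"decision must be one of {sorted(VALID_DECISIONS)}")
    for item in campaign.get(reviewer, []):
        if item["user"] == user and item["kind"] == kind:
            item.update(decision=decision, decided_by=reviewer, decided_on=decided_on.isoformat())
            return item
    raise KeyError(f"no pending item for {user}/{kind} assigned to {reviewer}")


def evidence_report(campaign, review_date):
    """Summarise the campaign as the evidence record an auditor would expect."""
    items = [i for queue in campaign.values() for i in queue]
    return {
        "review_date": review_date.isoformat(),
        "total_findings": len(items),
        "pending": sum(1 for i in items if i["decision"] == "pending"),
        "revoked": sorted(i["user"] for i in items if i["decision"] == "revoke"),
        "complete": all(i["decision"] != "pending" for i in items),
        "items": items,
    }


if __name__ == "__main__":
    found = review_accounts(IAM_EXPORT, HR_ROSTER, ROLE_BASELINE, REVIEW_DATE)
    camp = build_campaign(found)
    record_decision(camp, "dana", "bob", "over_privileged", "revoke", REVIEW_DATE)
    record_decision(camp, "evan", "carol", "ghost", "revoke", REVIEW_DATE)
    record_decision(camp, "security", "svc_backup", "orphan", "delegate", REVIEW_DATE)
    record_decision(camp, "frank", "dana", "ghost", "certify", REVIEW_DATE)
    print(evidence_report(camp, REVIEW_DATE))
```

Run against the constructed data, the review flags bob as over-privileged (erp_post is outside the engineer baseline), carol and dana as ghosts (terminated but enabled, and dormant past 90 days respectively) and svc_backup as an orphan; the evidence record only reports `complete` once every reviewer has decided, which is the property an auditor checks when asking whether the review was actually finished.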
YouAttest uniquely connects directly to the enterprise IAM (Azure AD, Okta, JumpCloud, Ping) and uses the IAM SSO for reviewing entitlements to BOTH IAM resources and siloed (non-IAM connected) resources.
YouAttest is the only cloud-based IGA platform that deploys in minutes via application SSO into your existing IAM platforms. Contact us to learn how YouAttest can automate your access review process and help your enterprise enact “Due Care” on your identities.