Top 5 NIST Cyber Security Framework (CSF) Controls Regarding Identity Governance and YouAttest

The NIST CyberSecurity Framework offers solid guidance for how organizations should select and maintain customized security and privacy controls for their information systems. 

A key part of the assessment and authorization (formerly certification and accreditation) process for federal information systems is selecting and implementing a subset of the controls (safeguards) from the Security Control Catalog (NIST 800-53, Appendix F).

Organizations that work with the federal government are also required to comply with NIST 800-53 to maintain the relationship. However, the standard provides a solid framework for any organization to develop, maintain and improve its information security practices, and it is the basis for security at many private institutions and service companies.

Image #1: Identity Governance is a key component of the NIST Cybersecurity Framework (CSF) and the associated control catalog, NIST 800-53 r5.

Identity is key throughout the guidance. It runs through all of the listed functions: Identify (ID), Protect (PR), Detect (DE), Respond (RS) and Recover (RC).

Top 5 Identity Governance Controls for 800-53r5

ID.GV-2

Information security roles & responsibilities are coordinated and aligned with internal roles and external partners

Identity Governance Role:

To meet this control an enterprise must identify all relevant roles associated with information security and then ensure that these roles are reviewed and attested by knowledgeable parties (the managers).

This is exactly what YouAttest user access reviews accomplish.

PR.AC-1  

Identity and Credentials are issued, managed, verified, revoked and audited for authorized devices, users and processes

Identity Governance Role:

There is a lot of Identity and Access Management (IAM) blocking and tackling in this control. But there is also a governance portion that spells out that identities should be reviewed for their roles and privileges.

YouAttest is designed specifically to meet the identity attestation portion of PR.AC-1.

PR.AC-4

Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties.

Identity Governance Role:

A managed identity is an audited identity: governance must be an active part of enterprise identity management to meet this control.

YouAttest allows enterprises to review their roles and permissions to ensure that privileges are limited to the access required to do the role.

PR.AC-6

Employ the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) that are necessary to accomplish assigned organizational tasks.

Identity Governance Role:

Enforcing the Principle of Least Privilege is the key objective of identity governance. It requires not only a mature IAM system but an actual IGA (Identity Governance and Administration) process.

It is nearly impossible for any organization of over 100 users to enforce this principle without a tool that goes through the roles and privileges and then identifies and helps eliminate excess privileges. YouAttest is the easiest tool to use to implement the PR.AC-6 (principle of least privilege) control.
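To show what the review described for PR.AC-4 and PR.AC-6 actually checks, here is a small access review written for this article (not YouAttest code). The role catalog, users, permissions, separation-of-duties policy and attestation record are all constructed; the script flags permissions beyond a user's role entitlement, conflicting permission pairs, and grants no manager has attested.

```python
"""Access review for least privilege (PR.AC-6) and separation of
duties (PR.AC-4). Constructed example; all data below is made up."""

# Constructed role catalog: permissions each role is entitled to.
ROLES = {
    "ap_clerk":   {"invoice:create", "vendor:read"},
    "ap_manager": {"invoice:approve", "vendor:read", "report:read"},
    "dba":        {"db:read", "db:write", "db:backup"},
}

# Constructed SoD policy: permission pairs one identity may not hold together.
SOD_CONFLICTS = {frozenset({"invoice:create", "invoice:approve"})}

# Constructed user inventory: roles granted, and permissions actually
# present on the account (including direct grants outside any role).
USERS = {
    "alice": {"roles": {"ap_clerk"},
              "perms": {"invoice:create", "vendor:read"}},
    "bob":   {"roles": {"ap_clerk"},
              "perms": {"invoice:create", "invoice:approve", "vendor:read"}},
    "carol": {"roles": {"dba"},
              "perms": {"db:read", "db:write", "db:backup", "report:read"}},
}

# Constructed attestation record: (user, permission) pairs a manager
# has reviewed and approved in the current review cycle.
ATTESTED = {("alice", "invoice:create"), ("alice", "vendor:read"),
            ("bob", "invoice:create"), ("bob", "vendor:read")}


def entitled_perms(roles):
    """Union of the permissions the user's roles entitle them to."""
    return set().union(*(ROLES.get(r, set()) for r in roles))


def review_access(users=USERS, attested=ATTESTED):
    """Per-user findings: excess perms, SoD conflicts, unattested grants.
    Users with no findings are omitted, so an empty dict means clean."""
    findings = {}
    for name, u in users.items():
        perms = u["perms"]
        excess = perms - entitled_perms(u["roles"])
        sod = [sorted(pair) for pair in SOD_CONFLICTS if pair <= perms]
        unattested = {p for p in perms if (name, p) not in attested}
        if excess or sod or unattested:
            findings[name] = {"excess": sorted(excess), "sod": sorted(sod),
                              "unattested": sorted(unattested)}
    return findings


if __name__ == "__main__":
    for user, finding in review_access().items():
        print(user, finding)
```

In the constructed data, bob holds invoice:approve outside his clerk role and together with invoice:create (an SoD conflict), and none of carol's grants have been attested this cycle; those are exactly the items a reviewer would be asked to remove or attest.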

PR.PT-3

The principle of least functionality is incorporated by configuring systems to provide only essential capabilities.

Identity Governance Role:

Systems, devices and resources do NOT exist in a void. Users and processes need access to these systems to carry out their functions, especially where PII (Personally Identifiable Information) and PHI (Protected Health Information) are concerned.

YouAttest is an automated tool to ensure the users allowed access to these systems are attested to and documented. 

Honorable Mentions

ID.AM-6

Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g., suppliers, customers, partners) are established.

Identity Governance Role:

Identity governance does NOT stop at the enterprise (identity) boundaries. Users and roles must be reviewed for partners, contractors and customers to ensure that the relevant access privileges are not exceeded.

YouAttest enables an enterprise to review both internal and external data sources for user privileges. 

ID.GV-4

Governance and risk management processes address cybersecurity risks.

Identity Governance Role:

This control specifies that governance, and thus identity governance, needs to be part of the cybersecurity plan to address risk. Especially with the burgeoning of cloud (SaaS, PaaS and IDaaS) services, identity becomes the key control for their resources.

YouAttest offers a full suite of identity attestation functionality for attesting and documenting the roles/privileges of users throughout the enterprise.

PR.AC-3

Remote access is managed. 

Identity Governance Role:

Remote access is one more component that is defined not only by the tools but by the groups and roles of users allowed the privilege. These roles must be reviewed in a well-governed enterprise.

YouAttest enables an enterprise to review remote access privileges, a key target for attackers.

PR.AT-2

Privileged users understand roles & responsibilities.

Identity Governance Role:

Privileged users are the most important aspect of identity governance. A large part of an enterprise's security posture is based on its policies, practices and governance of the privileged identities and identity groups.

YouAttest is utilized by all its customers for reviewing the privileged users. The offering allows automated and auto-scheduled review of these identities.

PR.DS-1

Data-at-rest is protected.

Identity Governance Role:

Data-at-rest protection and Data Loss Prevention are often the most important PURPOSE of an identity governance program. It is vital that roles/privileges are frequently audited and monitored to ensure the principle of least privilege (PR.AC-6) is applied to access to this data.

YouAttest ensures that access to the resources (the enforcement points) that control access to the data is limited to legitimate, attested users.

PR.IP-5

Policy and regulations regarding the physical operating environment for organizational assets are met.

Identity Governance Role:

Physical access is a key part of any security policy. Like data, web and remote access, it is best organized by standard identity management principles of defined group roles/privileges. These groups must be audited to meet security and compliance objectives.

YouAttest enables an enterprise to review group privileges with an automated and easy-to-use GUI-based platform.

DE.DP-1

Roles and responsibilities for detection are well-defined to ensure accountability.

Identity Governance Role:

Threat detection and response are crucial roles in a secure IT enterprise. These roles must be defined and audited to ensure the right personnel have access to the tools and data to identify and then respond to threats. This is the role of identity governance.

YouAttest enables an enterprise to review the identity and threat group privileges with an automated and easy-to-use GUI-based platform.

RS.CO-1

Personnel know their roles and order of operations when a response is needed.

Identity Governance Role:

IAM enables and enforces who has access to the threat detection tools, data and response mechanisms. IGA ensures that the right people have access to these tools and that the proper approvals were in place, so that only the proper people have access to important corporate resources.

YouAttest enables an enterprise to review the access privileges to these tools and data.

Summary

YouAttest is an automated user access review tool that helps organizations analyze and monitor user access policies. It allows businesses to quickly identify any potential security threats or anomalies and verify user identities and credentials. With YouAttest, companies can trust that they are always in compliance with security regulations and standards, including NIST SP 800-53 PR.AC-1, and that access to data is restricted to attested, authorized users.

Contact us today to learn more about how YouAttest can help improve your user access reviews for compliance and better identity security.
