2. Classify and Categorize the University’s Systems
Next, classify and categorize the systems and data that your organization uses. This may be a broad analysis of all IT and data assets, or in the case of zero-trust architectures, it might be more narrowly focused on your institution’s “protect surface” of critical assets. In either case, the focus of this effort is to assign each system a classification (usually based on data sensitivity) and to categorize systems based on like attributes so you can assign common controls.
3. Conduct Comprehensive Threat Modeling
Threat modeling requires an organization to consider risks to data and IT assets in the context of its overall business and regulatory environment. In this phase, it helps to establish a repeatable process for assessing risk and identifying the highest-priority systems to review.
A repeatable risk assessment process such as the NIST Risk Management Framework, coupled with appropriate system classification and categorization, will help your institution identify and assign security controls consistently over time.
4. Select and Implement Security Controls
With your systems classified and risks assessed, you should have a good sense of your highest priorities for control selection. Security controls are safeguards that ensure that a particular security policy is enforced, or that violations are reported. Security controls may be technical, administrative or physical in nature and are often grouped into families. NIST Special Publication 800-53 identifies 18 discrete control families ranging from physical access to system and information integrity.
To successfully implement security controls, IT teams must translate those controls into technical configuration, administrative processes or physical controls. Thankfully, several resources can help with this. The U.S. Department of Defense publishes Security Technical Implementation Guides that provide step-by-step instructions for implementing control families on various platforms. Additionally, the Center for Internet Security offers baseline configurations for many systems. These benchmarks can be used both to configure a system initially and to monitor it over time for compliance with a given set of controls.
In this phase, it’s important to consider not just the controls but also the metrics needed to accurately assess the security architecture’s effectiveness. Measuring baseline compliance, patching cadence or vulnerability scan results over time can help you understand where your architecture is working effectively and where it needs attention.
5. Monitor, Adapt and Continually Improve the Controls
Finally, an organization must monitor and evaluate the effectiveness of its security controls over time. NIST Special Publication 800-137 offers guidance that integrates security monitoring into the Risk Management Framework and provides technical, business and executive insight into security posture. It describes a family of information security continuous monitoring tools and their key requirements.
Integration is key, both with help desk and inventory systems and with security information and event management (SIEM) and log aggregation tools. Tools that support the Security Content Automation Protocol (SCAP) can continually monitor SCAP-capable endpoints and alert if they deviate from an established baseline.
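As an added illustration of the metrics and baseline-deviation monitoring described in the last two steps (example code, not from the article or from any of the tools it names), the small Python check below scores constructed endpoint scans against a per-classification baseline, computes a baseline-compliance percentage, flags hosts that have exceeded their patching cadence, and alerts only on new drift between two scans. The baselines, item labels, patching targets and scan data are all constructed for the example; the item labels are not real CIS or STIG identifiers.

```python
from dataclasses import dataclass
from datetime import date

# Constructed per-category baselines. Item labels stand in for benchmark
# checks and are hypothetical, not real CIS or STIG identifiers.
BASELINES = {
    "confidential": {"ssh.password_auth": "no", "audit.enabled": "yes",
                     "tls.min_version": "1.2", "auto_patch": "yes"},
    "public": {"tls.min_version": "1.2", "auto_patch": "yes"},
}
# Constructed patching-cadence targets (days) per classification.
PATCH_SLA_DAYS = {"confidential": 14, "public": 30}

@dataclass
class Snapshot:
    """One endpoint's observed settings, as a SCAP-style scan might report."""
    host: str
    category: str          # classification assigned in step 2
    settings: dict         # observed item -> value
    last_patched: str      # ISO date of the last patch run

def deviations(snap):
    """Baseline items the snapshot violates, as (item, expected, observed)."""
    return [(k, v, snap.settings.get(k, "<unset>"))
            for k, v in BASELINES[snap.category].items()
            if snap.settings.get(k) != v]

def compliance_pct(snap):
    """Baseline-compliance metric: share of baseline items satisfied (0-100)."""
    total = len(BASELINES[snap.category])
    return round(100 * (total - len(deviations(snap))) / total, 1)

def patch_overdue(snap, today):
    """True if the host has exceeded the patching cadence for its category."""
    age = date.fromisoformat(today) - date.fromisoformat(snap.last_patched)
    return age.days > PATCH_SLA_DAYS[snap.category]

def drift_alerts(previous, current):
    """Items that were compliant in the previous scan but deviate now."""
    known = {item for item, _, _ in deviations(previous)}
    return [d for d in deviations(current) if d[0] not in known]

if __name__ == "__main__":   # constructed scans of one host, three weeks apart
    ok = {"ssh.password_auth": "no", "audit.enabled": "yes",
          "tls.min_version": "1.2", "auto_patch": "yes"}
    prev = Snapshot("db1", "confidential", ok, "2024-05-20")
    curr = Snapshot("db1", "confidential", {**ok, "ssh.password_auth": "yes"}, "2024-05-20")
    print(compliance_pct(curr), patch_overdue(curr, "2024-06-10"), drift_alerts(prev, curr))
```

Feeding the returned metrics to a SIEM or ticketing system over successive runs gives the trend view the article describes, and the drift check keeps already-known findings from being re-alerted on every scan.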