Cybersecurity standards and best practices addressing interoperability, usability, and privacy remain critical in this country (NIST, 2021). After further study and analysis, the NIST Cybersecurity Framework and the Security and Privacy Controls catalog (NIST SP 800-53) were chosen as the sources of solutions. The NIST Cybersecurity Framework helps companies of all sizes understand, manage, and mitigate cybersecurity risks (FTC). The gap analysis can draw on NIST SP 800-53 to address, in practical terms, each problem the M&A team identified.
Company officers and managers could perform illicit actions using business IT assets without being detected.
What it is: Continuous Monitoring (Automated Control).
- What it does: A continuous monitoring program gives the organization ongoing awareness of internal and external vulnerabilities. It supports the management of security authorizations and controls across the organization's various information systems in complex environments.
- How the control performs its objective: The control combines automation with human review to examine alerts and anomalies within the information system. It helps defend the organization against a range of threats.
DE.CM-3: Staff activity is monitored to detect possible cybersecurity events. (NIST SP 800-53 Rev. 4 AC-2, AU-12, AU-13, CA-7, CM-10, CM-11).
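The following is an added example, not code from NIST SP 800-53 or from the company in the case study. It shows how the DE.CM-3 control above might be automated in a small rule set over personnel audit events: privileged activity outside working hours, changes to audit policy, account creation, and bulk file copying are turned into alerts for an analyst to review. The event format, field names, the business-hours window and the copy threshold are all assumptions, and the sample events are constructed.

```python
"""Constructed example of continuous-monitoring rules over personnel audit events.

Added to illustrate the DE.CM-3 control discussed above; this is not code from
NIST SP 800-53 or from the company in the case study. The event format, field
names, rule thresholds and business-hours window are all assumptions.
"""
from collections import defaultdict
from datetime import datetime, time

# Constructed sample: normalised audit events as a SIEM might collect them from
# workstation and server logs (AU-12). Not real data.
SAMPLE_EVENTS = [
    {"ts": "2021-03-02T09:15:00", "user": "jdoe", "privileged": False,
     "action": "file_read", "target": "/finance/q1.xlsx"},
    {"ts": "2021-03-02T23:41:00", "user": "admin_ops", "privileged": True,
     "action": "account_create", "target": "svc_backup2"},
    {"ts": "2021-03-02T23:43:00", "user": "admin_ops", "privileged": True,
     "action": "audit_policy_change", "target": "disable_logging"},
    {"ts": "2021-03-03T10:05:00", "user": "admin_ops", "privileged": True,
     "action": "file_copy", "target": "/hr/payroll.db"},
    {"ts": "2021-03-03T10:06:00", "user": "admin_ops", "privileged": True,
     "action": "file_copy", "target": "/hr/contracts.zip"},
    {"ts": "2021-03-03T10:07:00", "user": "admin_ops", "privileged": True,
     "action": "file_copy", "target": "/finance/ledger.csv"},
    {"ts": "2021-03-03T14:00:00", "user": "jdoe", "privileged": False,
     "action": "file_copy", "target": "/tmp/notes.txt"},
]

BUSINESS_HOURS = (time(7, 0), time(19, 0))  # assumed local working window
BULK_COPY_THRESHOLD = 3                      # assumed per-user copy count that warrants review


def parse_ts(value):
    """Parse the ISO-8601 timestamp used in the constructed events."""
    return datetime.fromisoformat(value)


def outside_business_hours(ts):
    """True when the event time falls outside the assumed working window."""
    start, end = BUSINESS_HOURS
    return not (start <= ts.time() < end)


def evaluate(events, threshold=BULK_COPY_THRESHOLD):
    """Apply the monitoring rules in time order and return a list of alerts.

    Each alert names the rule, the user and the timestamp so an analyst can
    review it (CA-7: automation plus human involvement).
    """
    alerts = []
    copies_per_user = defaultdict(int)

    def raise_alert(ev, rule, detail):
        alerts.append({"rule": rule, "user": ev["user"], "ts": ev["ts"], "detail": detail})

    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = parse_ts(ev["ts"])
        # Rule 1: privileged activity outside business hours (AC-2 account review)
        if ev["privileged"] and outside_business_hours(ts):
            raise_alert(ev, "after_hours_privileged", f'{ev["action"]} on {ev["target"]}')
        # Rule 2: any change to audit policy is reviewed (AU-12)
        if ev["action"] == "audit_policy_change":
            raise_alert(ev, "audit_tampering", ev["target"])
        # Rule 3: account creation always goes to an approver (AC-2)
        if ev["action"] == "account_create":
            raise_alert(ev, "account_created", ev["target"])
        # Rule 4: bulk copying by one user; fires once when the threshold is reached
        # (the count is cumulative over the batch, not a sliding window)
        if ev["action"] == "file_copy":
            copies_per_user[ev["user"]] += 1
            if copies_per_user[ev["user"]] == threshold:
                raise_alert(ev, "bulk_copy", f"{threshold} copies by {ev['user']}")
    return alerts


def summarize(alerts):
    """Count alerts per rule, e.g. for a daily monitoring report."""
    counts = defaultdict(int)
    for a in alerts:
        counts[a["rule"]] += 1
    return dict(counts)


if __name__ == "__main__":
    found = evaluate(SAMPLE_EVENTS)
    for a in found:
        print(f'{a["ts"]} {a["rule"]:24} {a["user"]:10} {a["detail"]}')
    print(summarize(found))
```

Run against the constructed sample, only the administrative account trips any rule: two after-hours privileged actions, one audit-policy change, one account creation and one bulk-copy alert, while the regular user's daytime activity produces nothing. In a real deployment the rules would run over a streaming feed and the thresholds would be tuned per environment.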
The corporation had no business continuity/recovery plan in place. After losing its servers and workstations, it could not continue operations.
What it is: Incident Response Plan (Manual Control).
- What it does: This control provides a roadmap for responding to incidents that cannot be avoided. It requires a high-level, company-wide approach to sustaining capabilities.
- How the control performs its objective: The plan defines how every employee takes part when an incident occurs. It is designed strategically so that the company carries out recovery activities more efficiently.
RC.RP-1: A recovery plan is executed during or after a cybersecurity event. (NIST SP 800-53 Rev. 4 CP-10, IR-4, IR-8).
Storage media for workstations and servers were not backed up at a remote location, so when law enforcement confiscated the storage media as evidence, the firm could not recover.
What it is: Alternate Storage Site (Manual Control).
- What it does: Copies of organizational information are kept at a storage location in a geographic area separate from the primary storage site. Alternate sites are generally designed so that critical business activities can continue.
- How the control performs its objective: The organization maintains backups and duplicates of its information at a remote site. The company's and stakeholders' policies and processes determine how often the information is backed up.
PR.IP-4: Backups of information are conducted, maintained, and tested. (NIST SP 800-53 Rev. 4 CP-4, CP-6, CP-9).
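The following is an added example, not code from NIST or from the company in the case study. It illustrates the "maintained and tested" half of PR.IP-4 together with the alternate storage site control: data is copied to a second location with a manifest of SHA-256 digests, and a restore test recomputes every digest at the alternate site, reports missing or corrupted files, and flags a backup older than the recovery point objective. The directory layout, manifest format and the 24-hour RPO are assumptions; the files written by `demo()` are constructed.

```python
"""Constructed example: back up to an alternate site and verify the backup.

Added to illustrate PR.IP-4 and the alternate storage site control above; this
is not code from NIST SP 800-53 or from the company in the case study. The
manifest format, directory names and the RPO value are assumptions.
"""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timedelta, timezone

MANIFEST_NAME = "backup_manifest.json"
RPO = timedelta(hours=24)  # assumed recovery point objective from policy


def sha256_file(path):
    """Stream a file through SHA-256 so large media images do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def create_backup(src_dir, site_dir):
    """Copy src_dir to the alternate site and record a digest for every file."""
    manifest = {"created": datetime.now(timezone.utc).isoformat(), "files": {}}
    for root, _dirs, files in os.walk(src_dir):
        for name in files:
            src = os.path.join(root, name)
            rel = os.path.relpath(src, src_dir).replace(os.sep, "/")
            dst = os.path.join(site_dir, rel)
            os.makedirs(os.path.dirname(dst), exist_ok=True)
            shutil.copy2(src, dst)
            manifest["files"][rel] = sha256_file(src)
    with open(os.path.join(site_dir, MANIFEST_NAME), "w") as handle:
        json.dump(manifest, handle, indent=2)
    return manifest


def verify_backup(site_dir, now=None, rpo=RPO):
    """Restore test: recompute every digest at the site and check the backup's age.

    Returns a list of problems; an empty list means the backup is usable.
    """
    with open(os.path.join(site_dir, MANIFEST_NAME)) as handle:
        manifest = json.load(handle)
    problems = []
    for rel, expected in manifest["files"].items():
        path = os.path.join(site_dir, rel)
        if not os.path.exists(path):
            problems.append(f"missing: {rel}")
        elif sha256_file(path) != expected:
            problems.append(f"corrupt: {rel}")
    created = datetime.fromisoformat(manifest["created"])
    now = now or datetime.now(timezone.utc)
    if now - created > rpo:
        problems.append(f"stale: backup older than RPO ({rpo})")
    return problems


def demo():
    """Exercise create + verify on constructed data in temporary directories.

    Returns (clean, stale, damaged): the problem lists for a fresh backup, the
    same backup judged two days later, and the backup after simulated damage.
    """
    with tempfile.TemporaryDirectory() as primary, tempfile.TemporaryDirectory() as alternate:
        os.makedirs(os.path.join(primary, "db"))
        with open(os.path.join(primary, "db", "ledger.db"), "wb") as handle:
            handle.write(b"constructed ledger contents\n")
        with open(os.path.join(primary, "config.ini"), "w") as handle:
            handle.write("[site]\nrole=primary\n")

        manifest = create_backup(primary, alternate)
        clean = verify_backup(alternate)
        later = datetime.fromisoformat(manifest["created"]) + timedelta(days=2)
        stale = verify_backup(alternate, now=later)

        # Simulate media damage at the alternate site: one file altered, one lost.
        with open(os.path.join(alternate, "db", "ledger.db"), "ab") as handle:
            handle.write(b"bit rot\n")
        os.remove(os.path.join(alternate, "config.ini"))
        damaged = verify_backup(alternate)
    return clean, stale, damaged


if __name__ == "__main__":
    for label, result in zip(("clean", "stale", "damaged"), demo()):
        print(f"{label}: {result or 'OK'}")
```

The point of the restore test is that a backup which has never been read back is only assumed to exist; the manifest makes the check repeatable, and scheduling `verify_backup` against the alternate site is what turns "conducted" into "maintained and tested".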
Continuous monitoring allows IT/cybersecurity staff to detect rogue insiders early in the attack phase, including those using administrative accounts rather than regular user accounts. Had it been implemented in the company's information systems, continuous monitoring would have flagged the harmful behavior and allowed the individual to be held accountable. Greater network visibility and transparency reduce both internal and external risk.
The recovery plan would narrow the gap by making employees aware of their responsibilities, so the company recovers from unanticipated events more efficiently. Responding to incidents is a problem for businesses that lack a plan in which everyone knows how to restore business processes and what their own role is. During the recovery phase, the alternate storage site works because the organization has a location that can operate as if it were the primary site. With a physical alternate location, availability rises, and any interruptions become visible to customers. These measures should be put into practice to remedy the problems the M&A team identified. They were based solely on the NIST Cybersecurity Framework and the Security and Privacy Controls catalogue (NIST SP 800-53). All are basic implementations that can be improved through further hardening.
References
FTC. (n.d.). Understanding the NIST Cybersecurity Framework. FTC.
NIST. (2021). Cybersecurity. nist.gov.
NIST. (2018). Framework for Improving Critical Infrastructure Cybersecurity. NIST.
NIST. (n.d.). Security and Privacy Controls for Federal Information Systems and Organizations (NIST SP 800-53). NIST.