NIST Cybersecurity Framework: Protect Security Controls
Use safeguards to prevent or reduce cybersecurity risks.
Identity Management, Authentication, and Access Control
Identities and credentials are managed for authorized users and devices
Every account that can access your systems is a potential entry point. Managing identities centrally...
Identities are proofed and bound to credentials based on the context of interactions
A username and password alone is not sufficient authentication for business systems. Multi-factor au...
Users, services, and hardware are authenticated
Authentication is not just for human users. Service accounts, APIs, and physical devices also need v...
Identity assertions are protected, conveyed, and verified
When a user authenticates once and that identity is passed to other systems (federation, SSO, OAuth ...
Access permissions are defined in policy, enforced, and reviewed using least privilege and separation of duties
Over-permissioned accounts are a root cause of breaches going far beyond the initial point of entry....
Physical access to assets is managed, monitored, and enforced commensurate with risk
Digital security controls mean little if an attacker can walk into your office or data center and pl...
Awareness and Training
Personnel are provided with security awareness training to perform their work with cybersecurity risks in mind
Most breaches start with a human action: clicking a phishing link, using a weak password, or mishand...
Individuals in specialized roles receive role-specific cybersecurity training
General security awareness training is not enough for people with elevated access or technical respo...
Data Security
The confidentiality, integrity, and availability of data-at-rest are protected
Data at rest is data stored on disks, in databases, in backups, and in object storage. Without encry...
The confidentiality, integrity, and availability of data-in-transit are protected
Data moving between a browser and your server, between microservices, or between your systems and th...
Data are destroyed according to policy when no longer needed
Data you no longer need is still a liability. Every old customer record, decommissioned backup, or a...
Backups of data are created, protected, maintained, and tested
Backups are the last line of defense against ransomware, accidental deletion, and data corruption. A...
Technology Infrastructure Resilience
Networks and environments are protected from unauthorized logical access
Network segmentation and access controls are the barriers that prevent a compromised endpoint from b...
Technology assets are protected from environmental threats
Physical and environmental threats, including power failures, temperature extremes, fire, flooding, ...
Mechanisms are implemented to achieve resilience requirements in normal and adverse situations
Resilience is the ability to absorb disruption and keep running, or recover quickly when you cannot....
Adequate resource capacity to ensure availability is maintained
Systems that run near capacity are fragile: a traffic spike, a DDoS attack, or an infrastructure eve...
Platform Security
The hardware and firmware of platforms are managed
Hardware and firmware vulnerabilities are some of the hardest to detect and remediate because they s...
The software of platforms is managed, including operating systems and applications
Unpatched software is the most consistently exploited attack vector in breaches. Most successful att...
Data are destroyed according to policy when platforms or storage media are decommissioned
A decommissioned server still contains all the data it held while in service unless the storage medi...
Log records are generated and made available for continuous monitoring
Logs are how you know what happened. Without comprehensive logging, incident investigation is guessw...
Installation and execution of unauthorized software are prevented
Unauthorized software introduced by employees or attackers is a primary vector for malware, data exf...
Secure software development practices are integrated and their security is evaluated
Vulnerabilities introduced during development cost far more to fix in production than they would hav...