NIST CSF Series #11: Protect – Information Protection Processes and Procedures (2)

Protect Function - Policies and Procedures banner

Function:   Protect  (PR)
Category:  Information Protection Processes and Procedures (IP)

“Security policies (that address purpose, scope, roles, responsibilities, management commitment, and coordination among organizational entities), processes, and procedures are maintained and used to manage protection of information systems and assets.”

This Category is large so will be broken into two sections, the first covering subcategories 1-6, the second covering subcategories 7-12.

PR.IP-7: Protection processes are continuously improved.

Organizations assess security controls in organizational information systems and the environments in which those systems operate.  Regular assessments identify weaknesses and deficiencies and provide essential information needed to make risk-based decisions.   Continuous monitoring facilitates ongoing awareness of threats, vulnerabilities, and information security requirements to support risk management decisions.

Process that require updating on a regular basis may include contingency and disaster recovery planning, and incident response planning.   These should reflect ongoing changes to the threat landscape and continuous improvement to security controls.

Regular assessments, whether internal or external plays a role in updating and continuously improving security.

Audit Considerations

Auditors may review policies and procedures related to continuous improvement.  These may be reflected in the “Target Proflie” and include action plans to show areas where the organization plans to improve its information security position.  Reports from ongoing audits, assessments, and vulnerability scanning as well as the management responses may be examined.


PR.IP-8:  Effectiveness of protection technologies is shared with appropriate parties.

Is the effectiveness of information protection tools measured and shared with appropriate individuals both inside and outside the organization?   Are there individuals who are authorized to share this information?

Audit Considerations

Auditors may determine if the organization participates or facilitates information sharing and analysis.   Does it have authorized individuals who can share information with authorized partners?

PR.IP-9:  Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recover) are in place and managed.

It is important that organizations develop and implement a coordinated approach to incident response.  This should include plans to share information with external parties, as necessary and effects on the supply chain.   This also is true with business continuity planning to make sure the organization can continue to provide services via alternative methods should systems be unavailable for any extended period.

Incident response plans should include a definition of personnel roles for handling incidents, standards for the time required to report anomalous events, 3rd part contacts, and testing plans.

Audit Considerations

Auditors will review incident response plans and evaluate how frequently they are updated and approved.

Applicable CIS Critical Controls:

CIS Control 19 –  Incident Response and Management

When an incident occurs, it is too late to develop the right procedures, reporting, data collection, management responsibility, legal protocols, and communications strategy that will allow the enterprise to successfully understand, manage, and recover.  

PR.IP-10:  Response and recover plans are tested.

Methods for testing contingency and incident response plans to determine the effectiveness of the plans and identify potential weaknesses include, for example, walk-through and tabletop exercises, checklists, simulations, and comprehensive exercises.  These should be scheduled and conducted on a periodic basis and especially after major component changes.

Mechanisms to backup system-level information and user-level information should be deployed and tested regularly.  To protect the integrity of information system backups, digital signature or cryptographic hashes may be considered.

Audit Considerations

Auditors may ask to see the formal backup and recovery plans and review backup procedures.  Additionally, they may want to verify that such data is accessible and readable.   A review of the results of testing exercises may be examined as well.

Applicable CIS Critical Controls:

CIS Control 10 –  Data Recovery Capability

When attackers compromise machines, they often make significant changes to configurations and software.  Sometimes these changes are subtle, potentially jeopardizing organizational effectiveness with polluted information.  A trustworthy data recovery capability to remove all aspects of the attacker’s presence on the machine is necessary.

PR.IP-11:  Cybersecurity is included in human resources practices (e.g. deprovisioning, personnel screening)

Screening of individuals who will have access to sensitive information is a critical protection factor that should be part of the recruiting and onboarding process.  Whether background checks are performed through HR or the hiring department, a check should be made for those who will have access to critical information or have administrative level access to information systems.

Additionally, processes for the timely deprovisioning of access for employees who separate must be in place and verified.

Audit Considerations

Auditors may review hiring practices to determine whether background checks/screening are performed for all employees.   Procedures for positions with access to sensitive information may be reviewed to determine if they are commensurate with a higher level of risk.   Separation procedures will be reviewed and verified to assure that accounts/access are disabled in a timely manner. 

PR.IP-12:  A vulnerability management plan is developed and implemented.

Security categorization of information systems guides the frequency and comprehensiveness of vulnerability scans.  Each organization should determine the required vulnerability scanning for all information system components that may include items such as networked printers that are sometimes overlooked.  Analysis and mitigation procedures should be in place.  Using common tools to express vulnerabilities such as the Common Vulnerabilities and Exposures (CVE) naming convention allows for easy communication internally and externally.

Audit Considerations

Auditors may obtain the organization’s vulnerability management plan and ensure it includes the following:

– Frequency of vulnerability scanning
– Method for measuring the impact (e.g. CVSS)
– Incorporation of vulnerabilities identified in other security control assessments (e.g. external audits)
– Procedures for developing remediation of identified vulnerabilities.
– Examining the organization’s risk assessment to ensure vulnerabilities identified during the vulnerability management process may be included.

Applicable CIS Critical Controls:

CIS Control 4 –  Continuous Vulnerability Assessment and Remediation

Continuously acquire, assess, and take action on new information in order to identify vulnerabilities, remediate, and minimize the window of opportunity for attackers.  There is a constant stream of new information:  software updates, patches, advisories, and threat bulletins.   Understanding and managing vulnerabilities has become a continuous activity, requiring significant time, attention, and resources.

Organizations that do not scan for vulnerabilities and proactively address discovered flaws face a significant likelihood of having their computer systems compromised.