NIST CSF Series #13: Protect – Protective Technology

NIST CSF Protect: Protective Technology

Function:   Protect  (PR)
Category:  Protective Technology (PT)

“Technical security solutions are managed to ensure the security and resilience of systems and assets, consistent with related policies, procedures, and agreements.”


PR.PT-1:  Audit/log records are determined, documented, implemented, and reviewed in accordance with policy.

Information systems will generate audit records containing information the establishes what type of event occurred, when the event occurred, where the event occurred, the source of the event, the outcome of the event, and the identity of any individuals or subjects associated with the event.   The collection and review of these logs often requires automated tools to make review a manageable and effective task as well as provide guidance for response.

Records generated require review, analysis, and reporting to cover information security-related events.  These may range from monitoring account usage, remote access, wireless connectivity, configuration settings, communication at boundaries, and use of mobile code among a host of other potential log sources.   The log sources and use case for them should be documented.

Audit Considerations

Auditors may determine if audit logs are maintained and reviewed in a timely manner.  They may verify that the audit records contain significant detail and look to see if the breadth of log information coverage is adequate.

Applicable CIS Critical Controls:

CIS Control 6 –  Maintenance, Monitoring, and Analysis of Audit Logs

Deficiencies in security logging and analysis allow attackers to hide their location, malicious software, and activities on victim machines.  Even if victims know their systems have been compromised, without protected and complete logging records they are blind to the details of the attack and any subsequent actions taken by the attacker.  Without solid audit logs and adequate review, an attack may go unnoticed indefinitely and the particular damage done may be irreversible.


PR.PT-2:  Removable media is protected and its use restricted according to policy.

Sensitive information can be transported on removable media, including such devices as removable hard drives, flash drives, and DVD/CD.  Additionally, mobile devices and laptops that may transport media outside of controlled areas require consideration to control and protect sensitive information that may be on them.   Full disk encryption on laptops, encryption technology that can be deployed to removable media, and preventing the downloading of sensitive information to uncontrolled devices should all be considered.

Audit Considerations

Auditors may obtain a copy of an organization’s removable media policy and examine controls associated with the policy.   Controls may include:

–  User training
–  Encryption of removable media
–  Restricted access to removable media
–  Sanitization procedures for decommissioned media

They may also spot check systems to verify stated controls are in place.

Applicable CIS Critical Controls:

CIS Control 13 –  Data Protection

The loss of control over protected or sensitive data is a serious threat to operations and increases the risk of compromise.  Encrypting data provides a level of assurance that even if data is compromised, it is impractical to access the plaintext without significant resources, however controls should also be put in place to mitigate the treat of data exfiltration in the first place.


PR.PT-3:  Access to systems and assets is controlled, incorporating the principle of least functionality.

Access control policies control access between active entities or subjects (e.g. users or processes acting on behalf or users) and passive entities or objects (e.g. devices, files, records) in information systems.  Organizations must employ the principles of least privilege which ensures the processes operating at privilege levels are no higher than necessary to accomplish required business functions.

This also applies to unnecessary functions, ports, services, and protocols that are often installed by default but are left in place.   These should be removed where appropriate to prevent unnecessary avenues of attack.

Audit Considerations

Auditors may determine if the organization reviews functions and services provided by information systems or individual components of these systems to determine which functions and services are candidates for elimination.   A review of information systems to look for unnecessary or non-secured functions may be done as well.

Applicable CIS Critical Controls:

CIS Control 9 –  Limitation and Control of Network Ports, Protocols, and Services

Attackers search for remotely accessible network services that are vulnerable to exploitation.  Many software packages automatically install services and turn them on as part of the installation but never turn them off, leaving an organization exposed.  Unnecessary ports, protocols, and services need to be identified and eliminated.

CIS Control 14 –  Controlled Access Based on the Need to Know

Some organizations do not carefully identify and separate their most sensitive and critical assets from less sensitive information on their internal networks.  Once attackers have penetrated a network, they can easily find and exfiltrate information that is not appropriately separated.  Excessive access for individual roles provides a single point of access for an attacker to access and exfiltrate data.  Limiting access to only what is needed to perform a particular job function reduces this risk.


PR.PT-4:  Communications and control networks are protected.

Controlling where information is allowed to travel within an information system and between information systems help protect data and systems that provide transport of potentially sensitive information.  Additionally, protecting the devices used to provide communication requires secure configurations to be implemented and regularly tested.

Audit Considerations

Auditors may review controls related to communications to ensure the network is secure including network perimeter devices (e.g. firewalls, routers) and the physical security of those devices.  Logical network controls and protection to prevent unauthorized disclosure, such as encryption in transit, may be examined.

Applicable CIS Critical Controls:

CIS Control 11 –  Secure Configurations for Network Devices such as Firewalls, Routers, and Switches

Default configuration are typically geared for ease-of-deployment, not security.  Open ports, default accounts, support for older protocols, and installation of unneeded software all present avenues for exploitation and compromise.  Providing a secure configuration and regularly testing against it is vital to protecting information.