Now, I don't know about you, but if you've been watching these episodes in order, you're probably in a little bit of a panic right now. We've got all of this IT governance and risk management and security controls and processes and policies and, holy smoke, there is a lot to this. So if you were to walk into an organization that suddenly said, "Help us, help us, we have no IT security," just the organizational process is a massive, massive job. So how do you, as an IT security professional, just start the process of making all this happen? Well, that is the job of what we call frameworks.
A framework is nothing more than a process idea, almost like project management, almost like a list of the big things you've got to do as an IT security person, that helps you as a professional provide the type of organization that gives good IT security to your infrastructure. Now, a framework is not going to be much more than a bunch of boxes and a lot of overview stuff, but they are very, very important. There are lots of frameworks out there. There are regulatory frameworks that certain organizations absolutely must use. There are a lot of non-regulatory ones, where organizations just go, "This is a really good way to do it," and some people abide by those.
We have national standards. We have international standards that define these types of frameworks. And there are also industry-specific frameworks that are usually defined for one particular organization. To give you some examples of these types of frameworks, well, I'm a NIST guy, so let's start with probably the most famous of all of these frameworks: good old SP 800-37.
This massive document is the first go-to place for IT security professionals who want to understand how to perform a risk management framework. Now, keep in mind that this is a national standard, and at least in terms of United States federal organizations, it's a regulatory one as well. Now, for somebody like me, I just like the risk management framework, so it's not going to be regulatory for me; very much non-regulatory. But as a private organization, these are free public documents and everybody knows about them.
So we all tend to use them. Now, a good example of a non-regulatory one would be good old ISACA IT infrastructure. Now, this is published by ISACA, and a lot of people follow these guys as well. In the international world, good old ISO 27000 definitely defines a risk management framework that people all over the world can use. Now, if you want to terrify yourself, just put all kinds of fear into your life today, what you need to do is go into Google and type in "risk management framework," hit Enter, and then don't look at the web results.
Look at the image results. There are millions of these risk management frameworks, and they're all absolutely fine. Different types of people like to use different ones. But for me, because I'm a NIST guy, what I'd like to do is take a minute and go through the NIST risk management framework. So what you're looking at right here, folks, are the six steps of NIST's risk management framework.
So what I want to do at this point is just do a quick run-through of each one of these, so you can get an idea of the big steps that we use when it comes to organizing the IT security for our infrastructure. So number one, and this is a big one, is categorize your information systems. Now, what we're talking about with categorizing them is that we really need to have an understanding; I'm not saying to just count routers, I mean, you definitely do that at this part, and count the number of Windows systems you have. But more importantly, you have to really categorize your workflows and your processes and your vendors and all of your different organizational inputs and outputs.
And this is a big job and one of the most important first steps you can take when it comes to getting everything organized using this particular risk management framework. So you end up generating this huge list of different types of assets and workflows and processes. The second thing you're going to have to do, then, is select security controls. Now, we've already covered security controls in other episodes, so I don't need to develop that again. But at this point, you need to start looking at all of the different things that are taking place.
And based on regulations and laws and standards and best practices and common sense, you start to say, "Well, I want to do this: we're going to use big passwords. We're going to set everything to a WPA2 shared key with a minimum 30-character password," whatever it might be. You begin to select all of these different controls. Now, interestingly enough, let's take a look at the third step, and that is implement security controls. You would think, "Well, if you're selecting them, aren't you implementing them?" Not at all. The gap between somebody sitting at a desk going, "Oh, these are good ideas," and the screwdriver guys who actually have to start implementing all of these different types of controls can be a really big step. And as we start implementing different types of controls, all of a sudden we run into little problems here and there.
But we need to appreciate that that is a big step, and it's very important that we keep it separated from simply selecting the controls. Now, fourth is assess the security controls. Now, this has always been a bit of a weird one to me, because if I'm applying a security control, I'm going to be watching what it does. But that's not what they're talking about here. What they're talking about is, before we really put all this online, whatever it might be, let's verify that everything works the way that we want it to and do the best due diligence we can, to make sure that, if we require everybody to have a new password every 30 days, we understand that that is going to have some pretty big implementation issues and a lot of problems with administering it, as well as people forgetting their passwords. So that's what Step four is all about: we're assessing what that process is going to be.
And a lot of times in this particular case, this is all done through what we call a sandbox, a separate little network where we're testing stuff to see how it all works. So Step five is the big one. Step five is authorizing the controls. So we've got all this set up, everything's ready to rock and roll, we know how to do it, we've got the procedures down, we've assessed it, we feel that it works pretty well. At some point, there has to be some big boss up there who goes, "All right, let's do this. I'm willing to accept the risk on behalf of the company or organization," whatever it might be.
"Let's go ahead and authorize them." Authorization becomes very important, especially if something goes wrong and we need to point a finger at somebody. It's not necessarily to fire people, but at least, you know, for lessons-learned type scenarios. Understanding who makes the authorization can often be an important point in that framework. The next one is monitor, and that's where, okay, everything's up and running and cooking. Let's watch the control.
Let's stay on top of this control. See what it's doing: is it doing the job we wanted it to? Is it restricting people too much? Is it mitigating or eliminating the risk, whatever it was designed to be implemented for? And let's make a judgment on it. So then what really happens is, as it's being monitored, we really kind of repeat this whole process as well, so we come right back to categorization. Now, in this case, we're not having to re-inventory everything.
But what we're more doing now is that, as a result of the monitoring, we begin to understand things like, for example, "Hey, the way these guys set up this enterprise-level RADIUS server really worked well, so maybe we can go ahead and categorize all of our wireless networks and put them all onto RADIUS servers." So literally, what happens here is we take a look at all six of these steps and it becomes a big loop. And we just keep doing this and doing this and doing this. And the most important thing is, you get to do it forever, and that's why they call it a job. So good luck to you, IT security professional.
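The six-step loop described in the lecture, as an added example in Python that is not part of the lecture or of any NIST publication. It models the two controls the lecture names (a WPA2 pre-shared key of at least 30 characters, and password rotation every 30 days) against a constructed inventory of three systems. The system names, control identifiers, the authorizing official and the dates are all constructed for this example; the point it shows is that assess, authorize and monitor are distinct steps: assessment produces findings, authorization records who accepted which residual risk, and monitoring re-runs the assessment and flags only drift beyond what was accepted.

```python
"""Toy model of the six-step risk management framework loop from the lecture:
categorize -> select -> implement -> assess -> authorize -> monitor.

Inventory, system names, control identifiers and the authorizing official are
constructed for this example; the two controls are the ones the lecture mentions."""
from dataclasses import dataclass, field
from datetime import date
from typing import Callable, Dict, List, Optional, Tuple

# Step 1, categorize: a constructed inventory of systems and their security-relevant settings.
INVENTORY: Dict[str, dict] = {
    "wlan-office": {"kind": "wireless", "psk_length": 34, "password_max_age_days": None},
    "wlan-guest": {"kind": "wireless", "psk_length": 12, "password_max_age_days": None},
    "ad-domain": {"kind": "directory", "psk_length": None, "password_max_age_days": 90},
}


@dataclass
class Control:
    control_id: str                   # constructed identifier, not a NIST catalogue number
    description: str
    applies_to: str                   # the system kind this control targets
    check: Callable[[dict], bool]     # True when the system satisfies the control


# Step 2, select: the two controls the lecture uses as examples.
CONTROLS: List[Control] = [
    Control("PSK-LEN-30", "WPA2 pre-shared key of at least 30 characters", "wireless",
            lambda s: (s["psk_length"] or 0) >= 30),
    Control("PWD-ROT-30", "Passwords rotated at least every 30 days", "directory",
            lambda s: s["password_max_age_days"] is not None and s["password_max_age_days"] <= 30),
]

Finding = Tuple[str, str]   # (control_id, system_name)


def implement(inventory: Dict[str, dict], system: str, **settings) -> Dict[str, dict]:
    """Step 3, implement: apply a configuration change and return a new inventory,
    leaving the original untouched so before/after states can be compared."""
    updated = {name: dict(cfg) for name, cfg in inventory.items()}
    updated[system].update(settings)
    return updated


def assess(inventory: Dict[str, dict], controls: List[Control]) -> List[Finding]:
    """Step 4, assess: evaluate every selected control against every system it applies to."""
    return [(c.control_id, name)
            for name, system in inventory.items()
            for c in controls
            if c.applies_to == system["kind"] and not c.check(system)]


@dataclass
class Authorization:
    official: str                     # who accepted the residual risk (the lessons-learned trail)
    decided_on: date
    accepted_risks: List[Finding] = field(default_factory=list)


def authorize(findings: List[Finding], official: str, accepted_risks: List[Finding],
              today: Optional[date] = None) -> Tuple[Optional[Authorization], List[Finding]]:
    """Step 5, authorize: a named official must explicitly accept every open finding.
    Returns (Authorization, []) on success, or (None, unaccepted findings) otherwise."""
    unaccepted = [f for f in findings if f not in accepted_risks]
    if unaccepted:
        return None, unaccepted
    return Authorization(official, today or date.today(), list(accepted_risks)), []


def monitor(inventory: Dict[str, dict], controls: List[Control],
            authorization: Authorization) -> List[Finding]:
    """Step 6, monitor: re-run the assessment and report only drift beyond the accepted residual risk."""
    return [f for f in assess(inventory, controls) if f not in authorization.accepted_risks]


if __name__ == "__main__":
    print("initial findings:", assess(INVENTORY, CONTROLS))
    fixed = implement(INVENTORY, "ad-domain", password_max_age_days=30)
    auth, open_items = authorize(assess(fixed, CONTROLS), "CISO (constructed)",
                                 [("PSK-LEN-30", "wlan-guest")], date(2024, 1, 15))
    print("authorized by:", auth.official, "open findings:", open_items)
    drifted = implement(fixed, "wlan-office", psk_length=8)
    print("drift detected by monitoring:", monitor(drifted, CONTROLS, auth))
```

Running the script shows the loop the lecture describes: the first assessment fails two systems, fixing the directory's rotation setting leaves one finding, the official accepts that one so authorization succeeds, and when the office network's key is later weakened the monitor step reports exactly that drift and nothing that was already accepted.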