This is Part 4 of our series on NIST CSF 2.0. Part 3 covered the Identify function and understanding what assets need protection.
The Protect function is where security gets tangible. After identifying critical assets and assessing risks, Protect implements the safeguards that reduce the likelihood and impact of cybersecurity events. This is the proactive work—building defenses before attacks occur.
What Protect Covers
The Protect function encompasses several categories:
Identity Management and Access Control — Managing who has access to what, ensuring only authorized users can reach critical systems and data.
Awareness and Training — Ensuring personnel understand their security responsibilities and can recognize threats.
Data Security — Protecting data through encryption, classification, and proper handling procedures.
Platform Security — Securing hardware, software, and infrastructure through configuration management and maintenance.
Technology Infrastructure Resilience — Ensuring systems can withstand and recover from adverse events.
Access Control: The Foundation
Access control failures are behind most security incidents. Effective access control requires:
Multi-factor authentication (MFA). Passwords alone are insufficient. MFA should be required for:
- All remote access
- All cloud applications
- All administrative access
- Any system handling sensitive data
Least privilege. Users should have only the access necessary for their job functions. This requires:
- Role-based access control (RBAC) aligned to job functions
- Regular access reviews (quarterly at minimum)
- Prompt revocation when roles change or employment ends
- Privileged access management (PAM) for administrative accounts
Identity lifecycle management. From onboarding to offboarding:
- Standardized provisioning based on job roles
- Clear processes for access changes
- Timely deprovisioning when employees leave
- Orphaned account detection and removal
Centralized identity management. Single sign-on (SSO) and directory services provide:
- Unified authentication across applications
- Centralized policy enforcement
- Better visibility into access patterns
- Simpler access reviews
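The access-review and lifecycle points above (RBAC baselines, orphaned accounts, deprovisioning, MFA on administrative accounts) come together in one periodic check. The following is an added example written for this article, not code from the original post or from any identity product: it joins a constructed HR roster with a constructed directory export and reports what a reviewer would need to act on. The field names, role baseline and the set of entitlements treated as privileged are assumptions.

```python
"""Access-review helper: joins an HR roster with a directory export and reports
orphaned accounts, terminated users still enabled, entitlements beyond the RBAC
baseline, and administrative accounts without MFA.
All records below are constructed for illustration."""

# Constructed HR roster: employee id -> job role and employment status
HR_ROSTER = {
    "e100": {"role": "developer", "status": "active"},
    "e101": {"role": "accountant", "status": "active"},
    "e102": {"role": "sysadmin", "status": "terminated", "end_date": "2024-03-01"},
}

# RBAC baseline (assumed): the entitlements each job role is allowed to hold
ROLE_BASELINE = {
    "developer": {"git", "ci", "jira"},
    "accountant": {"erp", "expense"},
    "sysadmin": {"git", "ci", "vpn", "domain-admin"},
}

# Entitlements treated as privileged and therefore requiring MFA (assumed set)
ADMIN_ENTITLEMENTS = {"domain-admin", "cloud-admin"}

# Constructed directory export; employee_id None means no owner is recorded
DIRECTORY = [
    {"account": "alice", "employee_id": "e100", "enabled": True, "mfa": True,
     "entitlements": {"git", "ci", "jira", "erp"}},      # "erp" left over from a previous role
    {"account": "bob", "employee_id": "e101", "enabled": True, "mfa": False,
     "entitlements": {"erp", "expense"}},
    {"account": "carol", "employee_id": "e102", "enabled": True, "mfa": True,
     "entitlements": {"vpn", "domain-admin"}},            # left the company, never deprovisioned
    {"account": "svc-backup", "employee_id": None, "enabled": True, "mfa": False,
     "entitlements": {"cloud-admin"}},                    # service account with no recorded owner
]


def review_access(roster, baseline, directory, admin_entitlements=ADMIN_ENTITLEMENTS):
    """Return (account, finding_type, detail) tuples for everything a reviewer should act on."""
    findings = []
    for acct in directory:
        name = acct["account"]
        person = roster.get(acct["employee_id"]) if acct["employee_id"] else None

        if person is None:
            # Orphaned: nobody in HR owns this account, so nobody will ever revoke it
            findings.append((name, "orphaned", "no matching HR record"))
        elif person["status"] != "active":
            # Offboarding gap: employment ended but the account still works
            if acct["enabled"]:
                findings.append((name, "terminated-enabled", f"HR end date {person.get('end_date')}"))
        else:
            # Least privilege: anything beyond the role baseline is accumulated access
            excess = acct["entitlements"] - baseline.get(person["role"], set())
            if excess:
                findings.append((name, "excess-entitlement", ",".join(sorted(excess))))

        privileged = acct["entitlements"] & admin_entitlements
        if privileged and not acct["mfa"]:
            findings.append((name, "admin-without-mfa", ",".join(sorted(privileged))))
    return findings


def summarize(findings):
    """Count findings by type, the view a quarterly review report would open with."""
    counts = {}
    for _, kind, _ in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    results = review_access(HR_ROSTER, ROLE_BASELINE, DIRECTORY)
    for account, kind, detail in results:
        print(f"{account:12} {kind:20} {detail}")
    print(summarize(results))
```

Each finding maps to a single remediation owner: orphaned and terminated accounts go to the identity team for disablement, excess entitlements go to the line manager for attestation, and admin accounts without MFA are a stop-the-line item. Running this against real exports is only useful if the HR roster is the authoritative source of employment status; if it is not, the "orphaned" list will be noisy.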
Security Awareness and Training
Technical controls fail when users circumvent them or fall for social engineering. Effective training programs:
Address real threats. Training should cover the attacks employees actually face—phishing, business email compromise, social engineering—not abstract security concepts.
Happen continuously. Annual training doesn't build habits. Regular, short lessons reinforce awareness over time.
Include practical exercises. Phishing simulations test whether training translates to behavior change.
Are role-appropriate. Developers need different training than accountants. Technical teams need secure coding practices; finance teams need invoice fraud awareness.
Create a reporting culture. Employees should feel comfortable reporting suspicious activity without fear of blame for being wrong.
Data Security
Protecting data requires understanding what you have and applying appropriate controls:
Data classification. Not all data needs the same protection. Classify data by sensitivity:
- Public: No restrictions
- Internal: Business use only
- Confidential: Need-to-know access
- Restricted: Highest protection, limited access
Encryption. Encrypt sensitive data:
- At rest: Database encryption, disk encryption, encrypted backups
- In transit: TLS for all network communications
- Key management: Secure key storage, rotation policies, access controls on keys
Data loss prevention (DLP). Controls that prevent unauthorized data exfiltration:
- Monitoring for sensitive data in outbound communications
- Blocking unauthorized transfers of classified data
- Alerting on unusual data access patterns
Secure data handling. Processes for:
- Secure data disposal (not just deletion)
- Data transfer procedures
- Handling of data in non-production environments
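The classification scheme and the DLP controls above can be combined into a single outbound check: derive a classification for each message from its label and its content, then apply a policy keyed on the recipient. The block below is an added example written for this article, not code from the original post or from any DLP product. It uses the Luhn checksum to validate card-number candidates so that order numbers and other digit runs are not blocked; the policy table, internal domain, default label for unlabelled mail and all sample messages are constructed assumptions.

```python
"""Outbound DLP check: derives a classification for each message from its label
and its content (card numbers validated with the Luhn check), then applies an
outbound policy. The policy, domains and messages are constructed for this example."""
import re

# Classification levels in increasing sensitivity; the index is used for comparison
LEVELS = ["public", "internal", "confidential", "restricted"]

# Assumed outbound policy: action when data of a given level goes to an external recipient
OUTBOUND_POLICY = {"public": "allow", "internal": "allow",
                   "confidential": "alert", "restricted": "block"}

INTERNAL_DOMAINS = {"example.com"}           # constructed: the organisation's own mail domain

# 13-19 digits optionally separated by spaces or dashes, the usual card-number layout
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: cuts false positives from order numbers and other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                        # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def detect_level(message: dict) -> str:
    """Highest level implied by the explicit label or by detected content.
    Unlabelled mail is treated as internal (an assumption of this example)."""
    level = message.get("label", "internal")
    for match in CARD_RE.finditer(message["body"]):
        digits = re.sub(r"[ -]", "", match.group())
        if luhn_ok(digits):
            level = max(level, "restricted", key=LEVELS.index)
    return level


def evaluate(message: dict) -> dict:
    """Decide allow / alert / block for one outbound message."""
    recipient_domain = message["to"].rsplit("@", 1)[-1].lower()
    level = detect_level(message)
    if recipient_domain in INTERNAL_DOMAINS:
        return {"level": level, "action": "allow", "reason": "internal recipient"}
    return {"level": level, "action": OUTBOUND_POLICY[level],
            "reason": f"{level} data to external domain {recipient_domain}"}


# Constructed sample messages
MESSAGES = [
    {"to": "partner@external.net", "label": "internal",
     "body": "Quarterly summary attached."},
    {"to": "vendor@external.net",
     "body": "Card on file: 4111 1111 1111 1111, expires next year."},   # Luhn-valid test number
    {"to": "cfo@example.com",
     "body": "Card on file: 4111 1111 1111 1111."},                     # same data, internal recipient
    {"to": "auditor@external.net", "label": "confidential",
     "body": "Draft findings for review."},
    {"to": "support@external.net",
     "body": "Order reference 1234 5678 9012 3456 not received."},      # fails Luhn: not a card
]

if __name__ == "__main__":
    for m in MESSAGES:
        print(m["to"], evaluate(m))
```

The design point is that content inspection only raises a classification, never lowers one: an explicit "restricted" label stays restricted even when no pattern fires. In a real deployment the "alert" action for confidential data should feed the same queue that the access-pattern alerts in the bullet list above go to, so analysts see both in one place.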
Platform Security
Systems need ongoing security maintenance:
Configuration management. Establish secure baselines for:
- Operating systems
- Applications
- Network devices
- Cloud resources
Use configuration management tools to enforce baselines and detect drift.
Patch management. Timely patching of vulnerabilities:
- Prioritization based on risk (not just severity)
- Testing before deployment
- Defined SLAs for patch application
- Tracking and reporting on patch status
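The four patch-management points above (risk-based prioritisation, SLAs, tracking and reporting) are easiest to see as one small pipeline over a scanner export. The block below is an added example written for this article, not code from the original post or from any vulnerability-management product. The tiering weights, SLA days, asset inventory and vulnerability findings are all constructed assumptions; the point they illustrate is that a high CVSS score on an isolated lab machine can rank below a medium score on an exposed, actively exploited system.

```python
"""Risk-based patch prioritisation and SLA tracking. Severity (CVSS) is only the
starting point; internet exposure, known exploitation and asset criticality move
a finding between tiers, and each tier carries an SLA. Tiers, weights, SLA days
and all records are constructed for this example, not taken from any standard."""
from datetime import date, timedelta

# Assumed SLA: days from vulnerability publication to deployed patch, per tier
PATCH_SLA_DAYS = {"P1": 7, "P2": 30, "P3": 90}

# Constructed asset inventory (the Identify function's output feeds this step)
ASSETS = {
    "web01":     {"internet_facing": True,  "criticality": "high"},
    "lab07":     {"internet_facing": False, "criticality": "low"},
    "fileshare": {"internet_facing": False, "criticality": "high"},
}

# Constructed vulnerability findings as a scanner export might list them
VULNS = [
    {"id": "V-1", "asset": "web01", "cvss": 9.8, "exploited_in_wild": True,
     "published": "2024-05-01", "patched_on": None},
    {"id": "V-2", "asset": "lab07", "cvss": 9.0, "exploited_in_wild": False,
     "published": "2024-05-01", "patched_on": None},
    {"id": "V-3", "asset": "web01", "cvss": 5.5, "exploited_in_wild": True,
     "published": "2024-05-01", "patched_on": "2024-05-06"},
    {"id": "V-4", "asset": "fileshare", "cvss": 4.0, "exploited_in_wild": False,
     "published": "2024-05-01", "patched_on": None},
]


def risk_score(vuln: dict, asset: dict) -> float:
    """CVSS plus context: exposure and active exploitation weigh more than severity alone."""
    score = vuln["cvss"]
    if asset["internet_facing"]:
        score += 2.0
    if vuln["exploited_in_wild"]:
        score += 3.0
    if asset["criticality"] == "high":
        score += 1.0
    return score


def priority(vuln: dict, asset: dict) -> str:
    """Map the contextual score onto the SLA tiers (thresholds are assumptions)."""
    score = risk_score(vuln, asset)
    if score >= 10.0:
        return "P1"
    if score >= 7.0:
        return "P2"
    return "P3"


def patch_status(vulns, assets, today: date):
    """One row per finding with tier, SLA due date and state (open / overdue / patched / patched-late)."""
    rows = []
    for v in vulns:
        tier = priority(v, assets[v["asset"]])
        due = date.fromisoformat(v["published"]) + timedelta(days=PATCH_SLA_DAYS[tier])
        if v["patched_on"]:
            state = "patched" if date.fromisoformat(v["patched_on"]) <= due else "patched-late"
        else:
            state = "overdue" if today > due else "open"
        rows.append({"id": v["id"], "asset": v["asset"], "tier": tier, "due": due, "state": state})
    return rows


def sla_report(rows) -> dict:
    """Counts per state: the figure a system owner is asked to report on."""
    report = {}
    for r in rows:
        report[r["state"]] = report.get(r["state"], 0) + 1
    return report


if __name__ == "__main__":
    rows = patch_status(VULNS, ASSETS, date(2024, 5, 20))
    for r in rows:
        print(r)
    print(sla_report(rows))
```

Whatever the real weights are, they should be written down and agreed with system owners before the first report goes out; an SLA nobody accepted is not tracked, it is argued about. The "patched-late" state is deliberately kept separate from "patched" so that trend reporting shows whether the SLA is being met, not just whether work eventually happened.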
Hardening. Reducing attack surface by:
- Disabling unnecessary services
- Removing default accounts and credentials
- Limiting network exposure
- Applying security benchmarks (CIS, vendor guidelines)
Protective Technology
Security tools that enforce protection:
Endpoint protection. Modern endpoint detection and response (EDR) solutions provide:
- Malware prevention
- Behavioral detection
- Investigation capabilities
- Remote response actions
Network security. Defense at the network layer:
- Firewalls controlling traffic flow
- Network segmentation limiting lateral movement
- Intrusion prevention systems (IPS)
- Secure network architecture
Email security. Protecting the primary attack vector:
- Spam and phishing filtering
- Attachment sandboxing
- Link rewriting and protection
- DMARC/DKIM/SPF for domain protection
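Publishing SPF, DKIM and DMARC records is only half of the domain-protection bullet above; the records also have to be strong enough to matter, and a DMARC policy of "none" or an SPF record ending in "~all" leaves spoofed mail deliverable. The block below is an added example written for this article, not code from the original post or from any email-security product: it evaluates a set of constructed TXT records for the weaknesses a reviewer looks for. No DNS is queried, the domains and records are constructed (the DKIM public key is a labelled placeholder), and the DKIM selector names are an assumption because they depend on the sending provider.

```python
"""Email authentication posture check for SPF, DKIM and DMARC records.
DNS is not queried; the records and domains below are constructed for this
example, and the DKIM selector list is an assumption."""

# Constructed TXT records keyed by DNS name; the DKIM public key is a placeholder
TXT_RECORDS = {
    "good.example": ["v=spf1 include:_spf.mailprovider.example -all"],
    "_dmarc.good.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@good.example; pct=100"],
    "s1._domainkey.good.example": ["v=DKIM1; k=rsa; p=PLACEHOLDER_PUBLIC_KEY"],
    "weak.example": ["v=spf1 include:_spf.mailprovider.example ~all",
                     "v=spf1 ip4:192.0.2.10 ~all",           # second SPF record: invalid per RFC 7208
                     "site-verification=abc123"],
    "_dmarc.weak.example": ["v=DMARC1; p=none; rua=mailto:reports@weak.example"],
}


def parse_tags(record: str) -> dict:
    """Split a 'k=v; k=v' style record (DMARC, DKIM) into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.strip().split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def check_spf(records) -> list:
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    if not spf:
        return ["spf-missing"]
    findings = []
    if len(spf) > 1:
        findings.append("spf-multiple-records")     # receivers treat this as a permanent error
    last = spf[0].split()[-1].lower()
    if last == "-all":
        pass                                        # hard fail: unauthorised senders are rejected
    elif last == "~all":
        findings.append("spf-softfail")             # unauthorised mail is accepted and merely marked
    else:
        findings.append("spf-no-hard-fail")         # +all, ?all or no all term at all
    return findings


def check_dmarc(records) -> list:
    dmarc = [r for r in records if r.upper().startswith("V=DMARC1")]
    if not dmarc:
        return ["dmarc-missing"]
    tags = parse_tags(dmarc[0])
    findings = []
    policy = tags.get("p", "none").lower()
    if policy == "none":
        findings.append("dmarc-policy-none")        # monitoring only; spoofed mail is still delivered
    elif policy == "quarantine":
        findings.append("dmarc-policy-quarantine")  # better than none, weaker than reject
    if "rua" not in tags:
        findings.append("dmarc-no-reporting")       # no aggregate reports, so no visibility
    if tags.get("pct", "100") != "100":
        findings.append("dmarc-partial-enforcement")
    return findings


def check_dkim(domain: str, selectors, dns) -> list:
    """Confirm a DKIM key is published at least at one of the expected selectors."""
    for sel in selectors:
        for r in dns.get(f"{sel}._domainkey.{domain}", []):
            if r.upper().startswith("V=DKIM1") and "p=" in r:
                return []
    return ["dkim-no-key-at-expected-selectors"]


def assess(domain: str, dns=TXT_RECORDS, selectors=("s1",)) -> list:
    """All findings for a domain; an empty list means the three records look sound."""
    return (check_spf(dns.get(domain, []))
            + check_dkim(domain, selectors, dns)
            + check_dmarc(dns.get(f"_dmarc.{domain}", [])))


if __name__ == "__main__":
    for d in ("good.example", "weak.example"):
        print(d, assess(d) or "ok")
```

The usual path to a clean result is the one the findings imply: collect DMARC aggregate reports under p=none until every legitimate sender is covered by SPF or DKIM, then move to quarantine and finally reject. Running the check on a schedule catches the regressions that follow a new SaaS sender being added without the records being updated.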
Cloud security. For cloud workloads:
- Cloud security posture management (CSPM)
- Cloud workload protection
- Identity and access management for cloud resources
- Secure configuration enforcement
Common Protection Failures
Over-reliance on perimeter security. Assuming everything inside the firewall is safe. Defense in depth is essential.
Incomplete MFA deployment. MFA on VPN but not cloud applications. Attackers target the weakest entry point.
Inconsistent patching. Some systems patched, others forgotten. Legacy systems and shadow IT often go unpatched.
Training without reinforcement. Annual training completed and forgotten. Behavior change requires ongoing reinforcement.
Access accumulation. Users gain access over time and never lose it. Regular reviews and attestation are essential.
Getting Started
For organizations building or improving their Protect capabilities:
- Start with access control. MFA everywhere, least privilege enforcement, and regular access reviews provide significant risk reduction.
- Build awareness. Implement ongoing security awareness training with practical exercises.
- Encrypt sensitive data. At rest and in transit, with proper key management.
- Maintain systems. Patch management, configuration baselines, and regular hardening reviews.
- Layer defenses. No single control is sufficient. Build overlapping protections.
Next in the Series
Part 5 covers the Detect function—identifying security events and anomalies so you can respond before damage spreads.
Need help implementing security controls or building a protection program? Our security assessments and GRC Advisory services help organizations build effective defenses. Let's talk.
