People, Processes, Technology, Data, and Facilities (PPTDF)

This is a somewhat contentious topic in the cybersecurity community. When you are discussing the scope of applicability for controls, is it:

• Limited to People, Processes& Technology (PPT)?
• Inclusive of data withPeople, Processes, Technology & Data (PPTD)? or
• Comprehensive to includephysical security with People, Processes, Technology, Data & Facilities (PPTDF)?

While we likely agree that the importance of robust cybersecurity controls cannot be overstated, the applicability of those controls is sometimes in question. These examples help demonstrate the applicable nature of controls:

• You cannot apply end user training to a firewall (technology).
• An employee (people) cannot have a secure baseline configuration applied.
• An Incident Response Plan (IRP) (process) cannot sign a NDA, use MFA or be patched.
• Controlled Unclassified Information (CUI) (data) cannot be assigned roles and responsibilities.
• Your data center (facility) cannot undergo employee background screening.

The PPTDF model, encompassing People, Processes, Technology, Data, and Facilities, provides a comprehensive approach to cybersecurity control applicability, as described below:

People

People are often considered the weakestlink in cybersecurity. Human error, negligence, or malicious intent can lead tosignificant vulnerabilities. To mitigate these risks, organizations implement human-specificcontrols such as:

• Security Awareness Training: Educatingemployees about cybersecurity best practices and potential threats.
• Access Controls: Enforcing theprinciple of least privilege to restrict access based on job roles.
• User Authentication and Authorization:Implementing strong authentication mechanisms and carefully managing userpermissions.

Processes

Effective cybersecurity processes areessential for identifying, responding to, and mitigating threats. Commonprocesses that exist as controls include:

• Incident Response Plans: Establishingwell-defined processes to respond promptly and effectively to security incidents.
• Regular Audits and Assessments:Conducting periodic assessments to identify vulnerabilities and measurecompliance with security policies.
• Change Management: Implementingcontrols to manage changes in technology and processes to avoid unintendedsecurity consequences.

Technology

The technological aspect ofcybersecurity involves deploying and configuring tools to protect againstthreats. Common technologies that exist as controls include:

• §Network Defenses: Filtering andmonitoring network traffic to prevent unauthorized access (e.g., firewalls,Intrusion Protection Systems (IPS), Data Loss Prevention (DLP), etc.).
• §Endpoint Protection: Installing antimalwaresoftware, Endpoint Detection and Response (EDR) tools to secure individualdevices, etc.
• §Encryption: Safeguarding data intransit and at rest through robust encryption mechanisms.

Data

Data is at the heart of the PPTDF model,making data protection truly the central focus of cybersecurity controls. There are many types of data that are considered sensitive/regulated that include, but are not limited to:

• Controlled Unclassified Information (CUI);
• Federal Contract Information (FCI);
• Personally Identifiable Information (PII);
• Cardholder Data (CHD);
• Export-Controlled Data (ITAR / EAR);
• Electronic Protected Health Information (ePHI);
• Intellectual Property (IP); Critical Infrastructure Information (CII);
• Attorney-Client Privilege Information (ACPI); and
• Student Educational Records (FERPA).

These datatypes have specificcontrols that aredictated by applicable laws, regulations or contractual obligations and include:

• Data Classification: Data must be categorized to apply the appropriate security measures.
• Limit Access: Data must be protected by limiting logical and physical access todata to individuals andsystems that have a legitimate business need.
• Avoid Redundant, Obsolete/Outdated, Toxic orTrivial (ROTT) Data: Data must be trustworthy, based on the data's currency,accuracy, integrity and/or applicability.
• Availability: Data must be available, which involves regularly backing up data and establishingeffective data recovery mechanisms that protects the integrity and confidentialityof the data being backed up and recovered.

Facilities

Physical security is often overlookedbut plays a crucial role in overall cybersecurity and data protection. Commonphysical controls include:

• Physical Access Control (PAC):Restricting physical access to any facility where systems or data exist. PACexists in more than datacenters and corporate offices. The concept of PACextends to home offices and Work From Anywhere (WFA) workers who still have anobligation to apply physical security protections to their systems and data.
• Surveillance Systems: Monitoring andrecording activities within facilities to detect and deter unauthorized access.
• Environmental Controls: Maintainingoptimal conditions for hardware to prevent damage or disruptions.

The PPTDF model shows that amulti-faceted approach to control applicability is indispensable, where it cancreate a resilient defense against a myriad of physical and cyber threats. Aproactive stance in implementing and refining these controls will be crucial insecuring the ever-expanding digital frontier.