Is the NIST Cybersecurity Framework for me?
As cybersecurity continues to increasingly be at the top of everyone’s mind, the knowledge about how brute force attacks directly is linked to business risk is growing. Mitigating these risks does not solve the complete problem but it lowers the exposure to an increasingly more professional cyber crime community.
To get the best cybersecurity standard, The National Institute of Standards and Technology (NIST) is providing you and your business with a range of recommendations and frameworks across industries, but they particularly have excellent resources for cybersecurity. This work is carried out through the NIST Cybersecurity Framework (NIST CSF), which organizes cybersecurity activities into five broad actions: identify, protect, detect, respond, and recover from threats.
The NIST Cybersecurity Framework also provides a policy framework of computer security guidance. Frameworks create a common language for cyber that unifies the conversation around enterprise risk and security.
What’s in it for me?
Implementing the NIST Cybersecurity Framework can help your organization become more focused on protecting its critical assets. The framework is truly applicable to any organization regardless of size. It will give your business guidelines for updating your risk management approach and understand the importance of building a robust cybersecurity program.
What’s also great about NIST is their work to anticipate the future. They provide technical support systems, they improve measurement systems, and develop new technologies among other important things. So that fast-moving sectors can work in a secure and correct environment. Implemented properly, an organization will have the most powerful set of tools and procedures in place.
The 3 Parts of the Framework
The Cybersecurity Framework consists of three main components: Framework Core, Implementation Tiers and Profiles.
Part one: Framework Core
The NIST CSF is organized into five core functions also known as the Framework Core. Each function is essential to a well-operating security posture and successful management of cybersecurity risk.
The Core presents industry standards, guidelines, and practices in a manner that allows for communication of cybersecurity activities. Definitions for each function are as follows:
- Identify: What processes and assets need protection? Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.
- Protect: What safeguards are available? Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services.
- Detect: What techniques can identify incidents? Develop and implement the appropriate activities to identify the occurrence of a security event.
- Respond: What techniques can contain impacts of incidents? Develop and implement the appropriate activities when facing a detected security event.
- Recover: What techniques can restore capabilities? Develop and implement the appropriate activities for resilience and to restore any capabilities or services that were impaired due to a security event.
With each of the Functions noted above, there are twenty-one categories and over a hundred subcategories. The subcategories provide context to each category with reference to other frameworks such as COBIT, ISO, ISA, and others.
Part two: Implementation Tiers
The framework then directs the user to Implementation Tiers. The tiers provide context on how an organization views cybersecurity risk and the processes in place to manage that risk. It’s very much up to the individual organisation to decide what is appropriate during the Tier selection process. That is within existing guidelines, such as GDPR in Europe and other legal and regulatory requirements.
Part three: Framework Profile
Framework Profiles are an organization’s unique alignment of their organizational requirements and objectives, risk appetite, and resources against the desired outcomes of the Framework Core. Framework Profiles are used to prioritise what actions are taken. It enables organizations to establish a roadmap for reducing cybersecurity risk. That will optimize the Cybersecurity Framework to best serve the organization.
Your next step
Implementing the NIST Cybersecurity Framework can help your organization become more focused on protecting its critical assets.
Leveraging the NIST CSF, organizations can work on their cybersecurity maturity in a time when threats are constantly on going. Having a qualified assessor review your organization’s cybersecurity program, specifically using NIST CSF, can also be helpful to identify risks that aren’t intuitively obvious but could cause serious disruption when they become a reality.