As cyberattacks across the world increase in frequency and sophistication, companies are constantly working to improve detection capabilities, discover hidden vulnerabilities, and implement security strategies to counter modern attacks. To help government departments and private organizations improve their cybersecurity measures, the National Institute of Standards and Technology (NIST) published a voluntary set of standards, guidelines, and practices known as the NIST Cybersecurity Framework (CSF). Originally written for operators of critical infrastructure, the Framework has become a widely used reference for building a cybersecurity program across industries.
The NIST Cybersecurity Framework is leading-practice guidance on how an organization's internal and external stakeholders can manage and reduce cybersecurity risk. It lists customizable, organization-specific activities for managing cybersecurity risk, and it is built on existing standards, guidelines, and practices rather than inventing new ones. Gartner estimated that 30% of U.S. organizations used the Framework in 2015 and projected that adoption would reach 50% by 2020.
The Cybersecurity Framework consists of three main components: the Framework Core, the Implementation Tiers, and the Profiles.
The Framework Core is composed of 5 Functions, 23 Categories, and 108 Subcategories (in CSF version 1.1). The Subcategories state the desired outcomes and are the baseline for a NIST CSF assessment, which evaluates how well the organization achieves each outcome. Each Subcategory statement is mapped to leading practices in informative references such as CIS CSC, COBIT 5, ISA 62443-2-1:2009, ISA 62443-3-3:2013, ISO/IEC 27001:2013, and NIST SP 800-53 Rev. 4. These references give organizations a starting point for implementing practices that achieve the Framework's desired outcomes.
The five Functions apply not only to cybersecurity risk management but to risk management at large.
1. Identify – Organizations must first fully understand their current environment, including their data, systems, assets, and business context, before they can manage cybersecurity risk to them. A NIST Cybersecurity Framework assessment helps identify the risks that matter within your industry or business context.
2. Protect – Once organizations understand their cybersecurity risks, they can evaluate whether their existing safeguards offer sufficient protection, or whether changes or additional controls are needed to ensure continued delivery of services.
3. Detect – Timely detection is crucial because it allows the appropriate mitigation response to be initiated quickly. The Detect Function of the NIST Cybersecurity Framework defines the processes needed to identify the occurrence of a cybersecurity event.
4. Respond – The Respond Function covers the activities an organization carries out once a cybersecurity incident has been detected, with the goal of containing and limiting its impact.
5. Recover – The Recover Function defines the processes that support business resilience: restoring impaired services, capabilities, and capacities in a timely manner so that everything is again working as intended, and feeding lessons learned back into the other Functions.
The four Implementation Tiers describe the degree to which an organization's cybersecurity risk management practices exhibit the characteristics defined in the Framework (its risk management process, its integrated risk management program, and its external participation). The Tiers range from Partial (Tier 1) through Risk Informed (Tier 2) and Repeatable (Tier 3) to Adaptive (Tier 4). NIST notes that Tiers do not represent maturity levels and that progression to a higher Tier is encouraged only where a cost-benefit analysis shows a feasible, cost-effective reduction in cybersecurity risk.
Profiles are an organization's unique alignment of its requirements and objectives, risk appetite, and resources against the desired outcomes of the Framework Core. Comparing a "Current" Profile (the outcomes being achieved today) with a "Target" Profile (the outcomes needed to meet the organization's risk management goals) reveals gaps, which can then be prioritized into an action plan for improving the organization's cybersecurity posture.
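The Current-versus-Target comparison described above, as an added worked example that is not part of NIST's Framework or of this page. It assumes a 0-4 score per Subcategory, which the CSF itself does not prescribe (Tiers are organization-level, not per-Subcategory), uses real CSF 1.1 Subcategory identifiers, and fills both Profiles with constructed scores. The functions `profile_errors`, `profile_gaps` and `function_coverage` are names chosen for the example.

```python
import re
from collections import defaultdict

# Assumed scoring scale per Subcategory (0 = not implemented .. 4 = fully
# implemented and continuously improved). The CSF itself does not prescribe
# a score; this scale is an assumption of the example.
MIN_SCORE, MAX_SCORE = 0, 4

# Function prefixes used in CSF 1.1 Subcategory identifiers.
FUNCTIONS = {"ID": "Identify", "PR": "Protect", "DE": "Detect",
             "RS": "Respond", "RC": "Recover"}

# Subcategory IDs follow the pattern <Function>.<Category>-<n>, e.g. PR.AC-1.
SUBCATEGORY_RE = re.compile(r"^(ID|PR|DE|RS|RC)\.[A-Z]{2}-\d+$")

# Constructed sample data: real CSF 1.1 Subcategory IDs, made-up scores.
CURRENT_PROFILE = {
    "ID.AM-1": 3, "ID.AM-2": 1, "PR.AC-1": 2, "PR.DS-1": 2,
    "DE.CM-1": 1, "RS.RP-1": 0,
}
TARGET_PROFILE = {
    "ID.AM-1": 3, "ID.AM-2": 3, "PR.AC-1": 4, "PR.DS-1": 3,
    "DE.CM-1": 3, "RS.RP-1": 3, "RC.RP-1": 2,
}


def profile_errors(profile):
    """Return a list of problems with a hand-built Profile (empty if valid)."""
    errors = []
    for sub, score in profile.items():
        if not SUBCATEGORY_RE.match(sub):
            errors.append(f"{sub}: not a CSF Subcategory identifier")
        if not isinstance(score, int) or not MIN_SCORE <= score <= MAX_SCORE:
            errors.append(f"{sub}: score {score!r} outside {MIN_SCORE}..{MAX_SCORE}")
    return errors


def function_of(subcategory_id):
    """'PR.AC-1' -> 'PR'."""
    return subcategory_id.split(".", 1)[0]


def profile_gaps(current, target):
    """List (subcategory, current, target, gap) for each Target outcome not yet
    met, largest gap first. A Subcategory absent from the Current Profile is
    treated as not assessed, i.e. score 0."""
    gaps = []
    for sub, want in target.items():
        have = current.get(sub, MIN_SCORE)
        if have < want:
            gaps.append((sub, have, want, want - have))
    gaps.sort(key=lambda g: (-g[3], g[0]))
    return gaps


def function_coverage(current, target):
    """Per Function, the fraction of Target Subcategories already met."""
    met, total = defaultdict(int), defaultdict(int)
    for sub, want in target.items():
        fn = function_of(sub)
        total[fn] += 1
        if current.get(sub, MIN_SCORE) >= want:
            met[fn] += 1
    return {fn: met[fn] / total[fn] for fn in total}


if __name__ == "__main__":
    for name, prof in (("current", CURRENT_PROFILE), ("target", TARGET_PROFILE)):
        for err in profile_errors(prof):
            print(f"{name} profile: {err}")
    print("Prioritized gaps (Subcategory, current, target, gap):")
    for gap in profile_gaps(CURRENT_PROFILE, TARGET_PROFILE):
        print("  ", gap)
    for fn, frac in function_coverage(CURRENT_PROFILE, TARGET_PROFILE).items():
        print(f"{FUNCTIONS[fn]}: {frac:.0%} of Target outcomes met")
```

Two details matter in practice: a Subcategory that the Target Profile names but the Current Profile never assessed is counted as a gap of full size rather than silently ignored, and identifiers are validated up front so that a typo such as `XX.AM-1` in a spreadsheet-derived Profile surfaces before it distorts the per-Function coverage figures.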