A Primer on the NIST Cybersecurity Framework

Adverse security events make the news daily; from compromised personal information to ransomware.  The IoT (Internet of Things) has opened up all kinds of new possibilities for the bad guys.   These internet-connected devices that we bring into our homes / businesses are being exploited.[1]

Is your organization prepared to handle an adverse security incident?   There is a lot to consider and it can be overwhelming.  Perhaps the first step is deciding on a framework to assess and continuously manage your risk.

The National Institute of Standards and Technology (NIST) has produced a Cybersecurity Framework (CSF) to provide guidance based on standards and best practices to manage and reduce cybersecurity risks. The Framework was developed in response to Presidential Executive Order (EO) 13636, Improving Critical Infrastructure Cybersecurity(link is external), which was issued in 2013.

By 2020, more than 50% of organizations will use the NIST Cybersecurity Framework, up from the current 30% in 2015.”[2]  -Gartner

The CSF looks to become the gold standard.   It is also encouraging that organizations are recognizing and taking actions to reduce the cybersecurity risk. The NIST Cybersecurity Framework may be voluntary, but it offers potential advances for organizations across industries.

The Framework provides an assessment mechanism that enables organizations to determine their current cybersecurity capabilities, set individual goals for a target state, and establish a plan for improving and maintaining cybersecurity programs. It comprises three primary components: Profile, Implementation Tiers, and Core.

The Profile component enables organizations to align and improve cybersecurity practices based on their individual business needs, tolerance for risk, and available resources

Implementation Tiers help create a context that enables organizations to understand how their current cybersecurity risk-management capabilities stack up against the characteristics described by the Framework.

Tier 1 – Partial Risk management is ad hoc, with limited awareness of risks and no collaboration with others

Tier 2 –  Risk Informed Risk-management processes and program are in place but are not integrated enterprise-wide; collaboration is understood but organization lacks formal capabilities

Tier 3 – Repeatable Formal policies for risk-management processes and programs are in place enterprise-wide, with partial external collaboration

Tier 4 – Adaptive Risk-management processes and programs are based on lessons learned and embedded in culture, with proactive collaboration

This is a great assessment process that can be embraced by your business leaders as well as your technologists.

Next, there are five Core functions that make up the framework and the approach provides for flexibility.

“Functions can be performed concurrently and continuously to form an operational culture that addresses the dynamic cybersecurity risk.” [3]

Identify – this is the foundation.  One must understand the business assets, data, process and context to the business.   Asset management, governance, risk assessment and management are all defined here.

  • Protect– define and implement safeguards to prevent or limit the effect of a cybersecurity event.
  • Detect – define and implement continuous monitoring as well as anomaly detection.   The goal is for timely discovery of an event.
  • Respond – define the actions to be taken if an adverse event is discovered.  Containment and mitigation but also communications and continuous improvement
  • Recover – develop plans that support a timely recovery to normal operations.

These five functions are easy enough to understand.   Under each function are categories and sub-categories as well as relative references.   This framework provides the starting point and a common language for organizations to take the necessary steps to address cybersecurity.

[1] https://isc.sans.edu/forums/diary/The+Short+Life+of+a+Vulnerable+DVR+Connected+to+the+Internet/21543/

[2]  Gartner: Best Practices in Implementing the NIST Cybersecurity Framework January 21, 2016

[3] https://www.nist.gov/sites/default/files/documents/cyberframework/cybersecurity-framework-021214.pdf


© Corporate Technologies, Inc.   |  Privacy & Legal