You Need to Implement The NIST Cybersecurity Framework, Now!

NIST (National Institute of Standards and Technologies), a division of the United States Department of Commerce, is in charge of developing metrics, standards, and technology to promote innovation and competitiveness in the field of science and technology. With the number of cybersecurity attacks on the rise, the NIST Cyber Security Framework was created to assist various organizations in improving their security posture. NIST CSF was created in conjunction with security professionals from the private sector and government agencies, and it is currently being used by a growing number of businesses throughout the world to design their own security frameworks. This article delves into the specifics of this framework as well as the advantages of implementing it.

What is the NIST Cybersecurity Framework?

The NIST Cybersecurity Framework is a tool that may be used by organizations of any stature and in any industry to identify and manage cyber risks. This framework lays forth a set of guiding principles for identifying security risks and vulnerabilities in an organization’s IT infrastructure, as well as assisting in the development of security policies, procedures, and countermeasures to mitigate the risk posed by these threats.

The purpose of designing this framework is to provide organizations with guidance on cyber risk management that aligns with their overall business goals and assists them in making better decisions on the implementation of cost-effective security controls. The use of this framework is not mandatory, however, it is highly recommended.

Benefits of NIST CSF implementation:

Some of the benefits offered by the implementation of this framework are as follows:

  • Better understanding and improvement of an organization’s security posture
  • Identification of organization’s most valuable IT assets
  • Increased visibility into security threats, and the vulnerabilities present in the organization’s IT infrastructure
  • Better understanding of the security risks faced by the organization
  • Effective communication of these risks to the relevant stakeholders that helps them make educated business decisions
  • Development and implementation of cost-effective security controls
  • Very flexible framework and easily customized according to the organization’s business objectives and security requirements
  • Helps organizations build the foundation of a strong cyber security framework
  • Assists organizations achieve compliance with security laws and regulations

NIST Framework Components:

The NIST Cyber Security Framework is made up of three major components: Core, Implementation Tiers, and Profiles. The next section goes through each of these components in detail:

1. Core:

The core of the framework is a list of desired cyber security activities and outcomes, arranged in order of significance to the enterprise. The Core emphasizes the use of non-technical language to make it easier for different departments to share their outcomes. It also gives the organization guidance on how to incorporate this framework into its current cybersecurity and risk management processes. The Framework Core is comprised of five distinct functions comprised of several categories, subcategories, and informative references to existing security standards and recommendations relevant to each subcategory. These functions should not be performed only once, but rather on a constant basis in order to deal with emerging threats and risks. Each of these functions is discussed below:

Identify:

This function requires organizations to develop an understanding of the context in which it operates, their valuable information assets, critical business functions, and the infrastructure that supports these functions. This organizational understanding then assists in the identification of the risks faced by its people, systems, information assets, and capabilities. It also enables the organization to prioritize its efforts towards the management of these risks that are in line with its overall business and security requirements. The categories included in this function are given below:

Asset Management: This category requires the organization to carry out a comprehensive inventory of all the physical devices, systems, software, and applications. It also requires the mapping of information flows between different systems inside and outside the organization. Organizational assets must be classified according to their value/criticality with a clear definition of roles and responsibilities.

Business Environment: This category requires the organization to identify its role in the supply chain and critical infrastructure. It also requires the organization to understand and prioritize its objectives and mission-critical functions. The organization must also identify its reliance on third parties to fulfill any of these functions, as well as the requirements for their continuity.

Governance: This category requires the establishment of organizational policies and procedures that clearly identify roles and responsibilities across the organization. It also requires that all legal and regulatory obligations, as well as the requirements for cyber risk management, be addressed throughout the development of organizational policies and procedures.

Risk Assessment: This category requires the organization to identify, assess and prioritize the risks associated with its assets, mission-critical business functions/operations, reputation, and individuals.

Risk Management: This category necessitates that the organization devises a risk management strategy for dealing with the risk based on its severity (i.e. accept the risk, avoid the risk, transfer the risk or mitigate the risk). It also necessitates that the organization defines its risk appetite in proportion to its role in critical infrastructure.

Supply Chain Risk Management: This category requires the organization to document its third-party suppliers and contractors as well as establish the process for managing the risk associated with the supply chain. The organization should ensure that these contractors should maintain the same level of security that is required by the organization.

Protect:

This function requires the organization to develop and implement appropriate security controls in order to mitigate the risks due to different threats. These controls should be able to contain or minimize the damage caused due to a security incident. The categories included in this function are as follows:

Identity Management, Authentication, and Access Control: This category requires the implementation of suitable access controls in order to control and restrict unauthorized access to the organization’s facilities, as well as its physical and logical assets.

Awareness and Training: This category requires organizations to create and conduct cyber security awareness education programs for their employees. It also requires providing special training to the employees that will help them to carry out their job duties in a manner that is consistent with the organization’s security policies and procedures.

Data Security: This category requires the organization to safeguard both data at rest (stored on a device) and data in motion (data traveling over some network). It also necessitates the establishment of secure methods for data transfer, as well as for data removal and disposal. It also requires the establishment of suitable security controls to ensure the confidentiality, integrity, and availability of the data, as well as mechanisms to prevent data exfiltration.

Information Protection Processes and Procedures: This category requires that organizations examine, test, update, maintain, and implement their security policies, procedures, and processes on a regular basis. Some of the important processes covered by this category include configuration change control processes, data backup processes, incident response plans, disaster recovery plans, business continuity plans, data destruction processes, personnel screening, de-provisioning processes, and vulnerability management.

Maintenance: This category requires organizations to maintain their systems up to date and repair them in accordance with their security policies. Any remote repair should be approved and carried out in such a way that unauthorized access is prevented. All maintenance and repair actions should be properly logged.

Protective Technology: This category requires the organizations to employ protective technology that ensures the security of their valuable assets as well as guarantees the resilience of their critical infrastructure. The implementation of the protective technology must be carried out in a manner that is consistent with the organization’s rules, policies and procedures.

Detect:

This function requires organizations to implement appropriate security mechanisms to detect cybersecurity-related events in their environment. The categories included in this function are given below:

Anomalies and Events: This category necessitates the establishment of a baseline of regular network/system/user activities, as well as the anticipated data flows. Any abnormal activity is thus identified based on this established normal, as well as the event data correlation from various sources, which aids in evaluating the potential impact of the events.

Continuous Monitoring: This category requires organizations to monitor and detect security events related to their systems and assets, such as the network environment, physical environment, personnel activity, and activity of external service providers. These detection mechanisms must also be used to verify the efficacy of the protective measures employed by the organization.

Detection Processes: This category requires organizations to ensure that the roles and responsibilities for detection activities are properly defined. In order to ensure the detection of new security threats and events, detection protocols, processes, and mechanisms must be maintained, tested, and enhanced.

Respond:

This function requires that the organization develop and implement security mechanisms that must take appropriate actions once a security event is detected. The following are the categories covered in this section:

Response Planning: This category requires organizations to initiate and activate their response plan as well as the associated procedures and processes to deal with security events.

Communications: This category requires organizations to develop processes and protocols for sharing the information relating to incident response activities with the internal as well the external stakeholders.

Analysis: This category requires that the authorized personnel analyze the incident thoroughly, comprehend its impact, perform triage forensics, and categorize the incident. The company must guarantee that its analysis activities are carried out in such a way that they can guide response and support efforts.

Mitigation: This category requires the isolation of affected assets by authorized security personnel in order to prevent the security incident from spreading, mitigate the damage, and resolve the incident.

Improvements: This category requires organizations to improve the response plan/activities by incorporating the lessons learnt from the present or past incidents and revising the incident response policy and procedures. This necessitates the adoption of techniques such as post-mortem and root cause analysis to avoid the incident from recurring and to ensure a proper response plan.

Recover:

This function requires organizations to develop and implement security controls that can recover and restore assets or critical business functions/services that were affected by the security incident. The categories included in this function are as follows:

Recovery Planning: This category requires organizations to activate the recovery plans and processes to recover/restore critical services or infrastructure, during or after the occurrence of the security incident.

Improvements: This category requires organizations to improve their recovery plans, and processes by incorporating the lessons learnt from the past/present security incidents and updating them.

Communications: This category requires organizations to develop processes for communication of recovery activities with internal and external stakeholders as well as the top management of the organization. It also requires the organization to appoint special persons in charge of communication with the media relations and to take proper steps to ensure the restoration of the organization’s reputation.

2. Implementation tiers:

The NIST CSF tiers provide organizations with extra information that assists them in defining how they view the state of their cyber risk management program. These tiers aid in determining the degree to which cyber risk is incorporated into the organization’s overall risk management activities. The purpose of these tiers is to help stakeholders define the target implementation tier, as well as the level of commitment and resources needed to achieve the desired state. The NIST CSF divides implementation tiers into four different categories. It is not required for all areas of the organization to be at the same tier. Different sections with different tiers help you to more effectively manage your resources by focusing on the areas that require more attention. Each of these categories is described below.

Partial: In the organization, there is no formal cyber risk management program, and cyber issues are dealt with as they arise. Organizations have minimal understanding of their cyber risk, and it is not incorporated into their broader risk management processes. In terms of cyber risk management, each department operates independently and there is no information exchange within the organization. The organization does not share or receive information from external threat intelligence sources. The company is unaware of its place in the bigger ecosystem and the risks posed by the cyber supply chain.

Risk Informed: At this level, the organization understands the risk posed by cyber threats, but risk management is not integrated into an organization-wide policy. Information about cyber risk management is exchanged informally within the company. Internal and external threats are used in cyber risk management operations, however, these operations are very seldom repeated on a regular basis. Although the organization is aware of the cyber supply chain risks, it does not take official measures to address them.

Repeatable: The organization now understands the risks due to the cyber threats as there is a formal policy in place and it gets updated with the changes in the business or with the changes in the threat landscape. The organization recognizes cyber supply chain risks and acts formally upon its risk management program. The organization regularly receives and shares information with external sources regarding threat intelligence. There is effective communication of risks to relevant stakeholders of the organization.

Adaptive: The organization is constantly adapting and improving its cybersecurity practices by incorporating the lessons learnt from security incidents which helps the organization deal with new and emerging threats. The organization actively participates in sharing and receiving threat information from external sources and acts upon threat intelligence. There is a unified approach to risk management within the organization and all the employees/suppliers are made aware of the cyber risks through the implementation of security policies, procedures, and security awareness training programs.

3. Profiles:

The framework profile is used to align the core elements of the framework (Functions, categories, subcategories) to the organization’s business objectives, risk appetite, and the resources available for cyber risk management. Profiles are used to identify the current state of the organization’s security program as well the description of its desired target state. The current profile describes the present state of its cyber risk management program. The target profile is used to describe the efforts required to achieve the desired state of the cyber security risk management program. The comparison of current and target profiles assists the organizations to address the security gaps and formulate a plan to achieve the desired profile.

The description of these profiles is not rigid, allowing for a very flexible approach to the implementation of these profiles. Depending upon the sector in which it operates, every organization can develop a different profile based on its unique business objectives, the obligations for compliance with laws and regulations, and the requirements for cyber risk management.

Interested in information security governance, risk and compliance? Enrol in MCSI’s MGRC - Certified GRC Expert.