First off, what is the National Institute of Standards and Technology (NIST) Cybersecurity Framework? It is a voluntary framework consisting of standards, guidelines and best practices for managing cybersecurity-related risk. As we all know, cybersecurity threats to critical infrastructure systems keep growing in complexity and connectivity. Cybersecurity risk puts the nation’s economy, public safety and health at risk, and it puts many organizations at risk as well. In general, the framework was created to support cybersecurity risk management. It is used to identify prioritized, flexible, repeatable, performance-based and cost-effective ways for organizations to better manage their security controls and their level of cyber risk.
With increased pressure from external and internal threats, organizations have to come up with a more consistent way to identify, assess and manage their cybersecurity risk. The approach can be used by an organization of any size, exposure level or level of cybersecurity sophistication. The framework can also be applied in any area of technology, including information technology, industrial technology, cyber-physical systems and connected devices. Since technology has expanded so much, the framework has to be open enough to support all devices regardless of brand and type. Understanding the organization’s business drivers and how security is used there, before trying to manage its cybersecurity risk, is one of the most effective ways to make the framework work for any organization.
The framework gives an organization a way to:
- Describe their current cybersecurity posture
- Describe their target state for cybersecurity
- Identify and prioritize opportunities for improvement within the context of a continuous and repeatable process
- Assess progress towards the target state
- Communicate among internal and external stakeholders about cybersecurity risks
The framework was created to complement other processes within an organization, such as a cybersecurity program and a risk management process, not to replace them.
The framework consists of three parts: the Framework Core, the Framework Implementation Tiers and the Framework Profile. The Framework Core presents industry standards, guidelines and practices in a way that allows communication about cybersecurity activities and outcomes across the organization. The Core is organized around five concurrent and continuous functions: Identify, Protect, Detect, Respond and Recover.
Each Framework Core function is as follows:
- Identify: develops an organizational understanding to help manage cybersecurity risk to systems, people, assets, data and capabilities
- Protect: develops and implements appropriate activities to help identify the occurrence of a cybersecurity event
- Detect: develops and implements appropriate activities to identify the occurrence of a cybersecurity event
- Respond: develops and implements appropriate activities to take action regarding a detected cybersecurity incident
- Recover: develops and implements appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired by a cybersecurity incident
The Framework Implementation Tiers provide context on how an organization views cybersecurity risk and the processes it has in place to manage that risk. The tiers range from Partial (Tier 1) to Adaptive (Tier 4). When selecting a tier, an organization should consider its current risk management practices, threat environment, legal and regulatory requirements, business/mission objectives and organizational constraints. The tiers are as follows: Tier 1 is the Partial tier, Tier 2 is the Risk Informed tier, Tier 3 is the Repeatable tier and Tier 4 is the Adaptive tier. Tier levels are distinguished by the organization’s level of risk awareness, the type of practices in place and the degree of engagement with external parties.
The Framework Profile is based on business needs, expressed as a selection from the framework’s categories and subcategories. Profiles are also used for self-assessment and for communication within and between organizations.
For continuous improvement, one should follow these steps and repeat them as needed:
Step 1: Prioritize and scope
Step 2: Orient
Step 3: Create a Current Profile
Step 4: Conduct a Risk Assessment
Step 5: Create a Target Profile
Step 6: Determine, Analyze and Prioritize Gaps
Step 7: Implement an Action Plan
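To make the Current Profile, Target Profile and gap-analysis steps concrete, here is an added Python example (not code from the NIST publication or from this essay). It assumes a 0–4 implementation score per subcategory and an optional priority weight coming out of the scoping step; the subcategory identifiers follow the framework's ID.xx-n naming style, and the profile scores and weights are constructed sample data.

```python
from dataclasses import dataclass

# Framework Core functions, keyed by the subcategory id prefix ("PR.AC-1" -> Protect).
FUNCTIONS = {"ID": "Identify", "PR": "Protect", "DE": "Detect",
             "RS": "Respond", "RC": "Recover"}
MAX_LEVEL = 4  # assumed scoring scale: 0 = nothing in place ... 4 = fully implemented

@dataclass(frozen=True)
class Gap:
    subcategory: str
    function: str
    current: int
    target: int
    priority: float  # (target - current) scaled by the Step 1 scoping weight

def function_of(subcategory: str) -> str:
    """Map a subcategory id to its Framework Core function name."""
    prefix = subcategory.split(".", 1)[0]
    if prefix not in FUNCTIONS:
        raise ValueError(f"unknown function prefix in {subcategory!r}")
    return FUNCTIONS[prefix]

def determine_gaps(current: dict, target: dict, weights=None) -> list:
    """Step 6: compare Current Profile with Target Profile; highest priority first."""
    weights = weights or {}
    gaps = []
    for sub, want in target.items():
        if not 0 <= want <= MAX_LEVEL:
            raise ValueError(f"target level for {sub} out of range")
        have = current.get(sub, 0)  # absent from the current profile = nothing in place
        if have >= want:
            continue                # target already met, so not a gap
        priority = (want - have) * weights.get(sub, 1.0)
        gaps.append(Gap(sub, function_of(sub), have, want, priority))
    return sorted(gaps, key=lambda g: (-g.priority, g.subcategory))

def coverage_by_function(current: dict, target: dict) -> dict:
    """Stakeholder view: share of the targeted level achieved per function."""
    achieved, wanted = {}, {}
    for sub, want in target.items():
        fn = function_of(sub)
        achieved[fn] = achieved.get(fn, 0) + min(current.get(sub, 0), want)
        wanted[fn] = wanted.get(fn, 0) + want
    return {fn: achieved[fn] / wanted[fn] for fn in wanted if wanted[fn]}

# Constructed sample profiles and weights, for illustration only.
CURRENT_PROFILE = {"ID.AM-1": 2, "PR.AC-1": 3, "DE.CM-1": 1, "RS.RP-1": 0, "RC.RP-1": 1}
TARGET_PROFILE = {"ID.AM-1": 3, "PR.AC-1": 3, "PR.DS-1": 2, "DE.CM-1": 3,
                  "RS.RP-1": 2, "RC.RP-1": 2}
WEIGHTS = {"DE.CM-1": 2.0, "RS.RP-1": 1.5}  # from Step 1 scoping decisions
```

Calling `determine_gaps(CURRENT_PROFILE, TARGET_PROFILE, WEIGHTS)` yields the ordered input to the Step 7 action plan, and `coverage_by_function` gives the per-function summary used when communicating with stakeholders.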
In conclusion, the Framework for Improving Critical Infrastructure Cybersecurity can be used by companies of various sizes and types. The cost of cybersecurity has grown greatly in the last few years because organizations have not implemented protocols to protect against threats. Using the framework to see business processes alongside security requirements will benefit every organization that decides to use it. The framework created by NIST was not created to get rid of any security program or risk management process, but to advance it by adding processes that benefit the program even more than before. By using the framework, one gains a better understanding of how to identify, protect against, detect, respond to and recover from incidents that may happen, and how to learn from them. As things change and recommendations are made, the framework will be updated based on the information provided, becoming more helpful and effective over time. The framework does not work the same way for everyone, so organizations need to learn how to make it work for them based on their business needs and security requirements; that is the only way to make the framework more effective and efficient.
NIST.gov (2018, April 16). Framework for Improving Critical Infrastructure Cybersecurity. Retrieved from https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf