The NIST Cybersecurity Framework: An Introduction to the 5 Functions
The NIST Cybersecurity Framework gives organizations a five-point structure to improve their cybersecurity posture. While the framework is not regulatory, it is widely considered best practice, and as such it offers organizations powerful ways to take charge of their cybersecurity strategy. By using the NIST Cybersecurity Framework, organizations can assess their exposure, evaluate their cybersecurity measures, and decrease risk.
Let’s take a closer look at what NIST entails and how each of the five points can work to improve cybersecurity.
“50% of American organizations are expected to have implemented the NIST CSF by 2020.” – Gartner IT research and NIST.
What Is the NIST Cybersecurity Framework?
The NIST Cybersecurity Framework was developed to assist organizations in becoming proactive about managing their risk. The NIST CSF is regularly used for cybersecurity planning and is trusted because of its reputation as a best practice.
The NIST Cybersecurity Framework includes a core of prescriptive activities and control techniques for improving cybersecurity. NIST cybersecurity implementation tiers help every type of organization perform a self-assessment of its cybersecurity risk and mitigation strategies. The tiers help stakeholders understand how the organization compares to its peers and see where improvements are needed.
- Tier 1: Partial
- Tier 2: Risk-Informed
- Tier 3: Repeatable
- Tier 4: Adaptive
The framework encourages organizations to develop a current profile of data protection, then identify the targeted implementation tier. The tiers provide ways to measure improvement. Benchmarking allows organizations to determine opportunities where they can make the most direct improvements. By comparing their current level with their desired tier, organizations can then close the gaps between the two and create a road map that outlines actionable steps.
In this way, the NIST CSF encourages the continual improvement of security strategies, critical infrastructure, and mitigation of cybersecurity risks. It also helps the organization connect its business requirements, risk tolerance, and resources to the cybersecurity plan for greater clarity.
History of the NIST Cybersecurity Standards
The NIST CSF is also known as the Framework for Improving Critical Infrastructure Cybersecurity. It was originally developed in 2014 and deployed for the purpose of serving as the primary communications tool and cybersecurity measure between academic institutions or the United States Government—including any or all of its various agencies—and any non-governmental organizations that own, operate or supply critical infrastructure to a particular governmental body.
The NIST framework established fundamental processes and controls for optimal cybersecurity for organizations in all sectors, whether doing business with federal bodies or not. Today, it offers enterprises of all sizes, including small and medium-size businesses, the opportunity to apply risk management principles and best practices.
5 Points of the NIST Cybersecurity Framework
These five elements stand for the five pillars of a successful and holistic cybersecurity program, assisting organizations in developing a high-level cybersecurity risk management strategy.
The five functions of the NIST CSF all work continuously and concurrently. They act as the foundation upon which all other important elements are built for effective high-level risk management.
Identify
The NIST CSF requires organizations to understand their environment fully in order to manage cybersecurity risks at the data, asset, and systems levels. This is the point at which you evaluate the context of your business.
To comply with this aspect of the framework, organizations must thoroughly inventory and identify their assets. It is not enough to know what assets the organization owns; you must understand how the different pieces are connected and what roles or responsibilities employees have regarding data. Following are the five key categories within this function:
- Asset Management – Identifies personnel, data, devices, systems and facilities used to achieve core business purposes.
- Business Environment – Defines the organization’s objectives, mission, stakeholders, and general activities.
- Governance – Covers policies, procedures, and processes necessary to monitor and manage the business’s legal, risk, regulatory, environmental, and operational requirements.
- Risk Assessment – The understanding of the cybersecurity risks to all organizational operations, assets, and individuals.
- Risk Management Strategy – The establishment of an organization’s constraints, priorities, and risk tolerances, which are used to support operational decisions.
Keep in mind that the identify function, like the framework itself, is not static; it’s constantly growing and evolving. Threats, systems, and people change at a rapid pace, so it is important to stay vigilant and regularly repeat this crucial function.
Protect
Only once you have a full and accurate picture of these risks can you determine how your current cybersecurity policies protect your organization, and where they fall short. This function supports the ability to limit and contain any impact resulting from a cybersecurity event. Below are the six categories of safeguards that fall under protection, all designed to mitigate the impact of cyberthreats:
- Access Control – Access to your assets and network should be limited to the least possible privileges. Role-based access should be utilized for facility access, running processes, and user access to allow just enough access for each process/user to perform their job functions.
- Awareness and Training – Easy access to cybersecurity awareness education for the organization’s personnel and partners. Such training empowers your team to perform their information security-based responsibilities, pursuant to the organization’s policies, procedures, and agreements.
- Data Security – Management of the company’s sensitive data in accordance with the business’s risk strategy developed to protect the integrity, confidentiality, and availability of vital information.
- Information Protection Processes & Procedures – This refers to security policies, procedures, and processes maintained and used to manage the protection of the organization’s information assets and systems.
- Maintenance – Performed in accordance with the organization’s policies and procedures, maintenance also includes any necessary repairs of the industrial control and information system components.
- Protective Technology – Utilize a mixture of manual and automated tools to efficiently ensure optimal security and resilience of your systems and assets.
Detect
Speed matters when it comes to threat mitigation. Detection defines what is required to identify the occurrence of a cybersecurity event, and this NIST CSF function should ensure the timely discovery of such an event. The following categories support the quick detection of dangerous cybersecurity events on the horizon so that the proper response can be put into action.
- Anomalies and Events – Ensuring that all anomalies and events are detected as quickly as possible. This category requires you and your IT team to both detect and understand each individual event. You need to determine the definition of “detection in a timely manner,” according to any relevant regulations or compliance obligations for your organization and the responsibility owed to stakeholders.
- Security Continuous Monitoring – Monitoring your assets and information in real time, or at defined intervals, allows you to identify cybersecurity events and to ensure the effectiveness of protective measures for the network and physical activities.
- Detection Processes – Proper maintenance of detection systems to ensure their readiness at all times to reliably provide awareness of detected anomalous events.
Respond
This function supports the ability to contain the negative impact of any type of cybersecurity event. Response covers all activities that you may use to take action once a cybersecurity incident is detected. To do this, your organization must create a detailed response plan and analyze the effectiveness of the response following actual cybersecurity events. The five categories encompassed in this function are:
- Response Planning – Allows for timely response to detected cybersecurity events by well-maintained and properly executed processes and procedures.
- Communications – Response activities regarding communications between your organization and your internal and external stakeholders. At times, this may include the need to communicate with law enforcement agencies, depending upon the sensitive data your organization is holding.
- Analysis – Reviews done during response activities to ensure the correct process is followed and to support recovery activities.
- Mitigation – Activities performed to prevent the expansion of a cybersecurity event while also mitigating its effects and neutralizing or eradicating the event.
- Improvements – Each time an organization works through response activities, there are new opportunities to strengthen the process by incorporating lessons learned through detection and response. Your team should review what worked and what didn’t work and update your response plan accordingly.
Recover
Getting back to business as usual is a top priority. To streamline and speed up recovery, it’s crucial to develop a plan before you need it. This function offers a chance to identify the best activities for organizational resilience. It aims to restore capabilities and services that were impaired as a result of a cybersecurity incident. This entails recovering data that was lost, restoring capacities that were impaired, and ensuring everything is functioning as intended.
Following are the three important categories within the recover function:
- Recovery Planning – Organize recovery processes and procedures according to priority. The actions that are most critical to protecting systems and assets should be placed at the beginning of the plan. During the recovery, your team should be able to move from the highest priority down the list to quickly accomplish tasks.
- Improvements – After the systems are running again, your organization should review the event and take note of important lessons learned in the process. The recovery plan should then be updated to reflect what you’ve learned.
- Communications – In order to restore activities, it’s important to coordinate with internal and external parties. Such parties may include internet service providers, victims, vendors, owners of attacking systems, and coordinating centers.
Gain Peace of Mind About Your Cybersecurity
Knowing more about the NIST Cybersecurity Framework, you can review your organization’s posture with a critical eye and make changes that deliver powerful protection from cyberthreats. Let I.S. Partners assist you with IT assurance. We offer cybersecurity assessments modeled on the NIST Cybersecurity Framework. These assessments help you move from being reactive to being proactive.