The NIST Cybersecurity Framework: An Introduction to the 5 Functions
To accompany our recently launched National Institute of Standards and Technology (NIST) 800-171 Assessment Services, we thought it might help to dig a little deeper into the Cybersecurity Framework and its crucial five functions.
A Quick Overview of the Basics of the NIST Cybersecurity Framework
The NIST Cybersecurity Framework is also known as the Framework for Improving Critical Infrastructure Cybersecurity (“The Framework”). The Framework was originally developed and deployed for the purpose of serving as the primary communications tool and cybersecurity measure between academic institutions or the United States Government—including any or all of its various agencies—and any non-governmental organizations that own, operate or supply critical infrastructure to a particular governmental body.
Basically, The Framework establishes the necessary processes and fundamental controls for optimal cybersecurity for organizations in all sectors, whether doing business with federal bodies or not. Further, it offers enterprises of all sizes—including small and medium-size businesses—the opportunity to apply risk management principles and best practices.
At its core, The Framework gives all types of organizations the ability to regularly upgrade security strategies and to build and maintain a resilient critical infrastructure to manage cybersecurity risks.
Take a Closer Look at the 5 Functions of the NIST Cybersecurity Framework
The Five Functions of the Framework all work continuously and concurrently, and they are the backbone of the Framework around which all other important elements orbit and organize.
The elements comprising the Five Functions were chosen because they stand for the five pillars of a successful and holistic cybersecurity program. These functions are particularly effective because they work together as a shortcut that helps organizations determine and express their management of cybersecurity risk at a high level while still easily facilitating risk management decisions.
Each function is critical to the Framework, so let’s take a look at each one in its own right, as well as how it works in tandem with the other functions.
Identify is the first function in the Framework and its purpose is to create an organizational understanding of the management of cybersecurity risk to an organization’s systems, data, assets and overall capabilities.
As the first function, Identify is the point at which you evaluate the context of your business. Once you’ve done that, you can proceed to assess the systems you have to help you support your critical business activities and what cybersecurity risks lie in wait in today’s threat landscape. Finally, the Identify Function allows you to prioritize your cybersecurity efforts and strategies to mitigate your company’s risk.
Keep in mind that the Identify Function, like the Framework itself, is not static; it is constantly growing and evolving. Threats, systems and people change at a rapid pace, so it is important to constantly stay vigilant and regularly repeat this crucial function.
Following are the five key categories covered by the Identify Function, along with details about their respective purpose:
Asset management identifies personnel, data, devices, systems and facilities used to achieve core business purposes.
Defines the organization’s objectives, mission, stakeholders and general activities.
Covers policies, procedures and processes necessary to monitor and manage the business’s legal, risk, regulatory, environmental and operational requirements.
The understanding of the cybersecurity risks to all organizational operations, assets and individuals.
Risk Management Strategy.
The establishment of an organization’s constraints, priorities and risk tolerances, which are used to support operational decisions.
After IT leaders perform all five steps in the Identify Function, they can move on to the Protect Function of the Framework, which provides an outline of the possible appropriate safeguards intended to ensure proper functioning and effective delivery of critical infrastructure services. The Protect Function supports your ability to limit and contain any impact resulting from a cybersecurity event.
Explore more details about the six categories within the Protect Function:
Limits access to at-risk assets and any associated facilities to authorized processes, devices and users. Limitations also cover access to authorized transactions and activities.
Awareness and Training.
Easy access to cybersecurity awareness education for the organization’s personnel and partners. Such training empowers your team to perform their information security-based responsibilities, pursuant to the organization’s policies, procedures and agreements.
Management of the company’s information and records in accordance with the business’s risk strategy developed to protect the integrity, confidentiality and availability of vital information.
Information Protection Processes and Procedures.
Security policies, procedures and processes maintained and used to manage the protection of the organization’s information assets and systems.
Performed in accordance with the organization’s policies and procedures, the maintenance and any necessary repairs of the industrial control and information system components.
Technological security includes any solutions procured, managed and used to ensure optimal security and resilience of systems and assets.
The Detect Function is important because it defines the requisite activities needed to identify the occurrence of a cybersecurity event. This function also allows for the timely discovery of a cybersecurity event. Basically, once you have your identification criteria and means of protection, you need solid alert tools and strategies to notify you when a dangerous cybersecurity event is on the horizon.
The Detect Function features three very important categories:
Anomalies and Events.
Ensuring that any anomalies and events are detected in as timely a manner as possible. This category requires you and your IT team to both detect and understand each individual event. You need to determine the definition of “detection in a timely manner,” according to any relevant regulations for your organization, as well as your sense of responsibility to your stakeholders.
Security Continuous Monitoring.
Monitoring your assets and information in real-time, or at discrete intervals, allows you to identify cybersecurity events and to ensure the effectiveness of protective measures regarding the network and physical activities.
Proper maintenance of detection processes helps ensure readiness at all times to reliably provide awareness of anomalous events.
The Respond Function includes all activities that you may use to take action once you have detected a cybersecurity incident. This function supports the ability to contain the negative impact of any type of cybersecurity event.
Following are five categories encompassed within the Respond Function:
Response planning allows for timely response to detected cybersecurity events by well-maintained and properly executed processes and procedures.
Response activities regarding communications between your organization and your internal and external stakeholders. There are times when such occurrences may include the need to communicate with law enforcement agencies.
Analysis is performed during the Respond Function to ensure proper response and support recovery activities.
Mitigation activities are important to perform so you can prevent the expansion of a cybersecurity event while also mitigating its effects and neutralizing or eradicating the event.
Each time an organization works through response activities, there are new opportunities to improve the process by incorporating lessons learned through the current and any previous detection and response sessions.
The Recover Function offers a chance to identify the best activities to maintain plans for organizational resilience. This function also provides the opportunity to restore any capabilities and services that might have been impaired as a consequence of a cybersecurity incident.
Reaching this important function means you have performed all the necessary functions to arrive at the best possible outcome for your organization when dealing with a cybersecurity event.
Following are the three important categories within the Recover Function:
Recovery Planning.
The processes and procedures used during Recovery are executed and maintained, giving you the chance to ensure timely restoration of systems and assets involved with a cybersecurity event.
Incorporating lessons learned during Recovery planning and processes can help you to improve for future activities and possible cybersecurity events.
In order to restore activities, it is important to coordinate with internal and external parties. Such parties may include Internet Service Providers, victims, vendors, owners of attacking systems and coordinating centers.
The 5 Functions of the Framework Work Together to Offer You a High-Level Risk Management Approach
These functions work together to offer you a strategic approach to effective high-level risk management strategies for optimal cybersecurity in your organization.
Would You Like to Learn More About the NIST Cybersecurity Framework?
If you are working with a federal agency, or you are planning to, you may need more information about your cybersecurity responsibilities in such an environment. Our team at I.S Partners, LLC. can help you determine just what you need to do to achieve and maintain compliance in any environment.
Call us at 215-675-1400, launch a chat session or send us a message to learn more!