With growing interconnectedness and the ever-larger amount of information and digital assets that organizations store and process, one of today's biggest challenges is protecting that information.
At the same time, cyber attacks have become more widespread and sophisticated, impacting the critical infrastructures of many organizations and gaining access to their most valuable assets. Besides investing in technology, organizations should turn to relevant policies and industry-standard frameworks to better inform their practices. It's a critical step toward keeping data and systems secure and managing cybersecurity risk effectively.
A cybersecurity framework is a set of standards, guidelines, common language and best practices that organizations use to better manage cybersecurity risks and improve their cybersecurity programs. These highly beneficial tools also help organizations communicate more effectively, both internally and with third parties, in areas that include sharing information about attacks.
One such framework is the NIST Cybersecurity Framework, widely considered the gold standard for addressing and managing security risk in a cost-effective way, based on the business needs of an organization. While we mentioned it briefly in our incident response article, today we'll delve deeper into the NIST Cybersecurity Framework and get familiar with its components and guidelines.
- NIST Cybersecurity Framework 101
- Framework Core
- Framework Implementation Tiers
- Framework Profiles
- How to use the NIST Cybersecurity Framework
NIST Cybersecurity Framework 101
Created by the National Institute of Standards and Technology (NIST), a government agency that works in many areas of technology, this framework for improving critical infrastructure cybersecurity filled the gap created by a lack of unified standards for cybersecurity and risk management across organizations.
This particular set of standards, guidelines and practices is considered a staple for any organization working to build or improve its cybersecurity program, as well as its ability to prevent, detect, respond to and recover from cyber attacks.
NIST describes the Framework as a risk-based approach to cybersecurity risk management and as such, it contains three components: Core, Implementation Tiers and Profiles. Each component fortifies the connection between activities that drive the operational and financial results of a business and cybersecurity activities in that business.
The Framework Core is a combination of cybersecurity activities that presents industry standards, guidelines, practical references and key industry cybersecurity outcomes for managing cybersecurity risk. It's made of five Functions that present a general view of the lifecycle of an organization's risk management process. Each of these Functions consists of Categories and further Subcategories, which are matched with examples—Informative References that contain existing standards and guidelines for each Subcategory.
Implementation Tiers (or just Tiers) provide organizations with a way to evaluate their current cybersecurity posture, how they view risk, and what processes they have in place to manage cybersecurity risk. They reflect approaches to managing risk that range from informal and reactive to more risk-informed and resilient.
Framework Profile components represent the 'outcome' part of the framework, based on the business needs that an organization has chosen from the framework's categories and subcategories. An organization can use them to detect weak points and opportunities, and improve its security posture by comparing its Current Profile with a Target Profile.
Framework Core
As mentioned, the NIST Framework Core provides a compilation of activities that help organizations achieve specific outcomes, all with practical examples that will guide them to those outcomes. It contains references to industry standards, guidelines, and practices that allow for the communication of cybersecurity activities and outcomes across the organization. Designed to improve existing cybersecurity practices in an organization, the Core's four elements—Functions, Categories, Subcategories, and Informative References—are directed at specific goals:
Functions organize basic cybersecurity activities at their highest level: Identify, Protect, Detect, Respond, and Recover. They act as an outline for security measures and processes that all organizations should have in place. Functions help organizations communicate cybersecurity activities at every level, from day-to-day operations up to the executive level, and present a security lifecycle that aids in addressing threats and learning from previous activities.
Categories represent segments of functions and present groups of cybersecurity activities that are more detailed than the generalized functions. Some examples of categories are data security, awareness training, access control, among others.
Subcategories go further into detail than categories, showing specific outcomes as well as technical and management activities. They support each achievement of an outcome for a category. Examples include established information security policies, identified and documented vulnerabilities and network threats and the like.
Informative References point to specific industry standards, guidelines and practices. They are citations to related cybersecurity activities from other standards or guidelines, and they provide additional information on how to achieve the outcomes in each subcategory.
The 5 Core Functions
Now that we have a general overview of the Framework Core, it's important to get into the nitty gritty of each of the functions and their categories and how you can implement them in your organization.
The first of the Framework's five functions, Identify also provides the foundation for all other cybersecurity activities. Following this function, your organization will be able to pinpoint all critical systems and assets of your infrastructure, increasing visibility, which is of the utmost importance with advancements in cloud computing and the increase in shadow IT. After all, you can't secure what you can't see. At the same time, it helps prioritize actions that will protect the critical areas first, as they usually hold the most sensitive data (such as intellectual property, customer data, and financial records). Categories in the Identify function are: Asset Management, Business Environment, Governance, Risk Assessment, and Risk Management Strategy.
Once the critical infrastructure and assets are identified and prioritized in the first function, it's time to prioritize your cybersecurity activities around protecting them. True to its name, the Protect function boosts your organization's capability to minimize the effects of cybersecurity incidents and helps you develop the defenses it needs. It also focuses on awareness of threats across the entire organization and puts focus on both protective technology and processes. Categories in the Protect function are: Access Control, Awareness and Training, Data Security, Information Protection Processes and Procedures, Maintenance, and Protective Technology.
Even if, while going through the first two functions, you successfully identified the assets and infrastructure in need of protection and developed safeguards around them, there's still a chance that you'll suffer a security breach or incident. This is why the Detect function has you developing and implementing measures that allow the timely detection of security events. Categories in this function include Anomalies and Events, Security Continuous Monitoring, and Detection Processes.
Once you've detected a security incident, what comes next? Responding to it. The Respond function is concerned with developing and implementing cybersecurity activities that will respond to a detected security incident and minimize its effects in the scenario of a full-fledged cyber attack. Its categories include Response Planning, Communications, Analysis, Mitigation, and Improvements (many of which we have detailed in our article exploring incident response).
After you've suffered a security breach or an incident, however important your actions were during detection and response, your actions in the aftermath are equally important. Addressing the Recover function, your organization will work to develop and implement a plan for restoring any systems affected by the incident, reducing its impact and building resilience against any future recurrence of the attack. Recover function categories include Recovery Planning, Improvements, and Communications.
Framework Implementation Tiers
The NIST Framework wasn't designed to be used by all organizations on a one-size-fits-all basis. Depending on their current cybersecurity posture, some organizations might already have advanced risk management practices and security programs, while small and medium-sized businesses might only be starting to build their own and aren't that risk-aware.
The Implementation Tiers range from Tier 1 to Tier 4, and NIST highlights the fact that they don't represent maturity levels, but describe how an organization views cybersecurity risk and the processes it has in place to mitigate it. NIST encourages organizations to consider moving up to Tier 4, but only when that is a proper solution for reducing their risk level and, at the same time, realistic in terms of cost-effectiveness. The Tiers are defined along three dimensions: Risk Management Process, Integrated Risk Management Program and External Participation.
Tier 1: Partial
Tier 1 marks the beginning of the cybersecurity risk management journey for your organization. At this Tier, organizational risk management practices are not formalized and are executed in a reactive, rather than proactive, manner. There is also a lack of prioritization of cybersecurity activities along with limited awareness of cybersecurity risks and threats across the organization. Risk management, if present, is performed on a case-by-case basis and the organization isn't equipped with processes that enable information sharing within, nor does it have any in place for collaborating with third parties.
Tier 2: Risk Informed
At Tier 2, an organization is beginning to formalize its cybersecurity program and risk management process. Management has approved risk management practices, although an organization-wide policy hasn't yet been established—but the prioritization of cybersecurity activities is well-informed, based on the threat landscape and business objectives. Organization-wide cybersecurity awareness exists, and the staff has the resources required to perform their cybersecurity activities. There is still no formal external sharing of cybersecurity information, although the organization does know its part in the ecosystem.
Tier 3: Repeatable
Now we arrive at the more advanced cybersecurity programs. Here, risk management practices are formally expressed as policy, and cybersecurity practices are regularly updated with changes in the organization's risk exposure, threat landscape, and business needs. The entire organization maintains a high level of awareness, with staff possessing the right skills and knowledge to perform their roles and cybersecurity duties. The organization is aware of its relationship with partners and the ecosystem and has an open cybersecurity information sharing channel that enables collaboration.
Tier 4: Adaptive
If you find your organization at Tier 4—congratulations! This means that you have reached the holy grail of an adaptive approach to cybersecurity risk management, and that your cybersecurity practices are regularly refreshed with a look at both past incidents and lessons learned, as well as the current threat landscape and future predictions. Responding to threats is advanced, adaptive and performed in a timely fashion. Cybersecurity culture across the organization is at its highest level, and the organization actively shares information with partners, contributing to better responses to cybersecurity events while equally ingesting outside information.
Framework Profiles
The Framework Profile aligns the Functions, Categories, and Subcategories with business needs, tolerance for cybersecurity risk and the resources the organization currently possesses. Using the Profile, your organization can work to establish a process for reducing risk that is aligned with industry best practices, regulatory compliance and business goals. At the start, you can use Profiles to determine your current state as well as the desired state of specific cybersecurity activities; creating the Current and Target Profiles can help you identify any gaps that need to be addressed on your road to advancing your cybersecurity posture and risk management.
How to use the NIST Cybersecurity Framework
Now that you're familiar with all the details and components of the NIST CSF, you are ready to implement it in your organization. But what are all the ways in which you can use the Framework? Should you ditch your existing processes and replace them with this industry standard? Quite the contrary. NIST recommends that organizations use the Framework as a way to complement their current cybersecurity practices, determine the gaps in their current risk approach and begin working on improvements.
As a powerful risk management tool, the Framework can be used in these three distinct ways:
Review your current cybersecurity practices
Using the cybersecurity activities described in the Framework Core, your organization can conduct a basic review of your current practices and see how they compare to the different Tiers. Do they achieve the desired outcomes from the five functions? How does your Current Profile compare to the Target Profile? The review thus identifies gaps and room for improvement (whether or not the improvements follow the Framework exactly). You might even discover that you are already achieving the desired cybersecurity outcomes and managing risk appropriately; this is why using the Framework as a reference point is an effective way of seeing where you stand.
Developing or improving your cybersecurity practices
One of the best ways to use the NIST Cybersecurity Framework, in our opinion, is to begin creating your cybersecurity practices, or to improve them. Starting with identifying business goals and priorities, your organization can then begin making decisions around securing the assets and systems that will be the focal point of improvement or development of new practices. Next is the identification of threats and vulnerabilities in those systems and assets. Following those steps is the risk assessment process that will help your organization determine the likelihood of a security incident and the impact it can have—all of which will help in building your Current Profile.
After building the Current Profile and going over the desired cybersecurity outcomes, you can create the Target Profile. A comparison between the two can give you an actionable and prioritized plan for improving your existing cybersecurity practices. All of the Categories, Subcategories and Profiles can be customized to your business objectives, current risk, threat landscape and budget, and further informed by external information such as industry-specific data, standards, regulations and the like.
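The Current-versus-Target comparison described above is easy to make concrete. The script below is an added example written for this article, not NIST's own tooling or a NIST-published Profile: it takes a Current Profile and a Target Profile expressed as Implementation Tiers (1 to 4, as listed in this article) per Framework Core category, weights each gap by a business-impact score, and returns a prioritized improvement list. The category and Function names are taken from the Framework Core as described above; the tier values, the impact weights (1 to 5) and the sample Profile are constructed for illustration and are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Iterable

# Implementation Tiers as listed in the article: 1 Partial to 4 Adaptive.
TIER_NAMES = {1: "Partial", 2: "Risk Informed", 3: "Repeatable", 4: "Adaptive"}
# The five Functions of the Framework Core, in the Framework's own order.
FUNCTIONS = ("Identify", "Protect", "Detect", "Respond", "Recover")


@dataclass(frozen=True)
class ProfileEntry:
    """One Framework Core category as it appears in both Profiles."""
    function: str       # one of the five Functions
    category: str       # category name from the Framework Core
    current_tier: int   # Current Profile: how the practice is performed today
    target_tier: int    # Target Profile: the state chosen from business needs
    impact: int         # constructed business-impact weight, 1 (low) to 5 (critical)


def validate(entry: ProfileEntry) -> ProfileEntry:
    """Reject entries that fall outside the Tier scale or the weight scale."""
    if entry.function not in FUNCTIONS:
        raise ValueError(f"{entry.category}: unknown function {entry.function!r}")
    for label, tier in (("current", entry.current_tier), ("target", entry.target_tier)):
        if tier not in TIER_NAMES:
            raise ValueError(f"{entry.category}: {label} tier must be 1-4, got {tier}")
    if not 1 <= entry.impact <= 5:
        raise ValueError(f"{entry.category}: impact must be 1-5, got {entry.impact}")
    return entry


def gap_score(entry: ProfileEntry) -> int:
    """Tiers still to climb, weighted by business impact.

    A target below the current tier is not a gap (score 0): the organization
    has deliberately chosen not to invest further in that category, which the
    article notes is legitimate when a higher Tier is not cost-effective."""
    return max(entry.target_tier - entry.current_tier, 0) * entry.impact


def prioritized_gaps(profile: Iterable[ProfileEntry]) -> list:
    """Categories whose Target exceeds Current, highest weighted gap first.

    Ties fall back to the Framework's Function order (Identify first, since it
    is the foundation for the other Functions), then to category name."""
    entries = [validate(e) for e in profile]
    gaps = [e for e in entries if e.target_tier > e.current_tier]
    return sorted(gaps, key=lambda e: (-gap_score(e), FUNCTIONS.index(e.function), e.category))


def summarize(profile: Iterable[ProfileEntry]) -> dict:
    """Headline numbers for a board-level summary of the gap analysis."""
    entries = [validate(e) for e in profile]
    gaps = prioritized_gaps(entries)
    return {
        "categories": len(entries),
        "with_gap": len(gaps),
        "on_or_above_target": len(entries) - len(gaps),
        "total_gap_score": sum(gap_score(e) for e in gaps),
        "top_priority": gaps[0].category if gaps else None,
    }


def render_report(profile: Iterable[ProfileEntry]) -> str:
    """Plain-text prioritized improvement plan, one line per open gap."""
    lines = [f"{'Rank':>4}  {'Function':<8}  {'Category':<32}  Current -> Target  Score"]
    for rank, e in enumerate(prioritized_gaps(profile), start=1):
        lines.append(f"{rank:>4}  {e.function:<8}  {e.category:<32}  "
                     f"{TIER_NAMES[e.current_tier]} -> {TIER_NAMES[e.target_tier]}  {gap_score(e)}")
    return "\n".join(lines)


# Constructed sample Profile: category names from the Framework Core, the tier
# values and impact weights are invented for this example.
SAMPLE_PROFILE = [
    ProfileEntry("Identify", "Asset Management", 1, 3, 5),
    ProfileEntry("Protect", "Access Control", 2, 4, 5),
    ProfileEntry("Protect", "Awareness and Training", 3, 2, 2),  # target below current: no gap
    ProfileEntry("Detect", "Security Continuous Monitoring", 1, 3, 4),
    ProfileEntry("Respond", "Response Planning", 2, 3, 3),
    ProfileEntry("Recover", "Recovery Planning", 3, 3, 4),       # already on target
]

if __name__ == "__main__":
    print(render_report(SAMPLE_PROFILE))
    print(summarize(SAMPLE_PROFILE))
```

The weighting is deliberately simple: a single impact score per category stands in for the likelihood-and-impact output of the risk assessment step. In practice you would derive that weight from the assessment itself and might work at Subcategory rather than Category granularity, but the structure of the comparison (two Profiles on the same Tier scale, a weighted gap, a sorted plan) stays the same.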
Communicating cybersecurity expectations with stakeholders
Because it uses a common language, the NIST CSF can be used to communicate requirements and current risk management practices to stakeholders. By using the Current Profile, you can show where the organization stands at that moment and compare it with competitors or industry averages. With the Target Profile, you can communicate to stakeholders or even external service providers (NIST gives the example of a cloud provider) the requirements for achieving a greater level of risk management in the organization. For a CISO, the NIST Cybersecurity Framework can be an irreplaceable asset for board-level communication.
While it might seem as though the NIST Cybersecurity Framework is a long, complex and challenging standard to understand and implement in your organization, it's a worthwhile process, as the Framework is widely used in both the government and private sectors. The benefits of implementing it are clear: it provides a better understanding of current security risks and ways to manage them, prioritizes activities, identifies mitigation strategies, helps measure the ROI of cybersecurity investments, can be as cost-effective as you need it to be, and improves communication with stakeholders across all departments through a common language.