One of the most common drawbacks of cybersecurity frameworks and standards is that they fail to make a sufficiently compelling case to business leaders. Many focus on the needs of IT teams and exhibit high technological complexity and technical challenges for implementation. Others are biased towards specific types of computing infrastructure or even specific vendors.
The NIST Cybersecurity Framework takes a different approach. It makes clear from the outset that cyber-risk is business risk. To that end, it is more a risk-management framework, and that is something business leaders are very familiar with. The NIST CSF controls span five function areas, 23 categories, and 108 subcategories to ensure comprehensive coverage.
The framework serves as voluntary guidance, drawing from widely adopted best practices and existing guidelines and standards. It also gives organizations complete flexibility over how they implement the framework and how they prioritize their information security strategies. Version 1.1, published in 2018, also places a greater emphasis on protecting supply chains.
Introducing the NIST Cybersecurity Framework phases
The NIST security control categories span five function areas that cover the entire lifecycle of cybersecurity-related incidents. Each of the 23 NIST CSF control categories is broken down into subcategories, of which there are 108 in total. These are directly tied to desired business outcomes. For example, the very first subcategory addresses physical device inventorying.
In addition to the Framework Core detailed above, there are two other main components – the Framework Implementation Tiers and the Framework Profile. The tiers provide context as to how the organization views its cybersecurity risk and how it manages it. The profiles represent the desired outcomes, prioritizations, and controls adopted specifically for your organization.
#1. Identify
The first phase of implementing the framework deals with evaluating your current environment and building out your risk profile. This involves inventorying every information-bearing device or virtual machine that makes up your environment and defining the roles and responsibilities of your stakeholders and workforce.
#2. Protect
The next phase deals with the protective measures to be applied to mitigate the risks identified in the first phase. This function area encompasses the technical, physical, and administrative measures required across six primary categories:
#3. Detect
The third phase covers an organization’s ability to detect threats and maintain full visibility over its computing environment. This plays a vital role in advanced and proactive security, since it guards against new and unknown threats as well.
#4. Respond
Next, organizations must have a clearly defined and documented process for responding to threats. This is vital for stopping attacks in progress and mitigating their effects before they lead to far-reaching consequences:
#5. Recover
The fifth and final stage is all about preparing for the worst-case scenario. Regardless of how sophisticated your detection and response capabilities are, it is vital that you have a process in place for recovering from an incident, such as a data breach, with as little damage to your business, clients, and stakeholders as possible.
Charles IT is Connecticut’s premier compliance and information security expert. We offer the full range of managed technology solutions and consultancy services to ensure your business is up to speed with the latest threats. Get in touch today to schedule a meeting!