The NIST Cybersecurity Framework provides a systematic methodology for managing risk in your organization across the entire incident lifecycle. Although the framework is not intended to replace an organization’s risk-management practices, it can help standardize your strategy by managing risk company-wide.
Alongside the Framework Core and Implementation Tiers, Profiles are a core component of the framework. Since compliance with the framework is not a legal mandate, businesses have complete flexibility over how they apply it. This is important given that no two companies look the same when it comes to managing risk.
One of the first steps towards implementing the framework is to define your current and target profiles. Your current profile indicates existing information security outcomes being achieved, while the target profile details those you want to achieve in the future. These NIST CSF profile examples serve as the basis for your entire framework adoption strategy.
Who uses the NIST Cybersecurity Framework?
The framework was originally written with critical infrastructure in mind, which includes assets considered essential to the functioning of society and the economy. For example, public health and agriculture are often deemed part of critical infrastructure. However, the framework has since been adopted by organizations across every industry as a way to add value and better prepare for future unknowns.
As one of the world’s leading authorities on information security, NIST draws from numerous best practices, regulatory standards, and other frameworks. The Framework Core is broken down into five function areas, 23 categories, and 108 subcategories and dozens of resources, such as national and international standards and compliance regimes. The function areas are at the top of this hierarchy, and are meant to highlight the role of each individual stage of the risk-management lifecycle.
Since you can’t protect what you don’t know, the first function area concerns identifying your information-bearing resources and the risks facing them. The first step is to create an up-to-date list of all equipment and software you use, including virtual computing resources such as cloud-hosted apps and virtual machines and servers.
People play a vital role too. To that end, proven NIST CSF profile examples always address the unique roles and responsibilities of your stakeholders, employers, suppliers, and everyone else who may have access to sensitive data. Risks should also be qualified and quantified in order to prioritize their remediation effectively.
The next function area concerns the security measures put in place to mitigate the risks facing your business and its information assets. For example, your target NIST CSF profile examples might mandate multifactor authentication for all account-based services, such as those hosted in the cloud. Other vital protective measures include endpoint encryption for company laptops and other devices, as well as end-to-end encryption for all data in transit. This function area also incorporates data backup processes, as well as policies for securely disposing of old data and devices.
Protective measures can only go so far to protect an organization’s assets. There is far more to a robust information security strategy than simply implementing reactive measures such as antimalware. You also need the capability to detect potential threats and security violations in real time.
Every asset under your responsibility should be monitored around the clock using a solution such as security incident and event management (SIEM). Devices and accounts must also be monitored for unauthorized or suspicious access attempts.
The fourth function area of the framework concerns what businesses are supposed to do in the event of an incident. Your target NIST profile should incorporate established protocols for investigating unusual activities, such as multiple failed login attempts or access attempts from unusual devices or locations.
A robust response plan should serve to stop incidents in their tracks, before they lead to data breaches, unplanned system outages, or other disasters with far-reaching consequences.
Unfortunately, no matter how robust your protective, detection, and response measures are, a disaster can still happen. This is why every organization should take the approach that it is not a matter of if a threat will make it past your defenses, but when.
The fifth and final function area of the framework addresses what to do after an attack in order to minimize any long-term damage. Your target profile should include methods for repairing and restoring equipment and data and keeping stakeholders and customers informed about your recovery activities. Once again, the roles and responsibilities of your employees should be clearly specified so that everyone on your team knows exactly what to do should the worst happen.
Charles IT is Connecticut’s premier compliance and security expert. We will help your business grow with expert guidance and dependable technology solutions. Get in touch today to learn more!