Preparing for NIST Cybersecurity Framework Compliance
The NIST Cybersecurity Framework is a set of guidelines and best practices for organizations seeking to improve their information security posture. While originally intended for the critical infrastructure sector, it has been widely adopted around the world across all industries as one of the most recognized standards.
Version 1.1 of the framework was released in April 2018 with an extended focus on protection of supply chains. This development is especially noteworthy now that supply chain attacks are on the increase and supply chains have grown to an ungovernable size without a proper strategy. The NIST CSF is now the most popular security framework in North America.
Understanding the main parts of the framework
NIST Cybersecurity Framework compliance encompasses three main components. The first is the framework core, which refers to a set of information security activities mapped to desired business outcomes.
One of the main advantages of the framework is that it uses key business drivers to guide cybersecurity strategy, rather than focusing directly and exclusively on technology itself. There are five concurrent and continuous functions in the framework, which deal with the entire risk-management lifecycle: Identify, Protect, Detect, Respond, and Recover. Each function area is further broken down into categories and subcategories giving actionable advice and additional resources.
The next part of the framework concerns implementation tiers. These describe the degree to which an organization’s existing risk-management practices align with the measures outlined in the framework. The range covers four tiers from partial implementation to adaptive security, which is the highest.
The third and final part is the framework profile. A profile represents the unique alignment of an organization's requirements, objectives, and current environment, together with its resources and risk appetite, against the desired outcomes taken from the framework core. Profiles help organizations identify the areas most in need of improvement and prioritize remediation measures accordingly.
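The profile comparison described above (current state against target outcomes, weighted by how much the organization cares about each area) is easy to put into working code. The following is an added example, not code from the original article or from NIST: the category identifiers follow CSF 1.1, but the sample profile, the 1..5 criticality weights, and the scoring rule (tier gap multiplied by criticality) are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List

# CSF 1.1 implementation tiers (Tier 1 is the lowest, Tier 4 the highest).
TIERS = {1: "Partial", 2: "Risk Informed", 3: "Repeatable", 4: "Adaptive"}


@dataclass(frozen=True)
class ProfileEntry:
    """One row of a framework profile: a core category with its current and target tier."""
    category_id: str      # CSF 1.1 identifier, e.g. "PR.AC"
    name: str
    current_tier: int     # where the organization is today
    target_tier: int      # where the target profile says it should be
    criticality: int      # hypothetical 1..5 business weight set by the organization

    def __post_init__(self):
        for tier in (self.current_tier, self.target_tier):
            if tier not in TIERS:
                raise ValueError(f"{self.category_id}: tier must be 1..4, got {tier}")
        if not 1 <= self.criticality <= 5:
            raise ValueError(f"{self.category_id}: criticality must be 1..5")

    @property
    def function(self) -> str:
        # The two-letter prefix is the framework function (ID, PR, DE, RS, RC).
        return self.category_id.split(".")[0]


def gap_score(entry: ProfileEntry) -> int:
    """Assumed scoring rule: tiers still to climb, weighted by criticality.
    A category already at or above its target contributes nothing."""
    return max(0, entry.target_tier - entry.current_tier) * entry.criticality


def prioritize(profile: List[ProfileEntry]) -> List[ProfileEntry]:
    """Remediation order: largest weighted gap first, ties broken by identifier."""
    return sorted(profile, key=lambda e: (-gap_score(e), e.category_id))


def function_tiers(profile: List[ProfileEntry]) -> Dict[str, int]:
    """Roll up to the five functions; a function is only as mature as its weakest category."""
    tiers: Dict[str, int] = {}
    for e in profile:
        tiers[e.function] = min(tiers.get(e.function, 4), e.current_tier)
    return tiers


# Constructed sample profile (values are invented for the example).
SAMPLE_PROFILE = [
    ProfileEntry("ID.AM", "Asset Management", 1, 3, 5),
    ProfileEntry("PR.AC", "Identity Management, Authentication and Access Control", 2, 4, 4),
    ProfileEntry("PR.AT", "Awareness and Training", 2, 3, 2),
    ProfileEntry("PR.DS", "Data Security", 3, 3, 5),
    ProfileEntry("DE.CM", "Security Continuous Monitoring", 1, 3, 3),
    ProfileEntry("DE.AE", "Anomalies and Events", 2, 3, 3),
    ProfileEntry("RS.RP", "Response Planning", 1, 2, 4),
    ProfileEntry("RC.RP", "Recovery Planning", 2, 2, 4),
]


if __name__ == "__main__":
    for fn, tier in function_tiers(SAMPLE_PROFILE).items():
        print(f"{fn}: Tier {tier} ({TIERS[tier]})")
    print("\nRemediation order:")
    for e in prioritize(SAMPLE_PROFILE):
        print(f"{gap_score(e):>3}  {e.category_id}  {e.name}  "
              f"(Tier {e.current_tier} -> {e.target_tier})")
```

Running it prints the weakest-tier rollup per function followed by the categories in remediation order; with the constructed profile, Asset Management comes first, which matches the article's point that inventorying the environment is the starting step.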
The importance of security awareness training
Implementing the entirety of the framework can be time-consuming and complicated, but the benefits are indisputable. However, in order for the implementation to be successful, it is vital that it has the complete support of management and any other key stakeholders. This is where NIST Cybersecurity Framework training comes in.
(ISC)2, the world's leading nonprofit cybersecurity organization, recommends that security leaders, decision-makers, and corporate stakeholders take an introductory course on the NIST Cybersecurity Framework. This gives them the opportunity not only to fully understand why it is so important, but also how to apply it broadly in their organizations.
Mapping your entire computing environment
The first step towards actually implementing the framework is to build a complete inventory of your computing assets, including all networking components and data-bearing devices. Then, leaders should build out their risk profiles and prioritize their remediation strategies. The NIST Cybersecurity Framework mapping process can be lengthy and arduous, especially in today’s highly complex hybrid and multi-cloud computing environments. However, it is very important simply because you cannot expect to protect what you do not know about.
Applying protection and detection measures
The second and third function areas of the framework cover protective measures and detective measures respectively. Protective measures include categories like identity management, authentication and access control; awareness and training; and data security. Precisely how companies address these measures is up to them, but common methods include anti-malware, intrusion detection and prevention, and enterprise-grade firewalls.
The Detect function encompasses areas like continuous monitoring, detection processes, and the management of anomalies and events. These functions can be outsourced in the form of managed detection and response (MDR) or security information and event management (SIEM) services.
Implementing incident response and recovery
The fourth and fifth function areas of the framework concern how organizations respond to an incident and how they recover from a disaster respectively. Incident response plans primarily serve to stop attacks in progress and mitigate their effects. By contrast, recovery places an emphasis on what to do in a worst-case scenario, such as a data breach. Every organization, no matter the sophistication of its prevention and detection measures, should take the view that it is not a matter of if a disaster will happen, but when.
When preparing for NIST Cybersecurity Framework compliance, business leaders must build a robust incident response and recovery plan that takes into consideration their appetite for risk, the criticality of specific systems, and their recovery time objectives and recovery point objectives (RTO/RPO).
Charles IT is a premier compliance and information security expert in Connecticut. Contact us today to schedule your first assessment!