The National Institute of Standards and Technology's (NIST) Cybersecurity Framework (CSF) was first published in February 2014. It was published in response to Presidential Executive Order 13636, "Improving Critical Infrastructure Cybersecurity", which called for a standardized security framework for critical infrastructure in the United States.
While there are many different frameworks for cybersecurity, the NIST CSF is recognized by many as a top contender to use when creating a cybersecurity strategy. At Mapletronics, we use NIST CSF as our framework of choice, and recommend it for our clients who do not have other frameworks that they must adhere to. While the NIST CSF is a great guideline for transforming the organizational security posture and risk management from a reactive to a proactive approach, it is very complex and can be difficult to dive into and implement.
The NIST cybersecurity framework has many complexities. To help break it down, we have put together this quick, high-level overview so non-technical people can gain some understanding.
The NIST CSF is comprised of five core functions known as the Framework Core. The functions are organized concurrently with one another to represent a security lifecycle. Each function has a very important place in the overall framework and is essential to a well-operating security
Identify: Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.
Protect: Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services.
Detect: Develop and implement the appropriate activities to identify the occurrence of a security event.
Respond: Develop and implement the appropriate activities when facing a detected security event.
Recover: Develop and implement the appropriate activities for resilience and to restore any capabilities or services that were impaired due to a security event.
Categories and Subcategories:
Here is where things begin to get complicated. There are 21 categories and over a hundred subcategories for each function mentioned above. The subcategories provide context to each category with reference to other frameworks such as COBIT, ISO, ISA, and others.
Tiers in the NIST CSF represent how well an organization views cybersecurity risk and the processes in place to mitigate risks. The main reasoning for tiers in the NIST CSF is to help organizations by giving them a benchmark on how their current operations stand. Here is a breakdown of each tier:
Tier 1 – Partial: Organizational cybersecurity risk is not formalized and is managed in an ad hoc and sometimes reactive manner. There is also limited awareness of cybersecurity risk management.
Tier 2 – Risk-Informed: There may not be an organization-wide policy for security risk management. Management handles cybersecurity risk management based on risks as they happen.
Tier 3 – Repeatable: A formal organizational risk management process is followed by a defined security policy.
Tier 4 – Adaptable: An organization at this stage will adapt its cybersecurity policies based on lessons learned and on analytics that provide insights and best practices. The organization is constantly learning from the security events that do occur in the organization and will share that information with a larger network.
An organization can use the NIST CSF to benchmark its current security posture. By going through each category and subcategory, organizations can determine where they stand on the NIST CSF Tier scale.
A Multi-Faceted Approach to Security
One way to help wrap your head around the NIST CSF is to think of protecting your own home and the assets inside of it. When you protect your home there are many different security procedures you follow.
To begin protecting your home, you probably have an idea of what you are protecting. You know, for example, that you have small children or a pet in the home, as well as valuable electronics and documents. Knowing that you have assets and loved ones in your home to protect, you most likely have a strategy in place to protect them. For example, you may have locks on all of your doors as well as an alarm system.
While this is great and meets one section of your home security needs, you also most likely have other resources in case the locks and alarms don't keep out an intruder, including a plan to call the police or insurance in case things inside your home get damaged or stolen. To recover if an intruder made its way inside and things were stolen, you likely have insurance to help recover and/or backup systems or documents.
All of these pieces mentioned above make up your home security "framework". A similar strategy should be used for your business's data.
The NIST CSF works on the same principles mentioned above. It works to create a comprehensive strategy to identify your business's assets, protect them, detect any intrusion or risks, and respond when necessary, and it includes strategies to recover.
The NIST CSF is a wonderful starting place and continual tool to use as your organization benchmarks its current security standards and creates plans to implement stronger cybersecurity initiatives. While understanding the basics of the framework is a great first step in protecting your organization from potential threats, to begin implementing the framework you most likely will need guidance from an expert in the industry.
Our team of security experts is here to help guide you through the challenges of modern-day cybersecurity threats and is ready to discuss how you can begin closing the gaps in your current security strategies today. Schedule a free security consultation to talk to an expert today.