National Institute of Standards and Technology (NIST)
NIST Cybersecurity Framework
Business frameworks play an integral part in the development of strategy and the execution of it. They provide a systematic approach to decision-making, allowing organisations to assess their current situation, identify areas for improvement, and develop plans for growth and success.
Cyber Security is no different … “You need a framework!”
Introduction
The National Institute of Standards and Technology (NIST) is a United States government agency and part of the US Department of Commerce.
The NIST Cybersecurity Framework (CSF) is one of the most widely used cybersecurity frameworks in the world, including in Australia. The CSF provides a basis for improved communication regarding cybersecurity expectations, planning, and the resources needed to manage cybersecurity risks.
It also offers a common vocabulary of high-level cybersecurity outcomes that can be used by any organisation regardless of its size, sector, or maturity to better understand, assess, prioritize, and communicate its cybersecurity efforts.
CSF Core
The CSF Core is organised around six Functions, GOVERN, IDENTIFY, PROTECT, DETECT, RESPOND and RECOVER, which group cybersecurity outcomes at their highest level.
CSF Organizational Profiles
A CSF Organizational Profile describes an organization’s current and / or target cybersecurity posture in terms of the Core’s outcomes.
The five (5) steps below illustrate one way that a business could use an Organizational Profile to help inform continuous improvement of its cybersecurity.
STEP 1.
Scope the Organizational Profile.
An organization can have as many Organizational Profiles as desired, each with a different scope.
Example:
A Profile could address an entire organization, or be scoped to an organization’s financial systems to counter ransomware threats.
STEP 2.
Gather the information needed to prepare the Organizational Profile.
Example:
Organizational policies, risk management priorities and resources, enterprise risk profiles, business impact analysis (BIA) registers, cybersecurity requirements and standards followed by the organization, practices and tools (e.g., procedures and safeguards), and work roles.
STEP 3.
Create the Organizational Profile.
Determine what types of information the Profile should include for the selected CSF outcomes, and document the needed information.
STEP 4.
Analyse the gaps between the Current and Target Profiles, and create an action plan.
Conduct a gap analysis to identify and analyse the differences between the Current and Target Profiles, and develop a prioritized action plan (e.g., risk register, risk detail report, Plan of Action and Milestones [POA&M]) to address those gaps.
STEP 5.
Implement the action plan, and update the Organizational Profile.
Follow the action plan to address the gaps and move the organization toward the Target Profile. An action plan may have an overall deadline or be ongoing.
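As an added example (not part of this page and not NIST's own material), the Python below represents a Current and a Target Organizational Profile as plain data keyed by the CSF 2.0 Category identifiers and carries out the Step 4 gap analysis, producing a prioritized action plan that Step 5 would then execute. It assumes each Category is rated on the 1 to 4 Tier scale (Partial to Adaptive), that a per-Category weight expresses business criticality, and that a Category absent from the Current Profile is at Tier 1; the profile ratings, the scope (a ransomware-focused Profile for financial systems, as in the Step 1 example) and the weights are constructed sample data.

```python
"""Added example, not NIST's or the page author's code: CSF 2.0
Organizational Profile gap analysis (Step 4) over Category identifiers.

Assumptions (mine): each Category is rated on the 1-4 Tier scale
(Partial..Adaptive); a per-Category weight models business criticality;
a Category missing from the Current Profile is treated as Tier 1."""
from dataclasses import dataclass
from typing import Optional

# CSF 2.0 Function and Category identifiers, as listed in the page's Table C.
CATEGORIES = {
    "GV": ["OC", "RM", "RR", "PO", "OV", "SC"],
    "ID": ["AM", "RA", "IM"],
    "PR": ["AA", "AT", "DS", "PS", "IR"],
    "DE": ["CM", "AE"],
    "RS": ["MA", "AN", "CO", "MI"],
    "RC": ["RP", "CO"],
}
ALL_IDS = [f"{fn}.{cat}" for fn, cats in CATEGORIES.items() for cat in cats]
TIERS = {1: "Partial", 2: "Risk Informed", 3: "Repeatable", 4: "Adaptive"}


@dataclass(frozen=True)
class Gap:
    identifier: str
    current: int
    target: int
    weight: int

    @property
    def priority(self) -> int:
        # Tier shortfall scaled by criticality; larger means act sooner.
        return (self.target - self.current) * self.weight


def validate_profile(profile: dict) -> None:
    """Reject identifiers outside the Core or ratings outside the Tier scale."""
    for ident, tier in profile.items():
        if ident not in ALL_IDS:
            raise ValueError(f"unknown CSF Category identifier: {ident}")
        if tier not in TIERS:
            raise ValueError(f"{ident}: Tier rating {tier!r} not in 1-4")


def gap_analysis(current: dict, target: dict, weights: Optional[dict] = None) -> list:
    """Return the Categories where Target exceeds Current, highest priority first.

    The Target Profile defines the scope (Step 1): Categories it omits are
    not assessed, whatever the Current Profile says about them."""
    validate_profile(current)
    validate_profile(target)
    weights = weights or {}
    gaps = []
    for ident in ALL_IDS:            # iterate in Core order for stable output
        if ident not in target:
            continue
        cur = current.get(ident, 1)  # assumption: unrated means Tier 1
        if target[ident] > cur:
            gaps.append(Gap(ident, cur, target[ident], weights.get(ident, 1)))
    gaps.sort(key=lambda g: (-g.priority, g.identifier))
    return gaps


def action_plan(gaps: list) -> list:
    """Render gaps as plan-of-action lines (a minimal POA&M, the Step 4 output)."""
    return [
        f"{g.identifier}: raise from Tier {g.current} ({TIERS[g.current]}) "
        f"to Tier {g.target} ({TIERS[g.target]}), priority {g.priority}"
        for g in gaps
    ]


# Constructed sample data: a Profile scoped to financial systems and
# ransomware, as in the Step 1 example. Ratings are illustrative only.
CURRENT_PROFILE = {"GV.SC": 1, "ID.AM": 3, "PR.AA": 2, "PR.DS": 1,
                   "DE.CM": 2, "RS.MI": 1, "RC.RP": 2, "PR.AT": 2}
TARGET_PROFILE = {"GV.SC": 3, "ID.AM": 3, "PR.AA": 3, "PR.DS": 3,
                  "DE.CM": 3, "RS.MI": 3, "RC.RP": 3}
WEIGHTS = {"PR.DS": 3, "RC.RP": 3, "DE.CM": 2}  # assumed criticality weights

if __name__ == "__main__":
    for line in action_plan(gap_analysis(CURRENT_PROFILE, TARGET_PROFILE, WEIGHTS)):
        print(line)
```

Two design points are worth noting. The Target Profile, not the Current one, sets the scope, so a Category rated in the Current Profile but absent from the Target (PR.AT above) is ignored rather than reported; and the sort key breaks priority ties on the identifier so that the plan is reproducible between runs, which matters when the output is fed into a risk register.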
CSF Tiers
An organization can also choose to use Tiers to inform its Current and Target Profiles.
Tiers characterize the rigor of an organization’s cybersecurity risk governance and management practices, and they provide context for how an organization views cybersecurity risks and the processes in place to manage those risks.
Table ‘A’ Notional Illustration of the CSF Tiers
Tier | Cybersecurity Risk Governance | Cybersecurity Risk Management |
Tier 1. Partial | Application of the organizational cybersecurity risk strategy is managed in an ad hoc manner. Prioritization is ad hoc and not formally based on objectives or threat environment. | There is limited awareness of cybersecurity risks at the organizational level. The organization implements cybersecurity risk management on an irregular, case-by-case basis. The organization may not have processes that enable cybersecurity information to be shared within the organization. The organization is generally unaware of the cybersecurity risks associated with its suppliers and the products and services it acquires and uses. |
Tier 2. Risk Informed | Risk management practices are approved by management but may not be established as organization-wide policy. The prioritization of cybersecurity activities and protection needs is directly informed by organizational risk objectives, the threat environment, or business / mission requirements. | There is an awareness of cybersecurity risks at the organizational level, but an organization-wide approach to managing cybersecurity risks has not been established. Consideration of cybersecurity in organizational objectives and programs may occur at some but not all levels of the organization. Cyber risk assessment of organizational and external assets occurs but is not typically repeatable or reoccurring. Cybersecurity information is shared within the organization on an informal basis. The organization is aware of the cybersecurity risks associated with its suppliers and the products and services it acquires and uses, but it does not act consistently or formally in response to those risks. |
Tier 3. Repeatable | The organization’s risk management practices are formally approved and expressed as policy. Risk-informed policies, processes, and procedures are defined, implemented as intended, and reviewed. Organizational cybersecurity practices are regularly updated based on the application of risk management processes to changes in business / mission requirements, threats, and technological landscape. | There is an organization-wide approach to managing cybersecurity risks. Cybersecurity information is routinely shared throughout the organization. Consistent methods are in place to respond effectively to changes in risk. Personnel possess the knowledge and skills to perform their appointed roles and responsibilities. The organization consistently and accurately monitors the cybersecurity risks of assets. Senior cybersecurity and non-cybersecurity executives communicate regularly regarding cybersecurity risks. Executives ensure that cybersecurity is considered through all lines of operation in the organization. The organization risk strategy is informed by the cybersecurity risks associated with its suppliers and the products and services it acquires and uses. Personnel formally act upon those risks through mechanisms such as written agreements to communicate baseline requirements, governance structures (e.g., risk councils), and policy implementation and monitoring. These actions are implemented consistently and as intended and are continuously monitored and reviewed. |
Tier 4. Adaptive | There is an organization-wide approach to managing cybersecurity risks that uses risk-informed policies, processes, and procedures to address potential cybersecurity events. The relationship between cybersecurity risks and organizational objectives is clearly understood and considered when making decisions. Executives monitor cybersecurity risks in the same context as financial and other organizational risks. The organizational budget is based on an understanding of the current and predicted risk environment and risk tolerance. Business units implement executive vision and analyse system-level risks in the context of the organizational risk tolerances. Cybersecurity risk management is part of the organizational culture. It evolves from an awareness of previous activities and continuous awareness of activities on organizational systems and networks. The organization can quickly and efficiently account for changes to business / mission objectives in how risk is approached and communicated. | There is an organization-wide approach to managing cybersecurity risks. Cybersecurity information is routinely shared throughout the organization. Consistent methods are in place to respond effectively to changes in risk. Personnel possess the knowledge and skills to perform their appointed roles and responsibilities. The organization consistently and accurately monitors the cybersecurity risks of assets. Senior cybersecurity and non-cybersecurity executives communicate regularly regarding cybersecurity risks. Executives ensure that cybersecurity is considered through all lines of operation in the organization. The organization risk strategy is informed by the cybersecurity risks associated with its suppliers and the products and services it acquires and uses. Personnel formally act upon those risks through mechanisms such as written agreements to communicate baseline requirements, governance structures (e.g., risk councils), and policy implementation and monitoring. These actions are implemented consistently and as intended and are continuously monitored and reviewed. |
Categories
Each Core Function of the Cybersecurity Framework is divided into Categories, which are related cybersecurity outcomes that collectively comprise the Function.
Table ‘C’ CSF 2.0 Core Function and Category names and identifiers
Function | Category | Identifier |
Govern (GV) | Organizational Context | GV.OC |
Govern (GV) | Risk Management Strategy | GV.RM |
Govern (GV) | Roles, Responsibilities, and Authorities | GV.RR |
Govern (GV) | Policy | GV.PO |
Govern (GV) | Oversight | GV.OV |
Govern (GV) | Cybersecurity Supply Chain Risk Management | GV.SC |
Identify (ID) | Asset Management | ID.AM |
Identify (ID) | Risk Assessment | ID.RA |
Identify (ID) | Improvement | ID.IM |
Protect (PR) | Identity Management, Authentication, and Access Control | PR.AA |
Protect (PR) | Awareness and Training | PR.AT |
Protect (PR) | Data Security | PR.DS |
Protect (PR) | Platform Security | PR.PS |
Protect (PR) | Technology Infrastructure Resilience | PR.IR |
Detect (DE) | Continuous Monitoring | DE.CM |
Detect (DE) | Adverse Event Analysis | DE.AE |
Respond (RS) | Incident Management | RS.MA |
Respond (RS) | Incident Analysis | RS.AN |
Respond (RS) | Incident Response Reporting and Communication | RS.CO |
Respond (RS) | Incident Mitigation | RS.MI |
Recover (RC) | Incident Recovery Plan Execution | RC.RP |
Recover (RC) | Incident Recovery Communication | RC.CO |
These Categories will resonate with those charged with operationalizing risk management within an organization, and they simplify the process of developing your cybersecurity policies, plans and procedures.