
National Institute of Standards and Technology (NIST)
NIST Cybersecurity Framework
Business frameworks play an integral part in the development of strategy and the execution of it. They provide a systematic approach to decision-making, allowing organisations to assess their current situation, identify areas for improvement, and develop plans for growth and success.
Cyber Security is no different … “You need a framework!”
Introduction
The National Institute of Standards and Technology (NIST) is a US-based organisation and part of the US Department of Commerce.
The NIST Cybersecurity Framework (CSF) is one of the most widely used cybersecurity frameworks in the world, including in Australia. The CSF provides a basis for improved communication regarding cybersecurity expectations, planning, and the resources needed to manage cybersecurity risks.
It also offers a common vocabulary of high-level cybersecurity outcomes that can be used by any organisation regardless of its size, sector, or maturity to better understand, assess, prioritize, and communicate its cybersecurity efforts.
CSF Core
The six CSF Core Functions, GOVERN, IDENTIFY, PROTECT, DETECT, RESPOND and RECOVER, organise cybersecurity outcomes at their highest level.
CSF Organizational Profiles
A CSF Organizational Profile describes an organization’s current and/or target cybersecurity posture in terms of the Core’s outcomes.
The five (5) steps shown in the figure illustrate one way that a business could use an organizational profile to help inform continuous improvement of its cybersecurity.
STEP 1.
Scope the Organizational Profile.
An organization can have as many Organizational Profiles as desired, each with a different scope.
Example:
A Profile could address an entire organization, or be scoped to an organization’s financial systems to counter ransomware threats.
STEP 2.
Gather the information needed to prepare the Organizational Profile.
Example:
Organizational policies, risk management priorities and resources, enterprise risk profiles, business impact analysis (BIA) registers, cybersecurity requirements and standards followed by the organization, practices and tools (e.g., procedures and safeguards), and work roles.
STEP 3.
Create the Organizational Profile.
Determine what types of information the Profile should include for the selected CSF outcomes, and document the needed information.
STEP 4.
Analyse the gaps between the Current and Target Profiles, and create an action plan.
Conduct a gap analysis to identify and analyse the differences between the Current and Target Profiles, and develop a prioritized action plan (e.g., risk register, risk detail report, Plan of Action and Milestones [POA&M]) to address those gaps.
STEP 5.
Implement the action plan, and update the Organizational Profile.
Follow the action plan to address the gaps and move the organization toward the Target Profile. An action plan may have an overall deadline or be ongoing.
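The five steps above can be modelled as data. The following is an added example, not NIST tooling or anything from the CSF publication: it represents a Current and a Target Profile as scores per CSF Subcategory on an assumed 0 to 4 maturity scale, applies a scope (Step 1), runs the gap analysis and ranks the resulting action items by gap size weighted by the organisation's risk priority (Step 4), and updates the Current Profile as actions complete (Step 5). The Subcategory identifiers, scores, priorities and the `gap * priority` ranking rule are all constructed for illustration.

```python
"""Gap analysis between a Current and a Target CSF Organizational Profile.

Added example with constructed data. Scores use an assumed 0-4 maturity
scale per Subcategory; the identifiers below are illustrative only.
"""
from dataclasses import dataclass

# Two-letter prefixes of the six CSF Core Functions:
# GOVERN, IDENTIFY, PROTECT, DETECT, RESPOND, RECOVER
CSF_FUNCTIONS = ("GV", "ID", "PR", "DE", "RS", "RC")
MAX_SCORE = 4  # assumed top of the maturity scale


@dataclass(frozen=True)
class ActionItem:
    """One line of the prioritized action plan (Step 4)."""
    subcategory: str
    function: str
    current: int
    target: int
    priority: int  # 1 (low) .. 3 (high), from risk management priorities

    @property
    def gap(self) -> int:
        return self.target - self.current

    @property
    def rank_score(self) -> int:
        # Assumed ranking rule: bigger gaps on higher-priority outcomes first.
        return self.gap * self.priority


def function_of(subcategory: str) -> str:
    """Map a Subcategory id such as 'PR.AA-01' to its Function prefix."""
    prefix = subcategory.split(".", 1)[0]
    if prefix not in CSF_FUNCTIONS:
        raise ValueError(f"unknown CSF Function prefix in {subcategory!r}")
    return prefix


def _check_score(subcategory: str, value: int) -> None:
    if not isinstance(value, int) or not 0 <= value <= MAX_SCORE:
        raise ValueError(f"score for {subcategory} must be 0..{MAX_SCORE}, got {value!r}")


def gap_analysis(current: dict, target: dict, priorities: dict, scope=None) -> list:
    """Return the prioritized action plan (Step 4).

    current/target: {subcategory: score}; priorities: {subcategory: 1..3}.
    scope: optional set of Function prefixes (Step 1); None means the whole
    organisation. A target outcome missing from the Current Profile is
    treated as not yet achieved (score 0) rather than silently skipped.
    """
    items = []
    for sub, tgt in target.items():
        fn = function_of(sub)
        if scope is not None and fn not in scope:
            continue
        cur = current.get(sub, 0)
        _check_score(sub, cur)
        _check_score(sub, tgt)
        prio = priorities.get(sub, 1)
        if tgt > cur:
            items.append(ActionItem(sub, fn, cur, tgt, prio))
    # Highest rank first; ties broken by priority, then id for a stable plan.
    items.sort(key=lambda i: (-i.rank_score, -i.priority, i.subcategory))
    return items


def apply_action(current: dict, item: ActionItem) -> dict:
    """Step 5: record a completed action by updating the Current Profile."""
    updated = dict(current)
    updated[item.subcategory] = item.target
    return updated


def coverage(current: dict, target: dict, scope=None) -> float:
    """Fraction of in-scope target outcomes already met by the Current Profile."""
    in_scope = [s for s in target if scope is None or function_of(s) in scope]
    if not in_scope:
        return 1.0
    met = sum(1 for s in in_scope if current.get(s, 0) >= target[s])
    return met / len(in_scope)


# Constructed sample profiles (not real assessment data).
CURRENT_PROFILE = {"GV.OC-01": 3, "ID.AM-01": 2, "PR.AA-01": 1,
                   "DE.CM-01": 2, "RS.MA-01": 1, "RC.RP-01": 2}
TARGET_PROFILE = {"GV.OC-01": 3, "ID.AM-01": 3, "PR.AA-01": 3, "DE.CM-01": 3,
                  "RS.MA-01": 2, "RC.RP-01": 3, "PR.DS-01": 2}
PRIORITIES = {"PR.AA-01": 3, "RC.RP-01": 3, "DE.CM-01": 2, "PR.DS-01": 2}

if __name__ == "__main__":
    for item in gap_analysis(CURRENT_PROFILE, TARGET_PROFILE, PRIORITIES):
        print(f"{item.subcategory}: {item.current}->{item.target} "
              f"(priority {item.priority}, rank {item.rank_score})")
```

Running the module prints the whole-organisation plan with PR.AA-01 at the top, because it has both the largest gap and the highest priority; passing `scope={"PR"}` to `gap_analysis` reproduces the narrower, PROTECT-only Profile from the Step 1 example. The ranking rule is deliberately simple so the inputs that drive it (risk priorities, scores) stay visible; an organisation would substitute its own risk register weighting.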