Adopting the NIST Cybersecurity Framework can help any organization improve its cyber readiness. Organizations that already have a security program based on regulatory compliance requirements such as HIPAA and SOX or industry standards such as PCI-DSS and ISO 27001 can use the framework to measure and communicate the current effectiveness of implemented policies and processes addressing cybersecurity risks. Organizations with no formal security program can leverage the framework as a road map to identify business security needs and take necessary steps to address cybersecurity risks to their data, operations, systems and employees.
The framework is the result of a 2013 Presidential Executive Order titled “Improving Critical Infrastructure Cybersecurity,” which called for the development of a voluntary, risk-based cybersecurity framework built on industry standards and best practices to help private sector organizations manage cybersecurity risk. Faced with a growing tide of cyber attacks against private businesses and organizations in sectors such as energy, financial services and healthcare that are critical to our economy, national security and very way of life, the order was an attempt to help these organizations defend against cybersecurity threats without creating additional regulatory burdens. The resulting framework, released in 2014, establishes a common language for addressing and managing cybersecurity risk in a cost-effective manner based on business needs, and was the product of 10 months of collaboration between government and private sector security experts.
Benefits of adopting the Framework
There are four key benefits an organization can realize by adopting the NIST Cybersecurity Framework:
- Harmonize cybersecurity approaches and provide a common language for discussing cybersecurity risks within and across organizations and industries.
- Establish the right level of security for an organization based on business needs.
- Inform cybersecurity budget planning based on risk prioritization.
- Communicate cybersecurity risk comprehensively to senior leadership.
The framework consists of three primary components: Core, Implementation Tiers and Profile.
The Core provides a set of activities, outcomes and informative references that give the detailed guidance needed to develop an organization’s individual risk management profiles. It consists of five concurrent and continuous functions that together provide a high-level, strategic view of the lifecycle of an organization’s management of cybersecurity risk.
- Identify – Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.
- Protect – Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services.
- Detect – Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.
- Respond – Develop and implement the appropriate activities to take action regarding a detected cybersecurity event.
- Recover – Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event.
The Implementation Tiers provide context on how an organization views cybersecurity risk and the processes it has in place to manage that risk. The Tiers describe the degree to which an organization’s cybersecurity risk management practices exhibit the characteristics defined in the framework, from informal and reactive at Tier 1 to adaptive at Tier 4.
- Tier 1 (Partial) – Risks are managed in an ad hoc manner with limited awareness of risks.
- Tier 2 (Risk Informed) – Risk management processes and program are in place but are not integrated enterprise-wide.
- Tier 3 (Repeatable) – Formal policies for risk management processes and program are in place enterprise-wide.
- Tier 4 (Adaptive) – Risk management processes and programs are based on lessons and predictive indicators derived from previous and current cybersecurity activities.
The Profile component represents the cybersecurity outcomes, selected from the Core functions and their categories, that an organization has chosen based on its business needs. Profiles can be used to identify gaps and opportunities for improving an organization’s cybersecurity risk management posture by creating a “Current” Profile, which represents the current risk management posture based on the policies, processes and controls actually implemented, and a “Target” Profile, which represents the desired posture based on business needs. The gaps between the Current and Target Profiles establish the baseline for implementing the framework and improving the organization’s cybersecurity readiness.
Bottom Line – And Next Steps
The first step toward improving organizational cyber readiness is an initial “fitness” assessment based on the framework. NIST provides all framework-related information on its website, including a Reference Tool to help organizations that are looking to implement the framework.
Organizations that need help implementing the framework, or want to learn more about its benefits, can look at the MCGlobalTech CyberRx Risk Intelligence Solution, which automates the framework and helps organizations determine their cybersecurity risk exposure and the potential financial impact of a successful data breach.