In today's rapidly evolving digital landscape, cybersecurity has become a top priority for organisations of all sizes and industries. With cyber threats growing in complexity and frequency, it's essential for businesses to establish robust cybersecurity practices to safeguard their assets and data. One valuable resource that organisations can leverage is the NIST Cybersecurity Framework.
What is the NIST Cybersecurity Framework?
The National Institute of Standards and Technology (NIST) Cybersecurity Framework is a comprehensive set of guidelines, standards, and best practices designed to help organisations manage and mitigate cybersecurity risks. Developed through collaboration between industry, government, and academia, the framework provides a flexible and scalable approach to cybersecurity that can be tailored to meet the unique needs of different organisations.
The NIST Cybersecurity Framework (CSF) is built around six core functions, with the recently released 2.0 update further expanding on these functions to include Categories, Subcategories, Profiles and Tiers.
The CSF Core components are a hierarchy of Functions, Categories, and Subcategories that detail each outcome. These outcomes can be understood by a broad audience, including executives, managers, and practitioners, regardless of their cybersecurity expertise.
Because the outcomes are sector-, country-, and technology-neutral, they provide an organisation with the flexibility needed to address its unique risks, technologies, and
mission considerations.
The Six Core Functions of NIST
Govern: A new addition to the NIST framework, Govern encompasses the organisation's cybersecurity risk management strategy, expectations, and policy establishment. It serves as the foundation upon which other functions operate, providing guidance on achieving and prioritising cybersecurity outcomes aligned with the organisation's mission and stakeholder expectations.
Identify: This involves understanding and managing cybersecurity risks to systems, assets, data, and capabilities. It includes activities such as asset management, risk assessment, and governance.
Protect: The Protect function focuses on implementing safeguards to ensure the security and resilience of critical assets and data. This includes activities such as access control, data protection, and security training and awareness.
Detect: Detecting cybersecurity events in a timely manner is crucial for minimizing the impact of potential threats. The Detect function includes activities such as continuous monitoring, anomaly detection, and incident response planning.
Respond: In the event of a cybersecurity incident, organisations must have a well-defined response plan in place to contain and mitigate the impact of the incident. The Respond function includes activities such as incident response coordination, communication, and recovery planning.
Recover: The Recover function focuses on restoring capabilities and services that were impaired due to a cybersecurity incident. This includes activities such as recovery planning, improving resilience, and conducting lessons learned exercises.
The NIST figure to the above illustrates the CSF Functions as a wheel because all of the Functions are interconnected.
An organisation categorises assets under IDENTIFY and takes steps to secure those assets under PROTECT.
Investments in planning and testing within the GOVERN and IDENTIFY Functions support the timely detection of unexpected events in the DETECT Function.
Additionally, they enable incident response and recovery actions for cybersecurity incidents in the RESPOND and RECOVER Functions.
Placed at the centre of the wheel, GOVERN informs how an organisation will implement the other five Functions.
By implementing the NIST Cybersecurity Framework, organisations can establish a proactive and risk-based approach to cybersecurity that helps to protect against a wide range of cyber threats.
CSF 2.0 - New features: Core Functions, Categories, Subcategories and Tiers
Each Core Function is named after a verb that summarises its contents (Govern, Identify, Detect).
Each Function is then divided into Categories, which are related cybersecurity outcomes that collectively comprise the Function.
Subcategories further divide each Category into more specific outcomes of technical and management activities.
CSF Organisational Profiles are a mechanism for describing an organisation’s
current and/or target cybersecurity posture in terms of the CSF Core’s outcomes.
CSF Tiers can be applied to CSF Organisational Profiles to characterise the rigour of an organisation’s cybersecurity risk governance and management practices. Tiers can
also provide context for how an organisation views cybersecurity risks and the processes
in place to manage those risks.
Key Benefits of the NIST Cybersecurity Framework:
Provides a common language for discussing cybersecurity risk management across different sectors and organisations.
Offers a flexible and adaptable approach that can be customised to suit the specific needs and risk profile of an organisation.
Helps organisations prioritise cybersecurity investments and allocate resources more effectively.
Enhances communication and collaboration between internal stakeholders and external partners.
Supports regulatory compliance and demonstrates due diligence in managing cybersecurity risks.
The NIST Cybersecurity Framework is a valuable resource for organisations seeking to enhance their cybersecurity posture and mitigate cyber risks. By adopting the framework's principles and best practices, organisations can build resilience, protect critical assets, and maintain trust with customers and stakeholders in an increasingly connected world.
If the NIST framework is a model your organisation is interested in learning more about, why not avail of our complimentary NIST assessment clinics. In an exploratory session, our security team will assess where your cybersecurity posture is at present, and what to do next in order to achieve maximum protection alongside the NIST guidelines.
To schedule a NIST assessment, get in touch with the Edge7 Networks team.
Stay tuned for our next blog post, where we'll explore practical steps for implementing the NIST Cybersecurity Framework within your organisation.