In May, my role was expanded to include Chief Information Security Officer (CISO). Since that date, I have been building trust with the team, as well as connecting with internal and external stakeholders. I have also been re-educating myself, going back to basics with key cybersecurity approaches, methodologies and frameworks.
This article provides a summary of the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF), also known as the NIST CSF.
The NIST CSF is a set of guidelines for mitigating organisational cybersecurity risks, based on established standards, guidelines, and practices. It includes three primary components:
Core: Desired cybersecurity outcomes organised in a hierarchy and aligned to more detailed guidance and controls.
Profiles: The alignment of the Core’s desired outcomes with an organisation’s own requirements and objectives, risk appetite and resources.
Implementation Tiers: A qualitative measure of organisational cybersecurity risk management practices.
The NIST CSF is intended to be a “living document” that is continuously refined, improved, and evolved, hopefully keeping pace with technology and threat trends, whilst integrating lessons learned.
The full NIST CSF v1.1 can be downloaded below:
The Framework Core includes 5 Functions (listed below), covering 23 Categories and 108 Subcategories, each mapped to 6 Informative References. In v1.1 the Informative References are the CIS Controls (CIS CSC, formerly the Council on CyberSecurity Critical Security Controls), COBIT 5, ISA 62443-2-1:2009 and ISA 62443-3-3:2013, ISO/IEC 27001:2013, and NIST SP 800-53 Rev. 4.
Identify: Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.
Protect: Develop and implement the appropriate safeguards to ensure the delivery of critical infrastructure services.
Detect: Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.
Respond: Develop and implement the appropriate activities to take action regarding a detected cybersecurity incident.
Recover: Develop and implement the appropriate activities to ensure resilience and restore capabilities impacted by a cybersecurity incident.
The Framework Core is available as a downloadable CSV, linked below:
The Framework Profile is a list of outcomes that an organisation has chosen from the categories and subcategories, based on its needs and risk assessments.
Typically, an organisation would start by developing the “Current Profile” which describes the cybersecurity activities and what outcomes are being achieved.
This is followed by a “Target Profile”, which describes the outcomes needed to achieve the organisation’s cybersecurity risk management goals. Comparing the two yields a gap analysis and a prioritised set of actions to move from the “Current Profile” to the “Target Profile”.
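The Current-to-Target comparison above is easy to do badly in a spreadsheet (a mistyped Subcategory ID or an unassessed outcome scored as “done” quietly hides a gap). The script below is an added example, not part of the NIST material or this article: it loads a small, constructed slice of the Framework Core in CSV form (real v1.1 Subcategory IDs with paraphrased outcome text; the column names are an assumption, not the layout of NIST’s own CSV export), scores each selected outcome on an assumed 0–4 implementation scale in a Current and a Target Profile, and produces a gap list ordered by size plus a per-Function summary. Outcomes in the Target Profile that were never assessed are flagged rather than treated as implemented, a target set below the current score is treated as a deliberate de-scope with no gap, and IDs not in the Core are rejected.

```python
import csv
import io
from statistics import mean

# The five Framework Functions, in CSF order.
FUNCTION_ORDER = ["Identify", "Protect", "Detect", "Respond", "Recover"]

# Constructed sample in the shape of a Framework Core export (one row per
# Subcategory). The IDs are NIST CSF v1.1 Subcategory identifiers; the outcome
# text is paraphrased and the column names are an assumption of this example.
CORE_CSV = """Function,Category,Subcategory,Outcome
Identify,Asset Management,ID.AM-1,Physical devices and systems are inventoried
Identify,Asset Management,ID.AM-2,Software platforms and applications are inventoried
Protect,Identity Management and Access Control,PR.AC-1,Identities and credentials are managed
Protect,Identity Management and Access Control,PR.AC-4,Access permissions follow least privilege
Detect,Security Continuous Monitoring,DE.CM-1,The network is monitored for potential events
Respond,Response Planning,RS.RP-1,Response plan is executed during or after an incident
Recover,Recovery Planning,RC.RP-1,Recovery plan is executed during or after an incident
"""

# Constructed profiles. Each chosen Subcategory is scored 0 (not implemented)
# to 4 (fully implemented and measured); this scale is an assumption of the
# example, not part of the CSF. RC.RP-1 is in the target but was never assessed.
CURRENT_PROFILE = {"ID.AM-1": 2, "ID.AM-2": 1, "PR.AC-1": 3,
                   "PR.AC-4": 1, "DE.CM-1": 2, "RS.RP-1": 3}
TARGET_PROFILE = {"ID.AM-1": 4, "ID.AM-2": 3, "PR.AC-1": 3, "PR.AC-4": 3,
                  "DE.CM-1": 4, "RS.RP-1": 2, "RC.RP-1": 3}


def load_core(csv_text):
    """Parse a Framework Core CSV into {subcategory_id: row dict}."""
    return {row["Subcategory"]: row
            for row in csv.DictReader(io.StringIO(csv_text))}


def validate_profile(core, profile):
    """Reject IDs not in the Core and scores off the 0..4 scale.

    A typo such as ID.AM-9 would otherwise silently drop an outcome from the
    gap analysis, which is exactly the kind of error a profile review must catch.
    """
    unknown = sorted(set(profile) - set(core))
    if unknown:
        raise ValueError(f"subcategories not in Framework Core: {unknown}")
    bad = sorted(k for k, v in profile.items() if not 0 <= v <= 4)
    if bad:
        raise ValueError(f"scores outside 0..4: {bad}")


def gap_analysis(core, current, target):
    """Return one row per Target Profile outcome, largest gap first.

    A Subcategory in the target but absent from the current profile is scored
    0 and flagged as unassessed, so it is never mistaken for 'done'. A target
    below the current score is a deliberate de-scope and carries no gap.
    """
    validate_profile(core, current)
    validate_profile(core, target)
    rows = []
    for sub_id, want in target.items():
        have = current.get(sub_id)
        score = 0 if have is None else have
        rows.append({
            "subcategory": sub_id,
            "function": core[sub_id]["Function"],
            "category": core[sub_id]["Category"],
            "current": score,
            "target": want,
            "gap": max(want - score, 0),
            "unassessed": have is None,
        })
    # Biggest gaps first; ties broken by Function order, then by ID.
    rows.sort(key=lambda r: (-r["gap"],
                             FUNCTION_ORDER.index(r["function"]),
                             r["subcategory"]))
    return rows


def function_summary(rows):
    """Average current vs target score and open gap count per Function."""
    summary = {}
    for func in FUNCTION_ORDER:
        in_func = [r for r in rows if r["function"] == func]
        if in_func:
            summary[func] = {
                "current": mean(r["current"] for r in in_func),
                "target": mean(r["target"] for r in in_func),
                "open_gaps": sum(1 for r in in_func if r["gap"] > 0),
            }
    return summary


if __name__ == "__main__":
    core = load_core(CORE_CSV)
    rows = gap_analysis(core, CURRENT_PROFILE, TARGET_PROFILE)
    for r in rows:
        flag = " (not yet assessed)" if r["unassessed"] else ""
        print(f"{r['subcategory']:9} {r['function']:9} "
              f"current={r['current']} target={r['target']} gap={r['gap']}{flag}")
    for func, s in function_summary(rows).items():
        print(f"{func:9} current={s['current']:.2f} "
              f"target={s['target']:.2f} open_gaps={s['open_gaps']}")
```

With the constructed data the unassessed RC.RP-1 rises to the top of the list, RS.RP-1 (target lowered from 3 to 2) shows no gap, and the per-Function view makes the Identify and Recover shortfalls obvious. Replace the inline CSV with the real Framework Core export and the two dictionaries with the organisation’s own scores, and the same code gives a defensible starting point for the action plan.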
Finally, the Implementation Tiers provide a consistent structure for benchmarking cybersecurity risk management practices, helping organisations develop plans to improve their cybersecurity posture.
It is essential to note the Implementation Tiers are not designed to be a maturity model, instead providing visibility across cybersecurity risk management and operational risk management processes.
The four Implementation Tiers are outlined below:
Tier 1 (Partial): Organisations with limited, informal security processes, where risk is managed ad hoc and reactively, with little awareness of cybersecurity risk and limited executive sponsorship and prioritisation.
Tier 2 (Risk Informed): Organisations that understand their risks and are actively addressing compliance requirements, with risk management practices approved by management but not yet established as organisation-wide policy, leaving broader security concerns and policy gaps unaddressed.
Tier 3 (Repeatable): Organisations with executive-approved risk management practices expressed as policy and implemented consistently across the organisation, prepared to respond to cybersecurity threats and risks, and proactively addressing vulnerabilities.
Tier 4 (Adaptive): Organisations that adapt their cybersecurity practices from lessons learned and predictive indicators, proactively analysing behaviours and events to protect against or adapt to threats before they materialise, and that continuously assess risk and apply proportional controls as required.
For more details regarding the NIST CSF, I recommend reviewing the “NIST Cybersecurity Framework Explained” virtual session from Tom Conkle and Kelly Hood. It was presented at the RSA Conference in 2018 but is still relevant today.
The NIST CSF is a powerful resource for SMB and enterprise organisations across the globe, providing a robust framework to identify cybersecurity outcomes and a methodology to assess and manage progress towards them.