Widely regarded as the de facto standard among cybersecurity frameworks, the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity is aimed at any operator of critical infrastructure. Version 1.0 was published in 2014, and its standing was reinforced in 2017 by Executive Order 13800, which directed federal agencies to manage cyber risk using the framework and to report on their risk mitigation strategies.
Though the initial cost of implementation is considerable, nearly two-thirds of CISOs report using at least part of the framework, and 83% of those not yet using it plan to adopt parts of it within the coming year.
What makes this framework so popular and effective?
Five Core Functions
The core of NIST's framework is broken into five straightforward functions: Identify, Protect, Detect, Respond, and Recover. Treated as a single, continuous process rather than a checklist, they form one coherent pathway to managing cybersecurity risk.
Identify
An organization must first understand its technological environment and strive for full visibility of all assets, data, systems, and interconnecting components. With that inventory in hand, it should map its current exposure and create policies and procedures that manage and mitigate the associated risks.
Vulnerability assessments and cloud risk assessments are effective techniques for surfacing weaknesses as part of this function; an asset that has not been inventoried is one that cannot be assessed.
Protect
Controlling access to critical assets, both digital and physical, is the first step. Securing data, patching and repairing components promptly, deploying protective technology, and giving employees continuous security education and awareness training are all necessary to limit the impact of a potential incident.
Examples include access control, data security, maintenance, awareness training, and information protection processes and procedures. Penetration testing can provide a point-in-time snapshot of where those protections fall short.
Detect
Continuous monitoring for threatening or anomalous activity shortens the time an intruder goes unnoticed and so limits the damage an incident can cause. Threat hunting complements automated monitoring by proactively searching for adversaries that existing controls have not flagged.
Application security testing helps identify weaknesses quickly in some of the more exposed parts of your systems.
Respond
In the event that an attack is not prevented, an organization should have a previously crafted (and tested) response plan that includes clearly defined lines of communication, methods of evidence collection and analysis, procedures for containing and eradicating the threat, and a mechanism for recording lessons learned so that the same incident is not repeated.
Recover
To minimize downtime, the organization should have a recovery strategy whose action items are prioritized so that critical services are restored first and the company is fully operational as soon as it is safe. The plan may include coordination with third parties.
Framework Tiers and Profiles
NIST also provides context regarding how an organization views its risk management practices and how it expresses desired outcomes based on business needs. The former is captured in Framework Implementation Tiers, the latter in Framework Profiles.
The tiers, ranging from Tier 1 to Tier 4, describe the rigor and sophistication of an organization's cybersecurity risk management practices and how well they are integrated with the rest of the business. Tier 1 is "Partial," Tier 2 "Risk Informed," Tier 3 "Repeatable," and Tier 4 "Adaptive." When selecting a target tier, an organization should consider not only its current risk management practices but also its threat environment, organizational constraints, mission objectives, and regulatory requirements. NIST notes that the tiers are not maturity levels; moving to a higher tier is encouraged only when it reduces risk in a cost-effective way.
A profile aligns the framework's standards, guidelines, and practices to the core functions for a particular organization. Comparing a "Current" profile against a "Target" profile shows how far the organization is from its desired security posture and which gaps to close first. Profiles differ from organization to organization, driven by business needs and risk assessments, with prioritization and progress measurement also weighing cost-effectiveness and innovation.
Security program development from a trusted third party like Sentek Cyber can assist in understanding both the Framework Tiers and Profiles and adopting new protocols to fit the high standards provided by NIST.