Improving Cyber Readiness with the NIST Cybersecurity Framework
1 like326 views
The NIST Cybersecurity Framework, developed in response to a 2013 presidential executive order, helps organizations improve their cybersecurity readiness through voluntary guidelines based on best practices. It consists of three primary components: core, implementation tiers, and profiles, enabling organizations to assess and manage cybersecurity risks tailored to their business needs. The framework provides benefits such as a common language for cybersecurity discussions, aids in budgeting for cybersecurity efforts, and helps communicate risks to senior leadership.
Improving Cyber Readiness with the NIST Cybersecurity Framework
- 1. January 2017 page 1 The NIST Cybersecurity Framework Adopting the NIST Cybersecurity Framework can help any organization improve its cyber readiness. Organizations that already have a security program based on regulatory compliance requirements such as HIPAA and SOX or industry standards such as PCI-DSS and ISO 27001 can use the framework to measure and communicate the current effectiveness of implemented policies and processes addressing cybersecurity risks. Organizations with no formal security program can leverage the framework as a road map to identify business security needs and take necessary steps to address cybersecurity risks to their data, operations, systems, and employees. Background The framework is a result of a 2013 Presidential Executive Order titled “Improving Critical Infrastructure Cybersecurity” which called for the development of a voluntary risk-based cybersecurity framework based on industry standards and best practices to help private sector organizations manage cybersecurity risks. Faced with the growing tide of cyber attacks against private businesses and organizations in industry sectors such as energy, financial services, and healthcare, which are critical to our economy, national security, and very way of life, this order was an attempt to help these organizations defend against cybersecurity threats without creating additional regulatory burdens. The resulting framework, released in 2014 after ten months of collaboration between government and private sector security experts, creates a common language to address and manage cybersecurity risk in a cost-effective manner based on business needs. Benefits of adopting the Framework There are four key benefits an organization can realize by adopting the NIST Cybersecurity Framework: Harmonize cybersecurity approaches and provide a common language for discussing cybersecurity risks within and across organizations and industries. Establish the right level of security for an organization based on business needs. Inform cybersecurity budget planning based in risk prioritization.
- 2. January 2017 page 2 Communicate cybersecurity risk comprehensively to senior leadership. Framework Components The framework consists of three primary components: Core, Implementation Tiers, and Profile. The Core provides a set of activities, outcomes, and informative references providing the detailed guidance for developing individual organizational risk management profiles. It consists of five concurrent and continuous functions which provide a high level, strategic view of the lifecycle of an organization’s management of cybersecurity risk. Identify – Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities. Protect – Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services. Detect – Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event. Respond – Develop and implement the appropriate activities to take action regarding a detected cybersecurity event. Recover – Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event.
- 3. January 2017 page 3 The Implementation Tiers provide context on how an organization views cybersecurity risk and processes in place to manage that risk. Tiers describes the degree to which an organization’s cybersecurity risk management practices exhibit the characteristics defined in the framework. Tier 1 (Partial) – Risks are managed in an ad hoc manner with limited awareness of risks. Tier 2 (Risk Informed) – Risk management processes and program are in place but are not integrated enterprise-wide. Tier 3 (Repeatable) – Formal policies for risk management processes and program are in place enterprise-wide. Tier 4 (Adaptive) – Risk management processes and programs are based on lessons and predictive indicators derived from previous and current cybersecurity activities. The Profile component represents cybersecurity outcomes based on business needs that an organization has selected from Core function categories. Profiles can be used to identify gaps and opportunities for improving an organization’s cybersecurity risk management posture by creating a “Current” Profile which represents the current organization risk management posture based on implemented policies, processing, and controls and a “Target” Profile which represents the desired posture based on business needs. Gaps between the current and target profiles establish the baseline for implementation of the framework and improving an organization’s cybersecurity readiness.
- 4. January 2017 page 4 Bottom Line - And Next Steps The first step to improving organizational cyber readiness is an initial “fitness” assessment based on the framework. NIST has provided access to all framework related information including a Reference Tool to help organizations looking to implement the framework on their website. Organizations that need help implementing the framework or want to learn more about its benefits can visit the MCGlobalTech CyberRx Risk Intelligence Solution which automates the framework and helps organizations determine their cybersecurity risk exposure and the potential financial impact of a successful data breach. Source: https://www.nist.gov/cyberframework
- 5. January 2017 page 5 About William McBorrough William J. McBorrough is an Information Assurance and Cyber Security leader with an extensive background managing, designing, and implementing medium and large enterprise physical and information technology security solutions and programs. Mr. McBorrough is Co-Founder and Managing Principal at MCGlobalTech, a Washington, DC-based Information Security Management Consulting firm where he helps clients in the public and private sectors build Risk-Focused Security Programs. Mr. McBorrough has served on the faculty of various universities including University of Maryland University College, EC-Council University, George Mason University and Northern Virginia Community College where he has conducted research and taught graduate and undergraduate courses relating to cybersecurity, cybercrime, cyberterrorism, and information security and assurance. He is a Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA), Certified in Risk Information System Control (CRISC), Certified Ethical Hacker (CEH) and HITRUST Certified Common Security Framework Practitioner (CCSFP).