In terms of cyber security and staying safe online, it’s a jungle out there. Phishing scams are increasing exponentially while ‘hackers for hire’ are using their skills to exploit whatever they can from businesses of all sizes. Throw in a pandemic that’s disrupted where and how people work and we have a cyber security horror show.
We’re not trying to be pessimistic. These are the realities and we need to collectively be educated about them and face up to them. From individual to corporate level, we need to protect our data, minimise exposure and mitigate risk. (If you’re a small business, Smile IT has put together a Cyber Security Checklist you will find useful in this regard. Chief Security Officers of larger companies will too).
Today we want to talk about a large-scale practical strategy that has emerged as the gold-standard for cybersecurity. It’s even forming a bedrock for much of the legislation and regulations developed pertaining to cyber-crime. It’s the NIST Cybersecurity framework and it’s becoming more important part of IT governance than ever before.
What is NIST?
NIST is the National Institute of Standards and Technology, part of the US Department of Commerce. It was established in 1901 to provide standards and guidelines on technology and science. Today it’s one of America’s oldest actual science labs and a major voice in cybersecurity regulation in the private and public sectors.
What is the NIST Cybersecurity Framework?
As cybercrime has become more prevalent over the last few years, governments across the world have seen the need for improved security and resilience. The US Government was no different, in 2013 signing an executive order to establish a cybersecurity framework that would protect national critical infrastructure.
NIST was selected to create this framework. It’s an ongoing, fluid project that evolves as the cybersecurity landscape advances. Developed through collaboration with stakeholders from the government, industrial and academic sectors, it’s designed to help organisations across the board strengthen their cyber defences.
If you’re starting your cybersecurity program from scratch or bolstering your current defences, the framework is an important guide. It provides targets, strengths and weaknesses, progress assessments and vital communication guidelines.
The Structure of the NIST Cybersecurity Framework
The risk-based approach of the framework is built on three pillars: Core, Profiles, and Implementation. Let’s look at these in a bit more detail, starting with the ore.
NIST Framework Core
NIST describes this as “a set of cybersecurity activities, desired outcomes, and applicable references that are common across critical infrastructure sectors.” In essence it’s meant to be intuitive, easily understood and applicable to risk management of all sorts, not just cybersecurity.
It’s divided into five functions designed to cover the range of cybersecurity objectives most organisations would want to adopt. The categories are:
Identify: This is to establish what cybersecurity actions your company will take as you move forward. Its about developing context around your objectives and understanding your business and the risks its exposed to. The categories involved are asset management; business environment; governance, risk assessment; risk management strategy and supply chain risk management.
Protect: This category deals with implementing safeguards to minimise or contain cybersecurity threats. Its categories include identity management and access control; awareness and training; data security; information protection processes and procedures; maintenance; and protective technology.
Detect: If a cybersecurity event happens, it needs to be detected in a timely manner. This function is designed to ensure this happens. IT focuses on anomalies and events; continuous security monitoring and detection processes.
Respond: This is about developing an incident response plan, compliant with regulations in your sector. It’s a set of activities that occur when a cybersecurity incident takes place. Its categories include response planning; communications; analysis; mitigation and improvements.
Recover: If a cybersecurity event happens, this function deals with restoring services and implementing resilience steps to prevent it happening again. Its categories include recovery planning, improvements and communications.
NIST Framework Implementation
There are four tiers to the framework, designed to help your organisation characterise its cyber security practices. It illustrates how closely your risk management practices align with the characteristics in the framework. There are four tiers, each illustrating an ascending degree of adoption of the Framework Characteristics.
The four tiers are:
1: Partial;
2: Risk Informed;
3: Repeatable;
4. Adaptive.
The tier that an organisation finds themselves in doesn’t represent their maturity in any way. It’s rather a way of determining the level and feasibility of the steps they should take to boost their cyber defences.
NIST Framework Profiles
The Profiles allow organisations to identify the gaps between their cybersecurity strategy and the desired outcome according to the Framework. They can then optimise the framework in a manner to best suit their operating methodologies, objectives and cybersecurity requirements.
While of course it’s by no means compulsory, the NIST Cybersecurity Framework is an important cyber defence benchmark. Flexible enough to cater to any industry, it’s also constantly updating and adapting to the current environment. Organisations need to do the same. Remain vigilant, stay on top of your security defences and keep your data safe. This Framework will help you do that.
Are you a Brisbane company with concerns about your cyber security? Smile IT would love to help you out. We offer a formal standards-based Cybersecurity audit which maps directly to NIST and other popular security standards, such as ASD ‘Top 35’ and CIS.
Get in touch with any questions about the NIST Cybersecurity Framework, or how to improve your risk management and defences.
When he’s not writing tech articles or turning IT startups into established and consistent managed service providers, Peter Drummond can be found kitesurfing on the Gold Coast or hanging out with his family!