Posted on November 27, 2020 - by Justin Gratto - in Building Your InfoSec Program
The NIST Cybersecurity Framework is a comprehensive approach to security designed to help businesses better understand and manage their risk. If you’re looking for an approachable cybersecurity model that helps your organization adopt current best practices, then using NIST’s framework is a solid place to start.
In this guide, we cover the basics about the NIST Cybersecurity Framework. By the end, you’ll have a good sense of how this framework can help you improve your company’s cybersecurity strategy.
The National Institute of Standards and Technology is a non-regulatory agency that’s a part of the U.S. Department of Commerce. NIST conducts industrial research intended to advance the United States’ position as a technological and economic leader.
However, for some businesses, NIST is best known for its series of standards and best practices regarding cybersecurity. When you hear NIST mentioned, people often mean the NIST Cybersecurity Framework (sometimes abbreviated as NIST CSF) which helps organizations understand, organize, and manage information security.
The Cybersecurity Framework is the most popular of the frameworks provided by NIST. It is a voluntary set of standards created in 2014 and is often used by government agencies and contractors (though it is mandatory for U.S. federal agencies). A number of industries have broadly adopted the NIST framework, including higher education, transportation, and power grid organizations. NIST released an updated version in 2018 to refine and clarify some elements.
The NIST framework emphasizes the use of business drivers to guide a company’s overall cybersecurity strategy. In other words, you’ll primarily look at your data, personnel, devices, mission, stakeholders, and other details to develop an understanding of your cybersecurity risks and how to manage them.
The Cybersecurity Framework consists of three parts:
The Framework Core consists of five elements that work together to achieve specific cybersecurity outcomes. Each of these functions contains a series of categories or tasks that your cybersecurity strategy may include.
The Framework Implementation Tiers consider a company’s current risk management practices, threat environment, compliance requirements, and business details to identify where a business lies with its cybersecurity model. Although NIST recommends that companies at Tier 1 advance to Tier 2, the agency also notes that the Tiers are not maturity models. Companies should consider advancing to a higher tier when it’s cost-effective and reduces their cybersecurity risk.
The Framework Profile combines your business objectives and threat environment with any cybersecurity requirements and controls you may have. It reflects the alignment of your company’s organizational requirements and risk management with the resources you need to meet both.
The Framework Profile will consist of your current (and desired) cybersecurity activities mapped onto the Core Functions above. Using that, you’ll identify your Tier then review your Profile against it to determine what you still need to accomplish.
Framework Profiles are useful because they let you compare the current state of your cybersecurity strategy with the desired target state. They may reveal gaps in your strategy or blind spots in your risk management objectives. They’re also a strong starting point when formalizing policies and procedures across an entire organization.
Some companies use one framework to set their security policies and form the backbone of their program. But companies may also want to extend their information security program to achieve compliance with multiple frameworks (such as SOC 2 or the CIS Controls framework, both of which are covered within Securicy’s information security management platform), which can open up opportunities with different industries. Most frameworks share overlapping best practices, so once you have one framework in place it becomes easier to meet the requirements of an additional one. Cybersecurity professionals love frameworks for a few reasons:
Developing cybersecurity policies can be a chore, but not if you have the right tools. If you’re just getting started developing your policies, pick up a free trial of Securicy to generate five free policies and see how you can use our platform to strengthen your security posture.
The NIST Cybersecurity Framework is one of the most widely recognized frameworks available for businesses to implement. By using a framework like NIST, you can assure customers that you’re able to protect their data and win over prospects to close bigger deals.