Learn about NIST's Cybersecurity Framework

The Cybersecurity Framework of the National Institute of Standards and Technology (NIST) is a tool for managing information security risk. Although adopting it is voluntary, it offers several advantages. Here we tell you more about it.

What is the NIST Cybersecurity Framework and what is it for?

For some years now, information security (or cybersecurity) has become more relevant in organizations, so much so that they have designed and executed programs to protect their information, their most important asset, and to respond in the best possible way to a cyber-attack. As with financial or reputational risk, cyber risk has a negative impact on business objectives. With software such as Pirani ISMS Suite you can easily identify, manage and control these risks.

In response, there are several international standards that offer good practices for implementing an information security management system. ISO 27001 is one of the best known, but not the only one.

In fact, the Cybersecurity Framework of the National Institute of Standards and Technology (NIST), which is part of the US Department of Commerce, was developed taking into account the controls and processes of already accepted cybersecurity standards, including NIST SP 800-53, ISO/IEC 27001:2013, COBIT 5 and CIS CSC. Version 1.0 of the Framework was released in February 2014 and version 1.1 in April 2018.

As NIST itself explains, the Framework "is a methodology with a focus on reducing the risk linked to cyber threats that may compromise information security."

And what is it for? The NIST Framework, whose simplicity and flexibility let it adapt to organizations of any sector or size, helps an organization understand, manage and reduce the likelihood that a cyber risk materializes, through adequate protection of its networks and data.

It can be used as a reference for establishing a cybersecurity program, or for reviewing an existing one and identifying opportunities to complement and improve it.

How is the NIST Cybersecurity Framework composed?

The Framework is composed of three parts: the Framework core, the implementation levels and the Framework profiles.

1. The core

The core is a set of activities for achieving cybersecurity outcomes, together with references to industry standards, guidelines and good practices. It is made up of five functions, performed concurrently and continuously, that must be followed to implement or complement a good information security program.

These functions are:


In addition to these five functions, the core of the Framework consists of three other elements: categories, subcategories and informative references. All of them work together to manage the risks associated with information security.


2. Levels of implementation of the Framework

The levels provide context on how an organization views cybersecurity risk and on the processes and programs it has in place to manage it.

According to NIST, selecting a level takes into account the organization's risk management practices, legal and regulatory requirements, business objectives and cybersecurity requirements, among other factors.

"The levels support organizational decision-making on how to manage cybersecurity risk, as well as which dimensions of the organization are of highest priority and could receive additional resources."

There are four levels, defined by three attributes: the risk management process, the integrated risk management program and external participation.

To determine the desired level, NIST recommends that organizations make sure the level they select meets their goals, is feasible to implement, and reduces the cyber risk to their assets and data.

3. Framework Profiles

A profile is the alignment of the functions, categories and subcategories with the organization's business requirements, risk tolerance and goals.

Profiles are used to describe either the current or the target state of the organization's cybersecurity activities. The current profile describes the outcomes that are being achieved today, while the target profile shows the outcomes required to meet the objectives set for cyber risk management.

How can you use the NIST Cybersecurity Framework in your company?

As mentioned, the Framework is adaptable to organizations of any sector, country and size, and can be used in different ways:

  1. Review and compare the organization's existing cybersecurity practices with those presented in the core of the Framework, to see whether the expected outcomes are being achieved and to determine what should or can be improved to further reduce cybersecurity risk.

  2. Create a new cybersecurity program or upgrade an existing one. The Framework proposes the following steps:

· Prioritize and determine scope: identify business objectives and high-level priorities in order to decide the scope of the cybersecurity program.

· Guidance: identify the systems and assets within the program's scope, the applicable regulatory requirements and the overall risk approach.

· Create a current profile: develop a current profile showing which outcomes, by category and subcategory of the Framework core, are being achieved.

· Perform a risk assessment: analyze the environment to understand the likelihood of an event occurring and its impact.

· Create a target profile: this profile assesses the categories and subcategories of the Framework core that describe the organization's expected outcomes.

· Determine, analyze and prioritize gaps: compare the current profile with the target profile to identify the gaps, and create a prioritized action plan to close them and reach the outcomes of the target profile. The funds and personnel required to close these gaps must also be determined.

· Implement the action plan: finally, execute the action plan and adjust cybersecurity practices until the target profile is achieved.
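As an added illustration, not part of the original article and not tooling from NIST or Pirani, the following Python script carries the profile steps above through to the gap analysis and action plan. It takes a constructed current profile and target profile, each mapping a subcategory to one of the four implementation levels (numbered 1 to 4 only, since the article does not list their names), finds every subcategory whose current level is below its target, orders the gaps first by the business priority set in the "prioritize and determine scope" step and then by gap size, and allocates a constructed budget of level steps to produce an action plan. The subcategory labels, function labels, priorities and budget are all constructed for the example and are not official NIST identifiers.

```python
"""Current-vs-target profile gap analysis (constructed example, not NIST tooling)."""
from dataclasses import dataclass

# The article describes four implementation levels; only their numbers are used here.
LEVELS = (1, 2, 3, 4)


@dataclass(frozen=True)
class Outcome:
    subcategory: str  # constructed label, not an official NIST subcategory identifier
    function: str     # constructed label for the core function the outcome belongs to
    priority: int     # business priority from the scoping step; 1 = highest


@dataclass(frozen=True)
class Gap:
    subcategory: str
    function: str
    current: int
    target: int
    priority: int

    @property
    def size(self) -> int:
        """Number of level steps needed to reach the target."""
        return self.target - self.current


def _check_level(name: str, level: int) -> int:
    """Reject anything that is not one of the four defined levels."""
    if level not in LEVELS:
        raise ValueError(f"{name}: level {level!r} is not one of {LEVELS}")
    return level


def find_gaps(outcomes, current, target):
    """Compare profiles and return the gaps, highest priority and largest gap first.

    An outcome absent from the target profile is out of scope and skipped;
    an outcome absent from the current profile is treated as level 1.
    """
    gaps = []
    for o in outcomes:
        if o.subcategory not in target:
            continue
        tgt = _check_level(o.subcategory, target[o.subcategory])
        cur = _check_level(o.subcategory, current.get(o.subcategory, 1))
        if tgt > cur:
            gaps.append(Gap(o.subcategory, o.function, cur, tgt, o.priority))
    # Business priority first, then the largest gap, then a stable name order.
    gaps.sort(key=lambda g: (g.priority, -g.size, g.subcategory))
    return gaps


def action_plan(gaps, budget):
    """Allocate a budget of level steps to the gaps in priority order.

    Returns (subcategory, from_level, to_level) tuples. The one-unit-per-level cost
    is a constructed assumption standing in for the funds and personnel estimate.
    """
    plan = []
    remaining = budget
    for g in gaps:
        if remaining <= 0:
            break
        steps = min(g.size, remaining)
        plan.append((g.subcategory, g.current, g.current + steps))
        remaining -= steps
    return plan


# Constructed sample profiles. "BACKUP-RESTORE" has no target entry, so it is out of scope.
OUTCOMES = [
    Outcome("ASSET-INVENTORY", "FN-1", 1),
    Outcome("ACCESS-CONTROL", "FN-2", 1),
    Outcome("MONITORING", "FN-3", 2),
    Outcome("RESPONSE-PLAN", "FN-4", 2),
    Outcome("BACKUP-RESTORE", "FN-5", 3),
]
CURRENT_PROFILE = {"ASSET-INVENTORY": 2, "ACCESS-CONTROL": 1, "MONITORING": 2,
                   "RESPONSE-PLAN": 3, "BACKUP-RESTORE": 3}
TARGET_PROFILE = {"ASSET-INVENTORY": 3, "ACCESS-CONTROL": 3, "MONITORING": 3,
                  "RESPONSE-PLAN": 3}


if __name__ == "__main__":
    found = find_gaps(OUTCOMES, CURRENT_PROFILE, TARGET_PROFILE)
    for g in found:
        print(f"{g.subcategory:16} {g.function}  level {g.current} -> {g.target}  priority {g.priority}")
    for name, frm, to in action_plan(found, budget=3):
        print(f"plan: raise {name} from level {frm} to {to}")
```

With the constructed profiles, ACCESS-CONTROL is listed first (priority 1 and a two-level gap), ASSET-INVENTORY second, MONITORING third, and RESPONSE-PLAN does not appear because it already meets its target. A budget of three level steps closes the first two gaps and leaves MONITORING for a later cycle, which is the kind of output the "determine, analyze and prioritize gaps" step is meant to produce.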

The NIST Framework can also be used to communicate cybersecurity requirements to stakeholders, or to inform purchasing decisions about information-related products and services.

As you have seen throughout this article, the NIST Cybersecurity Framework is another valid option for implementing appropriate programs that manage and safeguard information security in organizations.
