A Quick Guide to the NIST Cybersecurity Framework

October 26, 2021 at 04:06 pm EDT

The NIST Cybersecurity Framework provides security guidelines for a company to improve cyber resilience. Here is a quick guide to the framework.

Key Points:

The NIST Cybersecurity Framework provides a methodology for companies to manage cyberattack risks.
The major framework functions are Identify, Protect, Detect, Respond and Recover.
Using profiles, a company assesses its current standards and practices and identifies its target level of cybersecurity resilience.

Every month brings a new form of cyberattack. Just as a company fends off the current ransomware or phishing attack, a newer and more malicious attack appears on the horizon. The best defense is a formal strategy for cyber resilience, both to ward off attacks and to handle and recover from those that break through. The Cybersecurity Framework documented by the National Institute of Standards and Technology (NIST)[1]lays out practical guidelines and standards for both public agencies and private companies to manage cyberattack risks and maintain cyber resilience.

What Is the NIST Cybersecurity Framework?

Originally designed for critical infrastructure systems, the NIST framework can be applied to organizations in any sector. Companies can implement as much of the framework as is practical and cost-effective for their current business environment, on a voluntary basis.

This is not the only cybersecurity framework. Using general frameworks, such as the International Organization for Standardization (ISO) 27001 and 27002 standards, a company can validate cybersecurity readiness to their customers and partners. Other cybersecurity frameworks protect data in specific sectors, such as finance, energy and healthcare.

The purpose of the NIST Cybersecurity Framework is to help organizations assess and manage risk, as well as communicate that strategy to internal and external stakeholders. It's intended to facilitate communications throughout the company - from end users to the executive suite. Companies can also use the framework to communicate and coordinate risk management activities with business partners throughout their supply chain.

Why Your Company Needs a Cybersecurity Framework
Today's reliance on technology and interconnected systems increases vulnerability to cyberattacks. Additionally, it's critically important in the current environment to ensure the security of user and customer data. The NIST Cybersecurity Framework can minimize cyberattack vulnerabilities that expose private data.

Organizations can use the NIST Cybersecurity Framework to marry business objectives with security objectives either by creating a new cybersecurity program or improving an existing one. Additionally, the framework is flexible, so companies can implement what fits their business priorities and risk tolerance.

Using the framework won't eliminate all exposure, but if attacked, the cyber resilience plan will help companies respond and recover. And since a company is often only as secure as its supply chain partners, the NIST Cybersecurity Framework can help establish cyberattack protection requirements with partner companies.

The NIST Cybersecurity Framework Explained
NIST continuously evolves the Cybersecurity Framework in collaboration with industry, under the Cybersecurity Enhancement Act of 2014. The original target audience was critical infrastructure organizations, such as utilities, transportation and healthcare, but now any company can take advantage of the NIST Cybersecurity Framework recommendations and strategies. In fact, companies across the globe have implemented this framework,[2]and NIST has recently increased efforts to extend its tools to small and midsize businesses.[3]The framework focuses on global standards and best practices, and it is technology neutral.

As a cyber resilience framework, the NIST Cybersecurity Framework specifies a set of activities to achieve defined outcomes for mitigating cyber risk and recovering from attacks.

The Framework Core comprises five functions: Identify, Protect, Detect, Respond and Recover. Within each function are categories and subcategories, which consist of activities and recommended references that describe standards and practices for achieving the goals of each function.
Four Implementation Tiers define the degree to which an organization implements the framework - from basic implementations (Tier 1) to more advanced and agile security plans (Tier 4).
Profiles describe the current and desired state of security. The Current Profile represents a company's existing practices and standards, while the Target Profile represents the cyber security resilience the company wants to achieve.

The next section more fully explains the three components.

Key Functions of a NIST Cybersecurity Framework

Critical to the NIST Cybersecurity Framework are the five Core Functions, which are intended to be executed concurrently and continuously:

Identify: For this function, a company identifies its critical resources and the risks associated with those resources. For example, for ransomware attacks, the company might identify users as the main entry-point risk - especially users working remotely -and also prioritize company data to be protected. Categories under this function include Asset Management, Business Environment, Governance, Risk Assessment and Risk Management Strategy.
Protect: This is where the company develops safeguards to ensure continuous delivery of business functions. Using the same example of ransomware attacks, the company may employ multiple actions, such as strengthening email securityby training users, warning them not to open suspicious emails, implementing artificial intelligence to screen and discard phishing emails before being delivered to users, and using two-phase authentication to make it more difficult for attackers to steal credentials. And to protect the data, the company may create offsite backups. Categories under Protect include Identity Management and Access Control, Awareness and Training, Data Security, Information Protection Processes and Procedures, Maintenance and Protective Technology.
Detect: For this function, the company develops methods to discover an intrusion or attack. For example, the company can monitor user logins for anomalies or be on the lookout for ransomware-delivery trojans. Ideally, the ransomware trojan can be detected before it drops its payload. Categories for Detect include Anomalies and Events, Security Continuous Monitoring and Detection Processes.
Respond: After a successful attack, the company must be prepared to notify the appropriate stakeholders and halt the intrusion. After a ransomware attack, for example, a company with offsite data backups should be able to respond without paying the ransom. Categories here are Response Planning, Communications, Analysis, Mitigation and Improvements.
Recover: In this step, a company restores any damaged resources to normal operation. In a ransomware attack, that means restoring the data from an offsite backup and cleansing user devices. Categories are Recovery Planning, Improvements and Communications.

Many factors affect the Cybersecurity Framework Tier that a company will choose to implement. The level of risk and a company's risk tolerance, regulatory requirements, supply chain security requirements and business constraints are just a few. The four Tiers are:

Tier 1, Partial: Characterized by an informal and reactive approach to cybersecurity risk, in this Tier organizations respond on a case-by-case basis without coordinating with business partners.
Tier 2, Risk Informed: Awareness of risk but no company-wide program is implemented. Some limited cooperation with business partners.
Tier 3, Repeatable: Risk management is set as company-wide policy and regularly reviewed. In this Tier, companies collaborate with outside entities via agreements with supply chain partners.
Tier 4, Adaptive: Organizations in this Tier continuously improve cybersecurity practices organization-wide, adopting advanced technologies to face changing threats. They proactively monitor their supply chain environment, in which they have formal agreements.

A company's NIST Cybersecurity Framework Profile represents a company's security environment and risk tolerance.

Current Profile: A company's self-assessment of its cybersecurity readiness, which may uncover weaknesses in its policies and procedures.
Target Profile: A company's desired level of cybersecurity readiness.

By comparing its Current Profile with its Target Profile, a company can measure the costs and benefits of its cybersecurity activities and develop an action plan to advance to the Target Profile.

How to Get Started with Your Cybersecurity Framework

If you are interested in creating a new cybersecurity framework for your organization, or improving your current cybersecurity practices, you can do so in a few steps:

Identify your business's mission and the resources that need to be protected. Also consider any regulatory and privacy requirements and identify related threats. From that information, describe your priorities and assess your risks and risk tolerance.
Develop your Current Profile. List the practices already in place as well as outcomes achieved or partially achieved. Conduct a risk assessment to determine the likelihood of an event and the resulting impact. It's important to be up to date on current threats.
Develop your Target Profile. For any vulnerabilities uncovered in the Current Profile, identify additional practices and standards to implement. If the Target Profile seems unreachable with current staffing, consider adding resources.
At each step, communicate the state of cybersecurity risk to internal and external stakeholders.

The Bottom Line

Implementing a cybersecurity framework is not a job that's "one and done." Cybercriminals don't rest and neither can a business. Assessing risk should be repeated at intervals because achieving cybersecurity resilience is an ongoing process. Using the NIST Cybersecurity Framework, organizations can determine where their security vulnerabilities lie and how to limit and manage cyberattacks.

[1]"Framework for Improving Critical Infrastructure Cybersecurity," National Institute of Standards and Technology

[2]"NIST Marks Fifth Anniversary of Popular Cybersecurity Framework," National Institute of Standards and Technology

[3]"Small and Medium Business Resources," National Institute of Standards and Technology

Want more great articles like this?Subscribe to our blog.

Get all the latest news, tips and articles delivered right to your inbox

Thanks forSubscribing

You will receive an email shortly

Take me back to the article please

Attachments

Original document
Permalink

Disclaimer

Mimecast Limited published this content on 26 October 2021 and is solely responsible for the information contained therein. Distributed by Public, unedited and unaltered, on 26 October 2021 20:05:03 UTC.

Mimecast Limited Announces CEO Changes	Jan. 16	CI
Mimecast Limited acquired Elevate Security, Inc.	Jan. 03	CI
Mimecast Limited Appoints Janet Prosper as Chief Human Resources Officer	Nov. 28	CI
Mimecast Announces Protection for Microsoft Teams to Strengthen Essential Collaboration Tools	23-07-25	CI
Cyware Announces Technology Partnership with Mimecast to Extend Cyber Fusion with Advanced Email Security	23-06-20	CI
Mimecast and Carahsoft Partner to Provide Advanced Email and Collaboration Security Solutions to the Public Sector	23-06-13	CI
Stellar Cyber and Mimecast Partner to Deliver Automated, Scalable Phishing Attack Mitigation Solution	23-06-12	CI
Mimecast Limited Announces Management Appointments	23-04-25	CI
Mimecast Limited Names David Helfer as Chief Revenue Officer	23-01-31	CI
Mimecast Limited Announces Executive Changes	23-01-24	CI
Mimecast Partners With Okta to Safeguard Enterprises from Insider Threat Attacks	22-11-08	CI
Mimecast Limited Appoints Norman Guadagno as Chief Marketing Officer	22-11-02	CI
Mimecast Limited Appoints Rafe Brown as President and Chief Operating Officer	22-09-13	CI
Berenberg Bank Terminates Coverage on Mimecast Following the Completion of its Acquisition by Pemira Holdings	22-05-23	MT
Mimecast Finalizes Take-Private Sale to Permira, No Longer Trades on Public Markets	22-05-19	MT
Mimecast Limited(NasdaqGS:MIME) dropped from NASDAQ Composite Index	22-05-19	CI
Mimecast Limited(NasdaqGS:MIME) dropped from S&P 1000	22-05-19	CI
Mimecast Limited(NasdaqGS:MIME) dropped from S&P 400 Application Software (Sub Ind)	22-05-19	CI
Mimecast Limited(NasdaqGS:MIME) dropped from S&P 400 Information Technology	22-05-19	CI
Mimecast Limited(NasdaqGS:MIME) dropped from S&P Composite 1500	22-05-19	CI
Mimecast Limited(NasdaqGS:MIME) dropped from S&P 400	22-05-19	CI
Mimecast Limited(NasdaqGS:MIME) dropped from S&P Software & Services Select Industry Index	22-05-19	CI
Mimecast Limited(NasdaqGS:MIME) dropped from S&P TMI Index	22-05-19	CI
Mimecast Limited(NasdaqGS:MIME) dropped from S&P Global BMI Index	22-05-19	CI
Permira completed the acquisition of Mimecast Limited.	22-05-18	CI

Mimecast

Equities

MIME

GB00BYT5JK65

A Quick Guide to the NIST Cybersecurity Framework

Latest news about Mimecast

Chart Mimecast

Company Profile