Introduction 

Data is an organization's most valuable asset, which is why data security has become an international agenda. Data breaches and security failures can put the world economy at risk. Recognizing this need for national and economic security, the President of the United States issued an executive order to develop a cybersecurity framework to help reduce cyber risks.

Cybersecurity Framework NIST

Hi folks, today I come with another interesting post on cybersecurity. So first let's have a look at the agenda of today's post. To begin with, we will see how the US government recognized the need for reliable functioning of its national and economic infrastructure and set out to improve critical infrastructure security. Next, we'll discuss the importance of cybersecurity frameworks and why an organization needs one. Then I'll tell you about the different types of frameworks. Moving on, I'll tell you about the components that make up a cybersecurity framework, and after discussing the framework I'll tell you what steps are required to implement it in an organization. Finally, I'll describe a common flow of information and decisions at the different levels within an organization.

How the US Government Realised the Need for Reliable Function to Secure National and Economic Infrastructure

Recognizing that the national and economic security of the United States depends on the reliable functioning of critical infrastructure, the President issued Executive Order 13636, Improving Critical Infrastructure Cybersecurity.

In February 2013 the order directed NIST to work with stakeholders to develop a voluntary framework, based on existing standards, guidelines and practices, for reducing cyber risks to critical infrastructure. The Cybersecurity Enhancement Act of 2014 reinforced NIST's role under Executive Order 13636, which was carried out through collaboration between industry and government. The voluntary framework consists of standards, guidelines and practices to promote the protection of critical infrastructure; its prioritized, flexible, repeatable and cost-effective approach helps owners and operators of critical infrastructure manage cybersecurity-related risks.

Now, according to section 7 of the executive order, the Secretary of Commerce shall direct the Director of the National Institute of Standards and Technology to lead the development of a framework to reduce cyber risks to critical infrastructure. The cybersecurity framework shall include a set of standards, methodologies, procedures and processes that align policy, business and technological approaches to address cyber risks, and it shall incorporate voluntary consensus standards and industry best practices to the fullest extent possible.

Why Do We Need a Cybersecurity Framework?

Now, let's see why exactly we need a cybersecurity framework. The framework helps an organization better understand, manage and reduce its cybersecurity risks. It assists in determining which activities are most important to assure critical operations and service delivery, which in turn helps prioritize investments and maximize the impact of each dollar spent on cybersecurity. It results in a shift from compliance to action and specifies outcomes by providing a common language for addressing cybersecurity risk management.

It is especially helpful in communicating both inside and outside the organization, which includes improving communication and awareness among IT planning and operating units as well as the organization's senior executives.

It gives you a measure of where you are and where you need to go. It can be implemented in stages or degrees, which makes it more appealing to business.

It has built-in maturity models and gap analysis, so you don't need additional maturity models on top of the CSF. Organizations can also readily use the framework to communicate current or desired cybersecurity postures between a buyer and a supplier.

What is a Cybersecurity Framework?

Now, let's see what exactly a cybersecurity framework is. The framework is voluntary guidance, based on existing standards, guidelines and practices, for organizations to better manage and reduce cybersecurity risks. In addition to helping organizations manage and reduce risks, it was designed to foster risk and cybersecurity management communications amongst both internal and external organizational stakeholders.

Types of Data Security Frameworks

Now, let's see the types of cybersecurity frameworks that we have. 

PCI DSS 

The first type of framework is PCI DSS, which stands for Payment Card Industry Data Security Standard. It is a set of security controls that must be implemented to protect payment account data. It is designed to protect credit card, debit card and cash card transactions.

ISO 27001 and 27002

The second type of framework that we have is ISO 27001 and 27002, where ISO stands for the International Organization for Standardization. Nowadays, the best-practice recommendations for information security management and information security program elements come from this framework.

CIS

The third type of framework is the CIS Critical Security Controls. It is a prescribed set of activities for cyber defense that gives specific and practical ways to stop today's most pervasive and dangerous attacks. A key advantage of these controls is that they prioritize a small number of activities with high payoff.

NIST Framework 

Last but not least, we have the NIST framework. This framework was created for improving critical infrastructure cybersecurity, with the goal of improving an organization's readiness for managing cybersecurity risk by leveraging standard methodologies and processes. Of all the frameworks we just discussed, this is the most popular one.

The NIST Framework was developed in February 2013 after the US presidential executive order. It was designed to address national and economic challenges, and it is voluntary, at least for the private sector.

Objectives of the NIST Cybersecurity Framework

Now, let's discuss the objectives of the NIST framework. The cybersecurity framework's prioritized, flexible and cost-effective approach helps to promote the protection and resilience of critical infrastructure and other sectors important to the economy and national security. The framework was developed to be adaptable, flexible and scalable by an organization. It should also improve an organization's readiness for managing cybersecurity risks. The framework was designed to be flexible and performance-based, and it should be cost-effective.

It should leverage standards, methodologies and processes, should promote technological advancement and innovation, and should be actionable across the enterprise with a focus on outcomes.

Components of NIST Cybersecurity Framework 

Now, let's discuss the components of the NIST cybersecurity framework. The cybersecurity framework consists of three main components, namely the core, the implementation tiers, and the profiles. The framework core provides a set of desired cybersecurity activities and outcomes using common language that is easy to understand.

The core guides organizations in managing and reducing their cybersecurity risks in a way that complements an organization's existing cybersecurity and risk management processes.

Next we have the framework implementation tiers, which assist an organization by providing context on how it views cybersecurity risk management. The tiers guide organizations to consider the appropriate level of rigor for their cybersecurity program and are often used as a communication tool to discuss risk appetite, mission priority, and budget.

Last but not least are the framework profiles, which are an organization's unique alignment of its organizational requirements and objectives, risk appetite and resources against the desired outcomes of the framework core. Profiles are primarily used to identify and prioritize opportunities for improving cybersecurity at an organization.

Framework Tiers

Let's discuss the framework tiers. The tiers describe the degree to which an organization's cybersecurity risk management practices exhibit the characteristics defined in the framework.

The tiers range from Partial (Tier 1) to Adaptive (Tier 4) and describe an increasing degree of rigor, how well integrated cybersecurity risk decisions are into broader risk decisions, and the degree to which an organization shares and receives cybersecurity information from external parties.

Tiers do not necessarily represent maturity levels. Organizations should determine the desired tier, ensuring that the selected level meets organizational goals, reduces cybersecurity risks to a level acceptable to the organization, and is feasible to implement, fiscally and otherwise.

Framework Core

The core is a set of desired cybersecurity activities and outcomes, organized into categories and aligned to informative references.

The framework core is designed to be intuitive and to act as a translation layer that enables communication between multidisciplinary teams by using simple, non-technical language.

The core consists of three parts: functions, categories and subcategories. The core includes five high-level functions, which are Identify, Protect, Detect, Respond and Recover. These five functions are applicable not only to cybersecurity risk management, but also to risk management as a whole.

The core asks an organization to identify which processes and assets need to be protected; after assessing that, you need to find out what protection is available. Then you need to find out which techniques can identify threats and which techniques can contain the impact of an incident, and finally the core defines which techniques can restore the organization's capabilities to their state before the attack.

Framework Core Functions

All right. Now, let's dive deeper into the functions to see what these functions actually do and what purpose they serve. So the functions are at the highest level of abstraction included in the framework. They act as the backbone of the framework core that all the other elements are organized around. 

Framework Core Function: Identify 

So the first function, Identify, helps develop an organizational understanding of how to manage cybersecurity risk to systems, people, assets, data and capabilities. The activities in the Identify function are foundational for effective use of the framework. Understanding the business context, the resources that support critical functions, and the related cybersecurity risks enables an organization to focus and prioritize its efforts consistent with its risk management strategy. Examples of outcome categories within this function include asset management, business environment, governance, risk assessment and risk management strategy.

Framework Core Function: Protect 

Now, the next function is Protect: to develop and implement appropriate safeguards to ensure delivery of critical services. The Protect function supports the ability to limit or contain the impact of a potential cybersecurity event. Examples of outcome categories within this function include identity management and access control, awareness and training, data security, information protection processes and procedures, maintenance, and protective technology.

Framework Core Function: Detect 

The next function is Detect. This is used to develop and implement appropriate activities to identify the occurrence of a cybersecurity event. The Detect function enables timely discovery of cybersecurity events. Examples of outcome categories within this function include anomalies and events, security continuous monitoring, and detection processes.

Framework Core Function: Respond 

Next we have the Respond function. This is used to develop and implement appropriate activities to take action regarding a detected cybersecurity incident. The Respond function supports the ability to contain the impact of a potential cybersecurity incident. The outcome categories within this function include response planning, communications, analysis, mitigation and improvements.

Framework Core Function: Recover

Last but not least we have the Recover function. It is used to develop and implement appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity incident. The Recover function supports timely recovery to normal operations to reduce the impact of a cybersecurity incident. Examples of outcome categories within this function include recovery planning, improvements and communications.

These five functions were selected because they represent the five primary pillars for a successful and holistic cybersecurity program.

They aid organizations in easily expressing their management of cybersecurity risk at a high level and enable risk management decisions.

Framework Profile 

Okay. Now, let's understand the last component of the NIST framework. NIST recommends that the framework be customized in a way that maximizes business value and that customization is referred to as a profile. Profiles are an organization's unique alignment of their organizational requirements and objectives, risk appetite and resources against the desired outcomes of the framework core. Profiles can be used to identify opportunities for improving cybersecurity posture by comparing a current profile with the target profile. Profiles are about optimizing the cybersecurity framework to best serve the organization. 

The framework is voluntary, so there is no right or wrong way to do it. One way of approaching profiles is for an organization to map its cybersecurity requirements, mission objectives and operating methodologies, along with its current practices, against the subcategories of the framework core to create a current state profile. These requirements and objectives can then be compared against the current operating state of the organization to gain an understanding of the gaps between the two.

Steps to Implement Cybersecurity Framework 

The following steps illustrate how an organization could use the framework to create a new cybersecurity program or improve an existing one. These steps should be repeated as necessary to continually improve cybersecurity.

The first step is to prioritize and scope. The organization identifies its business mission, objectives and high-level organizational priorities. With this information the organization makes strategic decisions regarding cybersecurity implementations and determines the scope of systems and assets that support the selected business line or process. The framework can be adapted to support the different business lines or processes within an organization, which may have different business needs and associated risk tolerances. Risk tolerances may be reflected in a target implementation tier.

Step 2 is to orient. Once the scope of the cybersecurity program has been determined for the business line or process, the organization identifies related systems and assets, regulatory requirements and its overall risk approach. The organization then consults sources to identify threats and vulnerabilities applicable to those systems and assets.

Step 3 is to create a current profile. The organization develops a current profile by indicating which category and subcategory outcomes from the framework core are currently being achieved. If an outcome is partially achieved, noting this fact will help support subsequent steps by providing baseline information.

The fourth step is to conduct a risk assessment. This assessment could be guided by the organization's overall risk management process or by previous risk assessment activities. The organization analyzes the operational environment in order to discern the likelihood of a cybersecurity event and the impact that the event could have on the organization. It is important that the organization identify emerging risks and use cyber threat information.

The fifth step is to create a target profile. The organization creates a target profile that focuses on the assessment of the framework categories and subcategories describing the organization's desired cybersecurity outcomes. Organizations may also develop their own additional categories and subcategories to account for unique organizational risks. The organization may also consider the influences and requirements of external stakeholders, such as sector entities, customers and business partners, when creating a target profile. The target profile should appropriately reflect the criteria of the target implementation tier.

The sixth step is to determine, analyze and prioritize gaps. The organization compares the current profile and the target profile to determine gaps. Next, it creates a prioritized action plan to address the gaps, reflecting mission drivers, costs and benefits, and risks, to achieve the outcomes in the target profile. The organization then determines the resources, including funding and workforce, necessary to address the gaps. Using profiles in this manner encourages the organization to make informed decisions about cybersecurity activities, supports risk management, and enables the organization to perform cost-effective, targeted improvements.

The last step is to implement the action plan. The organization determines which actions to take to address the gaps, if any, identified in the previous step and then adjusts its current cybersecurity practices to achieve the target profile. For further guidance, the framework identifies example informative references for the categories and subcategories, but organizations should determine which standards, guidelines and practices, including those that are sector-specific, work best for their needs. An organization repeats the steps as needed to continuously assess and improve its cybersecurity; for instance, organizations may find that more frequent repetition of the orient step improves the quality of risk assessments.

Furthermore, organizations may monitor progress through iterative updates to the current profile, subsequently comparing the current profile to the target profile. Organizations may also use this process to align their cybersecurity program with their desired framework implementation tier.
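Steps 3 through 7 above are a small data-processing loop: record a current profile, set a target profile, compute the gaps, prioritize them against risk and cost, fund what the budget allows, and update the current profile after implementation. The following Python script is an added example written for this post, not code from NIST or from the framework itself, that runs that loop on constructed sample data. The subcategory codes follow the CSF v1.1 naming scheme, but their descriptions are abbreviated paraphrases, and the achievement levels, risk weights, costs and budget are all invented for illustration.

```python
"""Added example (not from the post or from NIST): a current/target profile gap
analysis in the style of the framework's seven implementation steps. All codes,
achievement levels, weights, costs and the budget are constructed sample data."""
from __future__ import annotations

from dataclasses import dataclass
from enum import IntEnum


class Achievement(IntEnum):
    """How far a subcategory outcome is achieved (step 3 asks for partial too)."""
    NOT_ACHIEVED = 0
    PARTIAL = 1
    ACHIEVED = 2


# A handful of core subcategories grouped by function. Codes follow the CSF v1.1
# naming scheme; the descriptions are abbreviated paraphrases for illustration.
CORE = {
    "ID.AM-1": ("Identify", "physical devices and systems are inventoried"),
    "ID.AM-2": ("Identify", "software platforms and applications are inventoried"),
    "PR.AC-1": ("Protect", "identities and credentials are managed for authorized users"),
    "DE.CM-1": ("Detect", "the network is monitored to detect potential events"),
    "RS.RP-1": ("Respond", "response plan is executed during or after an incident"),
    "RC.RP-1": ("Recover", "recovery plan is executed during or after an incident"),
}

# Constructed current profile (step 3) and target profile (step 5).
CURRENT_PROFILE = {
    "ID.AM-1": Achievement.ACHIEVED,
    "ID.AM-2": Achievement.PARTIAL,
    "PR.AC-1": Achievement.PARTIAL,
    "DE.CM-1": Achievement.NOT_ACHIEVED,
    "RS.RP-1": Achievement.NOT_ACHIEVED,
    "RC.RP-1": Achievement.PARTIAL,
}
TARGET_PROFILE = {code: Achievement.ACHIEVED for code in CORE}

# Constructed risk weights from the risk assessment (step 4) and effort estimates (step 6).
RISK_WEIGHT = {"ID.AM-1": 2, "ID.AM-2": 3, "PR.AC-1": 5, "DE.CM-1": 4, "RS.RP-1": 4, "RC.RP-1": 2}
COST = {"ID.AM-1": 1, "ID.AM-2": 2, "PR.AC-1": 3, "DE.CM-1": 4, "RS.RP-1": 2, "RC.RP-1": 1}


@dataclass(frozen=True)
class Gap:
    code: str
    function: str
    current: Achievement
    target: Achievement
    risk_weight: int
    cost: int

    @property
    def shortfall(self) -> int:
        return int(self.target) - int(self.current)

    @property
    def priority(self) -> float:
        """Bigger shortfall on riskier outcomes first; cheaper fixes rank higher on ties."""
        return self.shortfall * self.risk_weight / self.cost


def determine_gaps(current, target, risk_weight, cost) -> list[Gap]:
    """Step 6: every subcategory where the target outcome exceeds the current one."""
    gaps = []
    for code, wanted in target.items():
        have = current.get(code, Achievement.NOT_ACHIEVED)
        if wanted > have:
            gaps.append(Gap(code, CORE[code][0], have, wanted, risk_weight[code], cost[code]))
    return gaps


def prioritize(gaps: list[Gap]) -> list[str]:
    """Ordered action list: highest priority first, deterministic by code on ties."""
    return [g.code for g in sorted(gaps, key=lambda g: (-g.priority, g.code))]


def action_plan(gaps: list[Gap], budget: int) -> tuple[list[str], list[str]]:
    """Fund gaps in priority order until the budget is spent; the rest are deferred."""
    by_code = {g.code: g for g in gaps}
    funded, deferred, remaining = [], [], budget
    for code in prioritize(gaps):
        if by_code[code].cost <= remaining:
            funded.append(code)
            remaining -= by_code[code].cost
        else:
            deferred.append(code)
    return funded, deferred


def update_current_profile(current, target, completed: list[str]) -> dict:
    """Step 7 and ongoing monitoring: record the outcomes reached after implementation."""
    updated = dict(current)
    for code in completed:
        updated[code] = target[code]
    return updated


def coverage(current, target) -> float:
    """Share of the target's outcome levels the current profile reaches (1.0 = no gaps)."""
    reached = sum(min(int(current.get(code, 0)), int(level)) for code, level in target.items())
    return reached / sum(int(level) for level in target.values())


if __name__ == "__main__":
    gaps = determine_gaps(CURRENT_PROFILE, TARGET_PROFILE, RISK_WEIGHT, COST)
    funded, deferred = action_plan(gaps, budget=7)
    print("prioritized gaps:", prioritize(gaps))
    print("funded this cycle:", funded, "| deferred:", deferred)
    after = update_current_profile(CURRENT_PROFILE, TARGET_PROFILE, funded)
    print(f"coverage before {coverage(CURRENT_PROFILE, TARGET_PROFILE):.2f}, after {coverage(after, TARGET_PROFILE):.2f}")
```

With the sample data, the unfunded Respond gap ranks first because it is both fully unachieved and high-risk, while two lower-priority gaps are deferred to the next cycle; re-running the script with the updated current profile as the new starting point is exactly the iterative comparison the post describes. The priority formula is a deliberately simple ratio of risk-weighted shortfall to cost; an organization would substitute whatever mission drivers and cost-benefit criteria came out of its own step 6.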

The framework also helps guide key decision points about risk management activities through the various levels of an organization. It describes a common flow of information and decisions at the following levels within an organization: executive, business process, and implementation or operations. The executive level communicates mission priorities, available resources and overall risk tolerance to the business process level. The business process level uses that information as input into the risk management process and then collaborates with the implementation or operations level to communicate business needs and create a profile. The implementation or operations level, in turn, communicates progress on implementing the profile back to the business process level.

The business process level uses this information to perform an impact assessment. Business process level management then reports the outcomes of that impact assessment to the executive level, to inform the organization's overall risk management process, and to the implementation or operations level, for awareness of the business impact.

Okay, guys, that was it from me on the topic of cybersecurity frameworks. We discussed how NIST has changed the whole cybersecurity environment since the framework was released in February 2013. I hope you all learned something valuable. I hope I did justice to the topic and that you enjoyed reading the post. Please be kind enough to share it, and you can comment with any doubts and queries and we will reply at the earliest. Do look out for more posts on this blog. Goodbye!
