NIST Framework:- Absolute Beginners Approach

Kaustubh
7 min read, Nov 4, 2021


Risk Management Begins here!!

The National Institute of Standards and Technology's (NIST) Cybersecurity Framework (CSF), first published in February 2014, helps organizations of all sizes understand, manage and reduce cybersecurity risk and protect their networks and data. The framework is voluntary (adopting it is a business decision, not a legal requirement) and deliberately flexible: an organization tailors it to its own business needs, risk tolerance and resources. It also helps decide where to focus time and money for the best cybersecurity return.

Didn't Get it?

Another way of explaining NIST CSF is to think of protecting your personal assets like your car.

Photo by Benjamin Brunner on Unsplash

You first think of all the risks your car faces at any point in time: an accident, engine damage, theft of a wheel or of the entire car, a flat tire, rust, faults in the AC, the ECU or the internal computer, and so on. Once you have identified the risks, you take precautionary measures such as buying insurance to cover accidental damage, servicing the car on time to prevent mechanical breakdowns, repainting the rusted parts, etc. Once the precautions are in place, you keep checking the whole car regularly for things that could go wrong in the future and stay prepared for any unwanted event. If you are a well-organized person, you document all of this and keep a playbook you can consult instantly when a problem occurs. This is exactly what NIST has done to help businesses address IT risks and stay safe from cyber attacks.

The NIST Cybersecurity Framework is not as simple as I made it look above; it has many moving parts. Let us now look at a high-level overview of the framework.

The NIST CSF is built around five core functions, collectively called the Framework Core. They are not a one-way checklist: NIST intends them to be performed concurrently and continuously, so that together they form a lifecycle for managing cyber risk. Each function has an important place in the overall framework and is essential for a well-operating security program.

Identify

  • This is the first step, in which you identify all the IT assets that are exposed to risk.
  • In the car example above, we identified everything that can go wrong with the car. Similarly, in the identification phase we make a list of all the equipment, software and data in use, including laptops, tablets and POS devices.
  • Identification can go deeper, for example identifying roles and responsibilities for vendors, employees and anyone else with access to sensitive data.
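The Identify function is only as good as the asset inventory behind it, and the quickest way to find out how complete your inventory is to compare what you believe you own against what is actually talking on the network. The script below is an added example, not part of the original post: it reconciles a constructed, hypothetical inventory CSV (hostname, MAC, owner, classification) against a constructed list of observed devices written in the style of a dnsmasq leases file (expiry, MAC, IP, hostname, client-id), and reports devices seen but not inventoried, inventoried but not seen, and inventoried with no owner. All hosts, MACs and IPs are made up.

```python
"""Asset-inventory reconciliation for the CSF Identify function (ID.AM-1 style check).

Added example; the inventory and the lease data below are constructed, not real.
"""
import csv
import io
import re

# Constructed, hypothetical authorized inventory. A blank owner is a deliberate gap.
INVENTORY_CSV = """\
hostname,mac,owner,classification
pos-01,00:1a:2b:3c:4d:01,retail-ops,high
laptop-finance-07,00:1a:2b:3c:4d:02,finance,high
printer-lobby,00:1a:2b:3c:4d:03,,low
"""

# Constructed list of what a DHCP server actually handed addresses to,
# in dnsmasq leases-file style: <expiry> <mac> <ip> <hostname> <client-id>.
# Note the mixed-case MAC and the unknown Android device.
LEASES = """\
1636000000 00:1a:2b:3c:4d:01 10.0.1.11 pos-01 *
1636000050 00:1A:2B:3C:4D:02 10.0.1.12 laptop-finance-07 *
1636000090 de:ad:be:ef:00:01 10.0.1.77 android-8f3c *
"""


def normalize_mac(mac):
    """Canonical lowercase colon-separated form so 'AA-BB-..' and 'aa:bb:..' compare equal."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).lower()


def parse_inventory(text):
    """Map normalized MAC -> inventory row for the authorized asset list."""
    rows = {}
    for row in csv.DictReader(io.StringIO(text)):
        rows[normalize_mac(row["mac"])] = row
    return rows


def parse_leases(text):
    """Map normalized MAC -> {ip, hostname} for devices observed on the network."""
    seen = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip blank or malformed lines
        seen[normalize_mac(parts[1])] = {"ip": parts[2], "hostname": parts[3]}
    return seen


def reconcile(inventory, observed):
    """Three findings a practitioner wants from ID.AM: unknown, missing and unowned assets."""
    unknown = sorted(m for m in observed if m not in inventory)  # on the wire, not on the books
    missing = sorted(m for m in inventory if m not in observed)  # on the books, not seen (stale or offline)
    unowned = sorted(m for m, r in inventory.items() if not r["owner"].strip())
    return {"unknown": unknown, "missing": missing, "unowned": unowned}


if __name__ == "__main__":
    report = reconcile(parse_inventory(INVENTORY_CSV), parse_leases(LEASES))
    for finding, macs in report.items():
        print(f"{finding}: {macs}")
```

In practice you would feed `parse_leases` the real leases file (or ARP tables from your switches) and `parse_inventory` an export from your CMDB; the "unknown" list is where shadow IT and rogue devices show up, and the "unowned" list is where the roles-and-responsibilities part of Identify is still incomplete.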

Protect

  • In this step, appropriate safeguards are developed and implemented to protect against cyber attacks and to limit the damage if one succeeds.
  • In the car example above, we put measures on the car to mitigate its risks. Similarly, an organization must control access to digital and physical assets, provide awareness education and training, put processes in place to secure data, maintain baselines of network configuration and operations so that system components can be repaired in a timely manner, and deploy protective technology to ensure cyber resilience.

Detect

  • In this phase, the aim is to find out whether the company's assets are already compromised or whether active attempts to compromise them are under way.
  • In the car example above, we keep checking the car even after every precaution has been taken, so that we notice a problem early. Similarly, this function covers how the organization's security team determines that a breach has happened.
  • Meeting this function requires continuous monitoring that detects anomalous activity and other threats to operational continuity. An organization needs visibility into its networks to anticipate a cyber incident and to have the information at hand to respond to one. Continuous monitoring and threat hunting are effective ways to find and analyze incidents early, including in ICS networks.
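"Detect anomalous activity" stays abstract until you see a detection rule run over real-looking data. The script below is an added example, not part of the original post: it parses constructed OpenSSH-style auth log lines (the hosts, users and IPs are made up) and raises an alert when one source IP fails to log in at least a threshold number of times inside a sliding time window and then succeeds, which is the classic signature of a password brute force that worked. The year is assumed to be 2021 because syslog timestamps carry none.

```python
"""Brute-force-then-success detection for the CSF Detect function (DE.CM / DE.AE style rule).

Added example; the log lines below are constructed, not captured from a real system.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed OpenSSH/syslog-style lines. 203.0.113.5 fails five times then gets in;
# 198.51.100.9 is an ordinary user who fat-fingered a password once.
AUTH_LOG = """\
Nov  4 10:00:01 web1 sshd[2011]: Failed password for invalid user admin from 203.0.113.5 port 51000 ssh2
Nov  4 10:00:03 web1 sshd[2012]: Failed password for root from 203.0.113.5 port 51001 ssh2
Nov  4 10:00:05 web1 sshd[2013]: Failed password for root from 203.0.113.5 port 51002 ssh2
Nov  4 10:00:06 web1 sshd[2014]: Failed password for root from 203.0.113.5 port 51003 ssh2
Nov  4 10:00:08 web1 sshd[2015]: Failed password for root from 203.0.113.5 port 51004 ssh2
Nov  4 10:00:09 web1 sshd[2016]: Accepted password for root from 203.0.113.5 port 51005 ssh2
Nov  4 10:05:00 web1 sshd[2020]: Failed password for alice from 198.51.100.9 port 40000 ssh2
Nov  4 10:05:30 web1 sshd[2021]: Accepted publickey for alice from 198.51.100.9 port 40001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse_line(line, year=2021):
    """Turn one sshd line into an event dict, or None if the line is not a login result.

    Syslog timestamps have no year, so one is assumed (2021 here)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "ok": m["result"] == "Accepted", "user": m["user"], "ip": m["ip"]}


def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=2)):
    """Alert when an IP has >= threshold failures inside `window` and then a success.

    Failures older than the window are dropped, so a slow trickle of typos over a day
    does not accumulate into a false positive."""
    failures = defaultdict(deque)  # source ip -> timestamps of recent failures
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        recent = failures[ev["ip"]]
        while recent and ev["ts"] - recent[0] > window:
            recent.popleft()  # expire failures outside the sliding window
        if not ev["ok"]:
            recent.append(ev["ts"])
        elif len(recent) >= threshold:
            alerts.append({"ip": ev["ip"], "user": ev["user"],
                           "failures": len(recent), "at": ev["ts"]})
            recent.clear()  # one alert per successful intrusion, not one per later login
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(AUTH_LOG.splitlines()):
        print(f"ALERT {alert['at']}: {alert['ip']} brute-forced {alert['user']} "
              f"after {alert['failures']} failures")
```

This is the shape of a DE.CM rule a SIEM would run continuously; the threshold and window are the knobs you tune against your own false-positive rate, and the "success after failures" condition is what separates an actual compromise (a Respond trigger) from background internet noise that only needs counting.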

Respond

  • If a vulnerability remains and a cyberattack happens, the organization must be able to contain the impact. Once a breach is detected, the team must respond to it quickly.
  • Relate this to the car example: think of what happens to the car if you do not respond to a problem in time. The longer a cyberattack continues, the more damage critical functions may be exposed to.
  • The Respond function aims to minimize damage by promoting a rapid response. It outlines the actions the team can and should perform depending on the type and severity of the breach. To meet it, a company needs a response plan that defines communication lines among the appropriate parties, collects and analyzes information about the event, carries out all activities required to eradicate the incident, and feeds lessons learned back into revised response strategies.

Recover

  • A cyber attack very often disrupts business operations. This phase aims to bring everything back on track, including recovering any data that was lost as a result of the breach or attack.
  • It also covers restoring services on critical systems that were damaged by the intrusion, and it is the chance to identify which activities will make the organization's cybersecurity infrastructure more resilient in the future.
  • In addition to recovery planning and working out where improvements can be made, the Recover function requires communicating with both internal and external stakeholders (for example, employees and customers) about the incident.

Across the five functions, CSF v1.1 defines 23 categories and 108 subcategories. Each subcategory is mapped to informative references in other standards such as COBIT 5, ISO/IEC 27001, ISA 62443 and NIST SP 800-53, so an organization that already follows one of those can see which CSF outcomes it is covering.

Once you have put risk management practices in place, you need a way to judge how well they are implemented. Suppose you had the car serviced, but the garage had no winter-grade engine oil. The problem is fixed for now, but when winter arrives in a few months the engine may start to suffer unless the oil is changed. The fix was a one-off rather than a repeatable process, and that distinction is what the next part of the framework measures.

This is where Tiers come into the picture. NIST defines four Framework Implementation Tiers, which characterize how rigorous and integrated an organization's risk management practices are. They range from Tier 1 to Tier 4, and each Tier is described along three dimensions: Risk Management Process, Integrated Risk Management Program and External Participation. NIST is explicit that Tiers are not maturity levels and that moving to a higher Tier is encouraged only when it reduces risk in a cost-effective way.

Risk Management Process refers to the processes and ways in which the organization approaches cybersecurity risk.

Integrated Risk Management Program refers to how far risk management is embedded organization-wide; it tells leadership how well the organization has centralized its cyber risk information and can make decisions from it.

External Participation refers to the organization's awareness of, and engagement with, the wider business ecosystem in which it operates.

https://www.nist.gov/sites/default/files/images/2018/02/06/tiers.png

Tier 1- Partial

  • Risk Management Process:- In this tier, risk management is ad hoc, handled as each risk arrives. There is little or no planning, and risks are not prioritized by their degree of impact.
  • Integrated Risk Management Program:- Since there is no real program, the organization handles risk case by case, and cybersecurity information is not shared consistently within it.
  • External Participation:- Organizations in this tier lack an understanding of their business ecosystem: their position in the supply chain, their dependents and their dependencies. They are generally unaware of the supply chain risks they accept and of the risks they pass on to other members of the ecosystem.

Tier 2- Risk-Informed

  • Risk Management Process:- In this tier, risk management practices are approved by management but are not typically established as organization-wide policy. Although the practices are not standardized, cybersecurity activities are prioritized with reference to organizational risk, the threat environment and business requirements.
  • Integrated Risk Management Program:- A risk management program exists but is not standardized across the whole organization, and cybersecurity information is shared only informally. Risk assessments may occur, but they are neither standardized nor repeated periodically.
  • External Participation:- Organizations at this tier typically receive information but do not share it, and while they are aware of the risks associated with their supply chain, they do not usually act on them.

Tier 3- Repeatable

  • Risk Management Process:- Organizations in this tier have formally approved risk management practices, expressed and implemented as policy. Because the policies are well documented, they are updated regularly as business requirements and the threat landscape change.
  • Integrated Risk Management Program:- There is an organization-wide approach to managing risk. Policies, procedures and processes for managing risk are defined, implemented and reviewed on schedule, there are methods in place to respond effectively to changing risks, and personnel have the skills to perform their roles properly. Senior executives are informed about cyber risk on a regular basis.
  • External Participation:- The organization understands its role, dependencies and dependents in the larger ecosystem. It collaborates with and receives information from other entities regularly, which complements its internally generated information, and it shares information with them in turn. It is aware of the risks associated with its supply chain and acts on them formally, including through written agreements that communicate baseline requirements, governance structures, and policy implementation and monitoring.

Tier 4- Adaptive

  • Risk Management Process:- These organizations continually fine-tune their cybersecurity practices based on previous and current activity, including lessons learned and predictive indicators. They follow a process of continuous improvement, adopting advanced cybersecurity technologies and practices and actively adapting to the changing threat and technology landscape.
  • Integrated Risk Management Program:- Cyber risk is managed in the same way as financial and other organizational risks, and budget decisions are made on the basis of the current and potential risk environment.
  • External Participation:- The organization uses real-time, or near real-time, information shared with internal and external stakeholders to understand and act on supply chain risk, and it has formal, documented processes with its dependencies and dependents.

Do follow me on LinkedIn :) :- https://www.linkedin.com/in/kaustubh-chude-3124801a7/
