Tzu Ching Wu
3 min read · Apr 5, 2019

What is NIST? Do we need NIST?

The increased connectivity and complexity of infrastructure systems expose modern society to more and more cybersecurity threats, and put national security, the economy, and public safety at risk. Cybersecurity risk is similar to financial and reputational risk, and it affects an organization's revenue. To address these risks, the President issued an executive order establishing a United States policy to enhance the security of critical infrastructure and to maintain a secure cyber environment that encourages innovation and economic prosperity while improving safety, security, business confidentiality, privacy, and civil liberties.

Thus the NIST Cybersecurity Framework, a set of industry standards and best practices that helps organizations manage cybersecurity risk, was established. The Framework is the result of a collaborative effort between government and private organizations, and it manages risk cost-effectively based on business needs. It is flexible enough to meet individual organizations' needs and can be applied to a wide range of industries, including information technology and the Internet of Things.

The Framework is not a one-size-fits-all approach to managing cybersecurity risk for critical infrastructure. Because organizations have different vulnerabilities, risks, and risk tolerances, the way they address cybersecurity risk will vary. Organizations should manage their risk by determining their risk tolerance and prioritizing their cybersecurity investments accordingly. The Framework's role is to help reduce and better manage that risk.

The Framework consists of the Framework Core, the Framework Implementation Tiers, and the Framework Profile. The Framework Core is a set of cybersecurity activities, desired outcomes, and references that are common across critical infrastructure sectors. Applying the Framework Core gives an organization a common guideline and vocabulary for presenting its cybersecurity activities and a high-level, strategic view of its risk management lifecycle. The Framework Core currently consists of four elements: Functions, Categories, Subcategories, and Informative References.

There are currently five Functions: Identify, Protect, Detect, Respond, and Recover. They help organizations express their management of cybersecurity risk by organizing information, implementing risk management decisions, responding to threats, and learning from previous activities. The Functions also align with existing incident management methods and help show the impact of investments in cybersecurity. Categories, Subcategories, and Informative References subdivide the Functions' outcomes into specific program needs and activities.

Framework core structure
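To make the Core hierarchy and the Profile concept concrete, here is an added example (not code from the original post or from NIST) that models Function > Category > Subcategory and runs a Current-versus-Target Profile gap analysis over it, which is the usual way the Framework is used to prioritize investment. The subcategory identifiers are real CSF 1.1 identifiers with paraphrased outcome text; the abbreviated Core, the sample profiles, and the 1..4 per-subcategory levels (loosely mirroring the Implementation Tiers, which NIST actually defines for the organization as a whole, not per subcategory) are constructed for this example.

```python
"""Added example: a compact model of the NIST CSF Core and a Profile gap analysis.

Assumptions (not from the post or NIST): per-subcategory levels on a 1..4 scale,
the sample profiles below, and the abbreviated one-subcategory-per-Function Core.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Subcategory:
    id: str        # e.g. "ID.AM-1"
    outcome: str   # the desired outcome statement (paraphrased)


@dataclass(frozen=True)
class Category:
    id: str
    name: str
    subcategories: tuple


@dataclass(frozen=True)
class Function:
    id: str
    name: str
    categories: tuple


# Abbreviated Core: one Category and one Subcategory per Function (the real Core
# has many more entries under each). Identifiers are real CSF 1.1 identifiers.
CORE = (
    Function("ID", "Identify", (Category("ID.AM", "Asset Management", (
        Subcategory("ID.AM-1", "Physical devices and systems are inventoried"),)),)),
    Function("PR", "Protect", (Category("PR.AC", "Identity Management and Access Control", (
        Subcategory("PR.AC-1", "Identities and credentials are managed for authorized users, processes and devices"),)),)),
    Function("DE", "Detect", (Category("DE.CM", "Security Continuous Monitoring", (
        Subcategory("DE.CM-1", "The network is monitored to detect potential cybersecurity events"),)),)),
    Function("RS", "Respond", (Category("RS.RP", "Response Planning", (
        Subcategory("RS.RP-1", "Response plan is executed during or after an incident"),)),)),
    Function("RC", "Recover", (Category("RC.RP", "Recovery Planning", (
        Subcategory("RC.RP-1", "Recovery plan is executed during or after a cybersecurity incident"),)),)),
)


def index_core(core):
    """Flatten Function > Category > Subcategory into {subcategory_id: function_id}."""
    idx = {}
    for fn in core:
        for cat in fn.categories:
            for sub in cat.subcategories:
                idx[sub.id] = fn.id
    return idx


def gap_analysis(core, current, target, tolerance=0):
    """Compare a Current Profile against a Target Profile.

    Profiles map subcategory id -> level on a constructed 1..4 scale. Subcategories
    absent from `current` count as level 1. `tolerance` is the shortfall the
    organization accepts (its risk tolerance); only gaps above it are returned,
    largest first, so the result reads as an investment priority list.
    """
    idx = index_core(core)
    gaps = []
    for sid, want in target.items():
        if sid not in idx:
            raise KeyError(f"{sid} is not a Subcategory of the Core")
        have = current.get(sid, 1)
        if not (1 <= have <= 4 and 1 <= want <= 4):
            raise ValueError("levels must be in 1..4")
        gap = want - have
        if gap > tolerance:
            gaps.append({"id": sid, "function": idx[sid],
                         "current": have, "target": want, "gap": gap})
    gaps.sort(key=lambda g: (-g["gap"], g["id"]))
    return gaps


def gap_by_function(gaps):
    """Roll subcategory gaps up to the Functions for the high-level strategic view."""
    totals = {}
    for g in gaps:
        totals[g["function"]] = totals.get(g["function"], 0) + g["gap"]
    return totals


# Constructed sample profiles for a hypothetical organization; RC.RP-1 is not
# assessed yet, so it defaults to level 1.
CURRENT_PROFILE = {"ID.AM-1": 2, "PR.AC-1": 3, "DE.CM-1": 1, "RS.RP-1": 2}
TARGET_PROFILE = {sid: 3 for sid in index_core(CORE)}

if __name__ == "__main__":
    gaps = gap_analysis(CORE, CURRENT_PROFILE, TARGET_PROFILE)
    for g in gaps:
        print(f"{g['id']:<8} {g['function']}  {g['current']} -> {g['target']}  gap={g['gap']}")
    print("by Function:", gap_by_function(gaps))
```

Raising `tolerance` shrinks the list to the largest shortfalls only, which is how a risk-tolerance decision turns into a shorter, cheaper investment plan; the per-Function roll-up is the "strategic view" the Core is meant to give management.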

The Framework was developed to guide organizations in managing their cybersecurity activities and handling cybersecurity risk. It also enables organizations to incorporate privacy and civil liberties considerations into their cybersecurity program. The Framework is flexible enough to be adopted by organizations across all industries, and that flexibility also lets it be adopted internationally without obstacles. It is a great tool for managing cybersecurity risk.

Based on the above reasons, I definitely recommend that a company follow the NIST standards.

First of all, the Framework can complement an organization's existing cybersecurity risk management program. Organizations can leverage the Framework to enhance their current program while aligning with existing industry practice. Organizations that do not yet have a cybersecurity program can use the Framework to establish one and protect themselves.

Second, organizations can find iterative and consistent approaches to address growing cyber risk regardless of their size, location, or industry. The Framework keeps evolving with new threats and advancing technology. Version 1.1, released in 2018, added updates on authentication and identity, self-assessment of cybersecurity risk, managing cybersecurity within the supply chain, and vulnerability disclosure. The new version is based on feedback from various industries and reflects practical business needs.

Last but not least, the Framework scales across countries, and its outcomes are not limited by borders. Its flexibility helps organizations enhance their cybersecurity while meeting local legal requirements and market needs.

The Framework both provides guidance to individual organizations and improves the cybersecurity of national critical infrastructure.

Reference:

https://www.nist.gov/sites/default/files/documents/cyberframework/cybersecurity-framework-021214.pdf