The National Institute of Standards and Technology originally published its Framework for Improving Critical Infrastructure Cybersecurity for operators of critical infrastructure; it is now referred to simply as the NIST CSF. At its core are five functions (Identify, Protect, Detect, Respond, Recover) and the 22 categories that sit beneath them, and the framework has become a reference standard for organizations worldwide. Looking at the purpose of each function shows what the framework offers and how it can improve your organization’s resilience to cybercrime.
Identify: “Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.”
One of the most crucial steps in protecting your organization from cyber-attacks is identifying where it is vulnerable. To do that you need to know what assets you have, what they are worth to the business and to an attacker, and which threats and weaknesses expose them. This is risk assessment. Without it you cannot build a risk management strategy, and an organization without a risk management strategy has no principled way to decide where to spend its defensive effort against a continuously growing volume of cybercrime.
By analyzing what you have and what you do, you can identify vulnerabilities and prioritize remediation top-down, according to what matters most to the business.
Protect: “Develop and implement the appropriate safeguards.”
Protecting your organization starts with its people, which means awareness and compliance training. It means writing clear policies that reduce your risk and enforcing consequences for users who circumvent them. It means routinely reviewing your users’ access so you know who can reach what, and tightening access controls to the least privilege each role actually needs.
Safeguards also include investing in the technologies needed to monitor your networks, and keeping both hardware and software components patched and current so that known vulnerabilities are not left open for attackers.
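The access review described above is the one concrete control a practitioner can script. The following is an added example, not code from the original article: it takes a constructed list of accounts (users, roles, granted entitlements, last login, employment status) and a constructed per-role baseline of permitted entitlements, and flags leavers who still have accounts, dormant accounts, and entitlements that exceed the role baseline. All account names, role names, entitlement strings and the 90-day dormancy threshold are assumptions chosen for illustration.

```python
"""Periodic access review: flag leavers, dormant accounts and entitlements
outside an account's role baseline.

Added example, not part of the original article. Every record and name below
is constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

# Constructed baseline: the maximum set of entitlements each role should hold.
ROLE_BASELINE = {
    "developer": {"git:read", "git:write", "ci:run"},
    "finance": {"erp:read", "erp:post"},
    "helpdesk": {"ad:reset-password", "ticketing:agent"},
}

# Assumed policy: an account unused for this long is treated as dormant.
DORMANT_AFTER = timedelta(days=90)


@dataclass(frozen=True)
class Account:
    user: str
    role: str
    entitlements: frozenset[str]
    last_login: date | None  # None means the account has never logged in
    active_employee: bool


def review_access(accounts: list[Account], today: date) -> list[tuple[str, str]]:
    """Return a sorted list of (user, finding) pairs for a reviewer to act on."""
    findings: list[tuple[str, str]] = []
    for acct in accounts:
        # Leavers must lose access regardless of anything else about the account.
        if not acct.active_employee:
            findings.append((acct.user, "disable: user is no longer an employee"))
            continue

        # An account nobody uses is standing attack surface with no one watching it.
        if acct.last_login is None or today - acct.last_login > DORMANT_AFTER:
            findings.append((acct.user, "dormant: no login in the last 90 days"))

        # Least privilege: anything beyond the role baseline needs a justification or removal.
        allowed = ROLE_BASELINE.get(acct.role, set())
        for extra in sorted(acct.entitlements - allowed):
            findings.append(
                (acct.user, f"excess entitlement: {extra} not in {acct.role} baseline")
            )
    return sorted(findings)


# Constructed sample data for a review run dated 2024-06-01.
TODAY = date(2024, 6, 1)
SAMPLE_ACCOUNTS = [
    Account("alice", "developer", frozenset({"git:read", "git:write", "ci:run"}), date(2024, 5, 30), True),
    Account("bob", "developer", frozenset({"git:read", "git:write", "prod:db-admin"}), date(2024, 5, 28), True),
    Account("carol", "finance", frozenset({"erp:read", "erp:post"}), date(2024, 1, 15), True),
    Account("dave", "helpdesk", frozenset({"ad:reset-password"}), date(2024, 5, 1), False),
    Account("svc-build", "developer", frozenset({"ci:run"}), None, True),
]

if __name__ == "__main__":
    for user, finding in review_access(SAMPLE_ACCOUNTS, TODAY):
        print(f"{user:10} {finding}")
```

In practice the account list would come from your directory or IAM export and the baseline from whoever owns each role; the value of the script is that the baseline is written down and the review runs the same way every time, so drift such as bob’s production database grant is caught on the next cycle rather than discovered during an incident.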
Detect: “Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.”
Detecting a threat in time is the difference between suffering a major breach and removing the threat before it does real damage. Many vendors offer services in this area, such as real-time network monitoring, intrusion detection, and simulated phishing campaigns that measure how your users respond. Detection is also a human matter: employees need to stay alert and report anything that looks like an attack.
Respond: “Develop and implement the appropriate activities to take action regarding a detected cybersecurity event.”
Your entire cybersecurity strategy is only as good as your incident response plan, because this is always a “when, not if” environment. Your team needs procedures in place so it can quickly assess a suspected attack and know immediately how and where to report it. Think of it as an emergency plan: a step-by-step set of protocols that limits further damage and improves the odds of a clean recovery.
Recover: “Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event.”
Security events happen, and they happen often. A proper recovery plan at least limits the fallout and helps you restore systems to full strength in a timely manner. It is also the point at which lessons learned from the incident feed back into your awareness program, strengthening your defense against future attacks. Without a recovery plan your organization will be scrambling to resolve problems it is not prepared for, which costs time and money and widens the scope of the damage.
Each function serves a specific purpose, and together they form a cycle in which the organization continuously identifies its weaknesses and builds on its strengths. Security awareness programs already rely on continuous learning to train employees; NIST CSF applies the same idea to every part of running the business. To learn more about the framework and what it can do for your organization, see the official website, which offers FAQs, instructional videos, presentations, and more: https://www.nist.gov/cyberframework