The Framework Profile main components are:
What is a cybersecurity framework?
A cybersecurity framework is a list of implementable controls (both technical and process-based) which, taken together, represent a cybersecurity program. Examples of controls include encrypting sensitive data, maintaining a policy to patch systems regularly, and inventorying IT assets. The specific controls vary from framework to framework, and they are grouped into categories and subcategories such as access control. Some well-known cybersecurity frameworks are the NIST Cybersecurity Framework and ISO 27001. Cybersecurity controls help businesses manage cybersecurity risk and ensure they can recover after a cybersecurity event. Different sectors use frameworks to inform their security policies and security standards. The NIST Cybersecurity Framework is considered by most cybersecurity professionals to be the gold standard for a cybersecurity program. According to Tenable, 70% of IT professionals said they adopted the NIST CSF because they consider it a best practice.
What organizations use the NIST cybersecurity framework?
According to NIST, the Cybersecurity Framework is used by about 30 percent of U.S. organizations, and that number is projected to reach 50% by the end of 2020. The framework is considered a best practice because it integrates industry standards to help organizations manage their cybersecurity risks. Because the NIST CSF is comprehensive, easy to understand, and meets many compliance requirements by default, we recommend that businesses start their cybersecurity framework journey there unless their industry or regulatory body dictates otherwise. For example, organizations in the healthcare industry must follow HIPAA controls and ensure compliance with those cybersecurity regulations. Contractors that work with the federal government must also comply with the NIST Cybersecurity Framework.
What are the 5 key functions of the NIST Cybersecurity Framework?
Identify: The Identify function provides the basis for building a comprehensive and effective cybersecurity program. The controls in this group center on risk assessment, inventory of IT assets, and creating a comprehensive risk management strategy. To protect critical information and business data, every organization must identify its specific risk factors and document where sensitive data is stored. Activities like these ensure that security controls are met and that your critical infrastructure is secured.
Protect: Organizations fulfill the Protect function by creating and implementing processes for the adequate protection of data. These controls include practical measures such as ensuring all employees receive adequate security awareness training, enforcing access controls, managing IT assets, and deploying protective technologies in the form of anti-malware and anti-virus software that is kept up to date and installed on all devices.
Detect: According to IBM, companies take about 197 days to detect and 69 days to contain a breach. This long detection and containment process costs businesses around the world millions of dollars every year. Unfortunately, many companies are not proactive in their cybersecurity risk management and only discover they have suffered a cyberattack when their business or customer data is found on the dark web or they become locked out of critical devices and infrastructure. The goal of the Detect function is to encourage continuous security monitoring of your information systems and help detect a cybersecurity event before it spreads. Detection activities range from simulated phishing exercises to network monitoring.
Respond: A cybersecurity event can happen to any business at any time. Even with the most careful consideration, your business could be just a few clicks away from a cyberattack. However, how your business responds to a cyber event is just as important as preventing an attack. The most important factor the Respond function covers is ensuring that your organization has the capacity to respond rapidly and efficiently to a cybersecurity incident. Response planning before a cyberattack ensures all stakeholders and members of your business know what to do in the event of an incident. They must know who to call, what to do, and how to inform anyone impacted by the incident calmly and efficiently.
Recover: The occurrence of a cybersecurity event does not have to mean total ruin for your business. Recovery planning ensures that your business reviews lessons learned from the security incident, plans its recovery from the incident, and tests the recovery processes afterward. In the Recover function of the NIST CSF you will find informative references for restoring functionality to IT assets and critical infrastructure services, and best practices to ensure that your business systems are clean. Recovery from a cyberattack can be tough, and the total mitigation of cyber incidents is impossible even with the best security standards, but if your business can bounce back with a plan in place you will be far better prepared than organizations that have suffered the same fate without one. Go to nist.gov for more resources and information on the NIST Cybersecurity Framework and how your business can begin to implement it in your business environment.
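The five functions above organize subcategories of controls, and a Framework Profile compares where an organization currently stands against where it wants to be. The following Python script is an added example (not code from this article or from NIST) of a small profile gap analysis: it takes subcategory entries with a current and a target implementation tier, rolls the shortfall up to the five functions, and ranks subcategories for remediation. The subcategory identifiers are NIST CSF 1.1 IDs; the tier values are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List

# Tiers as used in this example: 0 = not implemented ... 4 = adaptive.
FUNCTIONS = ("Identify", "Protect", "Detect", "Respond", "Recover")
PREFIX_TO_FUNCTION = {"ID": "Identify", "PR": "Protect", "DE": "Detect",
                      "RS": "Respond", "RC": "Recover"}

@dataclass
class ProfileEntry:
    subcategory: str   # NIST CSF 1.1 subcategory identifier, e.g. "PR.AC-1"
    current: int       # current implementation tier (0-4)
    target: int        # target implementation tier (0-4)

    @property
    def function(self) -> str:
        # The two-letter prefix of the subcategory ID names its function.
        return PREFIX_TO_FUNCTION[self.subcategory.split(".")[0]]

    @property
    def gap(self) -> int:
        # Shortfall against the target; exceeding the target is not a gap.
        return max(0, self.target - self.current)

def gap_by_function(profile: List[ProfileEntry]) -> Dict[str, int]:
    """Sum the tier shortfall of each subcategory under its CSF function."""
    totals = {f: 0 for f in FUNCTIONS}
    for entry in profile:
        totals[entry.function] += entry.gap
    return totals

def prioritize(profile: List[ProfileEntry]) -> List[str]:
    """Subcategories with the largest shortfall first (stable for ties)."""
    ranked = sorted(profile, key=lambda e: -e.gap)
    return [e.subcategory for e in ranked if e.gap > 0]

# Constructed sample profile; tiers are illustrative, not from the article.
SAMPLE_PROFILE = [
    ProfileEntry("ID.AM-1", 1, 3),   # physical devices and systems inventoried
    ProfileEntry("PR.AC-1", 2, 3),   # identities and credentials managed
    ProfileEntry("PR.AT-1", 3, 3),   # all users informed and trained
    ProfileEntry("DE.CM-1", 0, 3),   # network monitored for events
    ProfileEntry("RS.RP-1", 1, 2),   # response plan executed
    ProfileEntry("RC.RP-1", 0, 2),   # recovery plan executed
]

if __name__ == "__main__":
    for func, shortfall in gap_by_function(SAMPLE_PROFILE).items():
        print(f"{func:8} shortfall={shortfall}")
    print("Remediation order:", prioritize(SAMPLE_PROFILE))
```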
If you are still unsure about cybersecurity frameworks and risk management after reading, we recommend you take advantage of the Touchstone Security© Free 60 Minute CISO Consultation. One of our qualified CISOs can help you better understand which requirements may affect your business. Please note that this section serves as an overview of common cybersecurity frameworks and requirements. We recommend speaking to an attorney or experienced cybersecurity professional if you have specific requirements or cybersecurity framework needs to meet.