NIST Cybersecurity Framework: A compass for navigating the ocean of cyber risks
Table of Contents
Throughout our lives, we are fortunate to have different mentors, who guide us through the inscrutable paths of destiny. Parents, grandparents, teachers, bosses, friends… They all provide us with wisdom and knowledge and help us build our way of seeing the world. In the realm of cybersecurity, projects like the NIST Cybersecurity Framework also serve as compasses to guide organizations in the complex and ever-changing ocean of cyber risks.
With this tool, the U.S. National Institute of Standards and Technology (NIST) provides companies and institutions with a foundation on which to start working on cybersecurity.
In essence, the NIST cybersecurity framework is a set of best practices that organizations can draw upon to verify the level of risk to which their systems are exposed at all stages of their lifecycle. And, thus, implement security programs that minimize it.
This framework is composed of three basic elements:
- The core of the cybersecurity framework. Consists, in turn, of five functions, 23 categories, and 108 subcategories.
- Implementation levels.
- Profiles.
But the NIST cybersecurity framework goes beyond developing these components, as it also addresses how companies and institutions can use the framework to assess risk. As well as the steps involved in developing a security program and how the tool can be used to get the most out of it.
In the following, we will explore the key aspects of the NIST cybersecurity framework and its ability to improve the security posture of organizations.
1. A common language
NIST has become a methodological reference in the field of cybersecurity services thanks to its vast production of guides, frameworks, and materials. This body of knowledge is consulted by analysts and organizations around the world. This has led to its standardization. Thus, NIST tools, extremely generalist and broad are useful for any type of organization, software, and hardware. However, it is essential to combine them with other tools and customize them.
In this sense, the NIST cybersecurity framework serves as a basis for providing all actors involved in risk management with a common language in which to communicate.
Thanks to this framework, security risks can be easily understood and managed. This makes it possible for experts and other professionals involved in system security, whether internal or external to the organization, to understand and process all the information.
Hence, the NIST cybersecurity framework focuses on systematization, practicality, and adaptability. To be manageable by any type of organization, from companies to institutions, including associations. For any kind of professional. And with fully customizable objectives.
2. The core of the NIST cybersecurity framework
As the name implies, the core is the heart of this framework. And it provides a series of actions that can be taken to improve security risk management. Put another way, the core of the NIST cybersecurity framework is not a to-do list that serves as a checklist for all actions to be taken. Rather, it focuses on specific outcomes that can be achieved to improve the protection of systems.
2.1. Core elements
The core is, in turn, made up of four interrelated elements: functions, categories, subcategories, and informative references. The functions occupy the highest level and the subcategories the lowest. Thus, the five functions have several categories and each of them has subcategories that specify the exact result sought.
For example, the outcome «Response plan is executed during or after an incident» is the subcategory RS.RP-1, which is part of the category «Response Planning» (RS.RP), is itself included in the overall function «Respond» (RS). Informative references that can help organizations to achieve this result are specified next to it. Thus:
- The functions are the keystone of the NIST cybersecurity framework. They systematize and synthesize the security activities proposed by the framework.
- The categories, in turn, divide the functions into groups of security outcomes, such as Information Protection Processes and Procedures or Protection Technologies.
- The subcategories, as mentioned above, are the specific results to be achieved by the security activities. They do not cover all the vastness of such a complex area, but they offer a long list of key results.
- The informative references are standards, guidelines, and best practices, standardized and used worldwide, to achieve the outcomes. The NIST cybersecurity framework proposes a guide from the Institute itself but also references documents from other projects and entities such as the CIS guides or the COBIT framework.
2.2. Concurrent and Continuous Functions
The core functions of the NIST cybersecurity framework do not form a linear series, starting from the first phase (Identify) and ending in the fifth (Recover). Rather, they must be performed concurrently and continuously. If the organization succeeds in internalizing these functions in all its departments and areas, it will be able to develop a corporate culture that facilitates integrated risk management.
2.2.1. Identity
This function consists of developing an organizational understanding for the management of security risks. This includes:
- Identifying critical business processes and assets. That is, those essential to ensure business continuity.
- Understanding document information flows and knowing where data, especially sensitive data, is located.
- Inventory the organization’s hardware and software.
- Design security policies, stipulating how critical assets and processes are to be protected and what responsibilities each professional or team assumes.
- Detect threats and vulnerabilities. It is essential to have mechanisms in place to detect all risks, as well as optimal tools to respond to them.
2.2.2. Protect
This function develops and implements the necessary protections to guarantee the delivery of critical services. This function is fundamental in a scenario in which an attack or a vulnerability of the company’s assets occurs. And it seeks to:
- Manage access to assets and information. Implementing actions such as user authentication.
- Safeguarding sensitive data. It is essential to encrypt them and verify their integrity to ensure that no malicious changes have been made.
- Performing recurring backups.
- Securing devices. Install firewalls, control changes to configurations…
- Identify and remediate device vulnerabilities.
- Train and make users aware of cybersecurity issues.
2.2.3. Detect
The detect function aims to put in place appropriate actions to identify attacks when they happen. This involves:
- Test and update detection mechanisms.
- Know precisely the company’s data flow. In such a way the organization can identify unexpected events.
- Monitor log files.
- Be able to understand the extent and impact of the event.
2.2.4. Respond
It is not enough to detect and analyze attacks; it is also essential to be able to respond to them and thus contain their impact. In this regard, this function emphasizes:
- Testing response plans.
- Permanently updating response plans, incorporating the knowledge learned.
- Coordinating with all stakeholders involved, not only with those within the company but also with external parties, such as suppliers.
2.2.5. Recover
This function focuses on the need to develop and implement resiliency and restoration plans for services that may be affected by a cybersecurity event. To this end, it is essential to:
- Establish effective communication mechanisms.
- Update recovery plans regularly.
- Manage public relations and protect the company’s reputation.
3. Profiles
The NIST cybersecurity framework profile is the result of matching the core functions, categories, and subcategories with the organization’s interests, objectives, and needs. To do this, a company can map its current profile, i.e., what cybersecurity results it is already achieving. And, also, design its target profile. Or, in other words, the results it aspires to achieve, based on its characteristics and resources.
The comparison between one profile and another will show the existing gaps that need to be filled to achieve the desired results in risk management. This comparison will also allow the company to prioritize its resources to obtain the results that are in line with its business strategy. Not only in terms of cybersecurity, but in global terms.
In this way, the profiles become an exceptional functionality to customize the framework, prioritizing the results that are of interest to the organization. This is why we pointed out at the beginning of the article that the NIST cybersecurity framework is not a checklist, but a systematized document that provides a basis for assessing and optimizing risk management.
4. Implementation levels
The levels complement the core and the profiles. Through these, the organization can qualitatively assess its security practices. There are four levels:
- Partial
- Informed risk
- Repeatable
- Adaptive
Each level visibilizes a higher level of sophistication of the processes carried out by the organization. These four levels apply to three key elements:
- Risk management process.
- Integrated risk management program.
- External involvement.
Thus, if an organization has a level 1 risk management process, it means that practices are not systematized and vulnerabilities are managed reactively. On the other hand, if the Integrated Risk Management Program is at level 2, a company is aware of the risks at the organizational level, but has not implemented policies to manage them throughout the organization and communication is merely informal. On the other hand, if the level is level 1 again for external participation, it would mean that the organization does not collaborate with or receive information from any other entity and is unaware of the risks associated with the supply chain.
In light of the above, should all organizations aspire to level 4? The answer is no. While level 1 should be avoided because it implies a very high level of exposure to attacks, the move from a lower level to a higher one should respond to the business strategy, the company’s characteristics, the context, and the available resources. In other words, the levels are designed to support decision-making and influence target profiling.
5. Security risk assessment
The NIST cybersecurity framework‘s mission is to help companies optimize risk management and thus improve the security of their systems and assets. The results, profiles, and implementation levels allow companies to assess their current security actions and policies, compare them with their resources and objectives, and plan target profiles and implementation levels.
The framework has therefore become an excellent tool for any organization to evaluate its risk management. As well as the effectiveness of the investment that has been made to achieve the desired results. NIST argues that by using this tool, a company can:
- Make decisions on the implementation levels of the different elements, after determining current levels.
- Prioritize the security results that align with the company’s objectives and needs by developing target profiles.
- Compare the current profiles with the objectives. And, thus, observe and analyze whether the measures put in place are achieving the desired results.
- Measure whether the technical guidelines referenced for each security result in the framework are being implemented.
6. Optimization or creation of a security program
The document in which the NIST cybersecurity framework is developed has a section (the third) dedicated to giving examples of how the tool can be used to improve the security of organizations.
Some issues we have already addressed previously, such as assessing progress by comparing the current profile with the target. Others are aimed at improving communication with service providers or providing companies with all the knowledge they need when purchasing products or services.
6.1. From prioritization to implementation
Among all these examples, the creation or improvement of the organization’s security program, in seven steps, is worth mentioning:
- Prioritization and scoping. Business objectives are established and implementation levels are set. The framework allows companies to opt for different target implementation levels for each line of business, depending on their needs and characteristics.
- Guidance. Related systems and assets are identified and sources are consulted to detect vulnerabilities and risks.
- Creation of a current profile. In such a way that the current state of risk management is known.
- Conducting a risk assessment. The objective is to determine the probability of an event happening, as well as its possible impact on the organization.
- Designing a target profile. Based on the objectives set and the risks discovered, the framework is used to design a target profile with the expected results and related to the chosen level of implementation.
- Gap detection and prioritization. By comparing the two profiles, it is possible to determine the existing gaps. Then, an action plan is created and resources are allocated to execute it.
- Implementation of the action plan. Security practices are redirected to achieve the expected results. This can be done using the technical guides provided by NIST for each outcome.
In short, the NIST security framework is a tool for organizations around the world to evaluate their processes and practices. And to determine how to improve them. In addition, its management helps companies make fully informed decisions about their suppliers, the purchase of products and services, and the establishment and optimization of their security programs.
This article is part of a series of articles about NIST
- NIST Guidelines: a methodological underpinning for cybersecurity analysts
- NIST Cybersecurity Framework: A compass for navigating the ocean of cyber risks
- How to use the NIST Cybersecurity Framework to combat ransomware attacks
- The 4 keys to the NIST Cybersecurity Framework v2