www.isaca.org/resources/cobit
.
The NIST Cybersecurity Framework
In 2014, NIST issued the first version of its cybersecurity framework, officially known as the Framework for Improving Critical Infrastructure Cybersecurity, but commonly referred to as the NIST Framework (and often when speaking in the context of cybersecurity simply NIST). I refer to it simply as the Framework throughout the rest of this chapter.
The Framework was originally intended to apply to critical infrastructure such as the power grid, transportation systems, dams, government agencies, and so on. But the Framework quickly became popular in the private sector as well and is now considered one of the best overall tools for planning cybersecurity for large and small organizations, public and private.
The Framework is useful for any organization large enough to have a dedicated IT staff, even if that staff consists of just one person. No organization can or should implement every detail that is spelled out in the Framework. Instead, the Framework invites you to develop a solid understanding of the cybersecurity risks your organization faces and to implement a risk management strategy based on informed decisions about which security practices make sense for your organization.
In 2018, NIST issued a new version of the Framework, known as Version 1.1. The new version includes a section on self assessment and greatly expanded its coverage of the cybersecurity risk associated with business supply chains.
You can find the complete documentation for the Cybersecurity Framework Version at https://nist.gov/cyberframework/framework
. I strongly suggest you download the Framework document, print it out, and read it. It’s only about 50 pages.
The Framework consists of three basic components:
Framework Core: This section identifies five basic functions of cybersecurity:Identify: You must know, in detail, exactly what parts of your organization are vulnerable to cyberattack.Protect: You should take specific steps to protect those parts of your organization that you’ve identified as being vulnerable.Detect: This function involves monitoring your systems and environment so that you know as soon as possible when a cyberattack occurs.Respond: This function helps you plan in advance how you’ll respond when a cybersecurity incident occurs.Recover: According to the Framework, you must “Develop and implement appropriate activities to maintain plans for resilience and to restore any capabilities or servers that were impaired due to a cybersecurity incident.” For example, if data was lost, you may need to restore the lost data from backup copies.Within each of these five basic functions, best practices, guidelines, and standards are presented focusing on specific cybersecurity outcomes, such as “Remote access is managed” or “Removable media is protected and its use restricted according to policy.”I offer more detail on the Framework Core later in this section.
Framework Implementation Tiers: This section describes four distinct tiers that represent an increasing level of sophistication in cybersecurity practices. As an organization invests more in cybersecurity, it moves up through the tier levels.
Framework Profile: This section discusses the use of profiles to indicate which specific outcomes in the Framework Core are implemented. You can create a current profile, which documents the current cybersecurity practices at your organization, and then create a target profile to represent where you’d like to be. Then you can devise a plan to move from the current profile to the target profile.
Each of the five functions of the Framework Core (listed earlier) is divided into several categories, which are in turn divided into subcategories. A simple numbering scheme is used to track the functions, categories, and subcategories. For example, the Identify function is designated by the identifier ID. Its first category is Asset Management, which is designated by ID.AM. The first subcategory under Asset Management is “Physical devices and systems within the organization are inventoried,” and it’s designated ID.AM-1.
Table 4-1 lists the five functions along with each function’s categories and the identifier for each category.
TABLE 4-1 The Functions and Categories of the NIST Framework Core
Function | Category | Identifier |
---|---|---|
Identify | Asset Management | ID.AM |
Business Environment | ID.BE | |
Governance | ID.GV | |
Risk Assessment | ID.RA | |
Risk Management Strategy | ID.RM | |
Supply Chain Risk Management | ID.SC | |
Protect | Identity Management and Access Control | PR.AC |
Awareness and Training | PR.AT | |
Data Security | PR.DS | |
Information Protection Processes and Procedures | PR.IP | |
Maintenance | PR.MA | |
Protective Technology | PR.PT | |
Detect | Anomalies and Events | DE.AE |
Security Continuous Monitoring | DE.CM | |
Detection Processes | DE.DP | |
Respond | Response Planning | RS.RP |
Communications | RS.CO | |
Analysis | RS.AN | |
Mitigation | RS.MI | |
Improvements | RS.IM | |
Recover | Recovery Planning | RC.RP |
Improvements | RC.IM | |
Communications | RC.CO |
In all, there are 23 categories across the five functions. Each of these categories is broken down into from 2 to 12 subcategories, for a total of 106 subcategories altogether.
The Framework doesn’t prescribe specific solutions for each of the 106 subcategories; it merely states the outcome to be achieved by each subcategory and invites you to design a solution that produces the desired outcome.
For