Secured integration to the future

NIST CSF — a standard worth knowing about

18.05.2023
IT Specialist's cybersecurity experts noted that there are many publications on the Internet about the PCI DSS and ISO 27001 security standards, but far fewer about the NIST CSF. Naturally, many questions arise about what the NIST CSF is. This article shares the most essential information on the topic.
NIST is the National Institute of Standards and Technology in the United States. NIST issues many standards, but here we are interested in the one related to cybersecurity.
The NIST Cybersecurity Framework is a guidance document containing recommendations for reducing organizational cybersecurity risk, published by the US National Institute of Standards and Technology (NIST) and built on existing standards, guidelines, and practices. The initiative to create this guidance came from the US presidential administration, as government agencies are under constant cyberattack. A unified guide was needed so that cybersecurity professionals and managers could use common terminology. The result is a so-called framework document that establishes a shared conceptual structure.
A 2016 study showed that 70% of organizations surveyed consider the NIST Cybersecurity Framework the most popular best-practice methodology for computer security. It has been translated into many languages, including Ukrainian. The standard is used to ensure reliable cybersecurity at critical infrastructure enterprises and government agencies worldwide. Commercial enterprises and organizations also use the NIST Cybersecurity Framework as the central reference point for building a robust cybersecurity program.
The NIST Cybersecurity Framework is organized as a hierarchy of the main approaches to information security (IS).
There are five functions of the NIST Cybersecurity Framework:
● Identify — develop an organizational understanding to manage cybersecurity risk to systems, people, assets, data, and capabilities. The activities within the Identify function are the foundation for effective use of the Framework. Understanding the business context, the resources supporting critical functions, and the associated cybersecurity risks enables the organization to focus and prioritize its efforts in line with its business needs and risk management strategy. Examples of outcome categories within this function include asset management, business environment, governance, risk assessment, and risk management strategy.
● Protect — design and implement appropriate safeguards to ensure the delivery of critical services. The Protect function supports the ability to limit or contain the impact of a potential cybersecurity event. Examples of outcome categories within this function include identity management and access control, awareness and training, data security, information protection processes and procedures, maintenance, and protective technology.
● Detect — develop and implement appropriate activities to identify the occurrence of cybersecurity events. The Detect function enables timely discovery of cybersecurity events. Examples of outcome categories within this function include anomalies and events, continuous security monitoring, and detection processes.
● Respond — develop and implement appropriate activities to act on a detected cybersecurity incident. The Respond function supports the ability to contain the impact of a cybersecurity incident. Examples of outcome categories within this function include response planning, communications, analysis, mitigation, and improvements.
● Recover — develop and implement appropriate activities to maintain resilience plans and restore any capabilities or services that a cybersecurity incident has impaired. The Recover function supports timely return to normal operations to reduce the impact of a cybersecurity incident. Examples of outcome categories within this function include recovery planning, improvements, and communications.
These core Functions are divided into Categories, and the Categories are divided into Subcategories. The result is 108 requirements (Subcategories) that must be implemented.
The NIST Cybersecurity Framework references standards such as ISO 27001, COBIT, NIST SP 800-53, ANSI/ISA-62443, and many others. It combines the requirements of other standards, and standards that emerge in the future will be incorporated into the NIST Cybersecurity Framework.
There are 4 levels (Implementation Tiers) of implementation of the NIST Cybersecurity Framework:
Level 1: Partial
• Risk management process — organizational risk management practices for cybersecurity are not formalized; risk management is ad hoc and sometimes reactive. Information for prioritizing cybersecurity activities may not be directly available from organizational risk management objectives, the threat environment, or business/mission requirements.
• Integrated risk management program — knowledge of cybersecurity risk at the organizational level is limited. The organization implements cybersecurity risk management on an ad hoc, case-by-case basis through various experiences or information from external sources. The organization may not have processes to share cybersecurity information across the organization.
• External engagement — the organization does not understand its role in the broader ecosystem with respect to either its dependencies or its dependents. The organization does not collaborate with other organizations (e.g., customers, suppliers, dependencies, dependents, ISAOs, researchers, and governments) or receive and share information (e.g., threat information, best practices, technologies). The organization is generally unaware of the supply chain cyber risks to the products and services it provides and uses.
Level 2: Risk-based
• Risk management process — risk management practices are approved by management but may not be established as organization-wide policy. Information for prioritizing cybersecurity activities and protection needs is directly derived from organizational risk management objectives, the threat environment, or business/mission requirements.
• Integrated risk management program — there is an awareness of cybersecurity risk at the organizational level, but no organization-wide approach to managing cybersecurity risk has been established. Cybersecurity information is shared informally within the organization. Consideration of cybersecurity in organizational goals and programs may occur at some but not all levels of the organization. Cyber risk assessments of organizational and external assets are performed but are not usually repeated or re-evaluated.
• External engagement — generally, the organization understands its role in the broader ecosystem with respect to either its dependencies or its dependents, but not both. The organization collaborates with other organizations, receives information from other organizations, generates some of its own information, and may share it with others. In addition, the organization is aware of the supply chain cyber risks associated with the products and services it provides and uses but does not act consistently or formally on those risks.
Level 3: Repeatable
• Risk management process — an organization's risk management practices are formally adopted and expressed as policy. Organizational cybersecurity practices are regularly updated based on applying risk management processes to changing business/mission requirements and the evolving threat and technology landscape.
• Integrated risk management program — there is an organization-wide approach to managing cybersecurity risk. Risk-based policies, processes, and procedures are defined, implemented as intended, and reviewed. Methods to respond effectively to changes in risk are consistently applied. Staff have the knowledge and skills to fulfill their assigned roles and responsibilities. The organization consistently and accurately monitors cybersecurity risk to organizational assets. Senior cybersecurity management and non-cybersecurity management communicate regularly on cybersecurity risk issues. Senior management ensures that cybersecurity is considered in all activities within the organization.
• External engagement — the organization understands its role, dependencies, and dependents in the wider ecosystem and can contribute to the community's broader understanding of risk. It collaborates with and regularly receives information from other organizations that complements internally generated information, and shares information with other actors. The organization is aware of the supply chain cyber risks associated with the products and services it provides and uses. In addition, it typically acts formally to address these risks, including mechanisms such as written contracts to communicate baseline requirements, governance structures (e.g., risk management boards), and policy implementation and monitoring.
Level 4: Adaptive
• Risk management process — the organization adapts its cybersecurity practices based on past and current cybersecurity activities, including experience and forecasts. Through continuous improvement that incorporates best practices and cybersecurity technologies, the organization proactively adapts to the changing threat and technology landscape and responds to emerging complex threats promptly and effectively.
• Integrated risk management program — there is an organization-wide approach to cybersecurity risk management that uses risk-informed policies, processes, and procedures to address potential cybersecurity events. The relationship between cybersecurity risk and organizational objectives is clearly understood and considered in decision-making. Senior management monitors cybersecurity risk in the same context as financial and other organizational risk. The organization's budget is based on an understanding of current and anticipated risk and risk tolerance. Business units implement the executive vision and analyze system-level risk in the context of the organization's risk tolerance. Cybersecurity risk management is part of the organizational culture and evolves from an awareness of past activities and ongoing awareness of activities on its systems and networks. The organization can quickly and effectively accommodate changes to business/mission objectives in how risk is approached and communicated.
• External engagement — the organization understands its role, dependencies, and dependents in the wider ecosystem and contributes to the community's broader understanding of risk. It receives, generates, and reviews prioritized information that enables continuous analysis of its risk as the threat landscape and technology change. The organization shares this information internally and externally with other collaborators. The organization uses real-time or near-real-time information to understand and act consistently on the supply chain cyber risks associated with the products and services it provides and uses. In addition, it communicates proactively, using formal (e.g., agreements) and informal mechanisms to develop and maintain strong supply chain relationships.
Each requirement can be implemented at one of these 4 levels.
There is also the concept of a Framework Profile ("Profile"), which is a specific alignment of the Functions, Categories, and Subcategories with the business requirements, risk tolerance, and resources of the organization. A Profile allows an organization to create a roadmap for reducing cybersecurity risk that is well aligned with organizational and sector objectives, considers legal/regulatory requirements and industry best practices, and reflects risk management priorities. Given the complexity of many organizations, they may choose to have multiple Profiles, each aligned with an individual component and its particular needs.
Framework Profiles can describe the current state or the desired target state of specific cybersecurity activities. A Current Profile shows the state of cybersecurity that has been achieved so far. A Target Profile shows the outcomes required to achieve the desired cybersecurity risk management objectives. Profiles support business/mission requirements and assist in communicating risk within and between organizations. The NIST CSF does not prescribe Profile templates, which allows flexibility in how cybersecurity activities are implemented.

Comparing the Profiles (e.g., Current Profile and Target Profile) can identify gaps that must be addressed to achieve cybersecurity risk management objectives.

The roadmap described above may include an action plan to address these gaps for each Category or Subcategory. The organization's business needs and risk management processes drive the prioritization of gap closure. This risk-based approach enables an organization to estimate the resources (e.g., staffing, funding) required to achieve its cybersecurity objectives in a cost-effective, prioritized manner. In addition, the NIST CSF applies a risk-based approach in which the applicability and implementation of each Subcategory depend on the scope of the Profile.
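The gap analysis and prioritized action plan described above can be made concrete in a few lines of code. The following is an added example, not part of the article and not NIST's own tooling: it models a Current Profile and a Target Profile as mappings from Subcategory ID to the implementation level (1 Partial to 4 Adaptive) the article describes, derives each Subcategory's Function from the ID prefix, and orders the gaps by a risk weight. The Subcategory IDs follow the CSF v1.1 naming style; the levels and the risk weights are constructed sample values, not real assessment data.

```python
"""Gap analysis between a Current Profile and a Target Profile (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# CSF Function prefixes as used in Subcategory IDs (e.g. "PR.AC-1" belongs to Protect).
FUNCTIONS = {"ID": "Identify", "PR": "Protect", "DE": "Detect", "RS": "Respond", "RC": "Recover"}

# The four implementation levels described in the article: 1 Partial .. 4 Adaptive.
MIN_LEVEL, MAX_LEVEL = 1, 4


@dataclass(frozen=True)
class Gap:
    """One Subcategory whose Current level is below its Target level."""
    subcategory: str
    function: str
    current: int
    target: int
    weight: int  # risk weight from the organization's risk assessment (constructed here)

    @property
    def size(self) -> int:
        return self.target - self.current

    @property
    def priority(self) -> int:
        # Larger gaps on higher-risk Subcategories are closed first.
        return self.size * self.weight


def function_of(subcategory_id: str) -> str:
    """Map a Subcategory ID to its Function via the two-letter prefix."""
    prefix = subcategory_id.split(".", 1)[0]
    if prefix not in FUNCTIONS:
        raise ValueError(f"unknown Function prefix in Subcategory ID {subcategory_id!r}")
    return FUNCTIONS[prefix]


def check_level(subcategory_id: str, level: int) -> int:
    """Reject levels outside 1..4 so a typo in a profile cannot silently skew the plan."""
    if not isinstance(level, int) or not MIN_LEVEL <= level <= MAX_LEVEL:
        raise ValueError(f"{subcategory_id}: level must be {MIN_LEVEL}..{MAX_LEVEL}, got {level!r}")
    return level


def gap_analysis(current: Dict[str, int], target: Dict[str, int],
                 weights: Optional[Dict[str, int]] = None) -> List[Gap]:
    """Compare a Current Profile against a Target Profile.

    The Target Profile defines the scope: Subcategories it omits are not assessed.
    A Subcategory missing from the Current Profile is treated as level 1 (Partial),
    i.e. nothing formal is in place (an assumption of this example).
    Returns the gaps sorted by descending priority, then by Subcategory ID.
    """
    weights = weights or {}
    gaps: List[Gap] = []
    for sub, tgt in target.items():
        fn = function_of(sub)
        tgt = check_level(sub, tgt)
        cur = check_level(sub, current.get(sub, MIN_LEVEL))
        if tgt > cur:
            gaps.append(Gap(sub, fn, cur, tgt, weights.get(sub, 1)))
    return sorted(gaps, key=lambda g: (-g.priority, g.subcategory))


def summarize_by_function(gaps: List[Gap]) -> Dict[str, int]:
    """Total gap size per Function, the view management usually wants."""
    totals: Dict[str, int] = {}
    for g in gaps:
        totals[g.function] = totals.get(g.function, 0) + g.size
    return totals


def action_plan(gaps: List[Gap]) -> List[str]:
    """Numbered, prioritized list of Subcategories to bring up to target level."""
    return [f"{i}. {g.subcategory} ({g.function}): level {g.current} -> {g.target}, priority {g.priority}"
            for i, g in enumerate(gaps, start=1)]


# Constructed sample profiles and weights (not real assessment data).
CURRENT_PROFILE = {"ID.AM-1": 2, "PR.AC-1": 1, "PR.DS-1": 2, "DE.CM-1": 1, "RS.RP-1": 2, "RC.RP-1": 3}
TARGET_PROFILE = {"ID.AM-1": 3, "PR.AC-1": 4, "PR.DS-1": 3, "DE.CM-1": 3, "RS.RP-1": 3, "RC.RP-1": 3}
RISK_WEIGHTS = {"ID.AM-1": 2, "PR.AC-1": 5, "PR.DS-1": 4, "DE.CM-1": 3, "RS.RP-1": 3, "RC.RP-1": 2}

if __name__ == "__main__":
    found = gap_analysis(CURRENT_PROFILE, TARGET_PROFILE, RISK_WEIGHTS)
    print("\n".join(action_plan(found)))
    print(summarize_by_function(found))
```

With the sample data, the access-control Subcategory (three levels short on the highest-weighted item) tops the plan, while the recovery Subcategory already at target produces no entry; the per-Function totals give the one-line summary for a board report. Invalid levels or an unrecognized Function prefix raise an error rather than producing a misleading plan.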

IT Specialist's consultants have been trained and hold NIST CSF Lead Implementer certificates.
We invite companies from the public and commercial sectors to undergo an assessment of their cybersecurity level using the criteria described in the NIST Cybersecurity Framework.
You will receive a report answering one crucial question:
"How ready is the company to repel attacks and counter modern threats?"
This will give you an understanding of which areas and processes of cybersecurity you need to focus on and invest resources in to maximise protection. We will help you benchmark your company against typical profiles of similar companies, develop a cybersecurity improvement strategy, and help you execute it. Finally, we will verify the measures taken and evaluate their effectiveness.
The primary source for this article was the Ukrainian translation of the NIST Cybersecurity Framework.
Link to the official website of the NIST Cybersecurity Framework.
We invite you to a free consultation on assessing the company's cyber security level by the criteria described in the NIST Cybersecurity Framework.