The NIST Cybersecurity Framework provides guidance that leverages existing standards and practices, helping organizations to improve their management and reduction of cybersecurity risks. One of the key benefits the framework provides is integration and alignment with broader Enterprise Risk Management (ERM) processes.
These processes refer to the techniques and procedures employed by businesses to control risks and take advantage of opportunities connected to the accomplishment of their goals. ERM offers a framework for managing risks, which often entails identifying specific occurrences or conditions that are pertinent to the organization's goals (threats and opportunities), evaluating their impact and likelihood, coming up with a response plan, and monitoring the process.
Businesses protect and enhance value for their stakeholders (e.g. owners, employees, consumers, and regulators) by identifying and taking proactive measures to handle risks and opportunities. The NIST framework provides a common language for an organization's stakeholders (both internal and external) to understand, manage, and articulate cybersecurity risks. Some of its key uses include:
helping to identify and prioritize cybersecurity risk
by aligning policy, business, and technological approaches to risk management
managing cybersecurity risk across entire organizations
Five essential functions organize the framework – Identify, Protect, Detect, Respond, Recover. These functions help break down the lifecycle for managing cybersecurity over time. Each of these functions will be expanded on now so that you can gain deeper insights into how the framework helps you to reduce your cybersecurity risk.
Identify critical business processes and assets – What activities of your business must continue to be viable? Examples include maintaining a website to retrieve payments or securely protecting customer/patient information.
Document information flows – It is critical to understand what type of information your company collects, uses, and where the data is stored and flows, particularly when contracts and external partners are involved.
Maintain hardware and software inventory – Understanding your enterprise's computers and software is critical because these are frequently the entry points for security attacks. This inventory could be as straightforward as an Excel spreadsheet.
Establish policies for cybersecurity that address roles and responsibilities – Policies and procedures need to clearly define expectations for how cybersecurity activities protect your data and systems while supporting critical enterprise processes. Cybersecurity policies should be integrated with other aspects of enterprise risk management (e.g., financial and reputational).
Identify threats, vulnerabilities, and risks to assets – Establish and manage risk management processes to identify, assess, and document internal and external threats in risk registers. Ensure that risk responses are identified and prioritized, that they are carried out, and that the results are monitored.
Manage access to assets & information – Create separate accounts for each employee. Ensure that users only have access to the information, computers, and applications required for their jobs. Authenticate users before granting them access to information, computers, and applications (e.g., passwords and multi-factor techniques). Control and monitor physical device access.
Protect sensitive data – If your company stores or transmits sensitive data (e.g. PII - personally identifiable information), ensure it is encrypted on computers when it's at rest and while being transferred to third parties. Consider using integrity checking to help ensure that only authorized changes to the data are made. When data is no longer needed or required for compliance purposes, securely delete and/or destroy it.
Conduct regular backups – Many operating systems include backup capabilities; software and cloud solutions that can automate the backup process are also available. To protect yourself from ransomware, keep a frequently backed-up set of data offline.
Securely protect your devices – Consider installing host-based firewalls and other security solutions, for example, endpoint security software (Managed AV software or EDRs). Control changes to devise configurations and apply uniform configurations to devices. Disable device services/features that are not required. Determine that a policy exists and that devices are disposed of.
Manage device vulnerabilities – Keep the operating system and the applications installed on them up to date (e.g. avoiding End Of Life issues); this will help keep computers and other devices safe. Enable automatic updates if possible. Explore the use of software tools to scan devices for vulnerabilities and remediate those with a high likelihood and/or impact.
Train users – Train and retrain all users regularly (as a condition of employment) to ensure that they know cybersecurity policies and procedures. This should include clarity on their specific roles and responsibilities.
Establish effective detection processes – Develop and test processes and procedures that detect unauthorized entities and actions on both networks and the physical environment. This should also include personnel activity. Ensure that employees understand their roles and responsibilities for detection and reporting, both within the organization and from the perspective of external governance and legal authorities.
Maintain and monitor logs – Logs are an important tool to help identify anomalies across the business' computers and applications. They record events (e.g. changes to systems or accounts, the initiation of communication channels). Consider using software tools to aggregate logs and look for patterns or discrepancies from expected network behavior.
Know the expected data flow for your business – Understand what and how data is expected to flow in the business. So, you are more likely to notice when the unexpected occurs. Customer information may be exported from an internal database and exit the network in an unpredictable data flow. If you have outsourced work to a cloud/managed service provider, you can talk to them about how they track data flows and report on unforeseen events.
Understand the impact of cybersecurity events – When a cybersecurity event is detected, it is important to act quickly and thoroughly to determine the scope and depth of the effect. Communicating event information to appropriate stakeholders will help maintain good relations with partners and others (potentially including investors), as well as improve policies and processes.
Ensure response plans are tested – It is critical to test response plans to ensure that everyone understands their roles in plan execution. The more prepared the organization is, the more effective your response will be. This includes being aware of any required information sharing or legal reporting obligations.
Check that response plans are updated – Testing the response plan is likely to reveal flaws. Keep response plans up to date with lessons learned (e.g. conduct retrospectives).
Coordinate with internal and external stakeholders – Your organization's response plans and updates must include all key stakeholders and external service providers. They have the potential to improve planning and execution.
Communicate with internal and external stakeholders – Effective communication is essential for recovery. Recovery plans must carefully account for what and how. When the information is shared with various stakeholders, all interested parties receive the information they require while avoiding disseminating inappropriate information.
Ensure recovery plans are updated – Testing execution, like response plans, will raise employee and partner awareness and highlight areas for improvement. Make sure to keep recovery plans up to date with new information.
Manage company reputation/public relations – One critical aspect of recovery is maintaining the business's reputation. When developing a recovery plan, consider how to manage public relations. This is to ensure that information sharing is accurate, complete, and timely, avoiding a poor and reactionary response.
Establishing or Improving a Cybersecurity Program
The seven steps below show how an organization can apply the NIST framework to develop a new cybersecurity program or improve an existing one. To continuously improve cybersecurity, these steps should be repeated as appropriate.
Step 1: Prioritize and Scope – Establish the business objectives and high-level organizational priorities. From this, strategic cybersecurity implementation decisions can be made. This can be followed by determining the scope of assets and systems that support the selected business line/process. The framework can be tailored to support different business lines or processes within the business, each with its own business requirements and risk tolerance.
Step 2: Asses Systems, Assets & Regulatory Requirements – Identify related assets and systems, regulatory requirements, and the overall risk approach. Consult sources to identify threats and vulnerabilities that may apply to the identified systems and assets.
Step 3: Establish a Current Profile – Create a profile by establishing which of the NIST framework's Category and Subcategory outcomes are currently being met. Noting that an outcome has been even partially achieved will help support subsequent steps by providing baseline information.
Step 4: Conduct a Risk Assessment – This assessment can take into account the overall risk management process or previous risk assessment activities. This involves examining the operational environment to determine the chance of a cybersecurity event occurring and its potential impact on the business. Here, it is important to identify emerging risks and leverage cyber threat information from internal and external sources.
Step 5: Create a Target Profile – Here, a Target Profile is developed that focuses on the evaluation of the framework Categories and Subcategories that describe the desired cybersecurity outcomes. It's also possible to define custom Categories and Subcategories to account for specific organizational risks. The process can also consider the requirements and influences from external stakeholders (e.g. customers and business partners).
Step 6: Determine, Analyze, and Prioritize Gaps – To identify gaps, compare the Current Profile and the Target Profile. Develop a prioritized action plan to close gaps based on mission drivers, costs and benefits, and risks in order to achieve the outcomes outlined in the Target Profile. Determine the resources (e.g. funding and workforce) that are required to close the gaps. Using Profiles in this way helps make informed decisions about cybersecurity activities, assists with risk management, and enables cost-effective, targeted improvements.
Step 7: Implement Action Plan – Decide which actions to take to close any gaps identified in step 6, and adjust current cybersecurity practices to achieve the Target Profile. The framework identifies some informative reference examples related to the Categories and Subcategories to provide additional guidance. It is important to determine which guidelines, standards, and practices (including sector-specific), work best.
The NIST framework does not provide a fixed solution to cybersecurity risk management and always needs to be tailored to an Organization's specific needs. There will be unique risks, different threats, security vulnerabilities, and risk tolerances. Organizations will also differ in how they customize the framework's practices. It is recommended to identify key activities for critical service delivery and prioritize investments to maximize cost efficiency and return on investment.
NIST can be used in a variety of ways to account for unique cybersecurity needs. It is the responsibility of the implementing organization to decide how to use it. There are many ways to apply the framework.
As the industry provides feedback on implementation, the framework will continue to evolve. When it is used more extensively, lessons learned will be fed back into future versions of the framework. This will ensure that NIST meets the needs of critical infrastructure owners and operators in an ever-changing environment of new threats, risks, and solutions. It also means that NIST will continue to provide a guiding light to help Organizations reduce their cybersecurity risks, strengthening consistency across industries and giving a common language and structure to work to.
About the Author
Hazem has been in the software and M&A industry for more than 26 years. As a managing partner at RingStone, he works with private equity firms globally in an advisory capacity. Before RingStone, Hazem built and managed a global consultancy, coached high-profile executives, and conducted technical due diligence in hundreds of deals and transformation strategies. He spent 18 years at Microsoft in software development, incubations, M&A, and cross-company transformation initiatives. Before Microsoft, Hazem built several businesses with successful exits, namely in e-commerce, software, hospitality, and manufacturing. A multidisciplinary background in computer engineering, biological sciences, and business with a career spanning a global stage in the US, UK, and broadly across Europe, Russia, and Africa. He is a sought-after public speaker and mentor in software, M&A, innovation, and transformations. Contact Hazem at firstname.lastname@example.org.