Inside the NIST Framework to Improve Cybersecurity

By Karen A. Frenkel  |  Posted 04-10-2014

President Obama's Executive Order 13636, "Improving Critical Infrastructure Cybersecurity," issued a year ago, established U.S. policy for maintaining a cyber environment that encourages "efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties." The Order calls for a voluntary, risk-based cybersecurity framework. The National Institute of Standards and Technology (NIST) recently released that framework: a set of industry standards and best practices to help organizations manage cybersecurity risk. The NIST framework is not intended to replace existing processes but to complement business and cybersecurity operations. Enterprises can use the framework as part of their processes for identifying, assessing and managing cybersecurity risk. An organization can overlay its current process onto the framework to find "gaps in its current cybersecurity risk approach and to develop a roadmap to improvement." The framework is a collaboration between industry and government and consists of standards, guidelines and practices.

  • Technology-Neutral NIST Framework Provides a Mechanism for Enterprises to:

    1. Describe their current cybersecurity posture
    2. Describe their cybersecurity goals
    3. Identify and prioritize opportunities for improvement in continuous and repeatable processes
    4. Assess progress toward cybersecurity goals
    5. Communicate about cybersecurity risk
  • Part 1: The Framework Core

    NIST's Framework has three parts: the Framework Core, the Framework Implementation Tiers and the Framework Profiles. The Framework Core is a set of cybersecurity activities, desired outcomes and references common to critical infrastructure sectors.
  • Part 2: The Framework Implementation Tiers

    The Framework Implementation Tiers describe how closely an organization's cybersecurity risk management practices reflect the characteristics defined in the framework. The tiers span a range from informal responses to agile responses that are informed by risk.
  • Part 3: Framework Profiles

    A Framework Profile represents outcomes based on business needs. It is an alignment of standards, guidelines and practices with the Framework Core in a particular scenario. Enterprises can compare a current profile with a target profile to prioritize and measure progress toward the target profile.
  • Framework Core Activities

    The Core presents cybersecurity outcomes that can help an organization manage cybersecurity risk. It is organized into five functions: Identify, Protect, Detect, Respond and Recover.
  • Identify Risks to the Enterprise

    The Identify Function helps organizations understand how to manage cybersecurity risk to their systems, assets, data and capabilities. Categories within this function include asset management, business environment, governance, risk assessment and risk management strategy.
  • Develop and Implement Safeguards

    The Protect Function supports the ability to limit or contain the impact of a cybersecurity event. Examples of outcomes include access control; awareness and training; data security; information protection processes and procedures; maintenance; and protective technology.
  • Detecting a Cybersecurity Event

    The Detect Function helps enterprises discover cybersecurity breaches quickly. Examples of outcomes include anomalies and events, security continuous monitoring, and detection processes.
  • Responding and Containing a Breach's Impact

    The Respond Function supports the ability to contain the impact of a cybersecurity event by preparing a response plan and by covering communications, analysis, mitigation and improvements.
  • Recovery and Resilience

    The Recover Function helps restore any capabilities impaired by a cyber-attack and supports timely recovery to normal operations. Examples of outcomes include recovery planning, improvements and communications.
Karen A. Frenkel writes about technology and innovation and lives in New York City.