In 2013, the President issued Executive Order (EO) 13636, entitled "Improving Critical Infrastructure Cybersecurity". The EO called for, among other things, the creation of a voluntary, risk-based cybersecurity framework. During 2013 and early 2014, the National Institute of Standards and Technology (NIST), working with government agencies and private industry, created what is now called the NIST CSF, or Cyber Security Framework. We were a part of that process, participating in meetings around the country designed to create this framework.
The Framework consists of three parts – the Core, Profiles and Implementation Tiers. This design allows companies with different levels of exposure and different risk tolerances to each adopt the framework in a way that is appropriate for them.
The framework, which draws on standards from COBIT, NIST, ISO and ISA, gives organizations a common way to manage their own cyber risk while also giving other organizations a common way to assess that organization's cyber risk posture.
Cyber risk is part of business risk, and each organization has a different tolerance for risk, so the framework allows for this. Each organization also has a different level of cyber security maturity (although the framework avoids this word), and the Implementation Tiers allow for this variability. Tier 1, also known as Partial, is the most basic implementation level. Tier 4, or Adaptive, is the most complete level of implementation. The tier selection process considers an organization's current risk management practices, threat environment, legal and regulatory requirements, business/mission objectives and organizational constraints.
The Framework Core consists of five Functions – Identify, Protect, Detect, Respond and Recover.
Functions contain Categories. For example, the Identify function contains the Asset Management, Business Environment, Governance, Risk Assessment and Risk Management Strategy categories. Categories contain Subcategories, and each Subcategory refers to one or more standards (its informative references).
The CSF provides a framework to allow an organization to identify its assets, decide how to protect them, detect anomalies, respond to cyber security events and recover from cyber incidents.
The first step, Identify, is what we refer to as a risk assessment. During a risk assessment, we begin by identifying the organization's key assets and the vulnerabilities that affect them.
Once risks are identified and prioritized, the Protect, Detect, Respond and Recover steps can be addressed.
All of these steps are done in "tiers", iteratively – somewhat like peeling an onion. Depending on the organization's risks and risk tolerance, the process will end at a different point for each organization.
Cyber risk mitigation is a journey, not a destination. With each step in the process, the organization's cyber risk mitigation posture improves incrementally. As the cyber threat landscape changes – with new risks, new vulnerabilities and new lines of business – the journey continues.
For more information on the CSF, see the NIST CSF.