If you’re a cybersecurity professional, chances are that you are familiar with the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF). An understanding of the NIST CSF is critical for any company seeking to conduct business with a US Government agency, and increasingly private-sector entities – and organizations abroad – are leveraging the NIST CSF to build their cybersecurity programs.
So, to start with the basics, what is the NIST CSF?
The NIST CSF (Cybersecurity Framework) is a cybersecurity framework developed by the National Institute of Standards and Technology (NIST) to help organizations understand and better manage their cyber risk. The NIST CSF is used by thousands of organizations around the world, including public-sector, private-sector, and non-profit entities.
What are the core capabilities of the NIST CSF?
The framework is broken into five central capabilities: Identify, Protect, Detect, Respond, and Recover.
- Identify: Develop an organizational understanding to manage cybersecurity risk to systems, people, assets, data, and capabilities.
- Protect: Develop and implement appropriate safeguards to ensure delivery of critical services.
- Detect: Develop and implement appropriate activities to identify the occurrence of a cybersecurity event.
- Respond: Develop and implement appropriate activities to take action regarding a detected cybersecurity incident.
- Recover: Develop and implement appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity incident.
Each capability of the NIST CSF is an excellent starting point for examining the state of your cybersecurity program. In this blog, we’ll focus on the first one: identifying and understanding the risk environment.
Understanding The Business Environment
As the starting point of the NIST CSF, the Identify stage is made up of a number of subcategories, including a cybersecurity assessment of your business environment. A cybersecurity assessment is the best tool for understanding your risk environment, and an even better one when performed continuously. It allows an organization to determine which NIST controls are already in place and which controls are the most relevant to the organization.
Whether the assessment is performed internally or contracted to a third party depends on your organization’s specific needs. Many organizations that work with the NIST CSF have dedicated teams that conduct internal assessments of the business environment, which helps accelerate the process because an organization’s employees have the benefit of deeper familiarity with the business and the controls that are already in place.
At the same time, third parties or external assessors can bring greater expertise with the variety of frameworks and can also help provide an outside perspective that might make it easier to spot issues that may not be caught by internal assessors. Too many companies look at assessments as something you either pass or fail, a painful and annoying requirement for compliance audits, but approached properly, they are a necessary precursor to building the best cybersecurity strategy for your business environment.
A crucial category of the NIST CSF “Identify” stage is asset management. Visibility into and understanding of your assets are vital because you can’t protect what you don’t know about. This step sounds like the simplest, but it can be deceptively complicated in today’s work environment, especially as many companies run both cloud-based and on-premises infrastructure.
A cybersecurity team should continually maintain a list of all the assets deployed in the organization, including, but not limited to, employee-issued laptops, corporate servers, networking equipment, and mobile devices. Asset management should also extend to virtual machines, both those running on VM hosts in an organization’s data center and those in cloud environments such as Azure, Google Cloud Platform (GCP), and Amazon Web Services (AWS). Additionally, non-corporate-owned assets, like employees’ personal mobile devices, pose unique risks to an organization if they access corporate resources from a phone or tablet that is not managed by the IT/Security team; these must also be included in your asset management strategy.
The software running on corporate machines should be included in your asset management strategy for the simple reason that third-party software also holds corporate data. For example, an Enterprise Content Management platform (ECM), like Microsoft SharePoint or Box, is the repository for an organization’s sensitive business documents. Awareness is vital in risk-based planning, and an organization must be aware of its users, the users’ applications, and the devices that run them.
Once the assets are identified, it’s essential to understand their role within your business. Understanding what corporate employees do daily, how they use authorized corporate systems, and how that work contributes to your company’s overall mission is critical to building a security strategy that protects and enables the business. In addition, understanding your internal dependencies will help identify critical systems that need more robust protection. Not all servers, for example, are created equal. One may be essential to your company’s ability to deliver goods or services, so that even a 24-hour outage could be catastrophic, while other systems could be down for weeks without a material impact on your business’s bottom line. Risk, therefore, needs to be understood in the context of your business, and this can be one of the most valuable steps in an assessment process.
Governance, Risk Assessments, & Supply Chain Risks
Governance is a key part of asset management and your holistic risk strategy, as it’s important for IT teams to understand the lifecycle management of assets, software, and identities that help comprise an organization’s attack surface. Your governance policies should be continually reviewed and maintained in a central location. Cybersecurity governance rules created by your IT team can be compared against legal and regulatory requirements that might exist based on your industry.
After these details are collected, it’s time for risk assessments. Identify the risks that your asset collection might face and how they would impact business operations. A quantitative analysis strategy plays a huge role in the effectiveness and efficiency of these assessments. Scenarios can be ranked not just by imprecise severity terms (e.g., low, medium, or high) but instead with specific dollar value estimates. Costs can be estimated based on the number of assets that would be impacted by an attack, the steps needed to respond, and the long-term damage that an attack would do.
The final stage in your assessment should be a comprehensive look at your supply chain risks. Analyze the other organizations you depend on to perform operations and how prepared you are for disruption on their side. For example, the recent ransomware attack against NEW Cooperative delayed grain shipments to hundreds if not thousands of chicken producers who relied on them. Ensuring business continuity is a major part of your overall strategy.
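The quantitative ranking described above, worked through for the kinds of scenarios this post raises (a critical server, a laptop fleet, a supplier disruption). This is an added example, not the post’s own material; every scenario name, dollar figure and hourly rate is a constructed, illustrative input, and the cost model (assets impacted, response effort, outage hours against the asset’s revenue role, long-term damage) is an assumption that each organization would replace with its own estimates.

```python
from dataclasses import dataclass


@dataclass
class Scenario:
    """One risk scenario with the cost drivers the assessment collects."""
    name: str
    qualitative: str          # the imprecise low/medium/high label
    assets_impacted: int      # from the asset inventory
    cost_per_asset: float     # rebuild/replace cost per affected asset (USD)
    response_hours: float     # effort for the steps needed to respond
    hourly_response_rate: float
    outage_hours: float       # how long the capability is unavailable
    revenue_per_hour: float   # from understanding the asset's business role
    long_term_damage: float   # penalties, churn, reputational cost (USD)

    def estimated_cost(self) -> float:
        """Dollar estimate = direct asset loss + response + lost revenue + long-term damage."""
        return (self.assets_impacted * self.cost_per_asset
                + self.response_hours * self.hourly_response_rate
                + self.outage_hours * self.revenue_per_hour
                + self.long_term_damage)


# Constructed sample scenarios; all figures are illustrative assumptions.
SCENARIOS = [
    Scenario("Ransomware on order-fulfilment server", "high", 1, 5000, 80, 150, 24, 20000, 100000),
    Scenario("Ransomware across laptop fleet", "high", 300, 800, 400, 150, 0, 0, 20000),
    Scenario("Key supplier disrupted for three days", "medium", 0, 0, 40, 150, 72, 5000, 50000),
    Scenario("Phishing of a single user mailbox", "low", 1, 500, 8, 150, 0, 0, 0),
]


def rank_scenarios(scenarios):
    """Return scenarios ordered by estimated dollar cost, highest first."""
    return sorted(scenarios, key=lambda s: s.estimated_cost(), reverse=True)


def ranking_report(scenarios):
    """(name, qualitative label, estimated cost) tuples in ranked order."""
    return [(s.name, s.qualitative, s.estimated_cost()) for s in rank_scenarios(scenarios)]


if __name__ == "__main__":
    for name, label, cost in ranking_report(SCENARIOS):
        print(f"{cost:>12,.0f}  {label:<6}  {name}")
```

Note that the “medium” supplier scenario outranks one of the two “high” scenarios once outage hours are priced against the dependency, which is exactly the distinction the qualitative labels hide.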
At the end of this assessment process, identifying and creating the risk management strategy becomes a much simpler task. You will understand in more detail how your organization works, which critical assets require the most protection, and which mitigation strategies will provide the most significant return on investment. Finally, you might identify some potential scenarios where it is simply not feasible to build an in-house mitigation strategy; those are where you should look for insurance-based solutions to protect the organization. Ultimately, the goal is to minimize the corporate attack surface, and following the NIST Cybersecurity Framework is an indispensable building block in your approach to risk and ever-changing threats.