NIST Cyber Security Framework
Updated: Jul 25, 2018
Planning a company's cyber security strategy is a considerable undertaking. Ten years ago an information security manager had two or three security products to deal with; today's CISO needs to master a massive array of risks and vulnerabilities, IT technologies, security solutions, training methods and much more.
Enter NIST's Cyber Security Framework
The NIST Cyber Security Framework is a comprehensive framework that attempts to cover the different aspects of cyber security.
In this blog post we will break down and explain the NIST Cyber Security Framework.
The top-level view of the framework shows the main areas it approaches.
This model displays the different areas of concern a cyber security program should deal with in order to be comprehensive.
The model includes five areas, which the framework calls Functions: Identify, Protect, Detect, Respond and Recover.
As this post evolves it will cover each of these areas and attempt to explain the implementation process.
The Identify phase calls for mapping and identifying the resources, procedures and assets of the company. It may seem trivial, but this is one of the most difficult steps in any cyber security program.
Identifying and mapping the company's information assets, and then classifying them according to their criticality to the business process and the severity of impact if they are compromised, is the cornerstone of the cyber security program for any organization.
This phase also calls for an understanding of the business environment. This understanding is essential to coupling cyber security efforts to the company's strategic goals and objectives, both internally and as a part of the sector the company operates in.
Governance is another aspect that has to be documented and taken into consideration in any cyber security program. This includes regulatory and privacy considerations.
Finally, this phase calls for laying the foundations of a risk management process: assessing the cyber risk facing the company, determining the company's risk tolerance and defining how risk will be managed.
These processes require a great deal of input and approval from senior management and stakeholders, because the way the company deals with risk, and its tolerance towards risk, is a matter of business strategy and must involve the company's decision makers.
Once the information assets and the risks facing them have been identified, it is time to implement controls and other measures to protect those assets.
Protection runs through many parts of the company, such as IT maintenance, training, HR and more.
Although cyber security is commonly seen as mostly a matter of technological solutions, protective technology is just one of the six parts of the Protect phase.
As protection measures are deployed, detection must also be put in place. Quick detection of an attack can mean the difference between success and disaster.
Protection and detection are not enough. Once an attack commences, you want to have response capabilities ready to contain and stop it.
An important part of cyber resilience is the Recover phase. After (and even during) the response to a cyber attack, a strong recovery capability delivers better resilience.