One of the more interesting developments in the compliance world is the National Institute of Standards and Technology (NIST) Cybersecurity Framework. The framework is the result of Executive Order (EO) 13636, “Improving Critical Infrastructure Cybersecurity,” which directed NIST, in cooperation with the private sector, to develop and issue a voluntary, risk-based cyber security framework that gives U.S. critical infrastructure organizations a set of industry standards and best practices for managing cyber security risk.
While adoption of the Cybersecurity Framework is optional for now, critical infrastructure industries and commercial organizations alike can use it to build and strengthen their cyber security prevention, detection, response and improvement capabilities. The framework does not introduce new standards or concepts; it draws on and integrates existing, industry-leading cyber security practices developed by organizations including NIST and the International Organization for Standardization (ISO). This is exciting news for our clients, since many of the standards and best practices we support are referenced within the framework.
The framework provides an assessment mechanism that enables organizations to determine their current cyber security capabilities, set individual goals for a target state, and establish a plan for improving and maintaining their cyber security programs. The framework complements, rather than replaces, an organization’s existing risk management process and cyber security program. It has three main components: the framework core, the framework implementation tiers and the framework profiles.
The framework core is organized into five high-level functions:
• Identify: Develop the organizational understanding needed to manage cyber security risk to systems, assets, data and capabilities.
• Protect: Develop and implement the appropriate safeguards necessary to ensure delivery of critical infrastructure services.
• Detect: Develop and implement the appropriate activities to identify the occurrence of a cyber security event through continuous monitoring.
• Respond: Develop and implement the appropriate activities to take action regarding a detected cyber security event through incident response.
• Recover: Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cyber security event.
Each core function is further divided into categories tied to programmatic needs and particular activities, and each category into subcategories that describe specific outcomes. Each subcategory points to informative references: specific sections of standards, guidelines and practices (for example ISO/IEC 27001 and NIST SP 800-53) that illustrate a method for achieving that outcome.
The framework implementation tiers describe how rigorously an organization manages its cyber security risk, from informal to adaptive:
• Tier 1 (Partial): Your organization’s cyber risk management practices are not formalized and risk is managed on an ad hoc basis. There is limited awareness of your organization’s cyber security risk at the enterprise level, and an enterprise-wide approach to managing cyber security risk has not been established.
• Tier 2 (Risk Informed): Your organization has established a cyber risk management policy that is directly approved by senior management, though it is not yet applied on an enterprise-wide basis. Senior management has made some effort to establish cyber security risk management objectives, to understand your organization’s threat environment, and to implement cyber security procedures with adequate resources.
• Tier 3 (Repeatable): Your organization is operating with formal cyber security procedures, which are regularly updated based on changes in risk management processes, business requirements and the changing threat and technology landscape. Cyber personnel are well-trained and can adequately perform their duties. Your organization also understands its dependencies and business partners, and receives information from them, which allows for collaboration and risk-based management decisions.
• Tier 4 (Adaptive): Your organization adapts its cyber security practices in near real time based on lessons learned and predictive indicators derived from current and past cyber security activities. Through continuous improvement that incorporates advanced cyber security technologies, real-time collaboration with partners, and continuous monitoring of activity on its systems, your organization’s cyber security practices can respond rapidly to sophisticated threats.
Why should I be an early adopter of the Cybersecurity Framework?
38North offers the following Cybersecurity Framework services:
Cybersecurity Framework Gap Analysis (Current Profile): This is the right starting point for organizations that want to get started with the Cybersecurity Framework. 38North uses the framework to compare your organization’s current security activities with those outlined in the framework core. We create your current profile and measure how well your organization is achieving the outcomes described in the core categories and subcategories, aligned with the five high-level functions: identify, protect, detect, respond and recover. We also provide a cost estimate for aligning your organization with the Cybersecurity Framework, identify the associated risks and challenges, and point out the most critical action items.
Cybersecurity Framework Risk Assessment: We conduct a detailed risk assessment based on your current profile to determine the likelihood of cyber security events and the impact such events could have on your organization. We then present a detailed roadmap with prioritized recommendations for remediating weaknesses through existing or new management, operational and/or technical countermeasures.
Cybersecurity Framework Implementation Support (Target Profile and Action Plan): Once the risks have been identified from your current profile, you need to develop your target profile. The target profile documents all applicable framework categories and subcategories in the context of your organization’s desired cyber security outcomes. 38North develops an action plan based on the delta between your current and target profiles. Existing processes, resources, infrastructure, systems and investments are re-used where possible before new protective measures are considered.