1.- NIST Cybersecurity Framework Core Explained

As a gold standard for cybersecurity in the United States and the foundation for many of the new standards and regulations emerging today, the National Institute of Standards and Technology's (NIST) Cybersecurity Framework is more crucial than ever. Developed as a public and private sector collaboration led by NIST under a presidential executive order to improve critical infrastructure cybersecurity, the NIST Cybersecurity Framework core functions soon scaled beyond energy and other critical infrastructure: its outcomes-based approach allows it to apply to almost any sector and any business size.

The Framework comprises three main components: the Framework Core, Profiles, and Implementation Tiers. Here, we'll dive into the Framework Core and its five core functions: Identify, Protect, Detect, Respond, and Recover.

NIST defines the Framework Core on its official website as a set of cybersecurity activities, desired outcomes, and applicable informative references common across critical infrastructure sectors. The Core presents industry standards, guidelines, and practices that allow cybersecurity activities and mission objectives to be communicated across the organization, from the executive level to implementation and operations, at a high level. The NIST CSF categories and core functions contribute to building a strong business foundation and help identify cybersecurity legal and regulatory requirements. Keep reading for a NIST Cybersecurity Framework summary and guide.

What are the Five Elements of the NIST Cybersecurity Framework?

NIST CSF: Identify

NIST defines the Identify function, the first function of the Framework, as calling on the need to "develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities." The focus is on the business and how it relates to cybersecurity risk, especially taking into account the resources at hand.

The outcome Categories associated with this function are:

1. Asset Management
2. Business Environment
3. Governance
4. Risk Assessment
5. Risk Management Strategy

The NIST Identify function lays the groundwork for your organization's cybersecurity actions moving forward. Determining what exists, what risks are associated with those environments, and how they relate to your business goals is crucial to success with the Framework.

Successful implementation of the Identify function leads organizations to grasp all assets and environments that are part of the enterprise, to define the current and desired states of the controls that protect those assets, and to plan how to move from the current to the desired state of security. The result is a clearly defined statement of the organization's cybersecurity posture, articulated to both technical and business-side stakeholders.

NIST CSF: Protect

Overall, NIST states that the Framework's key functions aid an organization in expressing its cybersecurity risk management by organizing information, sharing sensitive information, enabling cybersecurity risk management decisions, addressing threats, and improving by learning from previous activities.

The Protect function of the Framework Core is essential because its purpose is to develop and implement appropriate safeguards to ensure the delivery of critical infrastructure services. The Protect function supports the ability to limit or contain the impact of a potential cybersecurity event. According to NIST, examples of outcome Categories within this function include Identity Management and Access Control, Awareness and Training, Data Security, Information Protection Processes and Procedures, Maintenance, and Protective Technology.

Where Identify focuses primarily on baselining and monitoring, Protect is where the Framework becomes more proactive. The Protect function covers categories such as access control and awareness and training. These categories, and the Protect function as a whole, manifest in two- and multi-factor authentication practices that control access to assets and environments, and in employee training that reduces the risk of accidents and socially engineered breaches. With breaches becoming increasingly common, employing proper protocols and policies to reduce the risk of a breach is especially crucial. The Framework's Protect function is the guide and dictates the outcomes necessary to achieve that goal.

NIST CSF: Detect

The Detect function requires the development and implementation of the appropriate activities to recognize the occurrence of a cybersecurity event. "The Detect function enables the timely discovery of cybersecurity events. Examples of outcome Categories within this Function include Anomalies and Events; Security Continuous Monitoring; and Detection Processes."

The Detect function of the Framework Core is a critical step toward a robust cyber program: the faster a cyber event is detected, the faster its repercussions can be mitigated. Examples of how to accomplish steps toward each Detect category:

1. Anomalies and Events: Prepare your team with the knowledge to collect and analyze data from multiple points in order to detect a cybersecurity event.
2. Security Continuous Monitoring: Have your team monitor your assets 24/7, or consider using a managed security service (MSS) to supplement them.
3. Detection Processes: Aim to learn of a breach as soon as possible, and follow disclosure requirements as needed.

Your program should be able to detect inappropriate access to your data as quickly as possible. Detecting a breach or event can be life or death for your business, making the Detect function of the Cybersecurity Framework critical to both security and business success. Following these standards and best practices and implementing these solutions will help you scale your program and mitigate cybersecurity risk.

NIST CSF: Respond

NIST defines the Respond function as "Develop and implement appropriate activities to take action regarding a detected cybersecurity incident." "The Respond Function supports the ability to contain the impact of a potential cybersecurity incident. Examples of outcome Categories within this Function include Response Planning, Communications, Analysis, Mitigation, and Improvements."

The Respond function employs response planning, analysis, and mitigation activities to ensure that the cybersecurity program is continuously improving. Starting with an incident response plan is a vital first step to adopting the Respond function, one that ensures compliance with the reporting requirements of a given location and industry (including that reports are encrypted and transmitted securely). An excellent next step is a mitigation plan: what steps will your team take to remediate the risks identified in your program and organization?

NIST CSF: Recover

The Framework Core identifies key underlying Categories and Subcategories for each Function and matches them with example Informative References, such as existing standards, guidelines, and practices, for each Subcategory (NIST). According to the NIST Framework, Recover is defined as the need to "develop and implement the appropriate activities to maintain plans for resilience and restore any impaired capabilities or services due to a cybersecurity event." The Recover function supports timely recovery to normal operations to reduce the impact of a cybersecurity event. Examples of outcome Categories for this Framework Core function include Recovery Planning, Improvements, and Communications.

NIST CSF Recover includes these areas:

1. Recovery Planning: Recovery procedures are tested, executed, and maintained so that your program can mitigate the effects of an event sooner rather than later.
2. Improvements: Recovery planning and processes are improved when events happen; areas for improvement are identified and solutions put together.
3. Communications: Coordinate internally and externally for greater organization, thorough planning, and execution.

The Recover function is essential not only in the eyes of the business and security team but also in those of customers and the market. Swift recovery, handled with grace and tact, puts businesses in a much better position internally and externally than otherwise. Aligning a recovery plan will help ensure that, if a breach occurs, the company can stay on track to achieve the necessary goals and objectives and distill important lessons learned.

Implementing the NIST Framework Core

Implementing cybersecurity based on the NIST Cybersecurity Framework can be a challenge. However challenging it may be, it will be worthwhile. Because the Framework is based on outcomes rather than specific controls, it allows organizations to build from a strong foundation and supplement it to achieve compliance with new regulations as they emerge. The core functions (Identify, Protect, Detect, Respond, and Recover) aid organizations in their effort to spot, manage, and counter cybersecurity events promptly. The NIST control framework will help empower continuous compliance and support communication between technical and business-side stakeholders.

CyberStrong has unmatched access to NIST Cybersecurity Framework mappings and is customizable to controls you define. To learn more about CyberStrong, the various data security and cybersecurity frameworks, NIST, and more, contact us.

2.- The NIST Cybersecurity Framework Implementation Tiers Explained

The National Institute of Standards and Technology (NIST) Cybersecurity Framework Implementation Tiers are one of the three main elements of the Framework: the Framework Core, Profiles, and Implementation Tiers.
The Implementation Tiers are designed to provide context for stakeholders around the degree to which an organization's cybersecurity program exhibits the characteristics of the NIST CSF. NIST explicitly states that the CSF Implementation Tiers are not designed to be a maturity model. Instead, these tiers are designed to illuminate and provide guidance on the interaction between cybersecurity risk management and operational risk management processes. In short, the NIST Cybersecurity Framework Tiers are designed to provide a clear path to roll cyber risk into the overall organizational risk of the enterprise.

Much like the Profiles and the Framework Core, the Implementation Tiers are designed to act as a benchmark for taking stock of current cybersecurity risk management practices and helping organizations develop plans to improve their cybersecurity posture. In this post, we'll explore each of the four Implementation Tiers as you work to understand how your organization might fit into this scoring model.

Each of the Implementation Tiers is broken down into three main components, Risk Management Processes, Integrated Risk Management Program, and External Participation, each with its own respective functions, categories, and subcategories. Risk management processes refer to the processes and ways in which the organization approaches cybersecurity risk. The degree to which an organization practices an integrated risk management program indicates to top-level management how far the organization has centralized its cyber risk data and can make decisions from that information; with strategic planning, leadership can make cybersecurity decisions in conjunction with the company's overall goals and objectives. Finally, external participation refers to the organization's awareness of the greater business ecosystem in which it participates.

NIST Cybersecurity Framework Implementation Tiers

Tier 1 - Partial

Risk Management Processes: At Tier 1 organizations, cybersecurity risk management is typically performed in an ad hoc, reactive manner. Furthermore, cybersecurity activities are typically performed with little to no prioritization based on the degree of risk that those activities address.

Integrated Risk Management Program: The lack of processes associated with cyber risk management makes the communication and management of that risk difficult for these organizations. As a result, the organization handles cybersecurity risk management on a case-by-case basis because of the lack of consistent information.

External Participation: These organizations lack an understanding of their role in the greater business ecosystem: their position in the supply chain, their dependents, and their dependencies. Without an understanding of where it sits in the ecosystem, a Tier 1 organization does not share information with third parties effectively (if at all) and is generally unaware of the supply chain risks that it accepts and passes on to other members of the ecosystem.

Tier 2 - Risk-Informed

Risk Management Processes: Risk management practices, while approved by management, are typically not established as organization-wide policies within Tier 2 organizations. While risk management practices are not standardized, they do directly inform the prioritization of cybersecurity activities alongside organizational risk objectives, the threat environment, and business requirements.

Integrated Risk Management Program: Awareness of cybersecurity risk exists at the organizational level, but it is not standardized organization-wide, and information about cybersecurity is shared only informally. While some consideration for cybersecurity exists in organizational objectives, it is not standard. A cyber risk assessment may occur, but it is neither standardized nor periodically repeated.

External Participation: Tier 2 organizations understand their role in the ecosystem in terms of either their dependencies or their dependents, but not both. Organizations like this typically receive information but do not share it out, and while they are aware of the risk associated with their supply chain, they do not typically act on it.

Tier 3 - Repeatable

Risk Management Processes: Tier 3 organizations have formally approved risk management practices that are expressed as policy. These practices are regularly updated based on changes in business requirements and the changing threat landscape.

Integrated Risk Management Program: In this tier, there is a higher-level, organization-wide approach to managing cybersecurity risk. Risk-informed policies, processes, and procedures are defined, implemented, and reviewed. Methods are in place to respond consistently and effectively to changes in risk, and personnel possess the knowledge and skills to perform their roles. Senior cybersecurity staff, the board of directors, and business-side executives communicate regularly regarding cybersecurity events and risk.

External Participation: Tier 3 organizations understand their role in the ecosystem and contribute to the broader understanding of risks. They collaborate with other entities regularly, receiving information that complements internally generated information, which is in turn shared with other entities. These organizations are aware of the risks associated with their supply chains and act formally on those risks, including implementing written agreements to communicate baseline requirements, governance structures, and policy implementation and monitoring.

Tier 4 - Adaptive

Risk Management Processes: These organizations adapt their cybersecurity practices based on previous and current cybersecurity activities, including lessons learned and predictive indicators. They implement a process of continuous improvement, including incorporating advanced cybersecurity technologies and practices and actively adapting to a changing threat and technology landscape.

Integrated Risk Management Program: Building on Tier 3, Tier 4 organizations clearly understand the link between organizational objectives and cybersecurity risk. Senior executives monitor cybersecurity risk in the same context as financial risk and other organizational risks. These organizations base budgeting decisions on an understanding of the current and potential risk environment. Cybersecurity risk is integrated into the organizational culture and evolves from an awareness of previous activities and continuous awareness of the present.

External Participation: Integrating themselves further into the ecosystem than Tier 3, Tier 4 organizations receive, generate, and contribute to the ecosystem's understanding of risk. Going beyond sharing information with internal and external stakeholders, the organization uses real-time information to understand and regularly act on supply chain risks. It also has a formalized process, integrated into its documentation, for working with its dependencies and dependents.

What the Implementation Tiers Mean for You

As we've discussed, the NIST CSF Implementation Tiers are not meant to be seen as a maturity model. Instead, look at them as benchmarking tools and clear directions for improving how your organization approaches cybersecurity. Seek out NIST CSF assessment solutions that let you score using the Implementation Tiers; this enables you to score your organization as you complete an assessment rather than after the fact. From there, it is a matter of illustrating your findings clearly and compellingly, soliciting buy-in from all relevant stakeholders, and using the CSF to make progress toward your goal Tier.

3.- Conducting a Cyber Risk Assessment: A Step-by-Step Guide

Cyber risk has become increasingly pervasive in almost every industry.
From the new SEC cyber regulations to industry standards like the NIST CSF and HIPAA, regulatory bodies are rolling out rules for companies in all verticals to bolster cybersecurity. Cyber risk management is a core part of day-to-day business and a determining factor in the success or failure of an organization. Security and risk teams must first identify which assets are most vulnerable by conducting a cybersecurity risk assessment to understand what risks exist and how to manage them. By regularly conducting cybersecurity risk assessments, security professionals better understand what threats exist and what needs to be prioritized, and can decide on a course of action for mitigating those risks.

What are the different approaches for cyber risk assessments?

Cyber risk assessments are the base layer of your cybersecurity program. Several organizations provide methodologies and outlines for guiding the cyber risk assessment process. Professionals should select their approach based on the maturity of their cyber program, company size, industry, and the regulations they must comply with.

Many frameworks offer guidance, but the two most common are the NIST Cybersecurity Framework (CSF) and ISO/IEC 27001. The NIST CSF is organized into five main functions that help organizations scale and mature their operations to monitor and mitigate risk successfully. ISO 27001 is an internationally recognized standard that outlines best practices for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS). It includes risk assessment as a crucial component for identifying and treating information security risks effectively.

Security and risk professionals can add a further dimension to assessment information by using quantifiable models for risk analysis, such as FAIR or CyberInsight, CyberSaint's unique VERIS- and MITRE-based risk model. Quantifiable risk models can assign financial value based on the results of an assessment. By considering the potential magnitude and frequency of a risk, the FAIR model can give a dollar value to each potential risk. By expressing risk in financial terms, security professionals can communicate the impact of cyber risk to business-side leaders and board members. Quantitative cyber risk assessments help professionals prioritize risk mitigation activities based on each risk's magnitude and potential financial impact. This ordering helps business-side leaders understand the return on security investment (RoSI) and security operations.

In addition to framework-based cyber risk assessment and quantitative analysis, security teams should regularly conduct vulnerability assessments, threat intelligence analysis, and penetration testing. These processes help round out an overall assessment of the cyber risk management program. The security team should know the most critical cybersecurity threats, the strength of their cyber defenses, and the developing trends in threat tactics.

Now that we've reviewed the different analyses that need to be conducted for cyber risk assessments, let's walk through a step-by-step process for identifying, analyzing, and addressing cyber risks.

How to Conduct a Cyber Risk Assessment

1. Identify and Prioritize Assets: Identify all critical assets, including hardware, software, data, and intellectual property. Categorize them based on their importance and value to the organization to prioritize risk assessment efforts. Security professionals can only know what to protect if they know what assets currently exist.

2. Threat Modeling: Use threat modeling techniques to identify potential threats and attack vectors that could target the identified assets. Understand the tactics, techniques, and procedures (TTPs) commonly employed by threat actors.

3. Vulnerability Assessment: Perform vulnerability scans and assessments to identify system, application, and network weaknesses and security gaps. Patch or mitigate these vulnerabilities to reduce the likelihood of successful attacks.

4. Historical Incident Analysis: Review past security incidents and breaches within the organization or similar industries to gain insight into the types of threats faced and the effectiveness of existing security controls. A crucial part of success is learning from mistakes. Do not ignore past mistakes; use them as an opportunity to grow and to implement new measures that correct them.

5. Risk Scenarios: Develop cyber risk scenarios that describe specific cyber threats and their potential impact on critical assets. Analyze the likelihood and possible consequences of these scenarios. The following are examples of risk scenarios and the analyses that should be conducted.

   1. Example Scenario 1: Phishing Attack
      1. Threat: A threat actor sends convincing phishing emails to employees, attempting to steal login credentials.
      2. Attack Vector: The attacker crafts emails that appear to come from a trusted source, such as the company's HR department, requesting that employees update their account details through a malicious link.
      3. Potential Impact: Several employees fall victim to the phishing attack, and their login credentials are compromised.
      4. Consequences: Attackers gain unauthorized access to critical systems and sensitive data, leading to potential data breaches, financial loss, and reputational damage.

   2. Example Scenario 2: Ransomware Attack
      1. Threat: A cybercriminal distributes ransomware through a malicious email attachment or a compromised website.
      2. Attack Vector: An employee unknowingly opens the infected attachment or visits the compromised website, triggering the ransomware download.
      3. Potential Impact: The ransomware encrypts critical files and data, rendering them inaccessible.
      4. Consequences: The organization experiences a disruption in business operations, data loss, and possible financial losses due to downtime and a potential ransom payment.

   3. Consider Real-World Incidents: Refer to past cyber incidents and data breaches in your industry or at other organizations to inspire and model scenarios. This practice can provide insight into common attack vectors and their potential impact.

   4. Prioritize Scenarios: Evaluate and prioritize the identified cyber risk scenarios based on their potential impact and likelihood. Focus on scenarios with high severity and a higher chance of occurrence.

   5. Validate Scenarios: Test the plausibility of the scenarios by discussing them with stakeholders and conducting tabletop exercises or simulations of how the organization would respond to such incidents.

   6. Document and Review: Record each cyber risk scenario, including the threat details, attack vector, potential impact, and consequences. Review and update the scenarios periodically to reflect changes in the threat landscape and business environment.

6. Business Impact Analysis (BIA): Conduct a BIA to understand the potential financial, operational, reputational, and legal impacts of cyber incidents on the organization. A BIA can use the FAIR model, which expresses potential risk impact in financial terms.

7. Data Classification: Classify data based on sensitivity and criticality to help focus cybersecurity efforts on protecting the most valuable information.

8. Control Assessment: Evaluate the effectiveness of existing security controls and measures. This includes assessing the implementation and configuration of firewalls, intrusion detection systems, access controls, encryption, etc.

9. User Awareness and Training: Evaluate the level of cybersecurity awareness among employees and conduct security training sessions to improve the overall security posture. Use regular cyber training sessions and newsletters to ensure employees are educated on current threats, tactics, and security measures.

10. External Threat Intelligence: Use external threat intelligence sources to stay informed about emerging threats and vulnerabilities relevant to the organization.

11. Regulatory Compliance: Ensure compliance with relevant cybersecurity regulations and standards, such as GDPR, HIPAA, PCI DSS, etc., as noncompliance can lead to significant risks.

12. Quantitative and Qualitative Analysis: Combine qualitative analysis (based on expert judgment and experience) with quantitative analysis (using metrics and data) to assess and prioritize risks more effectively. Security teams can use models like FAIR or CyberInsight for quantitative analysis and NIST SP 800-30 for qualitative analysis.

13. Continuous Monitoring: Establish continuous monitoring mechanisms to detect and respond to evolving cyber threats in real time. Gartner has recognized Continuous Control Monitoring (CCM) as a crucial part of cyber risk management. Learn what Gartner says about CyberSaint and CyberSaint's unique approach to CCM with continuous control automation (CCA).

14. Third-Party Assessments: Engage external security experts or firms to conduct independent assessments and gain an objective view of the organization's security posture.

15. Regular Updates: Perform periodic risk assessments to adapt to changing business environments, new threats, and technological advancements.

By employing these tactics, security teams can conduct a comprehensive cyber risk assessment, enabling them to make informed decisions about risk treatment and mitigation strategies. Remember that your security team must perform cyber risk assessments regularly to understand the risk posture clearly and accurately. Security and business leaders can confidently make business decisions based on accurate insights, which cannot be done with dated security information.
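The quantitative analysis recommended above (step 12, and the FAIR discussion earlier in this post) and the scenario prioritization in step 5 are easiest to understand with numbers. The following is an added example, not code from CyberSaint, the FAIR Institute, or any other project on this page: a small FAIR-style Monte Carlo that prices the post's two example scenarios, phishing and ransomware, as an annualized loss expectancy (ALE) and a 90th-percentile year, then ranks them. The frequency and magnitude ranges are constructed placeholders chosen for illustration, not figures from the page; the closed-form `expected_annual_loss` is included as a sanity check on the simulation.

```python
"""FAIR-style quantitative estimate for two risk scenarios.

Added example, not CyberSaint's or the FAIR Institute's code. The
frequency and magnitude ranges below are constructed assumptions.
"""
import math
import random
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Scenario:
    name: str
    # Loss Event Frequency, events per year: (minimum, most likely, maximum)
    lef: Tuple[float, float, float]
    # Loss Magnitude per event in dollars: (minimum, most likely, maximum)
    lm: Tuple[float, float, float]


# Constructed estimates for the page's two example scenarios (assumptions).
PHISHING = Scenario("Phishing attack", lef=(0.5, 2.0, 6.0), lm=(20_000, 80_000, 400_000))
RANSOMWARE = Scenario("Ransomware attack", lef=(0.05, 0.2, 1.0), lm=(200_000, 1_000_000, 5_000_000))
SCENARIOS = [PHISHING, RANSOMWARE]


def _triangular(rng: random.Random, low_mode_high: Tuple[float, float, float]) -> float:
    low, mode, high = low_mode_high
    # random.triangular takes (low, high, mode), not (low, mode, high)
    return rng.triangular(low, high, mode)


def _poisson(rng: random.Random, lam: float) -> int:
    """Knuth's method; adequate for the small event rates used here."""
    threshold = math.exp(-lam)
    count, prod = 0, 1.0
    while True:
        prod *= rng.random()
        if prod < threshold:
            return count
        count += 1


def simulate_annual_losses(scenario: Scenario, trials: int = 20_000, seed: int = 7) -> List[float]:
    """Monte Carlo: each trial is one simulated year.

    Draw an event rate from the frequency range, draw how many events
    actually occur that year, then price each event from the magnitude range.
    """
    rng = random.Random(seed)
    years = []
    for _ in range(trials):
        rate = _triangular(rng, scenario.lef)
        events = _poisson(rng, rate)
        years.append(sum(_triangular(rng, scenario.lm) for _ in range(events)))
    return years


def expected_annual_loss(scenario: Scenario) -> float:
    """Closed-form check: a triangular distribution's mean is (min+mode+max)/3,
    and E[annual loss] = E[frequency] * E[magnitude]."""
    return (sum(scenario.lef) / 3) * (sum(scenario.lm) / 3)


def summarize(losses: List[float]) -> Dict[str, float]:
    """ALE (mean yearly loss), a 90th-percentile year, and the worst simulated year."""
    ordered = sorted(losses)
    return {
        "ale": sum(ordered) / len(ordered),
        "p90": ordered[int(0.9 * len(ordered))],
        "worst": ordered[-1],
    }


def rank_scenarios(scenarios: List[Scenario], trials: int = 20_000, seed: int = 7):
    """Rank scenarios by simulated ALE, highest first, to prioritize treatment."""
    ranked = [(s.name, summarize(simulate_annual_losses(s, trials, seed))) for s in scenarios]
    return sorted(ranked, key=lambda item: item[1]["ale"], reverse=True)


if __name__ == "__main__":
    for name, stats in rank_scenarios(SCENARIOS):
        print(f"{name:18s} ALE ${stats['ale']:>12,.0f}   p90 year ${stats['p90']:>12,.0f}"
              f"   worst year ${stats['worst']:>12,.0f}")
```

With these placeholder ranges the ransomware scenario ranks first even though it is expected far less often than phishing, which is the point of quantifying: a qualitative likelihood-times-impact matrix would not make the dollar gap visible, and the 90th-percentile column gives leadership a "bad year" figure to weigh against the cost of a control.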
Performing cybersecurity risk assessments must be a cornerstone of your cyber risk management process. Learn more about CyberSaint's automated approach to cyber risk assessment and management in a demo.