GLOSSARY
NIST CSF (the National Institute of Standards and Technology Cybersecurity Framework) is a set of standards to help companies improve their overall cybersecurity posture. The NIST CSF defines a set of best practices that enable IT organizations to manage cybersecurity risks more effectively. Organizations can voluntarily use this framework to assess their cyber risks and set plans for improving or maintaining their security posture over time. The framework focuses on using business drivers to guide cybersecurity activities and on considering cybersecurity risks as part of the organization’s risk management processes. In addition, the framework provides a common taxonomy and structure for cybersecurity by assembling standards, guidelines, and practices that are working effectively today.
The NIST CSF framework consists of three main parts: the framework core, the implementation tiers, and the framework profiles. The framework core is a set of cybersecurity activities, outcomes, and informative references common across all sectors and critical infrastructure. Elements of the core provide detailed guidance for developing individual organizational profiles. Framework profiles help an organization align and prioritize its cybersecurity activities with its business objectives and requirements, risk tolerances, and resources. The tiers provide a mechanism for organizations to view and understand the characteristics of their approach to managing cybersecurity risk, which helps in prioritizing and achieving cybersecurity objectives.
The NIST CSF framework offers a flexible way to address cybersecurity. It applies to organizations relying on technology, whether their cybersecurity focuses primarily on information technology, industrial control systems, or connected devices more generally, including the Internet of Things. In addition, the framework can assist organizations in addressing cybersecurity as it affects the privacy of customers, employees, and other parties.
It is important to note that the NIST CSF framework is not a one-size-fits-all approach to managing cybersecurity risk for critical infrastructure. Organizations have unique risks, including different threats, different environments, and different risk tolerances, and will need to modify and customize the framework. Organizations can prioritize investments to maximize the impact of each dollar spent. The goal of the framework is to reduce and better manage cybersecurity risks.
The framework core is a set of cybersecurity activities, desired outcomes, and relevant references common across critical infrastructure sectors. The core represents industry standards, guidelines, and practices that allow for communication of cybersecurity activities and outcomes across the organization from the executive level to the implementation/operations level. The NIST CSF framework consists of 5 concurrent and continuous functions. These include:
When considered together, these functions provide a high-level, strategic view of the life cycle of an organization’s management of cybersecurity risk. The framework then identifies the key categories and subcategories, which are discrete outcomes for each function. It then matches them with example informative references, such as existing standards, guidelines, and practices, for each subcategory.
The framework implementation tiers provide context on how an organization views cybersecurity risk and the processes in place to manage that risk. Tiers reflect a progression from informal, reactive responses to approaches that are agile and risk-informed. During the tier selection process, an organization should consider its current risk management practices, threat environment, legal and regulatory requirements, business and mission objectives, and organizational constraints such as available budgets. The four tiers are:
A framework profile represents the outcomes, based on business needs, that an organization has selected from the framework categories and subcategories. The profile can be characterized as the alignment of standards and practices to the framework core in a particular implementation scenario.
Profiles can be used to identify opportunities for improving cybersecurity posture by comparing a current profile with a target profile. A current profile defines the as-is state, and a target profile defines the to-be or desired state. To develop a profile, an organization can review all of the categories and subcategories and, based on business and mission drivers and a risk assessment, determine which are most important. The current profile can then be used to support prioritization and measurement of progress towards the target profile, factoring in other business needs including cost-effectiveness and areas such as innovation. Profiles can be used to conduct self-assessments and to communicate within an organization or between organizations.
Comparison of profiles may reveal gaps to be addressed to meet cybersecurity risk management objectives. An action plan to address these gaps, to fulfill a given category or subcategory, can contribute to an improvement roadmap. Prioritizing the mitigation of gaps is driven by the organization’s business needs and risk management process. This risk-based approach enables an organization to gauge the resources needed to achieve cybersecurity goals in a cost-effective, prioritized manner.
In summary, the cybersecurity risk framework is designed to reduce risk by improving the management of cybersecurity risk to organizational objectives. Ideally, organizations using the framework will be able to measure and assign values to the risk along with the costs and benefits of steps taken to reduce risk to acceptable levels. Organizations using the NIST CSF are better able to manage and measure their risk and the expense and benefits of different cybersecurity strategies. Over time, the NIST CSF helps organizations develop a more rational, effective approach to cybersecurity strategy and investment.
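The current-versus-target comparison and gap prioritization described in the two paragraphs above, as an added illustration that is not NIST material or tooling: profiles are modelled as subcategory-to-score mappings, with the 0-3 scoring scale, the 1-3 business-priority weights and all sample values being assumptions constructed for this example (the identifiers follow CSF 1.1 naming).

```python
"""Current/target profile gap analysis (added example, not NIST's own tooling).

Assumptions: each profile maps a subcategory to an implementation score 0-3,
and each subcategory carries a business-priority weight 1-3 taken from the
risk assessment. Scores and weights below are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Gap:
    subcategory: str
    current: int
    target: int
    priority: int

    @property
    def weighted_size(self) -> int:
        # Shortfall scaled by how much the business cares about this outcome.
        return (self.target - self.current) * self.priority


def find_gaps(current: dict, target: dict, priorities: dict) -> list:
    """Return gaps ordered for the action plan: largest weighted shortfall first.

    A subcategory in the target profile but absent from the current profile is
    treated as not implemented (score 0). Outcomes already at or above target
    are not gaps, even where the current profile over-delivers.
    """
    gaps = []
    for sub, want in target.items():
        have = current.get(sub, 0)
        if have < want:
            gaps.append(Gap(sub, have, want, priorities.get(sub, 1)))
    return sorted(gaps, key=lambda g: (-g.weighted_size, g.subcategory))


def coverage(current: dict, target: dict) -> float:
    """Fraction of targeted outcomes already met; a simple progress metric."""
    met = sum(1 for sub, want in target.items() if current.get(sub, 0) >= want)
    return met / len(target) if target else 1.0


# Constructed sample profiles and risk-assessment priorities.
CURRENT = {"ID.AM-1": 3, "PR.AC-1": 1, "DE.CM-1": 1, "RS.RP-1": 0}
TARGET = {"ID.AM-1": 3, "PR.AC-1": 3, "DE.CM-1": 2, "RS.RP-1": 2, "RC.RP-1": 1}
PRIORITY = {"PR.AC-1": 3, "DE.CM-1": 2, "RS.RP-1": 3, "RC.RP-1": 1}

if __name__ == "__main__":
    for g in find_gaps(CURRENT, TARGET, PRIORITY):
        print(f"{g.subcategory}: {g.current} -> {g.target} (weighted gap {g.weighted_size})")
    print(f"coverage of target profile: {coverage(CURRENT, TARGET):.0%}")
```

Re-running the comparison after each remediation step shows progress toward the target profile as the coverage figure rises and the ordered gap list shrinks.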