How to Take Advantage of Cybersecurity Framework

By Jerry Hughes

It is no secret that within the last year the Information Security community has been developing and adopting specific initiatives to mitigate the effect of cybersecurity attacks. Cybersecurity is a subset of Information Security processes for protecting information by preventing, detecting, and responding to attacks within cyberspace (e.g., the Internet, telecommunications networks, computer systems).


In support of these efforts, and efforts directly related to the President’s Executive Order 13636 to bolster critical infrastructure cybersecurity, the National Institute of Standards and Technology (NIST) has developed and distributed the Cybersecurity Framework. It is important to understand that the framework has been designed to complement new or existing cybersecurity and risk management programs. NIST does not intend for the framework to replace existing programs or serve as a stand-alone program.

To take advantage of the framework as a tool, it is important to understand its key elements and how they may be leveraged efficiently.

The Cybersecurity Framework has three major components: the core, the implementation tiers, and the profile. Each component has been developed with a specific purpose. An organization may utilize one or all of the components of the framework to create new or enhance existing processes or controls that are already in place.

A set of cybersecurity activities, documented “desirable outcomes,” and industry references makes up the framework core. The activities consist of five functions that are to be considered concurrently and continuously: Identify, Protect, Detect, Respond, and Recover. These functions are designed to form an overview of the lifecycle of the management of cybersecurity risks. The framework implementation tiers provide an informal measurement of the organization’s adoption and implementation of the attributes defined in the framework. There are four tiers in the framework, ranging from partial to adaptive.

An organization can integrate its risk management processes, information environment, threats, objectives, and constraints as part of a tier selection process to characterize its environment. The tiers are not permanent: as the environment evolves, progressively or regressively, an assessment can be completed to reselect the appropriate tier.

The third component of the framework, the profile, serves as an aggregation of standards and processes that are in place with respect to the framework core. The profile component of the framework can also be utilized as a self-assessment tool to identify control gaps or general opportunities for improvements in the organization’s cybersecurity posture.

A Great Starting Point

Organizations are presented with the opportunity to utilize a tool that was initially developed to address national critical infrastructure vulnerabilities to improve their own cybersecurity posture. Each of the three components that make up the Cybersecurity Framework may be leveraged independently or cohesively as needed. The framework also includes an outline for implementing or improving a cybersecurity program within an organization.

A great starting point for any organization looking to take advantage of this tool would be to scope and conduct an assessment of their cybersecurity control environment. The results of the assessment would serve as a snapshot of the current cybersecurity status and provide momentum for kicking off efforts for implementing a new, or improving an existing, cybersecurity program.

Jerry Hughes is managing partner and senior executive IT auditor at Compass IT Compliance, North Providence, R.I. Mr. Hughes can be reached at JeHughes@compassitc.com.

Copyright Holder: CUToday.info
Copyright Year: 2026