The NIST Cybersecurity Framework is a continually updated framework published by the National Institute of Standards and Technology (NIST). Organizations can model their security programs on it and follow it to improve and mature their security posture.
In this article, we’ll go over key aspects of the framework, why you may want to use it, and how to begin applying it to your organization.
How Organizations Can Benefit From Using The NIST Framework
The NIST framework consists of guidance, principles, processes, and best practices that take direction from a U.S. government executive order aimed at improving cybersecurity across companies. Organizations can benefit from the framework in the following ways:
- Guidance: You’ll have a detailed breakdown of security principles and priorities.
- Breadth of coverage: The framework goes beyond just prevention, giving the organization tools and capabilities to proactively protect itself.
- Accessibility: You’ll have implementation guidance that applies to any organization, whether you have a framework in place already or not.
- Flexibility: All organizations, whether large, small, new or old, are accounted for in the framework.
- Cost-effective: The implementation is designed to prioritize cost-effective actions as part of the framework.
The Core Functions of the NIST Framework
The NIST framework is made up of five functions that establish the foundation for an organization to manage its cybersecurity risk and protect itself appropriately.
For each function, the framework also lists what kinds of tools and processes make up the component, so you can identify any gaps in your organization.
Identify
This refers to understanding your organization’s cybersecurity needs, identifying the aspects of your environment and organization (such as assets, partners, devices, and software), and identifying the parties, software, and departments involved in managing your company’s cybersecurity risk.
From there, you can begin to identify the key threats that pose the most risk to your organization based on your environment and potential vulnerabilities.
Recommended tools for this component include asset visibility and management and threat intelligence and alerting.
Processes and policies that make up this component include a documented risk tolerance framework, third-party/supply risk management, and clear lines of communication regarding who’s responsible for what aspect of cybersecurity.
Protect
The protect component is what’s considered traditional cybersecurity defense, where organizations prioritize which assets need protecting and protect them via identity management, enforced authentication, and limited permissions and access.
Additional steps include engaging in security awareness training, leveraging network segmentation, and having a data protection policy in place to prevent leaks, misconfigurations, or accidental exposures.
Detect
Here’s where the framework can really help, as it covers key steps and provides guidance beyond just prevention. In this component, you should prioritize tools and processes that will detect unwanted intrusions or anomalous behavior.
This is best done by leveraging continuous monitoring and detection tools across the various parts of your organization, such as endpoints, email, and your network. The most helpful tools should flag known threats while also detecting whether an unauthorized individual has entered your network or an insider is acting suspiciously.
Respond
Here’s where you should prioritize your communications, mitigation, analysis, and post-mortem as part of an overall response plan in case of a compromise or successful attack.
Planning ahead will help you stay proactive and identify required steps that can help you react faster and reduce the damage an attack may have on your network.
This can include bringing in an external response and recovery team who will conduct the forensic analysis needed so you’re able to understand how you were compromised to reduce the risk of it happening again.
Recover
This can almost be considered an extension of, or a pairing with, the respond phase, as you take the insights, information, and analysis from that phase to inform your recovery strategy and process.
Recovery incorporates internal and external communications (such as managing PR, customer, and other stakeholder comms), working to restore full functionality to anything that was impacted in the attack, and identifying areas of improvement in case part of your network was severely impacted.
Components of The NIST Framework
There are three components to the NIST framework that help ensure as many organizations as possible can adopt it.
Core
The NIST Core covers the functions we detailed above as well as categories, subcategories, and informative references. These functions should be performed concurrently and continuously; the Core is less a checklist than guidance on achieving cybersecurity outcomes and objectives.
Implementation Tiers
Implementation tiers designate how an organization views its cybersecurity risk and how it should react accordingly. A tier is not a reflection of an organization’s maturity; it instead reflects the business and organizational need for cybersecurity risk management and what resources can reasonably be allocated.
The components making up the tier are:
- risk management process
- integrated risk management program
- external participation.
Tier 1: Partial
An organization in this tier takes on cybersecurity on an ad hoc basis and, for the most part, isn’t very aware of many of the risks it faces. This is very much a reactive position that considers cybersecurity only when there’s an active need for it.
Tier 2: Risk-Informed
There is a higher degree of cybersecurity risk awareness, and resources are devoted to it based on the company’s needs. However, it’s not formalized, has few processes in place, and considerations largely stay internal, meaning third-party or vendor risk management is still not considered.
Tier 3: Repeatable
An organization in this tier has more formalized policies and practices, which are continuously updated based on new information and shifting priorities in risk management.
The executive team is part of these discussions and external parties (such as vendors and partners) are considered as part of the overall cybersecurity strategy, ensuring there are controls and policies in place that address third-party risk.
Tier 4: Adaptive
Organizations in this tier are continuously researching and finding new threats, vulnerabilities, and exploits and reacting accordingly, investing in new tools, solutions, and products that can protect them against novel threats.
Risk tolerance is generally low and cybersecurity risk management is an integral part of the organization as a whole, being a critical voice in decision-making company-wide.
Profiles
The profile essentially marries the Core and tiers together, aligning the functions within the Core with your business needs and cybersecurity objectives based on your implementation tier.
By combining the two, you should be able to create a roadmap that leads up to your cybersecurity goals, taking into account what your organization can handle and what risk tolerance your company should adopt.
How to Implement the NIST Framework
It may seem daunting and intimidating to consider implementing this framework given all the different components involved, but it’s important to understand that this framework was built with flexibility and ease in mind.
NIST provides a working step-by-step guide for implementing any kind of cybersecurity framework.
Prioritize and Scope
You should identify what objectives you need your business to meet and what kind of priorities require resourcing and investment. This will help you get a good understanding of what you can truly aim for in regards to cybersecurity.
This step will help you identify what processes, assets, requirements, and approaches are needed to actualize the scope of your cybersecurity program. You’ll be able to properly assess what threats and vulnerabilities your organization may be exposed to.
Create a Current Profile
Establishing a profile according to the categories and subcategories found within the NIST framework’s functions will give you a baseline to measure progress and success.
Conduct a Risk Assessment
Getting an understanding of your organization’s risk tolerance, business need for risk management, and available resources can help you understand what tier you fall into and what objectives and outcomes you can realistically aim for.
Create a Target Profile
As part of goal-setting, you should have a target profile in mind, with its associated categories and subcategories, that will provide direction for your program.
Determine, Analyze, and Prioritize Gaps
By comparing your current profile and target profile, you can identify your gaps, steps, and actions required to reach your target. This will also help you in resourcing and finding appropriate vendors and solutions.
Implement Action Plan
By now, you should have a strong understanding of what steps are required, who you need to speak to, and how to move forward with your implementation. All that’s left to do is to move forward.
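The current-versus-target profile comparison described in the steps above, as an added example; this is not code from the original post or from NIST, and the outcome labels, statuses, and business priorities are constructed for illustration (the real framework keys profiles by subcategory IDs).

```python
from dataclasses import dataclass

# Status levels an outcome can have in a profile, ordered from worst to best.
STATUS_RANK = {"not implemented": 0, "partial": 1, "implemented": 2}

# Constructed Current Profile: where the organization is today, per outcome.
CURRENT_PROFILE = {
    "Identify: asset inventory": "partial",
    "Identify: third-party risk management": "not implemented",
    "Protect: MFA enforced for privileged access": "implemented",
    "Detect: network and endpoint monitoring": "partial",
    "Respond: documented incident response plan": "not implemented",
    "Recover: tested restore of critical systems": "not implemented",
}

# Constructed Target Profile: (desired status, business priority, 1 = highest).
TARGET_PROFILE = {
    "Identify: asset inventory": ("implemented", 1),
    "Identify: third-party risk management": ("partial", 3),
    "Protect: MFA enforced for privileged access": ("implemented", 1),
    "Detect: network and endpoint monitoring": ("implemented", 2),
    "Respond: documented incident response plan": ("implemented", 1),
    "Recover: tested restore of critical systems": ("implemented", 2),
}


@dataclass
class Gap:
    outcome: str
    current: str
    target: str
    priority: int
    steps: int  # number of status levels needed to close the gap


def prioritize_gaps(current, target):
    """Return the outcomes where the current profile falls short of the target,
    ordered by business priority and then by the size of the gap."""
    gaps = []
    for outcome, (want, priority) in target.items():
        have = current.get(outcome, "not implemented")  # unknown outcome = not done
        steps = STATUS_RANK[want] - STATUS_RANK[have]
        if steps > 0:
            gaps.append(Gap(outcome, have, want, priority, steps))
    gaps.sort(key=lambda g: (g.priority, -g.steps, g.outcome))
    return gaps


if __name__ == "__main__":
    for g in prioritize_gaps(CURRENT_PROFILE, TARGET_PROFILE):
        print(f"P{g.priority} {g.outcome}: {g.current} -> {g.target}")
```

Outcomes already at their target status (here, MFA for privileged access) drop out of the list, so the output is the ordered action plan for the final step.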
NIST Principles Can Be Used Across Various Frameworks
The NIST framework can be used by any organization and its principles can be leveraged even if you’re adopting a different framework or implementing a different cybersecurity program.
Basic principles like conducting a risk assessment and goal-setting can help you streamline and prioritize your actions.
This will also help you as you onboard major cybersecurity partners who may better assist you if you have defined goals and a good understanding of your organizational capabilities.
Josue Ledesma is a writer, filmmaker, and content marketer living in New York City. He covers information security, tech and finance, consumer privacy, and B2B digital marketing. You can see his writing portfolio on https://josueledesma.com/Writing-Portfolio