
The National Institute of Standards and Technology (NIST) does a lot of things. From determining the best way to calculate octane content in gasolines to investigating the collapse of the World Trade Centers post 9/11, they've got their hand in a whole lot. And, they've been doing information security since the '70s. Fast forward 40+ years...

NIST's Cybersecurity Framework (CSF) is a policy framework for instituting IT security throughout your organization. I like its simplicity and directness. Formulated to mirror incident response capabilities, the framework follows a logical progression of things required to:

Identify, Protect, Detect, Respond, and Recover

This sounds dandy but how can I use it? Well, the framework provides a way for organizations to describe their current cybersecurity posture, determine target/future posture, identify and prioritize improvement actions, assess their progress toward the target state, and communicate (internally and externally) about security risks.

Since they're talking about current and future states, does that remind you of anything? Cybersecurity maturity, perhaps? Yes, NIST recognizes that every organization is different, so the CSF is NOT a set of requirements that you must adhere to or else. The Framework incorporates Tiers ranging from 'Partial' to 'Adaptive' so you can rate each cyber area according to your business goals, company size, risk tolerance, or whatever, and no one can tell you you're wrong.

I think you get the picture. A typical NIST CSF engagement would look like this:

Identify your current and target cybersecurity profile by describing your existing activities with respect to the Framework Core. The Framework Core consists of best practices and references for each of the five functions above (Identify, Protect, etc.). Now, here's the useful part: we would review the Framework Core and, for each activity, we would determine the following:

- Whether your organization currently does it

- Whether your organization wants to do it

- How well you currently do it

- How well you want to do it

Once current and target baselines are established, it's then a matter of creating roadmaps and improvement plans to get from A to B. Or from A to B to C - you can have short-, mid-, and long-term goals.

These roadmaps are not trivial and I would expect them to include renovating (or establishing) your overall Cybersecurity Program. You also need resources, which means you'll need stakeholder involvement, C-level support, and budgets approved. Again, not trivial things. But at the end of the day, if the effort establishes communication lines, builds cybersecurity business processes, and forces your leadership to not only think about cybersecurity but to act on it, it makes it all worth it.

Give us a call for more information.