The National Institute of Standards and Technology (NIST) is an agency of the United States Department of Commerce. The NIST Cybersecurity Framework consists of standards, guidelines, and best practices for managing cyber security risks and improving the security standard of critical infrastructure.
NIST cybersecurity framework explained
The framework has three sections, each of which emphasises the important link between business objectives and cybersecurity activities. The three components are:
- The Core – Comprises four elements: Functions, Categories, Sub-categories and Informative References
- The Implementation Tiers – Describe the maturity of the organisation's cybersecurity posture
- The Profiles – The alignment of the Functions, Categories, and Sub-categories with the business requirements, risk tolerance, and resources
The framework’s Core consists of concurrent and continuous, basic cyber security functions:
- Identify – In order to develop the strategy, an organisation must identify its systems, people, assets, data and capabilities
- Protect – Develop and implement appropriate controls
- Detect – Develop and implement a strategy for breach detection
- Respond – Develop and implement a suitable incident response plan
- Recover – Develop and implement a disaster recovery plan
The framework Tiers are:
- Partial – Ad hoc and reactive risk management. Cyber security activities are not aligned with organisational risk objectives/business requirements.
- Risk Informed – Risk management activity is approved by management, but there may not be a company-wide policy. Cyber security activities are informed by organisational risk objectives/business requirements.
- Repeatable – Risk management practices are formally approved and detailed in a policy. Cybersecurity activities are regularly updated based on changes to the organisation's risk objectives/business requirements. Changes in the threat landscape and the state of technology are considered.
- Adaptive – Through a process of continuous improvement, the organisation actively adapts to a changing threat and technology landscape and responds in a timely and effective manner to evolving, sophisticated threats.
A Profile enables an organisation to establish a roadmap for reducing cybersecurity risk that is well aligned with its business objectives, considers legal/regulatory requirements and industry best practices, and reflects its risk management priorities. Profiles support business requirements and aid in communicating risk within and between organisations.