The headlines about cyber attacks across the U.S. and the world grow by the week. Many business leaders lose sleep worrying about a cyber event hitting their own company, and every business leader knows security must be top of mind. It is also an overwhelming task.
Where does your business even begin? Are there standards and recommendations you can use to plan your security strategy? The answer is yes.
The National Institute of Standards and Technology (NIST) publishes a framework that provides exactly this. Let’s explore what the NIST Cybersecurity Framework is and how using it can help your business reduce risk and strengthen its cybersecurity protection.
NIST Cybersecurity Framework and Its Elements
According to NIST, “The Framework focuses on using business drivers to guide cybersecurity activities and considering cybersecurity risks as part of the organization’s risk management processes. The Framework consists of three parts: the Framework Core, the Implementation Tiers, and the Framework Profiles.” Let’s break these down:
- The Framework Core is a set of cybersecurity activities, desired outcomes, and informative references (pointers to standards such as ISO/IEC 27001 and NIST SP 800-53 that describe how each outcome can be achieved). The Core is organized into Functions: Identify, Protect, Detect, Respond, and Recover (CSF 2.0, released in 2024, adds a sixth, Govern). Each Function breaks down into Categories and Subcategories, and those Subcategories are what an organizational Profile is built from.
- The Framework Profiles align the Core’s outcomes with an organization’s business requirements, risk tolerances, and resources. A Current Profile records which outcomes the organization achieves today; a Target Profile records the outcomes it needs. Comparing the two produces a prioritized list of gaps.
- The Implementation Tiers describe how rigorous and repeatable an organization’s risk management practices are, from Tier 1 (Partial) through Tier 2 (Risk Informed) and Tier 3 (Repeatable) to Tier 4 (Adaptive). NIST is explicit that the Tiers are not maturity levels and that moving to a higher Tier is worthwhile only where it reduces risk cost-effectively.
Essentially, the Core lists the outcomes, the Profiles select and prioritize them for your specific organization, and the Tiers describe how consistently your organization manages cybersecurity risk overall.
NIST also publishes guidance for specific sectors and tasks. For healthcare, SP 800-66 is NIST’s guide to implementing the HIPAA Security Rule, and its 2024 revision (Rev. 2) maps the Rule’s requirements to the Framework’s outcomes. SP 800-30 is NIST’s guide for conducting risk assessments, the activity that feeds the Identify Function and the Profiles.
Why Use the NIST Framework?
Why use this framework? Simply put, it takes the guesswork out of the equation.
Working from a published framework gives you something to measure your cybersecurity posture against. The Framework is voluntary guidance from a U.S. federal agency rather than a law, but it covers everything from your technical infrastructure to your security policies and gives you a structure to follow.
You can use it almost as a checklist, and it helps you identify gaps in your security: build a Current Profile of the outcomes you achieve today and a Target Profile of the outcomes your risk tolerance demands, and the difference is your gap list. Whether an element of your security strategy is missing entirely or only partially complete, the Framework tells you what kind of controls you should have. This is especially useful for organizations that are not under compliance regulations and so have no specific security requirements to measure against.
"Aligning a business to a framework, even if the business is not under any compliance regulations, allows the business's current security posture to be measured against a series of standards. This allows for recognition of immature controls and gaps in the business's security posture. Aligning a business against standards is the best way to identify and improve the business's security level," says NetGain's Director of Security Scott Logan.
Be advised: the Framework describes outcomes, not specific controls, and it does not replace the regulatory requirements that apply to your organization. For example, the Framework’s Protect Function includes the outcome that backups of information are conducted, maintained, and tested (Subcategory PR.IP-4 in CSF 1.1), but if you are subject to HIPAA, the Security Rule’s contingency plan standard (45 CFR 164.308(a)(7)) specifically requires a data backup plan, a disaster recovery plan, and an emergency mode operation plan, and you must meet those requirements however you implement the Framework. Having the proper security team behind you will help you implement the NIST framework and go beyond it to optimize your own organization’s security posture.
By using NIST, you align your business to a level of security control recommended by a U.S. government agency and widely referenced by regulators and auditors. This helps your business stay protected while giving you structured guidelines for building its security strategy.