The National Institute of Standards and Technology (NIST) in the USA has produced a framework to help organisations align their cyber security defence planning and protect the infrastructure from being compromised by the threat of cybercrime.
NIST Cyber Security Framework (CSF) gives private sector organisations a framework of policies and controls to help prevent attacks from cyber criminals and detect and respond to ones that do gain access.
In the following video, the National Institute of Standards and Technology explains more about the NIST framework’s original aim, the standards, guidelines, and best practices behind it.
Why Is It Recommended?
Subcontractors and contractors working with the federal government must follow NIST security standards. If a contractor has a history of NIST non-compliance, they are at risk of being excluded from government contracts in the future.
What About Everyone Else?
NIST guidelines can help keep your systems protected from malicious attacks and human error. Following the framework will help your organisation meet the requirements for the Health Insurance Portability and Accountability Act (HIPPA) and the Federal Information Security Management Act (FISMA), which are mandatory regulations.
Organisations lean into NIST compliance as an industry standard due to the benefits it can bring. NIST culture is vital for private companies to promote a better understanding of data handling.
NIST and ISO 27001
Both NIST and the International Organization for Standardization (ISO) have industry-leading approaches to information security. The NIST Cybersecurity Framework is more commonly compared to ISO 27001, the specification for an information security management system (ISMS).
What Are the Commonalities Between ISO 27001 and NIST?
Both offer frameworks for managing cybersecurity risk. The NIST CSF framework will be easy to integrate into an organisation that wants to comply with ISO 27001 standards.
The control measures are very similar, the definitions and codes are very similar across frameworks. Both frameworks have a simple vocabulary that allows you to communicate clearly about cybersecurity issues.
What Is the Difference Between ISO 27001 and NIST?
Risk maturity, certification, and cost are some of the differences between NIST CSF vs ISO 27001.
Risk Maturity
If you are in the early stages of developing a cybersecurity risk management plan or trying to mitigate prior failures, the NIST CSF may be the best choice. ISO 27001 is a good choice for mature organisations seeking a more worldwide recognised framework.
Certification
ISO 27001 offers certification via third-party audit that can be costly but can enhance your organisation’s reputation as a business that investors can trust – NIST CSF doesn’t offer that kind of certification.
Cost
The NIST CSF is available for free, while the ISO 27001 charges for access to their documentation – a start-up company might want to start their cybersecurity risk management program with NIST Cyber Security Framework and then make a bigger investment in the process as they scale with ISO 27001.
NIST vs ISO 27001: Which One Is Right for Your Business?
What is right for your business is dependent on maturity, goals, and specific risk management needs. ISO 27001 is a good choice for mature organisations that face external pressure to certify.
Your organisation may not be ready to invest in an ISO 27001 certification journey yet or maybe at a stage where it would benefit from the clear assessment framework offered by the NIST framework.
The NIST CSF framework can be a strong starting point to your ISO 27001 certification journey as your organisation matures.
Regardless of whether you’re starting with NIST CSF or growing with ISO/IEC 27001, a proactive and efficient information security management system will help you reach organisational compliance.
NIST Cyber Security Framework – What Are the Five Core Functions?
The highest level of abstraction in the framework is the Five Core Functions. They are the foundation of the framework core, and all other elements are organised around them.
Let us take a deeper look at the NIST Cybersecurity Framework’s five functions.
Identify
The identify function can help develop an organisational understanding to manage cybersecurity risk to systems, people, assets, data, and capabilities.
For betting understanding in a business context, an organisation can focus and prioritise its efforts, consistent with its risk management strategy & business needs, because of the resources that support critical functions and the related cybersecurity risks.
Protect
The Protect function outlines suitable safeguards to ensure the delivery of critical infrastructure services. It’s possible to limit or contain the impact of a potential cybersecurity event with the help of the Protect function.
Detect
Suitable activities to identify the occurrence of a cyber event are defined by the Detect function. The Detect function allows the timely discovery of cybersecurity events.
Respond
Appropriate activities are included in the respond function to take action regarding an identified cybersecurity incident. The respond function helps support the ability to contain the repercussions of a potential cybersecurity incident.
Recover
The Recover function identifies activities to maintain resilience plans and restore services affected by a cybersecurity incident. The Recover function helps timely recovery to normal operations to reduce the consequences of a cybersecurity incident.
Following these five functions is advised as best practice as they’re not only applicable to cyber security risk management functions but to risk management as a whole.
NIST Cyber Security Framework – What Are the Four Tiers?
The degree to which an organisation’s cyber security risk management practices exhibit the characteristics defined in the framework is referred to as the tier.
Tier 1 to tier 4 describes an increasing degree of rigour and how well-integrated cybersecurity risk decisions are into broader risk decisions. The degree to which the organisation shares & receives cybersecurity info from external parties.
Tiers don’t necessarily represent maturity levels; the organisation should decide the desired tier.
Businesses should ensure that the selected level meets organisational goals, reduces cybersecurity risk to levels acceptable to the organisation, and is feasible to implement.
Tier 1 – Partial
- The Risk Management Processes: Cybersecurity risk management is usually performed ad hoc/reactive at tier 1 organisations. Regarding the degree of risk that those activities address, cybersecurity activities are typically performed with little to no priority.
- The Integrated Risk Management Program: Communication and management of cyber risk are challenging for these organisations due to the lack of processes associated with it. The lack of consistent information is one of the reasons the organisation works with cybersecurity risk management on a case-by-case basis.
- The External Participation: There is a lack of understanding of the role of the supply chain, dependants, and dependencies by these organisations in the business ecosystem. Without knowing where it sits in the ecosystem, a tier 1 organisation does not effectively share information with third parties. The business is unaware of the supply chain risks that it accepts and passes on to other members.
Tier 2 – Risk-Informed
- The Risk Management Processes: While risk management practices are approved by management, they are not usually established as policies within tier 2 organisations. While risk management practices aren’t standard, they inform the prioritisation of cybersecurity activities along with the threat environment and the business requirements.
- The Integrated Risk Management Program: There is an awareness of the risk at the organisational level, but it is not standard practice for the entire organisation. It is not standard for consideration to be given to cybersecurity in organisational objectives on the whole. It is not typical for a cyber risk assessment to be repeated frequently.
- The External Participation: Tier 2 organisations don’t understand their role in the ecosystems regarding dependency or dependants. While they are aware of the risk associated with their supply chain, organisations do not typically act on it.
Tier 3 – Repeatable
- The Risk Management Processes: Risk management practices have been formally approved by tier 3 organisations and are now an organisational policy. Changes in business requirements & changing threat landscape are some of the changes that these practices are updated on a regular basis.
- The Integrated Risk Management Program: The approach to managing cybersecurity risk is an organisation-wide one. Policies, processes, and procedures are reviewed to ensure they are risk-informed. There are ways to respond effectively to changes in risk, and personnel have the knowledge and skills to perform their roles. Business-side executives and senior cybersecurity executives frequently communicate about cybersecurity risks.
- The External Participation: Organisations contribute to the broader understanding of risks by understanding their role. They work with other entities that coincide with internally generated information shared with other entities. They are aware of the risks associated with their supply chains and act on them. Agreements drafted by the organisation will communicate baseline requirements, governance structures, and policy implementation and monitoring.
Tier 4 – Adaptive
- The Risk Management Processes: Lessons learned and predictive factors are included in the current and previous cybersecurity practices adapted by these organisations. Continuous improvement involves incorporating advanced cybersecurity technologies and techniques and actively adapting to changing threats and technology landscapes.
- The Integrated Risk Management Program: The link between objectives and cybersecurity risk is clearly understood by tier 4 organisations. Senior executives watch cybersecurity risk in the same way as financial risk and other risks. The budgeting decisions are based on understanding the current and potential risk environment. From an awareness of previous activities and continuous awareness, the risk of cybercrime is integrated into the organisation’s culture.
- The External Participation: Tier 4 organisations receive, generate, and contribute to the understanding of the risk. The organisation uses real-time information to understand and act on supply chain risks, further integrating information to internal and external stakeholders. A formal process is integrated into their documentation with their dependants and dependencies.
What Is a NIST Cybersecurity Framework Profile?
Profiles are an organisation’s special alignment of their requirements and objectives, risk appetite, and resources against their desired outcomes of the framework core.
Profiles can identify opportunities for improving cybersecurity posture by comparing a ‘current’ profile with a ‘target’ profile.
Profiles are used to improve the cybersecurity framework to serve the business best. The framework is voluntary, so there isn’t a right or wrong way to do it.
To create a current-state profile, an organisation must map their cybersecurity requirements, mission objectives, operating methodologies, and current practices. They’ll need to map against the subcategories of the framework core.
The requirements and objectives can be compared against the organisation’s current state to gain an understanding of the gaps.
A prioritised implementation plan can be created through the creation of these profiles and the gap analysis. The priority, size of gap, & estimated cost of corrective actions help plan and budget for improving your organisation’s cybersecurity.
What is NIST Special Publication 800-53?
NIST SP 800-53 is known as the National Institute of Standards and Technology Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organisation.
It was established to encourage and assist innovation and science by promoting and maintaining a set of industry standards.
NIST SP 800-53 is a set of guidelines & standards that help federal agencies and contractors meet their cybersecurity requirements. Special Publication 800-53 deals with the security controls or safeguards for federal information systems and businesses.
NIST, What Advantages Does Compliance Offer?
NIST lays out the fundamental protocol for companies to follow when they want to achieve compliance with specific regulations, such as HIPAA and FISMA.
It’s important to remember that complying with NIST isn’t a complete assurance that your data is secure. NIST tells companies to inventory their cyber assets using a value-based approach in order to find the most sensitive data and prioritise protection efforts around it.
NIST standards are founded on best practices from several security documents, organisations, publications and are designed as a framework for federal agencies and programs requiring strict security measures.