How to Integrate NIST CSF 2.0 into Your Cybersecurity Strategy

What makes an organization trustworthy? Don’t we all expect our data to be handled with sensitivity and privacy? And how does the NIST CSF help? The National Institute of Standards and Technology (NIST) publishes policies and practices for digital security that apply to any organization, regardless of the sector it serves (government, financial, health, educational, NGO). NIST developed the NIST Cybersecurity Framework (CSF) to help organizations manage and reduce cybersecurity risk effectively. NIST CSF 2.0 is the latest version of this framework, with improved policies and updated guidance to address current cybersecurity challenges.

Advantages of adopting NIST CSF 2.0


• It serves as a tool for evaluating an organization’s current cybersecurity maturity, which sets a benchmark for reaching the target maturity level.

• It improves the cybersecurity posture and strengthens resilience by improving the organization’s ability to withstand and respond to cyber events.

• Better communication within the organization helps identify potential cyber threats in the IT environment and allows timely and appropriate measures to be taken to mitigate these risks.

What’s new in CSF 2.0

• NIST CSF 2.0 adds the new Govern function, which lays the groundwork for setting rules and expectations for cybersecurity within an organization. This includes creating policies, assigning roles and responsibilities, and overseeing the cybersecurity strategy.

• Greater attention is given to Cybersecurity Supply Chain Risk Management, to maintain clear lines between the organization, its customers, its business partners and the relevant authorities. This includes implementing a supply chain risk management program, defining roles and responsibilities among stakeholders, establishing clarity before contracting, and preparing a supply chain incident response plan.

• Guidance on CSF implementation is provided through action-oriented implementation examples. NIST CSF 2.0 also introduces the CSF Organizational Profile, which is used to evaluate the current maturity status and, in turn, helps reach the target maturity level.

Integration of NIST CSF 2.0

Familiarizing Components

The framework is organized into three components:

Framework Core: a set of functions, categories, and subcategories, each targeting a specific cybersecurity outcome.

Framework Implementation Tiers: classify the rigor of an organization’s cybersecurity risk management practices. This gives an idea of how issues are handled in context and helps enhance the organization’s digital safety.

Framework Profiles: describe the organization’s current and target security postures in terms of the CSF Core outcomes. They help organizations analyze their position and set new goals for cybersecurity.

Each of these helps to build a connection between the organization and the cyber security activity they are going to perform.

The CSF Core is the structured set of cybersecurity outcomes. These are classified into three levels: Functions, Categories, and Subcategories.

Functions form the highest level: Govern, Identify, Protect, Detect, Respond, and Recover. Use of the framework is voluntary.

GOVERN (GV)

Its role is to establish, communicate and monitor the organization’s cybersecurity risk management strategy, expectations and policies. It lays the groundwork by creating policies, assigning roles and responsibilities, and overseeing the cybersecurity strategy. Key areas covered by the Govern function include understanding the organizational context, the strategy, and supply chain risks. By focusing on governance, organizations build a strong foundation for their cybersecurity efforts and ensure these are well aligned with their overall goals and objectives.

IDENTIFY(ID) 

This function ensures the organization is aware of its current cybersecurity risks across assets, data, information, applications, service providers, and employees. It also finds areas with room for improvement, producing a guideline for improving the organization’s overall cybersecurity.

PROTECT (PR) 

This function focuses on implementing safeguards to manage the organization’s cybersecurity risks, once those risks have been identified and prioritized. This includes measures such as managing identities, controlling access to systems, providing awareness training to employees, securing data, and ensuring a resilient technology infrastructure.

DETECT (DE) 

This function focuses on finding possible cyber attacks. With it, organizations can detect suspicious activity within the network, which in turn enables rapid response to incidents.


RESPOND (RS)

This function is action-oriented: once an incident is detected, it applies effective measures to keep the impact minimal. Its aim is to understand the incident’s nature, scope, and root cause so that further damage is prevented, and to document the cause and analyze it afterwards as a case study.

The CSF Core describes the Respond function and its categories in more detail for better application to risk management. The Respond categories are:

• Incident Management: managing the incident, involving third parties where needed, by putting the necessary action plans into effect.

• Incident Analysis: the steps to follow while investigating an incident, with proper guidelines and documentation of each step for further analysis.

• Incident Response Reporting and Communication: managing engagement with stakeholders and keeping proper provisions in place for crisis communication.

• Incident Mitigation: reducing long-term effects by taking proper action during the peak period, or “golden hour”, of the incident.

RECOVER (RC) 

This function restores assets after an incident. The aim is a timely return to normal operation with minimal long-term effects, along with steps to avoid a recurrence of the incident.

The integration starts by scoping the organizational profile: outlining the aspects of the organization that cybersecurity will cover, including the facts and assumptions that will guide the creation of the profile.

Gathering information involves collecting what is needed to prepare the profile: organizational policies, risk management priorities, enterprise risk profiles, business impact analysis registers, cybersecurity requirements and standards, practices and tools, and work roles. Together these should precisely describe the organization’s cybersecurity needs.

Creating the profile comes next, once the relevant information is at hand. Here the CSF outcomes relevant to the organization’s cybersecurity goals and challenges are analyzed, and the needed information for each outcome is documented along with its respective risk management strategy.

Gap analysis compares the current state with the target state and identifies the gaps that need to be closed. A prioritized action plan is developed to address these gaps; it could take the form of a risk register, a report, or a plan of action.

Implementing the action plan and updating the profile addresses the gaps and moves the organization towards the target state. However, continual improvement is needed, because the digital environment and its threats keep changing and the safeguards must be kept up to date.
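As an added illustration of the profile, gap analysis and action plan steps above (example code, not part of the original article), the Python below models a small Organizational Profile: each outcome carries a Current and a Target Implementation Tier plus a business impact weight, and the open gaps are turned into a prioritized, risk-register style action plan. The category codes are CSF 2.0 category identifiers; the tier values and impact weights are constructed sample data.

```python
from dataclasses import dataclass

# CSF 2.0 Implementation Tiers, used here as the maturity scale for each outcome.
TIERS = {1: "Partial", 2: "Risk Informed", 3: "Repeatable", 4: "Adaptive"}

@dataclass
class Outcome:
    code: str      # CSF 2.0 category identifier, e.g. "RS.MA"
    name: str      # category name as it appears in the Core
    current: int   # Current Profile tier (1-4)
    target: int    # Target Profile tier (1-4)
    impact: int    # constructed business-impact weight, 1 (low) to 5 (critical)

    def gap(self) -> int:
        # Tiers still to climb; zero when the target is already met.
        return max(0, self.target - self.current)

    def priority(self) -> int:
        # Larger gaps on higher-impact outcomes are addressed first.
        return self.gap() * self.impact

def validate(profile: list[Outcome]) -> None:
    # Reject rows whose tiers or weights fall outside the scale.
    for o in profile:
        if o.current not in TIERS or o.target not in TIERS:
            raise ValueError(f"{o.code}: tiers must be between 1 and 4")
        if not 1 <= o.impact <= 5:
            raise ValueError(f"{o.code}: impact weight must be between 1 and 5")

def gap_analysis(profile: list[Outcome]) -> list[Outcome]:
    # Only the outcomes with an open gap, highest priority first.
    validate(profile)
    return sorted((o for o in profile if o.gap() > 0),
                  key=lambda o: (-o.priority(), o.code))

def action_plan(profile: list[Outcome]) -> list[dict]:
    # Risk-register style rows, ready to be tracked until the target state is reached.
    return [{"code": o.code, "priority": o.priority(),
             "action": f"Raise {o.name} from Tier {o.current} ({TIERS[o.current]}) "
                       f"to Tier {o.target} ({TIERS[o.target]})"}
            for o in gap_analysis(profile)]

# Constructed sample profile: the Govern supply-chain category and the four
# Respond categories named in the text, with made-up current/target tiers.
SAMPLE_PROFILE = [
    Outcome("GV.SC", "Cybersecurity Supply Chain Risk Management", 1, 3, 4),
    Outcome("RS.MA", "Incident Management", 2, 3, 5),
    Outcome("RS.AN", "Incident Analysis", 2, 4, 3),
    Outcome("RS.CO", "Incident Response Reporting and Communication", 3, 3, 4),
    Outcome("RS.MI", "Incident Mitigation", 1, 4, 5),
]
```

Running `action_plan(SAMPLE_PROFILE)` drops RS.CO (target already met) and ranks Incident Mitigation first, since it combines the largest gap with the highest impact.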