NIST Cybersecurity Framework

The NIST Cybersecurity Framework (NIST CSF) provides a policy framework of computer security guidance for how private sector organizations can assess and improve their ability to prevent, detect, and respond to cyber attacks. It "provides a high level taxonomy of cybersecurity outcomes and a methodology to assess and manage those outcomes." Version 1.0 was published by the US National Institute of Standards and Technology in 2014, originally aimed at operators of critical infrastructure. It is being used by a wide range of businesses and organizations, and helps shift organizations to be proactive about risk management.[1][2][3]

A security framework adoption study reported that 70% of the surveyed organizations see NIST's framework as a popular best practice for computer security, but many note that it requires significant investment.[4]

It includes guidance on relevant protections for privacy and civil liberties.[5]

Overview

The NIST CSF is designed with the intent that individual businesses and other organizations use an assessment of the business risks they face to guide their use of the framework in a cost-effective way.

The framework is divided into three parts, "Core", "Profile" and "Tiers". The "Framework Core" contains an array of activities, outcomes and references which detail approaches to aspects of cyber security. The "Framework Implementation Tiers" are used by an organization to clarify for itself and its partners how it views cybersecurity risk and the degree of sophistication of its management approach. Finally, a "Framework Profile" is a list of outcomes that an organization has chosen from the categories and subcategories, based on its business needs and individual risk assessments.

An organization typically starts by using the framework to develop a "Current Profile", which describes its current cybersecurity activities and what outcomes it is achieving. It can then develop a "Target Profile", or adopt a baseline profile that has been tailored to better match its critical infrastructure sector or type of organization. It can then take steps to close the gaps between its current profile and its target profile.
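The Current Profile / Target Profile comparison described above is, in practice, a gap analysis over the outcomes an organization has selected. The following Python script is an added example of that analysis and is not NIST's tooling or text: the outcome identifiers and descriptions are constructed stand-ins rather than the Framework Core's real subcategories, and the 0-3 achievement score attached to each outcome is an assumption made for this example (the framework itself defines profiles as lists of chosen outcomes, not numeric scores). The five function names are the ones the framework defines.

```python
"""Profile gap analysis in the style of the NIST CSF Current/Target Profiles.

Added example, not part of the framework. Outcome identifiers, descriptions
and the 0-3 achievement score are constructed assumptions for illustration.
"""
from dataclasses import dataclass

# The five framework functions, in the order the framework lists them.
FUNCTIONS = ("Identify", "Protect", "Detect", "Respond", "Recover")
FUNCTION_ORDER = {name: i for i, name in enumerate(FUNCTIONS)}


@dataclass(frozen=True)
class Outcome:
    ident: str        # constructed identifier (e.g. "DE-02"), not a real subcategory id
    function: str     # one of FUNCTIONS
    description: str  # constructed one-line summary of the outcome


# Constructed outcome catalogue standing in for the Framework Core.
CORE = (
    Outcome("ID-01", "Identify", "Hardware assets are inventoried"),
    Outcome("ID-02", "Identify", "Risk assessment is performed"),
    Outcome("PR-01", "Protect", "Access to systems is managed"),
    Outcome("PR-02", "Protect", "Data at rest is protected"),
    Outcome("DE-01", "Detect", "Anomalous activity is detected"),
    Outcome("DE-02", "Detect", "Event data is correlated"),
    Outcome("RS-01", "Respond", "Response plan is executed"),
    Outcome("RC-01", "Recover", "Recovery plan is executed"),
)
CORE_BY_ID = {o.ident: o for o in CORE}

# A profile maps outcome identifier -> achievement score 0..3 (assumption:
# 0 = not started, 3 = fully achieved). Outcomes absent from a profile count as 0.
CURRENT_PROFILE = {"ID-01": 2, "ID-02": 1, "PR-01": 3, "DE-01": 1, "RS-01": 0}
TARGET_PROFILE = {
    "ID-01": 3, "ID-02": 3, "PR-01": 3, "PR-02": 2,
    "DE-01": 3, "DE-02": 2, "RS-01": 2, "RC-01": 2,
}


def validate_profile(profile, core_by_id=CORE_BY_ID):
    """Reject identifiers outside the catalogue and scores outside 0..3."""
    for ident, score in profile.items():
        if ident not in core_by_id:
            raise ValueError(f"unknown outcome {ident!r}")
        if not isinstance(score, int) or not 0 <= score <= 3:
            raise ValueError(f"score for {ident} must be an int in 0..3, got {score!r}")


def profile_gaps(current, target):
    """Return (ident, current_score, target_score) for every target outcome
    the current profile falls short of, largest shortfall first; ties are
    broken by framework function order, then by identifier."""
    validate_profile(current)
    validate_profile(target)
    gaps = []
    for ident, want in target.items():
        have = current.get(ident, 0)  # not in the current profile = not achieved
        if have < want:
            gaps.append((ident, have, want))
    gaps.sort(key=lambda g: (-(g[2] - g[1]), FUNCTION_ORDER[CORE_BY_ID[g[0]].function], g[0]))
    return gaps


def gap_summary_by_function(gaps):
    """Total shortfall per function, so effort can be weighed across the five functions."""
    summary = {name: 0 for name in FUNCTIONS}
    for ident, have, want in gaps:
        summary[CORE_BY_ID[ident].function] += want - have
    return summary


if __name__ == "__main__":
    gaps = profile_gaps(CURRENT_PROFILE, TARGET_PROFILE)
    for ident, have, want in gaps:
        o = CORE_BY_ID[ident]
        print(f"{ident} [{o.function}] {have}->{want}: {o.description}")
    print(gap_summary_by_function(gaps))
```

The ranking puts the largest shortfalls first so that an organization can plan the steps that close its profile gaps in priority order; the per-function summary shows where the target profile demands the most new work, which is the view a budget discussion usually needs.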

Functions and categories of cybersecurity activities

The NIST CSF organizes its "core" material into five "functions" which are subdivided into a total of 22 "categories". For each category, it defines a number of subcategories of cybersecurity outcomes and security controls, with 98 subcategories in all.

For each subcategory, it also provides "Informative Resources" referencing specific sections of a variety of other information security standards, including ISO 27001, COBIT, NIST SP 800-53, ISA 62443, and the Council on CyberSecurity Critical Security Controls (CCS CSC, now managed by the Center for Internet Security).

Here are the functions and categories, along with their unique identifiers and definitions, quoted straight from the category column of its spreadsheet view of the core of the standard.[6]

Identify

"Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities."

Protect

"Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services."

Detect

"Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event."

Respond

"Develop and implement the appropriate activities to take action regarding a detected cybersecurity event."

Recover

"Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event."

References

This article incorporates public domain material from the National Institute of Standards and Technology document "NIST Cybersecurity Framework".

  1. "Workshop plots evolution of NIST Cybersecurity Framework". FedScoop. Retrieved 2016-08-02.
  2. HealthITSecurity. "NIST Cybersecurity Framework Updates, Clarification Underway". Retrieved 2016-08-02.
  3. PricewaterhouseCoopers. "Why you should adopt the NIST Cybersecurity Framework". Retrieved 2016-08-04.
  4. "NIST Cybersecurity Framework Adoption Hampered By Costs, Survey Finds". Information Week Dark Reading. Retrieved 2016-08-02.
  5. HealthITSecurity. "HIMSS: NIST Cybersecurity Framework Positive, Can Improve". Retrieved 2016-08-02.
  6. "Cybersecurity Framework Core (Excel)". NIST. This article incorporates text from this source, which is in the public domain.

This article is issued from Wikipedia - version of the 8/12/2016. The text is available under the Creative Commons Attribution/Share Alike but additional terms may apply for the media files.