The NIST Cybersecurity Framework provides guidance on how to manage and reduce IT infrastructure security risk.
NIST created the CSF to help private sector organizations in the United States develop a roadmap for critical infrastructure cybersecurity.
Its goal is to encourage organizations to prioritize cybersecurity risks - similar to financial, industrial/personnel safety and operational risks.
Another objective of the framework is to help include cybersecurity risk considerations in day-to-day discussions at organizations.
The framework is both voluntary and performance-based: organizations are not required to follow it, and it measures outcomes rather than prescribing specific controls.
While designed primarily for government and private sector organizations, public companies can also use the NIST Cybersecurity Framework.
The U.S. government and NIST provide several tools to help organizations get started with cybersecurity programs and assessments.
NIST does not use the term "comply" when it comes to the CSF. If an organization chooses to follow the framework, NIST uses the term "leverage" - as in, an organization will leverage the NIST Cybersecurity Framework.
In February 2013, President Obama issued Executive Order 13636: Improving Critical Infrastructure Cybersecurity, which called for the development of a voluntary cybersecurity framework that would provide a prioritized, flexible and performance-based approach to aid organizations in managing cybersecurity risks for critical infrastructure services.
While multiple federal agencies were tasked with developing elements related to this executive order, NIST was assigned to develop a cybersecurity framework with input from private industry.
The framework core, as described by NIST, is the set of cybersecurity activities and desired outcomes common across any critical infrastructure sector.
The framework implementation tiers provide context on how an organization views its cybersecurity risks and on the processes it has in place to manage those risks.
The tiers describe the level at which an organization's cybersecurity risk management practices follow the characteristics defined in the CSF. A tier 1 organization, for example, is one that's ranked as partial, described as having limited awareness.
Tier 2 is risk-informed, tier 3 is repeatable and tier 4 is adaptive, meaning the organization can best react to cybersecurity threats.
The framework profiles describe the current state of an organization's security program and compare that current state to the desired state.
The goal of a profile is to aid organizations in establishing a roadmap for reducing cybersecurity risk.
Identify refers to developing an understanding of how to manage cybersecurity risks to systems, assets, data or other sources.
Detect defines how a cybersecurity event is identified.
Respond defines what actions are taken when a cybersecurity event is detected.
The goal of these functions is to provide a strategic view of the cybersecurity risks in an organization.
This Cyber News was published on www.techtarget.com. Publication date: Mon, 08 Jan 2024 19:43:04 +0000