
Simplifying NIST Cybersecurity Standards & Framework


As cybercrime grows more sophisticated, how can security practice keep pace? The National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) was created to help organizations manage cybersecurity risk by giving them a common structure they can follow to protect their systems and data. NIST continues to update its publications; one such update is the revision of NIST SP 800-53A, which provides assessment procedures for verifying that an organization's security and privacy controls are implemented correctly and are producing the intended outcomes.

These updates are driven by the persistence and evolution of cyberattacks. A write-up on the cybersecurity skills gap by Maryville University notes that businesses are set to lose $8 trillion to cybercrime over the next five years, and very likely more, as we grow increasingly connected. Inadequate security combined with increased connectivity raises the likelihood of a successful attack and puts valuable information at risk of falling into the wrong hands. Although the NIST framework is voluntary, businesses should consider adopting the CSF as a structure for choosing security measures that fit the organization. The framework can be hard to navigate, so we break its main parts down below.

Understanding NIST CSF


The CSF has three parts: the Framework Core, the Implementation Tiers, and Framework Profiles. Together they align cybersecurity activities with the organization's business requirements, risk tolerance, and resources.

The Core

The Core is a set of cybersecurity activities, desired outcomes, and informative references for achieving those outcomes. It presents standards, guidelines, and practices in language that can be communicated and adopted at all levels of the organization, from the executive level down to implementation teams. The Core is organized into five Functions, which together cover both ongoing risk management and incident handling:

  • Identify: Develop an understanding of the assets you need to protect: equipment, systems, software, and data, along with the people and business processes that depend on them.
  • Protect: Limit who can access data and systems, back up and encrypt data regularly, and use protective technology to keep systems secure. Train employees on security policy and on the procedures they should follow before, during, and after an incident.
  • Detect: Monitor activity continuously so that suspicious or unauthorized events are found quickly and can be assessed and triaged.
  • Respond: Maintain a clear response plan and communicate frequently with everyone involved in containing the incident. Be transparent about whose data is affected and notify them promptly. Fix weak points in the plan afterward and test the changes so that the next response is better.
  • Recover: Restore affected equipment and information to normal operation as far as possible. Update all parties on the event and on any changes to procedures, and incorporate lessons learned to improve resilience.

Within each Function are Categories, groups of related outcomes such as "Asset Management" and "Risk Assessment." Categories are further divided into Subcategories, which state specific technical or management outcomes (for example, that physical devices within the organization are inventoried). Informative References are the specific sections of existing standards, guidelines, and practices (such as ISO/IEC 27001, COBIT, and NIST SP 800-53) that show how to achieve each Subcategory's outcome.

Tiers

Overview of NIST Cybersecurity Implementation Tiers

The Implementation Tiers describe how an organization views cybersecurity risk and how rigorous and well integrated its risk management processes are. NIST is explicit that the Tiers are not maturity levels and do not measure compliance with the CSF; they are a way to characterize current practice. They range from Tier 1 to Tier 4:

  • Tier 1 (Partial): Risk management is ad hoc and often reactive; cybersecurity activities are informal and inconsistent, and there is little organization-wide awareness of risk.
  • Tier 2 (Risk Informed): Management is aware of cybersecurity risk and has approved some practices, but there is no organization-wide policy, and risk information is shared informally.
  • Tier 3 (Repeatable): Risk management practices are formally approved and expressed as policy across the organization; they are regularly updated and consistently applied.
  • Tier 4 (Adaptive): The organization adapts its practices based on lessons learned and predictive indicators, improves continuously, and treats cybersecurity risk as part of its culture; threat detection and response are proactive and evolving.

Knowing which Tier your organization falls into helps you decide whether moving to a higher Tier is worthwhile. NIST recommends progression when it would reduce risk cost-effectively, not as an end in itself.

Profiles

Framework Profiles describe the current or desired state of the organization's cybersecurity outcomes, expressed as a selection of Core Subcategories prioritized according to business needs and risk tolerance. The Current Profile records the outcomes that are being achieved today. The Target Profile records the outcomes needed to reach the organization's cybersecurity risk management goals. Comparing the two yields a prioritized list of gaps that drives the action plan for reaching the Target Profile.
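The comparison between a Current Profile and a Target Profile is easy to automate once each profile is recorded per Subcategory. The script below is an added illustration, not code from this post or from NIST: the Subcategory identifiers (ID.AM-1, PR.AC-1, DE.CM-1 and so on) are real NIST CSF 1.1 identifiers, but the status scale, the priorities, and both profiles are constructed sample data. It lists every outcome where the current status falls short of the target, sorted by business priority and Function, and treats any outcome missing from the Current Profile as not achieved.

```python
"""Gap analysis between a NIST CSF Current Profile and Target Profile.

Added example, not code from the page or from NIST. Subcategory IDs are
real CSF 1.1 identifiers; statuses, priorities and both profiles below
are constructed sample data.
"""
from dataclasses import dataclass

# The five Framework Core Functions, keyed by the prefix of a Subcategory ID.
FUNCTIONS = {
    "ID": "Identify",
    "PR": "Protect",
    "DE": "Detect",
    "RS": "Respond",
    "RC": "Recover",
}

# Ordered status scale for how far an outcome is achieved today.
# This scale is constructed for the example; the CSF does not prescribe one.
STATUS = ("none", "partial", "achieved")

# Constructed Current Profile: Subcategory -> status achieved today.
CURRENT_PROFILE = {
    "ID.AM-1": "achieved",
    "ID.AM-2": "partial",
    "PR.AC-1": "partial",
    "PR.DS-1": "none",
    "DE.CM-1": "partial",
    "RS.RP-1": "none",
    "RC.RP-1": "none",
}

# Constructed Target Profile: Subcategory -> (required status, priority; 1 = highest).
TARGET_PROFILE = {
    "ID.AM-1": ("achieved", 2),
    "ID.AM-2": ("achieved", 2),
    "PR.AC-1": ("achieved", 1),
    "PR.DS-1": ("achieved", 1),
    "DE.CM-1": ("achieved", 1),
    "RS.RP-1": ("partial", 3),
    "RC.RP-1": ("partial", 3),
}


@dataclass(frozen=True)
class Gap:
    subcategory: str
    function: str
    current: str
    target: str
    priority: int


def function_of(subcategory: str) -> str:
    """Map a Subcategory ID such as 'PR.AC-1' to its Function name."""
    return FUNCTIONS[subcategory.split(".", 1)[0]]


def gap_analysis(current: dict, target: dict) -> list:
    """Return the outcomes whose current status is below the target status,
    sorted by priority, then by Function order, then by Subcategory ID."""
    order = list(FUNCTIONS)
    gaps = []
    for subcat, (required, priority) in target.items():
        # An outcome absent from the Current Profile is not achieved at all.
        have = current.get(subcat, "none")
        if STATUS.index(have) < STATUS.index(required):
            gaps.append(Gap(subcat, function_of(subcat), have, required, priority))
    gaps.sort(key=lambda g: (g.priority, order.index(g.subcategory[:2]), g.subcategory))
    return gaps


def gaps_by_function(gaps: list) -> dict:
    """Group gap Subcategory IDs under their Function, preserving sort order."""
    grouped = {name: [] for name in FUNCTIONS.values()}
    for g in gaps:
        grouped[g.function].append(g.subcategory)
    return grouped


if __name__ == "__main__":
    for g in gap_analysis(CURRENT_PROFILE, TARGET_PROFILE):
        print(f"P{g.priority} {g.function:<8} {g.subcategory}: {g.current} -> {g.target}")
```

In practice the two profile tables would come from a spreadsheet or GRC tool rather than being embedded; the point is that the output is a prioritized action list per Function, which is what the Target Profile is meant to drive.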

As noted by Virginia Tech, cybercrime is constantly evolving and is not limited to attacks on individuals; institutions are targets as well. The CSF may be optional, but its standards and practices are essential for protecting your business and its information in the digital age. For more information about NIST and its revisions, you can check out our post on possible CSF updates.


Cait Torin is a freelance writer with an interest in all things technology. When she’s not writing or researching the latest tech innovations, you can find her at home with her cat or at the beach with a book in her hand.
