NIST
cybersecurity
Principles of the NIST Cybersecurity Framework
The Cybersecurity Framework or NIST Framework is a guide developed to provide a structured approach to managing and improving an organization's cybersecurity. This framework consists of three main components: the Core, Profiles, and Action Plans.
When we talk about the core of the NIST Framework, we refer to a set of activities and recommended practices for managing an organization's cybersecurity risks.
The core is divided into five main functions:
- 🔍 Identify
- 🛡️ Protect
- 🚨 Detect
- 🚑 Respond
- 🔄 Recover
Detailed Functions of the NIST Framework 🔍
1) Identification of Critical Systems and Information Assets 🏢
The identification function of the NIST Framework focuses on developing an organizational understanding to manage cybersecurity risks. This involves:
- Understanding the business context and the resources that support critical functions 🏭
- Identifying critical systems, information assets, vulnerabilities, and threats 💻
- Creating a complete inventory of information assets (systems, networks, data, applications) 📊
- Assessing vulnerabilities and weaknesses in systems and networks 🔍
- Taking proactive measures to protect against potential cyberattacks 🛡️
- Prioritizing security efforts in line with risk management strategies and business needs 📈
This function enables organizations to understand their risks and take effective measures to protect their critical assets.
The categories included in this function are:
| Asset Management | Identify the physical and software assets within the organization to establish an asset management program. 📦 |
|---|---|
| Business Environment | This refers to the entire business environment that supports the organization, including all stakeholders for understanding and prioritization. 🏢 |
| Governance | Identify all legal, regulatory, and operational policies of the organization to define the governance program. 📜 |
| Risk Assessment | Identify all threats and risks to the organization's internal and external resources. ⚠️ |
| Risk Management Strategy | Identify any strategy to manage risks, establishing risk tolerance. 🎯 |
| Risk Management | Identify all risk management strategies, such as defining priorities, risk tolerances, and assuming risk in organizational decisions. 🧠 |
2) Protection of Information Systems 🛡️
The protection function in the NIST Framework focuses on implementing security measures to prevent and mitigate cyber risks. This includes:
- Protection of assets and information systems 🔒
- Access management and user control 🔑
- Implementation of security policies and controls 📋
- Preparation to respond to incidents 🚨
- Limiting the impact of cybersecurity events 🛑
The main objective is to reduce the likelihood and impact of cyberattacks through preventive and mitigation measures.
Categories within this function include
- Access Control and Authentication: Protect identity management within the organization to provide access control only to authorized individuals. 🔐
- Awareness and Training: Organization personnel must be educated according to their particular cybersecurity needs, and awareness must be created about each cybersecurity responsibility. 🎓
- Data Security: Establish security strategies to protect the confidentiality, integrity, and availability of information. 🔏
- Information Protection Processes and Procedures: Information systems and assets must be managed and maintained by effective security policies. 📘
- Maintenance: Any repair or maintenance performed on security system facilities must be in accordance with the organization's policies and procedures. 🔧
- Protective Technology: The security and resilience of information systems must be managed by security solutions. 🖥️
3) Detection and Response to Security Incidents 🚨
This function implements monitoring systems and tools to identify malicious or suspicious activities in organizational systems, such as firewalls, intrusion detection systems, and data loss prevention. Once an incident is detected, response is vital to contain and mitigate damage.
NIST defines an incident response lifecycle consisting of four main phases: preparation, detection and analysis, containment and eradication, and recovery.
This structured approach enables organizations to effectively handle security incidents and minimize their impact.
Categories within this function include
- Preparation: In this stage, we create an incident response plan that establishes roles and responsibilities, as well as procedures to follow in the event of a security incident. 📝
- Detection and Analysis: In this stage, we use detection tools as mentioned above to identify and analyze the incident. We also collect and examine audit logs and perform forensic analysis to determine the nature and scope of the incident. 🔍
- Containment and Eradication: Once we know the magnitude of the incident, we take appropriate measures to contain it and prevent its spread. This may involve disconnecting affected systems, removing malware, and applying security patches. 🛑
- Recovery: After containing and eradicating the incident, we proceed to recover the affected systems. This can be achieved by restoring data from backups, rebuilding compromised systems, or implementing additional security measures. 🔄
Among the detection categories within the cybersecurity framework are:
| Anomalies and Events | The organization must record any detected anomaly and analyze them for complete understanding. 🔎 | |
|---|---|---|
| Continuous Security Monitoring | Security systems must be monitored to identify any event and verify the effectiveness of protection. 👀 | |
| Detection Processes | These are the processes implemented and tested for anomalies and events. 🕵️ |
4) Recovery and Business Continuity 🔄
This function focuses on ensuring that an organization can quickly recover from a security incident and maintain the continuity of its business operations through plans and actions that minimize the impact on the organization's operations.
The framework recommends a systematic approach to facilitate the fulfillment of this function.
- Response Planning: Ensure that response planning processes are executed during and after an incident. 📅
- Communications: Policies must be flexible enough to allow coordination among all internal and external stakeholders. 📢
- Analysis: For effective response and recovery activities, analyses must be conducted. 📊
- Mitigation: The organization must manage appropriate activities to stop the spread and mitigate the effects of cybersecurity risks. 🛡️
- Improvements: Improvement activities must be managed based on experience gained from any current or past detection or response activity. 📈
5) Risk Management ⚖️
This function focuses on identifying, assessing, and mitigating risks associated with an organization's information assets.
Risk management involves a systematic and proactive approach to identifying and addressing information security risks. NIST recommends following a risk management process consisting of the following stages:
- Asset Identification: In this stage, an organization's information assets are identified and classified. This may include confidential data, critical systems, network infrastructure, and any other element valuable to the organization. 🏢
- Risk Assessment: Once assets have been identified, the risks associated with each are assessed. This involves identifying potential threats, existing vulnerabilities, and the impact a security incident could have on the assets. 🔍
- Risk Analysis: In this stage, a detailed analysis of the identified risks is performed. This involves evaluating the likelihood of a security incident occurring and the potential impact on information assets. Quantitative and qualitative risk analysis tools and techniques can also be used. 📊
- Risk Mitigation: Once the risks are understood, mitigation measures are developed and implemented to reduce the likelihood of security incidents and minimize their impact. These measures may include implementing security controls, updating software, training staff, and improving internal processes. 🛡️
💡 Understanding these principles will help us greatly in our careers as cybersecurity analysts, since sometimes we may join an organization where there is no security system in place, and our first task will be to implement one. In those cases, we can use the NIST Cybersecurity Framework as a guide to know where to start our work and what steps to follow.