Enhancing Cyber Security Frameworks with NIST Standards
In 2014, the National Institute of Standards and Technology (NIST) published its Framework for Improving Critical Infrastructure Cybersecurity. This cyber security framework was created in response to cyber security threats that have become increasingly prevalent in recent years.
Its purpose is to provide a set of industry best practices and standards for companies to manage risks. It’s not about just defending your system in the event of an attack. It’s about detecting potential risks before they have the opportunity to bring you to your knees. A breach in today’s culture of global connectivity is more than a matter of theft of personal data or financial losses. A breach when you’re doing business for the government can mean a threat to national security and the economy.
The NIST framework reminds us that “Cyber security threats exploit the increased complexity and connectivity of critical infrastructure systems, placing the Nation’s security, economy, and public safety and health at risk.”
Here we’ll discuss some key components of the framework and why they’re useful for every company regardless of size or sector.
Five Components of the NIST Cyber Security Framework
The NIST framework provides organization and structure in a world of multiple approaches to cyber security by assembling standard guidelines and practices that are more efficient. The guidelines are meant to be adaptable to your organization because you can’t use a one-size-fits-all approach to security. Every business has unique threats, vulnerabilities, and risk tolerances.
The cyber security framework is made up of five functions, and it’s up to you to decide how to properly implement them in your organization.
- Identify – Assess the risks for all of your assets and develop strategies to mitigate them.
- Protect – Put the proper defense mechanisms in place for your IT system and its users.
- Detect – Put systems in place to proactively find threats before they become breaches.
- Respond – Be ready for a potential crisis before it happens by putting a notification and response plan in place.
- Recover – Have a comprehensive disaster recovery plan in place before an attack.
Creating a Target Profile for Your Organization
The cyber security framework by NIST recommends that you build a target profile for your company to pinpoint where you want to go when it comes to security. But in order to create your desired state, you must start with evaluating your current state. The process of creating your target profile could look something like this:
- Review your organization’s objectives and priorities.
- Determine the scope of the systems those objectives require.
- Determine the level of cyber security necessary to maintain those required systems.
- Create your current profile by identifying which goals of the framework your organization already achieves and where you need to improve.
- Conduct a risk assessment that includes your operational environment and IT infrastructure.
- Develop a target profile that includes your company, customers, vendors, and business partners.
Implementing these activities in your business can be highly beneficial, but you must also consider the importance of requiring your service providers to implement them.
Cyber Security Requirements for Stakeholders
The NIST cyber security framework provides guidelines for your company to mitigate risks among the various stakeholders you do business with. By analyzing and understanding each stakeholder’s connection to your IT infrastructure, you can improve your cyber security posture.
This includes assessing everyone in your supply chain.
In addition to creating a target profile for your own cyber security, NIST also recommends creating a target profile of your specific risk management requirements for each vendor or service provider you interact with. For example, if you use a cloud services provider to back up your data offsite, you should hold them to stringent guidelines to protect you both.
Implementing this process for your business partners might include:
- Putting written requirements for cyber security in all of your contracts
- Letting your vendors know how you will verify and enforce those requirements
- Implementing measures on your end to verify that your stakeholders are adhering to your requirements
- Constantly managing and updating these activities as needed
Because the world is so interconnected, supply chain risk management (SCRM) is a critical component of the cyber security framework.
Your organizational requirements for cyber security can help you separate the wheat from the chaff when it comes to the companies you do business with. If companies in your supply chain aren’t willing to adhere to your standards, you have to decide if doing business with them is worth the risk.
While they may provide an excellent product or service, you can’t always afford the exposure. A breach can have a catastrophic global impact these days. You don’t want to end up in trouble with regulatory agencies or even worse, going out of business.
A Tool for Success
The five functions of the NIST cyber security framework are intended to be integrated simultaneously to help you achieve more effective outcomes. The goal is to equip you to better manage cyber security risks for your systems, assets, and data by highlighting best practices.
If you’re not sure how to create a target profile, or if you don’t know where to begin when it comes to incorporating this cyber security framework into your business, you can work with an IT management partner like NIC.
We’ve been helping companies of all sizes enhance cyber security and implement IT best practices for many years. Contact NIC for a free consultation.