NIST - Framework - Quick Start - Guide

Download as pdf or txt
Download as pdf or txt
You are on page 1of 3

Getting Started with the NIST

Cybersecurity Framework: A Quick Start Guide


What is the NIST Cybersecurity Framework, and how can my organization use it?

The NIST Cybersecurity Framework1 is voluntary guidance, based on existing standards, guidelines, and
practices to help organizations better manage and reduce cybersecurity risk. It fosters cybersecurity risk
management and related communications among both internal and external stakeholders, and for larger
organizations, helps to better integrate and align cybersecurity risk management with broader enterprise
risk management processes as described in the NISTIR 82862 series.
The Framework is organized by five key Functions – Identify, Protect, Detect, Respond, Recover. These five
widely understood terms, when considered together, provide a comprehensive view of the lifecycle for
managing cybersecurity over time. The activities listed under each Function may offer a good starting point
for your organization:

IDENTIFY
Develop an organizational ● Establish policies for cybersecurity that include
understanding to manage roles and responsibilities – These policies and
cybersecurity risk to: systems, procedures should clearly describe your
assets, data, and capabilities. expectations for how cybersecurity activities will
protect your information and systems, and how
they support critical enterprise processes.
● Identify critical enterprise processes and assets Cybersecurity policies should be integrated with
– What are your enterprise’s activities that other enterprise risk considerations (e.g.,
absolutely must continue in order to be viable? financial, reputational).
For example, this could be maintaining a
website to retrieve payments, protecting ● Identify threats, vulnerabilities, and risk to
customer/patient information securely, or assets – Ensure risk management processes are
ensuring that the information your enterprise established and managed to ensure internal and
collects remains accessible and accurate. external threats are identified, assessed, and
documented in risk registers. Ensure risk
● Document information flows – It’s important to responses are identified and prioritized,
not only understand what type of information executed, and results monitored.
your enterprise collects and uses, but also to
understand where the data is located and flows,
especially where contracts and external partners
are engaged. “We adopted the CSF as the foundation of our
● Maintain hardware and software inventory – cybersecurity practice back in 2014 and so it
It’s important to have an understanding of the drives all of our standards, all of our strategies,
computers and software in your enterprise all of our architectures, and all of our
because these are frequently the entry points of communications.”
malicious actors. This inventory could be as
MICHAEL LEWIS
simple as a spreadsheet. POLICY AND FRAMEWORK ADVISOR
CHEVRON
1
https://www.nist.gov/cyberframework
2
https://csrc.nist.gov/publications/detail/nistir/8286/final
PROTECT
● Conduct regular backups – Many operating
Develop and implement the systems have built-in backup capabilities;
appropriate safeguards to
ensure delivery of services. software and cloud solutions are also available
that can automate the backup process. A good
practice is to keep one frequently backed up set
of data offline to protect it against ransomware.

● Manage access to assets and information – ● Protect your devices – Consider installing
Create unique accounts for each employee and host-based firewalls and other protections such
ensure that users only have access to information, as endpoint security products. Apply uniform
computers, and applications that are needed for configurations to devices and control changes to
their jobs. Authenticate users (e.g., passwords, device configurations. Disable device services or
multi-factor techniques) before they are granted features that are not necessary to support
access to information, computers, and mission functions. Ensure that there is a policy
applications. Tightly manage and track physical and that devices are disposed of securely.
access to devices.
● Manage device vulnerabilities – Regularly update
both the operating system and applications that
● Protect sensitive data – If your enterprise stores
are installed on your computers and other devices
or transmits sensitive data, make sure that this
to protect them from attack. If possible, enable
data is protected by encryption both while it’s
automatic updates. Consider using software tools
stored on computers as well as when it’s
to scan devices for additional vulnerabilities;
transmitted to other parties. Consider utilizing
remediate vulnerabilities with high likelihood
integrity checking to ensure only approved
and/or impact.
changes to the data have been made. Securely
delete and/or destroy data when it’s no longer ● Train users – Regularly train and retrain all users
needed or required for compliance purposes. to be sure that they are aware of enterprise
cybersecurity policies and procedures and their
specific roles and responsibilities as a condition
of employment.
DETECT
Develop and implement the
appropriate activities to identify ● Know the expected data flows for your
the occurrence of a enterprise – If you know what and how data is
cybersecurity event.
expected to flow for your enterprise, you are
much more likely to notice when the
● Test and update detection processes – Develop unexpected happens – and unexpected is never
and test processes and procedures for detecting a good thing when it comes to cybersecurity.
unauthorized entities and actions on the Unexpected data flows might include customer
networks and in the physical environment, information being exported from an internal
including personnel activity. Staff should be database and exiting the network. If you have
aware of their roles and responsibilities for contracted work to a cloud or managed service
detection and related reporting both within provider, discuss with them how they track data
your organization and to external governance flows and report, including unexpected events.
and legal authorities.
● Maintain and monitor logs – Logs are crucial in ● Understand the impact of cybersecurity events –
order to identify anomalies in your enterprise’s If a cybersecurity event is detected, your enterprise
computers and applications. These logs record should work quickly and thoroughly to understand
events such as changes to systems or accounts as the breadth and depth of the impact. Seek help.
well as the initiation of communication channels. Communicating information on the event with
Consider using software tools that can aggregate appropriate stakeholders will help keep you in
these logs and look for patterns or anomalies from good stead in terms of partners, oversight bodies,
expected network behavior. and others (potentially including investors) and
improve policies and processes.
RESPOND
Develop and implement the ● Coordinate with internal and external
appropriate activities to take stakeholders – It’s important to make sure that
action regarding a detected your enterprise’s response plans and updates
cybersecurity event. include all key stakeholders and external service
providers. They can contribute to improvements
● Ensure response plans are tested – It’s even in planning and execution.
more important to test Response plans to make
sure each person knows their responsibilities in
executing the plan. The better prepared your
organization is, the more effective the response
is likely to be. This includes knowing any legal "Small businesses have much to gain by working
reporting requirements or required information through the Framework. They can use it to build
sharing. a cybersecurity program from scratch or help
strengthen an existing program.”
● Ensure response plans are updated – Testing
the plan (and execution during an incident) CARRIE JOHNSON
inevitably will reveal needed improvements. Be MANAGER - GOV’T & EXT. RELATIONS
SDN COMMUNICATIONS
sure to update Response plans with lessons
learned.

RECOVER
Develop and implement the
appropriate activities to maintain ● Ensure recovery plans are updated – As with
plans for resilience and to restore Response plans, testing execution will improve
any capabilities or services that employee and partner awareness and highlight
were impaired due to a cyber- areas for improvement. Be sure to update
security event. Recovery plans with lessons learned.

● Communicate with internal and external ● Manage public relations and company
stakeholders – Part of recovery depends upon reputation – One of the key aspects of recovery
effective communication. Your recovery plans is managing the enterprise’s reputation. When
need to carefully account for what, how, and developing a recovery plan, consider how you
when information will be shared with various will manage public relations so that your
stakeholders so that all interested parties information sharing is accurate, complete, and
receive the information they need but no timely – and not reactionary.
inappropriate information is shared.

You might also like