NIST Framework Summary Book

The document provides an overview of the NIST Cybersecurity Framework. It has three main components: 1) Core which establishes guiding principles and cybersecurity outcomes, 2) Implementation Tiers which describe an organization's processes from partial to adaptive, and 3) Profile which allows organizations to assess their cybersecurity risk management practices. The five functions of the framework are Identification, Protection, Detection, Response, and Recovery. The framework was developed by NIST to help organizations manage cybersecurity risks in a cost-effective way.

Uploaded by

Sagi Altynkop

THE COMPLETE NIST FRAMEWORK COURSE FOR CYBER RISK MANAGEMENT
INTRODUCTION
A set of business best practices developed by the National Institute of Standards and
Technology (NIST) with the objective of keeping data protected while remaining cost-effective
and flexible enough to be useful to almost any organization.

The NIST framework was formulated not only to address cyber threats but also to help
facilitate business objectives.

The NIST framework has three core components:

Core framework

Implementation tiers

Profile

Hailed as one of the best cyber security frameworks because:

Integrates industry standards and best practices to help businesses manage cyber risks

Provides a foundation that allows all stakeholders to understand the organization's cyber
risks

NIST does not take a one-size-fits-all approach, because all organizations have different
risks, threats and vulnerabilities; as a result, each needs its own perspective on its
cybersecurity risk requirements and how to manage them.

NIST is mandatory for all federal agencies operating in the United States.

The Federal Information Security Management Act of 2002 (FISMA) outlines that federal and
state organizations must comply with specific NIST requirements.

It also extends to contractors that do business with these organizations.


HISTORY

EXECUTIVE ORDER 13636

Signed on Feb 12, 2013, it states that "it is the policy of the United States to
enhance the security and resilience of the Nation’s critical infrastructure and to
maintain a cyber environment that encourages efficiency, innovation, and economic
prosperity while promoting safety, security, business confidentiality, privacy, and
civil liberties".

THE NIST FRAMEWORK TIMELINE


IMPLEMENTATION TIERS

Partial - At Tier 1, the organization does not have formalized security processes and its
handling of risk is nearly always reactive to a situation. The organization lacks consistent
risk management practices.

Risk Informed - At Tier 2, cyber security risk management practices exist in an informal
capacity, and the organization is mostly reactive to risks.

Repeatable - At Tier 3, the organization begins to understand risk management, with an
effective formal policy that is updated regularly as changes occur in the business.

Adaptive - At Tier 4, organizations are actively managing their cybersecurity practices,
including lessons learned from past incidents. By using continuous improvement models, the
organization is able to quickly adapt to new and emerging threats.

THE FRAMEWORK PROFILE
The Framework profile is used to align the objectives of the Framework with the business
requirements, risk tolerance, and resources available to the organization.

Profiles are a way of identifying the current state of an organization as well as the desired
future state. Comparing the current and the desired profiles identifies the gaps where risk
management activities need to be improved to bring the organization within its acceptable
risk target.

THE NIST FRAMEWORK

The framework consists of 5 main functions that form its backbone.

1. Identification of assets

2. Protection of assets

3. Detection of anomalies

4. Respond to anomalies

5. Recover from incidents

IDENTIFICATION
This is where we define what and where the most important assets of the organization are.
This function is broken down into 6 main activities:

01 ID.AM (ASSET MANAGEMENT)
A comprehensive inventory of all hardware devices used and the software that runs on
them. This inventory is then used to map the data flow between them as well as to
external vendors.

02 ID.BE (BUSINESS ENVIRONMENT)
We must understand the overall business environment to effectively protect it, including
defining our role in the supply chain. This is also where we document our dependencies
and resilience requirements.

03 ID.GV (GOVERNANCE)
This is where all cyber security initiatives are backed by policies approved by top
level executives.

04 ID.RA (RISK ASSESSMENT)
This is where asset vulnerabilities as well as other internal and external threats are
identified.

05 ID.RM (RISK MANAGEMENT)
What do we do with the risks we have identified? There are three things you can do with
a risk: accept, mitigate or transfer it.

06 ID.SC (SUPPLY CHAIN MANAGEMENT)
The cyber supply chain is documented, including suppliers and third party partners of
systems & services.

PROTECTION
Now that we know what and where the most important assets of the organization are, this is
where we put safeguards around them. This function is broken down into 6 main activities:

01 PR.AC (ACCESS CONTROL)
Strong identity management is crucial to ensuring credentials are managed for logical,
physical and remote access to all types of systems.

02 PR.AW (AWARENESS TRAINING)
Our users can be our strongest security assets when they are properly trained.

03 PR.DS (DATA SECURITY)
This is where we make sure all data are protected, as well as establish guidelines for
discontinuing data use and the disposal of the assets that store the data.

04 PR.IP (INFORMATION PROTECTION PROCESSES & PROCEDURES)
These include configuration & change management processes, backups, and the planning &
testing of incident response & business continuity.

05 PR.MA (MAINTENANCE)
Maintenance & repairs are performed and also carefully documented.

06 PR.PT (PROTECTIVE TECHNOLOGY)
This is where the real protection begins, including auditing as well as ensuring that
only devices that are needed to perform specific functions are enabled.

DETECT
Now that we have identified and protected our assets, it’s time to find those who are trying
to get at them.

01 DE.AE (ANOMALIES & EVENTS)
Before we can identify an anomaly we need to be able to establish what is normal in the
first place.

02 DE.CM (CONTINUOUS MONITORING)
Constant redefining and fine tuning of what is considered normal will help to identify
new events that may have previously gone unnoticed.

03 DE.DP (DETECTION PROCESSES)
Threats can evolve and change, and as such our detection methods must change as well.

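As an added illustration of the DE.AE and DE.CM points above (example code written for this summary, not part of the course): a per-user baseline of normal login hosts and hours is built from a few constructed log lines, new events are checked against it, and events that pass are folded back in so that "normal" keeps being re-tuned. The log lines, user names and host names are all made up.

```python
"""Baseline-then-detect for login events, per DE.AE / DE.CM. Constructed example."""
from collections import defaultdict
from datetime import datetime

# Constructed sample of successful logins: "timestamp user source_host"
BASELINE_LOGS = """\
2024-03-04T08:55:00 alice ws-101
2024-03-04T09:02:00 bob ws-102
2024-03-06T09:10:00 alice ws-103
"""
NEW_EVENTS = """\
2024-03-07T10:05:00 bob ws-102
2024-03-07T03:12:00 alice ws-250
"""


def parse(logs: str) -> list:
    """Turn the raw text into (datetime, user, host) tuples."""
    rows = [line.split() for line in logs.splitlines()]
    return [(datetime.fromisoformat(ts), user, host) for ts, user, host in rows]

def build_baseline(events: list) -> dict:
    """DE.AE: 'normal' per user is the set of hosts and login hours seen so far."""
    baseline = defaultdict(lambda: {"hosts": set(), "hours": set()})
    for ts, user, host in events:
        baseline[user]["hosts"].add(host)
        baseline[user]["hours"].add(ts.hour)
    return baseline

def hour_is_near(hour: int, known: set) -> bool:
    """True if hour is within one hour (wrapping at midnight) of a known hour."""
    return any(min(abs(hour - h), 24 - abs(hour - h)) <= 1 for h in known)

def detect(baseline: dict, events: list) -> list:
    """Flag events outside a user's baseline as (user, time, reasons).
    Events that pass are folded back into the baseline (the DE.CM tuning loop)."""
    alerts = []
    for ts, user, host in events:
        profile = baseline[user]
        reasons = []
        if host not in profile["hosts"]:
            reasons.append(f"new host {host}")
        if not hour_is_near(ts.hour, profile["hours"]):
            reasons.append(f"unusual hour {ts.hour:02d}")
        if reasons:
            alerts.append((user, ts.isoformat(), reasons))
        else:  # normal: widen the baseline with this host and hour
            profile["hosts"].add(host)
            profile["hours"].add(ts.hour)
    return alerts
```

A user never seen before has an empty baseline, so their first login is flagged on both host and hour; in practice that is a signal to enrol the account rather than an incident.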
RESPOND
What do we do when there is an anomaly? There are 5 main activities here:

01 RS.RP (RESPONSE PLANNING)
We need to ensure our response plan is active for all possible anomalies.

02 RS.CO (COMMUNICATION)
During an incident, clear and concise communication is essential between all
involved parties.

03 RS.AN (RISK ANALYSIS)
This step is most crucial for identifying the appropriate response plan path.

04 RS.MI (MITIGATION)
The objective here is to isolate any affected assets from an incident to prevent spread.

05 RS.IM (IMPROVEMENTS)
Use techniques such as postmortem discussions and root cause analysis frameworks to
ensure that the response to each incident is appropriate.

RECOVERY
The incident/attack has happened, so how do we now recover from it and get back to normal?

01 RC.RP (RECOVERY PLANNING)
If the business continuity plan from the PR function fails, then the recovery plan is
activated.

02 RC.IM (IMPROVEMENTS)
Ensure that each time the plan is implemented, lessons learned are reincorporated back
into the plan.

03 RC.CO (COMMUNICATIONS)
Communications engage public relations to ensure recovery efforts are communicated
internally and externally and our corporate reputation is restored.

IMPLEMENTATION

Start with a self-assessment to determine where your current cyber security program ranks
within the tiers. Use the assessment results to develop a strategy to patch any vulnerabilities
detected and to prioritize areas where there is a big difference between the current and
target profiles. Create a heat map to assign a value to the profile of each task.

By subtracting the current tier from your target tier, you will end up with a number between 0
and 3, e.g. if your target tier is 3 and you are currently on tier 1, the difference is 2. The
bigger the difference, the higher the priority of that task.

Key stakeholders must be made aware of the assessment grade.

STEP 1. PRIORITIZE & SCOPE
This is where you determine the risk tolerance of the organization and which
business processes need the most protection.

STEP 2. ORIENTATION
Here you identify the threats and vulnerabilities that apply to the assets
identified.

STEP 3. DEVELOP A PROFILE
Assign a tier number to each activity or task.

STEP 4. CONDUCT A RISK ASSESSMENT
Here we evaluate our organization's procedures to determine how effective they
are against known and emerging threats.

STEP 5. CREATE A TARGET PROFILE
Here we determine our organization's desired outcomes.

STEP 6. ANALYZE & PRIORITIZE GAPS
Determine the largest gaps between the current and desired target profiles. This
includes determining the resources and business processes that need adjustments
to meet the desired target profiles.

STEP 7. IMPLEMENTATION
Take action here!
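Added example (written for this summary, not part of the course) of the tier-gap scoring described under IMPLEMENTATION and used in steps 3, 5 and 6: each category carries a current and a target tier, the gap (target minus current) is its priority, and the scores are grouped by function so they can be laid out as a heat map. The categories and tier numbers form a constructed profile, not a real assessment.

```python
"""Gap scoring for a CSF profile, as the implementation steps describe.
Constructed example: the categories and tier numbers below are made up."""
from collections import defaultdict

TIERS = {1: "Partial", 2: "Risk Informed", 3: "Repeatable", 4: "Adaptive"}

# Constructed current profile vs target profile: category -> (current, target)
SAMPLE_PROFILE = {
    "ID.AM": (1, 3),
    "ID.RA": (2, 4),
    "PR.AC": (2, 3),
    "PR.DS": (3, 3),
    "DE.CM": (1, 4),
    "RS.RP": (2, 2),
    "RC.RP": (1, 2),
}


def gap(current: int, target: int) -> int:
    """Priority = target tier - current tier, which lands in 0..3.
    Tiers outside 1..4, or a target below the current tier, are rejected."""
    for tier in (current, target):
        if tier not in TIERS:
            raise ValueError(f"tier {tier} is not one of {sorted(TIERS)}")
    if target < current:
        raise ValueError("target tier must not be below the current tier")
    return target - current


def prioritize(profile: dict) -> list:
    """Return (category, current, target, gap) rows, largest gap first."""
    rows = [(cat, cur, tgt, gap(cur, tgt)) for cat, (cur, tgt) in profile.items()]
    return sorted(rows, key=lambda r: r[3], reverse=True)  # stable: ties keep listing order


def heat_map(profile: dict) -> dict:
    """Group gap scores by CSF function (ID, PR, DE, RS, RC) -> {category: gap}."""
    grid = defaultdict(dict)
    for cat, _cur, _tgt, g in prioritize(profile):
        grid[cat.split(".")[0]][cat] = g
    return dict(grid)


if __name__ == "__main__":
    for cat, cur, tgt, g in prioritize(SAMPLE_PROFILE):
        print(f"{cat}: {TIERS[cur]} -> {TIERS[tgt]}  gap={g}")
    print(heat_map(SAMPLE_PROFILE))
```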

THE NIST SP 800-53

A set of guidelines and standards developed to help federal agencies and contractors meet
the requirements presented by FISMA. The Federal Information Processing Standards (FIPS)
are another set of standards developed by NIST to help federal agencies meet the
requirements.

It deals primarily with the controls and safeguards necessary for securing federal
information systems and assets. The end goal is to maintain the integrity, confidentiality,
and security of federal information systems by implementing operational, technical, and
management safeguards.

ANALYZE - Understanding your information systems is the first step, as well as assessing
potential threats. Automated systems for monitoring threats can be used.

EDUCATE - Employees must be educated. SP 800-53 has a number of management controls that
the management team must be aware of.

ASSESS - Security systems in place should be assessed so that possible improvements can
be made.

ADDITIONAL READING
https://www.nist.gov/cyberframework-53/rev-5/final

https://www.nist.gov/cyberframework/online-learning/uses-and-benefits-framework

https://www.nist.gov/cyberframework/resources

https://www.nist.gov/cyberframework/success-stories

https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final
