Introduction to the NIST Framework
Cybersecurity Framework
Welcome. In this article we describe the Cybersecurity Framework of the National Institute of Standards and Technology, commonly known as NIST, which on its site is described as a division of the United States Department of Commerce.
In short, the NIST Cybersecurity Framework helps businesses of all sizes understand, manage, and reduce their cybersecurity risk, and protect their computer networks and data.
Put simply, the NIST Cybersecurity Framework is voluntary guidance that organizations can follow if they choose. It is based on existing standards, guidelines, and best practices and is intended to help us better manage and reduce cybersecurity risk in practice. I believe it was created to make it easier for both internal and external stakeholders to talk about risk management and cybersecurity, by unifying criteria.
Outside the United States, this framework amounts to no more than a set of good practices: it is not a universal law, a standard, or an ISO norm. In Mexico it has no regulatory force, and I imagine that the same is true in many countries. Let's not lose sight of this, so that no one wrongly sells us the concept.
The National Institute of Standards and Technology (NIST) created the Cybersecurity Framework (CSF) so that private organizations in the United States could plan how to secure critical infrastructure. We know that it has been translated into other languages and that it is used by the governments of Japan and Israel, among others.
Specifically, the NIST Cybersecurity Framework (NIST CSF) tells people how to manage and reduce security risks in IT infrastructure. This does not mean it is profiled only for the IT area; nowadays its field of integration into the business is much broader. The CSF is made up of standards, guidelines and best practices that can be used to prevent, detect and respond to cyberattacks.
I think the NIST CSF is more useful for smaller or less regulated organizations, especially those trying to raise awareness about security; this reflects general experience. Larger organizations that already have a focused IT security program may find the framework less useful. It has the greatest impact if you are starting the business's cybersecurity plan and have not yet committed to any framework, norm or standard; this is undoubtedly a topic of discussion inside the business.
“Private industry and the US government worked together to make the framework a voluntary measure”
The NIST Cybersecurity Framework is a global standard for cybersecurity that is used as the basis for many laws and other standards. NIST creates cybersecurity standards, guidelines, best practices, and other resources to meet the needs of American businesses, federal agencies and the public in general.
“The framework does a wide range of things, from providing specific information that organizations can use immediately to conducting long-term research that anticipates changes in technology and new challenges”
Again, some of NIST's cybersecurity tasks are established by federal laws, executive orders and United States policies.
For example:
The Office of Management and Budget (OMB) requires all federal agencies to follow NIST's cybersecurity standards and guidance for non-national security systems.
The needs of American businesses and the public drive NIST's cybersecurity work.
For those of us outside that country, we must work hard to engage stakeholders in setting priorities and to ensure that our resources are used to address the most important cybersecurity issues they face.
“Globally, NIST is working to better understand and manage privacy risks, some of which are directly related to cybersecurity”
My understanding is that NIST's top priorities are cryptography, education and workforce, emerging technologies, risk management, identity and access management, measurement, privacy, and trusted networks and platforms; I recommend paying more attention to these areas.
What is the basic NIST cybersecurity framework?
The NIST Cybersecurity Framework (CSF) is made up of three main parts:
The purpose of these parts is to give stakeholders context, so they can determine to what extent their organizations display the traits of the framework. Let's see:
Framework Core:
It is a list of desired cybersecurity activities and outcomes, written in clear and common language, that helps organizations manage and reduce cybersecurity risk while complementing the ways in which they already practise cybersecurity and risk management.
Framework Profile:
The Framework Profile is how an organization's needs and objectives, risk appetite, and resources map to the desired outcomes of the Framework Core. Profiles are primarily used to find and rank opportunities to improve an organization's security posture and reduce risk.
Implementation Tiers:
The Framework Implementation Tiers show how an organization views cybersecurity risk management, help it determine what level of rigour is right for it, and are often used as a way of talking about risk appetite, mission priority and budget.
The Functions are the most general level of abstraction in the framework. They are the backbone of the Framework Core, around which all the other parts are organized. There are five Functions in the NIST Cybersecurity Framework:
NIST Framework Functions
I'm sure NIST chose these five Functions as the most important parts of a complete and successful cybersecurity program. I really like this because it makes it easier for organizations to talk about how they manage cybersecurity risk at a high level and make risk management decisions.
Identify:
The Identify Function helps an organization understand how to manage cybersecurity risk to systems, people, assets, data, and capabilities. One must understand the business context, the resources that support critical functions, and the related cybersecurity risks; this allows an organization to focus and prioritize its efforts according to its risk management strategy and business needs.
Examples of outcome categories within this Function:
Protect:
The Protect Function explains how to ensure delivery of critical infrastructure services and helps limit or contain the impact of a potential cybersecurity event.
Examples:
Detect:
The Detect Function describes the appropriate activities for finding out whether a cybersecurity event has occurred, enabling timely discovery of cybersecurity events.
Examples:
Respond:
The Respond Function includes the appropriate steps to take when a cybersecurity incident is detected, helping to contain the impact of a potential cybersecurity incident.
Examples:
Recover:
The Recover Function determines what needs to be done to keep resilience plans up to date and to restore capabilities or services that were impaired by a cybersecurity incident. It helps businesses return to normal operations quickly after an incident; in my experience, this lessens the damage the incident causes.
Example:
NIST requires companies that sell goods and services to the federal government, either directly or through another company, to follow certain security rules. Therefore, companies in the United States, and companies outside it that do business with them and work in the US federal supply chain, must follow both NIST Special Publication 800-53 and NIST Special Publication 800-171.
NIST SP 800-171 applies to small businesses that do not do business directly with the government but still have to follow federal compliance rules. Prime contractors who do business directly with the government, on the other hand, have been following compliance rules like NIST SP 800-53 for a long time.
NIST SP 800-53 is a comprehensive guide to making sure federal information systems are secure. In general, DoD (Department of Defense) prime contractors, but not subcontractors working for major vendors, must follow NIST SP 800-53 if they operate federal information systems on behalf of the government.
“For some, the gold standard for how to build a cybersecurity program is the NIST Framework. So now that you know what the NIST Framework is and how it works, you may be wondering how best to use it in your organization.”
Five most important steps for a successful implementation of the NIST framework
Establish a list of objectives:
Your company wants to use the NIST framework, which is great. The first step is to make a list of data security goals, so you can measure how well you are doing. Goals can be set based on the answers to the following questions:
By setting goals, you can make an action plan, scope your security efforts, and make sure everyone in your organization knows what needs to be done.
Create a profile:
Although the NIST framework is a voluntary set of rules that can be used in many different industries, in my experience how it should be applied to your business can differ greatly from how it applies to a business in a different field. You must therefore create a profile that lists the specific needs of your business so that the framework can be tuned to meet them.
With the help of the Implementation Tiers, your organization's security posture can progress from Tier 1, which is reactive to security events, to Tier 4, which is proactive.
Establish where you are now:
Doing a detailed risk assessment is the next step in implementing the NIST framework in your organization. A detailed risk assessment can tell your company which of your current cybersecurity practices and efforts are compliant with NIST standards and which need to be improved.
You can rate your security efforts on your own using open source or other software tools, or you can hire a cybersecurity expert to perform a comprehensive assessment for your organization.
Develop an action plan and conduct a gap analysis:
Once the risk assessment has been carried out, the results should be shared with key stakeholders. The results should include a list of weaknesses and threats to the organization's operations, assets and people.
Now that you have found the gaps or vulnerabilities in your cybersecurity, you can analyse how to close them and reduce the attack surface. Using the scores from the risk assessment, your organization can plan which gaps should be addressed first and in what order.
Implementation:
With a clear picture of your organization's current cybersecurity efforts from the risk assessment and gap analysis, and an idea of what you want to achieve from your goals and action plan, it's time to implement the NIST Cybersecurity Framework.
I think it's important to remember that your cybersecurity efforts shouldn't stop once you implement the NIST framework. My advice for making the framework work is to monitor and improve it constantly so that it fits your business needs.
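The five steps above (goals, Target Profile, Current Profile, gap analysis, action plan) can be carried out as a small computation. The following Python script is an added example, not code from the article or from NIST: it takes a constructed Current Profile and Target Profile expressed as Implementation Tiers for a handful of CSF v1.1 categories, weights each gap by a constructed risk score from the assessment, and produces the ranked action plan that step four asks for. The category identifiers (ID.AM, PR.AC, ...) are real CSF v1.1 categories; all tier and risk values are assumptions made up for the example.

```python
from dataclasses import dataclass

# CSF Implementation Tiers (Tier 1 = Partial ... Tier 4 = Adaptive).
TIERS = {1: "Partial", 2: "Risk Informed", 3: "Repeatable", 4: "Adaptive"}

# A subset of CSF v1.1 categories, keyed by identifier, to keep the example short.
CATEGORIES = {
    "ID.AM": ("Identify", "Asset Management"),
    "ID.RA": ("Identify", "Risk Assessment"),
    "PR.AC": ("Protect", "Identity Management and Access Control"),
    "PR.DS": ("Protect", "Data Security"),
    "DE.CM": ("Detect", "Security Continuous Monitoring"),
    "RS.MI": ("Respond", "Mitigation"),
    "RC.RP": ("Recover", "Recovery Planning"),
}

# Constructed sample data (not taken from any real assessment).
# Current Profile: the tier at which each category is practised today.
SAMPLE_CURRENT = {"ID.AM": 2, "ID.RA": 1, "PR.AC": 2, "PR.DS": 3,
                  "DE.CM": 1, "RS.MI": 2, "RC.RP": 1}
# Target Profile: the tier the business goals call for.
SAMPLE_TARGET = {"ID.AM": 3, "ID.RA": 3, "PR.AC": 4, "PR.DS": 3,
                 "DE.CM": 3, "RS.MI": 3, "RC.RP": 3}
# Risk score (1 = low .. 5 = critical) per category from the risk assessment.
SAMPLE_RISK = {"ID.AM": 3, "ID.RA": 4, "PR.AC": 5, "PR.DS": 5,
               "DE.CM": 5, "RS.MI": 3, "RC.RP": 4}


@dataclass
class GapItem:
    category: str
    function: str
    name: str
    current_tier: int
    target_tier: int
    risk: int
    priority: int  # (target - current) * risk; larger means address sooner


def validate_tier(tier: int) -> int:
    """Reject tiers outside 1..4 so a typo in a profile cannot skew the plan."""
    if tier not in TIERS:
        raise ValueError(f"tier must be between 1 and 4, got {tier!r}")
    return tier


def gap_analysis(current: dict, target: dict, risk: dict) -> list:
    """Compare the Current and Target Profiles and rank the gaps by risk-weighted size."""
    items = []
    for cat, (function, name) in CATEGORIES.items():
        cur = validate_tier(current.get(cat, 1))  # unassessed categories count as Tier 1
        tgt = validate_tier(target.get(cat, 1))
        gap = tgt - cur
        if gap <= 0:  # already at or above target: nothing to plan
            continue
        weight = risk.get(cat, 1)
        items.append(GapItem(cat, function, name, cur, tgt, weight, gap * weight))
    # Highest priority first; ties broken by risk, then by category id for stable output.
    items.sort(key=lambda g: (-g.priority, -g.risk, g.category))
    return items


def action_plan(items: list) -> list:
    """Render the ranked gaps as plain-text lines for the stakeholder report."""
    return [
        f"{i}. [{g.function}] {g.category} {g.name}: Tier {g.current_tier} "
        f"({TIERS[g.current_tier]}) -> Tier {g.target_tier} ({TIERS[g.target_tier]}), "
        f"risk {g.risk}, priority {g.priority}"
        for i, g in enumerate(items, start=1)
    ]


if __name__ == "__main__":
    for line in action_plan(gap_analysis(SAMPLE_CURRENT, SAMPLE_TARGET, SAMPLE_RISK)):
        print(line)
```

Categories already at their target tier (PR.DS in the sample) drop out of the plan, and a category with a two-tier gap in a high-risk area (DE.CM, continuous monitoring) lands at the top, which is the ordering step four describes: fix what the risk assessment scores highest first.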
Negative situations without a cybersecurity plan
Data breaches can have serious effects, both in lost productivity and in damage to a company's reputation:
Business loss:
If your data is stolen, you could lose your status as a US government contractor, and in general your company could lose many customers and future revenue.
Negative effect on reputation:
Customers don't want to give their private information to a company with a reputation for not taking data security seriously. If you don't follow NIST standards, you could seriously damage your company's reputation.
Criminal charges or a lawsuit:
If it turns out that a cybersecurity breach was caused by carelessness, or that you put data at risk on purpose, you could be charged with a crime, your business could have to pay fines, or it could be sued for breach of contract.
Impact on productivity:
A major data breach could have a huge effect on your company's productivity. As soon as you find out about a problem, you must fix it according to your cybersecurity and business continuity plan, and we know that this pulls resources away from other important tasks so they can be used to address the breach, which is the emergency at hand.
Reflection topic:
What are the weaknesses of the NIST Cybersecurity Framework for Cloud Security?
As organizations adopt more complex multicloud and hybrid cloud environments to support long-term work-from-home strategies, the NIST cybersecurity framework overlooks the following important cloud security issues:
Audit logs and reports:
Many organizations would be surprised to learn that there is no NIST standard that says log files should be retained for more than 30 days. When you think about the amount of information in the logs, that is a very short time, and this lack of retention makes it difficult for organizations, especially large companies, to report.
In fact, it often takes more than four months on average to find a data breach, so the current 30-day limit is simply not enough. By keeping audit logs longer, IT teams can be sure they have the forensic data they need to investigate the potential causes of security incidents. This capability is also an important part of staying in line with data privacy laws like GDPR.
Shared responsibility:
Many people don't know who is in charge of cloud security, especially in enterprises using hybrid cloud or multi-cloud environments; even on high-level cloud platforms like SaaS, many security tasks remain IT's responsibility.
Identity and access management is a shared responsibility in PaaS and SaaS solutions; an effective implementation plan is needed to configure an identity provider, configure administrative services, establish and configure user identities, and configure service access controls.
More organizations are moving their business applications to cloud-hosted environments as part of digital transformation projects and work-from-home (WFH) strategies. Even though the “shared responsibility” model makes clear what a cloud provider and its customers each need to do to keep their data safe, there are still issues with security and visibility in monitoring applications that need to be fixed. I recommend you not ignore this, because as more companies move to the cloud to save money and run their businesses better, it is more important than ever to close these gaps to achieve the highest level of security.
Tenant delegation:
NIST implies least-privilege access, but says nothing about tenant delegation or “virtual tenants”. Virtual tenants prevent administrators from touching parts of the environment they are not responsible for.
They allow administrators to control only their “virtual” areas, which helps protect Microsoft 365 data and resources, especially PII and intellectual property. It makes sense that a lack of tenant delegation leads to significant security issues, so I recommend that organizations, especially large ones with many locations, consider using tools that separate access to different business units to improve overall security.
Administrator roles and rules:
About 95 things can be said about the Microsoft Application Manager role, but neither Microsoft's people nor enterprise IT people know what they all mean; there are simply too many. So if a user is assigned the Application Manager role, it is almost impossible to know exactly what type of access that user has.
This creates unnecessary security risks. IT staff have to do things like create new user accounts and change passwords as part of their jobs, but these tasks don't fit easily into a single role; they are more fluid. Because of this, traditional security methods like role-based access control (RBAC) don't work as well.
Functional Access Control (FAC):
Functional Access Control (FAC) is a way to achieve least-privilege access; I take it to be a refinement of the RBAC way of thinking. The FAC approach is NIST compliant and is a more granular way of deciding what an IT administrator can do. This allows organizations to grant the right amount of access to the right users, improving security.
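To make the tenant delegation and FAC points above concrete, here is an added Python example (not code from the article, from Microsoft or from NIST). It models a coarse built-in role whose permission list is too broad to reason about, next to function-level grants that are scoped to a virtual tenant (business unit). The role name, permission names, tenant names and principals are all constructed for the example; they are not Microsoft 365's real role definitions. The `rbac_excess` function is the least-privilege audit check a reviewer would run: which permissions does a role holder have beyond the two functions their job actually needs?

```python
from dataclasses import dataclass, field

# Coarse RBAC: a built-in role bundles many permissions, and every holder gets all of them.
# Role and permission names are constructed for this example, not Microsoft's real ones.
ROLE_PERMISSIONS = {
    "ApplicationAdmin": {
        "app.create", "app.delete", "app.credentials.read", "app.consent.grant",
        "user.create", "password.reset", "group.manage", "auditlog.read",
    },
    "HelpdeskAdmin": {"user.create", "password.reset", "auditlog.read"},
}


@dataclass(frozen=True)
class Grant:
    """One job function, scoped to one virtual tenant (business unit); '*' means all tenants."""
    function: str
    tenant: str


@dataclass
class Principal:
    name: str
    roles: set = field(default_factory=set)    # RBAC assignments (tenant-wide)
    grants: set = field(default_factory=set)   # FAC assignments (function + tenant)


def rbac_effective_permissions(p: Principal) -> set:
    """Everything the principal can do under RBAC: the union of all assigned roles."""
    perms = set()
    for role in p.roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def rbac_allows(p: Principal, action: str) -> bool:
    # Roles are tenant-wide: nothing here can confine them to one business unit.
    return action in rbac_effective_permissions(p)


def rbac_excess(p: Principal, needed: set) -> set:
    """Least-privilege audit: permissions held under RBAC beyond those the job needs."""
    return rbac_effective_permissions(p) - needed


def fac_allows(p: Principal, action: str, tenant: str) -> bool:
    """FAC check: the exact function must be granted for this tenant (or for all tenants)."""
    return Grant(action, tenant) in p.grants or Grant(action, "*") in p.grants


# Constructed sample: two helpdesk technicians whose job is to create users and reset
# passwords for the Finance business unit only.
NEEDED = {"user.create", "password.reset"}
ALICE = Principal("alice", roles={"ApplicationAdmin"})              # coarse RBAC role
BOB = Principal("bob", grants={Grant("user.create", "finance"),
                               Grant("password.reset", "finance")})  # FAC, tenant-scoped


if __name__ == "__main__":
    print("alice can delete apps under RBAC:", rbac_allows(ALICE, "app.delete"))
    print("alice's excess permissions:", sorted(rbac_excess(ALICE, NEEDED)))
    print("bob resets a Finance password:", fac_allows(BOB, "password.reset", "finance"))
    print("bob resets an HR password:", fac_allows(BOB, "password.reset", "hr"))
```

Running it shows the two problems the article raises: alice's single role assignment silently carries six permissions her job never needs (including application credential access), and nothing in the RBAC model stops her from acting in another business unit, whereas bob's grants answer exactly "which function, in which tenant", and anything outside that pair is refused.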
Over the years, I've seen that security is the biggest issue for almost two-thirds of organizations when it comes to adopting the cloud; even if you don't want to accept it, it's not always a seamless transition. In the context of this article, I believe this makes the NIST Cybersecurity Framework a useful tool for IT leaders who want to keep data secure.
I remind you to maximize resources to shield our data. However, being realistic, I reiterate so that organizations know: following the recommended standards does not protect them from all possible security problems. The smaller the attack surface the better: reduce attack vectors, mitigate as soon as possible and, what many companies do not want to do, train your employees in cybersecurity with quality information.
Thank you very much for reading. Soon I will publish another piece on CIS and its controls, and I will compare NIST with ISO/IEC 27001.
I hope you find this introduction to the NIST framework useful. Would it be interesting to see something about NIST compliance? What do you think?
Your friend,