As a follow-up to the webinar we presented, Compliance in the Era of the Cloud: Developing a Secure Access Strategy, I wanted to provide additional insights into NIST’s Cybersecurity Framework. I will discuss the remaining two Core Functions omitted from the webinar, discuss the Framework Implementation Tiers, and highlight what I find to be one of the simplest and most useful concepts of the framework: Framework Profiles.
The core of Core Functions
The Core Functions organize basic cybersecurity activities at the highest level. During the webinar, we discussed three of the five core functions and examples of how you can use OneLogin’s Enterprise Identity Management Solution to deploy safeguards in each of these functions:
- the Identify function involves the development of an organizational understanding of your risk environment to help manage cybersecurity events (for our purposes we focused on identifying assets and asset owners);
- the Protect function deals with protecting assets from cybersecurity events; and
- the Detect function revolves around activities for detecting cybersecurity events.
The other two functions are similarly self-explanatory:
- the Respond function deals with responding to cybersecurity events; and
- the Recover function deals with activities for planning for and restoring services impacted by a cybersecurity event.
Core Functions give organizations a guide for compartmentalizing how cybersecurity risks are addressed. This lets organizations tackle their risk-management decision-making process and address threats in more digestible pieces.
Implementation Tiers provide guidance, but not a maturity model
Building upon a theme of enabling rather than intimidating organizations working on their cybersecurity programs, the framework defines the use of Framework Implementation Tiers. These Tiers provide context to help organizations define how they are tackling cybersecurity risks and determine if and how they need to evolve to meet the requirements of another Tier.
For example, an organization that aligns with Tier 1 may have no formalized risk management policies but does react to risks ad hoc, while a Tier 3 organization has formal policies and a periodic, repeatable risk management process. Organizations must determine, based on aspects such as legal requirements, threat environment, and organizational constraints, what Tier is feasible to implement. In addition, the Tiers are not a maturity model, so if an organization finds that Tier 2 fits its needs, it does not have to adapt to meet other Tiers, even if that would be feasible.
Framework Profiles help compare your “state of the union” to a target “future state”
Finally, the concept of Framework Profiles provides a concrete measuring and planning tool. By completing a Current Profile, an organization notes what Framework Categories and Subcategories they are concerned about and how they are meeting them. They can then compare their Current Profile with a Target Profile, which defines a future state of where they want or have to be. A snippet of what that could look like (omitted Function and Category for brevity):
| Subcategory | Current Profile | Target Profile | Analysis |
|---|---|---|---|
| ID.AM-1: Physical devices and systems within the organization are inventoried. | Manual inventory is performed quarterly based on serial numbers. Completeness of inventory is not assured. | All assets are tagged and can be quickly scanned when performing inventory. | Deploying a new asset management system would not be within the 2015 budget unless other initiatives are delayed to free up resources. |
| DE.CM-8: Vulnerability scans are performed. | Quarterly internal and external vulnerability scans are performed at the application and network levels. | No changes needed. | Process in place meets risk profile. |
Note that the Analysis column can easily be replaced with whatever considerations fit your needs, such as fiscal attributes, prerequisites, or internal or external factors that need to be considered. It’s a great tool to use when teeing up discussions with management regarding risk management investments, or simply to plan out your short- and long-term cybersecurity goals.
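To show how the Current/Target comparison can be kept as data rather than a one-off spreadsheet, here is an added example (my own illustration, not part of the NIST document or of OneLogin’s product) that holds profile rows, flags the subcategories whose target differs from “No changes needed”, and groups the gaps by Core Function using the Framework’s own ID/PR/DE/RS/RC prefixes. The sample rows are constructed from the table above, and the free-form `analysis` dictionary stands in for whatever considerations you substitute for the Analysis column.

```python
"""Gap analysis between a Current Profile and a Target Profile (added example)."""
from dataclasses import dataclass, field

# Core Function prefixes as used in Framework subcategory identifiers.
CORE_FUNCTIONS = {"ID": "Identify", "PR": "Protect", "DE": "Detect",
                  "RS": "Respond", "RC": "Recover"}


@dataclass
class ProfileRow:
    subcategory: str   # Framework identifier, e.g. "ID.AM-1"
    current: str       # how the subcategory is met today
    target: str        # desired future state ("No changes needed." if already met)
    analysis: dict = field(default_factory=dict)  # considerations of your choosing


def core_function(subcategory: str) -> str:
    """Map 'ID.AM-1' to 'Identify'; reject ids that do not follow FUNC.CAT-n."""
    prefix, _, rest = subcategory.partition(".")
    if prefix not in CORE_FUNCTIONS or "-" not in rest:
        raise ValueError(f"malformed subcategory identifier: {subcategory!r}")
    return CORE_FUNCTIONS[prefix]


def has_gap(row: ProfileRow) -> bool:
    """A row is a gap unless the target explicitly says no change is needed."""
    return row.target.strip().rstrip(".").lower() != "no changes needed"


def gap_report(rows) -> dict:
    """Subcategories with a gap, grouped by Core Function in Framework order."""
    report = {name: [] for name in CORE_FUNCTIONS.values()}
    for row in rows:
        if has_gap(row):
            report[core_function(row.subcategory)].append(row.subcategory)
    return {name: subs for name, subs in report.items() if subs}


# Constructed sample rows, condensed from the table in the post.
SAMPLE_PROFILE = [
    ProfileRow("ID.AM-1",
               "Manual quarterly inventory by serial number; completeness not assured.",
               "All assets tagged and quickly scannable.",
               {"budget": "not within current budget unless other initiatives slip"}),
    ProfileRow("DE.CM-8",
               "Quarterly internal and external vulnerability scans.",
               "No changes needed.", {"status": "meets risk profile"}),
]

if __name__ == "__main__":
    for function, subs in gap_report(SAMPLE_PROFILE).items():
        print(f"{function}: {', '.join(subs)}")
```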
In this blog post I covered some of the key elements of the NIST Cybersecurity Framework, but there is a lot more to it packed in a very concise document. If you have not had a chance to review it, you can access it from NIST’s site and keep an eye out for our future webinars.