Hello, and welcome back to this next TomCast from GuardSight; we are a tactical cybersecurity-as-a-service organization dedicated to helping businesses protect their data, their assets, and their endpoints.
Today we are starting a new series of TomCasts that are going to focus on the National Institute of Standards and Technology, otherwise referred to as NIST. The TomCasts are going to introduce to you (if you haven’t heard of them before) various publications out there that help organizations establish and strengthen their cybersecurity posture. Today’s NIST focus will be the NIST Cybersecurity Framework, or the NIST CSF for short.
The CSF publication is a document that totals 54 pages in length, but the first 28 or so pages introduce the framework, the basics of the framework, and how to use the framework. The remaining pages contain appendices to support the rest of the publication to include figures outlining the core framework structure, supply chain information, and more.
So, why would this be of interest to any organizations out there? Well, as some businesses first start up and realize the need for some sort of cybersecurity posture, and as more seasoned businesses realize that a more structured cybersecurity infrastructure may be necessary, NIST saw the need to put together a document that would help organizations across the board.
The beauty of this is the fact that it shows how to put a basic cybersecurity framework in place. It isn’t overly stringent or restrictive; it allows for organizations to tailor the framework to their business objectives to ensure that the business can continue to function properly while establishing or maintaining a better level of cybersecurity. On page 2 of the CSF, this is spelled out rather clearly:
“The Framework is not a one-size-fits-all approach to managing cybersecurity risk for critical infrastructure. Organizations will continue to have unique risks – different threats, different vulnerabilities, different risk tolerances. They also will vary in how they customize practices described in the Framework. Organizations can determine activities that are important to critical service delivery and can prioritize investments to maximize the impact of each dollar spent.
Ultimately, the Framework is aimed at reducing and better managing cybersecurity risks. To account for the unique cybersecurity needs of organizations, there are a wide variety of ways to use the Framework. The decision about how to apply it is left to the implementing organization.
For example, one organization may choose to use the Framework Implementation Tiers to articulate envisioned risk management practices. Another organization may use the Framework’s five Functions to analyze its entire risk management portfolio; that analysis may or may not rely on more detailed companion guidance, such as controls catalogs. There sometimes is discussion about “compliance” with the Framework, and the Framework has utility as a structure and language for organizing and expressing compliance with an organization’s own cybersecurity requirements.”
So, as you can see, the various contributors to this publication recognized that a document that was overly specific would not work here. Frameworks are just that; the target organizations then build upon those frameworks to develop their overall comprehensive cybersecurity strategy. Another example of this is the last paragraph on page 4:
“The Framework is adaptive to provide a flexible and risk-based implementation that can be used with a broad array of cybersecurity risk management processes.”
One of the key pieces of that particular sentence is the risk-based implementation. Previous TomCasts have addressed risk management, so when you get a moment, jump over to our TomCast page within GuardSight and have a listen. Risk-based approaches take into account the business objectives, and directly relate to the business impact analysis. A risk-based approach addresses the risk landscape across the entire organization and, if performed correctly, will ensure that the core business functions will be performed as securely as possible.
So, what was the point of all of that? Ok, in the simplest terms I can relay through this TomCast, if you are struggling with your cybersecurity posture, if you are a startup and want to make sure you get your cybersecurity presence established correctly, or if you are simply looking for a guide on ways to better bolster your cybersecurity infrastructure, open up your preferred browser and use your preferred search engine, then look up NIST CSF. You’ll be glad you did. This can be the document that kickstarts your organization on the way to a more risk-focused security posture and prepares you more comprehensively for compliance needs that your organization may be accountable for.
Also, if you want to kick the CSF implementation within your organization up a notch, there are certifications available that will certify that your organization is aligned with NIST best practices. Certifications of this nature can help external communication and collaboration as other businesses will then recognize that your organization has a well-known security framework in place.
We here at GuardSight thank you for taking the time to listen to this TomCast. For more information on various cybersecurity tips head on over to our website and check out more TomCasts. Those are located over on www.guardsight.com/tomcast. Or, if you would like more information on what GuardSight can do for you, head on over to www.guardsight.com and contact us. There are several free cybersecurity tools out there that can help you improve your overall security posture. We’d love to hear from you! Thanks!