The origin of the NIST Cybersecurity Framework lies in concerns about the national and economic security of the United States and its reliance on the functioning of critical infrastructure.
To strengthen and sustain that infrastructure, then-President Barack Obama issued Executive Order 13636 (EO), "Improving Critical Infrastructure Cybersecurity", on February 12, 2013 (see also the Executive Orders 13636 and 13691 Privacy and Civil Liberties Assessment Reports).
The Executive Order called for the development of a voluntary Cybersecurity Framework that provides a "prioritized, flexible, repeatable, performance-based, and cost-effective approach" to help owners and operators of critical infrastructure identify, assess, and manage cybersecurity risk.
Note: EO stands for Executive Order.
The EO defines critical infrastructure as "systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters."
Given the sharp rise in cyber-attacks, organizations responsible for critical infrastructure need consistent, iterative methods in place for identifying, assessing, and managing cybersecurity risk. This applies to critical infrastructure held by both public and private owners and operators, and to the other supporting entities that play a role in securing the nation's infrastructure.
Each sector is responsible for critical functions supported by Information Technology (IT), Industrial Control Systems (ICS), or, in many cases, both. Managing cybersecurity risk properly requires understanding the security challenges and considerations specific to IT and to ICS. Because each organization carries out business particular to the services it provides, its risk is unique, as is its use of IT and ICS; hence the way the NIST Cybersecurity Framework is applied will vary from one organization to the next.
The Framework, developed in collaboration with industry, provides guidance on how an organization can manage cybersecurity risk.
Framework Objective and Reliance on Existing Standards:
The major objective of the Framework is to encourage organizations to treat the assessment of their cybersecurity risk as a priority on par with financial, safety, and operational risk, while factoring in the larger systemic risk inherent to critical infrastructure.
The Framework relies on existing standards, guidance, and best practices to help organizations manage their cybersecurity risk. Organizations are expected to rely on practices that have been developed, managed, and updated by industry; as technology advances and business requirements change, the Framework is intended to evolve with them.
Adopting these standards also creates economies of scale that drive innovation and the development of effective products and services meeting identified market needs. It enables market competition, which fosters faster diffusion of these technologies so that stakeholders across the various sectors can realize their benefits.
The Framework Core is divided into five Functions (Identify, Protect, Detect, Respond, Recover), and each Function is divided into Categories, listed below with their identifiers. (This list follows Framework version 1.0; version 1.1, published in 2018, added a Supply Chain Risk Management category (ID.SC) under Identify.)
The Identify Function (ID) has five (5) categories:
- Asset Management (ID.AM)
- Business Environment (ID.BE)
- Governance (ID.GV)
- Risk Assessment (ID.RA)
- Risk Management (ID.RM)
The Protect Function (PR) has six (6) categories:
- Access Control (PR.AC)
- Awareness and Training (PR.AT)
- Data Security (PR.DS)
- Information Protection Processes and Procedures (PR.IP)
- Maintenance (PR.MA)
- Protective Technology (PR.PT)
The Detect Function (DE) has three (3) categories:
- Anomalies and Events (DE.AE)
- Security Continuous Monitoring (DE.CM)
- Detection Processes (DE.DP)
The Respond Function (RS) has five (5) categories:
- Response Planning (RS.RP)
- Communications (RS.CO)
- Analysis (RS.AN)
- Mitigations (RS.MI)
- Improvements (RS.IM)
The Recover Function (RC) has three (3) categories:
- Recovery Planning (RC.RP)
- Improvements (RC.IM)
- Communications (RC.CO)
In a subsequent article we will present these Functions in tabular form, grouping each by Category, ID, methodology, and Subcategory (ID and description), to give a clearer understanding of how the Framework works and how it is applied.
Share your thoughts on this in the comments section below.