
NIST CSF

The National Institute of Standards and Technology (NIST) created the NIST Cybersecurity Framework (NIST CSF) to address the lack of cybersecurity standards across industries. The NIST CSF provides a consistent set of guidelines for organizations to assess cybersecurity risk. It includes five functions - Identify, Protect, Detect, Respond, and Recover - that help organizations manage cybersecurity risks. While the NIST CSF provides flexibility, its high-level approach can be complemented by other frameworks like COBIT 2019 which provide more detailed implementation guidance. When used together, frameworks like the NIST CSF and COBIT 2019 can help organizations effectively govern, manage, and maintain their cybersecurity programs.

Uploaded by

Amarendar Reddy

NIST CSF

Companies are constantly attempting to enhance threat detection, find hidden vulnerabilities, and develop security tactics to prevent new threats as cyberattacks become more frequent and sophisticated around the world. The National Institute of Standards and Technology (NIST) created the NIST Cybersecurity Framework (NIST CSF) to assist government agencies and private businesses in improving their cybersecurity procedures. Initially intended as a set of instructions, the framework has evolved into the gold standard for developing a cybersecurity system across all industries.

NIST CSF:

The National Institute of Standards and Technology (NIST) originated the Cybersecurity Framework to address the lack of cybersecurity standards by offering a consistent set of rules, guidelines, and standards that businesses across industries can use. The NIST Cybersecurity Framework (NIST CSF) is widely regarded as the gold standard for building a cybersecurity program. Whether you are just starting a cybersecurity program or already have one in place, the framework can help by acting as a high-level security administration tool for assessing cybersecurity risk across the organization.

The NIST CSF is a cross-industry solution built on a common cybersecurity technical vocabulary. The Framework is simple to comprehend and use, and it can be applied to a range of risk assessment and risk management goals aimed at improving your company's cybersecurity posture.
Main goals of NIST CSF:

The goals a company pursues with the NIST CSF depend on its scale, industry, and purposes. However, three aims characterize the tool overall:

1. Performing due diligence on cybersecurity.

2. Keeping cybersecurity preparedness and resiliency in check.

3. Identifying what you do and do not require.

1. Performing due diligence on cybersecurity: Every year, C-level officials fail to perform proper cybersecurity due diligence, leading to losses such as data breaches, financial expenses, negative publicity, and service disruption for clients and customers. Failures in cybersecurity due diligence can also stem from a lack of financial planning or a misallocation of labor, so that even the most basic risk assessments are not carried out. The Framework, as a basic approach, can aid in cybersecurity due diligence. As part of due diligence, the NIST CSF can help your business identify and analyze whether the security policies in force are safeguarding high-risk targets and assets. The Framework can also be used to uncover security flaws in third-party transactions, such as gaps in sensitive data controls, procedures, and data categories. Planning for disaster recovery, business continuity, and resiliency can all be addressed as part of cybersecurity due diligence. The advantages of achieving this goal are the prevention of asset loss and reputational damage, consistency in delivering services to consumers, and avoidance of penalties and possible judgements against the business for compliance violations.
2. Keeping cybersecurity preparedness and resiliency in check: This goal is to help a company maintain its cybersecurity preparedness and resiliency. The Framework can help your company improve its cybersecurity position by examining three key risk assessment areas:

a. The efficacy of cybersecurity controls and their core functions: These "core" functional areas establish the organization's top tier of cybersecurity controls. The purpose of the core functions is to give senior executives and the entire organization a better understanding of the overall risk(s), as well as of management's obligation to reduce cybersecurity threats. They do this by addressing five core areas: Identify, Protect, Detect, Respond, and Recover.

b. The control implementation tier level: Tiers are concise descriptions of the maturity of the cybersecurity controls in place. Each control is assessed for overall effectiveness as well as for how the company went about putting the control in place to limit risk. Four tiers provide context for the organization's overall cybersecurity process management: Partial, Risk-Informed, Repeatable, and Adaptive.

c. A profile of the company's cybersecurity posture: After completing a NIST CSF assessment, the company has metrics and data that help it evaluate which cyber risks are most capable of harming its operations. The profile can also be used to assess and evaluate the company's relationships with third-party service vendors.


3. Identifying what you do and do not require: When it comes to budgeting, the NIST CSF can offer clear data on which measures are required and why. In this way, you pay a fair price for a control that is worth the expense of protecting the asset, without spending more than the asset is actually worth. The NIST CSF can also be used as a management tool to help reach benchmarks, define a risk management roadmap, and prioritize how resources are used and distributed. Finally, the NIST CSF urges companies to tailor their auditing procedures to their specific needs.
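The three assessment areas above (core functions, implementation tiers, and a profile) together with the budgeting rule in goal 3 can be turned into a small gap-analysis tool. The following Python is an added example, not code from the original document or from NIST: the control names, asset values and costs are constructed sample data, and the two rules it applies, that the weakest control decides a function's current tier and that a control should not cost more than the asset it protects, are simplifying assumptions made for illustration.

```python
"""CSF profile gap assessment (added example; constructed data, simplified rules)."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Implementation tiers named in the text, ordered from least to most mature.
TIERS = ["Partial", "Risk-Informed", "Repeatable", "Adaptive"]
TIER_RANK = {name: i + 1 for i, name in enumerate(TIERS)}

# The five core functions.
FUNCTIONS = ["Identify", "Protect", "Detect", "Respond", "Recover"]


@dataclass
class Control:
    """One assessed control supporting a CSF core function.

    asset_value and control_cost are hypothetical annual figures used for the
    budgeting rule: a control should not cost more than the asset it protects.
    """
    name: str
    function: str
    current_tier: str
    target_tier: str
    asset_value: int
    control_cost: int

    def __post_init__(self) -> None:
        # Reject unknown functions or tiers so a typo cannot silently skew the profile.
        if self.function not in FUNCTIONS:
            raise ValueError(f"unknown function: {self.function}")
        for tier in (self.current_tier, self.target_tier):
            if tier not in TIER_RANK:
                raise ValueError(f"unknown tier: {tier}")
        if self.control_cost <= 0:
            raise ValueError("control_cost must be positive")

    def gap(self) -> int:
        """Tier steps between where the control is and where it should be."""
        return TIER_RANK[self.target_tier] - TIER_RANK[self.current_tier]

    def within_asset_value(self) -> bool:
        """True if closing the gap does not cost more than the asset is worth."""
        return self.control_cost <= self.asset_value


def current_profile(controls: List[Control]) -> Dict[str, Optional[str]]:
    """Current tier per function; the weakest control decides (simplifying assumption)."""
    profile: Dict[str, Optional[str]] = {}
    for fn in FUNCTIONS:
        tiers = [c.current_tier for c in controls if c.function == fn]
        profile[fn] = min(tiers, key=TIER_RANK.__getitem__) if tiers else None
    return profile


def build_roadmap(controls: List[Control]) -> Dict[str, List[Control]]:
    """Split controls with a gap into a prioritized roadmap and an over-budget list.

    Priority: larger tier gap first, then higher asset value per unit of cost.
    """
    roadmap: List[Control] = []
    over_budget: List[Control] = []
    for c in controls:
        if c.gap() <= 0:
            continue  # already at or above target: nothing to buy
        (roadmap if c.within_asset_value() else over_budget).append(c)
    roadmap.sort(key=lambda c: (-c.gap(), -(c.asset_value / c.control_cost)))
    return {"roadmap": roadmap, "exceeds_asset_value": over_budget}


# Constructed sample assessment for a hypothetical organization.
SAMPLE_CONTROLS = [
    Control("Asset inventory", "Identify", "Partial", "Repeatable", 500_000, 40_000),
    Control("MFA for admin access", "Protect", "Risk-Informed", "Adaptive", 800_000, 60_000),
    Control("Central log monitoring", "Detect", "Partial", "Repeatable", 600_000, 120_000),
    Control("Incident response playbooks", "Respond", "Repeatable", "Repeatable", 300_000, 10_000),
    Control("Tested backups", "Recover", "Partial", "Adaptive", 250_000, 400_000),
]


def report(controls: List[Control]) -> List[str]:
    """Human-readable lines for the profile and roadmap (returned, not only printed)."""
    lines = [f"{fn}: {tier or 'not assessed'}" for fn, tier in current_profile(controls).items()]
    plan = build_roadmap(controls)
    for i, c in enumerate(plan["roadmap"], 1):
        lines.append(f"{i}. {c.name} ({c.function}): {c.current_tier} -> {c.target_tier}, gap {c.gap()}")
    for c in plan["exceeds_asset_value"]:
        lines.append(f"REVIEW {c.name}: cost {c.control_cost} exceeds asset value {c.asset_value}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_CONTROLS)))
```

On the sample data the roadmap orders the three equal-gap controls by value protected per unit of cost, the Respond control drops out because it is already at target, and the backup control is flagged for review rather than silently scheduled, because its cost exceeds the value of the asset it protects, which is the budgeting rule from goal 3.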

Five basic functions or components of the NIST CSF:

The NIST Cybersecurity Framework can be applied in five areas of your business: Identify, Protect, Detect, Respond, and Recover.

1. Identify: This function entails determining the critical functions of a business as well as the cybersecurity dangers that could threaten them. Detecting current dangers, recognizing existing digital assets, and assigning organizational roles are all part of this process. The purpose of this function is to raise corporate understanding of how to handle cyber risks to critical information and capabilities.

2. Protect: This function establishes the safeguards required for critical infrastructure services to be delivered. Once critical operations have been recognized, the organization can concentrate its cybersecurity efforts on them. Simply put, this function improves the organization's ability to counteract the consequences of a cybersecurity breach.

3. Detect: The organization must have the essential measures in place to swiftly identify cyber threats and other problems. This function requires constant monitoring and threat hunting in order to spot unusual activity or abnormalities as quickly as possible.

4. Respond: This function supports a company's capability to cope with the consequences of a suspected cyber event by taking appropriate action. Cyber catastrophes can be mitigated using a variety of tactics, including response preparation, assessment, and reduction.

5. Recover: Finally, a comprehensive plan is needed to regain any competencies or procedures damaged as a result of a cybersecurity incident. According to NIST, the output categories of this function are:

a. Ensuring that the organization's disaster recovery measures are in effect to reestablish assets or property that have been impacted as a result of a cybersecurity incident.

b. Developing enhancements based on experience gained and an evaluation of existing strategies.

Challenges of implementation of NIST CSF and COBIT 2019 framework:

One concern is that NIST has decided not to provide detailed implementation recommendations, instead relying on industry variables to determine how the CSF is used. I understand why NIST is hesitant to share even a sample recipe, because what it provides as agile advice is sometimes misinterpreted as hard, prescriptive standards. But how do I put this helpful structure to work for my company? COBIT 2019 is now available!

COBIT advocates for a broad approach, whereas NIST advocates for specifics in developing and communicating security policies and actions. To ensure that security and privacy are successfully governed and managed, we will focus on merging COBIT 2019 with NIST guidelines. Although the NIST frameworks are well-targeted (for instance, employability, cyber-physical platforms, privacy, and the Internet of Things), they are not intended to encompass all facets of information and technology in an organization. From budgeting to planning to transition management and operations, the COBIT framework makes it easy to apply a systematic commitment to everything. Although COBIT does not go into as much detail about security as the NIST standards, integrating the two can help you build and maintain what you require.

Conclusion:

Information is the most valuable asset. To protect sensitive information, the organization should have a robust cybersecurity architecture in place. When correctly applied, the NIST cybersecurity approach can help your firm deal with cyber incidents. Furthermore, regardless of how robust your software is, some of your company's divisions will be attacked at some point. As a result, it is also crucial to plan ahead of time for what you will do if you discover a (hopefully minor) data leak, as well as how you will get your systems back to normal. The Respond and Recover functions in the NIST cybersecurity framework are the essential engines for that recovery.
References:

National Institute of Standards and Technology (2018). Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1.

Balbix. What is NIST CSF? https://www.balbix.com/insights/nist-cybersecurity-framework/

S. E. Williams (2020). Objectives of NIST CSF. Available at: https://www.cybrary.it/blog/key-objectives-of-the-nist-cybersecurity-framework/

Greg W. (2019). Connecting COBIT to NIST CSF. Available at: https://www.isaca.org/resources/news-and-trends/isaca-now-blog/2019/connecting-cobit-2019-to-the-nist-cybersecurity-framework
