Cybersecurity risks, like financial and reputational risks, are business risks. The NIST Cybersecurity Framework (CSF) focuses on the use of business factors that guide the activities to respond to cybersecurity risks as an integral part of the organizational risk management processes.
The framework consists of three parts:
- The framework core
- A framework profile
- Framework implementation tiers
The Framework Core
The framework core is a set of cybersecurity activities, desired outcomes and references that are common to all critical infrastructure sectors. It provides detailed guidelines for the development of individual organizational profiles.
A Framework Profile
Through the use of profiles, the framework will help the organization align cybersecurity activities with business requirements, risk tolerance and resources.
Framework Implementation Tiers
Framework implementation tiers provide a mechanism for organizations to observe and understand the cybersecurity risk and the processes in place to manage that risk.
Since the framework refers to recognized global standards for cybersecurity, it can be used by any organization and can serve as a model for international cooperation in strengthening cybersecurity for critical infrastructures.
Organizations have unique risks, different threats, different vulnerabilities and varied risk tolerances, all of which will influence how the practices of the framework are implemented.
Definition of Critical Infrastructure
Critical infrastructure can be defined as systems and assets so vital that the incapacity or destruction of such systems and assets would have a critical impact on national economic security or public health or safety, or any combination of those matters.
The CSF offers a risk-based approach that uses metrics to continuously improve cybersecurity. Though it was originally intended to support critical infrastructure providers, it is applicable to any organization wishing to manage and reduce the risk of cybersecurity. The CSF helps improve risk management of each organization and ultimately reduce the risk of cybersecurity worldwide.
As part of its Cybersecurity Nexus (CSX) program, ISACA offers a step-by-step guide for the implementation of NIST CSF. The activities and processes that are proposed can help to determine what to do in each phase, but are not prescriptive and should be adapted to meet individual organizational goals:
- CSF Step 1: Prioritize and Scope: COBIT Phase 1: What are the drivers?
- CSF Step 2: Orient
- CSF Step 3: Create a Current Profile: COBIT Phase 2: Where are we now?
- CSF Step 4: Conduct a Risk Assessment
- CSF Step 5: Create a Target Profile: COBIT Phase 3: Where do we want to be?
- CSF Step 6: Determine, Analyze and Prioritize Gaps: COBIT Phase 4: What needs to be done?
- CSF Step 7: Implement Action Plan: COBIT Phase 5: How do we get there?
- CSF Action Plan Review: COBIT Phase 6: Did we get there?
- CSF Lifecycle Management: COBIT Phase 7: How do we keep the momentum going?
The challenges and opportunities lead to risk assessments and priorities, and foster organizational commitment and ownership. Thus, successful governance and management processes are institutionalized in the organizational culture.
Juan Carlos Morales, CISA, CISM, CGEIT, CRISC
IT governance and risk management consultant and trainer
COBIT 5 accredited trainer