A control framework is a guide against which an organization can align and categorize its internal controls. When it comes to data security, having a strong internal control framework is critical to minimizing risk. Considering the number of control frameworks available, why use NIST? We break down the key benefits, and four initiatives to set your organization up for a successful adoption of the NIST Cybersecurity Framework.
Why Use NIST?
National Institute of Standards and Technology (NIST) Frameworks, and the NIST Cybersecurity Framework (NIST CSF) in particular, contain guidance from professionals using a common language and methodology that complements your current control environment. Organizations of all sizes in every industry need solid guidance for data security, which is why NIST Cybersecurity Framework was created. By design, the NIST Cybersecurity Framework is extremely flexible since the focus is on outcomes instead of a prescriptive set of rules.
Why Is NIST Important?
NIST plays an important role in an organization’s cybersecurity control environment by offering guidance on security measures that should be in place. The lack of consistency and need for a comprehensive framework is exactly why NIST is critical to all organizations. NIST provides a uniform and proven framework for identifying systems at risk of exposure, implementing controls, detecting and responding to breaches, and finally recovering data.
Why Regulatory Compliance Is Not Enough to Manage Risks, Especially Cyber Risk
After understanding why NIST is important, a growing number of organizations have begun implementing cybersecurity software in hopes of strengthening internal controls and information security programs beyond regulatory requirements, such as Sarbanes-Oxley (SOX). This push for more maturity and readiness is the result of several factors, including recent data breaches, pressure for higher levels of data accountability, security and privacy, and the tools available to help organizations in cybersecurity preparedness.
Among the accelerators is the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity (also known as the Cybersecurity Framework or CSF). While NIST standards, frameworks, and best practices have been primarily adopted by federal and state governments, both private and public organizations have begun using it as a baseline to develop, implement or expand their cybersecurity programs.
This article will take a look at four initiatives that can help organizations adopt the NIST Cybersecurity Framework and ultimately protect information technology (IT) critical infrastructure and sensitive assets beyond the basic, defined regulatory requirements.
High-Level Benefits of NIST Cybersecurity Framework: What to Gain by Adopting This Framework?
The NIST CSF is focused on building cyber resiliency and security measures, shifting an organization’s stance toward cyber attacks from reactive to a prepared state. It is not a standard or a rigid regulation like SOX, but can be tailored in different ways, regardless of the level of adoption or customization. There are several benefits for organizations that successfully adopt NIST CSF, including:
- Helps establish a consistent methodology, taxonomy and approach regarding risk management, from the executive to the operational level.
- Defines an organization’s risk-tolerance and target state for cybersecurity.
- Provides executives with necessary data points to prioritize cybersecurity initiatives and investments.
- Provides processes for continuous improvement and program assessment to reach target state.
- Redefines the governance structure of teams in charge of cybersecurity to a more inclusive model, involving other business units and stakeholders.
Getting Started: How can my organization facilitate adoption of the NIST Cybersecurity Framework?
Organizations planning to or currently adopting NIST CSF often ask a very simple question: What steps does my organization have to take to successfully adopt NIST CSF for data security measures?
The effort of implementing NIST CSF may vary greatly between organizations, depending on their size, complexity, maturity level, and the risk appetite. According to NIST, compliance with (or adoption of) CSF can be confusing and mean different things to different stakeholders. With this in mind, the following are four essential initiatives to help organizations to successfully adopt NIST CSF.
Must-Have #1: Classify the data handled by your organization
A common misstep for organizations is to implement safeguards around sensitive data without having adequately classified the data. This could result in inadequate, insufficient, or unnecessary controls, or worst, not knowing what data actually requires safeguards. Below are the types of questions that your organization should be able to answer in order to have a data classification policy and process. Otherwise there may be a higher risk of exposure when it comes to protecting sensitive data.
- What types of data does the organization handle, store, process, and/or transfer?
- What volume of each data type does the organization handle (both received and generated)?
- What regulatory requirements apply to each data type?
- What safeguards do we currently have in place for sensitive data?
- Who owns each data type, including internal and external owners?
- Who has access to each data type?
- Where does each data type reside within my organization; where does it come from and what are the outputs (both hardcopy and electronically)?
It is essential for an organization that strives to have a mature cybersecurity function to adequately classify data handled across business and information technology (IT) processes. There are many approaches to data classification; however, the main objective is to create awareness and a path for data owners and users to comply with safeguards adopted by your organization.
A practical approach to classifying data
1. Information gathering.
To understand what types of data executives and process owners manage on a day-to-day basis, cybersecurity professionals must engage these individuals about where the data is coming from, and what are the outputs. A great way to do this is via online surveys, which should be customized to your organization and for the specific team providing the information.
2. Data analysis.
Once surveys are completed, data must be studied, follow-ups conducted, and normalized outputs prepared. Data visualization tools are a great way to dissect data in a way that is easy to understand by the different stakeholders.
3. Facilitated sessions.
With the data analysis in-hand, cybersecurity teams should validate findings, gaps, and potential risks with the executive leadership team and data owners. This dialogue helps create a higher level of awareness and helps refine the understanding of the current environment and potential risks.
4. Develop classification schema, policy, and process.
Assess the different classification schemas and define your own; it is recommendable to have at least three (3) classification levels. This will have a great impact on resources needed, complexity of the environment, and safeguards investment for each data classification.
5. Socialize classification schema with key stakeholders.
As a final but crucial step, circle back with all stakeholders to gather final pieces of feedback on the environment, the actual policy, and the process that will be used to classify the data. Many times, stakeholders offer significant feedback once they see the final product.
If an organization is to be successful in engaging users, the entire population should be trained not only on the data classification policy and processes but also on the significance and value realized by the organization.
Must-Have #2: Conduct cybersecurity/risk assessment
For organizations trying to reach a higher level of cybersecurity readiness, they must first assess their current cybersecurity practices to identify gaps and weaknesses; this will enable them to understand exposure and risk levels. Performing a risk assessment 1) improves awareness throughout the organization, 2) enables leadership to manage current risks, gaps, and weaknesses, 3) identifies people, processes, and technologies currently available, 4) provides visibility of the performance of the cybersecurity and risk management functions, and 5) sheds light on critical data points to create a roadmap and reach target maturity levels.
The frequency with which cyber risk assessments are performed also has an impact on the breadth and depth of these assessments. For instance, organizations that perform cyber risk assessments more frequently may find that repetition enables their assessors to gain a better understanding of the organization’s security functions allowing them to expand the scope or target of the assessments. The main components to perform a cybersecurity assessment may vary based on a number of factors, but the following showcases the basics to cover during an assessment:
Define a baseline.
While there are extensive frameworks available that can be used as a baseline to assess cyber or information security maturity, a good practice is to define the high watermark for each security category. This can be achieved by mapping the standards, frameworks, and regulatory requirements applicable to your environment and defining the highest level of maturity that makes sense based on the data sensitivity, resources available, and regulatory requirements. Following the NIST CSF categories might be a good starting point but it is not a must.
Assessment results are only as good as the input into the process. It is extremely important to identify the proper stakeholders to bring into the discussions during the risk assessment. Involving only executives may result in a “should-be” state as opposed to current practices, while involving staff that is too junior might result in inaccurate, incomplete or irrelevant data.
Submit information requests.
Assessments are more dynamic in nature than audits and documentation gathering is typically less onerous. Gaining an understanding and gathering data, including documentation, can be achieved by issuing a survey-type request. Once results are back and analyzed, holding a facilitated session to validate information and findings together with stakeholders is essential to make sure no details were misunderstood or left out.
Define gaps and desired remedial actions.
Upon validation of the assessment results, the cybersecurity team should work on the refinement of the actual gaps, associated risks, remedial actions, and overall desired cybersecurity outcome. Then stakeholders must confirm remedial actions are in-line with business needs, requirements, and that these results are fed into the overall cybersecurity plan.
Must-Have #3: Establish the desired target state
Organizations with a mature cybersecurity program typically have a desired future state clearly defined and in alignment with business requirements, initiatives, and risk appetite. In fact, NIST CSF states the definition of a profile (or target state) should be determined during implementation of the framework. The definition of a target state not only is a necessity for the adoption of NIST CSF, but it also specifies the identification, analysis, and prioritization of gaps to be addressed between current and future state. In addition, a desired target state:
- Accelerates the creation of a NIST CSF implementation roadmap by providing a holistic picture of the cybersecurity desired outcomes.
- Monitors the progress made regarding achieving cybersecurity objectives.
- Assists with the definition of resources needed to address gaps, including providing critical data for a cost-effective, targeted cybersecurity plan.
The definition of a target state should not be cumbersome once the organization has assessed its current state and defined remedial actions. A common approach is to map assessment results to a metric for each category of controls, per NIST CSF. For instance, the target state could be to close the gap between personnel trained on cybersecurity awareness (80%) and the desired result (100%).
Must-Have #4: Define governance structure
Traditionally, executive leadership and corporate boards looked at cybersecurity merely from a metrics and compliance perspective; however, in recent times boards have broadened their understanding of how cyber risks pose a threat to their businesses. With this change of perspective, executives are now taking a more active role in the establishment of safeguards, including instituting cyber security functions with new governance bodies.
By implementing a robust governance structure, organizations can:
- set the right tone-at-the-top and allow it to permeate to department leads.
- ensure data security and privacy obligations are met (whether regulatory or not).
- enable executive leadership to monitor cybersecurity roadmap progression and achievements.
- provide a holistic view of risks throughout different business functions to make sure they are in alignment with strategic objectives.
A strong cybersecurity governing body is inclusive of key functions of the organization and not only the departments that have a direct responsibility for safeguarding sensitive data and critical infrastructure. Organizations of all sizes are in need of establishing a governance structure that aligns with their environment. Companies should consider creating cybersecurity leads and organizations beyond a few internal subject matter experts. Typically, this should be led by a C-level position (e.g., Chief Information Security Officer) with a team to support its operations. This position is in charge of policy, process, and standards development, as well as providing subject matter guidance. Smaller organizations may benefit from a hybrid approach in which staff from other departments, such as IT, may play a hybrid role between their original function and the newly created cybersecurity function.
Companies should also consider establishing cybersecurity committees. The committees are typically tasked with the strategy definition and to provide overall guidance for the program. They can be broken down by subject matter such as policy development, technology, regulatory and compliance, and privacy. Each employee, department lead, executive, and corporate board member should gain a universal understanding of cyber security regardless of the business function.
Organizations that understand why NIST Cybersecurity Framework is important usually decide to adopt the NIST Cybersecurity Framework to help protect information technology critical infrastructure and maintain data security beyond the safeguards offered by merely complying with regulatory requirements. By performing the initiatives outlined, your Information Security or Risk Officer can set your organization up for a successful adoption of the NIST Cybersecurity Framework.
AuditBoard’s integrated compliance management solution can help you realize the benefits of NIST Cybersecurity Framework. Our platform can help you manage your cyber and information security frameworks, risk assessments, and compliance processes, including the NIST Cybersecurity Framework, as well as your audit programs and reporting. Learn more today!
Sam Arias was a Director of Product Solutions at AuditBoard and an experienced cybersecurity professional with over fourteen years of experience. Sam is skilled in helping organizations strengthen their security processes and practices and advises on using technology to manage these risks.