NIST recommends that organisations follow this process to establish a new cybersecurity programme or update an existing one. The current or proposed programme is measured against the five high-level Functions of the NIST Cybersecurity Framework (CSF). These five Functions are:
- Identify
- Protect
- Detect
- Respond
- Recover
These five Functions condense the core concepts of cybersecurity risk management so that an organisation can assess how well its programme is performing and where to focus improvement. They also serve as (optional) best practices for building a stronger programme.
The NIST Cybersecurity Framework includes a seven-step process for implementing a new cybersecurity programme or improving an existing one. The typical implementation creates a “Current Profile,” which depicts the cybersecurity risk management practices in place today, and a “Target Profile,” which describes where you want the programme to be. You then define the actions needed to move from the Current Profile to the Target Profile.
Here is the seven-step process to implement the NIST Cybersecurity Framework:
Step 1: Prioritize And Scope
In this step the organisation determines its business or mission objectives and its high-level organisational priorities. This information lets it make strategic decisions about where cybersecurity effort goes and defines the scope of the systems (and other assets) that support those objectives. Identify all critical systems and assets at this point so that their protection can be prioritised.
Step 2: Orient
With the scope from Step 1 in hand, the organisation identifies the systems and assets in scope, the regulatory requirements that apply to them, and the overall risk approach for the programme. It then identifies the threats to, and vulnerabilities of, those systems and assets.
Which techniques matter most depends on the scope: in a largely IT-focused scope, for example, vulnerability assessments, risk assessments and threat modelling carry most of the weight.
The output of this stage is the context (scope, requirements, threats, vulnerabilities and risk approach) that the remaining steps build on.
Step 3: Create A Current Profile
Next, create a “Current Profile” that records the security controls already in place and the Framework outcomes they achieve. Use the Categories and Subcategories of the Framework Core to determine which outcomes are fully or partially achieved, and note the partially achieved ones, since they form the baseline for the later steps.
To judge which outcomes are being achieved, the Current Profile should cover every Subcategory in the Framework Core, not only those the organisation already addresses; an outcome left out of the profile cannot be identified as a gap later.
Step 4: Conduct A Risk Assessment
With the Current Profile in place, conduct a cybersecurity risk assessment of the environment to determine the likelihood of cybersecurity events and the impact they could have on the organisation.
This risk assessment may be guided by past risk assessment activities or the overall risk management approach of the organisation.
This risk evaluation should not only focus on problem areas, but also on what works effectively.
Step 5: Create A Target Profile
After completing Steps 1 to 4, you can establish a Target Profile, which represents the desired state of the cybersecurity programme. Organisations may add their own Categories and Subcategories to cover risks specific to them.
Set the target realistically rather than aspirationally: it should reflect the organisation's risk appetite, which determines how much risk, and of which kinds, the organisation is willing to accept rather than treat.
Step 6: Determine, Analyze And Prioritize Gaps
Using the Current Profile from Step 3 and the Target Profile from Step 5, the organisation identifies, analyses and prioritises the gaps between them. Each gap is assessed so that a prioritised action plan can be built from organisational goals, cost-benefit analysis and risk. This step also determines the resources needed to close each gap. Together, the preceding steps let you make cost-effective, targeted improvements rather than spreading effort evenly.
Step 7: Implement Action Plan
Once the gaps are prioritised, define and carry out the actions required to close them. Meeting the Target Profile may mean modifying existing cybersecurity systems and procedures or establishing new ones.
This is an iterative process: repeat individual steps as often as needed to strengthen the programme.
The NIST Cybersecurity Framework is designed to be scalable and can be implemented gradually, so the organisation is not burdened with financial and operational change all at once. Because it is based on outcomes rather than prescribing specific controls, it provides a solid security foundation that maps onto many regulatory regimes, which eases compliance and helps you adapt as new requirements emerge.
Some organisations find that revisiting Step 2 (Orient) regularly improves the quality of their risk assessments. These steps are a guide, not a one-size-fits-all prescription, so adapt them to your organisation.