The Framework Core is not a checklist that you can simply complete and forget about. It’s a compilation of actions for your organization to complete on an ongoing basis, all concurrent and working together to protect your data. The structure of the Framework is based on desired cybersecurity outcomes your organization should be working toward.
One desired outcome, for example, is that "physical devices and systems within the organization are inventoried." These outcomes act as specific goals companies should strive to meet. They also help to educate stakeholders in your company - leaders and employees alike - on the objectives you’re working to achieve. The Framework Core outcomes allow you to easily gauge the success of your efforts and measure the impacts of your actions.
So, let’s say your organization inventoried all of your solutions and systems, as recommended by the Framework Core. After completing your inventory, you identified 20 devices that were not password protected and at least one data breach was traced to a non-protected device. After taking action to require password protection, no data breaches were detected on any of your inventoried devices. That is a clear mark of success for your organization.
The Framework Core has an organizational structure that simplifies the application of the Framework to your company. The Framework Core is broken down into five Functions - Identify, Protect, Detect, Respond, and Recover. These Functions are high-level groupings of cybersecurity activities. Think of them as the five general classifications that all cybersecurity activities will fall under. We’ll take a closer look at these specific categories in a later section.
Now to the NIST Framework Core, the meat of the NIST Cybersecurity Framework.
These are the specific objectives and recommended actions your organization should take to promote cybersecurity.
The five Functions of the Framework Core are broken up into multiple Categories. These Categories address specific activities under each Function, like “Asset Management” or “Identity Management and Access Control”. These Categories are broken down even further into Subcategories focused on specific activities that contribute to securing the desired outcome of the Functions.
Let’s look at a specific example.
The Function - Identify - pertains to identifying and categorizing all systems and solutions your company uses that could house or transfer sensitive data. As part of the Identify Function, the category of Asset Management contains a number of actions you need to take, including inventorying your physical devices and systems.
In addition to Functions, Categories, and Subcategories, the Framework Core also includes Informative References. These references are specific sections of recommended actions that provide instruction on how to achieve the desired outcome of each Subcategory. While these references are illustrative of key actions to take, they are not exhaustive. They act to supplement the Subcategory objectives.
The Framework Core is essentially a well-organized set of steps that provide a methodology and process for protecting your data and setting cybersecurity standards in your organization. Remember, the Cybersecurity Framework Core is designed to augment the cybersecurity practices you have already established. It acts as a universal skeleton for the security measures and processes that all organizations should have in place. So, as you explore the Functions below, consider how they relate to your current efforts and how they can supplement your data security measures in the future.
Explore the five Functions of the NIST Cybersecurity Framework, and learn more about adopting these Functions into your own data security processes.
Identify is the first of the five Functions of the NIST Framework, and it acts as a foundation for all other activities. This Function requires your company to identify all software solutions and systems that play a role in your critical infrastructure. The Identify Function plays two important roles: it increases transparency into the solutions that are being used, and it helps you prioritize actions so that critical systems are protected first.
In terms of transparency, a common problem that organizations face is shadow IT devices. These are devices that aren’t provided or approved by your company but are still being used. It could be an employee accessing their email account through their personal mobile device, or an employee bringing their personal laptop to work instead of using the tools provided by their employer.
When you don’t know exactly which devices are being used and for what purpose, it can be nearly impossible to protect the data stored, accessed, or transferred using these devices. Each unauthorized device that’s used is a potential entry point for a hacker to gain access to your data.
The Identify Function also helps your company identify and prioritize which systems should be protected first. If you identify all systems in your company and determine that sensitive data is concentrated in the solutions used by one department, you can take steps to protect those systems first.
Many companies don’t have the time or resources needed to adequately protect their data. That’s why prioritization is key. If you can’t protect all data at all points, you can at least take steps to protect the most sensitive data.
The following Categories fall under the Identify umbrella:
Risk Management Strategy
The next Framework Function is Protect. This Function is focused on reducing the number of cybersecurity events that could occur within your organization and limiting the impact if one does occur. While many companies may know that they need to protect their data, they may not be aware of what steps they should take. Fortunately, the Protect Function offers a number of actions that will increase your data security.
Companies should be thoroughly aware of the risks associated with a data security breach. Not only can it disrupt your organization’s entire operations, but it can also seriously impact the credibility of your business. If a customer trusts you with sensitive financial information, for example, but that information is stolen during a data security breach, you can understand how that customer would be hesitant to trust you with their data again.
A failure to protect your solutions and systems can also have compliance consequences. The recommendations found in the NIST Cybersecurity Framework overlap in some areas with the mandates of government compliance measures, like HIPAA or ITAR. So, if you fail to protect your data, not only could you lose business, but you could also be subject to fines or even jail time if you’re not compliant with government regulations.
The Protect Function encompasses the following Categories of data protection:
Despite your best efforts, there’s a chance that a data security breach can still occur. It could be due to human error, a common cause of cybersecurity events, or your company could simply be the target of a highly sophisticated hacker. Regardless of the cause, the Detect Function outlines how you can develop and implement measures that will help you detect the occurrence of a cybersecurity event.
While it’s essential that you are able to detect a cybersecurity threat, detecting these threats in a timely manner is equally important. As the amount of time a cybersecurity event goes unnoticed increases, the threat to your company grows, as well.
You may imagine that a data breach happens the way it is shown in movies or on television, with red alerts and sirens. However, it can take days, months, or even a year to detect a data breach. In fact, more than 25% of data breaches that occurred in 2016 went undetected for more than a month, and 10% of breaches went undetected for more than an entire year.
Imagine the information hackers were able to glean during those long stretches of time. Not only was all existing data those companies possessed exposed to a breach, but all newly received data was also exposed to risk, too.
Here are the Categories of activities that fall under the Detect Function:
As important as it is to detect cybersecurity events, it’s equally important that you respond to them rapidly and effectively. The fourth Function, Respond, offers guidelines on how to develop and implement processes to follow when a cybersecurity event is detected.
These Respond procedures should make it possible for key stakeholders in your company to address and contain any attack with speed. While the preceding Functions – Identify, Protect, and Detect – are all focused on mitigating the risk of a cybersecurity event, the Respond Function has an enormous impact on the outcome of an event once it occurs. An effective response protocol can contain an event and minimize the amount of damage that occurs. An ineffective response protocol that fails to contain an event could have serious consequences for your organization.
As part of the Respond Function, you will create a plan of action that is communicated to your team members, ensuring that those responding to incidents, like an employee opening an email with a virus or your systems being accessed by an unapproved international IP address, will know what is expected of them.
The Respond Function features five Categories that help companies build their response plan:
The final Function, Recover, involves the steps your company should take in the aftermath of a cybersecurity event. As your organization works through the Recover Function, you will develop and implement a plan for resilience and restoration of any systems or solutions that were impaired by the data breach.
As with some of the previous Functions, successful recovery following a data breach is dependent on rapid response. Consider a scenario in which your data storage server was corrupted by a data breach. When most of your business functionality is reliant on the files stored on that server, all of your operations could be stopped in their tracks, seriously impacting your productivity and your bottom line.
The high-level goal of the Recover Function is to return your business to normal operations, minimizing the amount of time and data lost to the cybersecurity event. While a data breach can be frustrating and potentially harmful for a company, with an appropriate recovery plan your operations will return to normal in no time.
Below are the three Categories under Recover. Each one plays a role in returning your operations to normal following a breach.