Understanding the Work of the IT Governance Board
NIST Security Framework
Greetings new members, I would like to give you a brief summary of the NIST Security Framework. The NIST Security Framework was created by the National Institute of Standards and Technology (NIST) as a framework for guiding organizations on the various ways of preventing, detecting and responding to the many cyberattacks and threats that target our nation’s critical infrastructure.
“NIST defines the framework core as a set of cybersecurity activities, desired outcomes, and applicable informative references common across critical infrastructure sectors. The Core presents industry standards, guidelines, and practices in a manner that allows for communication of cybersecurity activities and outcomes across the organization from the executive level to the implementation/operations at a high level.” The NIST CSF categories, or core functions, contribute to the building of a strong business foundation and help identify cybersecurity compliance gaps and requirements.
The framework consists of three separate components: the Framework Core, the Implementation Tiers and the Framework Profile.
• Framework Core - The first step in implementation. The Framework Core is designed to be intuitive and to act as a translation layer to enable communication between multi-disciplinary teams by using simplistic and non-technical language (Keller, 2018).
• Implementation Tiers - “provide context on how an organization views cybersecurity risk and the processes in place to manage that risk” (NIST, 2018). “Tiers describe the degree to which an organization’s cybersecurity risk management practices exhibit the characteristics defined in the Framework (e.g., risk and threat aware, repeatable, and adaptive). The Tiers characterize an organization’s practices over a range, from Partial (Tier 1) to Adaptive (Tier 4). These Tiers reflect a progression from informal, reactive responses to approaches that are agile and risk-informed. During the Tier selection process, an organization should consider its current risk management practices, threat environment, legal and regulatory requirements, business/mission objectives, and organizational constraints” (NIST, 2018).
Padgett-Beale can utilize the four Tiers to assess and rank risks as they are detected. The Tiers are Tier 1: Partial, low-priority risks that do not have a significant impact on Padgett-Beale; Tier 2: Risk-Informed, a higher level of risk than Tier 1 but still without a significant impact; Tier 3: Repeatable, a level of risk that can cause significant harm to Padgett-Beale’s day-to-day operations and must be mitigated as soon as it is detected; and lastly Tier 4: Adaptive, where “The organization adapts its cybersecurity practices based on previous and current cybersecurity activities, including lessons learned and predictive indicators. Through a process of continuous improvement incorporating advanced cybersecurity technologies and practices, the organization actively adapts to a changing threat and technology landscape and responds in a timely and effective manner to evolving, sophisticated threats” (NIST, 2018).
• Framework Profile - aligns the functions, categories and subcategories of the framework with the organizational requirements and risk tolerance. The Framework Profile “enables organizations to establish a road map for reducing cybersecurity risks that is well aligned with organizational goals.”
The Framework Core consists of five key elements:
• Identify - Organizations must be able to identify the critical functions that enable the organization to operate.
• Protect - “The functions must be protected by preventing, limiting and containing the potential damage caused by cyberattacks” (Impact, 2021).
• Detect - The identified functions must be able to detect threats and attacks in real time.
• Respond - The organization must be able to respond to the crisis and mitigate any consequences of the threat/attack.
• Recover - There must be a robust and strategic disaster response in place that will enable Padgett-Beale to respond to service disruption and restore business operations immediately after a threat/attack has been detected.
The NIST Security Framework provides a foundation that organizations like Padgett-Beale can use to guide cybersecurity activities within the workplace and to assist in identifying and mitigating cyber-attacks and threats.
References
Impact. (2021). The 5 Elements of the NIST Framework Core. Retrieved from https://www.impactmybiz.com/blog/the-5-elements-of-the-nist-framework-core/#:~:text=There%20are%20five%20key%20functions,especially%20with%20regard%20to%20compliance.
Keller, N. (2018). An Introduction to the Components of the Framework. Retrieved from https://www.nist.gov/cyberframework/onlinelearning/components-framework
National Institute of Standards and Technology (NIST). (2018). Framework for Improving Critical Infrastructure Cybersecurity. Retrieved from https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
NIST Cybersecurity Framework Handout
In February 2013, President Obama issued Executive Order 13636: Improving Critical Infrastructure Cybersecurity. The executive order called for the development of a voluntary cybersecurity framework that would provide a prioritized, flexible and performance-based approach to aid organizations in managing cybersecurity risks for critical infrastructure services. While multiple federal agencies were tasked with developing elements related to this executive order, NIST was assigned to develop a cybersecurity framework with input from private industry. The final version of NIST's document was released in 2014.
What is the NIST Cybersecurity Framework?
A. The NIST Cybersecurity Framework (NIST CSF) provides guidance on how to manage and reduce IT infrastructure security risk. The CSF is made up of standards, guidelines and practices that can be used to prevent, detect and respond to cyberattacks.
What is the purpose of the NIST Cybersecurity Framework?
B. The purpose is to provide a foundation to guide organizations in their ability to detect and mitigate cybersecurity threats and attacks.
The Framework can be used to increase security within Padgett-Beale by:
• determining current levels of implemented cybersecurity measures by creating a profile;
• identifying new potential cybersecurity standards and policies;
• communicating new requirements; and
• creating new cybersecurity programs and requirements.
References
Gillis, A. (n.d.). NIST Cybersecurity Framework. Retrieved from https://www.techtarget.com/searchsecurity/definition/NIST-Cybersecurity-Framework#:~:text=The%20NIST%20Cybersecurity%20Framework%20(NIST,detect%20and%20respond%20to%20cyberattacks.