NIST Component - Core
- The Core is a key component of the NIST Cybersecurity Framework.
- It provides a set of activities that are crucial for different cybersecurity outcomes.
- The Core is divided into five concurrent and continuous functions—Identify, Protect, Detect, Respond, and Recover.
- These functions provide a high-level, strategic view of an organization’s management of cybersecurity risk.
Identify
- The Identify function assists in developing an organizational understanding to manage cybersecurity risk to systems, people, assets, data, and capabilities.
- It involves identifying the business context, resources, and related cybersecurity risks, enabling an organization to focus and prioritize its efforts.
- Categories include:
a. Asset Management: The organization needs to identify and manage the data, personnel, devices, systems, and facilities that enable them to achieve business purposes. b. Business Environment: The organization’s mission, objectives, stakeholders, and activities are understood and prioritized; this information is used to inform cybersecurity roles, responsibilities, and risk management decisions. c. Risk Assessment: The organization understands the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals. d. Risk Management Strategy: The organization establishes and implements the risk management strategy, including processes to identify, assess, manage, and minimize potential risks. e. Supply Chain Risk Management: The organization identifies, assesses, and manages the risks associated with the supply chain and the products and services it relies on.
Protect
- The Protect function outlines appropriate safeguards to ensure delivery of critical infrastructure services.
- It involves implementing the necessary safeguards to limit or contain the impact of a potential cybersecurity event.
- Categories include: a. Identity Management and Access Control: This involves ensuring that only authorized individuals have access to your systems and data. This includes implementing user authentication, managing user identities and credentials, and controlling user access to systems and data based on their roles and responsibilities. b. Awareness and Training: This involves training all users (including partners and third parties) on their cybersecurity responsibilities. This includes providing regular cybersecurity awareness training and ensuring users understand the potential risks and how to avoid them. c. Data Security: This involves protecting data in all stages (at rest, in transit, and in use). This includes data classification, encryption, secure storage, secure transmission, and secure disposal of data. d. Information Protection Processes and Procedures: This involves implementing and maintaining security policies, procedures, and processes to manage and protect information. This includes incident response processes, disaster recovery processes, and business continuity plans. e. Maintenance: This involves performing regular maintenance on systems and equipment to ensure they remain secure. This includes regular updates and patches, system health checks, and replacement of outdated equipment. f. Protective Technology: This involves using technology to protect systems and data. This includes firewalls, intrusion detection systems, antivirus software, and other security technologies.
Detect
- The Detect function defines the appropriate activities to identify the occurrence of a cybersecurity event in a timely manner
- This includes continuous monitoring and detection processes.
- Categories include: a. Anomalies and Events: This involves identifying unusual activity that could be indicative of a cybersecurity event. This includes monitoring network traffic, user behavior, and system logs to detect anomalies and events. b. Security Continuous Monitoring: This involves continuously monitoring and analyzing the organization’s networks, systems, and applications to detect cybersecurity events and verify the effectiveness of protective measures. This includes network monitoring, vulnerability scanning, and intrusion detection systems. c. Detection Processes: This involves maintaining and testing the processes to detect and report cybersecurity events. This includes incident response processes, reporting mechanisms, and procedures for analyzing security alerts and events.
Respond
- The Respond function includes appropriate activities to take action regarding a detected cybersecurity incident.
- The goal is to contain the impact and maintain or restore operations as soon as possible.
- Categories include: a. Response Planning: This involves having a response plan in place that can be executed during a cybersecurity event. The plan should be regularly updated and tested to ensure its effectiveness. b. Communications: This involves coordinating with internal and external stakeholders, including law enforcement and affected customers or users, during and after a cybersecurity event. This includes providing timely and accurate information. c. Analysis: This involves investigating a cybersecurity event to understand its impact and how to prevent similar events in the future. This includes analyzing the event’s source, method, and impact. d. Mitigation: This involves containing the impact of a cybersecurity event and resolving the event. This includes removing the threat from your systems, recovering systems and data, and implementing measures to prevent similar events. e. Improvements: This involves learning from cybersecurity events and using that knowledge to improve your response and recovery capabilities. This includes updating response plans and processes based on lessons learned and feedback from post-event reviews.
Recover
- The Recover function identifies appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity incident.
- Categories include: a. Recovery Planning: This involves having a recovery plan in place that can be executed following a cybersecurity event. The plan should be regularly updated and tested to ensure its effectiveness. b. Improvements: This involves learning from cybersecurity events and using that knowledge to improve your recovery strategies and processes. This includes updating recovery plans and processes based on lessons learned and feedback from post-event reviews. c. Communications: This involves coordinating with internal and external stakeholders, including law enforcement and affected customers or users, during and after a cybersecurity event. This includes providing timely and accurate information about recovery efforts.
Govern
:- The Govern function, while not officially part of the NIST Cybersecurity Framework, is sometimes added by organizations to address governance, risk, and compliance aspects of cybersecurity.
- Categories include: a. Policy Management: This involves establishing and maintaining the organization’s cybersecurity policies. This includes creating, reviewing, and updating policies to reflect the organization’s goals, risk tolerance, and regulatory requirements. b. Risk Management: This involves identifying, assessing, and managing cybersecurity risks. This includes conducting risk assessments, implementing risk mitigation strategies, and monitoring the effectiveness of risk controls. c. Compliance: This involves ensuring the organization meets all relevant laws, regulations, and standards. This includes monitoring changes in legal and regulatory requirements, assessing compliance levels, and addressing any compliance gaps. d. Training and Awareness: This involves ensuring all employees are aware of the policies and have the necessary training to follow them. This includes conducting regular cybersecurity awareness training and promoting a culture of cybersecurity within the organization. e. Audit and Assurance: This involves regularly reviewing and auditing the cybersecurity practices to ensure they are effective and followed correctly. This includes conducting internal and external audits, tracking audit findings, and implementing corrective actions.