Last week we discovered the biggest reasons to implement the NIST Cybersecurity Framework into your current cybersecurity program. If you missed the post, you can read it here. So now that you’ve decided to use the NIST CSF as your guideline framework, the next step is to prepare for implementation. Here are three tips to keep in mind before implementing the NIST Cybersecurity Framework:
1. The NIST CSF is intended to compliment, not replace, an organization’s cybersecurity program.
While consumer targeted cyber attacks have decreased by roughly 24% within the past year, businesses have actually seen a 235% INCREASE. Because of this increasing threat, most organizations already have some sort of cybersecurity program in place. As a result, there is no need for these organizations to recreate their programs from scratch. These organizations may continue using their current processes and compare them to the framework in order to identify areas for improvement. The elements of the framework that are not already addressed can be incorporated into the existing program.
On the flip side, organizations without an existing cybersecurity program can use the framework as a starting point to establish one. A good place to start when establishing a new program is with each of the five framework functions known as identify, protect, detect, respond, and recover.
2. Establish a plan to coordinate people, processes, and technology to correspond with each NIST CSF function, category, and subcategory.
There is a recommended set of questions to follow when addressing the five NIST CSF functions: Will you use internal resources, contracted resources, manual processes or automation? How will the function be managed? What is the desired timeline? What new or existing tools are required? To answer these questions, management buy-in and dedication of resources is required.
After addressing each function, your organization can then dive into the categories of each function. For example, the identify function is divided into the categories including Asset Management, Governance, and Risk Management. Your organization should determine who will be responsible for each category and the requirements of those responsibilities. The responsibilities might call for new resources and/or governance policies.
In the last level of the framework, we address the sub-categories which tend to require a more in-depth level of detail. This stage is where your action plan comes into play. For each sub-category, you should determine the 5 w’s – who, what, where, when, why [and how].
3. Before taking any action, have a plan to measure the success.
The most critical measurement of the NIST Cybersecurity Framework is risk. A risk assessment will determine the risk remaining after implementation and the accompanying controls. Your organization should conduct risk assessments to identify the affected assets, the threats impacting those assets, and the mitigating controls in place to reduce the threats. The residual risk that remains could be accepted, avoided, or further mitigated by additional or enhanced existing security controls.
The main goals of implementing the NIST Cybersecurity Framework are to enhance your organization’s security and minimize the cyber risk. The best way to accomplish this is to take the proper steps to thoroughly develop your strategy. A proper strategy will ensure organization wide acceptance and an overall cybersecurity culture.