Cybersecurity Framework
Blog

Cybersecurity Framework

The National Economic security of the United States depends on the reliable functions of the critical infrastructure. As cybersecurity threats have become more prevalent in recent years the nation’s economy, public safety, health and security have become increasingly at risk of exclusion. To address this growing national threat, the President issued an executive order 13636 which is meant to improve critical infrastructure in cybersecurity on 12th February 2013. The order directed the National Institute of Standards and Technology (NIST) to figure with stakeholders to develop a voluntary framework under the existing standards, guidelines and practices for reducing cyber risks to critical infrastructure. The Cyber Security Enhancement Act of 2014 reinforced NIST’s executive order 13636 rules created through the collaboration between industry and government. The Voluntary Framework consists of guidelines, standards and practices to promote the protection of critical infrastructure. The prioritized, flexible, repeatable and cost-effective approach of the Framework helps owners and operators of critical infrastructure to manage cyber-related risks.

According to section 7 of the Executive Order, the Secretary of Commerce shall direct the director of the NIST to lead the development of the framework to reduce cyber risk on critical infrastructure. The Cyber Security Framework shall include a group of standards, procedures and processes that align policies, business and technological approaches to deal with cyber risk. The Cyber Security Framework shall incorporate a voluntary set of standards and practices to the fullest extent possible. The Framework will help the organization to better understand, manage and reduce its cybersecurity risks. It enables organizations notwithstanding size, degree of cybersecurity risk or cybersecurity sophistication to use the principles and best practices of risk management to enhance the safety and resilience of critical infrastructure. It will assist in determining which activities are more important to ensure the critical operation and service delivery which intern will prioritize investments and maximize the impact of each dollar spent in cybersecurity. Organizations can readily use the framework to communicate current or desired cybersecurity posture between a buyer or supplier. It provides the organizational structure to new approaching cybersecurity by resembling standards, guidelines and practices that are working efficiently in the industry at present. The framework is not a one size fit all across, though each organization has its unique threats, vulnerabilities and risk tolerances. How they implement the framework vary.

The Framework is voluntary guidance, supporting existing guidelines, and practices for organizations to enhance, manage and reduce cybersecurity risks. In addition to helping organizations. It is designed to foster risk and cybersecurity management communication amongst both internal and external organization’s stakeholders. The available cybersecurity framework includes Payment Card Industry and Data Security Standards (PCI DSS), International Organizations for Standardizations (ISO 27001/27002), Critical Security Controls (CIS) and the NIST Framework.

The PCI DSS is a set of security controls required to implement protected payment account security. It is designed to guard credit cards, debit cards and cash card transactions. The ISO best practice includes a recommendation for information security management and information security program elements. The CIS prescribes an arrangement of activities for cyber protection that gives particulars and are known for the approaches to stop most inescapable and frivolous attacks. A key advantage of the controls is that they organize and centrifuge all activities of the organizations. Most important amongst all the frameworks is the NIST. It is meant to improvise critical infrastructure cybersecurity to improve organizational management on cybersecurity risk. NIST was developed in February of 2013 after the U.S. Presidential executive order. It was designed to address national and economic challenges. The cybersecurity framework was formulated to prioritize a flexible and cost-effective approach that led to market protection and resilience of critical infrastructure and other sectors which are important for the economy and national security. The framework was developed to be adaptable, flexible and scalable by the organization.

The Cyber Security Framework consists of three main components- core, implementation tiers and profiles. The Framework Core provides the set of desired cybersecurity activities and outcomes using a common language. The core guides organizing, managing and reducing their cybersecurity risks in a way that is complementing organization existing cybersecurity and risk management processes. Four elements which constitute core- functions, categories, subcategories and informative references. The function element is made up of five cybersecurity activities-identify, protect, detect, respond and recover, whose purpose is to reach certain cybersecurity outcomes. All of the functions are required to be done simultaneously to create an operational culture that addresses cybersecurity risk. The rest of the core elements set to divide the five functions into more focused activities eventually reaching a resilience that will help the organization. The final piece of the four-core element is the informative references that contain various pieces i.e., cross-sector, standards, guidelines and practices.

Whereas the Framework implementation tiers assists an organization by providing a context on how an organization views cybersecurity risk management. It describes how well the organization’s cybersecurity practices align with the Framework. These tiers reflect a progression from reactive responses to agile and risk-informed. The tiers guide the organization’s to consider the appropriate level of rigor for the cybersecurity program and are often used as a communication tool to discuss the machine priority and budget. During the tier selection process, the organization must consider the present risk management practices, the threat environment, legal and regulatory requirements, business and mission objectives and organizational constraints.

Lastly, the framework profiles are an organization’s unique alignment of their organizational requirements, risk tolerances and resources. The profile represents the outcome based on business needs that the organization has selected from the framework categories and subcategories. The profile is often characterized because of the alignment of business’s standards, guidelines and practices to the Framework Core during a particular implementation scenario. They are primarily used to identify opportunities for improving cyber securities as an organization by comparing the current profile to the target profile.

The Framework helps to guide key decision points about the risk management activities through the various levels of an organization supporting risk management. The levels are executive, business process and implementation or operations. The executive-level communicates the priorities, available resources and risk tolerance to business process levels. The business or process level uses this information as inputs into the risk management process and collaborates with the implementation or operation level to communicate its needs and create a profile. The implementation level communicated the profile program details to the business level. They use it to process and pass the assessment. They report the outcomes of the impact on the executive level to inform the organization’s overall risk management process and the implementation level to create awareness.

The NIST is a practical and very useful framework that every organization must use to combat cybersecurity risk. The Framework provides organizational instruction and multiple approaches to cybersecurity by assembling standards and guidelines, practices that are working effectively in the industry today. Moreover, because it recognizes globally refereed standards for cybersecurity the Framework can also be used by the organization located outside the U.S. as a model for international cooperation on strengthening critical infrastructure. The Framework may be a living document and still be updated and improved as per the industry’s feedback on implementation. As the Framework is put into practice lessons learnt will be integrated into the future versions. This will ensure meeting the needs of the critical infrastructure owners and operators in a dynamic and launching environment of new threats and solutions.