GRC & Chill: Kickstarting Your Risk Management with Quantification
In this episode of GRC & Me, Megan Phee talks to Netflix's Senior Information Security Risk Engineer, Tony…
On April 16, 2018, the National Institute of Standards and Technology (NIST), released updates to their Cybersecurity Framework (CSF) titled “Framework for Improving Critical Infrastructure Cybersecurity Version 1.1”...The updates work seamlessly with the original framework and are intended to be implemented by first time and current framework users.
On April 16, 2018, the National Institute of Standards and Technology (NIST), released updates to their Cybersecurity Framework (CSF) titled “Framework for Improving Critical Infrastructure Cybersecurity Version 1.1”. NIST began the update process in 2015 and, over the next couple years, they have updated the framework based on over 200 written comments and over 1,200 conversations.
NIST states in their Cybersecurity Fact Sheet, “This framework is designed to work for every size, sector or type of organization. It provides an approach to prioritize cybersecurity resources, make risk decisions, and take action to reduce risk. It enhances cybersecurity communication within an organization and with other organizations (such as partners, suppliers, regulators, and auditors) and helps organizations identify, manage, and assess cybersecurity risks.” The updates work seamlessly with the original framework and are intended to be implemented by first time and current framework users.
7 Things to Know about the NIST CSF Update
- Clarified usage of the term “compliance” - Added clarity that the term “compliance” when used in the framework should be adaptable within an organization's own cybersecurity requirements, and allows each organization to establish their own measures for meeting compliance.
- Self-assessment Guidance - Section 4.0, “Self-Assessing Cybersecurity Risk with the Framework”, was added to explain how the framework can be implemented in order to assess an organization's own cybersecurity risk, including the use of measurements.
- Enhanced Supply Chain Risk Management Material - Section 3.3, “Communicating Cybersecurity Requirements with Stakeholders”, was expanded to include a better explanation of Cyber Supply Chain Risk Management. Additional supply chain risk management criteria were added to the Implementation Tiers, and a new category was added to the framework core.
- COTS Purchasing Requirements - Section 3.4, “Buying Decisions”, was added to explain the risk in purchasing commercial off-the-shelf (COTS) products and services.
- Improved Access Control Guidance - The language of the Access Control category has been refined to better account for authentication, authorization, and identity proofing. This included adding one Subcategory each for Authentication and Identity Proofing. Also, the Category has been renamed to Identity Management and Access Control (PR.AC) to better represent the scope of the Category and corresponding Subcategories.
- Updated definition of Implementation Tiers and Profiles - The expanded Section 3.2, “Establishing or Improving a Cybersecurity Program”, includes a better explanation of the relationship between Implementation Tiers and Profiles.
- New Vulnerability Disclosure Guidance - A Subcategory related to the vulnerability disclosure lifecycle was added.
How to Use the Framework
The framework is not intended to be a one-size-fits-all solution or a one-and-done concept. This framework should be utilized to enable the minimization of cybersecurity risks and to ensure that organizations are taking into account potential risk. It can be implemented in conjunction with current systems and processes, which allows the organization to determine gaps in its current cybersecurity risk approach and develop a roadmap to improvement. It can also be used as the foundation for a new cybersecurity program.
NIST has plans to release an additional supplementary document later this year titled, “The Roadmap For Improving Critical Infrastructure Cybersecurity”, which describes key areas of development, alignment, and collaboration.
LogicGate and the NIST CSF
LogicGate’s Controls and Standards Repository includes the latest version of the NIST Cybersecurity Framework. Each subcategory is captured in a record that lists the overall category and function that the subcategory falls under, as well as the associated informative references.
For many organizations, NIST CSF is not the only standard they want to align with. Often times, there are multiple other control frameworks and regulations with which the organization needs to comply. Thanks to LogicGate's graph database technology, each individual NIST CSF subcategory can easily be linked to other common frameworks and regulations (e.g., ISO 27001/ISO 27002, NIST 800-53, PCI DSS, COBIT 5). If your organization has its own unique internal controls, it’s just as easy to link those as well.
Additionally, LogicGate’s standard and controls assessment process can be used to facilitate assessments against the NIST Cybersecurity Framework to help your organization understand its current cybersecurity performance maturity. If your organization has a unique assessment methodology, the assessment process can be quickly modified using LogicGate’s drag-and-drop workflow builder to meet your custom requirements, making it easy to utilize the NIST CSF to manage your organization’s cybersecurity risks.
