Today, the key word in cybersecurity has become ‘framework’. On February 12, 2013, the President issued an Executive Order [EO 13636 – Improving Critical Infrastructure Cybersecurity] which directed NIST to develop and issue a voluntary, risk-based Cybersecurity Framework that would provide organizations with industry standards and best practices to help manage cyber risks. While the focus of this effort is on critical infrastructure, all organizations and businesses are vulnerable, as ongoing data breaches and business disruptions demonstrate, so it should be obvious to everyone that adopting a strong cyber framework, tailored to the needs and risks of your enterprise, is a smart decision.
The Framework consists of five Core concurrent and continuous functions – Identify, Protect, Detect, Respond and Recover. These seem like simple enough concepts, but as responsible managers we need to ask ourselves – do we really fully understand what each of these functions involves, and have we done the analysis and put in place the resources so we are aware and ready for what may come at us next?
To answer this question it can be helpful to read the definitions assigned by NIST to the Framework Implementation Tiers. Read and then ask yourself – where are we?
Tier 1 (Partial) – The organization’s risk management profiles are not formalized and are managed on an ad hoc basis. There is limited organizational awareness of risks and an organization-wide approach to managing cyber risk has not been established.
Tier 2 (Risk Informed) – An established cyber risk management policy exists but is not organization-wide. Senior management is making an effort to establish objectives, understand the threat environment, and implement security procedures with appropriate supporting resources.
Tier 3 (Repeatable) – The organization is running with formal cybersecurity procedures, which are regularly updated based on changes in risk, business requirements and changing threats. There are well-trained resources in place and the organization has reached out to its supply chain partners to collaborate on risk-based decisions.
Tier 4 (Adaptive) – The organization adapts its cybersecurity practices in real time based on lessons learned and predictive indicators. Through continuous improvement, real-time collaboration with partners, continuous monitoring, and analysis of threat intelligence, you are able to respond rapidly to sophisticated threats.
Let us know where you think your organization is. We are experts in the assessment of organization risk and the development and implementation of cybersecurity frameworks – the essential starting point for successful and cost effective security.
January 12th, 2015