From the course: Cybersecurity Foundations

Understanding the NIST Cybersecurity Framework

- [Instructor] The inclusion of cyberspace in national critical infrastructures was formally recognized at the 3rd Global Conference on Cyberspace, held in Seoul in 2013, with the publication of the Seoul Framework for and Commitment to Open and Secure Cyberspace. It states: "The global and open nature of the internet is a driving force in accelerating progress towards development. Governments, businesses, organizations and individual owners and users of cyberspace must assume responsibility for and take steps to enhance the security of their information technologies." In response to this, in 2014, the US National Institute of Standards and Technology issued the "Framework for Improving Critical Infrastructure Cybersecurity." This NIST Framework has now become the de facto standard for cybersecurity. Let's take a look at it.

The NIST Cybersecurity Framework is an action-oriented approach to security and consists of three elements: the Framework Core, the Framework Profile, and the Framework Implementation Tiers. The Framework Core provides a set of activities to achieve cybersecurity, described in the five areas of Identify, Protect, Detect, Respond, and Recover. Each of these activities is decomposed into a total of 23 categories of security activities. For example, we can see that the Detect group decomposes into the three categories of Anomalies and Events, Security Continuous Monitoring, and Detection Processes. Going deeper, the categories are further decomposed into a set of controls. For example, the Detection Processes category is broken down into five subcategories: roles and responsibilities, compliance with requirements, activities are tested, detection information is communicated, and continuous improvement. Each of these subcategories is referenced to the relevant NIST, ISO and COBIT standards.

The NIST Cybersecurity Framework doesn't introduce its own set of controls. It provides a higher-level framework which can be used to develop a contemporary cybersecurity profile for an organization, but it relies on existing control frameworks for its implementation, and these are COBIT, ISA (otherwise known as IEC 62443), ISO 2700 and NIST SP 800-53. A draft of the Cybersecurity Framework version 2.0 has been released, and this includes a sixth area called Govern, into which a number of the existing categories in the five other areas have been moved. This change consolidates governance for the framework and adds a new category to explicitly call out a requirement for oversight. It also adds additional subcategory controls.