Developing a Cyber Security Program with the NIST CSF.

In today’s fast paced world it’s easy to get overwhelmed with day to day activities, e-mails and various other items, add that you now have to build a security program from scratch to that and you could go crazy. The purpose of this article is to show how a CISO can use the NIST CSF to begin the process of building a solid security program and hopefully reduce stress that comes along with security program development.
The NIST Cyber Security Framework was developed in February 2014 in response to Executive Order signed by President Obama, the order called for a standardized security framework for critical infrastructure in the United States. The NIST CSF consists of 3 elements, they are:
1. Framework Core — The framework consists of a set of activities, guidelines and best practices that allows for standard communication from the top executive down to the implementing engineer. There are 5 high level functions in the core, they are Identify, Protect, Detect, Response and Recover. Each one of these functions contain more detailed categories and subcategories.
2. Framework Tiers — The framework contains 4 different levels of tiers. These tiers allow an organization to get a view of where they are from a cyber security perspective. Tier 1 — Partial, Tier 2 — Risk Informed, Tier 3 — Repeatable Tier 4 — Adaptive.
3. Framework Profiles — The framework also has profiles. Profiles represent outcomes of where your current state of security is and where do you want to be.
For this article we will be concentrating on the 5 functions, their categories, and the associated subcategories.
Building a Security Program
So you have been hired to build a cyber security program for your new employer, you walk in and they tell you they have a cloud based firewall or two, AV, a CASB set of solutions, e-mail through O365 and a they utilize both Azure and AWS. Now what?
This is where the NIST CSF comes into play. As we discussed above, the CSF has 5 functions that are great for building a security roadmap:
1. Identify
2. Protect
3. Detect
4. Response
5. Recover
Now, there may be cases where you will have to modify the order of functions based on your company’s requirements ( like addressing protect first or working multiple at the same time) but generally speaking the first function I look at when building a program is the Identify function. The Identify function covers the building blocks of a solid security program such as inventory (hardware & software), governance, polices, risk (management & assessments) and supply chain risk management. What this provides is a top down approach to your cyber security program. I like this approach because many company’s have the technology in place and in some cases too much technology in place and one of the reasons is because they don’t have good inventory , the policies are either not complete or not approved by executive management , there is little to no governance and finally risk management. They may or may not have a comprehensive risk management program in place.
So now you have the Identify function in place and the next step in building a security program is addressing the Protect function in NIST CSF. This is the function that covers identity management, security awareness training, data security (Cyber is a cool word, but data security is really what we do), maintenance as well as Information Protection Processes and Procedures. These areas are key to cyber security operations. In this function, CSF covers change processes as well as the overall system development life cycle.
The next function of the NIST CSF that you would tackle is Detect. This is the function I got my teeth into when I first came into security almost 20 years ago. Here we look at the processes and procedures for monitoring everything from your network to physical security and vulnerability scanning. Detection and Anomalies and Events are also a key part of this function. This is the function that your MSP would be a key part of and could assist the most.
The Respond function is centered around Incident Response and communication. There are some people who would say you need to have this function completed before you even touch detect but for me this works as well as both functions are key to properly identifying and responding to any events.
The Recover function of the NIST CSF is exactly what you think it is. Its about recovering from an incident. This includes a disaster recovery plan, how your organization will communicate during the incident or recovery exercise. It also covers all the planning that is needed to properly recover from an incident.
Finally, the NIST CSF is a great template to develop your information security program around. Although I laid out an approach that I think makes sense, there are some functions that could move up or down in depending on your organizational needs. For more information on the NIST CSF, please see the NIST page @ https://www.nist.gov/cyberframework.