A fact of doing business in today’s hyper-internet-connected world is the need for organizations, regardless of size or sector, to protect their enterprises against a constant onslaught of malicious actors, insider threats, and a slew of other cybersecurity risks. It’s more a matter of “when,” not “if” your organization will face an attack. Fortunately, cybersecurity frameworks have been developed that comprise best practices, standards, and guidelines designed to manage risks and combat these threats so you can protect your greatest assets: people, property and data.
Businesses that work with the government or are in defense, finance, health care, or security sectors are likely required to comply with a particular framework or to meet certain regulatory requirements. These include the Federal Information Security Modernization Act (FISMA), the Federal Risk and Authorization Management Program (FedRAMP), Defense Federal Acquisition Regulation Supplement (DFARS), the Sarbanes-Oxley Act, and the Health Insurance Portability and Accountability Act (HIPAA), among others.
Even if you are not mandated to adhere to any particular regulations, it still makes sense for your business to be proactive in managing risk. All frameworks include guidance for good cybersecurity hygiene, such as effective inventory and asset management, contingency planning, personnel security, system access control, and staff awareness and training, to list a few. To prepare for the aftermath of a cyber incident, frameworks provide incident response guidelines you can follow to recover and try to limit the damage. Establishing a framework can not only help your organization follow best practices but also bring rigorous cyber discipline to your organization.
Determining your risk profile
To figure out the best framework(s), the first step is to determine your risk vectors and what risks your business can tolerate. The Cybersecurity & Infrastructure Security Agency, which is part of the Department of Homeland Security, offers security tips for managers, including Questions Every CEO Should Ask About Cyber Risks. This is a good place to start.
You also might want to consider engaging a risk management firm to help you sort through your options. These experts can help you select the best-suited framework for your business; define your organization’s cybersecurity strategies, goals, and objectives; and help you prepare for the most serious cyber threats your industry faces.
The National Institute of Standards and Technology (NIST) frameworks and the NIST Cybersecurity Framework, described below, are commonly used frameworks. NIST offers several options that work for organizations in a range of industries.
NIST Variety of Framework and Standards
NIST is a U.S. government agency that has developed several useful cybersecurity frameworks that represent the basis for most other frameworks. Detailed in special publications (SPs), these frameworks offer specific controls—best practices—that organizations in both the public and private sectors can follow to achieve the stated objective of the special publication.
NIST SP 800-37, Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy (known as RMF) is built around seven steps: prepare, categorize, select, implement, assess, authorize, and monitor. This process helps organizations prioritize their risk management efforts by measuring, tracking, and identifying risks.
NIST SP 800-53, Security Privacy Controls for Information Systems and Organizations is a tried-and-true framework that focuses on privacy controls in recognition that privacy is a critical concern in the cybersecurity realm.
NIST SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, focuses on assisting organizations that store, transfer, or transmit controlled unclassified information, referred to as CUI. NIST 800-171’s controls are aimed at helping nonfederal organizations that do business with the federal government protect CUI confidentiality. These are good guidelines for any organization to follow to safeguard its own and its customers’ data.
The NIST Cybersecurity Framework, known as CSF, centers on basic cyber defense functions that are required to determine risks and protect assets: identify, protect, detect, respond, and recover. It is designed to be customizable so that organizations can create a cyber security program that suits their individual risks, situations, and requirements. They can then prioritize their investment and maximize their spending on the most effective cybersecurity risk management.
Implementing a Framework
It can definitely be a daunting task to decide on a framework and then implement it effectively. Some firms may have the resources but could use help with interpreting the controls as they apply them to their organization. Other firms may need an outside expert to handle the whole process.
Third-party risk management firms can help in both situations by advising businesses on where to start and what frameworks make the most sense for them.
A key way a risk management firm can help is by starting with a gap analysis. This evaluates your company’s “as is” cybersecurity status and determines how to get to the “should be” status. The third-party experts will identify, quantify, and prioritize your organization’s risks and weaknesses and suggest remediation steps to address them. This can include advising on the most appropriate framework that can best protect your organization’s people, property and data and maximize your cybersecurity investment. Once a baseline is established and you address the gaps, you use the guidelines in your chosen framework to continuously measure your organization against this benchmark.
Given the complexity, artfulness, and range of cybercrimes that organizations face, it is important to use every available tool to combat these attacks. Adopting a proven cybersecurity framework that is suited to your business needs and risks gives you the tools to protect your enterprise against threats confronting you today and will continue to fend off tomorrow.
 NIST Special Publication 800-171 Revision 2, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, defines CUI as “any information that law, regulation, or governmentwide policy requires to have safeguarding or disseminating controls.” The CUI Registry lists these categories.