Organisations looking to bolster their cybersecurity posture and better protect their critical infrastructure have another weapon to add to their arsenal – the NIST Cybersecurity Framework, developed by the National Institute of Standards and Technology.
The Framework is based on existing standards, guidelines and practices, and includes references to ISO 2700x, COBIT and other standards. It consists of three main components – Framework Core, Implementation Tiers and Profiles.
While it is used by most organisations to identify, protect, detect, respond to and recover from cyber-related threats and incidents, more widespread adoption is being hampered by the significant investment of resources required to improve cybersecurity capabilities, according to Raymond du Plessis, senior managing consultant, Mobius Consulting.
Speaking at the ITWeb Security Summit 2019, hosted in Sandton, Johannesburg this week, Du Plessis outlined the five core functions covered by the framework: identify, protect, detect, respond and recover.
"It is being used by more and more organisations, not only in the US, but in South Africa and round the world. One of the cool things is that it is completely free ... there are 287 controls split into five core functions and that's the trick. They've taken the controls we're all used to and rearranged them into these pillars. You can think of them as functions to reinforce security," said Du Plessis.
Organisations have to follow several steps to benefit from the framework. These steps include conducting an assessment against the framework to identify gaps, developing a roadmap and prioritising plans.
"Step four is incident response. This is a critical component of cyber security and especially this cyber security framework. You have to spend a lot of time and effort in getting this right," said Du Plessis.
Incident response is based on key sub-steps including detection, response and recovery.
Du Plessis emphasised that to leverage the framework, businesses must begin by achieving a common understanding of critical assets and cyber-related threats.
"It is important to identify critical assets and think about cyber threats and threat actors," he said.
These potential threats were listed as cybercriminals, social hackers, competitors, activists/hacktivists, cyber terrorists and nation states.