Your Top Five Cyber Risks in Five Clicks with the Free Cyber Risk Analysis

FREE RISK ANALYSIS
Request Demo

The National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF)has been touted as a gold-standard framework for cyber risk management. The NIST CSF comprises three main elements: The Framework Core, Profiles, and Implementation Tiers. The NIST Cybersecurity Framework Core is broken into five functions: Identify, Protect, Detect, Respond, and Recover. These high-level functions are designed to foster communication around cybersecurity activities between technical practitioners and business-side stakeholders, enabling risk related to cyber to roll up into the organization's overall cyber risk management strategy.

While the CSF does not prescribe controls expressly, each of the Framework Functions has a series of categories, subcategories, and informative references nested within it to enable organizations to implement the appropriate capabilities and services to improve the organization's cybersecurity posture. In this post, we’ll explain the 23 categories within NIST CSF Version 1.1 to help you understand the Framework Core as you begin your journey to implement the NIST CSF.

The Guide to The NIST CSF Categories

Identify Categories

NIST charges activities within the Identify function to develop an organizational understanding of managing cybersecurity risk to systems, people, assets, data, and capabilities. The primary activities around the identification function focus on baselining and gathering information about the information security program. This expands beyond resource allocation (although that is a fundamental element) to include the business context and the related cybersecurity risks associated with the business as it relates to business objectives.

  • Asset Management (ID.AM): To what extent are all physical assets (devices and systems), software, communication workflows, external information systems, prioritized resources, and roles relating to cybersecurity documented and inventoried?
  • Business Environment (ID.BE): To what extent is the organization’s place in its supply chains and industry sector, business mission, objectives, dependencies on critical resources, and resilience and requirements to support the delivery of critical services established and documented?
  • Governance (ID.GV): To what extent is the organization’s cybersecurity policy, roles, responsibilities, legal and regulatory requirements, and governance and risk processes documented and understood?
  • Risk Assessment (ID.RA): To what extent are the organization’s asset vulnerabilities identified and documented, threat intelligence received, threats identified and documented along with potential business impacts from said threats, use of threats and impacts used to determine risk, and risks identified and prioritized within the organization?
  • Risk Management Strategy (ID.RM): To what extent are risk management decisions established, managed, and agreed to by key stakeholders? How well is the organization’s risk tolerance clearly expressed and understood by leadership? To what extent is risk tolerance informed by the organization’s role in the business ecosystem and sector-specific risks?
  • Supply Chain Risk Management (ID.SC): To what extent are vendor management processes established and managed, third parties identified and assessed using those risk management processes, and contracts with third parties used to implement measures to maintain cybersecurity posture?

Protect Categories

Following the inventories of the Identify function, the next step is to identify the measures your organization uses to protect and ensure the delivery of critical services. The Protect function’s goal is to reduce the impact of a potential cyber event through proactive safeguards to ensure the ongoing achievement of business objectives.

  • Identity Management and Access Control (PR.AC): To what extent are identities and credentials managed for authorized devices and users, physical access to assets managed and protected, remote access managed, access permissions and authorizations managed to incorporate principles of least privilege and separation of duties? To what extent is network integrity protected, identities proofed and bound to credentials and asserted in interactions, and users and devices authenticated measured against the risk of the transaction within the organization?
  • Awareness and Training (PR.AT): To what extent are all users informed and trained? Do privileged users/third-party stakeholders/senior executives/physical and cybersecurity personnel understand their roles and responsibilities within the organization?
  • Data Security (PR.DS): To what extent are data-at-rest and data-in-transit protected and assets formally managed throughout the organization's removal/transfers/disposition? To what extent is adequate capacity available, protections against data leaks implemented, integrity mechanisms implemented, development and testing environments kept separate from production environments, and integrity checking mechanisms used to verify hardware integrity (as available) within the organization?
  • Information Protection Processes and Procedures (PR.IP): To what extent is a baseline configuration created and maintained incorporating security principles, a Systems Development Lifecycle implemented, configuration change control processes in place, backups conducted and maintained, policies and regulations met? To what extent are protection processes improved and effectiveness measured, response plans in place and regularly tested, vulnerability management plan developed and implemented, and cybersecurity program included in human resources practices within the organization?
  • Maintenance (PR.MA): To what extent are maintenance and repair of organizational assets performed and logged with approved and controlled tools, as well as remote maintenance of organizational assets approved and performed in a manner that prevents unauthorized access within the organization?
  • Protective Technology (PR.PT): To what extent are audit logs documented and reviewed, removable media protected and use restricted as necessary, communications and control networks protected, and mechanisms implemented to achieve resilience requirements in most organizational situations?

Detect Categories

The Detect function categories are designed to enable the prompt discovery of a cybersecurity event within the organization.

  • Anomalies and Events (DE.AE): To what extent are a baseline of network operations and expected data flows for users and systems established and managed within the organization? To what extent are detected events analyzed to understand attack targets and methods, data collected and correlated from multiple sources, the impact of events determined, and incident alert thresholds established within the organization?
  • Security and Continuous Monitoring (DE.CM): To what extent is the digital and physical environment monitored to detect potential cybersecurity events, malicious code detected, external service provider activity monitored to detect potential cybersecurity events, and monitoring for unauthorized access and vulnerability scans performed within the organization?
  • Detection Processes (DE.DP): To what extent are detection roles and responsibilities well defined to ensure accountability, detection activities comply with all applicable requirements, detection processes are tested and continuously improved, and event detection information is communicated within the organization?

Respond Categories

Arguably the most critical and sellable function to business-side stakeholders, the Respond categories support an organization’s ability to mitigate the impact of a cybersecurity incident.

  • Response Planning (RS.RP): To what extent is the response plan executed during and/or after an incident?
  • Communications (RS.CO): To what extent do personnel know their roles and order of operations when a response is needed? Are incidents reported? Coordinate with stakeholders and share information based on response plans within the organization.
  • Analysis (RS.AN): To what extent are notifications from detection systems investigated, the impact of an incident understood, forensics performed, incidents categorized consistent with response plans, and processes established to receive/analyze/respond to vulnerabilities disclosed to the organization from internal and external sources?
  • Mitigation (RS.MI): To what extent are incidents contained and mitigated and newly identified vulnerabilities mitigated or documented as accepted risks within the organization?
  • Improvements (RS.IM): To what extent do response plans incorporate lessons learned and updated organizational strategies?

Recover Categories

The Recover categories are most critical to events following a cyber event. They lay the groundwork and outline activities to maintain resilience plans following a cybersecurity incident.

  • Recovery Planning (RC.RP): To what extent are response plans executed during or after a cybersecurity incident within the organization?
  • Improvements (RC.IM): To what extent do recovery plans incorporate lessons learned and response strategies updated within the organization?
  • Communications (RC.CO): To what extent are public relations managed and reputation repaired after a cyber incident, and are recovery activities communicated to internal and external stakeholders and executive management teams within the organization?

Since this article was published, the NIST CSF has been updated. NIST CSF 2.0 includes updates to the core function with the 'Govern' Function, widespread applicability beyond critical infrastructure, and a renewed emphasis on supply chain risk management. 

Implementing NIST CSF Categories

The NIST CSF categories outline the next layer of granularity under the five functions of the Framework Core. When beginning to outline your NIST CSF implementation strategy, use the categories and these questions to think about where you stand in the context of the five functions and where to begin.  Contact us if you have questions about how the NIST CSF categories work and want to implement a more secure cyber risk management system.

You may also like

Putting the “R” back in GRC - ...
on October 22, 2024

Cyber GRC (Governance, Risk, and Compliance) tools are software solutions that help organizations manage and streamline their cybersecurity, risk management, and compliance ...

October Product Update
on October 17, 2024

The team at CyberSaint is thrilled to announce the latest additions and updates to the CyberStrong solution. To start off, we’ve made it easier to create an assessment and risk ...

Transforming Cyber Risk ...
on October 12, 2024

In today’s complex cyber landscape, managing risks effectively isn’t just about identifying threats—it’s about understanding their impact and knowing how to prioritize ...

Step-by-Step Guide: How to Create ...
on September 23, 2024

Cyber risk management has become more critical in today's challenging digital landscape. Organizations face increased pressure to identify, assess, and mitigate risks that could ...

From Fragmentation to Integration: ...
on September 17, 2024

Organizations are often inundated with many security threats and vulnerabilities in today's fast-paced cybersecurity landscape. As a result, many have turned to point ...

How to Create a Comprehensive ...
on September 9, 2024

Cyber threats are becoming more frequent, sophisticated, and damaging in today's rapidly evolving digital landscape. Traditional approaches to cyber risk management, which often ...