The scope and process of implementing the NIST Cybersecurity Framework (CSF) can be daunting for even the most experienced CISO. Despite the complexity of implementing the NIST CSF, its ability to unify cybersecurity efforts and bridge the gap between technical and business leaders makes it the gold standard for developing a risk management plan. While a cyber risk management plan can be organized in many ways, customized to the needs of your organization, the CSF is an ideal north star to guide these efforts. By understanding how the NIST CSF Framework Core works and by identifying the key components within your plan, you can develop and track your company’s risk management plan with ease.
One of the most valuable aspects of the NIST CSF Core is how customizable it is for every organization. No two paths to achieving the standard are the same, even though they accomplish the same goal. By understanding what to look for within the Identify, Protect, Detect, Respond, and Recover functions of the Framework Core, your organization can effectively create a risk management plan. For our purposes, we’ll examine each of the five functions and how each contributes to the development of a risk management plan. We will also examine the outcome categories of each function as supporting factors to consider as you develop and document the plan.
Identify
In the context of developing a cyber risk management plan, Identify is the first waypoint: identifying what you are protecting. NIST defines the Identify function of the CSF as the need to "develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities". The focus of the Identify function is on the business and how it relates to cybersecurity risk, especially taking into account the resources at hand. Collecting an inventory of assets across a wide range of factors informs the development of your organization’s risk management plan.
Asset Management
This outcome is defined by cataloging the physical devices, software applications, resources, and personnel that enable the enterprise to achieve its business objectives, and ensuring that they are managed consistent with their relative importance to the organizational objectives.
Business Environment
Business Environment is the outcome in which “the organization’s mission, objectives, stakeholders, and activities are understood and prioritized; this information is used to inform cybersecurity roles, responsibilities, and risk management decisions.”
This dimension of developing your risk management plan requires you and your team to assess your organization’s role in the greater business environment: where you sit in other organizations’ supply chains, who is a part of yours, and what dependencies exist there. It also requires assessing the roles and responsibilities within both your organization and the greater ecosystem as they relate to cybersecurity and managing cyber risk.
Governance
Governance is the outcome in which “the policies, procedures, and processes to manage and monitor the organization’s regulatory, legal, risk, environmental, and operational requirements are understood and inform the management of cybersecurity risk.”
Establishing the company’s cybersecurity policies, roles, legal and regulatory requirements, privacy and civil liberties obligations, and risk management processes is critical. Baselining to understand where your organization stands in this process is equally critical, with the next step being to fill in policy gaps as they are discovered.
Risk Assessment
Determining where your organization stands is a critical step in developing a risk management plan. As a risk assessment relates to the CSF and the Identify function, it gets your organization into the habit of baselining where you stand with respect to cyber risk. Selecting the right methodology for conducting a risk assessment and risk analysis is crucial, because the data collected must be actionable for both technical and business-side leadership.
Risk Management Strategy
In relation to developing a risk management plan, consider soliciting input and collecting information from other business unit leaders who manage other facets of the risks facing the enterprise. As information security leaders are called into business contexts more and more, it becomes crucial that the data and strategy you deliver to the Board and CEO are actionable alongside the risk management plans from finance, operations, and strategy.
First and foremost, ensure that you understand your organization’s risk tolerance for achieving a given business objective. This informs the initial development of your strategy as well as the creation of your risk management plan.
Supply Chain Risk Management
Supply Chain Risk Management is the outcome in which the priorities and risk tolerances of project stakeholders and business stakeholders determine your cybersecurity team’s approach to supply chain risk. As more and more of today’s businesses outsource peripheral activity to other businesses, identifying and mitigating risk in the supply chain is critical. Depending on your organization, factoring vendor risks alongside internal risks into your risk management plan could prove beneficial or even vital.
Protect
For the purposes of developing your risk management plan, the Protect function of the CSF helps you and your organization consider the efforts and controls your organization has, or needs to have, in place to ensure that the assets catalogued in the Identify phase continue to operate and add value. This element of your risk management plan should ensure that you have the correct controls (some listed below) to address potential risks.
Identity Management and Access Control
For Identity Management and Access Control, you will need to record which team members have access to which physical and digital assets, how remote access is handled, and how networks containing critical information are protected and kept secure.
Awareness and Training
This category covers how an organization’s personnel are trained and informed on how to perform their cybersecurity-related duties. This includes policies, procedures, and agreements.
Data Security
Data Security covers the procedures in place to protect the confidentiality, integrity, and availability of information that is critical to the operations of an organization. This includes protecting all data at rest as well as data in transit over a network. You must also have protection against data leaks and integrity-checking mechanisms.
Information Protection Processes and Procedures
To satisfy Information Protection Processes and Procedures, you will need to show security policies that address purpose, scope, roles, responsibilities, management commitment, and coordination among organizational entities, and what is used to manage protection of information systems and assets.
This includes baseline configurations of IT systems, a system development life cycle, data backups, a data destruction policy, a data protection improvement policy, response plans, recovery and contingency plans, and a vulnerability management plan.
Maintenance
Your organization must have maintenance policies and procedures in place, and they must align with your risk management strategy policies.
Protective Technology
Protective Technology consists of the technical security solutions that ensure the security and resiliency of systems. This includes audit logs, protected removable media, protected communications and control channels, and failsafe mechanisms.
Detect
Using the Detect function of the NIST CSF, we’re able to layer the controls and risk mitigation strategies that are in place into our risk management plan. From the Identify function, we have the assets we must protect and the projected risks facing those assets. From Protect, we have documented the steps already taken (or that must be taken in the near future) to secure those assets and mitigate the known risks. In the Detect portion of the risk management plan, outline the steps that your organization has taken to ensure that you and your team are aware that a cyber event is taking place or has taken place.
Anomalies and Events
Anomalous activity is predicted and measured for the potential impact of events.
Security Continuous Monitoring
Provide evidence that your organization monitors its information systems and assets to identify cybersecurity events. This includes malicious code detection, unauthorized code detection, external service provider monitoring, and vulnerability scans.
Detection Processes
The detection processes for identifying a malicious cybersecurity event.
Respond
In the case of a risk management plan, we could argue that Respond is the most important element we’ll look at here. The Respond function requires that you take all the data from the previous steps and understand and document how your organization would respond to a potential risk. Especially when reporting to other members of executive management and the Board, the Respond function is where you want to ensure that your risk planning is particularly well documented in a centralized location, so that everyone understands their role in responding to a cyber event.
Response Planning
Response processes and procedures are implemented to ensure defined responses to detected cybersecurity incidents.
Communications
The processes and information shared between project teams, project managers, and stakeholders as they relate to cybersecurity. This is done so that cybersecurity can be measured and understood across all teams within a company.
Analysis
The process of logging the response and recovery activities across cybersecurity personnel. Within this, processes must be established to receive, analyze, and respond to vulnerabilities reported to the organization from internal and external sources.
Mitigation
The activities performed to mitigate or lessen the impact of a risk or cybersecurity event and resolve it.
Improvements
What can be improved in your cybersecurity response plan, and how policies are updated.
Recover
Finally, the Recover function in your risk management plan is the aftermath. When reporting your risk management strategy up to the Board, the Recover function proves crucial: clearly explaining not only how the information security organization is going to respond to a cyber event but also the steps that are in place after the event takes place is critical, both for internal recovery and for reporting out to external stakeholders, customers, and others.
Recovery Planning
How your recovery plan is implemented during or after a disaster.
Improvements
What can be improved in your cybersecurity recovery plan, and how policies are updated.
Communications
Restorative activities to minimize reputational damage from a cybersecurity event. This includes recovery activities like communication with stakeholders and delivering a public statement if necessary.
Developing Your Own Risk Management Plan
As we’ve seen with the shift away from checkbox compliance and modular GRC toward a risk-first approach and the rise of integrated risk management, addressing the unique configuration of risks within your organization makes a boilerplate risk management plan nigh impossible. However, leveraging a gold-standard framework as agile and flexible as the CSF proves extremely beneficial, as it both serves as a north star for technical information security teams and helps put cyber risk data in a context that business leaders can understand. As you go about developing or documenting your cyber risk management plan, it can be a great starting place for NIST CSF adoption.
Developing and executing a risk management plan in a spreadsheet or a modular GRC solution can prove exhausting and extremely time consuming, potentially putting the development of the plan at risk. By leveraging an integrated risk management solution like CyberStrong, you can centralize your plan development progress alongside functionality like a risk register and unify risk and compliance activities. If you have any questions about the NIST CSF Framework Core, or any other cybersecurity questions, give us a call at 1-800-NIST CSF or request a demo.