CyberSaint Blog | Expert Thought

Developing Your Risk Management Plan Using the NIST CSF

Written by Justin Peacock | July 14, 2020

The scope and process for an organization seeking to implement the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) can be daunting for even the most experienced CISO to handle. Despite the complexity of implementing the NIST CSF, its ability to unify cybersecurity efforts and bridge the gap between technical and business leaders makes it the gold standard for developing a risk management plan. While organizing a cyber risk management plan can be approached in a multitude of ways, customized specifically to the needs of your organization, the CSF is a perfect north star to guide these efforts. An organizational risk management plan example like the NIST CSF Framework Core identifies key components and risk categories within your plan. You can develop and track your company’s project planning with this risk management plan template with ease.

One of the most valuable aspects of the NIST CSF core is how customizable it is for every organization. No two paths to achieving the standard are the same, even though they accomplish the same goal. By understanding and knowing what to look for within the Identify, Protect, Detect, Respond, and Recover elements of the framework core, your organization can effectively create a risk management plan. For our purposes, we’ll examine each of the five functions and how they each contribute to the development of a risk management plan. We will also examine the outcomes of each function as supporting factors to consider as you develop and document the risk in your project.

Identify

In the context of developing a cyber security risk management plan, Identify is the first waypoint to identifying what you are protecting. NIST defines the Identify function of the CSF as the need to "develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities". The focus of the Identify function of the core is on the business and how it relates to cybersecurity risk, especially taking into account the resources at hand. Collecting an inventory of assets across a wide range of factors can inform the development of your organization’s risk management plan.

Asset Management

This outcome is defined by cataloging physical devices, software applications, resources, and personnel that enable the enterprise to achieve its business objectives and ensure that they are managed consistently with their relative importance to the organizational objectives.

Business Environment

The business environment is the organization’s mission, objectives, stakeholders, and activities that are understood and prioritized; this information is used to inform cybersecurity roles, responsibilities, and risk management decisions.

This dimension of developing your risk management plan requires you and your team to assess your organization’s role in the greater business environment - assessing where you sit in other organizations’ supply chains, who is a part of yours, and what dependencies exist there. Furthermore, assess the roles and responsibilities within both your organization and the greater ecosystem as they relate to cybersecurity, risk owners, and managing risks.

Governance

Governance is “the policies, procedures, and processes to manage and monitor the organization’s regulatory, legal, risk, environmental, and operational requirements are understood and inform the management of cybersecurity risk”

Establishing the company’s cybersecurity policies, roles, legal and regulatory requirements, privacy and civil liberties obligations, and risk management framework is critical. Baselining to understand where your organization is in this process is critical, with the next step filling in policy gaps as they are discovered.

Risk Assessments

On the topic of a risk management plan, determining where your organization stands is a critical step to developing a plan. As a risk assessment relates to the CSF and the Identify function, this helps your organization get into the habit of baselining where you stand as it relates to cyber threats. Selecting the right methodology for conducting a risk assessment and risk analysis is crucial in that the data collected must be actionable for both technical and business-side leadership.

Risk Management Strategy

In relation to developing a risk management plan, consider soliciting input and collecting information from other business unit leaders that manage other facets of the risks facing the enterprise. As information security leaders are called into business contexts more and more, it becomes crucial that the data and strategy for risk responses you deliver to the Board and CEO is actionable alongside the risk management plans from finance, operations, and strategy.

First and foremost, ensure that you understand your organization’s risk tolerance to achieve a given business objective. This can help inform the initial development of your strategy as well as the creation of your risk management plan.

Supply Chain Risk Management

Supply Chain Risk Management is the priorities and risk tolerances of project stakeholders and business stakeholders that determine your cybersecurity team’s approach to supply chain risk. As more and more of today’s businesses outsource periphery activity to other businesses, identifying risks and mitigating potential threats in the supply chain is critical. Depending on your organization, factoring in vendor risks alongside internal risks into your risk management plan could prove beneficial or potentially vital.

Protect

For the purposes of developing your risk management plan, the Protect function of the CSF helps you and your organization consider the efforts and controls your organization has or needs to have in place to ensure that the assets cataloged in the Identify phase continue to operate and add value. For our purposes, this element of your risk management plan should ensure that you have the correct controls (some listed below) to address potential risks.

Identity Management and Access Control

For Identity Management and Access Control, you will need to record which team members have access to what physical and digital assets, as well as remote access and how networks containing sensitive data are protected and kept secure.

Awareness and Training

How an organization’s personnel are trained and informed on how to perform their cybersecurity-related duties. This includes policies, procedures, and agreements.

Data Security

The procedures are in place to protect the confidentiality, integrity, and availability of information that is critical to the operations of an organization. This includes protecting all ‘resting’ data as well as data that can be transferred over a network. You must also have protection against data breaches, data leaks, and integrity-checking mechanisms.

Information Protection Processes and Procedures

To satisfy Information Protection Processes and Procedures, you will need to show security policies that address purpose, scope, roles, responsibilities, management commitment, and coordination among organizational entities, and what’s used to manage the protection of information systems and assets.

This includes baseline configurations of IT systems, a system development life cycle, data backups, a data destruction policy, a data protection improvement policy, response plans, recovery and contingency plans, and a vulnerability management plan.

Maintenance

Your organization must have maintenance policies and procedures in place and must align with your cybersecurity risk management processes.

Protective Technology

Protective Technology consists of technical security solutions to ensure the security and resiliency of systems. This includes audit logs, protected removable media, protected communications and control channels, and failsafe mechanisms.

Detect

Using the Detect function of the NIST CSF, we’re able to layer the controls and risk mitigation strategies that are in place into our risk management plan. From the Identify function, we have the assets we must protect, and the projected risks facing those assets. From Protect, we have documented the steps already taken (or that must be taken in the near future) to secure those assets and mitigate known cybersecurity threats. In the Detect portion of the risk management plan, outline the steps that your organization has taken to ensure that you and your team are aware that a cyber attack is or has taken place.

Anomalies and Events

Anomalous activity is predicted and measured for the potential impact of events.

Security Continuous Monitoring

Provide evidence your organization has monitoring for its information systems and assets to identify cybersecurity events. This includes malicious code detection, unauthorized code detection, external service provider monitoring, and vulnerability scans.

Detection Processes

The detection processes for identifying a malicious cybersecurity event.

Respond

In the case of a risk management plan, we could argue that Protect is the most important element we’ll look at here. The Respond function requires that you take all the data from previous steps and understand and document how your organization would respond to potential risk. Especially when reporting to other members of executive management and the Board, the Respond function is where you want to ensure that your risk planning is especially well documented in a centralized location to ensure that everyone understands their role in responding to a cyber event.

Response Planning

Response processes and procedures implemented to ensure defined responses to detected cybersecurity incidents.

Communications

The processes and information shared between project teams, project managers, and stakeholders as it related to cybersecurity. This is done so cybersecurity can be measured and understood across all teams within a company.

Analysis

Process of logging the response of recovery activities across cybersecurity personnel. Within this, processes must be established to receive, analyze and respond to vulnerabilities in the organization from internal and external sources

Mitigation

The activities performed to mitigate or lessen the impact of a risk or cybersecurity event and resolve it.

Improvements

What can be improved in your cybersecurity response plan, and how policies are updated?

Recover

Finally, the Recover function in your risk management plan is the after-effect. When reporting your risk management strategy to the Board, the Recover function proves to be crucial: clearly explaining how the information security organization is not only going to respond to a cyber event but the steps that are in place after the event takes place is critical not only for internal recovery but also for reporting out to external stakeholders, customers, etc.

Recovery Planning

How your recovery plan is implemented during or after a disaster.

Improvements

What can be improved in your cybersecurity incident response plan, and how policies are updated?

Communications

Restorative activities to minimize reputational damage to a cybersecurity event include recovery activities like communication with stakeholders and delivering a public statement if necessary.

Developing Your Own Risk Management Plan

As we’ve seen with the shift away from checkbox compliance and modular GRC to a risk-first approach and the rise of integrated risk management, addressing the unique configuration of risks within your organization makes a boilerplate risk management plan neigh impossible. However, leveraging gold-standard frameworks that are agile and flexible as the CSF proves extremely beneficial as it both serves as a north star for technical information security teams as well as helps put cyber risk data in a context that business leaders can understand. As you go about developing or documenting your cyber risk management plan, it can be a great starting place for NIST CSF adoption.

Developing and executing a risk management plan in a spreadsheet or a modular GRC solution can prove exhausting and extremely time-consuming - potentially putting the development of the plan at risk. By leveraging an integrated risk management solution, like CyberStrong, you can centralize your plan development progress alongside functionalities like a risk register and unify risk and compliance activities. If you have any questions about the NIST CSF framework core or any other cybersecurity questions, request a demo.