In this episode, we'll dig a little deeper into the CSF: explore what it is, how you can implement it, and the benefits it provides for your organization. We're not going to get deep into the technical details of implementation; we'll keep the focus on the business impacts and benefits. So if you'd like to learn more about how you can best secure your business's data in a way that is affordable and achievable, keep watching.

Let's start with some background, and then we'll dig into how the framework is put together. As a result of an executive order in 2013, the National Institute of Standards and Technology created the NIST Cybersecurity Framework. They did this to shore up cybersecurity across all sectors, to develop a common language and common practices, and to develop best-practice guidelines for any organization to follow. NIST publishes a lot of documents. These are the three main frameworks that they publish: 800-53 is for government agencies, 800-171 is for defense contractors, and the CSF is designed for all businesses. It's easier to achieve and more affordable than the other NIST frameworks. It provides a standardized way for you to design your cybersecurity protections, and since it's based on a proven government standard, it will stand up to scrutiny by regulators or in lawsuits. In fact, Ohio recently passed legislation stating that if you can prove you have implemented the NIST CSF for the past 12 months, that can be used as an affirmative legal defense. That must be accepted by a jury as proof that you did the right thing.

So if you ever need to defend your cybersecurity decisions, would you rather say you saw a really cool security tool at a conference and installed it? Or would you rather respond that you implemented the federal government's recommended framework and you have the reports to prove it? The CSF has become recognized as the gold standard when it comes to cybersecurity guidelines, and you can link it to many different things. Most of the regulations that we have now are based on the CSF. All 50 states have at least some form of data privacy regulation, and some, like California and New York, have much stricter laws. These all have the NIST CSF at their core, and other countries are even starting to use the NIST CSF. And don't forget about your cyber liability insurance: your application had many control requirements, and they most likely came from the CSF. Implementing the framework is going to ensure that you're staying compliant with the requirements that you agreed to when you applied for that policy.

So let's look at how the framework is made up. You have the core of the framework, then the implementation tiers, and finally the profiles. Let's look at the core first. It's made up of five functions: Identify, Protect, Detect, Respond, and Recover. We don't have time to dig into each of these functions in this short video; we'll get into the specifics of each function in future videos.
Today, we're just going to focus on how the framework is organized. Inside each function you have different categories, and then, finally, each category has subcategories. This is where the specific controls come into play. In this example, we're looking at the Identify function and then the Business Environment category. The subcategories here deal with defining the organization's role in the supply chain and the priorities for the organization's mission and objectives. We won't get into all the subcategories in this video; there are 108 of them. I just want to give you an idea of how it's made up.

The next component of the framework is the implementation tiers. The tiers describe the degree to which an organization exhibits the characteristics defined in the framework. Most small businesses are in Tier 1: they're reacting to external events, they don't have a plan, and they're just putting things together in an ad hoc manner. Some businesses are in Tier 2. They know a little bit more about some of the best practices, but they're inconsistent; they have a set-it-and-forget-it type of approach. You really want to be in Tier 3, and then eventually Tier 4. In Tier 3 you're following the framework and it's aligned with your business practices. Then in Tier 4 you've been doing this for a while, you have a proven track record of implementation, and you're applying the lessons that you've learned along the way.

The final component of the framework is the profiles. A profile is an organization's unique alignment of its objectives, its priorities, its budget, and the specific threats in its environment with the controls of the framework. You start with your current profile, which shows where you are right now. Then you put together a target profile showing where you want to get to, and then you develop action plans to get to that target profile. This is an ongoing process. You'll always have a target profile that you're striving for, because the landscape changes, threats evolve, and your business objectives will change. Cybersecurity and compliance is a journey, not a destination.

So, a couple of final thoughts as we wrap up this episode. Implementing any cybersecurity framework is not just an IT department task. I can't stress this one enough: the entire organization needs to be involved. At the executive management level, you need to set priorities, identify the specific threats and your risk tolerance, and determine the budgets. Then you have the business managers and the department heads, who are going to deal with the business uses of the data and the computer tools. And then you have the IT department, where the implementation happens. So if you're planning to just let the IT department or your outsourced IT provider handle a project like this, without involvement from the entire organization, don't even bother taking it on. It's going to fail, and you're going to end up with just another policy manual on the shelf collecting dust.

I'll leave you with this: when you think of cybersecurity and compliance, think of it like a three-legged stool. If any one of those legs is missing or broken, the stool doesn't stand. First, you need to have written documentation stating what your policies are. Second, you need to define the procedures that you're going to follow to implement those policies. Some companies will get those first two correct, but very few get the third: verification, the evidence that the policies and procedures you said you were going to follow are really working. Without that, your cybersecurity posture is going to fail when it's put to the test. That may be the test of an audit, or maybe when a cyber attack occurs. Trust me, that time will come if it hasn't already. Are you confident your cybersecurity is going to stand up when it does?

So if you need a partner to help you implement a framework, or just to evaluate your current posture and your current state, our Trailhead team is here to help. We have tools and resources that will help manage this process of aligning with and following this cybersecurity framework. I'll put contact information in the comment section and at the end of the video. So I hope this helped explain the NIST Cybersecurity Framework a little bit, and the reasons why you should implement it in your organization.