Using the NIST Cyber Security Framework to Build Your IT Risk Program


Creating a robust IT risk management program is critical in every business.  It is what will guide your security program, compliance regime, and even the decisions you make in selecting technology or business services. But before you can run, you have to walk.  Understanding the key elements of the NIST Cyber Security Framework (CSF) and focusing on best practices for applying the CSF will prepare you to implement an IT risk program.

The NIST Cyber Security Framework (CSF), which resulted from the 2013 Executive Order 13636, was created to reduce cyber risks to critical infrastructure.  Whether you have already deployed the CSF or are new to the framework and its benefits, you can use elements of the framework to create an IT risk program.  Lynx has created a CSF Quick Tip Checklist to help!

The CSF consists of three parts, including the Core, the Profile and the Tiers. The Framework provides a common language and mechanism for organizations to:

  • Describe their current cyber security posture
  • Describe their target state for cyber security
  • Identify and prioritize opportunities for improvement within the context of risk management
  • Assess progress toward the target state
  • Foster communications among internal and external stakeholders

Breaking down these three components looks like this:

Core – the Core is made up of functions and categories that drive the creation of policies and control activities to increase cyber security.  These policies and controls establish tolerance levels for control measurement and effectiveness that can drive reporting and metrics.

Profile – the Profile aligns the functions, categories, subcategories and controls with business requirements, risk tolerances and resources.  It is your roadmap for reducing risk by identifying gaps that exist between “current state” and “desired state”.

Tiers – Tiers reflect the maturity of an organization’s cyber security practices.  There are four tiers: Tier One, partially compliant or partially effective; Tier Two, risk-informed; Tier Three, you have a repeatable process; and Tier Four, your process is repeatable, informed and adaptive.

An organization without an existing cybersecurity program can use the Framework as a reference to establish one, and can ultimately translate the CSF into an IT risk program.

So, what basic steps can you take to apply the NIST CSF to a more robust IT risk program?  We’ll very quickly cover the steps here to apply the framework but you can download our Quick Tip Checklist as a guide to help you through the process.  And check the Lynx Blog over the next several weeks for our detailed eBook on Implementing an IT Risk Program using the NIST Cyber Security Framework.

Now, back to the keys to remember when applying the Framework.  First, you want to identify the mission objectives. What is the scope of systems, networks, applications, or other assets that fall under your risk program? What are the regulatory requirements, contractual obligations (from customers or vendors), and business interests (policies, special requirements, etc.)? Follow the guidelines of the requirements to set the scope of applicability, keeping in mind that your key to scope is through the inherent risk of an asset.

Next, you must select the controls that apply to your business and the assets that are in the scope of your program.  The controls can be categorized by the CSF categories, functional orientation, departmental grouping, or even your custom risk assessment universes (RAUs).  Using categories and sub-categories, you create a profile that defines your current state – that is, your inherent risks.  Inherent risks are those that exist prior to applying controls or other security measures.  Assuming you already have some level of controls in place, or after you have implemented your operational security program, you conduct a risk assessment against that profile.

In addition, you should create a target profile that defines the level of risk that you can live with.  This is called your risk appetite.  Your target profile may be an industry-mandated target or a business-oriented target; you’ll have to decide where you want to be. Compare the current profile with the target profile and determine your gaps; this is your residual risk.  If your residual risk is within your risk appetite, you have an effective program.  If your residual risk falls outside of the risk appetite, you may need to improve your implementation of controls, or prioritize your gaps to determine what in your security program you want to do.

Finally, implement your action plan, and that is your cybersecurity program.
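As an added example (not from the Lynx post or its checklist), the following Python script models the current-versus-target profile comparison described above: each CSF subcategory carries an inherent-risk rating and a current and target tier, the residual risk per subcategory is a constructed score, and the total is checked against a risk appetite threshold. The subcategory identifiers are real CSF IDs; the ratings, tiers and scoring rule are assumptions for illustration.

```python
from dataclasses import dataclass


@dataclass
class Subcategory:
    """One CSF subcategory as it appears in a profile."""
    ident: str          # CSF subcategory identifier, e.g. "PR.AC-1"
    inherent_risk: int  # 1 (low) .. 5 (high), rated during scoping
    current_tier: int   # 1..4, from the current-state assessment
    target_tier: int    # 1..4, from the target profile


def residual_risk(sub: Subcategory) -> int:
    """Constructed scoring rule (an assumption, not part of the CSF):
    residual risk is the tier gap weighted by inherent risk; a
    subcategory already at or above its target contributes nothing."""
    gap = max(0, sub.target_tier - sub.current_tier)
    return sub.inherent_risk * gap


def gap_analysis(profile, risk_appetite):
    """Compare the current profile with the target profile.
    Returns (within_appetite, total_residual, gaps) where gaps is a
    list of (ident, score) sorted highest residual risk first, which is
    the prioritisation order for closing them."""
    gaps = [(s.ident, residual_risk(s)) for s in profile if residual_risk(s) > 0]
    gaps.sort(key=lambda g: g[1], reverse=True)
    total = sum(score for _, score in gaps)
    return total <= risk_appetite, total, gaps


# Constructed sample profile: ratings and tiers are illustrative only.
SAMPLE_PROFILE = [
    Subcategory("ID.AM-1", inherent_risk=3, current_tier=2, target_tier=3),
    Subcategory("PR.AC-1", inherent_risk=5, current_tier=1, target_tier=3),
    Subcategory("DE.CM-1", inherent_risk=4, current_tier=3, target_tier=3),
    Subcategory("RS.RP-1", inherent_risk=2, current_tier=2, target_tier=4),
]

if __name__ == "__main__":
    ok, total, gaps = gap_analysis(SAMPLE_PROFILE, risk_appetite=8)
    print(f"total residual risk {total}, within appetite: {ok}")
    for ident, score in gaps:
        print(f"  {ident}: residual {score}")
```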