In the world of cybersecurity, the only constant is the quickly-changing environment. With this rapid pace, threat vectors change, and so too must the industry best practices that are used to protect against them. Documentation in the world of cybersecurity is often behind and outdated, as trends usually change quicker than documents are able to be drafted.
Setting Standards: The NIST Framework
Fortunately, there are organizations that specialize in forming standards, best practices and publications that are regularly updated to ensure resources aren’t being wasted on outdated practices. A commonly referenced organization in this regard is the National Institute of Standards and Technology, or NIST. NIST provides a plethora of information available to both the public and private sectors, mostly in the form of Special Publications. These publications are chock full of information relating to various cybersecurity practices, and are often updated through drafts with public comment taken into consideration. This constant updating of documents keeps NIST at the forefront of usability as organizations continue to harden their security posture.
Risk Assessment With The NIST Cyber Security Framework
One of the most popularly referenced materials from NIST is their Cybersecurity Framework, which according to NIST, “…provides a common language for understanding, managing, and expressing cybersecurity risk both internally and externally. The NIST Cybersecurity Framework can be used to help identify and prioritize actions for reducing cybersecurity risk, and it is a tool for aligning policy, business and technological approaches to managing that risk,” (NIST. 2017.); this document is currently undergoing a revision process, with the latest updates occurring on December 5, 2017. Many organizations have successfully utilized this framework to scope their activities around a cybersecurity operation. The Cybersecurity Framework works to develop activities around specific functions. These are Identify, Protect, Detect, Respond and Recover.
NIST also champions another well-referenced publication 800-53 Security and Privacy Controls for Federal Information Systems and Organizations, which is currently on revision four. This lengthy document provides controls listed in groups of families, such as Access Control and Incident Response. Many NIST documents reference these controls as a baseline for a wide variety of information systems, business missions and functions.
Over the upcoming months, we will take an in-depth look at many of the most popular NIST publications, as well as dissecting the link between many of these documents. More importantly, we will also discuss how compliance requirements will utilize some of these documents to meet legal requirements.