One of the most practical ways to improve information security and ensure long-term compliance with relevant industry regulations is to use a recognized security framework. Cybersecurity frameworks developed by government agencies and non-profit organizations can help you establish actionable best practices and policies to manage your company’s cybersecurity risks.
Two key cybersecurity frameworks are the National Institute of Standards and Technology’s Cybersecurity Framework (NIST CSF) and the Center for Internet Security’s Critical Security Controls for Effective Cyber Defense (CIS CSC). This article gives an overview of these two frameworks and provides some tips for implementing them.
What is NIST CSF?
The NIST Cybersecurity Framework establishes uniform language and best practices for mitigating risks and effectively recovering from cybersecurity incidents. It is founded on five key functions: Identify, Protect, Detect, Respond, and Recover. The guidelines laid out by the NIST CSF have become references for several compliance standards, including HIPAA for the healthcare industry and DFARS and CMMC for defense contractors.
NIST CSF was established in 2014 in response to US Presidential Executive Order 13636. The stated aim was for NIST to “work with the private sector to identify existing voluntary consensus standards and industry best practices and build them into a Cybersecurity Framework.” While the NIST CSF is arguably the most recognized and comprehensive framework in the industry, its scale can be overwhelming for SMBs.
What is CIS CSC?
The Center for Internet Security’s Critical Security Controls is a set of 20 high-priority actions for blocking or mitigating known cyber attacks. The goal is to provide straightforward, actionable recommendations for cybersecurity based on the most pervasive threats. The CIS CSC are updated by a community of government and private industry security experts. The current version covers:
While NIST CSF provides a comprehensive guide to security policy, risk management, and program governance, CIS CSC focuses only on the most impactful cybersecurity measures, making it easier for SMBs to adopt. To further ease adoption, the controls are organized into three tiers: Basic, Foundational, and Organizational. These range from the bare minimum security efforts that all organizations must implement (Basic) to controls that focus on setting organizational standards to mitigate cyber risks (Organizational).
How to start implementing a cybersecurity framework
For many organizations, implementing a cybersecurity framework is not only a wise security investment, but a mandatory compliance requirement. Since standards like NIST CSF attempt to make cybersecurity efforts uniform, they often encompass the compliance requirements laid out for specific industries, making them an excellent starting point for organizations bound by these regulations.
NIST CSF is broken down into four tiers, which define the degree to which an organization has implemented its standards and practices. Organizations should start by determining their current tier, then create a roadmap for improvement. The tiers are as follows:
Organizations can progress through the tiers by updating their cybersecurity strategy, processes, training, and tools.
With the CIS CSC framework, the 20 controls are ordered by priority. Therefore, rather than trying to implement them all at once, organizations should tackle the controls in order. As with NIST CSF, they can also work their way through the tiers from Basic to Organizational.
Although these frameworks are written in plain language, they are often complex to implement. Businesses without a dedicated cybersecurity team often lack the necessary time and expertise to maintain them, and therefore many choose to work with an expert cybersecurity partner.
Get help implementing your cybersecurity framework
An IT partner with in-depth cybersecurity knowledge can help your business implement the core processes, policies, and practices of a cybersecurity framework. Not only will this mitigate your risk of non-compliance, but it could also protect your organization from a disastrous data breach or cyber attack. Frameworks also act as a useful budgeting tool, as they expose areas where your current cybersecurity processes and infrastructure are lacking.
The experts at Umbrella are experienced at implementing NIST CSF, CIS CSC, and other industry-specific cybersecurity frameworks. To find out how we can help you achieve long-term regulatory compliance and industry-standard cybersecurity, contact us today.