Because Cyberattacks Are Real, Look to Information Security Governance
For all organizations doing business in the 21st century, cybersecurity attacks are a real concern — especially as the frequency and sophistication of these attacks increase. Unfortunately, most organizations are unaware of proper cybersecurity practices, believing that good cybersecurity is a static state that can be achieved by installing the right antivirus. In truth, the heart of cybersecurity is risk management and risk mitigation, as dictated by the process of Information Security Governance. The National Institute of Standards and Technology (NIST) defines Information Security Governance as:
“The process of establishing and maintaining a framework to provide assurance that information security strategies are aligned with and support business objectives, are consistent with applicable laws and regulations through adherence to policies and internal controls, and provide assignment of responsibility, all in an effort to manage risk.”
SideChannel offers the Cybersecurity Compliance service to help organizations adhere to Information Security Governance. Our vCISOs can help organizations define their cybersecurity goals and the components necessary for success, such as good risk management. However, in order to implement the process successfully, a strong foundational framework is necessary.
How the NIST CSF v1.1 Framework Helps
Released in 2018 following the v1.0 release in 2014, the NIST Cybersecurity Framework (CSF) v1.1 is a policy framework that aims to help organizations better understand, manage, and reduce their cybersecurity risks. It has four core elements: Functions, Categories, Subcategories, and Informative References. The NIST CSF v1.1 is not meant to be an exhaustive step-by-step process or checklist; it is meant to serve as a guide that businesses can apply based on their specific needs and situation. To this end, its four core elements provide a set of activities for achieving specific cybersecurity outcomes and guidance for achieving those outcomes. Basic cybersecurity activities are categorized into five functions:
- Identify: Organizing information on systems, people, assets, data, and capabilities
- Protect: Implementing safeguards for critical activities
- Detect: Developing systems for timely identification of cybersecurity events
- Respond: Planning what actions to take in response to cybersecurity events
- Recover: Developing plans to restore any capabilities or services impaired by cybersecurity events
In essence, using the NIST CSF v1.1 framework provides oversight to ensure that risks are adequately mitigated, and afterward supports management in verifying that the controls chosen to mitigate those risks are actually implemented.
As mentioned, NIST CSF v1.1 is not a checklist that organizations can use as a one-size-fits-all approach for addressing their cybersecurity issues. Different organizations and sectors face different threats, vulnerabilities, and risk tolerances, so customizing the framework to suit your organization’s needs is paramount to its success. If you are not confident in your ability to apply the NIST CSF v1.1, consider hiring a firm that offers the services of a CISO or vCISO. With their technical expertise, they are experienced in developing robust risk management and risk mitigation practices, as well as conducting quarterly assessments to track progress and delivering status updates as needed.