CIRA welcomed Jeff Gardiner, CIO at Compute Canada, to give a webinar on the NIST framework for cybersecurity.
NIST stands for the National Institute of Standards and Technology, a U.S.-based non-regulatory agency. This webinar provides some great content for IT pros, cybersecurity pros, and those looking for good ways to help convince their non-technical peers on the importance of frameworks.
In Canada, several organizations have adapted or otherwise used this framework in developing their own cybersecurity recommendations. For example, nationally, the Canadian Centre for Cyber Security (CCCS) published “Baseline Cyber Security Controls for Small and Medium Organizations”, while provincially, different governments are involved in helping businesses, government and non-profits (notably, the BC government publishes among the best sets of resources). And finally, if you do business internationally, the ISO cybersecurity standards may be a better fit for your organization, particularly if your customers and partners require them.
The key takeaway from this webinar is that some form of risk mitigation documentation can and should be done for all organizational types. For key business processes, risk can be assessed by placing each one on a matrix of impact versus probability.
Within NIST, there are five functions of the framework:
- Identify – Determine what assets are at risk
- Protect – Take steps to safeguard your IT assets
- Detect – Routinely monitor to alert for problems
- Respond – Plan for the worst and be ready to act
- Recover – Get back to normal after a breach
Notice something in “recover”? It is assumed that you will need to get back to normal after a breach. In other words, it is assumed that at some point you will face a successful cyber-attack and part of being ready is having the right documentation, plans and controls. The webinar goes into more detail on where to get the specific documentation to help you create your plans.
While this type of framework can be implemented by many IT folks to a greater or lesser degree, it has emerged as a specialty within the cybersecurity world. What is certain is that if an organization is looking to implement a framework then they need an internal champion and/or an external consultant to drive the process – again to the level of sophistication based on the risk of your situation.
While the radial diagram below looks complex, organizations in stages one or two of their sophistication can start with some baseline analysis. The documentation the framework provides plugs into fairly easy-to-read implementation stage diagrams, so you know where the gaps are and where you need to put your efforts.
The oft-quoted Peter Drucker said, "if you can’t measure it, you can’t manage it". The NIST framework provides a clear measurement model on which you can score your sophistication and implement according to what is right for your organization.
If you are new to NIST, or looking to add some additional measurement to your existing implementation, and you are a CIRA Cybersecurity Awareness Training customer, then you can leverage the NIST functionality in the application to help you out. You'll not only meet one of the key components of the framework, but also improve measurement.