This is part 4 of our ongoing blog series on the NIST Cybersecurity Framework. To view our previous posts in this series, please see the links below:
After the countless hours and days spent identifying assets within the organization, researching and implementing ways to protect those assets, and even going the extra mile by implementing detection mechanisms to alert us in the event of an incident, the stressful day has arrived and the fourth function, Respond, must be initiated. The NIST Cybersecurity Framework defines the Respond function as: "Develop and implement the appropriate activities to take action regarding a detected cybersecurity event." The Respond function is further broken down into five categories (outlined below) which identify specific areas that organizations should consider in their risk management analysis. Of the 98 subcategories within the NIST Cybersecurity Framework, 15 are addressed within the Respond function.
The third function that will be discussed is Detect. After we have identified the assets within our organization and have implemented ways to protect those assets, we need to implement measures to detect cybersecurity incidents that may occur. This can be achieved using multiple monitoring systems, such as Intrusion Detection and Prevention Systems (IDS/IPS), File Integrity Monitoring (FIM), or even good old log reviews.
As promised in last month's blog about the NIST Cybersecurity Framework Identify function, this month we are discussing the Protect function. After an organization has addressed the five categories within the Identify function (Asset Management (ID.AM), Business Environment (ID.BE), Governance (ID.GV), Risk Assessment (ID.RA), and Risk Management Strategy (ID.RM)), the next step to consider is how, and with what, it will protect the items within those categories. While all parts of the framework are important and serve a critical purpose in the overall security of an organization, in my opinion the Protect function should be considered the most important. The Protect function is the largest portion of the NIST Cybersecurity Framework and is defined as: "Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services." The Protect function is further broken down into six categories (outlined below) which identify specific areas that organizations should consider in their risk management analysis. Of the 98 subcategories within the NIST Cybersecurity Framework, 35 are addressed within the Identify function.
We are in the third part of a six-part series on the NIST Cybersecurity Framework and the core, or functions, of the framework. In the last two posts, we talked about the Identify and Protect functions of the framework and used the analogy of building a house. When you build a house, you must start with a foundation for the house to be built on (Identify). Next, you need to frame out the house, giving it walls and a roof to keep you safe from the weather and other elements (Protect). Once the house is built, you need to put items in it that alert you to any pending danger or threat: smoke detectors, carbon monoxide detectors, and home alarm systems. Using that same analogy, this is the Detect function of the core.