Companies of all sizes, from small businesses to large enterprises, require a systematic approach to cybersecurity. A systematic approach enables employees at all levels to understand risk and their role in the security puzzle, and allows them to focus on their primary tasks.
For enterprises, building their approach is simplified by the fact that they have dedicated skilled teams to manage security and compliance. Smaller companies struggle with their cybersecurity implementation due to the lack of dedicated teams and skills. Luckily, the NIST Cybersecurity Framework can help.
Who is NIST, and what is the Cybersecurity Framework?
NIST, or the National Institute of Standards and Technology, is a non-regulatory United States agency. The agency is tasked with driving innovation and competition.
NIST wrote the Cybersecurity Framework in 2014 to provide computer security guidance to private companies that operate and control critical infrastructure. Today, the framework is for all private organizations and is not limited to those that manage critical infrastructure.
The document separates security into five functions: Identify, Protect, Detect, Respond, and Recover. It divides each function further into categories and sub-categories to guide the reader.
How does the framework help smaller companies?
The structure makes it easy to break down the components required to secure an organization and provides references to additional details. Companies can map their current security strategies against the framework to see what they are already doing and to identify areas for improvement. Because the framework is clearly written and broken down into categories, this analysis does not require a large technical team.
MSJ uses the framework as a guide for both our own processes and the design of operations for our clients. We recommend that our clients review the NIST document, and we can help walk them through analyzing their policies against the framework.
The framework publication is free and is available at https://doi.org/10.6028/NIST.CSWP.04162018.