Cybersecurity is the protection of internet-connected systems, including hardware, software and data, from cyberattacks.
In a computing context, security comprises cybersecurity and physical security; both are used by enterprises to protect against unauthorized access to data centers and other computerized systems. Information security, which is designed to maintain the confidentiality, integrity and availability of data, is a subset of cybersecurity.
Cyber security comprises technologies, processes and controls that are designed to protect systems, networks and data from cyber attacks. Effective cyber security reduces the risk of cyber attacks, and protects organisations and individuals from the unauthorised exploitation of systems, networks and technologies.
This voluntary Framework consists of standards, guidelines, and best practices to manage cybersecurity-related risk. The Cybersecurity Framework's prioritized, flexible, and cost-effective approach helps to promote the protection and resilience of critical infrastructure and other sectors important to the economy and national security.
Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.
The activities in the Identify Function are foundational for effective use of the Framework. Understanding the business context, the resources that support critical functions, and the related cybersecurity risks enables an organization to focus and prioritize its efforts, consistent with its risk management strategy and business needs. Examples of outcome Categories within this Function include:
First, the CISO (Chief Information Security Officer) and security stakeholders must pinpoint the systems, devices, users, data and facilities that support key daily business processes; these items are then managed according to their criticality.
The final category within the Identify function relates to establishing the company's priorities, challenges, risk tolerances and assumptions, and then using these to enable the best operational risk decisions on the part of CISOs and their security stakeholders.
Here, the CISO and security stakeholders seek to glean a full understanding of the enterprise's policies and procedures for managing and monitoring regulatory, legal, risk, environmental and operational requirements, according to the NIST framework.
This category calls for CISOs and their security stakeholders to ensure a full understanding of the cybersecurity risks that could impact the business, its users and the critical IT systems and platforms they use to complete daily operations.
This category covers the prioritization of the company's mission, goals, stakeholders and processes, which is then leveraged to inform the creation of roles, responsibilities and key security decision-makers.
Supply chain risk management (SCRM) is "the implementation of strategies to manage both everyday and exceptional risks along the supply chain based on continuous risk assessment with the objective of reducing vulnerability and ensuring continuity".
Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services. The Protect Function supports the ability to limit or contain the impact of a potential cybersecurity event. Examples of outcome Categories within this Function include:
As noted, much of this function revolves around creating secure access protections for authorized users while ensuring that unauthorized users aren't able to view, access or change the company's systems, data and assets. First, CISOs and their teams must ensure that the identities and credentials related to their pool of authorized users are appropriately managed. From here, security stakeholders should look to manage and protect physical as well as remote access to their IT assets.
A critical part of the Protect function also involves supporting efforts with security education. Under this category, security decision-makers must train personnel so that they can efficiently and effectively carry out the protection tasks outlined in the company's policies and vendor agreements.
Once CISOs and their counterparts have appropriately managed access credentials and have provided security education for their workforce, they can move on to data security efforts. Within this category, security stakeholders work to consistently manage data in a way that aligns with the business's risk strategy, and support the confidentiality and integrity of information while also ensuring its availability.
This category involves maintaining and leveraging security policies, processes and procedures to adequately protect critical data and the systems that support it. These policies were initially created under the Governance category of the Identify function.
Here, CISOs and their stakeholders should ensure that maintenance takes place in a scheduled manner, and that any remote maintenance is done carefully so as to avoid unauthorized access.
This category focuses on the technical security solutions, and calls for the documentation, implementation and review of audit and log records, and the protection of removable media and of communications and control networks.
Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event. The Detect Function enables timely discovery of cybersecurity events. Examples of outcome Categories within this Function include:
CISOs and their teams should be able to detect anomalous activity, that is, activity that is or could be associated with a cybersecurity incident, in a timely manner. CISOs must also strive to understand the potential impact of this aberrant activity, and establish incident alert thresholds.
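The following is an added illustration of the two ideas in this category, an alert threshold and an impact estimate, and is not code from the page or from the NIST Framework. It scans a constructed set of authentication log lines (the log format, the account tiers and the threshold values are all assumptions made for the example), raises an alert when one source exceeds a number of failed logins for one account inside a time window, and raises the severity when the burst is followed by a successful login or when the account is in a tier the Identify function marked as critical.

```python
"""Threshold-based anomaly detection over authentication log lines.

Added example, not code from the page or from NIST. The log format,
account tiers and threshold values below are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. Assumed line format:
# "<ISO timestamp> <FAIL|OK> user=<account> src=<ip>"
SAMPLE_LOG = """\
2024-03-01T09:00:01 FAIL user=alice src=10.0.0.5
2024-03-01T09:00:03 FAIL user=alice src=10.0.0.5
2024-03-01T09:00:04 FAIL user=alice src=10.0.0.5
2024-03-01T09:00:06 FAIL user=alice src=10.0.0.5
2024-03-01T09:00:08 FAIL user=alice src=10.0.0.5
2024-03-01T09:00:09 OK   user=alice src=10.0.0.5
2024-03-01T09:15:00 FAIL user=bob   src=10.0.0.9
2024-03-01T09:45:00 FAIL user=bob   src=10.0.0.9
2024-03-01T10:00:00 OK   user=svc-backup src=10.0.0.20
"""

# Assumed account tiers produced by the Identify function's asset inventory.
ACCOUNT_TIER = {"alice": "admin", "bob": "standard", "svc-backup": "service"}

# Assumed alert threshold: this many failures from one source for one
# account within WINDOW is anomalous.
THRESHOLD_FAILURES = 5
WINDOW = timedelta(minutes=5)


def parse_line(line):
    """Split one log line into a dict; str.split() absorbs repeated spaces."""
    ts, result, user, src = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "result": result,
        "user": user.split("=", 1)[1],
        "src": src.split("=", 1)[1],
    }


def base_severity(user):
    """Impact estimate: a burst against a privileged account matters more."""
    return "medium" if ACCOUNT_TIER.get(user) == "admin" else "low"


def detect(log_text, threshold=THRESHOLD_FAILURES, window=WINDOW):
    """Return one alert per (account, source) pair that crosses the threshold."""
    failures = defaultdict(list)  # (user, src) -> timestamps of recent failures
    alerts = {}                   # (user, src) -> alert once the threshold is hit
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        key = (ev["user"], ev["src"])
        if ev["result"] == "FAIL":
            # Keep only failures still inside the sliding window.
            recent = [t for t in failures[key] if ev["ts"] - t <= window]
            recent.append(ev["ts"])
            failures[key] = recent
            if len(recent) >= threshold and key not in alerts:
                alerts[key] = {
                    "user": ev["user"],
                    "src": ev["src"],
                    "failures": len(recent),
                    "window_start": recent[0],
                    "followed_by_success": False,
                    "severity": base_severity(ev["user"]),
                }
            elif key in alerts:
                alerts[key]["failures"] = len(recent)
        elif ev["result"] == "OK" and key in alerts:
            # A success right after a failure burst is the highest-impact case.
            if ev["ts"] - alerts[key]["window_start"] <= window:
                alerts[key]["followed_by_success"] = True
                alerts[key]["severity"] = "high"
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Bob's two failures are thirty minutes apart, so they never share a window and produce no alert; alice's five failures in eight seconds trip the threshold, and the success that follows escalates the alert to high. Tuning `THRESHOLD_FAILURES` and `WINDOW` per account tier is exactly the "alert threshold" decision the text assigns to the CISO.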
Continuous monitoring is a risk management approach to cybersecurity that maintains an accurate picture of an agency's security risk posture, provides visibility into assets, and leverages use of automated data feeds to quantify risk, ensure effectiveness of security controls, and implement prioritized remedies.
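As an added example of the continuous-monitoring idea above (not code from the page or from NIST), the script below consumes a constructed JSON feed of the kind an automated inventory or configuration tool might emit, checks each asset against a few control expectations, weights the failing controls by exposure and by the asset criticality assigned under the Identify function, and returns a remediation list ordered by risk. The feed contents, field names, control weights and patch SLA are all assumptions made for the illustration.

```python
"""Risk posture from an automated asset feed, with prioritized remedies.

Added example, not code from the page or from NIST. The feed, its field
names, the control weights and the patch SLA are constructed assumptions.
"""
import json

# Constructed feed (assumed shape) from an automated inventory/config tool.
ASSET_FEED = json.dumps([
    {"asset": "db-prod-01", "criticality": 5, "days_since_patch": 45,
     "mfa": True, "logging": True, "exposed": False},
    {"asset": "web-dmz-02", "criticality": 4, "days_since_patch": 10,
     "mfa": False, "logging": True, "exposed": True},
    {"asset": "hr-laptop-17", "criticality": 2, "days_since_patch": 120,
     "mfa": True, "logging": False, "exposed": False},
    {"asset": "build-srv-03", "criticality": 3, "days_since_patch": 3,
     "mfa": True, "logging": True, "exposed": False},
])

# Assumed policy value and per-control weights (likelihood contribution).
PATCH_SLA_DAYS = 30
CONTROL_WEIGHT = {"patching": 3, "mfa": 4, "logging": 2}


def control_findings(asset):
    """Return (control, description) for each control the asset fails."""
    findings = []
    if asset["days_since_patch"] > PATCH_SLA_DAYS:
        findings.append(("patching", "patch age %d d exceeds SLA of %d d"
                         % (asset["days_since_patch"], PATCH_SLA_DAYS)))
    if not asset["mfa"]:
        findings.append(("mfa", "MFA not enforced"))
    if not asset["logging"]:
        findings.append(("logging", "audit logging disabled"))
    return findings


def risk_score(asset):
    """likelihood (failing-control weights, doubled if exposed) x criticality."""
    likelihood = sum(CONTROL_WEIGHT[c] for c, _ in control_findings(asset))
    if asset["exposed"]:
        likelihood *= 2
    return likelihood * asset["criticality"]


def posture(feed_json):
    """Score every asset in the feed and return them highest-risk first."""
    rows = []
    for asset in json.loads(feed_json):
        rows.append({
            "asset": asset["asset"],
            "score": risk_score(asset),
            "remedies": [desc for _, desc in control_findings(asset)],
        })
    rows.sort(key=lambda r: r["score"], reverse=True)
    return rows


if __name__ == "__main__":
    for row in posture(ASSET_FEED):
        print(row["score"], row["asset"], row["remedies"])
```

Re-running `posture()` every time the feed updates is what turns a one-off assessment into continuous monitoring: the score drops as remedies land, and a new finding on a critical, exposed asset moves straight to the top of the list.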
Here, CISOs and their stakeholders work to maintain all processes and procedures related to the detection of anomalous activity and protections against cybersecurity events. This includes defining the roles and responsibilities involved in detection, and ensuring that these activities align with industry compliance.
Develop and implement the appropriate activities to take action regarding a detected cybersecurity event. The Response Function supports the ability to contain the impact of a potential cybersecurity event. Examples of outcome Categories within this Function include:
Upon the threat being recognized as part of the Detect function, the Response function begins with the execution of previously created response procedures. These response plans must be carried out in a timely fashion, either while the cybersecurity event is still taking place, or after, depending upon the timeliness of threat detection.
This critical step includes processes to contain the incident, prevent it from spreading and mitigate the potential damage of the threat. In addition, any new vulnerabilities not identified in the past are documented and included as part of the company
During this process, CISOs and their teams examine and investigate detection system notifications to analyze the impact of the event, as well as the adequacy of the enterprise's response. This is also when forensics are performed.
Finally, CISOs and other stakeholders examine the lessons learned from responding to the threat, and work to incorporate these findings into future response strategies.
This category will lean heavily upon the CISO and his or her team. Here, internal and external stakeholders, typically led by the CISO and IT admins, coordinate response activities, and may reach out to law enforcement for support if needed. During this process, individuals follow response plans and understand their roles therein; the initial threat event and any associated events are reported; and this data is shared with stakeholders so that actions remain consistent with the response plans. In addition, details about the event can be voluntarily shared with key stakeholders outside the company.
Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event.
The Recover Function supports timely recovery to normal operations to reduce the impact from a cybersecurity event. Examples of outcome Categories within this Function include:
The CISO and his or her stakeholders lead as the recovery plan is carried out. Depending on timing, this can occur while the event is still taking place, or after the incident has ended. Again, the key here is timeliness: any systems or platforms impacted by the incident must be addressed and service restored.
It's important that lessons learned during the incident are identified and used to update and improve recovery plans. The CISO and his or her team should spearhead these efforts, and work to ensure the quickest response and recovery possible.
The final part of this function includes coordinating efforts with internal and external stakeholders, where necessary. The CISO and his or her team should communicate recovery plans and processes with internal managers and the executive team. In addition, communication efforts can include working with internet and managed services providers, technology vendors and other owners of attacked systems to support public relations and mitigate damage to the company's reputation.