How to implement a cyber security framework – 5 step plan

Cyber security is more important than ever before. In a post-COVID-19 world, cyber threats are more prevalent than ever before and protecting unauthorised access to data centres and other computerised systems is something no business can afford to be without.

For many businesses, an ad hoc approach to cyber security is ineffective. With no clear plan in place, it is difficult to monitor and manage all the potential cyber threats to your business.

A cyber security framework is a great way for any business to put in place a clear plan to manage and mitigate against the threats of cyber-crime.

Another way to combat cyber crime is to put in place an Incident Response Plan and you can read more about that in one of our previous posts.

What is a cyber security framework?

A cyber security framework is a series of documents defining the best practices an organisation follows to manage its cybersecurity risk. Such frameworks reduce a company’s exposure to vulnerabilities.

When applied properly, a cybersecurity framework enables IT security leaders to manage their companies’ cyber risks more intelligently. An organisation can adapt an existing cybersecurity framework to meet its own needs or develop one internally.

The NIST Cyber Security Framework

The National Institute of Standards (NIST) first developed a cyber security framework in 2014 to provide guidance for organisations looking to bolster their cyber security defences.

The NIST Cyber Security Framework (CSF) has more recently been updated to Version 1.1.

It was created by cybersecurity professionals from government, academia, and various industries at the behest of President Barack Obama and later made into federal government policy by the new administration.  

The NIST CSF is the benchmark for cyber security frameworks and can be tailored to meet the needs of any organisation.

Tailoring the NIST Cyber Security Framework for your business

The content of the NIST CSF is freely available and there are several handy resources available to IT Managers to help understand the content of the CSF.

Tailoring the framework to your own business needs is easier said than done, however in this post, we have laid out five key steps you need to take in order to tailor your own cyber security framework, using the NIST CSF as the basis for your own framework.

Step 1: Set your target goals

As with most plans, the key to success is understanding what you want to achieve by putting this framework in place. That way, you can better understand and measure what success looks like.

For most businesses, the key decisions to make when setting goals are the risk tolerance levels that are acceptable to both the C-Suite and to your IT department.

Typically, it would be the responsibility of the IT Management team to pull together a definitive agreement that clarifies exactly what level of risk is acceptable to your organisation.

Setting clear budgets is also a crucial step and is essential when setting goals. Work within the confines of your own business when setting goals and this includes financial constraints to achieving those goals.

It may make sense to run a trial within a single department to learn what works and what doesn’t. Feedback at this stage can save you valuable resources once the framework is rolled out across the entire business and can help you to streamline your goals to make them more accurate and achievable.

Step 2: Create a detailed profile

The next step is to drill deeper and tailor the framework to your specific business needs.

NIST’s Framework Implementation Tiers will help you understand your current position and where you need to be. They are divided into three areas:

• Risk Management Process
• Integrated Risk Management Program
• External Participation

Like most of the NIST CSF, these should not be taken as set in stone. They can be adapted for your organisation.

Each one runs from Tier 1 to Tier 4.

Tier 1 – Partial – generally denotes an inconsistent and reactive cybersecurity stance.

Tier 2 – Risk Informed – allows for some risk awareness, but planning is consistent.

Tier 3 – Repeatable – indicates organization-wide CSF standards and consistent policy.

Tier 4 – Adaptive – refers to proactive threat detection and prediction.

These tiers should be aligned to the goals you set out in step one of this process. The higher levels are considered a more complete implementation of CSF standards and these are what you should aspire to. Your ability to proactively detect and predict threats to your business will most likely be dependant on the budget allocated to cyber security and your goals and your ability to match your goals to these tiers should reflect that.

Step 3: Assess your current position

Once you have set your goals and created a detailed profile, it is time to assess your current position.

The starting point for this is a detailed risk assessment to establish your current status. You can utilise open source or commercial software tools capable of scoring your target areas or engage with a cyber security specialist for them to carry out an independent assessment of your current position.

Once all areas have been scored, you will be able to present the findings to your key stakeholders, showing the security risks to organisational operations, assets, and individuals. Vulnerabilities and threats should be clearly identified at this stage of the process.

Step 4: Gap analysis and action plan

Armed with a deeper understanding of risks and potential business impacts, you can move on to a gap analysis.

At this stage of the process, you can compare your actual scores with your target scores. You may want to create a heat map to illustrate the results in an accessible and digestible way. Any significant differences immediately highlight areas that you will want to focus on.

Work out what you need to do to close the gaps between your current scores and your target scores.

Identify a series of actions that you can take to improve your scores and prioritise them through discussion with all key stakeholders. Specific project requirements, budgetary considerations, and staffing levels may all influence your plan.

Step 5: Implement your action plan

With a clear picture of the current health of your defences, a set of organisationally aligned target goals, a comprehensive gap analysis, and a set of remediation actions, you are now ready to implement the NIST CSF.

Use your first implementation as an opportunity to document processes and create training materials for wider implementation down the line.

The implementation of your action plan is not the end.

Your CSF should be continually reviewed to monitor its performance and goals continually re-evaluated to ensure they are meeting the changing landscape of the cyber security sector.

This should include an ongoing process of iteration and validation with key decision makers.  To get the maximum benefit, you will need to hone the implementation process and further customize the NIST CSF to fit your business needs.

Summary

A cyber security framework is an essential element when tackling the threat of cyber crime for your business. Without clear goals in place and an understanding of the risk tolerance levels, measuring the success of your cyber security efforts becomes extremely difficult.

By following these five clear steps and tailoring the NIST CSF to your business, you are providing your business with the best possible path to successfully combatting cyber-crime, helping to protect unauthorised access to data centres and other computerised systems.

If you would like to talk to us about your cyber security needs and learn more about tailoring a cyber security framework for your business, speak to one of our team today.