A Tool to Support your Cyber-resilience
In today’s digital world, nearly all of our personal and business information exists in electronic form. Most businesses rely heavily on technology for their transactions, whether that is swiping a credit card, placing supplier orders, paying bills, generating invoices, or sharing information by email. When this data falls into the wrong hands, the consequences can be devastating.
However, just as technology can be used against us, it can also be a powerful tool for protecting our business and personal data. Many resources are available to help mitigate these risks, including the implementation of a robust cybersecurity framework. Such a framework is vital for preventing and addressing the internal and external technology-related threats that organizations face, safeguarding not only the business itself but also its clients and personnel.
In this newsletter, we will explore what a Cybersecurity Framework is, the tools available to implement it, and how businesses can use these tools to identify risks, protect their assets, detect anomalous events, respond to those events and recover from incidents that disrupt normal business activities.
What is a Cyber Security Framework?
The following is an adapted definition from the glossary of the National Institute of Standards and Technology, NIST:
A cybersecurity framework is a risk-based approach to reducing cybersecurity risk through a structured set of guidelines and best practices.
The primary objective of any Cybersecurity Framework is to manage cybersecurity risks alongside other business risks, including those related to finance, privacy, supply chain, reputation, technology, and physical security.
There are several cybersecurity frameworks, such as ISO/IEC 27001, SOC 2 and CyberSecure Canada. In this newsletter we will focus exclusively on the NIST Cybersecurity Framework.
What is the NIST Cybersecurity Framework?
The National Institute of Standards and Technology (NIST) is a non-regulatory US federal agency that promotes innovation by advancing measurement science, standards and technology. NIST developed the Cybersecurity Framework (CSF), which it defines as voluntary guidance that helps organizations, regardless of size, sector, or maturity, better understand, assess, prioritize, and communicate their cybersecurity efforts. The framework is not a one-size-fits-all approach to managing cybersecurity risks: the Small Business Quick-Start Guide and the full CSF 2.0 are meant to help each organization consider and record its own risk tolerances, priorities, threats, vulnerabilities and requirements.
The official NIST CSF website offers a wealth of free material to assist in adopting the framework. You will find templates, spreadsheets, examples, videos and much more to help you begin your journey towards becoming risk smart. Notably, NIST has also published a French version of the introductory guide, NIST CSF 2.0 Guide de démarrage rapide pour les petites entreprises.
In this newsletter, we will concentrate on understanding and applying the updated NIST CSF 2.0 specifically for small businesses. The tables and figures are extracted from the NIST CSF 2.0 documentation, and some of the text is liberally quoted from the NIST CSF 2.0 standard and related documents.
Why should I use it?
We frequently hear in the news about companies that have been compromised, leading to significant disruptions in their operations—sometimes for hours, days, or even months—due to ransomware attacks, identity theft, or IT service outages. These incidents illustrate how cybercriminals leverage technology to negatively affect our lives.
While the media often highlights high-profile corporate breaches, the truth is that cybercrime impacts everyone, not just large businesses. It has become an unavoidable aspect of our daily existence. Nowadays, thieves no longer need to physically rob banks while wearing masks and wielding weapons. Instead, they exploit technology from remote locations, often far from their targets. In many cases, they can simply use a phone to scam multiple individuals simultaneously, transferring funds from personal accounts into their own.
To put this in perspective, below are some statistics from the 2024 survey Perceptions and Attitudes of Canadian Organizations Toward Cybersecurity, conducted by CIRA.
Over one quarter of cyber professionals report that their organization has been the victim of a successful ransomware attack in the last 12 months, up from 17 per cent in 2021. Of those, 79 percent indicate that the organization paid ransom demands.
No company is too small to follow and implement a cybersecurity framework (CSF), and by doing so, your company will be better prepared in the event of a cybersecurity incident.
NIST Cybersecurity Framework 2.0: Small Business Quick-Start Guide Overview
- Provides guidance for small-to-medium-sized businesses (SMB) to kick-start their cybersecurity risk management strategy using the NIST Cybersecurity Framework (CSF) 2.0.
- Helps organizations understand, assess, prioritize, and communicate cybersecurity efforts.
- Organizes cybersecurity outcomes into six high-level functions: Govern, Identify, Protect, Detect, Respond, and Recover.
Note: In February 2024, NIST released CSF 2.0. The goal of this new version is to help CSF become more adaptable and thus widely adopted across a wider range of organizations. Any organization looking to adopt CSF for the first time should use this newer version and organizations already using it can continue to do so but with an eye to adopt 2.0 in the future.
The Functions
This section explains the CSF Core Functions and their importance in cybersecurity risk management, providing an overview of the cyclical process for managing cybersecurity.
The CSF Core consists of six functions: GOVERN, IDENTIFY, PROTECT, DETECT, RESPOND, and RECOVER.
Each function has specific outcomes and responsibilities, such as establishing cybersecurity strategy and identifying risks. They should be addressed concurrently to prevent, detect, respond, and recover from cybersecurity incidents.
The CSF Core applies to all types of technology environments, including Information Technology, Operational Technology and the Internet of Things.
The functions, categories, and subcategories are intended to be forward-looking and adaptable to future changes in technologies.
The functions are interconnected, with GOVERN at the centre informing the implementation of the other five functions.
GOVERN (GV)
GOVERN. The Govern function helps you establish and monitor your business’s cybersecurity risk management strategy, expectations, and policy
Actions include:
- Understand the specific cybersecurity risks of the organization based on its mission, vision and objectives, its legal requirements, and the particularities of the environment and industry in which it operates
- Develop the risk strategy from internal information as well as from external information coming from the industry and the geopolitical environment
- Prioritize managing cybersecurity risks alongside other business risks
- Define the cybersecurity governance framework, including policies and clear roles and responsibilities for all the cybersecurity functions (govern, identify, protect, detect, respond, recover)
- Communicate policies and cybersecurity practices, with leadership communication that supports a risk-aware culture
- Assess the potential impact of cybersecurity risks on critical business assets, the role of cybersecurity insurance, and the risks posed by suppliers
- Continuously monitor risks and identify improvements to the cybersecurity posture.
FUNCTION | CATEGORY
--- | ---
GOVERN (GV): The organization’s cybersecurity risk management strategy, expectations, and policy are established, communicated, and monitored | Organizational Context (GV.OC): The circumstances – mission, stakeholder expectations, dependencies, and legal, regulatory, and contractual requirements – surrounding the organization’s cybersecurity risk management decisions are understood
 | Risk Management Strategy (GV.RM): The organization’s priorities, constraints, risk tolerance and appetite statements, and assumptions are established, communicated, and used to support operational risk decisions
 | Roles, Responsibilities, and Authorities (GV.RR): Cybersecurity roles, responsibilities, and authorities to foster accountability, performance assessment, and continuous improvement are established and communicated
 | Policy (GV.PO): Organizational cybersecurity policy is established, communicated, and enforced
 | Oversight (GV.OV): Results of organization-wide cybersecurity risk management activities and performance are used to inform, improve, and adjust the risk management strategy
 | Cybersecurity Supply Chain Risk Management (GV.SC): Cyber supply chain risk management processes are identified, established, managed, monitored, and improved by organizational stakeholders
IDENTIFY (ID)
IDENTIFY. The Identify function helps you determine the current cybersecurity risk to the business
The Identify function covers the following aspects:
- Identify the critical business processes and the assets that support them
- Maintain an inventory of the hardware, software, applications, cloud solutions and services that the organization uses
- Document the information flow: data transfers between internal systems and with external entities
- Identify threats and vulnerabilities and determine the resulting risks. The risks identified should be documented in a risk register that also records the risk response actions, and they should be continuously monitored
- Identify improvements based on lessons learned.
FUNCTION | CATEGORY
--- | ---
IDENTIFY (ID): The organization’s current cybersecurity risks are understood | Asset Management (ID.AM): Assets (e.g., data, hardware, software, systems, facilities, services, people) that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to organizational objectives and the organization’s risk strategy
 | Risk Assessment (ID.RA): The cybersecurity risk to the organization, assets, and individuals is understood by the organization
 | Improvement (ID.IM): Improvements to organizational cybersecurity risk management processes, procedures and activities are identified across all CSF Functions
PROTECT (PR)
PROTECT. The Protect function supports your ability to use safeguards to prevent or reduce cybersecurity risks
The Protect function supports the capability to secure the organization’s assets. The main activities considered in this function are the following:
- Use safeguards to prevent or reduce cybersecurity risks
- Manage logical and physical access
- Train users so that they are aware of security practices in their day-to-day activities; communicate and explain security policies, and teach staff to recognize common attacks and perform basic cyber hygiene tasks
- Protect and monitor devices, control and manage their configurations, and ensure that devices are securely disposed of
- Protect sensitive data at rest and in transit with encryption
- Implement data integrity checks to detect and control changes to data.
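The last item above, integrity checks that control changes to data, is the one Protect activity that is easy to demonstrate in code. The following is an added example, not code from the newsletter or from NIST: it takes a baseline of SHA-256 hashes over a directory tree, signs the baseline with an HMAC key (assumed here to be stored somewhere the monitored host cannot write, so an intruder who edits files cannot also quietly rewrite the manifest), and later reports which files were modified, added or removed. The directory contents, file names and the key are constructed for the demonstration.

```python
import hashlib
import hmac
import json
import os
import tempfile
from pathlib import Path


def hash_file(path):
    """SHA-256 of a file, read in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map of relative path -> SHA-256 for every regular file under root."""
    root = Path(root)
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): hash_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def sign_baseline(baseline, key):
    """Attach an HMAC-SHA256 over the canonical JSON of the baseline."""
    payload = json.dumps(baseline, sort_keys=True).encode()
    return {"files": baseline, "mac": hmac.new(key, payload, "sha256").hexdigest()}


def load_baseline(signed, key):
    """Verify the manifest MAC before trusting any hash it contains."""
    payload = json.dumps(signed["files"], sort_keys=True).encode()
    expected = hmac.new(key, payload, "sha256").hexdigest()
    if not hmac.compare_digest(expected, signed["mac"]):
        raise ValueError("baseline manifest was altered or the key is wrong")
    return signed["files"]


def verify(root, signed, key):
    """Compare the current tree against the signed baseline."""
    baseline = load_baseline(signed, key)
    current = build_baseline(root)
    return {
        "modified": sorted(f for f in baseline if f in current and current[f] != baseline[f]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


def demo():
    """Constructed end-to-end run: baseline a small tree, tamper with it, verify."""
    key = b"constructed-demo-key-do-not-reuse"  # assumption: real key lives off the host
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "config").mkdir()
        (root / "bin").mkdir()
        (root / "config" / "app.conf").write_text("debug=false\n")
        (root / "bin" / "run.sh").write_text("#!/bin/sh\necho ok\n")
        signed = sign_baseline(build_baseline(root), key)

        # Simulated unauthorized changes: edit, drop in a new script, delete a file
        (root / "config" / "app.conf").write_text("debug=true\n")
        (root / "bin" / "evil.sh").write_text("#!/bin/sh\necho pwned\n")
        (root / "bin" / "run.sh").unlink()
        report = verify(root, signed, key)

        # An intruder who rewrites the manifest to hide the edit lacks the key,
        # so the MAC no longer matches and the forged manifest is rejected
        forged = {"files": dict(signed["files"]), "mac": signed["mac"]}
        forged["files"]["config/app.conf"] = hash_file(root / "config" / "app.conf")
        try:
            load_baseline(forged, key)
            tamper_detected = False
        except ValueError:
            tamper_detected = True
    return report, tamper_detected


if __name__ == "__main__":
    print(demo())
```

In practice the signed manifest would be produced at deployment time and re-checked on a schedule, with the report feeding the Detect function; the point of the HMAC is that a plain hash list offers no protection if the attacker can overwrite the list along with the files.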
FUNCTION | CATEGORY
--- | ---
PROTECT (PR): Safeguards to manage the organization’s cybersecurity risks are used | Identity Management, Authentication, and Access Control (PR.AA): Access to physical and logical assets is limited to authorized users, services, and hardware and managed commensurate with the assessed risk of unauthorized access
 | Awareness and Training (PR.AT): The organization’s personnel are provided with cybersecurity awareness and training so that they can perform their cybersecurity-related tasks
 | Data Security (PR.DS): Data are managed consistent with the organization’s risk strategy to protect the confidentiality, integrity, and availability of information
 | Platform Security (PR.PS): The hardware, software (e.g., firmware, operating systems, applications), and services of physical and virtual platforms are managed consistent with the organization’s risk strategy to protect their confidentiality, integrity, and availability
 | Technology Infrastructure Resilience (PR.IR): Security architectures are managed with the organization’s risk strategy to protect asset confidentiality, integrity, and availability, and organizational resilience
DETECT (DE)
DETECT. The Detect Function provides outcomes that help you find and analyze possible cybersecurity attacks and compromises
The activities included in this function are the following:
- Monitor networks, systems and facilities continuously to find potentially adverse events
- Understand the indicators of a cybersecurity incident
- Collect logs from different sources to detect unauthorized activity
- Determine the impact of adverse events and communicate it to authorized personnel so that the appropriate incident response actions are taken.
FUNCTION | CATEGORY
--- | ---
DETECT (DE): Possible cybersecurity attacks and compromises are found and analyzed | Continuous Monitoring (DE.CM): Assets are monitored to find anomalies, indicators of compromise, and other potentially adverse events
 | Adverse Event Analysis (DE.AE): Anomalies, indicators of compromise, and other potentially adverse events are analyzed to characterize the events and detect cybersecurity incidents
RESPOND (RS)
RESPOND. The Respond function supports your ability to take action regarding a detected cybersecurity incident
The actions included in this function are the following:
- Execute the incident response plan once an incident is declared
- Categorize and prioritize incidents, and escalate when needed
- Collect incident data and preserve its integrity and provenance
- Communicate confirmed incidents to stakeholders
- Contain and eradicate incidents.
FUNCTION | CATEGORY
--- | ---
RESPOND (RS): Actions regarding a detected cybersecurity incident are taken | Incident Management (RS.MA): Responses to detected cybersecurity incidents are managed
 | Incident Analysis (RS.AN): Investigations are conducted to ensure effective response and support forensics and recovery activities
 | Incident Response Reporting and Communication (RS.CO): Response activities are coordinated with internal and external stakeholders as required by laws, regulations, or policies
 | Incident Mitigation (RS.MI): Activities are performed to prevent expansion of an event and mitigate its effects
RECOVER (RC)
RECOVER. The Recover function involves activities to restore assets and operations that were impacted by a cybersecurity incident.
The main activities in this function include the following:
- Understand recovery responsibilities
- Execute the recovery plan to restore business operations as soon as possible
- Evaluate what went wrong, what went right and what can be improved; this allows the processes to be optimized and reduces the cybersecurity risk to the organization
- Communicate regularly with stakeholders, and document the closure of the incident and the resumption of normal activities.
FUNCTION | CATEGORY
--- | ---
RECOVER (RC): Assets and operations affected by a cybersecurity incident are restored | Incident Recovery Plan Execution (RC.RP): Restoration activities are performed to ensure operational availability of systems and services affected by cybersecurity incidents
 | Incident Recovery Communication (RC.CO): Restoration activities are coordinated with internal and external parties
CSF Implementation Examples
NIST provides comprehensive details for each category within every function. For specific examples of each subcategory, please refer to the CSF 2.0 Implementation Examples spreadsheet.
How does the CSF accommodate companies of different sizes?
The CSF created by NIST accommodates organizations of different sizes through various mechanisms such as:
- Flexibility in addressing unique risks, technologies and missions
- Providing a common language for effective communication
- Offering online resources like Quick Start Guides and Community Profiles
- Utilizing CSF Core, Profiles and Tiers for understanding, assessing and prioritizing cybersecurity risks
- Emphasizing continuous improvement and iterative processes
- Introducing Tiers to characterize rigor of cybersecurity practices
- Providing scalability and adaptability in the framework
- Allowing organizations to tailor Core Functions, Categories, and Subcategories
- Offering guidance for improvement and emphasizing awareness and training
- Addressing cybersecurity risks related to suppliers and third parties.
Community Profiles
A Community Profile is a baseline of CSF outcomes that is created and published to address shared interests and goals among several organizations. A Community Profile is typically developed for a particular sector, subsector, technology, threat type, or other use case.
These profiles help organizations prioritize actions, align cybersecurity efforts with industry-specific best practices and communicate information to stakeholders.
Community Profiles provide insights into how organizations implement the CSF, offering real-world applications and best practices. Organizations can use these profiles to learn from each other and improve their cybersecurity strategies based on successful models and experiences.
Examples of Community Profiles can be found on the NIST CSF website.
Conclusion
In conclusion, the NIST Cybersecurity Framework (CSF) 2.0 provides a comprehensive approach to managing and mitigating cybersecurity risks. By structuring the content of each category within each function, NIST gives organizations the guidance they need to enhance their cybersecurity posture.
This structured framework not only helps in identifying and protecting against potential threats but also in responding to and recovering from incidents effectively. Adopting the NIST CSF 2.0 can significantly bolster an organization’s resilience against cyber threats, fostering a more secure and robust digital environment.
Resources and Bibliographical References
CIRA, Perceptions and Attitudes of Canadian Organizations Toward Cybersecurity (2024 survey): https://www.cira.ca/uploads/2024/09/CIRA-2024-Cybersecurity-Report.pdf
NIST Cybersecurity Framework: https://www.nist.gov/cyberframework
Navigating NIST’s CSF 2.0 Quick Start Guides: https://www.nist.gov/quick-start-guides
NIST Cybersecurity Framework 2.0: US Small Business Quick-Start Guide (NIST SP 1300): https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1300.pdf
NIST Cybersecurity Framework Profiles: https://www.nist.gov/cyberframework/profiles
NIST Cybersecurity Framework: Examples of Community Profiles: https://www.nccoe.nist.gov/examples-community-profiles
NIST CSF 2.0 Resources: https://www.nist.gov/cyberframework/resources-0
NIST CSF 2.0 Implementation Examples (spreadsheet): https://www.nist.gov/document/csf-20-implementation-examples-xlsx
French version of the NIST CSF 2.0 Small Business Quick-Start Guide, Guide de démarrage rapide pour les petites entreprises: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1300.fre.pdf
Contributions
Special thanks for the financial support of the National Research Council Canada and its Industrial Research Assistance Program (IRAP).
Author: Yolanda Garcia, MEng., et al.
Executive Editor: Alan Bernardi