NIST CSF (Cybersecurity Framework)

NIST CSF Introduction

Version 1.0 of the National Institute of Standards and Technology Cybersecurity Framework was issued in February 2014 and provides a framework for improving critical infrastructure cybersecurity.  Version 1.1 released in April 2018 refines, clarifies, and enhances version 1.0 of the NIST Cybersecurity Framework (CSF).  

The National Institute of Standards and Technology is currently working on version 2.0 of the NIST CSF.  

Find the latest version of the NIST CSF at:  NIST CSF 

This article as an overview of the NIST Cybersecurity framework and is not meant to drill down to deep.  Separate articles drill down on each function in greater detail.

Table of Contents

• Organizational Benefits from NIST CSF
• Intro to the Five (5) NIST CSF Functions
• NIST CSF Identify
• NIST CSF Protect
• NIST CSF Detect
• NIST CSF Respond
• NIST CSF Recover
• NIST CSF Implementation Tiers
• Conclusion

Organizational Benefits from NIST CSF

Based on security practices known to be effective, the NIST Cybersecurity Framework (CSF), establishes a set of standard security functions and outcomes.  Organizations can use the NIST CSF to improve their cybersecurity posture.  It helps organizations foster communication about cybersecurity internally and externally and allows organizations to integrate and align cybersecurity risk management with enterprise risk management processes.

Introduction to the five (5) NIST CSF Functions

The NIST Cybersecurity framework is organized on 5 key functions:

NIST CSF Function Table

These five (5) functions are a comprehensive view of managing cybersecurity risk over time.  Each function is an important aspect of cybersecurity and all functions are needed to have an effective cybersecurity posture.

NIST CSF Identify

The NIST CSF Identify function helps to develops the ability to manage cybersecurity risk to: systems, assets, data, and capabilities.  It involves inventorying assets, systems, and data to determine what needs protecting.

The NIST CSF Identify function helps to:

1. Identify critical enterprise processes and assets
2. Document information flows
3. Maintain hardware and software inventory
4. Establish policies for cybersecurity that include roles and responsibilities
5. Identify threats, vulnerabilities, and risk to Assets

NIST CSF Protect

The NIST CSF Protect function is focused on putting in place the appropriate safeguards to ensure delivery of services.  So, implementing the protection mechanisms to ensure critical information systems and operational systems are protected and in service.

The Protect function helps to: 

1. Manage access to assets and Information
2. Protect Sensitive data
3. Conduct regular backups
4. Protect devices
5. Manage device vulnerabilities
6. Train Users

NIST CSF Detect

NIST CSF Detect function ensures the appropriate mechanisms and tools are in place to identify occurrences of cybersecurity events.  Detect is all about identifying when a cybersecurity event is happening.

1. The Detect function helps to:
2. Test and update detection processes
3. Know the expected data flows for your enterprise
4. Maintain and monitor logs
5. Understand the impact of cybersecurity events

NIST CSF Respond

The NIST CSF Respond function ensures the appropriate activities and mechanisms are in place to take appropriate actions when a cybersecurity event is detected.  The Respond function is all about taking swift action when a cybersecurity event happens to contain and prevent any further impacts. 

The NIST CSF Respond function helps to:

1. Ensure response plans are tested
2. Ensure response plans are updated
3. Internal and external stakeholder coordination is managed and in place

NIST CSF Recover

The NIST CSF Recover function ensures appropriate activities are in place to maintain plans for resilience and to restore systems, capabilities, or services impaired due to a cybersecurity event.   The respond function is focused on recovery or restoring any services that were impacted due to a cybersecurity event.

The NIST CSF Recover function helps to:

1. Communicate with internal and external stakeholders
2. Ensure recovery plans are updated
3. Manage public relations and company reputation

NIST CSF Implementation Tiers

NIST defines Implementation tiers for the Cybersecurity framework.  The Tiers denote increasing degrees of rigor and maturity regarding cybersecurity risk management practices.  The tier levels help with determining the extent to which cybersecurity risk management is informed by business needs and is integrated into an organization’s overall risk management practices.   

Tiers are defined to support organizational decision making on how to manage cybersecurity risk, as well as helping to determine the dimensions that are higher priority for an organization and should receive additional resources.  Obtaining higher tiers is encouraged when it is determined to be feasible and cost-effective for reduction of cybersecurity risk.

The Tier definitions are as follows:

• Tier 1: Partial
• Tier 2: Risk Informed
• Tier 3: Repeatable
• Tier 4: Adaptive

Conclusion

The NIST Cybersecurity Framework is important for increasing an organizations security posture.  The NIST CSF is built based on security practices that are known to be effective.  This is extremely helpful to organization in improving cybersecurity risk management practices.  NIST CSF is organized around 5 functions, Identify, Protect, Detect, Respond, and Recover.  The NIST Cybersecurity framework also helps to foster communication across internal and external stakeholders allowing organizations to work more collaboratively to improve the cybersecurity posture across the enterprise.  

Finally NIST CSF establishes four (4) implementation tiers and are defined to help with organizational decision making on how to manage cybersecurity risk.  The four implementation tiers are:  Tier 1: Partial, Tier 2: Risk Informed, Tier 3: Repeatable, Tier 4: Adaptive

(C) 2022-23 jspublishing.blogspot.com

Identity and Access Management (IAM)

What Is IAM?

Identity and Access Management is about creating and managing trusted digital identities using policies, technologies, processes, and personnel with the purpose of protecting sensitive organizational data.

Identity and Access Management includes the following areas:

• Assignment rules, role definition, and identification for the system
• User or non-person entity (NPE) attribute management
• Individual, groups of individuals, and NPEs access level assignments
• NPE and individual role management and maintenance in the system

Authentication and Authorization

Identity and Access Management uses Authentication to verify an individual or Non Person Entities identity.  Authentication is defined as verifying the identity of a user, process, or device.

Authorization is used to define the asset permission level the individual or Non-person entity has and is defined as “the permission granted to an entity to access a system resource”

Common Authentication methods include:

• Password based Authentication – individual or automated process uses a user login and password to authenticate their identity and is the most common authentication method.  
• Certificate-based Authentication – Users provide digital certificate to sign in
• Hardware / Software token Authentication – New one-time code generated every 30 seconds or so to authenticate identity
• Multi-Factor Authentication (MFA) – uses 2+ independent ways to authenticate
• Biometric Authentication – unique physical identifier of a person i.e. fingerprint
• Behavioral Authentication – This method uses Artificial Intelligence to detect if user behavior is outside the norm and lock down access to systems

Common Authorization methods include:

• Role-Based Access Control (RBAC) – Permissions are assigned to designated job roles or functions within the organization. 
• Access Control List (ACL) – To grant or deny access to information systems is by defined rules. 
• Policy-Based Access Control (PBAC) – Business roles and policies of users are combined to determine what access privileges users of each role should have.
• Graph-Based Access Control (GBAC) – Permissions or abilities to entities/users are defined by Query language

National Institute of Standards & Technology (NIST)

The National Institute of Standards and Technology Cybersecurity Framework includes Identity and Access Management under the Protect function.

The NIST CSF outcome category for Identity and Access Management is:  

Identity Management, Authentication and Access Control (PR.AC): Access to physical and logical assets and associated facilities is limited to authorized users, processes, and devices, and is managed consistent with the assessed risk of unauthorized access to authorized activities and transactions.

Identity Management, Authentication, and Access Control has the following 7 subcategories:

• PR.AC-1: Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes
• PR.AC-2: Physical access to assets is managed and protected
• PR.AC-3: Remote access is managed
• PR.AC-4: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties
• PR.AC-5: Network integrity is protected (e.g., network segregation, network segmentation)
• PR.AC-6: Identities are proofed and bound to credentials and asserted in interactions
• PR.AC-7: Users, devices, and other assets are authenticated (e.g., single-factor, multi-factor) commensurate with the risk of the transaction (e.g., individuals’ security and privacy risks and other organizational risks)

Identity and Access Management is critical to Cybersecurity.  With Identity and Access Management, organizations are able to significantly reduce illegal access to sensitive information.  IAM provides protection against dissemination of compromised login credentials, unauthorized access to the organizations network, as well as, hacking, and various other types of cyberattacks.

Also, Identity and Access Management helps organizations meet industry regulations to ensure customer data is secure and private.  Regulations such as the Payment Card Industry Data Security Standard (PCI-DSS), Health Insurance Portability and Accountability Act (HIPAA), and Sarbanes-Oxley (SOX) govern the  protection of customer data.

Summary 

Identity and Access Management is important for information and network security.  Policies, technologies, processes, and personnel are all used to create and manage trusted digital identities in an organization. 

Authentication methods are used to validate identities and authorization is used to define the permission levels for system assets or resources.

Identity and Access Management is a critical outcome category for the Protect function of the NIST Cybersecurity framework and includes 7 subcategories that ensure all areas of Identity and Access Management are covered within an organization.

(C) 2022-23 jspublishing.blogspot.com