Developing your Organization’s Cyber Security Framework using NIST Standard

As we grow and adopt technologies that expose our infrastructure to cyberattacks, we need a framework to work within so that our information system assets stay secured.
A cybersecurity framework is a system of standards, guidelines and best practices for managing the risks that arise in the digital world. It provides the structure and methodology you need to protect your important digital assets.
Two widely used cybersecurity frameworks that organizations can implement are the National Institute of Standards and Technology (NIST) Cybersecurity Framework and ISO/IEC 27001, published by the International Organization for Standardization. Each has its strengths and its weaknesses.
ISO/IEC 27001 specifies the requirements for an information security management system (ISMS). Its structure is built around preserving the confidentiality, integrity and availability of information, including client data: keeping it from unauthorized persons and systems while keeping it available to those who are authorized.
The NIST Cybersecurity Framework, on the other hand, was developed for the security of critical infrastructure and places a strong emphasis on identifying, evaluating and managing the risks associated with that infrastructure, although any organization can adopt it.
Because the NIST Cybersecurity Framework is freely available and organizes its guidance into a small set of functions that map directly onto an operating security program, we will use it to walk through the steps of developing a corporate cybersecurity framework.
The primary objective of a cybersecurity framework is to guide an organization toward securing its critical infrastructure.
The NIST Cybersecurity Framework lays out five core functions to help a corporate organization secure its critical infrastructure: Identify, Protect, Detect, Respond and Recover (version 2.0 of the framework adds a sixth, Govern). Each is described below.
The first function is Identify. This is a continuous process of IT asset inventory in which information system assets are identified and classified by how critical they are to the business. You also need to understand the business environment so that you can identify and control who and what has access to business information, data, processes and infrastructure. That means keeping a current roster of employees and their roles; the accounts created later, under Protect, will be scoped to that roster, one per person and limited to the permissions of that person's job role. Background checks on existing and new employees also feed this picture of who is in the environment. The phase ends with a regular risk assessment report, which raises the question of how each identified risk will be treated: mitigated, transferred, avoided or accepted.
After the information system assets have been identified, the next function is Protect. This is where we develop the policies and procedures that mitigate the identified risks and decide which technologies to deploy to protect the organization's information system assets. Policies to consider include separation of duties and job rotation, role-based access control, network configuration, bring your own device (BYOD), email and internet use, patch management, secure software development, and infrastructure and media disposal. Technologies to consider include web, email and URL filtering, firewalls, endpoint security, Wi-Fi security such as RADIUS-based AAA, data encryption, and the network equipment that carries the data, such as wireless devices, access points, switches and routers. What matters is not merely that a technology is available but how much security it actually adds to the organization's overall information system assets. An important aspect of the Protect phase is employee training: having the best and most secure technologies and policies without proactive, cyber-vigilant employees is like guarding the main entrance of your organization against threats while ignoring the vulnerability of the staff entrance.
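The two policies named first above, separation of duties and role-based access control, are the ones most often enforced in code rather than on paper. The following is an added example written for this article, not code from the original page: a deny-by-default role-based access check with a separation-of-duties rule that refuses any role assignment which would let one person both create and approve a payment, or both create a vendor record and pay it. The roles, permissions, users and conflicting-permission pairs are assumptions chosen for illustration.

```python
"""Deny-by-default role-based access control with a separation-of-duties check.

Added example for the Protect phase; not code from the article. The roles,
permissions, sample users and conflict pairs are assumptions for illustration.
"""


class SodViolation(Exception):
    """Raised when a role assignment would let one person hold conflicting permissions."""


# Permissions granted to each job role. Anything not listed here is denied.
ROLE_PERMISSIONS = {
    "clerk":       {"payment:create", "invoice:read"},
    "approver":    {"payment:approve", "invoice:read"},
    "procurement": {"vendor:create", "invoice:read"},
    "auditor":     {"invoice:read", "audit_log:read"},
    "helpdesk":    {"user:create", "user:disable"},
}

# Pairs of permissions that must never be held by the same person
# (separation of duties): creating a payment and approving it; creating a
# vendor record and creating a payment to that vendor.
SOD_CONFLICTS = [
    frozenset({"payment:create", "payment:approve"}),
    frozenset({"vendor:create", "payment:create"}),
]


def permissions_for(roles):
    """Union of the permissions of the given roles; unknown roles grant nothing."""
    perms = set()
    for role in roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def is_allowed(user_roles, user, action):
    """Deny by default: allowed only if one of the user's roles grants the action."""
    return action in permissions_for(user_roles.get(user, set()))


def sod_violations(roles):
    """Conflicting permission pairs that the given role set would grant together."""
    perms = permissions_for(roles)
    return [pair for pair in SOD_CONFLICTS if pair <= perms]


def assign_role(user_roles, user, role):
    """Add a role to a user, refusing assignments that breach separation of duties."""
    if role not in ROLE_PERMISSIONS:
        raise ValueError(f"unknown role: {role}")
    proposed = user_roles.get(user, set()) | {role}
    violations = sod_violations(proposed)
    if violations:
        conflicts = "; ".join(" + ".join(sorted(p)) for p in violations)
        raise SodViolation(f"{user} cannot hold {role}: {conflicts}")
    user_roles[user] = proposed


def build_sample_directory():
    """Constructed sample user-to-role mapping (not real data)."""
    directory = {}
    assign_role(directory, "alice", "clerk")
    assign_role(directory, "bob", "approver")
    assign_role(directory, "carol", "procurement")
    assign_role(directory, "dave", "auditor")
    return directory


if __name__ == "__main__":
    d = build_sample_directory()
    print("alice may create a payment:", is_allowed(d, "alice", "payment:create"))
    print("alice may approve a payment:", is_allowed(d, "alice", "payment:approve"))
    try:
        assign_role(d, "alice", "approver")
    except SodViolation as exc:
        print("refused:", exc)
```

The check is applied at assignment time rather than only at access time, so a conflicting combination can never exist in the directory; the same `sod_violations` function can also be run over an exported list of existing users to audit a directory that was built before the policy existed.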
Deploying the right technology is key to keeping information system assets safe. However, because people are imperfect, vulnerabilities may remain in the policies, procedures or technology we use to secure those assets. This is why the Detect function is required when developing a cybersecurity framework. Its aim is to detect threats, vulnerabilities and attacks as they appear. Detection can be implemented with technologies such as antivirus and anti-malware, intrusion detection and prevention systems (IDS/IPS), and a Security Information and Event Management (SIEM) system that correlates events and flags anomalies within the network. Automated detection is more effective, however, when combined with regular manual analysis of network, system and security logs, and with tuning of the detection rules so that alerts remain actionable rather than buried in noise.
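What a SIEM correlation rule actually does with those logs is easier to see in a small script than in prose. The following added example is not from the original article: it parses constructed sshd-style syslog lines and applies two rules, a sliding-window threshold (five failed logins from one source within two minutes) and a higher-priority rule for a successful login from a source that has just failed repeatedly. The hosts, usernames and addresses in the sample log, and the threshold values, are assumptions chosen for the example.

```python
"""Brute-force and success-after-failure detection over authentication logs.

Added example for the Detect phase; not code from the article. The log lines
are constructed in the style of Linux sshd syslog messages, and the threshold
and window are assumed values, not from the page.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log (syslog-style sshd messages; hosts, users and
# addresses are invented). Three sources: one fast brute force that ends in
# a successful login, one user who mistypes once, and one low-and-slow guesser.
SAMPLE_LOG = """\
Mar 10 09:00:01 web01 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar 10 09:00:03 web01 sshd[1202]: Failed password for invalid user admin from 203.0.113.7 port 51024 ssh2
Mar 10 09:00:05 web01 sshd[1203]: Failed password for root from 203.0.113.7 port 51026 ssh2
Mar 10 09:00:06 web01 sshd[1204]: Failed password for root from 203.0.113.7 port 51028 ssh2
Mar 10 09:00:08 web01 sshd[1205]: Failed password for root from 203.0.113.7 port 51030 ssh2
Mar 10 09:00:09 web01 sshd[1206]: Accepted password for root from 203.0.113.7 port 51032 ssh2
Mar 10 09:03:10 web01 sshd[1210]: Failed password for alice from 198.51.100.4 port 40010 ssh2
Mar 10 09:05:12 web01 sshd[1211]: Accepted publickey for alice from 198.51.100.4 port 40012 ssh2
Mar 10 09:10:00 web01 sshd[1220]: Failed password for bob from 192.0.2.9 port 33001 ssh2
Mar 10 09:30:00 web01 sshd[1221]: Failed password for bob from 192.0.2.9 port 33002 ssh2
Mar 10 09:50:00 web01 sshd[1222]: Failed password for bob from 192.0.2.9 port 33003 ssh2
Mar 10 10:10:00 web01 sshd[1223]: Failed password for bob from 192.0.2.9 port 33004 ssh2
Mar 10 10:30:00 web01 sshd[1224]: Failed password for bob from 192.0.2.9 port 33005 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+) port \d+"
)

THRESHOLD = 5         # failures from one source ...
WINDOW_SECONDS = 120  # ... within this many seconds trigger an alert


def parse_line(line, year=2024):
    """Parse one sshd auth line into a dict, or None if it is not an auth result.

    Syslog timestamps carry no year, so one is assumed (an assumption of this
    example; a real collector would take it from the ingest time).
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "src": m["src"]}


def detect(lines, threshold=THRESHOLD, window=WINDOW_SECONDS):
    """Run both rules over the lines in order and return the alerts raised."""
    failures = defaultdict(deque)  # src -> timestamps of recent failures
    flagged = set()                # sources already alerted for brute force
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        q = failures[ev["src"]]
        # Slide the window: drop failures older than `window` seconds.
        while q and (ev["ts"] - q[0]).total_seconds() > window:
            q.popleft()
        if ev["result"] == "Failed":
            q.append(ev["ts"])
            if len(q) >= threshold and ev["src"] not in flagged:
                flagged.add(ev["src"])
                alerts.append({"rule": "brute_force", "src": ev["src"],
                               "user": ev["user"], "count": len(q)})
        elif len(q) >= threshold:
            # A success right after a burst of failures is the signal that
            # matters most: the guessing may have worked.
            alerts.append({"rule": "success_after_failures", "src": ev["src"],
                           "user": ev["user"], "count": len(q)})
            q.clear()
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

Run against the sample, the script raises two alerts for 203.0.113.7 and none for the other sources. The source 192.0.2.9 makes five failed attempts but spaces them twenty minutes apart, so it never reaches the threshold inside the window: this is the low-and-slow pattern that threshold rules miss, and it is why the paragraph above insists on periodic manual log review (or a second rule with a much longer window and lower threshold, at the cost of more false positives).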
The function after Detect is Respond. When a threat, vulnerability or attack is found, this phase determines how the organization reacts. It requires a Cyber Incident Response Plan, a Business Continuity Plan and a Disaster Recovery Plan. The Business Continuity Plan ensures that business operations continue during and after a security incident. The Disaster Recovery Plan focuses on restoring the organization's information system assets after a disaster, natural or otherwise. The Cyber Incident Response Plan directs the Cybersecurity Incident Response Team (CSIRT) or Computer Emergency Response Team (CERT) on how to prepare for, detect, contain and eradicate a security incident.
The last function of the NIST Cybersecurity Framework is Recover. It covers restoring the organization to normal operation once the incident has been contained and the risk reduced to an acceptable level (risk is rarely eliminated outright). This is the stage at which normal communications with staff, customers and partners are restored, and at which lessons learned are documented so that the plans and controls improve before the next incident.
The NIST Cybersecurity Framework is a comprehensive framework that covers the full lifecycle of a cyberattack on an organization. Many organizations do not see the need to develop their own cybersecurity framework because they feel it is unnecessary, not realizing that a cyberattack is not a matter of if your organization will be attacked but of when. So, when you do fall victim to an attack, what have you put in place to ensure you do not lose everything? Losing everything to a cyberattack is entirely possible. Getting your organization's cybersecurity framework ready is the best step in the right direction.