We recently posted an article on cybersecurity that explained five essential tips to help companies limit security breaches. If you missed that article, you can read it here. Those tips should be implemented into every company’s cybersecurity risk management program. The establishment of a cybersecurity risk management program is the most important first step to take to limit cyber incidents. This applies to companies throughout the world.
Globig had the opportunity to discuss the topic of cybersecurity with expert, Adam Anderson, the CEO and founder of Atlas Vault. Large companies with large budgets can hire a Chief Security Officer who leads an internal risk management department. However, small and even medium sized companies are generally not in a position to have an internal risk management department. Mr. Anderson pointed us toward the National Institute of Standards and Technology’s (NIST) Framework for Improving Critical Infrastructure Cybersecurity (often called the Cybersecurity framework or CSF), which provides standards, guidelines, and practices that work effectively to prevent and respond to cybersecurity threats. The Framework can be used by companies of all sizes, but it is a particularly great place for SMBs to start. The Framework can be used by companies around the world. This article will summarize the Framework, explain who can use the Framework, and discuss how it can be effectively implemented.
What is the Framework?
The Framework provides guidance, based on existing standards, guidelines, and practices, for organizations to better manage and reduce their cybersecurity risks. The Framework introduces a risk-based approach to cybersecurity management. The Framework is made up of three parts: 1) the Framework Core; 2) the Framework Implementation Tiers; and 3) the Framework Profile. The Framework provides a cybersecurity risk management program that is meant to be an ongoing process of identifying, assessing, and responding to cybersecurity risks.
The Framework Core: The Framework Core comprises the following five concurrent and continuous functions. The Framework Core is a process that can be implemented into a cybersecurity risk management program.
1. Identify: develop an understanding of systems, assets, data, and capabilities to manage cybersecurity risk.
2. Protect: develop and implement the appropriate safeguards to ensure the delivery of a company’s services.
3. Detect: develop and implement the appropriate activities to identify the occurrence of a cybersecurity incident.
4. Respond: develop and implement the appropriate activities to take action when a cybersecurity event is detected.
5. Recover: develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity incident.
Together, these five functions provide a high-level, strategic view of the lifecycle of a company’s cybersecurity risk management system. Under each function is a list of categories, subcategories, and informative references.
The Framework Implementation Tiers: The Framework Implementation Tiers provide context into how a company views cybersecurity risks and how its processes manage that risk. The Tiers describe the degree to which a company’s cybersecurity risk management system has adapted to the Framework.
The Framework Profile: A profile can be used to help a company identify its opportunities to improve its risk management system by comparing a ‘current profile’ with a ‘target profile.’ In this way, a Profile can be used to conduct self-assessments.
Who uses the Framework?
Although the Framework was pushed through by the government to protect the United States’ critical infrastructure sectors, it is not only useful to critical infrastructure organizations, but to any company in need of guidance on improving or establishing their cybersecurity risk management system. For companies with an existing cybersecurity risk management system, the framework can be used in conjunction with the existing system and is meant to complement and improve that system. Companies without an existing cybersecurity risk management system can use the Framework as a reference to establish their system.
Furthermore, the Framework is neither industry nor country specific, so it can be used to enhance or establish policies and procedures for all types of companies in different countries. The Framework can be used by companies of all sizes, including large companies with internal risk management departments. It is important to remember that companies will always have unique risks, including different threats, different vulnerabilities, and varying levels of risk tolerance, so the Framework is not one-size-fits-all.
How can the framework be implemented?
Once your company has decided to implement the Framework, you need to set up a strategy to establish a cybersecurity risk management system based on the Framework. Below are the high-level steps you should take to implement the Framework into your cybersecurity risk management system:
1. Learn what you can about the Framework. The Framework is fairly difficult and dense to anyone not familiar with cybersecurity. There are many books and podcasts you can review to help in your learning process. You can start with Adam Anderson’s book, ‘Small Business Cyber Security: Your Customers Can Trust You…Right?’ and Globig’s podcast featuring Adam Anderson.
2. Obtain executive level buy-in. Cybersecurity is not just an IT problem; it is an executive problem. It is not a technology problem; it is a human problem. Without executive buy-in, your risk management system will not succeed.
3. Assemble your risk management team. Establishing a risk management system is not a job for one person. It will take teamwork and time to create an effective cybersecurity risk management system.
4. Create your current profile. In order to determine your risk management needs, you need to determine where your gaps are.
5. Define your target tiers. You need to determine your goals in order to create the risk management system that will get you to your goals. This means creating your target profile.
6. Conduct risk assessments. Determine what gaps are present between your current profile and your target profile. These gaps are your areas for improvement.
7. Adjust your profile as needed. You will likely need to prioritize your risks to develop your strategy to move toward your target profile.
8. Develop and implement risk management processes for the ongoing maintenance of your risk management system.
9. Adjust your processes as needed. You may need to adjust your processes to move toward or stay within your target profile.
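Steps 4 through 7 above (build the current profile, define the target, find the gaps, prioritize) can be made concrete with a small gap-analysis script. The following is an added example written for this article, not code from the article, from Globig, from Adam Anderson or from NIST. It uses the Framework’s four Implementation Tiers (1 Partial, 2 Risk Informed, 3 Repeatable, 4 Adaptive) and CSF 1.1 category identifiers such as PR.AC, but the tier values and the risk weights assigned to each category are constructed sample data, not a real assessment.

```python
"""Current-vs-target profile gap analysis (added example, not from the article).

Category IDs follow NIST CSF 1.1 naming (e.g. ID.AM); the tiers assigned
below and the 1-5 risk weights are constructed sample values.
"""
from dataclasses import dataclass

# NIST CSF Implementation Tiers, numbered 1-4.
TIERS = {1: "Partial", 2: "Risk Informed", 3: "Repeatable", 4: "Adaptive"}


@dataclass(frozen=True)
class CategoryAssessment:
    category: str      # CSF category ID, e.g. "PR.AC"
    function: str      # one of the five Framework functions
    current_tier: int  # where the company is today (1-4): the current profile
    target_tier: int   # where it wants to be (1-4): the target profile
    risk_weight: int   # constructed 1-5 weight for how much this category matters

    def __post_init__(self):
        # Reject tiers outside the Framework's 1-4 range and weights outside 1-5.
        for name in ("current_tier", "target_tier"):
            if getattr(self, name) not in TIERS:
                raise ValueError(f"{name} must be 1-4, got {getattr(self, name)}")
        if not 1 <= self.risk_weight <= 5:
            raise ValueError("risk_weight must be 1-5")

    @property
    def gap(self) -> int:
        """Tiers still to climb; a category already at or above target has no gap."""
        return max(self.target_tier - self.current_tier, 0)

    @property
    def priority(self) -> int:
        """Simple prioritisation: size of the gap scaled by how risky the area is."""
        return self.gap * self.risk_weight


# Constructed sample profile for a small company (not real assessment data).
SAMPLE_PROFILE = [
    CategoryAssessment("ID.AM", "Identify", 1, 3, 4),  # asset management
    CategoryAssessment("PR.AC", "Protect", 2, 3, 5),   # access control
    CategoryAssessment("DE.CM", "Detect", 1, 3, 5),    # continuous monitoring
    CategoryAssessment("RS.RP", "Respond", 2, 2, 3),   # response planning
    CategoryAssessment("RC.RP", "Recover", 1, 2, 3),   # recovery planning
]


def gap_report(profile):
    """Step 6 and 7: categories with a gap, highest priority first."""
    gaps = [a for a in profile if a.gap > 0]
    return sorted(gaps, key=lambda a: (-a.priority, a.category))


def function_summary(profile):
    """Roll the gaps up to the five Framework functions for an executive view."""
    summary = {}
    for a in profile:
        entry = summary.setdefault(a.function, {"gap": 0, "on_target": True})
        entry["gap"] += a.gap
        if a.gap > 0:
            entry["on_target"] = False
    return summary


def format_report(profile):
    """Human-readable version of gap_report for the risk management team."""
    lines = []
    for a in gap_report(profile):
        lines.append(
            f"{a.category} ({a.function}): tier {a.current_tier} "
            f"{TIERS[a.current_tier]} -> {a.target_tier} "
            f"{TIERS[a.target_tier]}, priority {a.priority}"
        )
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(SAMPLE_PROFILE))
```

Running the script prints the categories that need work, with Detect (DE.CM) first because it combines a two-tier gap with the highest weight; Respond shows no gap because its current and target tiers already match. The weighting scheme is a placeholder for whatever prioritisation your risk assessment actually uses; the point is that the current profile, target profile and gap list are recorded in one place and re-run as step 9 adjusts the processes.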
With the prevalence of cybersecurity breaches today, no company can afford to do business without a comprehensive and effective cybersecurity risk management system in place. The Cybersecurity Framework can help companies around the world improve existing systems or guide companies without an existing system to establish an effective cybersecurity risk management system.
About Globig:
If you have international offices with employees and business teams focused on foreign markets, Globig is a must for saving valuable time and money, and for managing risk.
Want to learn more? We are here to help.