Describing NIST Cybersecurity Frameworks

What is a framework and why can it be useful? Briefly describe the 5 core activities of NIST’s Cybersecurity framework.

A framework is a logical, step-by-step process for accomplishing a goal. A framework is usually scalable and flexible enough to fit any situation, not just cybersecurity. Because it works as a template, you can choose how flexible or stringent your controls will be when applying that particular framework. Frameworks are usually broken down further into smaller deliverables that make them easier to implement.

The National Institute of Standards and Technology (NIST) publishes one of the more widely adopted frameworks, and it has been implemented by several US Government entities as the baseline their cybersecurity programs should resemble. Private industry has also used the NIST framework as a template; while many organizations adopt its core activities as written, some industries opt for stricter controls if they are dealing with financial or health data.

The NIST framework is broken down into five core activities: identify, protect, detect, respond, recover. Identify is the bedrock on which the other core activities are built. The other activities have less chance of succeeding if the identification piece is not fully understood or achieved. Every entity using the NIST framework must fully understand the “cybersecurity risk to systems, people, assets, data and capabilities”. Protection is the next critical function and builds upon the identification step by using what you know to put safeguards and best practices in place. Detection is where those protective practices are exercised in operation, and it leads to step 4, the response. Responding is critical because it defines how your organization will react to an event and how quickly it must meet certain milestones in its response to contain an incident. The final step is recovery, which outlines how your organization will overcome the incident and rebuild what was lost or stolen.

Each of these core activities is broken down into smaller steps to help your organization achieve its end goals. Not all of them will fit, and some may not even be appropriate for your organization, but together they represent a logical process for how you should craft your cybersecurity program.
