The President is in the process of defining the Cyber Security Policy for the United States. This follows on from the previous administration’s efforts to improve cyber security throughout the US. While we expect to see more emphasis on public-private cooperation, as well as potentially refining and defining the roles that the Department of Defense and the Department of Homeland Security fill, at the end of the day organizations are still going to be responsible for protecting themselves in Cyberspace.
The NIST Cybersecurity Framework (NIST CSF) provides organizations with a method to assess their current cybersecurity posture, determine the desired state, and put plans in place to achieve that desired state. The five areas of Identify, Protect, Detect, Respond and Recover are a workable approach to the critical areas of cyber resilience. Even the most ill-prepared organization can apply the evaluation to determine what steps it needs to accomplish. Using the NIST CSF can seem like a large undertaking, but in today’s age it is imperative that organizations evaluate their cybersecurity posture and take steps to improve it.
Identify, the first part of the NIST CSF, is defined as “Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.” Under this one of the five core functions, there are five sub-categories:
- Asset Management (ID.AM): The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to business objectives and the organization’s risk strategy.
- Business Environment (ID.BE): The organization’s mission, objectives, stakeholders, and activities are understood and prioritized; this information is used to inform cybersecurity roles, responsibilities, and risk management decisions.
- Governance (ID.GV): The policies, procedures, and processes to manage and monitor the organization’s regulatory, legal, risk, environmental, and operational requirements are understood and inform the management of cybersecurity risk.
- Risk Assessment (ID.RA): The organization understands the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals.
- Risk Management Strategy (ID.RM): The organization’s priorities, constraints, risk tolerances, and assumptions are established and used to support operational risk decisions.
By taking some of the actions above, organizations can take important steps toward cyber resilience. As the Administration works to develop its Cyber Security Policy, organizations should not wait to secure themselves. There are many reputable companies that can support organizations seeking to implement the NIST CSF. JohnsTek Inc is one such company.
Cyber Security is not an issue only for large companies; small businesses need to protect themselves as well. There are resources out there to help.