The NIST Cybersecurity Framework: What SMBs Need to Know · 2019-10-02


The NIST Cybersecurity Framework: What SMBs Need to Know

Why is the NIST Cybersecurity Framework important?

Cybersecurity is a complex concept that encompasses technology, risk management and mitigation, business processes and procedures, operations, and other functional areas. The interdisciplinary nature of cybersecurity can make it difficult for organizations to operationalize and effect a cybersecurity strategy. The NIST CSF provides a roadmap for organizations to begin planning and operationalizing cybersecurity controls that align with specific security outcomes.

How does the NIST CSF apply to small and medium businesses (SMBs)?

One weakness of the NIST CSF is that fully aligning an organization to all standards and outcomes can be incredibly time-consuming, expensive, and challenging – especially for SMBs that may already be resource-constrained or lack a risk management officer and an information security specialist on staff. Recognizing these challenges, NIST published “Small Business Information Security: The Fundamentals” in November 2016 to pare down the original NIST CSF recommendations to the fundamental security standards and outcomes that all organizations should have in place to ensure a baseline level of cybersecurity preparedness. Corvid Cyberdefense recommends that all organizations begin by mapping their cybersecurity strategy to this SMB-focused framework (unless industry requirements specify alignment with compliance-based standards such as HIPAA or NYDFS). Once the fundamentals have been implemented, work can begin to align to the larger NIST CSF.

How does Haven™ align with the Small Business Fundamentals?

Corvid Cyberdefense created an all-in-one solution called Haven that includes advanced security technologies, virtual CISO (Chief Information Security Officer) consulting services, 24x7 monitoring and response, and employee cybersecurity training for all clients. The Haven combination of technology, consulting, and managed services fulfills all 20 fundamental outcomes.

The NIST Cybersecurity Framework was created to guide organizations through structured steps to protect their networks and data. Below we answer common questions about the framework and explain how Haven™, the end-to-end cybersecurity solution, helps organizations achieve these important and widely accepted recommendations for protection.

(800) 349-0976 | [email protected] | corvidcyberdefense.com

Contact us to find out how Haven™ can protect your business

What is the NIST Cybersecurity Framework?

The National Institute of Standards and Technology (NIST) published the inaugural Cybersecurity Framework (CSF) in 2014 and released update 1.1 in April 2018. The NIST CSF is the federal government’s attempt to establish comprehensive cybersecurity standards and outcomes for organizations regardless of industry, entity type, or size. The five functions of the framework are: Identify, Protect, Detect, Respond, and Recover.

Credit: N. Hanacek/NIST


[Figure: the five Cybersecurity Framework functions – Identify, Protect, Detect, Respond, Recover. Source: NIST.gov]

NIST Small Business Information Security: The Fundamentals | How Haven™ Delivers

NIST Recommendations | Security Technology Controls | Security & IT Consulting/VCISO | 24x7 Managed Detection and Response

1.1 Identify and control who has access to your business information ✔ ✔ ✔
1.2 Conduct background checks ✔
1.3 Require individual user accounts for each employee ✔ ✔
1.4 Create policies and procedures for information security ✔
2.1 Limit employee access to data and information ✔
2.2 Install surge protectors and uninterruptible power supplies (UPS) ✔
2.3 Patch your operating systems and applications ✔ ✔
2.4 Install and activate software and hardware firewalls on all networks ✔ ✔
2.5 Secure your wireless access point(s) and network(s) ✔ ✔
2.6 Set up web and email filters ✔
2.7 Use encryption for sensitive business information ✔ ✔
2.8 Dispose of old computers and media safely ✔
2.9 Train your employees ✔ ✔ ✔
3.1 Install and update anti-virus/spyware/malware programs ✔ ✔
3.2 Maintain and monitor logs ✔ ✔
4.1 Develop a plan for disasters and information security incidents ✔ ✔
5.1 Make full backups of important business data/information ✔ ✔
5.2 Make incremental backups of key business data/information ✔ ✔
5.3 Consider cyber insurance ✔
5.4 Make improvements to processes/procedures/technologies ✔ ✔ ✔
