Cyberattacks and data breaches are putting organizations at risk. Data security has therefore become a global goal for organizations, because data is one of their most valuable assets. It is crucial for an organization to be able to detect, prevent, and recover from cybercrime, which is why cybersecurity resilience should be its best defense.
In 2013, President Barack Obama signed an Executive Order requiring organizations to develop a cybersecurity resilience framework to reduce cyberattacks against critical infrastructure. According to the Executive Order, the cybersecurity resilience framework “shall include a set of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks.”
Therefore, an organization must develop a cybersecurity resilience framework to help it identify, assess, and manage cyber breaches when they occur.
Why is the Cybersecurity Resilience Framework Needed?
The Cambridge Dictionary defines a framework as “the ideas, information, and principles that form the structure of an organization or plan.” With the influx of cyberattacks in today’s digital world, an organization needs a framework that guides it in controlling, managing, and recovering from cybercriminal attacks.
Cybersecurity resilience frameworks give organizations a security approach that is cost-effective, flexible, prioritized, and performance-based. An organization should develop such a framework to identify the areas of its systems that need improvement, which can then be addressed in collaboration with the relevant sectors and with the organizations that develop security standards. Developing a framework also lets an organization measure its degree of progress: where it is now and where it needs to go in terms of security measures.
The cybersecurity resilience framework aims to describe the current security posture, identify the target security posture, drive continuous improvement, and assess progress toward the target posture.
Frequently Adopted Cybersecurity Resilience Frameworks
The following frameworks are often adopted by organizations to help them secure and protect data from cyberattacks:
- The National Institute of Standards and Technology (NIST) Framework. This framework aims to address an organization’s lack of security standards. It provides a structure for identifying and improving an organization’s capability to detect, prevent, and respond to cyber risks. In the Trends in Security Framework Adoption Survey, 70% of the organizations represented in the study viewed the NIST framework as the best standard for data and computer security.
- Center for Internet Security (CIS) Critical Security Controls. This framework is a recommended set of cyber defenses that prescribe specific actions to counter today’s increasing attacks on data security. A principal benefit of these controls is that they focus on and prioritize a smaller number of actions that yield highly successful results. Additionally, the controls are regularly updated and tailored to new and evolving cyberattacks.
- ISO 27001 and ISO 27002 (International Organization for Standardization). These are international standards that allow an organization to demonstrate to customers and other stakeholders that it is managing data security. They use a process-based approach to establish, implement, operate, maintain, and improve an Information Security Management System (ISMS). Furthermore, these standards can help an organization achieve compliance with legal regulations such as the General Data Protection Regulation (GDPR).
- Payment Card Industry Data Security Standard (PCI DSS). This is an information security standard that governs the handling and protection of credit card data from the major card schemes, and it was created to reduce credit card fraud. It has six control objectives: building and maintaining a secure network and systems, protecting cardholder data, maintaining a vulnerability management program, implementing strong access control measures, regularly monitoring and testing networks, and maintaining an information security policy.
Five Functions of the Cybersecurity Resilience Framework
For an organization to be cyber-resilient and able to withstand cyber risks, it is recommended that the framework’s five interconnected functions guide its security measures. These five functions are as follows:
1. Identify
The objective of this function is to develop an organization-wide understanding of how to manage cybersecurity risks to systems, assets, data, people, and capabilities. Understanding the business context and its cybersecurity risks allows an organization to focus its efforts and keep them consistent with its business needs and risk management strategy. This function covers five critical categories: risk management strategy, risk assessment, governance, business environment, and asset management.
- Risk management strategy. This covers establishing an organization’s priorities, risk tolerances, and constraints, which then guide decision-making during operations.
- Risk assessment. This category involves an understanding of the cyber risks in all operations, individuals, and assets in an organization.
- Governance. This is necessary to manage and monitor an organization’s operational, environmental, regulatory, risk, and legal requirements.
- Business Environment. This category covers the definition of the organization’s mission, objectives, stakeholders, and activities.
- Asset Management. This involves the identification of facilities, systems, services, data, and personnel used to accomplish the organization’s purposes.
2. Protect
This is arguably the most essential of the five functions. It involves developing and implementing suitable safeguards to ensure the delivery of critical services. This function covers limiting and controlling access to critical physical and digital assets and systems in order to prevent breaches. It has six key categories: protective technology, maintenance, information protection processes and procedures, data security, awareness and training, and identity management and access control.
- Protective technology. This category covers the technical solutions for security and the implementation, review, and documentation of log and audit records. It also covers protecting removable media, communications, and control networks.
- Maintenance. Remote maintenance must be performed with care to prevent unauthorized access, and all maintenance should be appropriately scheduled and implemented.
- Information Protection Processes and Procedures. Security policies are maintained and leveraged in this category. These policies are first established under the Governance category of the Identify function of a framework.
- Data Security. This category revolves around preserving the integrity and confidentiality of data while keeping it available. The stakeholders responsible for security manage data in a manner consistent with the organization’s risk management plans.
- Awareness and Training. Security education must be given to an organization’s personnel. Training should be carried out to uphold the protection strategies of an organization effectively.
- Identity Management and Access Control. This category covers the organization’s management of the credentials and identities of authorized users of its systems, and establishing secure access protection for those users.
3. Detect
This function aims to develop and implement suitable activities for identifying a cybersecurity event promptly. Its focus is to recognize suspicious activity and quickly assess its effect on the organization. This function has three key categories: detection processes, security continuous monitoring, and anomalies and events.
- Detection Processes. This category covers the organization’s definition of the roles and responsibilities involved in detection, and the maintenance of the activities that detect anomalous events and protect against cyber risks. It also includes ensuring that these activities comply with industry requirements and are thoroughly tested and continuously improved.
- Security Continuous Monitoring. In this category, vulnerability scans should be carried out across all protected systems. The organization should monitor its assets and information technology systems to identify security issues and to measure the effectiveness of the safeguards in place.
- Anomalies and Events. The organization should detect events that are considered anomalous and understand the potential effect of these events. Detection of these suspicious activities should be done promptly.
4. Respond
The objective of this function is to develop suitable sets of actions to carry out when a cybersecurity event is detected. This supports an organization’s capability to withstand the impact of a potential cyberattack. The Respond function covers five key categories: response planning, communications, analysis, mitigation, and improvements.
- Response Planning. Once the Detect function has discovered a cybersecurity incident, this category begins with executing the response procedures. The response plans should be carried out in a timely manner, either during or after the cybersecurity event.
- Communications. While following the response plans, the concerned stakeholders of the organization must coordinate response activities and, if needed, seek help from law enforcement. The details of the cyberattack should be shared with the concerned individuals inside and outside the organization.
- Analysis. This category revolves around the investigation and examination of the detected event. It includes analyzing the incident’s impact and the organization’s ability to take action.
- Mitigation. This involves taking actions that will prevent the cyberattack from continuing and spreading. Mitigating the potential impact of the threat is of utmost importance.
- Improvements. After the cybersecurity event, the organization should examine the response and learn lessons from it. These findings should then be used to improve the handling of future related events.
5. Recover
The objective of this last function is to develop and implement suitable activities to maintain resilience strategies and to restore any services or capabilities damaged by a cybersecurity breach. The organization should return to normal business operations in a timely manner to reduce the effect of the cyberattack. This function has three key categories: recovery planning, improvements, and communications.
- Recovery Planning. Depending on the timing of the incident, this category can take place during or after the event. Recovery plans should be carried out, and all affected systems should be supported, restored, and addressed in a timely manner.
- Improvements. This category revolves around the lessons learned during and after the cybersecurity event and how these can be used to improve the security strategies of the organization.
- Communications. This involves coordinating recovery efforts with the concerned stakeholders. All recovery plans and strategies should be communicated to the individuals involved, whether internal or external, to reduce the damage and protect the organization’s reputation.
Components of the Cybersecurity Resilience Framework
Three key components make up the framework. The first is the Framework Core: a set of cybersecurity activities, the organization’s desired outcomes, and references that are common across critical systems. The second is the Framework Implementation Tiers, which provide context on how an organization views and understands cyber risk and on the processes it uses to manage that risk.
The third component is the Framework Profile, which is the particular arrangement of practices, guidelines, and standards an organization has chosen. Together, these three components strengthen the connection between the organization’s mission and goals and its cybersecurity activities.
Getting Started with the Framework
Almost every organization can use this cybersecurity resilience framework, including utility companies, financial institutions, transportation companies, government contractors, research organizations, health care companies, and universities, among others. Adhering to the framework demonstrates an organization’s willingness to protect data and follow security best practices.
Adopting and using a framework requires appropriate resources and a strong commitment to the strategy. Adopting a framework is highly encouraged, and frequently mandatory, for an organization to comply with legal regulations and requirements. Done correctly, it lets an organization demonstrate resilience against existing and evolving cyber risks and prevent financial losses. If the organization uses the framework effectively, its professional reputation is protected from potential damage and the public trust that took years to build is maintained. Contact RSI Security to get started.