
NIST Releases the Draft of Cybersecurity Framework 2.0 and introduces fundamental changes


Destiny Young (http://linktr.ee/youngdestinya)
Destiny Young is a highly credentialed information technology professional with over 14 years of industry experience. An HND/BSc (Hons) in Computer Science graduate. He holds a Master of Technology degree in Information Technology from the prestigious University of South Africa (UNISA). He is a Distinction-grade MBA alumnus of Nexford University, Washington, DC, where he also obtained a First-class MSc degree in Digital Transformation. His professional development direction is in Cybersecurity, Digital Transformation, and Business Intelligence. He is a member of the British Computer Society (BCS), the Chartered Institute of Administration of Nigeria (CIA), the Nigeria Computer Society (NCS), etc.

Destiny Young | #Cybersecurity

The National Institute of Standards and Technology (NIST) has released the draft of the Cybersecurity Framework (CSF) 2.0.

A cybersecurity framework is a structured approach or set of guidelines that organizations use to manage and improve their cybersecurity posture. These frameworks provide a structured methodology for identifying, assessing, and managing cybersecurity risks and ensuring the confidentiality, integrity, and availability of information and systems. They offer a systematic way to align cybersecurity efforts with business objectives and regulatory requirements.

Several cybersecurity frameworks have been developed by various organizations and government agencies to help businesses and institutions enhance their cybersecurity practices. Some of the most well-known frameworks include:

1. NIST Cybersecurity Framework (CSF): Developed by the National Institute of Standards and Technology (NIST), this framework provides guidelines for organizations to manage and reduce cybersecurity risks. It focuses on five core functions: Identify, Protect, Detect, Respond, and Recover.
2. ISO/IEC 27001: This international standard outlines the requirements for establishing, implementing, maintaining, and continually improving an information security management system (ISMS) within the context of the organization’s overall business risks.
3. CIS Controls: Developed by the Center for Internet Security (CIS), this framework provides a prioritized set of actions designed to improve an organization’s cybersecurity posture. It is organized into 20 controls that cover various aspects of cybersecurity.
4. Framework for Improving Critical Infrastructure Cybersecurity (Cybersecurity Framework): Created by the U.S. Department of Homeland Security, this framework is targeted at organizations critical to the functioning of a nation’s infrastructure. It aligns with the NIST CSF and focuses on risk management.
5. COBIT (Control Objectives for Information and Related Technologies): Developed by ISACA, COBIT is a framework for governing and managing enterprise IT environments. It provides comprehensive guidance for managing and controlling information systems and technology.
6. FAIR (Factor Analysis of Information Risk): FAIR is a framework for quantifying and analyzing information risk in financial terms. It helps organizations make informed decisions about managing cybersecurity risks based on a quantitative approach.
7. MITRE ATT&CK: This framework, developed by MITRE, focuses on understanding and categorizing the tactics, techniques, and procedures (TTPs) that adversaries use during different stages of a cyber-attack. It’s widely used for threat intelligence and improving detection and response capabilities.

When implementing a cybersecurity framework, organizations should tailor it to their specific needs, industry requirements, and risk profile. The chosen framework should serve as a roadmap for improving cybersecurity practices, risk management, and incident response capabilities to effectively protect digital assets and sensitive information.

The scope of the framework has been expanded to provide cybersecurity for all organizations. A new function called “administration” emphasizes internal decision-making for cybersecurity strategy. The project provides advanced tutorials, including custom configurations and implementation examples. A reference tool will be released soon, allowing users to browse, search, and export CSF data. Stay tuned for the launch of CSF 2.0 and improve your cybersecurity strategy!

The changes in CSF 2.0

“The CSF 2.0 project reflects a number of major changes, including:

1. The scope of the framework has expanded — explicitly — from protecting critical infrastructure, such as hospitals and power plants, to providing cybersecurity for all organizations, regardless of type or size. This distinction is reflected in the official title of the CSF, which has become the “Cybersecurity Framework”, its colloquial name, from the more restrictive “Critical Infrastructure Cybersecurity Improvement Framework”.

2. To date, CSF has outlined the key pillars of a successful and comprehensive cybersecurity program using five key functions: identify, protect, detect, respond, and recover. To these, NIST has now added a sixth function, governance, which covers how an organization can make and execute its own internal decisions to support its cybersecurity strategy. He pointed out that cybersecurity is a major source of business risk, which ranks alongside legal, financial, and other risks as considerations for top management.

3. The project provides improved and extended guidance on CSF implementation, especially for profiling, to help tailor the CSF to specific situations. The cybersecurity community has asked for help using it in specific economic areas and use cases where profiles can be useful. It is important that the project now includes implementation examples for each subcategory of functionality to help organizations, especially small businesses, use the framework effectively.”
