NIST Cybersecurity Framework (CSF)

While the NIST Cybersecurity Framework (CSF) does not introduce new standards or concepts, it leverages and integrates industry-leading cybersecurity practices that were developed by organizations, including NIST and the International Organization for Standardization (ISO). Why not put these best practices to work in securing your cloud?

Don’t lag on the NIST CSF. We’ve found that applying the NIST CSF is a way for organizations to accomplish a large portion of their control needs in a unified way consistent with many industry and global standards and regulations. Trust Us to Get You There.

Shake Up Your Approach to Compliance with 38North

Instead of chasing one or two standards, we recommend looking for the broadest approach to applying the least-burdensome controls framework. NIST CSF is one way to complement your existing risk management process and beef up your program. Even better, our NIST CSF security compliance and advisory services can take the burden off your technical teams (they have better things to do) and build a compliance program that takes care of NIST CSF.

Our Advisory Process

What is the NIST CSF?

There are three components to the NIST CSF, each of which steps through identifying which activities and functions need to be implemented based on your maturity and profile.

The framework core is a set of cybersecurity activities, outcomes, and informative references that are common across critical infrastructure sectors, organized into five functions.

Identify

Protect

Detect

Respond

Recover

Identify

cybersecurity risks to systems, assets, data and capabilities.

Protect

critical infrastructure services with appropriate safeguards.

Detect

the occurrence of a cybersecurity event through continuous monitoring.

Respond

appropriately to a detected cybersecurity event through incident response process.

Recover

from a cybersecurity event and repair and regain performance with minimal impact.

Know Your Tier and Profile

NIST CSF is largely about tailoring risk to your business risk profile. For this, you’ll need an unbiased assessment of your program — to know where you’re starting from — and a plan to implement changes. This can be done by finding your place in the framework’s implementation tiers and building a profile.

Framework Implementation Tiers

Knowing which NIST CSF tier your program needs to follow depends on your risk level and security posture. Our team can help you make sense of the increasing complexity as you step through the tiers.

Tier 1 (Partial): Your organization’s cyber risk management profiles aren’t formalized and are ad hoc. There is limited awareness of your organization’s cybersecurity risk at the enterprise level, and a cybersecurity risk management approach hasn’t been established.
Tier 2 (Risk Informed): Your organization has a cyber risk management policy approved by senior management, though not enterprise-wide. Senior management is taking steps to create objectives, understand threats, and implement procedures with adequate resources.

Tier 3 (Repeatable): Your organization has formal cybersecurity procedures, regularly updated with changes in risk management, business requirements, threats, and technology. Cyber personnel are well-trained and can perform their duties. Your organization also collaborates with business partners to make risk-based decisions.
Tier 4 (Adaptive): Your organization adapts its cybersecurity practices in real-time based on lessons learned and predictive indicators derived from current and past cybersecurity activities.

With continuous improvement, real-time collaboration, and continuous monitoring, your organization’s cybersecurity practices can rapidly respond to increasingly-sophisticated threats.

Framework Profile

The NIST CSF framework profile is a tool to describe your cybersecurity program. Profiles enable your organization to align their practices with business needs, risk tolerance, and resources.

Using the core and implementation tiers, you can create a current profile of the “as-is” state and a target profile of the “to-be” state. Comparing them can help identify gaps to enhance cybersecurity, and prioritize improvements to reach those goals.

38North NIST CSF Framework Services

You don’t have to tackle NIST CSF alone. We can help you make sense of the CSF and make a plan to improve your maturity over time. No matter where you are in your NIST CSF process, we have a program and proven path to help you get there with minimal headaches.

Cybersecurity Framework Gap Analysis

Determine your organization’s current security profile according to the Cybersecurity Framework. Compare that against the framework core, assessing how well your organization is achieving the outcomes in each of the five high-level functions (identity, protect, detect, respond, recover). Estimate costs for aligning with the Framework and collecting data on risks and challenges. Identify and prioritize critical action items.

Cybersecurity Framework Risk Assessments

We’ll assess the risk of potential cybersecurity events based on current security profile, then present a roadmap for remediation with prioritized recommendations for existing and new management, operational, and technical countermeasures.

Cybersecurity Framework Implementation Support (Target Profile and Action Plan)

Lastly, we can develop a target profile to document all applicable framework categories and subcategories in order to achieve desired cybersecurity outcomes. We’ll compare it against your current profile and create an action plan based on gaps. To keep things easy, we’ll use existing processes, resources, etc. when possible before considering new protective measures.

Get Ahead of the Pack with 38North

Book a conversation with one of our global security experts today and we’ll help you get ahead of the pack and become an early adopter of the NIST Cybersecurity Framework.

Contact Us

Name(Required)

First Name Last Name

Company Name

Email Address

Phone Number

Message

(Please do not provide additional PII in this box)

Comments

This field is for validation purposes and should be left unchanged.