This white paper offers an executive introduction to the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework¹, which is a comprehensive guide to managing cybersecurity for an entire organization. The framework is both a technical reference and a management guide. The latter means that parts of it apply to, and require the attention of, an organization’s senior management. Unfortunately, the technical depth and breadth necessary to cover such a broad and complex topic can make the documents intimidating. Gaining an understanding of the framework’s terms and concepts will help executives interface more effectively with employees, clients, and vendors as they apply this framework.
ThreatSketch®
business solutions for cyber risk
¹ The official title is Framework for Improving Critical Infrastructure Cybersecurity, but it is referred to informally as the NIST Cybersecurity Framework, or simply the framework.
Declarative statements are statements of fact such as: “Jack runs.” Someone may conclude that a given statement is true (Jack is indeed running), false (Jack is standing still), or somewhere in between (Jack is jogging). With that in mind, let’s look at an example:

ID.RA-5: Threats, vulnerabilities, likelihoods, and impacts are used to determine risk

The identifier ID.RA-5 designates this as an IDentify Function in the Risk Assessment Category addressing Subcategory number 5. The declarative statement is then evaluated by simply thinking about the statement, or discussing it with a team, to decide if it is true for the organization. If the answer is false or unsure, then one should read the Informative References to figure out how to make it true.

Informative References refer to specific sections of a publication that further describe what an organization might

Unfortunately, not all of the external reference material is free. Some of the information is only available with membership, licences, or purchases from specific organizations. Others, like the NIST’s own Special Publications (SP 800-x), are free.

Busy executives often just want to know which products and services they need to buy. The framework does not give product-level information, primarily because doing so would violate government policies regarding the endorsement of commercial interests. Despite this, it does provide a wealth of advice to help make informed purchase decisions.

Figure 1 is a snapshot of the framework’s Core, which shows how Functions, Categories, Subcategories, and Informative References are organized. The full layout is more easily browsed in spreadsheet form, which is available on the NIST’s website.
In theory, a Tier 4 organization would give a definitive “yes” to every declarative statement in every Subcategory. However,
the NIST recognizes that not every item applies to every organization. It is also true that what is sufficient to say “yes” for one
company may be insufficient for another. This is another way the NIST built flexibility into the framework.
Profiles

A pass through all of the Subcategories answering Yes, No, Partial, Unsure, or Not Applicable to each is what the framework refers to as a Profile. A Profile allows an organization to take a baseline snapshot of where it stands. The NIST recommends using this baseline to identify which areas need improvement. It may help to think about baseline and target Profiles like an actual and a projected budget. However, budgeting is just a helpful metaphor. The framework provides no formula for budgeting.

Keep in mind that Profile items are not weighted equally. Seventy yes’s on a Profile might indicate good risk management practices, or it could mean the organization is still very exposed. To understand relative importance, Profile results need context. The framework provides guidance for developing context in these Identify (ID) Categories:

• Risk Management Strategy (ID.RM): The organization’s priorities, constraints, risk tolerances, and assumptions are established and used to support operational risk decisions.

• Risk Assessment (ID.RA): The organization understands the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals.

• Governance (ID.GV): The policies, procedures, and processes to manage and monitor the organization’s regulatory, legal, risk, environmental, and operational requirements are understood and inform the management of cybersecurity risk.

Executives at large companies will have an easier time digesting the reference material for these three categories than their small business counterparts. At times the reference material can be more elaborate than is practical for small organizations. Owners and executives of smaller, resource-constrained organizations need a slightly different approach, one that looks at budgets and management of cybersecurity with their specific needs in mind. For this audience, the book Cybersecurity: A Business Solution* is a great resource. It offers a concise, step-by-step approach to managing risk. It explains what risk assessments are and shows how to use them to establish priorities and budgets. It also provides a more in-depth discussion of the role executives play in managing cyber risk through company culture, vendor relationships, etc., and other strategic contributions.

Conclusion

Adopting the NIST Cybersecurity Framework is a great way to protect your company from cyber attack. In addition to being a comprehensive technical reference for solving specific problems, it offers executives a way to:

• Establish and communicate company-wide goals and cultural standards.

• Monitor status and measure progress toward a larger goal.

• Connect baselines and targets to the organizational mission and strategic goals.

Even if your organization takes a different approach to managing cyber risk, you will at some point encounter the NIST Cybersecurity Framework as a government, industry, or client-driven mandate. All U.S. Government agencies are required to adopt this standard², which also applies to anyone doing business with them. Over time, anyone doing business with the U.S. government will need to demonstrate compliance with the framework.

In the private sector, large companies are demanding proof of good cybersecurity stewardship. This is because 63 percent of attacks on large companies have been traced back to vendors in their supply chain³. In some cases, companies are banding together to develop and enforce industry-wide regulations. Healthcare, payment card processing, and banking are examples of this. In other cases, large companies are demanding good cybersecurity practices directly from all of their suppliers as a condition of doing business. Small companies that can provide proof of cybersecurity stewardship can win more business and charge a premium in some cases.

The NIST Cybersecurity Framework is the most universal solution to meet government and private sector demands. Whatever brings executives into contact with the framework, having a solid understanding of the terminology and the concepts will improve communication with employees, clients, and vendors when evaluating and adopting the NIST Cybersecurity Framework.

For more information, please visit our website: ThreatSketch.com

*For a preview of the book, please visit: cybersecurityabusinesssolution.com
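The identifier scheme explained earlier (ID.RA-5 = Identify Function, Risk Assessment Category, Subcategory 5) and the baseline/target Profile idea from the Profiles section, as an added example that is not part of this paper or of the NIST framework itself: a small Python helper that parses Subcategory identifiers, validates Profile answers, and lists where a baseline Profile falls short of a target without scoring it, since the framework weights no item. The Function codes other than ID, the sample identifiers ID.RM-1, ID.GV-1 and ID.GV-2, and all answers are constructed for the sample.

```python
import re
from dataclasses import dataclass

# The five Functions of the Framework Core; the page itself only spells out ID.
FUNCTIONS = {"ID": "Identify", "PR": "Protect", "DE": "Detect",
             "RS": "Respond", "RC": "Recover"}
# The answer set the paper gives for a Profile pass.
ANSWERS = ("Yes", "No", "Partial", "Unsure", "Not Applicable")
_ID_RE = re.compile(r"^(?P<func>[A-Z]{2})\.(?P<cat>[A-Z]{2})-(?P<num>\d+)$")


@dataclass(frozen=True)
class SubcategoryId:
    function: str   # e.g. "ID" (Identify)
    category: str   # e.g. "RA" (Risk Assessment)
    number: int     # e.g. 5

    def __str__(self) -> str:
        return f"{self.function}.{self.category}-{self.number}"


def parse_subcategory_id(text: str) -> SubcategoryId:
    """Split an identifier such as 'ID.RA-5' into Function, Category and number."""
    m = _ID_RE.match(text.strip())
    if not m or m["func"] not in FUNCTIONS:
        raise ValueError(f"not a Framework Core Subcategory identifier: {text!r}")
    return SubcategoryId(m["func"], m["cat"], int(m["num"]))


def make_profile(answers: dict) -> dict:
    """Build a Profile: every key must parse and every answer must be in ANSWERS."""
    profile = {}
    for raw_id, answer in answers.items():
        if answer not in ANSWERS:
            raise ValueError(f"invalid answer {answer!r} for {raw_id}")
        profile[str(parse_subcategory_id(raw_id))] = answer
    return profile


def profile_gaps(baseline: dict, target: dict) -> list:
    """Subcategories where the baseline answer differs from the target answer.
    A Subcategory missing from the baseline counts as 'Unsure'; target items
    marked 'Not Applicable' are skipped. Gaps are listed, not totalled, because
    Profile items are not weighted equally and need context."""
    gaps = []
    for sub_id, wanted in sorted(target.items()):
        have = baseline.get(sub_id, "Unsure")
        if wanted != "Not Applicable" and have != wanted:
            gaps.append((sub_id, have, wanted))
    return gaps


# Constructed sample Profiles (hypothetical answers, not from the paper).
BASELINE = make_profile({"ID.RA-5": "Partial", "ID.RM-1": "No", "ID.GV-1": "Yes"})
TARGET = make_profile({"ID.RA-5": "Yes", "ID.RM-1": "Yes",
                       "ID.GV-1": "Yes", "ID.GV-2": "Not Applicable"})
```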
² “Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure,” White House, Office of the Press Secretary, May 11, 2017, https://www.whitehouse.gov/the-press-office/2017/05/11/presidential-executive-order-strengthening-cybersecurity-federal
³ “2013 Trustwave Global Security Report,” Trustwave Document Library, https://www.trustwave.com/Resources/Library/Documents/2013-Trustwave-Global-Security-Report/