Thursday 15th April 2021

A brief video introduction to the NIST framework

NIST is the National Institute of Standards and Technology. They were selected for the task of developing the NIST Cyber Security Framework (CSF) because they are a non-regulatory federal agency. They act as an unbiased source of scientific data and practices, including cybersecurity practices.

The framework was the result of a US executive order in 2013. By 2014 it had been adopted globally, partly because many global organisations are U.S. owned or have a U.S. headquarters, for example Google, Amazon/AWS, Paypal and Morgan Stanley.

Organisations and government departments worldwide use the framework to establish a continuous process that starts with identifying assets, then applying protection to those assets and monitoring for attacks against them. Finally, the framework sets out how to plan the response to an incident and rehearse the recovery from it.

Not only does the NIST CSF help to establish essential continuous security processes, it also goes a long way towards defining the remit of cyber security within the organisation. This leads to clear responsibility and accuracy in terms of budgets and ROI, and it introduces a measurable operational environment in a constantly evolving and expanding threat landscape.

The framework itself is made up of 5 functions: Identify, Protect, Detect, Respond and Recover.

The functions are further broken down into 23 categories and underneath those categories are 108 sub-categories.

Such a functional structure makes auditing an organisation's security simpler and can ensure that budgets are applied proportionately.

The functions of the framework take place in a logical order. The Identify function forms the foundation of an organisation's security posture, and the Protect function in turn forms the initial phase of defensive measures. Identify and Protect can be followed iteratively: first gaining visibility of your assets, then defining the risks to and impact on those assets, and finally applying a programme of defences that includes policy, process and technology. The NIST CSF maps very closely to the 2017 NIS Directive (now the NIS Regulations), for which the UK government published the first version in order to guide suppliers of essential services to the Critical National Infrastructure.
