A cybersecurity framework is a set of policies, best practices and procedures implemented by a business to create an effective security posture. By defining controls, frameworks offer a strategic plan to protect data, infrastructure, and information systems and enable companies to choose technical safeguards that align with their budgetary constraints.

NIST CSF 2.0, the National Institute of Standards and Technology Cybersecurity Framework 2.0, is a voluntary framework designed to help organizations understand, assess, prioritize, and communicate about their cybersecurity risks. It assists businesses in understanding their cybersecurity maturity, defining cybersecurity goals, and identifying gaps between current and target states.

When helping clients manage their cybersecurity risks, GBQ advocates that every firm choose a framework to build its cybersecurity risk management program around. In Ohio, the Ohio Data Protection Act gives businesses whose written cybersecurity program reasonably conforms to a recognized industry framework, including NIST CSF, an affirmative defense against tort claims arising from a data breach.

Some important things to know about NIST CSF 2.0:

  • Voluntary Framework: NIST CSF 2.0 is a voluntary framework designed to help organizations of any size, sector, or maturity understand, assess, prioritize, and communicate about their cybersecurity risks. While the framework is voluntary, some firms find it provides the structure to meet client risk obligations and organizes regulatory requirements.
  • Framework Core: The CSF 2.0 core is organized into six functions, often called “pillars”: Govern, Identify, Protect, Detect, Respond, and Recover. Each function is broken down into categories and subcategories that describe desired cybersecurity outcomes. The core provides a common language for managing cybersecurity risk in a systematic and organized manner: we can discuss a firm’s security posture with business leaders at the level of the functions while having deeply technical discussions with security and IT team members about the outcomes within each function.
  • Govern: Version 2.0 adds Govern as a sixth function alongside the five carried over from CSF 1.1. We applaud NIST for including it.

The new Govern function in NIST CSF 2.0 comprises the following categories:

  • Organizational Context (GV.OC): Understanding the organization’s risk context, including its mission, mission priorities, stakeholders, objectives, and direction. An accounting firm, a restaurant franchise operator, a non-profit social service organization, an educational publisher, and a home builder all have cybersecurity risks to manage. However, the context of each business means the approach for each company will be different.
  • Risk Management Strategy (GV.RM): Establishing and monitoring the organization’s risk management strategy, expectations, and policy. This reflects the clear trend of business leadership being expected to take part in cybersecurity decisions; it is no longer just a concern for IT.
  • Roles, Responsibilities, and Authorities (GV.RR): Defining, communicating, and enforcing the cybersecurity roles, responsibilities, and authorities within the organization.
  • Policy (GV.PO), Oversight (GV.OV), and Cybersecurity Supply Chain Risk Management (GV.SC): Establishing and enforcing cybersecurity policy, reviewing how well the risk management strategy is working, and managing the risks introduced by suppliers and other third parties.

Beyond the new function, NIST CSF 2.0 offers expanded guidance on adapting the framework to an organization’s specific needs, including those of smaller businesses, and explains how organizations can draw on other frameworks, standards, and guidelines to implement the CSF.

Our team helps clients understand their business context, select a framework, and organize operations so that cybersecurity becomes a continually improving function of the business. We conduct cybersecurity risk assessments to identify weaknesses in your systems, an important step in protecting your business. Regulations, insurance carrier requirements, and customer contracts may also oblige a firm to conduct regular risk assessments.

To learn more, contact a member of our IT Services team today.
