NIST Security Frameworks (CSF)
NIST Security Framework

Topics

  1. Introduction
  2. Motivation
  3. NIST versus other frameworks
  4. NIST CSF core structure
  5. NIST SP 800-53
  6. Examples
  7. Dangers
  8. How this affects you
Introduction

NIST Cybersecurity Framework (CSF) for reducing cyber risks to organizations.

  • Developed in response to a Presidential Executive Order issued in 2013 to improve critical infrastructure cybersecurity, building on existing standards and guidelines.
  • Congress later directed NIST to create Cybersecurity Framework guides that are accessible to small and medium businesses.
  • Used by US and international government agencies, businesses and organizations.
  • Not applicable to US security agencies.
Three types of security frameworks

Program framework - NIST Cybersecurity Framework (CSF)

  • Defines the security policy.

Control framework - NIST SP 800-53

  • Defines the specific controls on how to implement the security program framework policy.

Risk framework - NIST SP 800-39

  • Provides guidance for managing information security risk.
Motivation

Compliance with a security framework is an expensive undertaking.

  • Reduce our own risk.
  • Provide guidance to our clients.
  • Increasingly common requirement of our clients - Lowe's example.
  • Possible market opportunity for Quoin.
NIST versus other frameworks

Lots of alternative frameworks - ISO 27001, PCI, FAIR, HITRUST, ...

Advantages

  • NIST is simpler than most others, really!
  • Prioritize automation, with open source tools.
  • Part of extensive ecosystem - NVD, CCE, CVE, ...
  • Freely available.

Possible disadvantages

  • Sponsored by US.
  • Generic, not industry specific.
NIST CSF core structure
  • Five functions, 23 categories and 108 subcategories.
  • Each is cross referenced to multiple control standards including NIST SP 800-53.
  • Provided as PDF or spreadsheet.
NIST SP 800-53
  • 20 control families and 322 controls.
  • Provided in XML, JSON, YAML and spreadsheet.
  • Also searchable online.
  • Organized by security categorization of the system, the security baselines - low, moderate and high.
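Added example, not part of the original slides: the CSF core cross-references each subcategory to SP 800-53 controls, and 800-53 allocates controls to the low, moderate and high baselines. The script below loads a constructed excerpt in the shape of that cross-reference (the column names and the baseline table are assumptions standing in for the official spreadsheet export) and answers the practical question "which 800-53 controls does a moderate-baseline system need to cover these CSF subcategories, and which referenced controls fall outside every baseline?"

```python
import csv
import io
from collections import defaultdict

# Constructed excerpt (not the official NIST data) shaped like the CSF core
# spreadsheet: one row per CSF subcategory / SP 800-53 control cross-reference.
CSF_TO_80053_CSV = """function,category,subcategory,control
Identify,Asset Management,ID.AM-1,CM-8
Identify,Asset Management,ID.AM-1,PM-5
Protect,Identity Management and Access Control,PR.AC-1,AC-2
Protect,Identity Management and Access Control,PR.AC-1,IA-2
Protect,Identity Management and Access Control,PR.AC-1,IA-5
Detect,Security Continuous Monitoring,DE.CM-1,SI-4
"""

# Constructed excerpt of the SP 800-53 baseline allocation (low/moderate/high).
# PM-5 is a program management control that is not allocated to any baseline.
BASELINES = {
    "CM-8": {"low", "moderate", "high"},
    "AC-2": {"low", "moderate", "high"},
    "IA-2": {"low", "moderate", "high"},
    "IA-5": {"low", "moderate", "high"},
    "SI-4": {"low", "moderate", "high"},
    "PM-5": set(),
}

def load_mapping(csv_text):
    """Parse cross-reference rows into {subcategory: [control, ...]}."""
    mapping = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        mapping[row["subcategory"]].append(row["control"])
    return dict(mapping)

def controls_for(mapping, subcategories, baseline):
    """Sorted 800-53 controls a system at `baseline` must implement to
    cover the chosen CSF subcategories; unknown subcategories yield none."""
    return sorted({c for s in subcategories for c in mapping.get(s, [])
                   if baseline in BASELINES.get(c, set())})

def unassigned_controls(mapping, subcategories):
    """Referenced controls that sit in no baseline: a baseline-first
    implementation silently skips these unless someone decides on them."""
    return sorted({c for s in subcategories for c in mapping.get(s, [])
                   if not BASELINES.get(c)})

if __name__ == "__main__":
    m = load_mapping(CSF_TO_80053_CSV)
    print(controls_for(m, ["ID.AM-1", "PR.AC-1"], "moderate"))
    print(unassigned_controls(m, ["ID.AM-1", "PR.AC-1"]))
```

Swap the constructed CSV for the full mapping exported from the NIST spreadsheet and the same two functions give a baseline-scoped control list for any set of subcategories.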
Dangers
  • Often devolves to paper pushing exercise.
  • Maintaining and updating it is a significant investment.
How this affects you

This is a work in progress to develop a strategy.

  • More standardization.
  • More formalization of roles.
  • More internal training on policies and procedures.