NIST CSF Cores
The NIST CSF (Cybersecurity Framework) core is like a set of desired cybersecurity activities and outcomes. It guides organizations in managing and reducing their cybersecurity risks. There are 5 main categories: Identify, Protect, Detect, Respond and Recover. These contain 108 subcategories in all.
It can be quite daunting to recall the main objectives of these categories for beginners. This is how I tried to consolidate all the subcategories to try and highlight the key points.
- IDENTIFY
I. Asset Management (ID.AM): Data, personnel, devices, systems, facilities -> Inventoried & mapped.
II. Business Environment (ID.BE): Organizational mission, objectives, activities -> Established & communicated.
III. Governance (ID.GV): Policies, legal and regulatory requirements -> Understood & managed.
IV. Risk Assessment (ID.RA): Asset vulnerabilities, threats, business impacts -> Identified & documented.
V. Risk Management Strategy (ID.RM): Risk management processes, risk tolerance -> Determined & agreed by stakeholders.
VI. Supply Chain Risk Management (ID.SC): Suppliers, third-party vendor contracts, supply chain RM processes -> Prioritized & assessed.
2. PROTECT
I. Identity Management, Authentication and Access Control (PR.AC): Physical access, remote access, permissions, assets -> Authenticated & limited.
II. Awareness and Training (PR.AT): Personnel, privileged users, stakeholders -> Trained & understand their roles.
III. Data Security (PR.DS): Data at rest, in transit -> Follows CIA & protected.
IV. Information Protection Processes and Procedures (PR.IP): Information, security policies, response plans, recovery plans -> Implemented & tested.
V. Maintenance (PR.MA): Maintenance (physical and remote), repair of assets -> Logged & performed with approved tools.
VI. Protective Technology (PR.PT): Security solutions are managed for -> Security & resilience.
3. DETECT
I. Anomalies and Events (DE.AE): Data flows, event data -> Collected & determined.
II. Security Continuous Monitoring (DE.CM): Network, personnel, unauthorized connections, devices -> Monitored & detected.
III. Detection Processes (DE.DP): Detection processes, activities, procedures -> Tested & constantly improved.
4. RESPOND
I. Response Planning (RS.RP): Response plans, procedures -> Maintained & executed.
II. Communications (RS.CO): Response activities -> Coordinated & consistent with response plans.
III. Analysis (RS.AN): Events notifications, incident impact, processes to analyze disclosed vulnerabilities -> Investigated & analyzed.
IV. Mitigation (RS.MI): Incidents, newly identified vulnerabilities -> Contained & mitigated.
V. Improvements (RS.IM): Response plans, strategies -> Updated & incorporates lessons learned.
5. RECOVER
I. Recovery Planning (RC.RP): Recovery plan -> Executed & maintained.
II. Improvements (RC.IM): Recovery plans, strategies -> Updated & incorporates lessons learned.
III. Communications (RC.CO): Recovery activities, public relations, reputation -> Managed & repaired.
While these short notes give a very high-level view of the CSF core, it could be useful to go through and recollect important points!
