4 Critical Elements of the NIST Risk Management Framework

The world has become heavily dependent on technology. To deal with the challenges, the NIST risk management framework from the National Institute of Standards and Technology was developed. As the NIST explains, their risk management framework (RMF) incorporates concepts of their cybersecurity framework, systems security engineering, and privacy risk management concepts. In this article, we’ll cover the most pertinent things that you should know about the NIST framework.

Understanding the Most Recent Updates

The most recent update to the framework was produced in December 2018 and addressed many of the shortcomings of the NIST framework’s initial publication. The latest iteration helps departments assess and manage risk by focusing on the protection of personal data. Responsibility for protecting this personal data is shared between the information security and privacy programs. The NIST Cybersecurity Framework is already an accepted standard, which we covered in detail in a previous post. The new NIST Risk Management Framework ties itself closely to the standards conceptualized by the Cybersecurity Framework.

Additionally, the NIST Risk Management Framework adds a preparation step before its changes are instituted. The first step organizations are asked to pursue is addressing the most critical organizational-level and system-level activities. Organizational activities include understanding current threats to the information systems, developing and implementing the company’s risk management strategy, and identifying the key stakeholders in the process. System-level preparation also deals with identifying stakeholders, but specifically those that directly influence the system. Preparation at the system level further includes conducting a risk assessment of the existing system and determining the security and privacy requirements necessary for the system to operate safely.

Supply Chain Risk Management (SCRM)

Within a supply chain, businesses are likely to interact with suppliers that may or may not have the same stringent security protocols introduced by their own risk management framework. To ensure that the system continues to perform as expected, personnel must verify that suppliers further up the supply chain conform to the NIST standards. Formal agreements or contracts should govern supplier operations such as storage, processing, and federal information transmission. The responsibility for ensuring that these standards are met falls to the organization through the authorizing personnel assigned to the supply chain.

Cloud and Shared System Authorization to Use

Authorization to Use (ATU) applies to all cloud and shared applications, systems, and services. Typically, it should be applied when the information an organization receives does not originate within the organization itself. The stipulation is that the organization must review the incoming information for risk in accordance with its own risk management strategy. Since this authorization happens internally within the organization, it saves the supplier the cost of having the data verified by an external investigating committee. Facility authorization extends this consideration, allowing systems that exist within a particular environment to inherit the parent organization’s controls and privacy plans.

A Holistic Approach to Security and Privacy

Organizations that depend on technology to perform their functions don’t have the luxury of ignoring the institution’s cybersecurity needs. The latest iteration of the NIST Risk Management Framework seeks to integrate with the risk management framework that the business has already developed. Additionally, senior management becomes more connected to the operations needed to ensure security across the organization. Governance-level decisions can then be informed by the practices and implementations carried out under the risk management framework. The current framework also keeps the most pertinent developments that the NIST Cybersecurity Framework already uses, giving it a basis to build on. If you’re interested in finding out how the Risk Management Framework works within an organization, contact our offices today! We can assist you with your business’s NIST risk management framework strategy.

Comparing ISO 27001 Standard and NIST Security Framework

Both the NIST security framework and the ISO 27001 standard deal with information security controls. The International Organization for Standardization (ISO) mentions that ISO 27001 provides guidelines for the establishment of an information security management system (ISMS). Digital Guardian informs us that the NIST security framework is designed to shore up inefficiencies in a business’s information security plans. 

It’s immediately apparent that both of these methodologies share a common goal. However, they’re not interchangeable. This article delves into the similarities and differences between the NIST’s framework and ISO 27001.

The Structure of the ISO 27001

The ISO 27001 standard has ten (10) clauses that outline the critical information for applicants. The first three (3) clauses go over references, terms, and a basic understanding of the standard. The seven that follow are instrumental in helping businesses develop and finalize their ISMS. They define the business’s organizational context and probe whether the company’s leadership is committed to ensuring the standard’s success. 

Other steps ask about the business’s ability to anticipate information security threats (cybersecurity and IT security) and manage its information security risk. The ISO standard examines the company’s established support network and suggests ways to improve and develop it. It then makes suggestions on the operation of the business’s ISMS.

As with all ISO standards, there is a built-in system for self-improvement. The final clauses of the ISO 27001 document focus on evaluating the established system’s performance and how to improve those processes. Implementing this standard can bring benefits to businesses in several ways. We covered previously how the ISO 27001 standard can work in concert with project management.

ISO 27001 Annex A has 14 Domains with 114 controls. NIST covers 110 of these controls. 

Understanding the NIST Security Framework

Since both the ISO 27001 standard and the NIST framework have similar goals, it’s evident that there will be overlap between their implementations. However, while the ISO 27001 standard was designed for a specific purpose, the NIST framework is more open-ended. As such, any business that uses information technology stands to benefit from this framework. The NIST security framework relies on five overarching principles:

  • Identify: This step determines the risks that exist within the organization from a cybersecurity perspective. It’s similar to the fourth clause of ISO 27001.
  • Protect: Businesses that have cybersecurity risks need to protect the organization’s data and infrastructure from them. This protection either stops threats from occurring or minimizes the impact of those threats if they enter the system.
  • Detect: The longer a threat remains undetected on a system, the more havoc it can cause. This step allows businesses to find threats faster and neutralize them.
  • Respond: This step creates an organized response so that all parties know what they have to do. In a cybersecurity breach, time is crucial to success. Having everything planned out beforehand speeds up deployment and engagement.
  • Recover: This stage focuses on getting the business’s systems back online and working as usual. It addresses factors such as backup and restore times, and allows the company some recovery time to get back on track after an attack.

Similar Yet Different

There are distinct similarities in how these methodologies approach the problem of information security. The NIST framework is highly flexible, which gives it a lot of room for application. However, this flexibility leaves the interpretation of the framework to the business implementing it. The ISO standard, on the other hand, is more prescriptive about what it provides to companies. The defined, cyclical nature of the standard makes it ideal for a specific situation. Unfortunately, it’s not very flexible in application. Despite this, we’ve covered several ways in which the ISO 27001 standard can benefit businesses.

If you’ve got questions about ISO 27001 or the NIST security framework, contact Sync Resource. Let our experts help you understand what each offers your business and which one is right for you.