Exciting developments are afoot in the world of cyber security: the National Institute of Standards and Technology has developed the Cybersecurity Framework, a voluntary framework of standards, guidelines, and practices for managing (and mitigating) cybersecurity risks. If you haven’t heard about it, here’s the CliffsNotes version:
The Cybersecurity Framework began back in 2013, when POTUS issued an executive order, Improving Critical Infrastructure Cybersecurity. The order tasked NIST with working with key stakeholders to create a voluntary framework that would reduce security risks to critical infrastructure (and reduce the impact of attacks on the economy, business infrastructure, and the government).
The framework is designed to be both flexible and cost-effective in order to help protect and secure critical infrastructure across sectors. It has five key functions: Identify, Protect, Detect, Respond, and Recover. The framework has one big goal: to help businesses reduce cyber security threats and attacks. The ‘Identify’ function exists to develop an understanding of the actual cybersecurity risk to your systems, users, data, assets, and functions.
The goals of identifying cybersecurity risks are:
- Identify both physical and software assets within your organization in order to establish a program for asset management.
- Identify and understand the organization’s business context – such as its role in the supply chain and its role in the critical infrastructure sector.
- Identify the cybersecurity policies that have been established – as well as any legal/regulatory requirements to which the organization must adhere.
- Identify a risk management strategy to include establishing risk tolerances (based on all of the above).
- Identify a supply chain risk management strategy to include all priorities, limitations, risk tolerances, and any assumptions used to support risk decisions made when managing risks in the supply chain.
Without the Identify function, the other functions are just lip service. As with most things, all of it sounds fine and dandy on paper, but the big problem that so many well-meaning organizations face is ‘the how’. How can an organization actually find the physical and software assets it uses, especially when documentation has been, at best, haphazard and minimal over the years? For many organizations, finding every single asset – especially with a lo-fi tool like Excel – would eat up far too many employee hours that are needed elsewhere for more pressing issues.
That being said, safeguarding the network from cybersecurity risks is not exactly something to put on the back burner. When a cyberattack hits a large business, such as Target, it makes national news – however, cybersecurity risks affect businesses of all sizes: a recent study shows that 58% of cyber attacks actually hit small businesses.
One possible solution? Ditch the procrastination, the Visio, and the Excel, and leave the cybersecurity risks behind in the dust with automated network diagramming and documentation software. With an automated solution, you can generate maps of the network without having to do the work by hand. Our software, netTerrain, for example, not only saves you the manual work of creating the network diagrams – it can also discover your network, connect with third-party systems, and import from Visio and Excel (among many other features that help you bring in data).