The Identify, Detect, Protect, Respond, Recover Lifecycle
10 Oct
The National Institute of Standards and Technology (NIST) is responsible for creating the cybersecurity framework that guides critical infrastructure organizations on how to identify, protect, detect, respond to, and recover from cyber incidents.
It is designed to be flexible so that organizations can tailor it to their specific needs and risk profiles.
The five functions of the framework – identify, protect, detect, respond, and recover – form a continuous loop that allows organizations to constantly adapt their cybersecurity posture in response to changes in the threat landscape.
Below, we will examine NIST and the five stages of this cycle in more detail.
What is NIST?
NIST is a non-regulatory agency of the United States Department of Commerce. Its mission is to promote innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life.
In the area of cybersecurity, NIST develops voluntary standards and guidelines that aim to improve the security of information systems.
These standards are used by organizations across all sectors, including government, critical infrastructure, and the private sector.
Difference between NIST and ISO
Currently, ISO 27001 is the most widely adopted security standard in the world, with tens of thousands of organizations certified in it.
NIST’s cybersecurity framework is not a standard like ISO 27001. Rather, it is a set of guidelines that organizations can use to assess and improve their cybersecurity posture.
One key difference between the two is that the NIST framework is flexible and customizable, while ISO 27001 is more prescriptive.
This means that organizations can tailor the NIST framework to their specific needs, whereas ISO 27001 – and its supplementary standard ISO 27002 – must be followed more rigidly, with auditors and certifiers ensuring compliance.
Companies can adopt either the NIST framework or ISO 27001, or both. Many organizations choose to use a combination of the two, as they complement each other well.
The first stage of the cycle is identification, in which organizations assess their assets and vulnerabilities and identify the risks they face. This information forms the basis for the rest of the decisions made in the other stages of the cycle.
Organizations should consider both internal and external factors when identifying risks. Internal factors include things like organizational structure, processes, and capabilities. External factors include things like the threat landscape, regulatory environment, and market trends.
It is important to note that risk is not static – it changes over time as the organization’s environment changes. Therefore, identification is an ongoing process that should be revisited regularly.
Other categories of cybersecurity that are part of the identify function are governance, risk management, and compliance. These help organizations set priorities and make informed decisions about how to allocate resources.
The second stage of the cycle is protection, in which organizations put controls in place to mitigate the risks they have identified. This might include things like implementing security protocols, deploying firewalls, or encrypting data.
No organization can be 100% secure – there will always be some residual risk that cannot be eliminated. The goal of protection is to reduce risk to an acceptable level.
Protection measures should be commensurate with the risks they are designed to mitigate. For example, an organization that is at high risk of a cyber attack would implement more stringent protection measures than one that is at low risk.
These measures must be constantly updated and adapted as the threat landscape changes. What was considered an acceptable level of risk yesterday might not be today.
Organizations should also have plans in place for how to respond to incidents when they do occur. These plans should be tested regularly to ensure that they are effective.
The third stage of the cycle is detection, in which organizations monitor their systems for signs of an attack. This might include things like intrusion detection systems, activity monitoring, and log analysis.
Detection is not the same as prevention. Prevention measures are designed to stop attacks from happening in the first place, while detection measures are designed to identify attacks that have already occurred.
Organizations should have a clear understanding of what types of activity constitute an attack. This will help them to set up appropriate detection mechanisms and to respond quickly when an incident does occur.
Detection is an important part of the cybersecurity lifecycle, but it is not enough on its own. Organizations must also have measures in place to respond to incidents when they are detected.
The fourth stage of the cycle is response, in which organizations take action to contain and mitigate the damage from a cyber incident. This might include things like cutting off access to compromised systems, notifying affected users, or initiating a PR campaign.
Response plans should be designed in advance so that they can be executed quickly and effectively when an incident occurs. These plans should be regularly tested and updated to ensure that they are still effective.
After an organization has identified and detected a cyber incident, it must then decide how to respond. The type of response will depend on the severity of the incident and the amount of damage that has been done.
Organizations should have a clear understanding of their critical assets and what would constitute an acceptable level of risk for each asset. This will help them to prioritize their response activities and make sure that they are taking appropriate actions to mitigate the risks.
The fifth and final stage of the cycle is recovery, in which organizations restore normal operations after a cyber incident. This might include things like rebuilding systems, updating software, or changing passwords.
Recovery plans should be designed in advance so that they can be executed quickly and effectively when an incident occurs. These plans should be regularly tested and updated to ensure that they are still effective.
Organizations should have a clear understanding of their critical assets and what would constitute an acceptable level of risk for each asset. This will help them to prioritize their recovery activities and make sure that they are taking appropriate actions to mitigate the risks.
The goal of the cybersecurity lifecycle is to help organizations continuously adapt their cybersecurity posture in response to changes in the threat landscape. By following this cycle, they will be constantly identifying and mitigating new risks.
Focusing your resources
Not every stage in the NIST lifecycle will require the same amount of attention or resources. How much focus an organization gives to each stage will depend on its specific needs and risk profile.
For example, an organization that is primarily concerned with data breaches may choose to focus more on the detection and response stages, while an organization that is primarily concerned with malware infections may choose to focus more on the protection and recovery stages.
When determining which stages will require the most attention from your business, consider the following:
- What are the most likely types of attacks that you will face?
- What are your critical assets?
- What is your acceptable level of risk?
Once you have answered these questions, you can start to prioritize the stages of the NIST cybersecurity framework that are most important for your organization.
The key is to make sure that your organization is giving adequate attention to all five stages of the cycle, and that you are constantly reassessing your needs and risks so that you can adjust your focus as necessary.
For many companies, especially small businesses, implementing this framework is daunting and time-consuming. At times, they may have to work with an outside cybersecurity firm to implement governance processes, technical controls, and security best practices.
It is important to remember that the NIST cybersecurity framework is not a silver bullet; it will not prevent all attacks or guarantee that your organization will never be breached. However, it is a valuable tool that can help you to reduce the risks associated with cyber incidents.