Cybersecurity risk management framework

In this session, Olga Torres, COO at Pirani, teaches us the objectives of NIST FRM, framework components, functions, and categories, implementing the framework, and a case study example in Pirani.

Definitions

According to the Cybersecurity and Infrastructure Security Agency (CISA): "Cybersecurity is the art of protecting networks, devices, and data from unauthorized access or criminal use and the practice of ensuring confidentiality, integrity, and availability of information.”

Objectives of NIST FRM

Risk Management: The primary objective of the NIST FRM is to facilitate effective risk management. This involves identifying, assessing, and mitigating cybersecurity risks within an organization's critical infrastructure, allowing them to make informed decisions to protect their assets.

Cybersecurity Resilience: Enhancing the resilience of critical infrastructure against cyber threats is a key goal. The framework helps organizations prepare for, withstand, and recover from cybersecurity incidents, ensuring minimal disruption to operations.

Improvement of Cybersecurity Capabilities: Provides a repeatable process designed to promote the protection of information and information systems commensurate with risk to facilitate the implementation of the Framework for Improving Critical Infrastructure Cybersecurity NIST CFS.

Framework Components

• Core: The Core is a set of desired cybersecurity activities and outcomes organized into Categories and aligned to Informative References
• Tiers: Tiers describe the degree to which an organization’s cybersecurity risk management practices exhibit the characteristics defined in the Framework
• Profile: Profiles are an organization's unique alignment of their organizational requirements and objectives, risk appetite, and resources against the desired outcomes of the Framework Core.

Framework Functions

1. Identify
2. Protect
3. Detect
4. Respond
5. Recover