The 2018 National Institute of Standards and Technology (NIST) Cyber Security Framework (CSF) is an updated version of the first version published in 2014. The two versions of the framework share some similarities but also differ in important ways. Generally, the NIST CSF was designed for organizations, including private institutions, to manage the risks and threats that arise from cyber security. Both the 2018 and 2014 versions have five major processes: identify, protect, detect, respond and recover.
The 2014 CSF stipulated guidelines with which businesses and organizations in the private sector could identify cyber security risks and threats, protect critical infrastructure from those threats, deploy appropriate response strategies to the identified risks, and recover in the event that a cyber-attack was carried out successfully. What it did not do, however, was provide guidelines on how organizations can use the framework to assess themselves, how to carry out supply chain risk management, and when organizations should consider seeking external participation. Conversely, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework was designed to do that. Consequently, organizations can derive more value from the COSO framework by coupling it with the CSF to achieve simplified risk management at the enterprise level as well as at the ground level.
Risk Assessment in the 2018 CSF
A critical review of the 2018 CSF reveals slight differences from the 2014 version, as well as from the COSO framework. This latest cyber security framework does provide guidelines with which organizations can assess their own capabilities for detecting and mitigating cyber security risks. Since the 2014 version did not provide any assessment guidelines, organizations and businesses in the private sector experienced some difficulty in applying it. In particular, the 2014 CSF put more focus on implementation tiers, effectively failing to discuss how organizations can grade or measure themselves in order to determine their performance from a cyber security perspective.
To fill these gaps, the updated 2018 CSF provides guidelines on how businesses and organizations can determine, by conducting self-assessments, whether they are actively managing cyber security risks and threats. The new 2018 section 4 is renamed “Self-Assessing Cybersecurity Risk with the Framework” and contains guidelines on how organizations can assess themselves. Additionally, the 2018 CSF contains detailed and integrated guidelines on supply chain risk management, which has been incorporated as part of the framework.
External Audit Engagement
Another major difference between the 2018 and 2014 CSFs is that the 2014 version did not advise users on when they should consider involving external parties in implementing or managing their cyber security frameworks. The 2018 CSF identifies four tiers which guide the processes and procedures that organizations should observe when including external parties in their cyber security programs. The tiers are:
- Tier 1 – Partial: The organization may lack the procedures and processes needed to collaborate on information sharing with external parties.
- Tier 2 – Risk informed: The organization understands its role in the ecosystem, but has not created processes to share information with other entities.
- Tier 3 – Repeatable: The organization receives information from partners to enable collaboration and risk-based management decisions.
- Tier 4 – Adaptive: The organization manages risks while actively sharing information with external parties to enhance cyber security.
Contrast with COSO
Whereas the CSF identifies the ways in which organizations can identify cyber risks, protect themselves by deploying appropriate measures, and assess themselves, the COSO framework does a more thorough job of defining the internal controls that enable organizations to achieve their objectives.
The COSO framework groups organizational goals into three major categories:
- efficiency and effectiveness in organizational operations,
- reliability in financial reporting, and
- compliance with existing laws and regulations.
The defined processes of the two frameworks are also different. The processes of the NIST framework are identify, protect, detect, respond, and recover. Each of these processes aims at managing cyber security risks that may harm an organization if the required actions are not taken.
The processes of the COSO framework focus on enabling organizations to use their internal control systems to achieve their missions. The processes comprise the control environment, risk assessment, control activities, information and communication, and monitoring. The control environment process aims at ensuring that ethical values and integrity are observed and that the organization is committed to deploying competent processes and resources. Risk assessment includes identifying and analyzing risks as well as managing change within the organization. Control activities are the procedures and policies put in place to aid in the achievement of organizational goals and objectives. Information and communication ensures that proper channels of communication are implemented, and monitoring is the process organizations use to evaluate their performance and report deficiencies where they exist. This description of COSO indicates that the framework is more of a supplement to the CSF.
Ultimately, organizations trying to handle the sprawling issues of risk management and cyber security will come across the NIST CSF as a starting point. Notably, the 2014 CSF offers a common structure for discussing and enhancing security. However, it has some limitations, which have been refined in the 2018 version based on feedback from the community. In the end, organizations can derive more value from coupling the CSF and COSO frameworks to achieve simplified risk management at the enterprise level as well as at the ground level.