How the NIST Frameworks Can Benefit Your Privacy and Cybersecurity Programs
Article

How the NIST Frameworks Can Benefit Your Privacy and Cybersecurity Programs

by Mark Knight
May 16, 2023

Share

Cybersecurity and privacy are increasingly critical concerns for organizations of all sizes, and keeping up with the latest threats and regulations is crucial for defense against evolving risks. But if your organization has ad hoc cybersecurity and/or privacy frameworks in place, or lacks a framework altogether, you may be relying on outdated or inaccurate information and non-authoritative sources, which can leave you lagging behind your competitors — and susceptible to risk.

Implementing industry-standard cybersecurity and privacy frameworks like those created by the National Institute of Standards and Technology (NIST), a federal agency under the U.S. Department of Commerce, provides a comprehensive approach to risk management that can help you maintain regulatory compliance, strengthen your cyber and privacy practices and get invaluable peace of mind.

Here’s a breakdown of the NIST frameworks and why they are essential for your organization. We’ll also cover the frameworks’ structures and how you can use the framework assessments to evaluate and manage risk, enabling you to make informed decisions about how to implement them in your own organization.

What Is the NIST Cybersecurity Framework?

The NIST cybersecurity framework (CSF) is a set of guidelines, standards and best practices created to help organizations better manage their cybersecurity risk and improve their cybersecurity posture. Though it’s not a mandatory tool, the NIST CSF is considered the gold standard for cybersecurity and can help your organization make informed decisions on how to better protect your networks and data.

What Is the NIST Privacy Framework?

The NIST privacy framework (PF) provides a structured approach to help organizations identify and manage data privacy risks, develop controls, implement policies and procedures, and communicate effectively with stakeholders about privacy issues. It is designed to be used in collaboration with the NIST CSF.

Why the NIST Frameworks Are Important

Implementing the NIST frameworks can help you:

  • Eliminate blind spots: The NIST frameworks can help you identify and fill any data security or privacy gaps that may have gone unnoticed.
  • Fulfill common contract requirements: Many organizations require vendors to adopt a cybersecurity and/or privacy framework, and the NIST frameworks are widely recognized as an industry standard.
  • Future-proof your organization: Implementing the NIST frameworks can help you fulfill your current compliance obligations, as well as future-proof your products and services to continue to meet these obligations amid a changing technological and policy landscape.
  • Facilitate communication: The NIST frameworks establish a common language for discussing cybersecurity and privacy-related issues, helping stakeholders across your organization understand each other and communicate more effectively.
  • Provide reassurance: Having the NIST frameworks in place allows your organization to prove to clients and prospects that you are committed to protecting personal information and ensuring the privacy rights of your customers, helping you build trust in the marketplace. Adhering to an industry-accepted standard boosts internal confidence as well.

Additionally, because the frameworks are flexible and customizable, your organization can implement specific controls depending on your unique needs and risk profile, enabling innovative solutions and allowing you to stay current with technology trends.

NIST Framework Structures

Though the NIST CSF focuses on cybersecurity issues while the NIST PF is devoted to privacy-related risks, both frameworks follow a similar structure. Each framework consists of three main elements: a core, profiles and implementation tiers.

Core: The framework core is a system of cybersecurity (for CSF) or privacy protection (for PF) activities and outcomes intended to enable a dialogue across all levels of an organization about prioritization level based on an organization’s values, business needs and associated risks.

Though the core shouldn’t function as a compliance checklist since NIST is a non-regulatory agency, you can use the core outcomes and activities to prioritize and discuss risks, tradeoffs and costs across your organization.

Profiles: The profile represents the activities and outcomes your organization has selected from the core and has prioritized as a focus in your cybersecurity and/or privacy risk management. Profiles can be used as a self-assessment and to compare your current state of cybersecurity and/or privacy protection vs. your target state.

Implementation tiers: The implementation tiers provide a baseline to assess your organization’s level of risk and whether it has sufficient resources to manage that risk and achieve its target profile. The different tiers reflect a progression from reactive responses to approaches that are agile and risk informed.

NIST Assessments

NIST assessments are typically categorized into a good, better and best model to gauge the maturity of an organization’s cybersecurity practices and progress toward achieving its cybersecurity goals.

Good: A good assessment examines an organization's cybersecurity or privacy posture from a high level. Geared toward organizations that are new to the NIST frameworks or have never done an assessment before, an assessment at this level acts as a broad health check of the policies and procedures you currently have in place and gives an indication of where gaps lie.

Better: The better assessment is a controls assessment that evaluates the effectiveness of an organization's controls and safeguards in addressing cyber risks. An organization using this assessment has typically implemented more advanced security controls and is regularly monitoring its systems for threats, and this level of assessment helps examine those controls and pinpoint areas for improvement.

Best: The best assessment is a maturity assessment that measures an organization's level of risk management maturity. This assessment is geared toward organizations that have implemented advanced controls, regularly conduct audits, vulnerability assessments and penetration testing and have executed a comprehensive incident response plan.

Some key NIST assessments include:

  • Risk assessment according to NIST CSF: This assessment allows organizations to evaluate their current cybersecurity practices and determine how well they align with the CSF. It examines your organization’s current implementation of the recommended NIST CSF controls and remaining risk levels and provides key findings to help you further improve cybersecurity policies and procedures.
  • Privacy risk assessment: Conducting a NIST privacy risk assessment helps organizations to analyze and assess privacy risk that may arise from the processing of individual data — something that is especially critical if your organization is subject to the General Data Protection Regulation or the California Privacy Rights Act. This evaluation focuses on risk models, risk assessment methodologies and approaches to determining privacy risk factors.
  • Risk assessment according to CIS Critical Security Controls: The Center for Internet Security (CIS) Critical Security Controls (CSC) assessment is a common evaluation that many organizations adopt to measure their cybersecurity capabilities against prescriptive best practices. It provides a list of controls and safeguards that your organization could put in place to address your cyber risks and details a project plan to help you improve your overall security posture.
  • Compliance assessment according to NIST 800-53: The NIST 800-53 standard is primarily used by U.S. federal agencies and contractors to establish security and privacy controls for information systems. This assessment examines an organization’s compliance with the criteria set forth in the NIST 800-53 cybersecurity framework. The controls address diverse requirements derived from mission and business needs, laws, executive orders, directives, regulations, policies, standards and guidelines.

Where to Start

Ready to implement NIST frameworks within your organization? Take these steps to get started.

Identify your cybersecurity and privacy objectives

Begin by establishing your organization’s cybersecurity and privacy objectives so you can better measure how the NIST frameworks can help you achieve success. These objectives should be aligned with your organization’s business goals and take into account regulatory requirements, stakeholder expectations and risk management considerations. By setting goals up front, you can begin to define the scope of your security needs and develop a plan of action.

Assess your current cybersecurity and privacy posture

Once your organization has confirmed its cybersecurity and privacy objectives, the next step is to assess your current cybersecurity and privacy posture.

This involves conducting detailed assessments, like the ones mentioned above, to evaluate your existing controls and processes for any threats, potential vulnerabilities or risks to your organization’s data and assets. The goal of the assessments should be to pinpoint gaps that exist between your current state and desired goals, identify which areas currently adhere to NIST standards and which need improvement, and determine the next steps your organization should take to strengthen your cybersecurity and privacy measures.

Leverage an outside resource

If you need assistance selecting and conducting assessments or simply want guidance on incorporating NIST frameworks throughout your organization, you can engage an outside advisor who has an in-depth knowledge of the frameworks and how to integrate them across your business. An advisor can offer strategies and tools that get your NIST compliance in order, so you can avoid disruption instead of scrambling to meet NIST frameworks and risking not doing it well.

Final Thoughts

Ultimately, aligning with a highly regarded, industry standard framework like the NIST CSF or PF helps your organization mitigate privacy and cybersecurity risks, better protect your networks and data, and identify areas for continuous improvement. Though adhering to a NIST framework — and completing the respective assessments — is a voluntary exercise, it’s also a vital opportunity for you to strengthen your cyber and privacy risk management practices, offer demonstrable proof of your data protection policies, reassure stakeholders and internal employees, and get peace of mind that your cybersecurity and privacy strategies will remain relevant for the long haul.


Contact our cybersecurity and data privacy experts for help incorporating NIST frameworks or conducting a NIST risk assessment, or explore other ways to embrace change and face the future with confidence.

Stay In Touch

Sign up to stay up-to-date with the latest accounting regulations, best practices, industry news and technology insights to run your business.

Author
Mark Knight - Risk Assurance & Advisory| Armanino
Partner
Mark Knight, CPA, CISA, CITP
Resources
Related News & Insights
6 Ways to Comply With the SEC’s New Cybersecurity Disclosure Rules - Isometric image with lock
Article
6 Ways to Comply With the SEC’s New Cybersecurity Disclosure Rules
Gain clarity on the new requirements and learn tips to help you streamline the reporting process.
October 27, 2023
Data Governance: A Guide for Managing Enterprise Risk
Article
Data Governance: A Guide for Managing Enterprise Risk
Learn why proper data governance is a critical component of managing enterprise risk.
August 03, 2023
Top SaaS Compliance Frameworks to Know and Why They Add Value
Article
Top SaaS Compliance Frameworks to Know and Why They Add Value
Strengthen your SaaS compliance and leverage key data privacy and cybersecurity compliance frameworks to drive growth.
April 20, 2023
View All