On February 12, 2013, Executive Order 13636, "Improving Critical Infrastructure Cybersecurity," directed the National Institute of Standards and Technology (NIST) to develop a "voluntary risk-based Cybersecurity Framework - a set of industry standards and best practices to help organizations manage cybersecurity risks." NIST issued version 1.0 of the resulting "Framework for Improving Critical Infrastructure Cybersecurity" one year later, on February 12, 2014. The Framework consists of three parts, the Framework Core, the Framework Implementation Tiers and the Framework Profiles, designed to give businesses and organizations of any size or sector a common structure for managing cyber risk; it does not prescribe specific controls.
The Framework Core has five Functions: Identify, Protect, Detect, Respond and Recover. Each Function is broken down into Categories and Subcategories (specific outcomes, such as maintaining an asset inventory or analysing detected events), and each Subcategory is mapped to Informative References, that is, existing standards such as ISO/IEC 27001, COBIT and NIST SP 800-53. Taken together, the Functions give a high-level view of an organization's security lifecycle: what it needs to protect, how it protects it, how it will notice an attack, what it will do in response, and how it will restore normal operations and limit the damage afterwards.
The Framework Implementation Tiers describe how rigorous and how well integrated an organization's cyber security risk management practices are, from Tier 1 (Partial) through Tier 2 (Risk Informed) and Tier 3 (Repeatable) to Tier 4 (Adaptive), covering both management's view of the risk and the organization's preparedness to respond effectively. In selecting a Tier, an organization should consider its regulatory requirements, threat environment, legal obligations and overall business objectives. The Tier therefore reflects how proactive a business chooses to be in defending against potential attacks and informs the measures it adopts. NIST is explicit that Tiers are not maturity levels and that moving to a higher Tier is only encouraged where it cost-effectively reduces risk; a Tier 1 organization is not necessarily doing anything wrong.
A Framework Profile is built by applying the Core and the chosen Implementation Tier to the organization's own situation: it aligns the Functions, Categories and Subcategories with the organization's business requirements, risk tolerance and resources. Organizations typically develop a Current Profile describing the outcomes they achieve today and a Target Profile describing the outcomes they need; the gap between the two becomes the prioritized action plan for preparing for and defending against an attack. Within the Profile, the organization will have identified its risks, including likelihood, susceptibility and level of preparedness, and what will be done in the event of an attack.
Cyber security has quickly become one of the major concerns of organizations because of their growing reliance on technology. Sensitive information travels across networks with increasing frequency each year, and as new technologies are developed to prevent cyber attacks, new strategies are developed by those who choose to attack. A comprehensive risk assessment and response plan will not stop an organization from being attacked, but it will limit the damage an attack can cause and shorten the time needed to recover.