By Lori D’Errico, Technical Infrastructure and IS Security Manager, The Beacon Mutual Insurance Company (Rhode Island)
When it comes to computer security, there are numerous standards, laws, regulations, and best practice strategies. It can be difficult for businesses to organize and prioritize these requirements in their effort to build and maintain a comprehensive security program. This is where the NIST Cybersecurity Framework can be effective.
NIST is a nonregulatory federal agency within the U.S. Department of Commerce. The overall mission of NIST is to enhance economic security. The NIST Cybersecurity Framework was created in 2014 to provide computer security guidelines for private businesses and a common standard in the United States. It is a comprehensive approach to security best practices.
The Cybersecurity Framework was developed from other established standards and practices to reflect current practice in cybersecurity. Each business still needs to identify the challenges unique to its own organization, but the goal is to have a common framework as a starting point. The NIST Framework is adaptable and can provide a connected strategy.
The NIST Cybersecurity Framework provides a method for identifying the most important activities to assure critical operations and service delivery. It helps establish a common language for cybersecurity and risk management. This is a key component to communicating a security strategy within businesses. The framework helps structure, manage, and reduce cybersecurity risk by establishing basic processes and essential controls. The goal is to provide businesses with the ability to prevent, detect, and respond to cyber attacks.
The NIST Cybersecurity Framework utilizes a risk-based approach and is organized as a set of activities. The foundation of the framework consists of four parts: Functions, Categories, Subcategories, and Informative References. The five functions are Identify, Protect, Detect, Respond, and Recover.
Each function contains categories that identify specific areas of focus, and each category has subcategories with specific objectives. The Informative References point to documentation, steps for execution, standards, and other guidelines that support each subcategory. There are four tiers of implementation, which can be used to determine the maturity level of your security program.
Although this may sound overwhelming, the framework provides straightforward suggestions that will not break the budget. It provides tips for training employees in security and offers suggestions, such as purchasing cybersecurity insurance to transfer financial risk of a security breach.
There are resources, documentation, and tools that a business can utilize to start applying best practices or simply evaluate where the business security program stands. If you are looking for guidance in managing and reducing cybersecurity risk, the NIST Cybersecurity Framework is worth evaluating.
This material has been prepared for informational purposes only, and is not intended to provide, and should not be relied on for, legal or security advice. You should consult your own legal and security advisors to determine what computer security practices are appropriate for your organization.