Monday 3 March 2014

NIST Cybersecurity Framework

NIST has just released Version 1.0 of its Cybersecurity Framework. It is mainly intended to improve the cyber security of critical infrastructure operators in the USA, but it can be applied to a much broader range of organisations across the world.

It is organised around five core functions:
  • Identify
  • Protect
  • Detect
  • Respond
  • Recover

Each function is broken down into categories, and each category is further subdivided into subcategories, which are the concrete outcomes you assess yourself against.

That is two more than Bruce Schneier's formulation, which has just Protect, Detect and Respond.

The basic idea is that you assess your organisation against the subcategories to define your current profile. You then define a target profile and work out the action plans and prioritisation needed to move from the current profile to the target profile.
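To make the profile workflow concrete, here is an added example (not part of the original post or of the NIST document) that scores a handful of subcategories for a current and a target profile, finds the gaps, and orders them into an action plan. The 0-4 maturity scale and the business weights are assumptions of this example, not something the framework defines. PR.DS-7 is quoted from the framework; the other subcategory identifiers are real framework IDs but their outcome statements are abbreviated here, and all scores are constructed sample data.

```python
"""Added example: a minimal NIST CSF current-vs-target profile gap analysis.

This is illustrative code, not from the NIST framework or the original post.
"""
from dataclasses import dataclass

# Assumed maturity scale (not defined by the framework):
# 0 = not performed, 1 = partial, 2 = documented, 3 = repeatable, 4 = measured
MAX_SCORE = 4

FUNCTION_NAMES = {
    "ID": "Identify", "PR": "Protect", "DE": "Detect",
    "RS": "Respond", "RC": "Recover",
}


@dataclass(frozen=True)
class Subcategory:
    ident: str     # framework ID, e.g. "PR.DS-7"; the function is the prefix
    outcome: str   # abbreviated outcome statement
    weight: int    # assumed business priority: 1 (low) to 3 (high)


# Constructed sample core: real IDs, abbreviated outcomes, assumed weights.
SAMPLE_CORE = [
    Subcategory("ID.AM-1", "Physical devices and systems are inventoried", 2),
    Subcategory("PR.AC-1", "Identities and credentials are managed", 2),
    Subcategory("PR.DS-7", "Development and testing environment(s) are "
                           "separate from the production environment", 3),
    Subcategory("DE.CM-1", "The network is monitored for potential events", 3),
    Subcategory("RS.RP-1", "Response plan is executed during/after an event", 2),
    Subcategory("RC.RP-1", "Recovery plan is executed during/after an event", 1),
]

# Constructed sample profiles: subcategory ID -> maturity score.
CURRENT_PROFILE = {"ID.AM-1": 2, "PR.AC-1": 2, "PR.DS-7": 1,
                   "DE.CM-1": 0, "RS.RP-1": 3, "RC.RP-1": 1}
TARGET_PROFILE = {"ID.AM-1": 3, "PR.AC-1": 4, "PR.DS-7": 4,
                  "DE.CM-1": 3, "RS.RP-1": 3, "RC.RP-1": 2}


def function_of(ident):
    """'PR.DS-7' -> 'Protect'."""
    return FUNCTION_NAMES[ident.split(".")[0]]


def gap_analysis(core, current, target):
    """Return action items for every subcategory whose target exceeds its
    current score, sorted by descending priority (gap * weight), then ID."""
    known = {sc.ident for sc in core}
    unknown = (set(current) | set(target)) - known
    if unknown:
        # A typo in a profile would otherwise silently drop a control.
        raise ValueError(f"profile references unknown subcategories: {sorted(unknown)}")
    items = []
    for sc in core:
        cur = current.get(sc.ident, 0)
        tgt = target.get(sc.ident, 0)
        for score in (cur, tgt):
            if not 0 <= score <= MAX_SCORE:
                raise ValueError(f"{sc.ident}: score {score} outside 0..{MAX_SCORE}")
        gap = tgt - cur
        if gap <= 0:
            continue  # already at or above target: nothing to plan
        items.append({
            "id": sc.ident, "function": function_of(sc.ident),
            "current": cur, "target": tgt, "gap": gap,
            "priority": gap * sc.weight, "outcome": sc.outcome,
        })
    items.sort(key=lambda item: (-item["priority"], item["id"]))
    return items


def gap_by_function(items):
    """Total remaining gap per core function, e.g. {'Protect': 5, ...}."""
    totals = {}
    for item in items:
        totals[item["function"]] = totals.get(item["function"], 0) + item["gap"]
    return totals


if __name__ == "__main__":
    plan = gap_analysis(SAMPLE_CORE, CURRENT_PROFILE, TARGET_PROFILE)
    for item in plan:
        print(f"{item['priority']:>2}  {item['id']:<8} {item['function']:<8} "
              f"{item['current']} -> {item['target']}  {item['outcome']}")
    print(gap_by_function(plan))
```

Running it lists the two highest-priority items first (network monitoring and separating development from production), drops RS.RP-1 because it is already at target, and gives a per-function total that shows where the bulk of the work sits. Real use would score all subcategories and tie the weights to the organisation's own risk assessment rather than the constants used here.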

It is not a very long document, and much of the useful information is in the appendices. It references other public standards widely.

Application Security

The framework does not have much to say about secure application development. However, it is extensible, so you can add your own categories and subcategories. It does cover access control and controls for data at rest and data in transit, among others.

PR.DS-7 (in the Data Security category under Protect) says:
The development and testing environment(s) are separate from the production environment

Useful Links

  • NIST Press Release 
