
Understanding the Benefits of Engaging in a NIST CSF Assessment

Nov 25, 2024

A cyber breach can have potentially devastating effects on a company. It can erode public trust, cause millions of dollars in losses, and even lead to fines and lawsuits. To help organizations improve their cybersecurity, the National Institute of Standards and Technology (NIST) released its Cybersecurity Framework (CSF) 2.0, a framework for managing and reducing cybersecurity risk that is maintained and updated by NIST.

Independent NIST CSF assessments completed by a CRI Certified Information Systems Security Professional (CISSP) use the CSF Core Functions and evaluate the controls around them to provide insight into an organization's specific cybersecurity risks.

Govern

An organization’s cybersecurity risk management strategy involves setting clear policies, expectations, and procedures that are communicated and monitored. The GOVERN Function guides organizations in aligning their cybersecurity efforts with their mission and stakeholder expectations while supporting broader enterprise risk management (ERM) goals. It focuses on understanding the organization’s context, defining roles and responsibilities, establishing cybersecurity policies, managing supply chain risks, and providing oversight for cybersecurity strategies. Effective governance ensures cybersecurity is integrated into the organization’s overall risk management approach.

Identify

If there is some sort of cyber breach, it is paramount to have a certain level of controls in place. For instance, a company may have some type of monitoring system in place to detect intrusions. Alternatively, there may be a threat detection metric that reads logs in order to flag specific file changes. Having the tools in place to identify breaches when they occur is a key aspect of mitigating risk and damage.

Protect

Each client has different security needs. A smaller local business may require a simpler protection plan, whereas something more complex may be necessary for a large multinational corporation that deals with sensitive information. NIST CSF assessments performed by CRI assessors aim to ensure organizations have as much protection as possible, which starts with the evaluation of a number of different aspects of a protection plan. It is crucial to ensure that the firewall is working and properly monitored. Employees need to be trained and understand how to react if a breach occurs. Without having measures like this in place, a company can put itself—and clients—at high risk.

Detect

After making sure that breach controls are in place, the next step is to detect whether a breach has occurred. There are distinct ways to tell. For example, if a computer has been hit with ransomware, the user may see the dreaded skull and crossbones graphic appear on their screen. However, by that point it is too late to do anything about it. Detecting a breach, or an attempted breach, is a crucial step toward mitigating or preventing a cyber attack. A combination of technological and people-based controls is needed to detect breaches. Typically, companies will have a unique set of needs based on their size and the complexity of their operations.

Respond

Once a breach is detected, it is time to respond as quickly as possible. If a breach occurs on a specific network, the affected systems must be isolated to prevent it from spreading. Additionally, the response is not limited to the IT side of things. There also needs to be a proper response with regard to communications. With so much sensitive information at risk, having these policies in place makes certain that no data is divulged to the general public.

Recover

After responding to the impact of a breach, it is time for the recovery process. This is the final stage when evaluating a company's capabilities for mitigating damage from a breach. There need to be procedures and policies in place that aim to restore what was affected by the incident. For instance, recovering from a ransomware attack requires that specific backup and restore processes are followed.

Seek Guidance

If your organization is considering an independent NIST Cybersecurity Framework (CSF) assessment to evaluate and manage cybersecurity risks, contact your CRI professional for guidance on starting the process. For additional details about the NIST CSF, visit the NIST Cybersecurity Framework homepage. Taking proactive steps now can strengthen your organization’s cybersecurity posture and align it with industry best practices.
