NIST Cybersecurity Framework: A Guide to Achieving SaaS Security and Compliance

How can productivity and risk in SaaS environments be balanced?

Released in 2014, the NIST Cybersecurity Framework (CSF) helps organizations understand their cybersecurity risks (vulnerabilities, threats, and impacts) and reduce those risks with customized measures.

The changes to the work environment due to COVID-19 and the growth of SaaS bring new security challenges. Although the framework was published and updated while SaaS was on the rise, it is still tailored toward classical critical-infrastructure security challenges. However, to respond to these new risks, organizations can adapt the CSF to modern, SaaS-based working environments.

This article points out the CSF’s key merits, reviews its key elements, and suggests how to implement them for SaaS security.

Overview of the Framework

The CSF lays out five security functions, then splits them into categories and subcategories. The actual controls are contained in subcategories. For each subcategory, the CSF includes cross-references to well-known standards and frameworks such as NIST SP 800-53, ISO 27001, ANSI/ISA-62443, and COBIT.

These cross-references help organizations implement the CSF and map it to other frameworks. For example, security managers or other team members can use the references to justify their decisions no matter what security standard the company needs to comply with.

The Framework combines several approaches to dealing with cybersecurity risk, including:

  • Setting procedures
  • Training
  • Role definition
  • Auditing
  • Monitoring

The framework has five core functions: Identify, Protect, Detect, Respond and Recover. These functions should be performed concurrently and continuously to form an operational culture that addresses dynamic cybersecurity risks. We break them down into bullets below.

Identify

NIST defines it as follows:

“Develop an organizational understanding to manage cybersecurity risk to systems, people, assets, data, and capabilities.”

Examples of subcategories included within this function are:

  • Asset Management
  • Business Environment
  • Governance
  • Risk Assessment
  • Risk Management Strategy

Protect

NIST defines it as follows:

“Develop and implement appropriate safeguards to ensure delivery of critical services.”

It supports the ability to contain or limit the impact of a potential cybersecurity event.

Examples of subcategories included within this function are:

  • Identity Management and Access Control
  • Awareness and Training
  • Data Security
  • Information Protection Processes and Procedures
  • Maintenance
  • Protective Technology

Detect

NIST defines it as follows:

“Develop and implement appropriate activities to identify the occurrence of a cybersecurity event.”

It enables the timely discovery of cybersecurity events.

Examples of subcategories included within this function are:

  • Anomalies and Events
  • Security Continuous Monitoring
  • Detection Processes

Respond

NIST defines it as follows:

“Develop and implement appropriate activities to take action regarding a detected cybersecurity incident.”

It supports the ability to contain the impact of a potential cybersecurity incident.

Examples of subcategories included within this function are:

  • Response Planning
  • Communications
  • Analysis
  • Mitigation
  • Improvements

Recover

NIST defines it as follows:

“Develop and implement appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity incident.”

It supports timely recovery to normal operations to reduce the impact of a cybersecurity incident.

Examples of subcategories included within this function are:

  • Recovery Planning
  • Improvements
  • Communications

How to Use the Framework

An organization can use the Framework to identify, assess, and manage cybersecurity risk. The Framework is not designed to replace existing processes; an organization can overlay its current process onto the Framework to determine gaps in its cybersecurity risk approach and develop a roadmap for improvement.
