CIS and NIST Frameworks | Why they matter in a risk assessment

Every day, hundreds, if not thousands, of new cybersecurity threats are uncovered. Cybersecurity Ventures projects global cybercrime costs to reach $10.5 trillion annually by 2025. With profits like that, cybercriminals aren’t backing down any time soon.

But here’s the good news: as threats grow, so does our ability to identify them and fight back, protecting data from exploitation.

Cybersecurity frameworks lay a crucial foundation in the fight for data protection. Moreover, risk assessments based on these frameworks can help identify system weaknesses to bolster defenses further.

WEBIT Services has helped its clients develop cybersecurity strategies and practices for over 25 years using cybersecurity frameworks.

By the end of this article, you will learn about two key cybersecurity frameworks, their importance, and how they are foundational for risk assessments.

NIST and CIS frameworks

In response to the growing threat of cyberattacks, leading information technology specialists came together to create cybersecurity frameworks for the IT industry. Cybersecurity frameworks set the standard for various IT practices, including cybersecurity and compliance. Frameworks are created by experts who collect and evaluate data to determine the most efficient and effective practices for their IT focus.

Security frameworks will update their recommendations and practices to address new risks as cybercrime and technology change.

Quality IT security providers will follow one or more frameworks to ensure they use the best tools and practices to help protect their clients.

Both NIST and CIS are recognized cybersecurity frameworks.

National Institute of Standards and Technology (NIST)

The National Institute of Standards and Technology (more commonly known as NIST) created its NIST cybersecurity framework in 2013.

The NIST framework was created by IT experts within the United States, and it identifies five main steps to protect data:

  1. Identify
  2. Protect
  3. Detect
  4. Respond
  5. Recover

Center for Internet Security (CIS)

Unlike NIST, the Center for Internet Security (also known as CIS) is an international collection of IT and technology experts. It was founded in 2000, and its framework is currently in version 8.

CIS has frameworks both for cybersecurity and specific compliance standards like HIPAA.

The CIS security framework summarizes its steps as follows:

  1. Inventory
  2. Track
  3. Correct

In full, the CIS framework currently comprises 18 Controls, which break down each process used to inventory, track, and correct threats.

Benefits of using frameworks

While the terminology may differ, the core instructions of both NIST and CIS frameworks are the same.

They both instruct IT security to:

  1. Identify or Inventory hardware, software, and practices in use.
  2. Protect the system through various tools and practices.
  3. Detect or Track threats and malicious activity.
  4. Respond to or Correct detected threats.
  5. Recover system functionality and lost data, if possible.

These five steps encompass the goals and strategies of cybersecurity.

If your IT provider or internal IT department is not following a framework, they are likely missing a key piece of their cybersecurity strategy.

  1. Missing the Identify step means that unidentified hardware does not receive protection, potentially exposing the entire system.
  2. Missing the Protect step means the system is exposed and vulnerable to cyberattacks.
  3. Missing the Detect step means viruses and malicious activity go unnoticed.
  4. Missing the Respond step means viruses and malicious activity are not addressed or removed.
  5. Missing the Recover step means that data and functionality are lost.

While there is flexibility regarding which tools, programs, and strategies can be used within the framework, an official framework must be followed for maximum effectiveness.

If your company is not following an official cybersecurity framework, you are missing critical security elements and are exposed to preventable risks.

IT risk assessments

Using a chosen security framework, your IT provider will perform regular risk assessments to detect and respond to security vulnerabilities. These vulnerabilities are then ranked as low, medium, high, or critical risk. Afterward, a response plan is created.

These security profiles are a snapshot of the risks and security within an organization’s system at that specific point in time.

New risks are constantly discovered, so risk assessments should be performed throughout the year.

IT providers usually recommend quarterly assessments. This interval allows enough time to thoroughly address identified risks while keeping users aware but not overwhelmed.

Risk assessments performed more often do not leave enough time to execute the projects that address current risk priorities and to see the resulting improvements. Conversely, assessments performed less frequently leave gaps in risk awareness, creating preventable vulnerabilities.

However, if there has been a significant system change (for instance, an influx of 50 new employees who all need new computers), a risk assessment should be performed before the 90-day benchmark. This will help locate and address any new weaknesses and, in turn, will help protect your system amid modifications.

Risk assessment process

Risk assessments will follow their chosen framework. If an assessment does not follow a framework, there will be security knowledge gaps and preventable vulnerabilities.

A risk assessment following a framework will:

  1. Identify your system's hardware, software, and IT resources.
  2. Assess what protections (endpoint protection, cybersecurity practices, etc.) are in place.
  3. Detect new risks (malware, aging or failing hardware, system updates, etc.).
  4. Recommend responses to each identified risk.

Your IT provider will let you know each identified risk and its level of impact (low, medium, high, or critical). From there, they will list recommended responses based on the risk impact levels.

Recommended responses may include updating software, replacing older hardware, removing malicious software, and evaluating cybersecurity practices and habits of the organization.

Risk assessment benefits

Risk assessments holistically track improvements and weaknesses in your security system and practices when used alongside a framework. This allows you to strategically address critical risks before they become a significant problem.

Risk assessments allow your organization to:

  1. Identify at-risk software and hardware.
  2. Identify new malware, viruses, and other threats created by cybercriminals.
  3. Identify weak cybersecurity practices that can be improved.

When weak practices are identified, they can inform targeted security training for that quarter.

For example, suppose an assessment shows that several employees are clicking phishing links. This could be a sign that they do not know how to identify phishing emails or the risk posed by unfamiliar links.

In response, your organization requires employees to participate in cybersecurity training that focuses specifically on the dangers of phishing emails and how they endanger your company and client data.

You should see significant improvement in this area in the following risk assessment.

Each assessment gives you a detailed look at your system’s security at that point in time, so you and your IT provider can work together to improve security and decrease risk.

Looking at your next risk assessment

While each cybersecurity framework may use varying language or focus, its main steps can be summarized as follows:

  1. Identify
  2. Protect
  3. Detect
  4. Respond
  5. Recover

Risk assessments follow these steps to help your organization identify system weaknesses and strategize responses for better security tools and practices. Following frameworks and performing quarterly risk assessments keeps you aware of risks and builds protection against cyber threats.

For over 25 years, WEBIT Services has utilized both NIST and CIS security frameworks to help clients build strategies and protect their data.

If you haven’t had a risk assessment in the last 90 days, don’t let it go much longer. The cost of not doing one could be very high.

Talk to your IT provider about your next risk assessment and ask if these assessments follow an endorsed framework like NIST or CIS. It might be time to look for a new provider if they do not.

If you’re ready to have a conversation about security frameworks and risk assessments for your business, schedule a free 30-minute consultation with WEBIT.
