NIST framework core

The Functions are the highest level of abstraction included in the Framework. They act as the backbone of the Framework Core that all other elements are organised around. These five Functions were selected because they represent the five primary pillars for a successful and holistic cyber security programme. They aid organisations in easily expressing their management of cyber security risk at a high level and enabling risk management decisions.

The Identify Function assists in developing an organisational understanding to managing cyber security risk to systems, people, assets, data, and capabilities. Understanding the business context, resources that support critical functions, the related cyber security risks enable an organisation to focus and prioritise its efforts, consistent with its risk management strategy and business needs. Outcome Categories within this Function include:

• Identifying physical and software assets within the organisation to establish the basis of an Asset Management programme.
• Identifying the Business Environment, the organisation supports including the organisation's role in the supply chain, and the organisations place in the critical infrastructure sector. 
• Identifying cyber security policies established within the organisation to define the Governance programme as well as identifying legal and regulatory requirements regarding the cyber security capabilities of the organisation. 
• Identifying asset vulnerabilities, threats to internal and external organisational resources, and risk response activities as a basis for the organisations Risk Assessment. 
• Identifying a Risk Management Strategy for the organisation including establishing risk tolerances. 
• Identifying a Supply Chain Risk Management strategy including priorities, constraints, risk tolerances, and assumptions used to support risk decisions associated with managing supply chain risks.

The Protect Function outlines appropriate safeguards to ensure delivery of critical infrastructure services and supports the ability to limit or contain the impact of a potential cyber security event. Outcome Categories within this Function include:

• Protections for Identity Management and Access Control within the organisation including physical and remote access.
• Empowering staff within the organisation through Awareness and Training including role based and privileged user training.
• Establishing Data Security protection consistent with the organisation’s risk strategy to protect the confidentiality, integrity, and availability of information.
• Implementing Information Protection Processes and Procedures to maintain and manage the protections of information systems and assets.
• Protecting organisational resources through Maintenance, including remote maintenance, activities
• Managing Protective Technology to ensure the security and resilience of systems and assets are consistent with organisational policies, procedures, and agreements.

The Detect Function defines the appropriate activities to identify the occurrence of a cyber security event. The Detect Function enables timely discovery of cyber security events. Outcome Categories within this Function include:

• Ensuring Anomalies and Events are detected, and their potential impact is understood.
• Implementing Security Continuous Monitoring capabilities to monitor cyber security events and verify the effectiveness of protective measures including network and physical activities.
• Maintaining Detection Processes to provide awareness of anomalous events.

The Respond Function includes appropriate activities to act regarding a detected cyber security incident. The Respond Function supports the ability to contain the impact of a potential cyber security incident. Outcome Categories within this Function include:

• Ensuring Response Planning process are executed during and after an incident.
• Managing Communications during and after an event with stakeholders, law enforcement, external stakeholders as appropriate
• Analysis is conducted to ensure effective response and support recovery activities including forensic analysis and determining the impact of incidents.
• Mitigation activities are performed to prevent expansion of an event and to resolve the incident.
• The organisation implements Improvements by incorporating lessons learned from current and previous detection / response activities.

The Recover Function identifies appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cyber security incident. The Recover Function supports timely recovery to normal operations to reduce the impact from a cyber security incident. Outcome Categories within this Function include:

• Ensuring the organisation implements Recovery Planning processes and procedures to restore systems and/or assets affected by cybersecurity incidents.
• Implementing Improvements based on lessons learned and reviews of existing strategies.
• Internal and external Communications are coordinated during and following the recovery from a cyber security incident.