top of page

NIST Cybersecurity Framework 

The Basis of CAN/DGSI 104 

5 Minute Module



In today’s interconnected world, cybersecurity is a top priority for organizations of all sizes. From small startups to multinational corporations, every business must safeguard its systems and data against a wide array of threats. One of the most effective ways to do this is to adopt a well-established compliance framework that guides the organization in building robust cybersecurity defenses. Among these frameworks, the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) has emerged as a leading standard. The CAN/DGSI 104 standard is based on this Framework and customized to Canadian requirements for Small and Medium-Sized Businesses (SMBs).


This Learning Module delves into the NIST Cybersecurity Framework, its components, and how it aligns with regulatory compliance efforts to ensure comprehensive security and risk management. While NIST is international, CAN/DGSI 104 is Canadian and is based on the NIST Framework. As a Canadian business, 123 Cyber uses the CAN/DGSI 104 Standard when conducting Audit Preparations, but it is also good practice to understand NIST, as it is the forefather of CAN/DGSI 104.


What is the NIST Cybersecurity Framework?


The NIST Cybersecurity Framework was first introduced in 2014 in response to Executive Order 13636, which emphasized improving critical infrastructure security. Developed by the National Institute of Standards and Technology (NIST), this framework provides voluntary guidance to organizations to manage and reduce cybersecurity risks. Over the years, it has become widely adopted across various industries, not just in critical infrastructure but also in finance, healthcare, and other sectors. 


The framework’s strength lies in its flexibility and adaptability. Organizations can use it regardless of size, industry, or cybersecurity maturity level. By aligning with the NIST Cybersecurity Framework, businesses can establish a common language for cybersecurity and integrate it seamlessly into their overall risk management strategy. 


Core Components of the NIST Cybersecurity Framework 


The NIST CSF is built around three key components: 

  • The Framework Core 

  • Implementation Tiers 

  • Profiles 


1. Framework Core 


The Framework Core provides a set of activities, outcomes, and references that are common across industries and are designed to improve cybersecurity. It consists of five primary functions: 


  • Identify: Develop an organizational understanding of cybersecurity risks to systems, assets, data, and capabilities. This includes asset management, governance, and risk assessment. 

  • Protect: Implement safeguards to ensure the delivery of critical infrastructure services. This involves access control, awareness training, data security, and protective technology. 

  • Detect: Develop and implement activities to identify cybersecurity events promptly. This includes continuous monitoring and anomaly detection. 

  • Respond: Take action regarding a detected cybersecurity event to minimize its impact. Activities here include incident response planning, mitigation, and communication. 

  • Recover: Restore capabilities or services that were impaired due to a cybersecurity incident. This involves recovery planning and improvements based on lessons learned. 


2. Implementation Tiers 


The Implementation Tiers help organizations understand their approach to managing cybersecurity risks. There are four tiers: 


  • Tier 1 (Partial): Risk management is ad hoc and not formalized.

  • Tier 2 (Risk-Informed): Some risk management processes are in place but not standardized.

  • Tier 3 (Repeatable): Risk management is formally established and consistently applied.

  • Tier 4 (Adaptive): Risk management processes are continuously improving and integrated with the organization’s overall goals.


These tiers allow organizations to assess their current cybersecurity posture and identify areas for improvement. 


3. Profiles 


Profiles are a tailored alignment of the Framework Core with organizational requirements, risk tolerance, and resources. A Current Profile outlines the organization’s existing cybersecurity practices, while a Target Profile defines the desired outcomes. By comparing these profiles, businesses can identify gaps and prioritize actions. 


Regulatory Compliance and the NIST Cybersecurity Framework 


Regulatory compliance plays a critical role in cybersecurity. Many industries operate under strict regulations designed to protect sensitive information, ensure privacy, and maintain operational integrity. Examples include: 


  • Small and Medium-Sized Canadian Businesses: CAN/DGSI 104 is a Canadian cybersecurity standard that provides guidelines for implementing effective security controls to protect digital systems and sensitive information against evolving cyber threats.

  • Healthcare: HIPAA (Health Insurance Portability and Accountability Act) 

  • Finance: GLBA (Gramm-Leach-Bliley Act) and PCI DSS (Payment Card Industry Data Security Standard) 

  • Government: FISMA (Federal Information Security Management Act) 

  • General Data Protection: GDPR (General Data Protection Regulation) 


NIST CSF as a Bridge to Compliance 


The NIST Cybersecurity Framework is not a regulatory requirement, but it serves as an effective bridge to achieving compliance. Its flexible structure allows organizations to map the framework’s functions, categories, and subcategories to specific regulatory requirements. 


For example: 


  • HIPAA: The Protect function aligns closely with HIPAA’s requirements for ensuring the confidentiality, integrity, and availability of electronic protected health information (ePHI). 

  • PCI DSS: The Detect function supports PCI DSS’s emphasis on regular monitoring and testing to maintain secure systems. 

  • GDPR: The Identify and Protect functions align with GDPR’s focus on data protection and privacy by design. 


Streamlining Compliance Efforts 


Using the NIST CSF can streamline compliance efforts by providing a unified framework that accommodates multiple regulatory requirements. Organizations can: 


  • Conduct Gap Analyses: Compare their Current Profile against the Target Profile and regulatory requirements to identify deficiencies. 

  • Prioritize Actions: Use risk-based decision-making to focus resources on the most critical compliance areas. 

  • Demonstrate Due Diligence: Documenting adherence to the NIST CSF shows regulators and stakeholders a commitment to cybersecurity. 


Benefits of the NIST / CAN/DGSI 104 Cybersecurity Framework


The NIST Cybersecurity Framework offers several benefits: 


  • Enhanced Security Posture: The framework’s comprehensive approach ensures that organizations address all aspects of cybersecurity. 

  • Risk-Based Approach: Businesses can prioritize cybersecurity activities based on their unique risk landscape. 

  • Interoperability: The framework aligns with other standards, such as ISO/IEC 27001, making it easier for multinational organizations to achieve global compliance. 

  • Cost Efficiency: By focusing resources on high-priority areas, organizations can optimize their cybersecurity investments. 

  • Stakeholder Confidence: Demonstrating alignment with the NIST CSF enhances trust among customers, partners, and regulators. 


Implementing the NIST / CAN/DGSI 104 Cybersecurity Framework 


Implementing the NIST CSF requires careful planning and execution. Here are the key steps: 


  • Establish Leadership Commitment: Secure buy-in from senior management to ensure adequate resources and support. 

  • Define the Scope: Identify the systems, assets, and processes to be covered by the framework. 

  • Conduct a Risk Assessment: Evaluate existing cybersecurity risks and vulnerabilities. 

  • Develop a Current Profile: Document the organization’s current cybersecurity practices. 

  • Set a Target Profile: Define desired outcomes based on business objectives and regulatory requirements. 

  • Create an Action Plan: Identify and prioritize initiatives to bridge the gap between the Current and Target Profiles. 

  • Monitor and Improve: Continuously assess performance and refine the framework as needed. 


Conclusion 


The NIST Cybersecurity Framework was the foundation on which the CAN/DGSI 104 Standard was built, and it remains an indispensable tool for organizations seeking to bolster their cybersecurity defenses while meeting regulatory compliance requirements. Its flexible and comprehensive structure enables businesses to navigate the complex landscape of cybersecurity threats and regulations with confidence.


By adopting the NIST CSF (if you are outside Canada) or the CAN/DGSI 104 Standard (if you are in Canada), organizations not only enhance their security posture but also demonstrate a proactive commitment to protecting sensitive data and maintaining operational integrity. Whether you are a small business or a large enterprise, the NIST Cybersecurity Framework can be your roadmap to achieving robust cybersecurity and regulatory compliance.


---


This training series is based on CAN/DGSI 104, the National Standard of Canada "Baseline cyber security controls for small and medium sized organizations" (typically fewer than 500 employees), on the Canadian Centre for Cyber Security controls, and on the National Institute of Standards and Technology (NIST) Cybersecurity Framework.


This tutorial is a guideline for best practices, but you are encouraged to review your company's password policy to ensure you are following your organization's procedures. 


---
