Fundamentals of Adopting the NIST Cybersecurity Framework by Moskowitz David;

Author:Moskowitz, David;
Language: eng
Format: epub
Publisher: The Stationery Office Ltd


4.4.2 Establishing a cybersecurity program

The Framework uses a standard seven-step approach (NIST, 2018) to create or improve organizational cybersecurity capabilities, as shown in Figure 4.6. Repeat the steps as necessary to achieve the desired organizational cybersecurity state:

Step 1: Prioritize and scope
The organization identifies its business/mission objectives and high-level organizational priorities. With this information, it makes strategic decisions regarding cybersecurity implementations, and determines the scope of systems and assets that support the selected business line or process. The Framework is adaptable to support the different business lines or processes within an organization, which may have different business needs and associated risk tolerances. Those risk tolerances are reflected in the target Implementation Tier.

Step 2: Orient
Once the scope of the cybersecurity program is determined, the organization identifies the related systems and assets, applicable regulatory requirements, and its overall risk approach. The organization then consults sources to identify threats to, and vulnerabilities in, those systems and assets.

Step 3: Create a current Profile
The organization develops a current Profile by assessing and documenting which category and subcategory outcomes from the Framework Core it currently achieves. Outcomes that are only partially achieved should be noted as such; they provide baseline information for the subsequent steps.

Step 4: Conduct a risk assessment
The assessment is guided by the organization's overall risk management process or by previous risk assessment activities. The organization analyzes the operational environment to determine the likelihood of a cybersecurity event and the impact it could have on the organization. It should identify emerging risks, and use cyber threat information from internal and external sources, to understand the likelihood and impact of cybersecurity events.

Step 5: Create a target Profile
The organization creates a target Profile that focuses on assessing the Framework categories and subcategories that describe its desired cybersecurity outcomes. It may develop additional categories and subcategories to account for unique organizational risks. It may also consider the influences and requirements of external stakeholders such as sector entities, customers, and business partners when creating the target Profile. The target Profile should appropriately reflect the criteria of the target Implementation Tier.

Step 6: Determine, analyze, and prioritize gaps
The organization compares the current and target Profiles to determine gaps. Next, it creates a prioritized action plan to address those gaps, reflecting the mission drivers, costs and benefits, and risks of achieving the outcomes in the target Profile. The organization then determines the resources necessary to address the gaps, including funding and workforce. Using Profiles in this manner encourages the organization to make informed decisions about cybersecurity activities, supports risk management, and enables it to perform cost-effective, targeted improvements.

Step 7: Implement action plan
The organization determines which actions to take to address the gaps identified in the previous step, and then adjusts its cybersecurity practices to achieve the target Profile. For further guidance, the Framework identifies example informative references for the categories and subcategories, but the organization should determine which standards, guidelines, and practices, including those that are sector-specific, work best for its needs.





