Posted on Sep 4, 2017
Although not a regulatory framework, the U.S. National Institute of Standards and Technology (NIST) framework is considered an industry best practice for identifying, measuring, and managing cyber security risk.
In the 2016 Tenable Trends in Security Framework Adoption Survey, nearly a third of the IT and security professionals surveyed said the NIST cyber security framework was being leveraged by their organization, and 70 percent of those that adopted the framework did so because of its clout as a best practice standard.
The NIST framework has been updated from the Cybersecurity Enhancement Act of 2014 to make the framework easier to use and more refined.
The new version includes:
The framework is made of three parts – the core, the tiers, and the profiles.
The core of the framework is made up of 4 components:
The tiers are the cyber security outcomes, based on the organization’s business needs, that it has selected from the core categories and subcategories; they range from partial (tier 1) to adaptive (tier 4). For example, a more mature, or adaptive, organization would have a risk management approach that is informed by business needs and works in tandem with the overall risk management program. Having a tiered approach to the NIST framework has allowed organizations to measure their individual level of cyber security maturity and share this with senior management or a board of directors, essentially enabling them to benchmark performance. Once performance is measured and benchmarked, the board can understand how the organization adheres to the NIST security controls.
The organization’s current cyber security status and their roadmap towards NIST goals are outlined under profiles. The profiles are used to help organizations identify areas of opportunity by outlining their current state and comparing it to their desired state.
This two-pronged approach can help uncover areas of opportunity in which the organization can improve its cyber security implementations and ultimately adjust the ease with which the organization can move between tiers. The two profiles an organization has help connect the core elements to the business requirements, risk tolerance, and resources of the larger organization it serves.
NIST’s recent update helps ensure that organizations abiding by the three components described above are in a better position not only to react to malicious cyber activity, but also to prevent this type of activity from happening.