Posted on Sep 4, 2017
Although not a regulatory framework, the U.S. National Institute of Standards and Technology (NIST) framework is considered an industry best practice for identifying, measuring, and managing cybersecurity risk.
In the 2016 Tenable Trends in Security Framework Adoption Survey, nearly a third of the IT and security professionals surveyed said the NIST cybersecurity framework was being leveraged by their organization, and 70 percent of those that adopted the framework did so because of its clout as a best practice standard.
The NIST framework has been updated under the Cybersecurity Enhancement Act of 2014 to make the framework easier to use and more refined.
The new version includes:
The framework is made of three parts – the core, the tiers, and the profiles.
The core of the framework is made up of 4 components:
The tiers are the cybersecurity outcomes that are based on the organization’s business needs, selected from the core categories and subcategories, and that can range from partial (tier 1) to adaptive (tier 4). For example, a more mature, or adaptive, organization would have a risk management approach that is informed by business needs and works in tandem with the overall risk management program. Having a tiered approach to the NIST framework has allowed organizations to measure their individual level of cybersecurity maturity and share this with senior management or a board of directors, essentially enabling them to benchmark performance. Once performance is measured and benchmarked, the board can understand how the organization adheres to the NIST security controls.
The organization’s current cybersecurity status and its roadmap towards NIST goals are outlined under profiles. The profiles are used to help organizations identify areas of opportunity by outlining their current state and comparing it to their desired state.
This two-pronged approach can help uncover areas of opportunity in which the organization can improve its cybersecurity implementations and ultimately change the ease with which the organization can move between tiers. The two profiles an organization has help connect the core elements to the business requirements, risk tolerance, and resources of the larger organization it serves.
NIST’s recent update helps ensure that organizations abiding by the three components described above are in a better position not only to react to malicious cyber activity, but also to prevent this type of activity from happening.
With hackers finding new ways to attack third-parties in hopes of infecting a larger organization, the third-party ecosystem is more fragile than ever before.
The purpose of IT security risk assessment is to determine security risks to your company’s critical assets, and how much funding and effort should be used in their protection. Get started with SecurityScorecard’s step-by-step guide to managing your cyber risk.