National Institute of Standards and Technology
established in 1901
removes barriers to industrial competitiveness and improves access to resources to promote US research capabilities
NIST Cybersecurity Framework
voluntary framework that is designed to help organizations of all sizes and sectors to manage and reduce their cybersecurity risks
CSF core
CSF tiers
CSF organizational profiles
primary components to manage cybersecurity risk
CSF Core
describes cybersecurity outcomes that can be used by an organization of any size to reduce its cybersecurity risks
govern
identify
protect
detect
respond
recover
What are the six functions of CSF core?
CSF core: govern
this function establishes, communicates, and monitors the organization’s cybersecurity risk management strategy, expectations, and policy
assists an organization in achieving and prioritizing outcomes of the other five functions in relation to the organization’s mission and stakeholder expectations
CSF core: identify
this function focuses on understanding the assets and suppliers of an organization and the cybersecurity risk related to these assets and suppliers
includes identifying improvement opportunities related to the organization’s cybersecurity risk management policies, plans, processes, procedures and practices
CSF core: protect
focuses on an organization’s ability to secure its assets to prevent or reduce the likelihood and impact of adverse cybersecurity events
CSF core: detect
focuses on the timely discovery of cybersecurity attacks and incidents by analyzing anomalies, indicators of compromise, and other potentially adverse events that may indicate that a cybersecurity attack or incident is occurring
CSF core: respond
focuses on a company’s ability to contain the effects of cybersecurity incidents
CSF core: recover
focuses on supporting the timely restoration of a company’s normal operations to reduce the impact of cybersecurity incidents and communicate efforts effectively and appropriately
CSF Tiers: Tier 1
there is limited awareness of cybersecurity risks at the organizational level
CSF Tiers: Tier 2
the organization is aware of the cybersecurity risks in general and specific risks associated with its suppliers, but does not act consistently or formally in response to those risks
CSF Tiers: Tier 3
there is an organization-wide risk approach to cybersecurity where risks of assets, suppliers, and products and services are consistently and accurately monitored, as well as regularly communicated among senior leadership
CSF Tiers: Tier 4
through a process of continuous improvement that incorporates advanced cybersecurity technologies and practices, the organization actively adapts to a changing technological landscape and responds in a timely, effective manner to evolving threats
CSF organizational profiles
the mechanisms by which NIST recommends companies measure cybersecurity risk and establish a road map to ensure the organization can minimize such risk
a current profile
specifies the outcome that an organization is achieving based on the current cybersecurity posture
a target profile
specifies the desired outcome that an organization has prioritized achieving, and that considers anticipated changes to the organization’s cybersecurity posture
community profiles
are baseline outcomes developed among a number of organizations due to the shared interest and goals of a particular industry sector, topic, or use case
NIST Privacy Framework
published in early 2020
to protect individuals’ data as used in data processing applications
true
true or false: the NIST privacy framework also includes two extra approaches, control and communicate.
office of management and budget
requires the controls for federal information systems
the federal information security modernization act
requires the implementation of minimum controls to protect federal information and information systems