NIST cyber security framework
application of information technology in an organization is the systematic implementation of hardware and software so that information can be transmitted, modified, accessed and stored securely and efficiently
( identify, govern, protect, detect, respond, recover )
CSF CORE
describes cyber security outcomes that can be used by an organization of any size with a focus on reducing cyber risks through 6 functions: Govern, Identify, Protect, Detect, Respond, Recover
Identify ( ID )
focus on understanding the assets and suppliers of an organization and possible opportunities for improvement
Protect ( PR )
focus on the organization's ability to secure its assets to prevent or reduce the likelihood and impact of adverse cybersecurity events
Detect ( DE )
focus on the timely discovery of cybersecurity incidents by analyzing anomalies and red flags
Respond ( RS )
focus on ability to contain the effects of cyber security incidents
Recover ( RC )
support the restoration of the company's normal operations to reduce the impact of incidents
Govern
covers the tone at the top and oversight of the other 5 components through policy
CSF tiers
provides a measure of an organization's information security infrastructure sophistication in the form of 4 CSF tiers with 2 subtiers
cybersecurity risk governance
refers to the organizational oversight and decision-making around cyber security risks with a focus on senior management leadership and tone at the top
cybersecurity risk management
covers more of the day-to-day operational activities that identify, assess, respond to, and monitor cyber security risks
CRG tier 1 ( lowest ) ( partial )
used as needed as a reactive measure with no formal basis in organization objectives
CRM tier 1 ( lowest ) ( partial )
limited awareness of cyber security risks at the organizational level; implemented on an irregular basis without a process to share information across the organization
CRG tier 2 ( risk informed )
prioritization is based on organizational risks and management must approve efforts but policies are typically isolated and not organization wide
CRM tier 2 ( risk informed )
organization is aware of risks in general and of specific supply risks but does not act formally or consistently
CRG tier 3 (repeatable)
uses cybersecurity in planning and has formal documented policies that are frequently updated based on business landscape
CRM tier 3 (repeatable)
organization-wide risk approach to cybersecurity where risks of assets, suppliers, products and services are consistently and accurately monitored and communicated to leadership
CRG Tier 4 (adaptive) - highest level
risk-informed approach that is organization-wide and used to manage and monitor risks
CRM Tier 4 (adaptive) - highest level
process of continuous improvement that incorporates advanced cyber security technology and practices into the organization and actively adapts to change and responds in a timely manner
CSF organizational profile
Mechanism by which NIST recommends companies measure cybersecurity risk and how to minimize such risk; categorizes them into 2 profiles and 5 repeatable steps for continuous improvement: scope, gather info, create, analyze gaps between current and target, and implement
current profile
specifies the desired outcomes that an organization has prioritized achieving
target profile
specify desired outcomes and considers anticipated changes
community profile
baseline outcomes developed among a number of organizations due to shared interests and goals of industry sector or topic
NIST Privacy Framework
Similar risk management approach but applied to subjects differently ( identify, govern, protect, control, communicate )
NIST SP 800-53 framework
Set of security and privacy controls applicable to all information systems; now the standard for federal information security systems and stricter than the CSF and the Privacy Framework
NIST big 3 standardization frameworks