From the course: Cybersecurity Foundations

Adopting the NIST Cybersecurity Framework

- [Narrator] The second component of the NIST Cybersecurity Framework is the framework profile. This is used to align business outcomes and cybersecurity activities, providing a view of risks and a development plan to bridge the two.

The third and final component of the NIST Cybersecurity Framework is a maturity model for cybersecurity known as the implementation tiers. The basic level of cybersecurity maturity is the partial implementation tier. This is characterized by enterprise risk management being somewhat ad hoc and reactive, where cybersecurity activities aren't based on risk objectives or business outcomes, and where there's little external collaboration. At the next level of maturity, risk management practices are formalized but may not be adopted across the enterprise. There's informal sharing of cybersecurity information internally, but not externally. The third tier of maturity, repeatable, is where risk management is formalized and mandated as policy, and processes exist to respond to changes in risk. Collaboration and information sharing exist both internally and externally. The highest maturity level, adaptive, extends the third level with the awareness and agility to apply continuous changes to cybersecurity activities as a result of changes to assets, threats, and vulnerabilities.

When adopting the cybersecurity framework for an organization, NIST recommends establishing two profiles. The first should represent the current state of cybersecurity as assessed against the subset of enterprise-specific activities that have been selected as being required. This is what cybersecurity looks like now. The second should be the target state of cybersecurity, set as the acceptable level of risk against each of the enterprise-specific activities. A security plan of prioritized projects can then be defined to close the gap between the current and the target state framework profiles.
For an organization that's starting up its cybersecurity program, there are some key actions required to take advantage of the cybersecurity framework. The first is to identify the key business outcomes and then understand the threats and vulnerabilities to those outcomes. Create a profile, conduct a risk assessment, decide on the target profile, determine, analyze, and prioritize the gaps to create the action plan, and establish and execute a program to implement the plan.