Framework Overview
The Cybersecurity Framework (CSF) is a risk-based
approach to addressing information security risks. The framework is
composed of the following components:
Framework Core
The Framework Core involves actions that meet the
requirements and guidelines to address cybersecurity concerns. The core
consists of the following elements:
Functions
Functions represent the basic information security activities and help
the organization manage cybersecurity risk by organizing information, supporting
risk management decisions, responding to threats and learning from past
events.
Identify – The process of identifying critical business
resources and related information security risks to ensure prioritization
matches the business needs and risk management strategy. Categories
include:
- Asset Management
- Governance
- Risk Assessment
Protect – The process of minimizing the impact of a
potential breach or event. Categories include:
- Access Control
- Awareness and Training
- Maintenance
Detect – The ability to quickly detect information
security events. Categories include:
- Continuous Monitoring
- Anomalies
Respond – The ability to effectively react and contain
information security events. Categories include:
- Response Planning
- Communications
- Analysis
Recover – The process of quickly returning to a normal
operating environment in the event of a cybersecurity incident.
Categories include:
- Recovery Planning
- Communications
Categories
Categories are subdivisions of the core Functions; each groups the
outcomes that support a Function's higher-level goal and addresses identified needs.
Subcategories
Subcategories are a further subdivision of
categories into more precise technical or management initiatives.
Informative References
Informative References are related standards,
guidelines and practices that support the goals of subcategories.
Framework Implementation Tiers
The Framework Implementation Tiers illustrate how
an organization views cybersecurity risk and what processes are in place to
manage these threats. The tiers range from Tier 1 to Tier 4 with increasing
levels of rigor and sophistication. An organization's threat environment, legal and
regulatory responsibilities, business objectives, risk management program
and organizational limitations are all considered when selecting the
appropriate Tier. The organization's selected Tier should align with the
business, meet the organization's risk tolerance and be implementable with a
reasonable amount of effort. Whether a Tier selection succeeds is judged by
how well it meets the requirements outlined in the Framework Profile.
Tier 1: Partial
At this Tier, organizations are characterized by
ad-hoc risk management practices. The organization has limited cybersecurity
awareness and no organization-wide management approach. Information sharing with
external entities is unlikely.
Tier 2: Risk Informed
Management has approved the risk management
practices, but an organization-wide policy may not have been implemented. Information security
awareness exists but has not been disseminated across the organization. The
organization recognizes its role within the larger environment, but there is
no formal external interaction established.
Tier 3: Repeatable
A risk management program has been formally
accepted, with supporting policies that are updated regularly to
address changes in the threat landscape. Because the organization
understands its dependencies on, and contributions to, external partners,
its risk-based decisions are improved.
Tier 4: Adaptive
The organization adapts its risk management process based on feedback
and lessons learned. Information security
events are addressed through risk-based policies, procedures and
processes. Accurate threat information is actively shared with external
partners to improve posture before potential cybersecurity events occur.
Framework Profile
The Framework Profile aligns business requirements,
risk appetite and available resources with Functions, Categories, and
Subcategories. The Profile allows the organization to develop a strategy,
aligned with organizational goals, for reducing information security risks.
The Current Profile describes the cybersecurity outcomes already achieved. The
Target Profile represents the outcomes needed to reach the desired
cybersecurity posture. Overall, business needs and measured risk drive the
prioritization of remediating the gaps between the two.
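As an added illustration (not part of the original article and not NIST's own material), the Python below models a Current and a Target Profile as per-Subcategory scores and ranks the gaps between them by a business-assigned risk weight, so that remediation order follows measured risk as the paragraph describes. Scoring each Subcategory on the 1-4 Tier scale is an assumption made for the example; the Subcategory labels, scores and weights are constructed sample data, not official CSF identifiers.

```python
"""Gap assessment between a Current and a Target Profile (added example).

Assumption: each Subcategory outcome is scored once for the Current Profile
and once for the Target Profile on the 1-4 Tier scale the article describes.
All identifiers, scores and weights below are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Outcome:
    function: str      # e.g. "Identify"
    category: str      # e.g. "Asset Management"
    subcategory: str   # constructed label, not an official CSF identifier
    current: int       # Current Profile score, Tier scale 1..4 (assumption)
    target: int        # Target Profile score, Tier scale 1..4 (assumption)
    risk_weight: int   # business-assigned weight, 1 (low) .. 5 (high)


@dataclass(frozen=True)
class Gap:
    outcome: Outcome
    gap: int        # target - current, only positive values are gaps
    priority: int   # gap * risk_weight, higher is remediated first


def validate(outcome):
    """Reject scores outside the Tier range or weights outside 1..5."""
    for name in ("current", "target"):
        value = getattr(outcome, name)
        if not 1 <= value <= 4:
            raise ValueError(
                f"{outcome.subcategory}: {name} score {value} is outside Tier range 1-4")
    if not 1 <= outcome.risk_weight <= 5:
        raise ValueError(
            f"{outcome.subcategory}: risk weight {outcome.risk_weight} is outside 1-5")


def assess_gaps(profile):
    """Return the outcomes that fall short of their target, highest priority first."""
    gaps = []
    for outcome in profile:
        validate(outcome)
        delta = outcome.target - outcome.current
        if delta <= 0:
            continue  # already at or beyond the Target Profile: nothing to remediate
        gaps.append(Gap(outcome, delta, delta * outcome.risk_weight))
    # sort is stable, so equal priorities keep the order the profile listed them in
    gaps.sort(key=lambda g: g.priority, reverse=True)
    return gaps


def summarize_by_function(gaps):
    """Total remediation priority per Function, for reporting to the executive level."""
    totals = {}
    for g in gaps:
        totals[g.outcome.function] = totals.get(g.outcome.function, 0) + g.priority
    return totals


# Constructed sample profile: Function and Category names follow the article,
# the Subcategory labels and all numbers are made up for the example.
SAMPLE_PROFILE = [
    Outcome("Identify", "Asset Management", "hardware inventory maintained", 2, 4, 5),
    Outcome("Identify", "Governance", "security policy established", 3, 3, 3),
    Outcome("Protect", "Access Control", "remote access managed", 1, 3, 4),
    Outcome("Protect", "Awareness and Training", "all users trained", 2, 3, 2),
    Outcome("Detect", "Continuous Monitoring", "network monitored for events", 1, 4, 5),
    Outcome("Respond", "Response Planning", "response plan exercised", 2, 3, 3),
    Outcome("Recover", "Recovery Planning", "recovery plan exercised", 4, 3, 2),
]


if __name__ == "__main__":
    ranked = assess_gaps(SAMPLE_PROFILE)
    for g in ranked:
        o = g.outcome
        print(f"{g.priority:>3}  {o.function}/{o.category}: {o.subcategory} "
              f"(current {o.current}, target {o.target}, gap {g.gap})")
    print("per-Function totals:", summarize_by_function(ranked))
```

Outcomes whose Current score already meets or exceeds the Target (the Governance and Recovery Planning rows in the sample) drop out of the list, so the report only carries items that need work; the per-Function totals give the executive level a single figure per Function to weigh against risk tolerance.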
Framework Implementation
There are roughly three layers of information flow
and decision-making within an organization:
- Executive
- Business/Process
- Implementation/Operation
At the executive level, risk tolerance, business
mission and available resources are communicated. The Profile is created
at the business/process level, guided by the information obtained
from executives and by collaboration with the implementation/operations group.
Progress on implementing the Profile is communicated back to the
business/process group, where an impact assessment is conducted. The results of
the impact assessment are reported back to the executive level to update the
organization's risk management status.

