NIST Cybersecurity Framework


The NIST Cybersecurity Framework (NIST CSF) provides a policy framework of computer security guidance for how private sector organizations can assess and improve their ability to prevent, detect, and respond to cyber attacks. It "provides a high level taxonomy of cybersecurity outcomes and a methodology to assess and manage those outcomes." Version 1.0 was published by the US National Institute of Standards and Technology in 2014, originally aimed at operators of critical infrastructure. It is now used by a wide range of businesses and organizations, and helps shift organizations toward a proactive approach to risk management.

A security framework adoption study reported that 70% of the surveyed organizations see NIST's framework as a popular best practice for computer security, but many note that it requires significant investment.

It includes guidance on relevant protections for privacy and civil liberties.

The NIST CSF is designed with the intent that individual businesses and other organizations use an assessment of the business risks they face to guide their use of the framework in a cost-effective way.

The framework is divided into three parts, "Core", "Profile" and "Tiers". The "Framework Core" contains an array of activities, outcomes and references which detail approaches to aspects of cyber security. The "Framework Implementation Tiers" are used by an organization to clarify for itself and its partners how it views cybersecurity risk and the degree of sophistication of its management approach. Finally, a "Framework Profile" is a list of outcomes that an organization has chosen from the categories and subcategories, based on its business needs and individual risk assessments.

An organization typically starts by using the framework to develop a "Current Profile", which describes its current cybersecurity activities and what outcomes it is achieving. It can then develop a "Target Profile", or adopt a baseline profile that has been tailored to better match its critical infrastructure sector or type of organization. It can then take steps to close the gaps between its current profile and its target profile.

The NIST CSF organizes its "core" material into five "functions" which are subdivided into a total of 22 "categories". For each category, it defines a number of subcategories of cybersecurity outcomes and security controls, with 98 subcategories in all.
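The Core-to-Profile mechanics described above (a tree of functions, categories and subcategories; a Current and a Target Profile that each assign a level to the chosen outcomes; and a gap analysis between the two) can be made concrete with a small model. The code below is an added illustration, not part of the Wikipedia text and not NIST's own tooling. The five function names are the framework's real ones; the subcategory identifiers follow the CSF `Function.Category-N` naming pattern, but the outcome wording, the 0 to 4 achievement scale and every score in the two sample profiles are constructed for this example.

```python
"""Toy model of a NIST CSF Current-vs-Target Profile gap analysis.

Added example: illustrative only, not from the page or from NIST.
The Core is a tree Function -> Category -> Subcategory; a Profile assigns
each chosen subcategory an achievement level; the gap between the Current
and Target Profiles is what the organization then plans work against.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Subcategory:
    id: str        # CSF-style identifier, e.g. "ID.AM-1"
    function: str  # one of the five CSF functions
    category: str
    outcome: str   # short outcome statement (constructed wording)


# Subset of the Core. The five Function names are the real CSF functions;
# the outcome texts are paraphrased/constructed for this example.
CORE = [
    Subcategory("ID.AM-1", "Identify", "Asset Management", "Physical devices and systems are inventoried"),
    Subcategory("ID.AM-2", "Identify", "Asset Management", "Software platforms and applications are inventoried"),
    Subcategory("PR.AC-1", "Protect", "Access Control", "Identities and credentials are managed for authorized users and devices"),
    Subcategory("PR.DS-1", "Protect", "Data Security", "Data at rest is protected"),
    Subcategory("DE.CM-1", "Detect", "Continuous Monitoring", "The network is monitored to detect potential cybersecurity events"),
    Subcategory("RS.RP-1", "Respond", "Response Planning", "Response plan is executed during or after an incident"),
    Subcategory("RC.RP-1", "Recover", "Recovery Planning", "Recovery plan is executed during or after an incident"),
]

# A Profile maps chosen subcategory IDs to an achievement level 0..4
# (0 = not addressed, 4 = fully achieved). The scale is an assumption here.
Profile = dict[str, int]

# Constructed sample profiles: what the organization does today versus what
# its risk assessment says it should reach.
CURRENT_PROFILE: Profile = {
    "ID.AM-1": 3, "ID.AM-2": 1, "PR.AC-1": 2, "DE.CM-1": 1, "RS.RP-1": 2,
}
TARGET_PROFILE: Profile = {
    "ID.AM-1": 4, "ID.AM-2": 3, "PR.AC-1": 4, "PR.DS-1": 3,
    "DE.CM-1": 3, "RS.RP-1": 3, "RC.RP-1": 2,
}


def validate_profile(profile: Profile) -> None:
    """Reject IDs that are not in the Core and levels outside the scale."""
    known = {s.id for s in CORE}
    for sid, level in profile.items():
        if sid not in known:
            raise ValueError(f"unknown subcategory {sid}")
        if not 0 <= level <= 4:
            raise ValueError(f"level out of range for {sid}: {level}")


def gap_analysis(current: Profile, target: Profile) -> list[tuple[str, int]]:
    """Return (subcategory id, gap) for each target outcome not yet met,
    largest gap first (ties broken by id). An outcome chosen in the Target
    Profile but absent from the Current Profile counts as level 0."""
    validate_profile(current)
    validate_profile(target)
    gaps = []
    for sid, want in target.items():
        have = current.get(sid, 0)
        if want > have:
            gaps.append((sid, want - have))
    return sorted(gaps, key=lambda g: (-g[1], g[0]))


def gap_by_function(current: Profile, target: Profile) -> dict[str, int]:
    """Roll the per-subcategory gaps up to the five Functions, which is the
    level at which a target profile is usually summarised for management."""
    by_id = {s.id: s for s in CORE}
    totals: dict[str, int] = {}
    for sid, gap in gap_analysis(current, target):
        fn = by_id[sid].function
        totals[fn] = totals.get(fn, 0) + gap
    return totals


if __name__ == "__main__":
    for sid, gap in gap_analysis(CURRENT_PROFILE, TARGET_PROFILE):
        print(f"{sid}: gap {gap}")
    print(gap_by_function(CURRENT_PROFILE, TARGET_PROFILE))
```

Running the script lists `PR.DS-1` first (the data-at-rest outcome is in the target but not addressed at all today), and the per-function roll-up shows the Protect function carrying the largest total gap. A real assessment would replace the constructed scores with evidence-backed ratings and attach the informative references for each subcategory, but the shape of the analysis is the same.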


Wikipedia