
Cybersecurity Governance Frameworks | Implementing information security governance framework

Tailoring the NIST Cyber Security Framework for your business
The content of the NIST CSF is freely available, and there are several handy resources to help IT managers understand it.

Tailoring the framework to your own business needs is easier said than done. In this post we lay out five key steps for building your own cyber security framework, using the NIST CSF as its basis.

Step 1: Set your target goals
As with most plans, the key to success is understanding what you want to achieve by putting this framework in place. That way, you can better understand and measure what success looks like.

For most businesses, the key decision when setting goals is the level of risk that is acceptable to both the C-suite and the IT department: your risk tolerance.

Typically, it is the responsibility of the IT management team to pull together a definitive, written agreement that states exactly what level of risk is acceptable to your organisation, and to get the C-suite to sign it off.

Setting a clear budget is also essential when setting goals. Work within the confines of your own business, including the financial constraints on achieving those goals.

It may make sense to run a trial within a single department to learn what works and what doesn’t. Feedback at this stage can save you valuable resources once the framework is rolled out across the entire business and can help you to streamline your goals to make them more accurate and achievable.

Step 2: Create a detailed profile
The next step is to drill deeper and tailor the framework to your specific business needs.

NIST's Framework Implementation Tiers will help you understand your current position and where you need to be. Each tier is described in terms of three areas:

Risk Management Process
Integrated Risk Management Program
External Participation
Like most of the NIST CSF, these should not be taken as set in stone. They can be adapted for your organisation.

Each one runs from Tier 1 to Tier 4.

Tier 1 – Partial – generally denotes an inconsistent, ad hoc and reactive cybersecurity stance, with limited awareness of organisational risk.

Tier 2 – Risk Informed – risk management practices are approved by management and there is some awareness of risk, but they are not yet established as organisation-wide policy, so planning and prioritisation are not consistent across the business.

Tier 3 – Repeatable – indicates organisation-wide, formally approved policy and practices that are reviewed and updated regularly as risks and the business change.

Tier 4 – Adaptive – refers to practices that adapt to lessons learned and predictive indicators, with proactive threat detection and continuous improvement.

These tiers should be aligned to the goals you set out in step one of this process. Higher tiers represent a more rigorous and complete implementation of the CSF, but NIST is explicit that the tiers are not maturity levels and that moving to a higher tier is encouraged only when a cost-benefit analysis shows a feasible and cost-effective reduction in risk. Your ability to proactively detect and predict threats to your business will most likely depend on the budget allocated to cyber security, so the tier you aim for should reflect both your goals and that budget.

Step 3: Assess your current position
Once you have set your goals and created a detailed profile, it is time to assess your current position.

The starting point is a detailed risk assessment to establish your current status. You can use open source or commercial tools capable of scoring your target areas, or engage a cyber security specialist to carry out an independent assessment of your current position.

Once all areas have been scored, you can present the findings to your key stakeholders, showing the security risks to organisational operations, assets, and individuals. Vulnerabilities and threats should be clearly identified at this stage, not just the scores themselves.

Step 4: Gap analysis and action plan
Armed with a deeper understanding of risks and potential business impacts, you can move on to a gap analysis.

At this stage of the process, you compare your actual scores with your target scores. You may want to create a heat map to illustrate the results in an accessible and digestible way; any significant difference immediately highlights an area to focus on.

Work out what you need to do to close the gaps between your current scores and your target scores.

Identify a series of actions that will improve your scores and prioritise them through discussion with all key stakeholders. Specific project requirements, budgetary considerations, and staffing levels may all influence your plan, as should the business impact of each gap: a large gap in a low-impact area may rank below a smaller gap in a critical one.
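Steps 2 to 4 reduce to a small, repeatable computation: a current profile, a target profile, a weight per area reflecting business impact, and a ranked list of gaps with a heat map. The following is an added example, not code from the original post or from the video it accompanies. It follows the post in scoring each CSF Function on the 1-4 Tier scale (in a real assessment you would more likely score Categories or Subcategories); the two profiles and the impact weights are constructed sample data, and weighting a gap by impact to get a priority is a hypothetical scheme you should agree with your own stakeholders.

```python
"""Gap analysis between a current and a target NIST CSF profile.

Scores use the Framework Implementation Tier scale (1-4) per CSF 1.1
Function (Identify, Protect, Detect, Respond, Recover).  All profile
data below is constructed sample data, not from a real assessment.
"""
from dataclasses import dataclass

TIER_NAMES = {1: "Partial", 2: "Risk Informed", 3: "Repeatable", 4: "Adaptive"}

# Constructed sample profiles (assumption: one tier score per Function).
CURRENT_PROFILE = {"Identify": 2, "Protect": 2, "Detect": 1, "Respond": 1, "Recover": 2}
TARGET_PROFILE = {"Identify": 3, "Protect": 3, "Detect": 3, "Respond": 3, "Recover": 2}
# Hypothetical business-impact weights agreed with stakeholders (higher = more critical).
IMPACT_WEIGHT = {"Identify": 1.0, "Protect": 1.5, "Detect": 2.0, "Respond": 2.0, "Recover": 1.0}


@dataclass(frozen=True)
class Gap:
    function: str
    current: int
    target: int

    @property
    def size(self) -> int:
        return self.target - self.current

    def priority(self, weight: float) -> float:
        # Hypothetical scheme: gap size scaled by business impact.
        return self.size * weight


def validate_profile(profile: dict) -> None:
    """Reject scores outside the 1-4 Tier scale before they skew the analysis."""
    for fn, tier in profile.items():
        if tier not in TIER_NAMES:
            raise ValueError(f"{fn}: tier {tier!r} is outside the 1-4 scale")


def gap_analysis(current: dict, target: dict, weights: dict) -> list:
    """Return the Functions needing remediation, highest priority first."""
    validate_profile(current)
    validate_profile(target)
    if set(current) != set(target):
        raise ValueError("current and target profiles must cover the same Functions")
    gaps = [Gap(fn, current[fn], target[fn]) for fn in target]
    # Only positive gaps need work; rank by weighted priority, then raw size, then name.
    return sorted(
        (g for g in gaps if g.size > 0),
        key=lambda g: (-g.priority(weights.get(g.function, 1.0)), -g.size, g.function),
    )


def heat_map(current: dict, target: dict) -> str:
    """Text heat map: C = current tier, T = target tier, # = ground to cover, = no gap."""
    tiers = sorted(TIER_NAMES)
    lines = [f"{'Function':<10} " + "  ".join(f"T{t}" for t in tiers)]
    for fn in target:
        cells = []
        for tier in tiers:
            if tier == current[fn] == target[fn]:
                cells.append("=")
            elif tier == current[fn]:
                cells.append("C")
            elif tier == target[fn]:
                cells.append("T")
            elif current[fn] < tier < target[fn]:
                cells.append("#")
            else:
                cells.append(".")
        lines.append(f"{fn:<10} " + "  ".join(f" {c}" for c in cells))
    return "\n".join(lines)


def action_plan(gaps: list, weights: dict) -> list:
    """Human-readable remediation lines for the stakeholder discussion."""
    return [
        f"{i}. {g.function}: Tier {g.current} ({TIER_NAMES[g.current]}) -> "
        f"Tier {g.target} ({TIER_NAMES[g.target]}), priority {g.priority(weights[g.function]):.1f}"
        for i, g in enumerate(gaps, start=1)
    ]


if __name__ == "__main__":
    print(heat_map(CURRENT_PROFILE, TARGET_PROFILE))
    for line in action_plan(gap_analysis(CURRENT_PROFILE, TARGET_PROFILE, IMPACT_WEIGHT), IMPACT_WEIGHT):
        print(line)
```

With the sample data, Detect and Respond (each two tiers short and weighted most heavily) rank above Protect and Identify, and Recover drops out of the plan because it already meets its target. Re-running the same script after each remediation cycle gives you the "before and after" evidence stakeholders will ask for in step 5.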

Step 5: Implement your action plan
With a clear picture of the current health of your defences, a set of organisationally aligned target goals, a comprehensive gap analysis, and a set of prioritised remediation actions, you are ready to implement the NIST CSF.

Use your first implementation (for example, the single-department trial suggested in step 1) as an opportunity to document processes, capture what worked and what did not, and create training materials for the wider roll-out.

Video: Cybersecurity Governance Frameworks | Implementing information security governance framework, from the channel Luv Johar Free IT Training Videos.