Categories: For each of the five functions, there are categories that are specific challenges or tasks one must carry out. For instance, in order to protect (function) your systems, you must implement software updates, install antivirus and antimalware programs, and have access control policies in place.
Subcategories: These are the tasks or challenges associated with each category. For instance, in implementing software updates (category), an organization must ensure that all its Windows computers have auto-updates turned on (subcategory).
Information Sources: These are the documents and manuals that describe, step by step, how users carry out a specific task. An example would be a document detailing how auto-updates are enabled on Windows computers.
Implementation Tiers: The NIST Cybersecurity Framework specifies four implementation tiers, which help an organization assess its level of compliance. The higher the tier, the more compliant the operation is.
Profiles: Profiles under the NIST Cybersecurity Framework describe both the current status of your organization’s cybersecurity measures and the roadmap you have towards becoming NIST Cybersecurity Framework compliant. NIST suggests that maintaining these profiles lets organizations see their weak spots at every step of the way. Once an organization can plug these weaknesses, it becomes easier to move up to higher implementation tiers.
NIST Cybersecurity Framework: Is It a Fit for Us?
Not all companies are required to implement the NIST Cybersecurity Framework. However, the cost of a security breach can be significant. And if the financial complications aren’t harrowing enough, it’s impossible to place a value on the loss of customer trust and an organization’s reputation. It is recommended that companies, at the very least, understand the current state of their cybersecurity program, the risks they face, and the initiatives or strategies in place to address those risks.
MorganFranklin helps public and private companies benchmark their cybersecurity processes, controls and technologies against the NIST Cybersecurity Framework and make smart investment decisions to enhance their cybersecurity programs.