Summary
The NIST CSF is packed with useful information for setting up your cybersecurity and risk management programs. The core of the framework, made up of six functions, their categories, and subcategory controls, is used to reduce cyber risk in your organization. The framework will assist you and your team in elevating your security posture and maturing a program.
While many score the NIST CSF against a maturity model, it should be evaluated against risk. This is the true intent of the CSF, and it holds for other frameworks as well. Risk is further evaluated in three separate categories: risk management processes, integrated risk management, and external participation. When evaluating an organization against the framework tiers, remember that we are evaluating against risk and the organization's place in a greater ecosystem.
Is resiliency built into a design? Are the policy documents aligned with business objectives? Does documentation come from an organization, or is it localized within a department...