NIST RMF
The NIST RMF takes a simplistic approach to evaluating cyber risk throughout the organization. At the top of the triangle, we start off with tier 1, which is primarily made up of the BoD and the Executive Leadership Teams (ELTs). They are responsible for defining the risk and its thresholds. When it comes to tier 2, we take the definitions and place them into policies, standards, and procedures. These are then pushed by the enterprise architecture team to define the standards to be used by the organization. Lastly, tier 3 is the tier where the IT systems reside:
Figure 9.1 – NIST SP 800-37 RMF
Tier 1
Organizational risk is first defined by the BoD and ELTs. They are the ones that state what their level of risk or their risk tolerance is. Back when I said cyber risk can be subjective, this is what I meant. There is no standard definition that states that you must patch a vulnerability within one day, nor is there a regulation that states...
