Govern
In the previous chapter, we took a look at the NIST Cybersecurity Framework (CSF) [1] and its three components: Core, Tiers, and Profiles. We learned that the Core is made up of six functions: Govern, Identify, Protect, Detect, Respond, and Recover. Each function groups a different set of control objectives used to reduce cyber risk.
We apply tiers, or a score, to each of the subcategories to better understand our risk posture. Tiers range from 1 to 4, from Partial (little evaluation of risk) up to Adaptive (continuous evaluation and improvement). We also learned how to apply the Deming cycle (Plan-Do-Check-Act) to our processes so that they can advance from a lower tier to a higher one.
Lastly, we created profiles to understand where the security program is today and where we plan to take it over the next 3 to 5 years. Remember, we shouldn't take a checkbox approach to cybersecurity. It's a program, one that shouldn't just fill a box and move...