A framework to help organisations to better understand and improve their management of cybersecurity risk
The US National Institute of Standards and Technology (NIST) has published a voluntary Cybersecurity Framework, built from existing standards, guidelines and practices, to help organisations manage and reduce cybersecurity risk. It is also designed to give internal and external stakeholders (management, the Board, suppliers, customers and regulators) a common language for discussing cybersecurity and risk management.
Having an overview of this framework will help Board members understand the key areas of cyber risk management.
The Cybersecurity Framework consists of three main components: the Core, Implementation Tiers, and Profiles.
Framework Core: a set of desired cybersecurity activities and outcomes, expressed in plain language that non-specialists can follow. In version 1.1 these are grouped under five Functions (Identify, Protect, Detect, Respond and Recover), each broken down into Categories and Subcategories with references to existing standards. The Core guides organisations in managing and reducing their cybersecurity risks and is intended to complement, not replace, existing risk management processes.
Framework Implementation Tiers: four levels, from Tier 1 (Partial) to Tier 4 (Adaptive), that describe how rigorous and well-integrated an organisation's cybersecurity risk management practices are. Tiers are not maturity levels to be climbed for their own sake; they are often used as a communication tool for discussing risk appetite, mission priority and budget.
Framework Profiles: an organisation's own alignment of its business requirements and objectives, risk appetite and resources against the outcomes in the Framework Core. Comparing a "Current" Profile with a "Target" Profile is the primary way of identifying and prioritising opportunities for improving cybersecurity.
More information on the Framework and its supporting resources is published by NIST.