Michael Brown writes that the National Institute of Standards and Technology’s Framework for Improving Critical Infrastructure Cybersecurity was developed following collaboration with industry to establish a structure, benchmark and road map for risk management.
Under the “Core” part of the framework, risk management programs can be structured to identify potential impact to the business, protect systems from digital risk, detect the risk itself, respond to attacks and recover the business in the aftermath of an incident.
The “Implementation Tiers” section then details the four levels of cybersecurity risk management: partial or ad hoc implementation; risk-informed implementation that is still isolated within IT; repeatable implementation across the organization with help from industry partners; and adaptive implementation with continuous improvements and active industry collaboration.
Brown said these tiers are intended to describe implementations based on business needs and context, rather than to rank organizations in a hierarchy.
Finally, the “Profile” section indicates either an organization’s current or desired state in managing risk.
According to Brown, the NIST framework was designed to align industry best practices and experience with those of the government and to support other existing standards.
He notes that organizations can apply the guidelines from the framework to evaluate their business needs, IT resources and risk levels and draw a road map for implementation to improve or achieve their risk management targets.