A company might conduct a NIST CSF Gap & Risk Assessment because it provides a structured and flexible approach to managing cybersecurity risk. The framework is based on industry standards and best practices and can be customized to fit an organization’s unique needs. Additionally, the NIST CSF is widely recognized and adopted by organizations in both the public and private sectors, making it easier for a company to demonstrate compliance with regulatory requirements and industry standards.
Our assessment methodology will educate, inform, and guide your information security program using an industry-standard framework for securing data and systems. According to the framework’s published documentation, the NIST Cybersecurity Framework (CSF) applies to all organizations “regardless of size, degree of cybersecurity risk, or sophistication.” The NIST CSF takes the most impactful components of many global standards and incorporates them into a single, targeted framework. In cybersecurity circles, NIST is best known for developing this CSF and other frameworks for protecting controlled unclassified government contractor and military supply chain data (800-171) and the government’s classified data (800-53).
NIST CSF Overview
The current NIST CSF Version 1.1 is tuned to assess these five core functions:
- Identify (ID)
- Protect (PR)
- Detect (DE)
- Respond (RS)
- Recover (RC)
NIST CSF Functions, Categories, & Subcategories
The NIST Cybersecurity Framework (CSF) has five core functions:
- Identify (ID): Establish the context of the organization’s cybersecurity risk management and establish the foundation for an effective cybersecurity program.
- Protect (PR): Develop and implement the appropriate safeguards to ensure the delivery of critical infrastructure services.
- Detect (DE): Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.
- Respond (RS): Develop and implement the appropriate activities to take action regarding a detected cybersecurity event.
- Recover (RC): Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event.
Each function is divided into categories:
- ID.AM Asset Management
- ID.BE Business Environment
- ID.GV Governance
- ID.RA Risk Assessment
- ID.RM Risk Management Strategy
- ID.SC Supply Chain Risk Management
- PR.AC Identity Management and Access Control
- PR.AT Awareness and Training
- PR.DS Data Security
- PR.IP Information Protection Processes and Procedures
- PR.MA Maintenance
- PR.PT Protective Technology
- DE.AE Anomalies and Events
- DE.CM Security Continuous Monitoring
- DE.DP Detection Processes
- RS.RP Response Planning
- RS.CO Communications
- RS.AN Analysis
- RS.MI Mitigation
- RS.IM Improvements
- RC.RP Recovery Planning
- RC.IM Improvements
- RC.CO Communications
NIST CSF Controls For Risk Assessments
Performing a NIST Gap & Risk Assessment is important because the assessment itself helps meet several of the NIST CSF controls, which include:
- Identifying the organization’s assets, including information and systems, and the associated risks to those assets.
- Identifying the threats and vulnerabilities that could potentially exploit those risks.
- Assessing the likelihood and impact of those threats and vulnerabilities on the organization’s assets.
- Prioritizing risks based on their likelihood and impact and determining the appropriate level of risk management.
- Communicating risk information to relevant stakeholders, including management, employees, and other stakeholders.
- Keeping the risk assessment up-to-date by regularly reviewing and updating the risk assessment to reflect changes in the organization, its assets, and the threat landscape.
- Regularly repeating the risk assessment process to ensure that risks are identified, analyzed, and managed on a continuous basis.
- Considering the interdependencies of different systems and assets to identify potential cascading effects in case of a breach.
A valuable security assessment of your overall information security program
► Assess 108 security sub-categories
► Analyze security gaps, risks, and maturity levels
► Report of findings and recommendations