#nistcsf

LBHuston (lbhuston)
2025-05-13

Small business cyber defense starts with a solid plan. Learn how the NIST Cybersecurity Framework can help protect your assets.

Read more 👉 lttr.ai/AepHF

2024-09-18

Get expert tips to manage the shift from #NIST CSF 1.1 to 2.0! Read our new blog by our COO Madison Iler for insights, mapping strategies, and essential resources to manage the NIST CSF 2.0 changes: lmgsecurity.com/navigating-the

#Cybersecurity #NISTCSF #RiskManagement #Compliance #CSF #CISO

2024-03-19

NIST CSF 2.0 has a new format and organization that may make it easier to manage, especially for small and medium-sized organizations. 😮😃 Read this article to get the latest on NIST CSF 2.0, including what's hot and what not. 🔥❄👇

Find out why the National Institute of Standards and Technology (NIST) updated the #Cybersecurity Framework (CSF), see what's changed + what's stayed the same, and learn about:
🔺 The new Governance Function
🔺 Other new subcategories in CSF 2.0
🔺 How you can achieve your NIST CSF 2.0 objectives
& more...
graylog.org/post/nist-csf-v2-w #SMB #SMBsecurity #nistcsf #nistcybersecurityframework

2024-02-26

NIST CSF 2.0 has officially been released: nist.gov/cyberframework

#NISTCSF #NIST

2023-09-27

The #NIST CSF 2.0 draft guidelines are out! From governance to #supplychain risk management, we've summarized the biggest changes to this leading framework for #cybersecurity risk assessment and reduction. Check it out: lmgsecurity.com/understanding-
#CISO #security #compliance #NISTCSF

2023-08-23

TL;DR: "NIST CSF compliance" is meaningless because the NIST CSF isn't a set of things you must do - it's a set of things you can do, with no guidance about which ones you should do.

There is no mapping from "we are doing this" to "this is our maturity level". There isn't a standard set of questions to answer, let alone a guide to what the "right" answer is. And there can't be, because what's "right" for one organisation is going to be wrong for other organisations - too much or too little, or simply just not the right balance between Confidentiality, Integrity and Availability.

Key Quotes:
"the Framework has utility as a structure and language for organizing and expressing compliance with an organization’s own cybersecurity requirements"

Or in context:
"The decision about how to apply it is left to the implementing organization. There sometimes is discussion about “compliance” with the Framework, and the Framework has utility as a structure and language for organizing and expressing compliance with an organization’s own cybersecurity requirements. Nevertheless, the variety of ways in which the Framework can be used by an organization means that phrases like “compliance with the Framework” can be confusing and mean something very different to various stakeholders."

The framework is best understood as a long list of good things to be doing, organised into a very sensible structure to unify our conversation, by providing common terminology.

There are 5 functions, broken into Categories and Subcategories.

There are links to other standards for each subcategory. If you consider those links as being a type of #include statement, it's a candidate for the world's longest 48 page document.

But there are no tests, no way to score a subcategory, no way to collate your subcategory scores into any kind of overall pass/fail, let alone a maturity score.

Yes, the framework contains 4 'Tiers'.

But, quote:
"Tiers do not represent maturity levels. Tiers are meant to support organizational decision making". Tiers are for thinking about how you manage cybersecurity risk, they aren't a measure of how cybersecure you are.

The NIST CSF is a brilliant starting point for building your own score sheet, and yes, I've done that, and yes it works well. But that's my score (OK, my organisation's score), it's not NIST's score. It's not going to be the same score that someone else would give if they use their own NIST CSF based score sheet.

Their score and my score would be comparable only in the sense that it becomes meaningful to ask: why did you give different scores to XYZ subcategory? And that's a potentially useful conversation, but different numeric scores may well both be valid, because they reflect different priorities and therefore measure different things differently.

Let me give an example:
ID.RA-5: "Threats, vulnerabilities, likelihoods, and impacts are used to determine risk".

This is not a yes/no question. This is not something that can be meaningfully answered on a 5 point Likert scale.

A proper answer to this question requires significant investigation of an organisation's documented processes, but also their actual practices.

You cannot just ask 'do you do this?' or 'on a scale of 1 to 5, how much do you do this?' If you try, the answer is always "yes" and, almost always, "we're 5 out of 5".

To be repeatable, you need to record far more than just the number, you need to document the process you used to obtain that answer. You need to document what to look at, and how to compile a numerical rating, and how to weight those ratings into the overall score.

Your answer, using your process, is going to be quite different to someone else's answer using a different process. And it should be.

Last quote: "the Cybersecurity Framework is not a one-size-fits-all approach to managing cybersecurity"

It's not a maturity model or a compliance checklist. As it says on the tin, it's a framework. It helps us hold a conversation.

--------------
All quotes from: nvlpubs.nist.gov/nistpubs/CSWP

@Tarah

#NistCSF #MaturityModels #Compliance #CyberSecurity #CyberSecurityFramework

Jay Thoden van Velzen ☁️🛡️ (jaythvv@infosec.exchange)
2023-07-06

I wrote about NIST CSF, cloud transformation, policy velocity and compliance audits among other things in this latest article:

blogs.sap.com/2023/07/05/imple

#cloudsecurity #nistcsf

2023-02-25

The inclusion of "Govern" as a new top level area in the proposed NIST CSF is very welcome! A lot of #cybersecurity deficiencies can be linked to lack of ownership in top #management - this is definitely a step in the right direction! #infosec #nistcsf
portswigger.net/daily-swig/nis

crackerjack (crackerjack@infosec.exchange)
2023-02-24

It's about time! Five years is a long, long time, where cybersecurity is concerned. Looking forward to seeing the updated framework, down the line.

#cybersecurity #cybersec #cybersecuritynews #nist #nistcsf

portswigger.net/daily-swig/nis

2018-09-07

there was not a class review option for the #nistcsf so: void, accept my offering.

NIST, you need to step the fuck up. Your cybersecurity framework's video courses are behind a login on a PLAIN HTTP SITE, which is not really endearing me to paying attention to what you have to say about SECURING YOUR NETWORK.

Also: the number of typos and frankly WRONG ANSWERS on your own chapter review quizzes is ASTOUNDING. How was this not copy edited? Is "basic grammar" not a standard NIST supports?
