
NIST CSF Compliance

Close the Compliance Gaps of NIST CSF

How Does Your Information Security Program Stack Up to The NIST CSF?

The National Institute of Standards and Technology (NIST) released its Cyber Security Framework (CSF) as a roadmap for organizations to build, assess, and develop an information security program.

For security professionals who are in the early stages of building their program, or who need guidance to ensure they're properly following NIST CSF best practices, Delta Risk offers a NIST CSF assessment. This assessment is the first step in our Information Security Program Lifecycle, which continues with subsequent steps for establishing and improving the information security program, and for monitoring and reviewing its progress.

In accordance with the NIST CSF systematic process for managing cyber security risk, the Delta Risk assessment offers:

  • An examination of an organization’s business processes, systems, and controls
  • Prioritization for expenditures to maximize investment impacts
  • Determination of the factors that are most important to critical service delivery

The Delta Risk Information Security Assessment Methodology

Our teams of security experts will conduct the following tasks:

  • Conduct a comprehensive review of key people, processes, and technologies in the current business environment to assess and evaluate control design and control gaps associated with the critical elements in the NIST CSF
  • Conduct in-depth interviews with relevant business and technology representatives to discuss the existing technologies, controls, policies, and procedures currently in place as they apply to the critical elements in the NIST CSF
  • Perform a gap analysis comparing our clients' current security posture with the NIST CSF and other industry-leading security practices

What to Expect From Our NIST CSF Detailed Analysis

Delta Risk will provide your organization with a detailed analysis of how its information security program compares to the NIST Cyber Security Framework:

  • Executive Summary Report — A high-level report summarizing scope, methodology, and approach
  • Detailed Assessment Report — Summarizing the observations and/or findings based on policy and documentation review
  • Corrective Action Plan — A roadmap facilitating immediate remedial actions (including short-term recommendations) to address each gap, finding, or observation
  • Detailed Work Papers — Detailed work papers for each phase including supporting documentation for the work performed and conclusions reached, as well as any reports or documentation generated during the assessment

NIST CSF Overview

The NIST CSF consists of three parts: the Framework Core, the Framework Profile, and the Framework Implementation Tiers.

The Framework Core

A set of cyber security activities, outcomes, and informative references that are common across critical infrastructure sectors, providing the detailed guidance for developing individual organizational profiles.

The Framework Profile

The alignment of the functions, categories, and subcategories with the business requirements, risk tolerance, and resources of your organization. A Framework Profile enables you to establish a roadmap for reducing cyber security risk that is well aligned with organizational goals, legal/regulatory requirements, and industry best practices.

The Framework Implementation Tiers

The Tiers provide a mechanism for organizations to view and understand the characteristics of their approach to managing cyber security risk. Tiers describe the degree to which an organization's cyber security risk management practices match up with the best practices defined in the Framework. The Tiers also characterize an organization's practices over a range, from Partial (Tier 1) to Adaptive (Tier 4).

Stay Informed on Cloud Security

White paper

2019 Cloud Security Research

The 2019 Cloud Security Report highlights what is and what is not working for security operations teams in securing their cloud data, systems, and services in this shared responsibility model.

White Paper

How to Overcome the Challenges of Cloud Misconfigurations

In this white paper, we define specific configuration risk factors impacting SaaS, cloud infrastructure, and DevOps, and examine the steps your organization can take to minimize these risks to avoid breaches.


Why Your SIEM Won’t Work for Your SaaS Applications

Despite the cost and complexity of implementation, many organizations rely on security information and event management (SIEM) for network detection and response for on-premises applications. With the move to the cloud, however, traditional SIEM approaches won’t work.


Office 365 Security Features Demystified

In this post, the first in a series, we'll discuss two important steps to secure your Office 365 deployment: getting visibility into what's happening in Office 365 without all the noise, and governing user activity with sound Office 365 identity, access, and privilege management practices.