How Does Your Information Security Program Stack Up to The NIST CSF?
The National Institute of Standards and Technology (NIST) released its Cyber Security Framework (CSF) as a roadmap for organizations to build, assess, and develop an information security program.
For security professionals that are in the early stages of building their program, or need guidance to ensure they’re properly following NIST CSF best practices, Delta Risk offers a NIST CSF assessment. This assessment is the first step in our Information Security Program Lifecycle, which also involves subsequent steps for establishing and improving an information security program, and monitoring and reviewing the progress of the information security program.
In accordance with the NIST CSF systematic process for managing cyber security risk, the Delta Risk assessment offers:
- An examination of an organization’s business processes, systems, and controls
- Prioritization for expenditures to maximize investment impacts
- Identification of the factors that matter most to the delivery of critical services
The Delta Risk Information Security Assessment Methodology
Our teams of security experts will conduct the following tasks:
- Conduct a comprehensive review of key people, processes, and technologies in the current business environment to assess and evaluate control design and control gaps associated with the critical elements of the NIST CSF
- Conduct in-depth interviews with relevant business and technology representatives to discuss the technologies, controls, policies, and procedures currently in place as they apply to the critical elements of the NIST CSF
- Perform a gap analysis comparing the client’s current security posture with the NIST CSF and other industry-leading security practices
What to Expect From Our NIST CSF Detailed Analysis
Delta Risk will provide your organization with a detailed analysis of how its information security program compares to the NIST Cyber Security Framework:
- Executive Summary Report — A high-level report summarizing scope, methodology, and approach
- Detailed Assessment Report — Summarizing the observations and/or findings based on policy and documentation review
- Corrective Action Plan — A roadmap of immediate remedial actions (including short-term recommendations) to address each gap, finding, or observation and improve the effectiveness of the program
- Detailed Work Papers — Detailed work papers for each phase including supporting documentation for the work performed and conclusions reached, as well as any reports or documentation generated during the assessment
NIST CSF Overview
The NIST CSF consists of three parts: The Framework Core, the Framework Profile, and the Framework Implementation Tiers.
The Framework Core
A set of cyber security activities, outcomes, and informative references that are common across critical infrastructure sectors, providing the detailed guidance for developing individual organizational profiles.
The Framework Profile
The alignment of the functions, categories, and subcategories with the business requirements, risk tolerance, and resources of your organization. A Framework Profile enables you to establish a roadmap for reducing cyber security risk that is well aligned with organizational goals, legal/regulatory requirements, and industry best practices.
The Framework Implementation Tiers
A mechanism for organizations to view and understand the characteristics of their approach to managing cyber security risk. Tiers describe the degree to which an organization’s cyber security risk management practices match the best practices defined in the Framework. The Tiers characterize an organization’s practices over a range from Partial (Tier 1) to Adaptive (Tier 4).