...

...

Key Concepts

NIST cybersecurity framework

https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.29.pdf

NIST.Cybersecurity-framework-2-SWP.29.pdf.     GD

NIST.Cybersecurity-framework-2-SWP.29.pdf.  file

Image Added

NIST now provides Implementation Examples and Informative References

• CSF Core, the nucleus of the CSF, which is a taxonomy of high-level cybersecurity outcomes that can help any organization manage its cybersecurity risks. The CSF Core components are a hierarchy of Functions, Categories, and Subcategories that detail each outcome. The outcomes are sector-, country-, and technology-neutral, they provide an organization with the flexibility needed to address its unique risks, technologies, and mission considerations.

• CSF Organizational Profiles, which are a mechanism for describing an organization’s current and/or target cybersecurity posture in terms of the CSF Core’s outcomes.

• CSF Tiers, which can be applied to CSF Organizational Profiles to characterize the rigor of an organization’s cybersecurity risk governance and management practices. Tiers can also provide context for how an organization views cybersecurity risks and the processes in place to manage those risks

Image Added

NIST resources that describe the mutual relationship between cybersecurity risk management and ERM include: • NIST Cybersecurity Framework 2.0 – Enterprise Risk Management Quick-Start Guide • NIST Interagency Report (IR) 8286, Integrating Cybersecurity and Enterprise Risk Management (ERM) • IR 8286A, Identifying and Estimating Cybersecurity Risk for Enterprise Risk Management • IR 8286B, Prioritizing Cybersecurity Risk for Enterprise Risk Management • IR 8286C, Staging Cybersecurity Risks for Enterprise Risk Management and Governance Oversight • IR 8286D, Using Business Impact Analysis to Inform Risk Prioritization and Response • SP 800-221, Enterprise Impact of Information and Communications Technology Risk: Governing and Managing ICT Risk Programs Within an Enterprise Risk Portfolio • SP 800-221A, Information and Communications Technology (ICT) Risk Outcomes: Integrating ICT Risk Management Programs with the Enterprise Risk Portfolio

Image Added

Supply chain risks: An organization can use the CSF to foster cybersecurity risk oversight and communications with stakeholders across supply chains. All types of technology rely on a complex, globally distributed, extensive, and interconnected supply chain ecosystem with geographically diverse routes and multiple levels of outsourcing. This ecosystem is composed of public- and private-sector entities (e.g., acquirers, suppliers, developers, system integrators, external system service providers, and other technology-related service providers) that interact to research, develop, design, manufacture, acquire, deliver, integrate, operate, maintain, dispose of, and otherwise utilize or manage technology products and services. These interactions are shaped and influenced by technologies, laws, policies, procedures, and practices.

Image Added

800-37  Risk Management Framework for Information Systems

800-30.  Guide for Conducting Risk Assessments

800-53.  Security and Privacy Controlsfor Information Systems 

AI Risk Management Framework

NIST AI 600-1.  Artificial Intelligence Risk Management Framework: Generative Artificial Intelligence 

Image Added

NIST-CSF-GUIDE_v2-implementation.pdf.     GD

NIST-CSF-GUIDE_v2-implementation.pdf.  file

Potential Value Opportunities

...