Breakdown of Cyber Security Framework

Dev Thakkar
3 min read, Mar 12, 2024

(1) NIST Cybersecurity Framework (CSF)

  • The CSF helps organizations understand, manage and reduce their cybersecurity risk.
  • It provides a hierarchy of Functions, Categories and Subcategories that describe desired security outcomes; organizations use these outcomes as guidelines for describing and improving their security posture.
  • It is voluntary and outcome-based: it states what should be achieved, not how, and is meant to be applied iteratively as risks, technology and the business change rather than as a one-time compliance checklist.

(2) Breakdown

  • CSF Core Functions
(a) Functions give a high-level view of how the organization manages cybersecurity risk. CSF 2.0 defines six of them.

(b) Govern (GV) - Establishes and monitors the organization's risk management strategy, expectations and policy. Its outcomes inform how the organization achieves and prioritizes the outcomes of the other five Functions in the context of its mission and stakeholder expectations.

(c) Identify (ID) - Understands the organization's current cybersecurity risks through its assets (e.g., data, hardware, software, systems, facilities, services, people) and its supplier relationships.

(d) Protect (PR) - Uses safeguards to secure those assets and to prevent or lower the likelihood and impact of adverse cybersecurity events.

(e) Detect (DE) - Finds and analyzes possible attacks and compromises in time to support successful incident response and recovery activities.

(f) Respond (RS) - Takes action on a detected cybersecurity incident to contain its effects.

(g) Recover (RC) - Restores assets and operations affected by an incident, so normal operations resume in a timely way and the incident's effects are reduced.
  • Categories and Subcategories
(a) Each Function is broken down into multiple Categories.
(b) Categories are groups of related outcomes that together serve the goal of the Function.
(c) CSF 2.0 has 22 Categories in total.
(d) Subcategories further divide each Category into more specific outcomes of technical and management activities; CSF 2.0 has 106 of them. They are identified by a Function and Category prefix plus a number (e.g., PR.AA-01 belongs to the Identity Management, Authentication and Access Control Category of Protect).

(3) How is it applied

  • Organizations create a working roadmap that aligns with the Functions, Categories and Subcategories.
  • The alignment is captured in Profiles: a Current Profile describes which outcomes the organization achieves today, and a Target Profile describes the outcomes it wants to achieve, chosen in light of its assets, risks and risk tolerance. The gap between the two is what the roadmap closes.
  • Organizations can also use Tiers to characterize the rigor of their risk governance and management practices and to communicate internally about their Current and Target Profiles:
    Tier 1 - Partial
    Tier 2 - Risk Informed
    Tier 3 - Repeatable
    Tier 4 - Adaptive

(4) Informative references

  • Informative References point to existing standards, guidelines and practices that show how an organization may achieve the Core's outcomes. They can be sector- or technology-specific.
  • For example, controls from NIST SP 800-53, "Security and Privacy Controls for Information Systems and Organizations", can be used to achieve the outcome described in a given Subcategory.
  • Organizations can use Informative References produced by NIST or by other organizations, and can add their own mappings for the controls they already operate.
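The Profile and Tier mechanics of section (3) and the reference mapping of section (4) become concrete once a Profile is written down as data. The script below is an added example, not code from the original post or from NIST: it records a Current and Target Profile per Subcategory, derives the gap list a roadmap would start from, and attaches the Informative References to consult for each gap. Assumptions: each outcome is scored on the 1-4 Tier scale, which is a simplification (NIST applies Tiers to the organization's practices as a whole, not per outcome); the Subcategory IDs are real CSF 2.0 identifiers with paraphrased descriptions; the SP 800-53 control mappings, tier scores and sample profile are constructed for illustration and should not be taken as NIST's official mappings.

```python
"""Profile gap analysis for a CSF 2.0 roadmap.

Added example (not code from the original post or from NIST): models a
Current Profile and Target Profile as a list of Subcategory outcomes, scores
each on the 1-4 Tier scale, and derives the gap list a roadmap starts from.
Assumptions: Subcategory IDs are real CSF 2.0 identifiers with paraphrased
descriptions; the SP 800-53 mappings and all tier scores are illustrative
and constructed for this example.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Tier scale as listed in the post (CSF 2.0 names Tier 4 "Adaptive").
TIERS = {1: "Partial", 2: "Risk Informed", 3: "Repeatable", 4: "Adaptive"}

# The six CSF 2.0 Functions, keyed by the prefix used in Subcategory IDs.
FUNCTIONS = {"GV": "Govern", "ID": "Identify", "PR": "Protect",
             "DE": "Detect", "RS": "Respond", "RC": "Recover"}


@dataclass
class Outcome:
    """One Subcategory outcome with its current and target tier."""
    subcategory: str                  # e.g. "PR.AA-01"
    description: str
    current: int                      # Current Profile tier, 1-4
    target: int                       # Target Profile tier, 1-4
    references: list[str] = field(default_factory=list)  # Informative References

    def __post_init__(self) -> None:
        # Reject malformed IDs and tiers early instead of producing a bogus roadmap.
        if self.function not in FUNCTIONS:
            raise ValueError(f"unknown Function prefix in {self.subcategory!r}")
        if self.current not in TIERS or self.target not in TIERS:
            raise ValueError(f"tier out of range for {self.subcategory}")

    @property
    def function(self) -> str:
        return self.subcategory.split(".", 1)[0]

    @property
    def gap(self) -> int:
        """Tiers still to climb; 0 or negative means the target is already met."""
        return self.target - self.current


def gap_analysis(profile: list[Outcome]) -> list[Outcome]:
    """Outcomes below target, largest gap first (ties broken by ID)."""
    return sorted((o for o in profile if o.gap > 0),
                  key=lambda o: (-o.gap, o.subcategory))


def gap_by_function(profile: list[Outcome]) -> dict[str, int]:
    """Total remaining gap per Function, to show where the roadmap is heaviest."""
    totals = dict.fromkeys(FUNCTIONS, 0)
    for o in profile:
        totals[o.function] += max(o.gap, 0)
    return totals


def roadmap(profile: list[Outcome]) -> list[str]:
    """Readable roadmap lines: outcome, tier move, and references to consult."""
    lines = []
    for o in gap_analysis(profile):
        refs = ", ".join(o.references) or "no Informative Reference recorded"
        lines.append(f"{o.subcategory} ({FUNCTIONS[o.function]}): "
                     f"Tier {o.current} {TIERS[o.current]} -> "
                     f"Tier {o.target} {TIERS[o.target]}; see {refs}")
    return lines


# Constructed sample profile, one outcome per Function. Scores are made up.
SAMPLE_PROFILE = [
    Outcome("GV.OC-01", "Organizational mission understood and informs risk management",
            current=2, target=3, references=["SP 800-53 PM-11"]),
    Outcome("ID.AM-01", "Inventories of organization-managed hardware are maintained",
            current=1, target=3, references=["SP 800-53 CM-8"]),
    Outcome("PR.AA-01", "Identities and credentials for users, services and hardware are managed",
            current=2, target=4, references=["SP 800-53 IA-2", "SP 800-53 AC-2"]),
    Outcome("DE.CM-01", "Networks and network services are monitored for adverse events",
            current=2, target=3, references=["SP 800-53 SI-4"]),
    Outcome("RS.MA-01", "Incident response plan is executed once an incident is declared",
            current=3, target=3, references=["SP 800-53 IR-4"]),
    Outcome("RC.RP-01", "Recovery portion of the incident response plan is executed",
            current=1, target=2, references=["SP 800-53 CP-10"]),
]

if __name__ == "__main__":
    for line in roadmap(SAMPLE_PROFILE):
        print(line)
    print("gap per Function:", gap_by_function(SAMPLE_PROFILE))
```

Running the script lists the five outcomes below target, with ID.AM-01 and PR.AA-01 (two tiers to climb each) ahead of the one-tier gaps, and RS.MA-01 omitted because its target is already met. In practice the Target Profile and the reference mappings would be loaded from the organization's own spreadsheet or GRC export, and the gap totals per Function are a quick way to see whether the roadmap is weighted toward Protect and Detect work or toward the Govern and Identify groundwork that CSF 2.0 expects to come first.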

(5) Implementation examples
