Understanding the NIST Cyber Security Framework
The US National Institute of Standards and Technology (NIST) Cyber Security Framework is a set of standards, guidelines and best practices to help organisations better understand and manage cyber security-related risk.
However, improving cyber security capabilities goes hand-in-hand with a significant investment, which is why many businesses are reluctant to fully adopt the NIST Cyber Security Framework.
This is according to Raymond du Plessis, senior managing consultant at Mobius Consulting.
Du Plessis will present on "Developing a cyber security programme based on the NIST framework" at ITWeb Security Summit 2019, to be held from 27 to 31 May, at the Sandton Convention Centre.
He says the NIST Cyber Security Framework was developed and released in 2014 with the aim of promoting the protection of an organisation's critical infrastructure. "It is based on existing standards, guidelines and practices, and includes informative references to ISO 2700x, COBIT and other standards."
The framework consists of three main components: implementation tiers, framework core and profiles, he notes.
The framework core consists of a set of desired cyber security activities and outcomes organised into categories, including five high-level functions: identify, protect, detect, respond and recover, explains Du Plessis.
Finally, framework profiles are used to assess how an organisation's objectives, risk appetite and resources align with the framework core.
"The profiles developed from the framework can be used to identify opportunities for improving cyber security posture by comparing a current profile with a target profile."
Du Plessis will discuss using the framework to develop a risk-based approach for cyber security improvements that will help motivate the investment required.
His talk will cover the high-level steps from developing a threat profile and performing an initial assessment through to developing an improvement programme.