A. Tier Definition
Tiers: 1 = Partial, 2 = Risk Informed, 3 = Repeatable, 4 = Adaptive

Risk Management Process

Tier 1 (Partial): Not formalized; risk is managed in an ad hoc and sometimes reactive manner.

Tier 2 (Risk Informed): Risk management practices are approved by management but may not be established as organizational-wide policy. Prioritization of cybersecurity activities and protection needs is directly informed by organizational risk objectives, the threat environment, or business/mission requirements.

Tier 3 (Repeatable): The organization's risk management practices are formally approved and expressed as policy. Organizational cybersecurity practices are regularly updated based on the application of risk management processes to changes in business/mission requirements and a changing threat and technology landscape.

Tier 4 (Adaptive): The organization adapts its cybersecurity practices based on previous and current activities, including lessons learned and predictive indicators. Through a process of continuous improvement incorporating advances in cybersecurity technologies and practices, the organization actively adapts to a changing threat and technology landscape and responds in a timely and effective manner to evolving, sophisticated threats.

Integrated Risk Management Program

Tier 1 (Partial): Limited awareness of cybersecurity risk at the organizational level. The organization implements cybersecurity risk management on an irregular, case-by-case basis due to varied experience or information gained from outside sources. The organization may not have processes that enable cybersecurity information to be shared within the organization.

Tier 2 (Risk Informed): There is an awareness of cybersecurity risk at the organizational level, but an organization-wide approach to managing cybersecurity risk has not been established as intended. Cybersecurity information is shared within the organization on an informal basis. Consideration of cybersecurity in organizational objectives and programs may occur at some but not all levels of the organization. Cyber risk assessment of organizational and external assets occurs, but is not typically repeatable or re-occurring.

Tier 3 (Repeatable): There is an organization-wide approach to manage cybersecurity risk. Risk-informed policies, processes and procedures are defined, implemented and reviewed. Consistent methods are in place to respond effectively to changes in risk. Personnel possess the knowledge and skills to perform their appointed roles and responsibilities. The organization consistently and accurately monitors cybersecurity risk of organizational assets. Senior cybersecurity and non-cybersecurity executives communicate regularly regarding cybersecurity risk. Senior executives ensure consideration of cybersecurity through all lines of operation in the organization.

Tier 4 (Adaptive): There is an organization-wide approach to managing cybersecurity risk that uses risk-informed policies, processes, and procedures to address potential cybersecurity events. The relationship between cybersecurity risk and organizational objectives is clearly understood and considered when making decisions. Senior executives monitor cybersecurity risks in the same context as financial risk and other organizational risks. The organizational budget is based on an understanding of the current and predicted risk environment and risk tolerance. Business units implement executive vision and analyze system-level risks in the context of the organizational risk tolerances. Cybersecurity risk management is part of the organizational culture and evolves from an awareness of previous activities and continuous awareness of activities on their systems and networks. The organization can quickly and efficiently account for changes to business/mission objectives in how risk is approached and communicated.

External Participation

Tier 1 (Partial): The organization does not understand its role in the larger ecosystem with respect to either its dependencies or dependents. The organization does not collaborate with or receive information from other entities, nor does it share information. The organization is generally unaware of the cyber supply chain risks of the products and services it provides and that it uses.

Tier 2 (Risk Informed): Generally, the organization understands its role in the larger ecosystem with respect to either its own dependencies or dependents, but not both. The organization collaborates with and receives some information from other entities and generates some of its own information, but may not share information with others. The organization is aware of the cyber supply chain risks associated with the products and services it provides and uses, but does not act consistently or formally upon those risks.

Tier 3 (Repeatable): The organization understands its role, dependencies and dependents in the larger ecosystem and may contribute to the community's broader understanding of risks. It collaborates with and receives information from other entities regularly that complements internally generated information, and shares information with other entities. The organization is aware of the cyber supply chain risks associated with the products and services it uses. Additionally, it usually acts formally upon those risks, including mechanisms such as written agreements to communicate baseline requirements, governance structures and policy implementation and monitoring.

Tier 4 (Adaptive): The organization understands its role, dependencies, and dependents in the larger ecosystem and contributes to the community's broader understanding of risks. It receives, generates and reviews prioritized information that informs continuous analysis of its risks as the threat and technology landscape evolve. The organization uses real-time or near real-time information to understand and consistently act upon cyber supply chain risks associated with the products and services it provides and that it uses. Additionally, it communicates proactively, using formal and informal mechanisms to develop and maintain strong supply chain relationships.
B. Framework Profile
Current Profile – indicates the cybersecurity outcomes that are currently being achieved
Target Profile – indicates the outcome needed to achieve the desired cybersecurity management goals
Gaps
Risk-based approach
Function Unique Identifier | Function | Category Unique Identifier | Category
ID Identify ID.AM Asset Management
ID.BE Business Environment
ID.GV Governance
ID.RA Risk Assessment
ID.RM Risk Management Strategy
ID.SC Supply Chain Risk Management
PR Protect PR.AC Identity Management and Access Control
PR.AT Awareness and Training
PR.DS Data Security
PR.IP Information Protection Processes and Procedures
PR.MA Maintenance
PR.PT Protective Technology
DE Detect DE.AE Anomalies and Events
DE.CM Security Continuous Monitoring
DE.DP Detection Processes
RS Respond RS.RP Response Planning
RS.CO Communications
RS.AN Analysis
RS.MI Mitigation
RS.IM Improvements
RC Recover RC.RP Recovery Planning
RC.IM Improvements
RC.CO Communications