#nistcsf — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #nistcsf, aggregated by home.social.
-
🔐 RELIANOID & NIST Cybersecurity Framework Alignment
At RELIANOID, security is built into both our Load Balancer and our internal operations. We align our product and organizational practices with the NIST Cybersecurity Framework (CSF) across its five core functions: Identify, Protect, Detect, Respond, and Recover.
A structured, risk-based approach to cybersecurity—continuously reviewed and improved.
#CyberSecurity #NISTCSF #Compliance #EnterpriseSecurity #ADC
https://www.relianoid.com/security-compliances/nist-cybersecurity-framework/
-
GRC rarely feels like “governance, risk, and compliance” and more like alphabet soup with lawyers attached.
I wrote up how I approach GRC as an Associate CCISO: one risk-based program mapped to HIPAA, PCI DSS, NIST CSF, FTC Safeguards, and NIS2 instead of five separate nightmares.
#GRC #CyberSecurity #InfoSec #Compliance #HIPAA #PCIDSS #NISTCSF #NIS2
-
GRC rarely feels like “governance, risk, and compliance” and more like alphabet soup with lawyers attached.
I wrote up how I approach GRC as an Associate CCISO: one risk-based program mapped to HIPAA, PCI DSS, NIST CSF, FTC Safeguards, and NIS2 instead of five separate nightmares.
#GRC #CyberSecurity #InfoSec #Compliance #HIPAA #PCIDSS #NISTCSF #NIS2
-
GRC rarely feels like “governance, risk, and compliance” and more like alphabet soup with lawyers attached.
I wrote up how I approach GRC as an Associate CCISO: one risk-based program mapped to HIPAA, PCI DSS, NIST CSF, FTC Safeguards, and NIS2 instead of five separate nightmares.
#GRC #CyberSecurity #InfoSec #Compliance #HIPAA #PCIDSS #NISTCSF #NIS2
-
GRC rarely feels like “governance, risk, and compliance” and more like alphabet soup with lawyers attached.
I wrote up how I approach GRC as an Associate CCISO: one risk-based program mapped to HIPAA, PCI DSS, NIST CSF, FTC Safeguards, and NIS2 instead of five separate nightmares.
#GRC #CyberSecurity #InfoSec #Compliance #HIPAA #PCIDSS #NISTCSF #NIS2
-
GRC rarely feels like “governance, risk, and compliance” and more like alphabet soup with lawyers attached.
I wrote up how I approach GRC as an Associate CCISO: one risk-based program mapped to HIPAA, PCI DSS, NIST CSF, FTC Safeguards, and NIS2 instead of five separate nightmares.
#GRC #CyberSecurity #InfoSec #Compliance #HIPAA #PCIDSS #NISTCSF #NIS2
-
Thinking About The Next Five Years
I’ve mapped out a 5-year plan that tries to reduce the certificaiton treadmill and focuses on the skills that actually matter for what’s coming next.https://islandinthenet.com/thinking-about-the-next-five-years/
-
Thinking About The Next Five Years
I’ve mapped out a 5-year plan that tries to reduce the certificaiton treadmill and focuses on the skills that actually matter for what’s coming next.https://islandinthenet.com/thinking-about-the-next-five-years/
-
NIST CSF 2.0 has a new format and organization that may make it easier to manage, especially for small and medium-sized organizations. 😮😃 Read this article to get the latest on NIST CSF 2.0, including what's hot and what not. 🔥❄👇
Find out why the National Institute of Standards and Technology (NIST) updated the #Cybersecurity Framework (CSF), see what's changed + what's stayed the same, and learn about:
🔺 The new Governance Function
🔺 Other new subcategories in CSF 2.0
🔺 How you can achieve your NIST CSF 2.0 objectives
& more...
https://graylog.org/post/nist-csf-v2-whats-hot-and-whats-not/ #SMB #SMBsecurity #nistcsf #nistcybersecurityframework -
NIST CSF 2.0 has officially been released: https://www.nist.gov/cyberframework
-
Ever felt lost in the digital security jungle? 🛡️ Discover the Top 10 Cybersecurity Frameworks that are your compass to navigate through cyber threats. From protecting personal data to securing corporate assets, find out which framework suits your needs. Let's decode cyber safety together! #cybersecurityframeworks #Cybersecurity #iso27001 #NISTCSF #hitrust #pcidss #katakri #SOGP #CSACCM #COBIT #cybersecurtityawareness #informationsecurity #infosecurity #dataprotection
-
Ever felt lost in the digital security jungle? 🛡️ Discover the Top 10 Cybersecurity Frameworks that are your compass to navigate through cyber threats. From protecting personal data to securing corporate assets, find out which framework suits your needs. Let's decode cyber safety together! #cybersecurityframeworks #Cybersecurity #iso27001 #NISTCSF #hitrust #pcidss #katakri #SOGP #CSACCM #COBIT #cybersecurtityawareness #informationsecurity #infosecurity #dataprotection
-
TL:DR "NIST CSF compliance" is meaningless because the NIST CSF isn't a set of things you must do - it's a set of things you can do, with no guidance about which ones you should do.
There is no mapping from "we are doing this" to "this is our maturity level". There isn't a standard set of questions to answer, let alone a guide to what the "right" answer is. And there can't be, because what's "right" for one organisation is going to be wrong for other organisations - too much or too little, or simply just not the right balance between Confidentiality, Integrity and Availability.
Key Quotes:
"the Framework has utility as a structure and language for organizing and expressing compliance with an organization’s own cybersecurity requirements"Or in context:
"The decision about how to apply it is left to the implementing organization. There sometimes is discussion about “compliance” with the Framework, and the Framework has utility as a structure and language for organizing and expressing compliance with an organization’s own cybersecurity requirements. Nevertheless, the variety of ways in which the Framework can be used by an organization means that phrases like “compliance with the Framework” can be confusing and mean something very different to various stakeholders."The framework is best understood as a long list of good things to be doing, organised into a very sensible structure to unify our conversation, by providing common terminology.
There are 5 functions, broken into Categories and Subcategories.
There are links to other standards for subcategory. If you consider those links as being a type of #include statement, it's a candidate for the world's longest 48 page document.
But there are no tests, no way to score a subcategory, no way to collate your subcategory scores into any kind of overall pass/fail, let alone a maturity score.
Yes, the framework contains 4 'Tiers'.
But, quote:
"Tiers do not represent maturity levels. Tiers are meant to support organizational decision making". Tiers are for thinking about how you manage cybersecurity risk, they aren't a measure of how cybersecure you are.The NIST CSF is a brilliant starting point for building your own score sheet, and yes, I've done that, and yes it works well. But that's my score (OK, my organisation's core), it's not NIST's score. It's not going to be the same score that someone else would give if they use their own NIST CSF based score sheet.
Their score and my score would be comparable only in the sense that it becomes meaningful to ask: why did you give different scores to XYZ subcategory? And that's a potentially useful conversation, but different numeric scores may well both be valid, because they reflect different priorities and therefore measure different things differently.
Let me give an example:
ID.RA-5: "Threats, vulnerabilities, likelihoods, and impacts are used to determine risk".This is not a yes/no question. This is not something that can be meaningfully answered on a 5 point Likert scale.
A proper answer to this question requires significant investigation of an organisation's documented processes, but also their actual practices.
You cannot just ask 'do you do this?' or 'on a scale of 1 to 5, how much do you do this?' If you try, the answer is always "yes" and, almost always, "we're 5 out of 5".
To be repeatable, you need to record far more than just the number, you need to document the process you used to obtain that answer. You need to document what to look at, and how to compile a numerical rating, and how to weight those ratings into the overall score.
Your answer, using your process, is quite going to be different to someone else's answer using a different process. And it should be.
Last quote "the Cybersecurity Framework is not a one-size-fits-all approach to managing cybersecurity"
It's not a maturity model or a compliance checklist As it says on the tin, it's a framework. It helps us hold a conversation.
--------------
All quotes from: https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf#NistCSF #MaturityModels #Compliance #CyberSecurity #CyberSecurityFramework
-
I wrote about NIST CSF, cloud transformation, policy velocity and compliance audits among other things in this latest article:
-
The inclusion of "Govern" as a new top level area in the proposed NIST CSF is very welcome! A lot of #cybersecurity deficiencies can be linked to lack of ownership in top #management - this is definitely a step in the right direction! #infosec #nistcsf
https://portswigger.net/daily-swig/nist-plots-biggest-ever-reform-of-cybersecurity-framework -
It's about time! Five years is a long, long time, where cybersecurity is concerned. Looking forward to seeing the updated framework, down the line.
#cybersecurity #cybersec #cybersecuritynews #nist #nistcsf
https://portswigger.net/daily-swig/nist-plots-biggest-ever-reform-of-cybersecurity-framework