Cyber Security – unit 2

Cyber Security Framework Tiers

The NIST CSF implementation tiers are as follows:

o Tier 1: Partial
o Tier 2: Risk Informed
o Tier 3: Repeatable
o Tier 4: Adaptive

The tiers describe how rigorous an organization's cyber security risk management practices are and how far they are integrated into its wider risk decisions, with Tier 1 the least rigorous and Tier 4 the most. NIST presents them as a way to characterize current practice, not as maturity levels or a certification: moving to a higher tier is encouraged where the reduction in risk justifies the cost, and the right target tier depends on the organization's risk, resources and legal obligations.
NIST Framework implementation tiers
To help organizations measure their progress toward implementing the NIST
Cybersecurity Framework, the framework identifies four implementation tiers:
Tier 1 – Partial: This tier includes organizations whose security procedures are ad hoc,
reactive or absent. Businesses in Tier 1 have little awareness of cyber security risk at the
organizational level, so security measures are rarely prioritized according to risk.
Companies at this level must first take steps to understand their cyber security risk and then
manage it deliberately. Tier 1 describes your organization if it has not committed the time,
staff or budget needed to run a risk management process or a security program.
Tier 2 – Risk Informed: The majority of senior executives are aware of the main threats
they face, including malware, state-sponsored attacks and other bad actors, and management
has approved practices to protect against and mitigate those risks. Although Tier 2
organizations have a fair amount of risk knowledge, those practices are usually not yet
established as organization-wide policy, so different departments follow different rules.
Similarly, they may be aware of the threats to their supply chains and assets, but they lack
the governance structures needed to act on those threats consistently across the organization.
Tier 3 – Repeatable: The organization and its senior executives are aware of cyber security
risks and have implemented a repeatable, organization-wide cyber security risk management
plan that is formally approved and expressed as policy. The cyber security team has an action
plan to monitor for and respond effectively to cyber attacks, and practices are updated as
business requirements and the threat landscape change.
Tier 4 – Adaptive: The organization is cyber resilient and uses lessons learned and
predictive indicators to prevent cyber attacks before they succeed. The cyber security team
continuously improves the organization's cyber security technologies and practices and adapts
to changes in threats quickly and efficiently. There is an organization-wide approach to
information security risk management with risk-informed decision-making, policies,
procedures and processes. Adaptive organizations build cyber security risk management into
budget decisions and organizational culture.
----X---
NIST Functions of Cyber Security
The NIST Cybersecurity Framework (CSF) organizes its outcomes into core Functions. CSF 1.1
defines five (Identify, Protect, Detect, Respond, Recover); CSF 2.0 adds a sixth, Govern,
which sits under the other five. The five common to both versions are:
 Identify
List all equipment, software and data, and identify the vulnerabilities and threats that
affect them. This Function also covers creating and sharing a cyber security policy that
sets out roles and responsibilities and the steps to take in the event of an attack.

 Protect
Control who can access devices and networks, use security software, and encrypt
sensitive data.
Examples of outcome Categories within this Function include:
 Protections for Identity Management and Access Control within the organization
including physical and remote access
 Empowering staff within the organization through Awareness and Training
including role based and privileged user training
 Establishing Data Security protection consistent with the organization’s risk
strategy to protect the confidentiality, integrity, and availability of information

 Detect


Monitor for unauthorized access, devices, and software, and investigate unusual
activity.
Examples of outcome Categories within this Function include:
 Ensuring Anomalies and Events are detected, and their potential impact is
understood
 Implementing Security Continuous Monitoring capabilities to monitor cyber
security events and verify the effectiveness of protective measures including
network and physical activities
 Maintaining Detection Processes to provide awareness of anomalous events

 Respond
Have a plan for containing an incident once it is detected, notifying affected people and
authorities, and keeping operations running while the breach is handled.
 Recover
After an attack, restore affected equipment and networks, and keep people informed.
Examples of outcome Categories within this Function include:
 Ensuring the organization implements Recovery Planning processes and
procedures to restore systems and/or assets affected by cybersecurity incidents
 Implementing Improvements based on lessons learned and reviews of existing
strategies
 Internal and external Communications are coordinated during and following
the recovery from a cybersecurity incident

---X---

Features of NIST Cybersecurity

The NIST Cyber security Framework (CSF) provides a structured approach to managing cyber
security risks through its core Functions: Identify, Protect, Detect, Respond and Recover,
with Govern added in CSF 2.0.
 Comprehensive Risk Management: Offers a clear method for identifying, assessing and
managing cyber security risks, aligning these efforts with overall business strategy.
 Flexibility and Scalability: Adapts to organizations of any size or industry, with enhanced
guidance in CSF 2.0 for tailoring the framework to specific needs and evolving threats.
 Regulatory Compliance: Helps meet regulatory requirements, reducing the risk of fines and
legal issues; in CSF 2.0 the Govern function reinforces compliance alignment.
 Enhanced Cyber Resilience: Improves detection, response and recovery from incidents,
supporting business continuity and adapting to new threats.
 The Recover function ensures the organization implements recovery planning processes and
procedures to restore systems and/or assets affected by cyber security incidents.
 The Respond function focuses on developing and implementing appropriate actions to
contain the impact of a detected cyber security event.
 The Detect function focuses on identifying the occurrence of cyber security events in a
timely manner. This function is crucial for quickly recognizing and responding to potential
threats.
---X---

What is the NIST Cyber security Framework?

NIST is the National Institute of Standards and Technology at the U.S. Department of
Commerce. The NIST Cyber security Framework helps businesses of all sizes better
understand, manage, and reduce their cyber security risk and protect their networks and
data. The Framework is voluntary.

The NIST Cybersecurity Framework (CSF) is a set of activities that helps organizations
manage and reduce cyber security risks:
 What it does
The CSF helps organizations understand their cyber security risks, protect their networks
and data, and focus their resources on cyber security.
 How it works
The CSF is a flexible framework that can be customized to meet an organization's unique
needs. It provides a common taxonomy of cyber security outcomes that organizations can use
to assess, prioritize and communicate their cyber security efforts.
 Who uses it
The CSF is intended for use by organizations of all sizes and across all sectors, including
government agencies and industry.
 How it's different from other frameworks
The CSF is free and self-assessed (there is no NIST certification against it), which makes
it a good choice for organizations developing a cyber security strategy. In contrast,
ISO 27001 is aimed at organizations with a mature cyber security posture and offers a
globally recognized, audited certification.
 What's included
The CSF wheel graphic has five sections: Identify, Protect, Detect, Respond and Recover.
In CSF 2.0 a sixth, Govern, is placed at the center of the wheel.
 Latest update
The current version, CSF 2.0, was released in February 2024.

---X---
Turn the NIST Cybersecurity Framework into Reality: 5 Steps
Set Your Target Goals
Before you even think about how to implement the NIST CSF, you must take aim at
setting up your target goals. The first hurdle that many organizations encounter is
establishing agreement throughout the organization about risk tolerance levels. There is
often a disconnect between upper management and IT about what constitutes an
acceptable level of risk.
Create a Detailed Profile
The next step is to drill a bit deeper and tailor the framework to your specific business
needs. The Framework Implementation Tiers will help you understand your current position
and where you need to be. Each tier is described across three areas:
 Risk Management Process
 Integrated Risk Management Program
 External Participation
Each area runs from Tier 1 to Tier 4:
 Tier 1 – Partial
 Tier 2 – Risk Informed
 Tier 3 – Repeatable
 Tier 4 – Adaptive
Assess Your Current Position
Now it’s time to conduct a detailed risk assessment, so that you can establish your status.
It's a good idea to have the risk assessment done independently. Identify software tools
capable of scoring your target areas and train staff to use them, or hire a third party to
run your risk assessment. It's crucial that the people performing the risk assessment have
no knowledge of your target scores, so that the results are not biased toward them.
Your organization should have a clear understanding of the cybersecurity risk to
organizational operations (including mission, functions, image or reputation),
organizational assets and individuals. Vulnerabilities and threats should be identified and
fully documented.
Analyze Gaps and Identify Necessary Actions
Armed with a deeper knowledge of cybersecurity risks and the potential business impacts
for your organization, you can move on to a gap analysis. The idea is to compare your
actual scores with your target scores. You may want to create a heat map to illustrate the
results in an accessible and digestible way. Any significant differences immediately
highlight areas that you’ll want to focus on.
Work out what you need to do to close the gaps between your current scores and your
target scores. Identify a series of actions that you can take to improve your scores and
prioritize them through discussion with all key stakeholders. Specific project
requirements, budgetary considerations and staffing levels may all influence your plan.
Implement an Action Plan
With a clear picture of the current health of your cybersecurity defenses, a set of
organizationally aligned target goals, a comprehensive gap analysis and a set of
remediation actions, you are finally ready to implement the NIST CSF. Use your first
implementation as an opportunity to document processes and create training materials for
wider implementation down the line.
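The steps above (set targets, assess, compare, prioritize) can be carried out with a small scoring tool. The following Python is an added example written for this page, not NIST's or any vendor's code: it scores each CSF Category on the 1..4 tier scale as the steps describe, computes the gap between assessed and target tier, weights it by a business-impact figure (an assumption: a 1..5 weight assigned by the risk owners, not something the CSF defines), and prints a plain-text heat map. The Category identifiers follow CSF 1.1 naming and the sample profile is constructed for illustration.

```python
"""Gap analysis for a NIST CSF profile: assessed vs target tier per Category.

Hypothetical helper written for illustration, not NIST tooling.  Tier scores
use the four CSF Implementation Tiers (1 Partial .. 4 Adaptive).  The impact
weight and the sample profile are assumptions constructed for this example.
"""
from dataclasses import dataclass

TIER_NAMES = {1: "Partial", 2: "Risk Informed", 3: "Repeatable", 4: "Adaptive"}


@dataclass(frozen=True)
class CategoryScore:
    function: str   # CSF Function, e.g. "Protect"
    category: str   # CSF 1.1 Category identifier, e.g. "PR.AC"
    current: int    # tier found by the independent assessment (step 3)
    target: int     # tier agreed with stakeholders (step 1)
    impact: int     # business-impact weight 1..5 (assumption: set by risk owners)

    def __post_init__(self):
        # Reject scores outside the tier scale so a typo cannot hide a gap.
        for label, value in (("current", self.current), ("target", self.target)):
            if value not in TIER_NAMES:
                raise ValueError(f"{self.category}: {label} tier {value} is not 1..4")
        if not 1 <= self.impact <= 5:
            raise ValueError(f"{self.category}: impact {self.impact} is not 1..5")

    @property
    def gap(self) -> int:
        """Tiers still to climb; never negative (being above target is not a gap)."""
        return max(0, self.target - self.current)

    @property
    def priority(self) -> int:
        """Gap weighted by business impact, used to order remediation work."""
        return self.gap * self.impact


def prioritized_gaps(scores):
    """Categories below target, highest weighted gap first.

    Ties are broken by the larger raw gap, then by identifier for stable output.
    """
    open_gaps = [s for s in scores if s.gap > 0]
    return sorted(open_gaps, key=lambda s: (-s.priority, -s.gap, s.category))


def heat_map(scores):
    """Plain-text heat map, one row per Category and one cell per tier.

    '#' marks tiers already achieved, '.' tiers still to reach, ' ' tiers beyond target.
    """
    rows = []
    for s in scores:
        cells = "".join(
            "#" if t <= s.current else "." if t <= s.target else " "
            for t in range(1, len(TIER_NAMES) + 1)
        )
        rows.append(f"{s.function:<8} {s.category:<6} [{cells}] gap={s.gap} prio={s.priority}")
    return "\n".join(rows)


# Constructed sample profile (not real assessment data).
SAMPLE_PROFILE = [
    CategoryScore("Identify", "ID.AM", current=2, target=3, impact=4),
    CategoryScore("Protect", "PR.AC", current=1, target=3, impact=5),
    CategoryScore("Protect", "PR.DS", current=2, target=3, impact=3),
    CategoryScore("Detect", "DE.CM", current=1, target=2, impact=4),
    CategoryScore("Respond", "RS.CO", current=3, target=3, impact=2),
    CategoryScore("Recover", "RC.RP", current=4, target=3, impact=2),  # above target: no gap
]

if __name__ == "__main__":
    print(heat_map(SAMPLE_PROFILE))
    for s in prioritized_gaps(SAMPLE_PROFILE):
        print(f"{s.category}: {TIER_NAMES[s.current]} -> {TIER_NAMES[s.target]} "
              f"(priority {s.priority})")
```

In the sample profile, access control (PR.AC) comes out first because it is two tiers short of target and carries the highest impact weight; the Recover Category that already exceeds its target is reported with a zero gap rather than a negative one, which is the behaviour you want when a department has over-invested relative to the agreed target.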
---X---
