The National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) provides guidance on how organizations can better manage and reduce cybersecurity risk by examining the effectiveness of their cybersecurity investments. The framework is flexible: it lets the unique risks an organization faces take center stage (as much as is needed) in shaping its cybersecurity profile.
A big part of the NIST CSF is being able to determine where your organization’s cybersecurity posture stands in relation to the CSF. For this purpose, NIST added a new self-assessment section to the Framework for Improving Critical Infrastructure Cybersecurity in 2018, available here.
This article details self-assessment for the CSF. We will explore what self-assessments are, the benefits of self-assessment, what to do before you self-assess, the steps of conducting a full self-assessment, questions to include in the self-assessment questionnaire, and self-assessment resources.
What are self-assessments?
Self-assessments are intended to show how your cybersecurity program matches up with the NIST CSF. According to NIST, self-assessments are a way to measure an organization’s cybersecurity maturity.
To help organizations with self-assessments, NIST published a guide for self-assessment questionnaires called the Baldrige Cybersecurity Excellence Builder. This will help organizations make tough decisions in assessing their cybersecurity posture.
The benefits of self-assessment
It should be noted that both the NIST CSF itself and self-assessment against it are voluntary guidance for organizations. With this said, organizations should consider conducting a self-assessment of their cybersecurity posture for the benefits it conveys alone. These benefits include:
- Identifying successes and highlighting opportunities for improvement
- Jump-starting improvement initiatives
- Energizing change initiatives
- Energizing the workforce
- Assessing performance against both the NIST CSF and the competition
- Better alignment of resources with organization objectives
What to do before self-assessment
Before you begin your organization’s self-assessment, you need to do a (Read more...)
*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Greg Belding. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/JxlMPRlZgIw/