Read the book Cybersecurity Risk Management - Cynthia Brumfield - Page 15



The Framework Implementation Tiers consist of four levels of “how an organization views cybersecurity risk and the processes in place to manage that risk.” Although the levels are progressive in terms of rigor and sophistication from Tier 1 (Partial) to Tier 4 (Adaptive), they are not “maturity” levels in terms of cybersecurity approaches. NIST bases successful implementation on the outcomes described in the organization’s Target Profiles (see the next section) rather than on a progression from Tier 1 to Tier 4.

The final Framework document describes the implementation tiers in more detail, but the following is a summary of the four tiers, modified from NIST’s description (Figure 0.4):

Tier 1: Partial – Risk is managed in an ad hoc and sometimes reactive manner. There is limited awareness of cybersecurity risk at the organizational level and no organization-wide approach to cybersecurity. The organization may not have the processes in place to participate in coordination or collaboration with other entities.

Tier 2: Risk-Informed – Management approves risk management practices, but they may not be an organization-wide policy. There is awareness of cybersecurity risk at the organization level. Still, an organization-wide approach has not been established, and the organization understands the broader ecosystem but has not formalized its participation in it.

Tier 3: Repeatable – The organization’s risk management practices are approved and formally adopted as policy. There is an organization-wide approach to risk management. The organization collaborates with and receives information from partners in the wider ecosystem.

Tier 4: Adaptive – The organization adapts its cybersecurity practices from lessons learned. Cybersecurity risk management uses risk-informed policies, procedures, and processes and is part of the organizational culture, and the organization actively shares information with partners.
