Read the book Cybersecurity Risk Management - Cynthia Brumfield - Page 16
FRAMEWORK PROFILE
The Framework Profile is a blueprint or map that considers the Framework’s functions, categories, and subcategories for a specific purpose tailored to the organization’s needs. Organizations should develop profiles for current or desired cybersecurity objectives, and some organizations can create multiple profiles for different segments or aspects of the organization.
No template for what a profile should look like exists because Framework users should tailor their profiles to their organizations’ specific needs. As NIST points out, there is no right or wrong way to develop a profile. As Figure 0.5 illustrates, the factors that could go into a profile are an organization’s business objectives, threat environment, requirements, and controls, all of which create a cybersecurity profile unique to that organization.
Figure 0.5 NIST FRAMEWORK RISK MANAGEMENT CYCLE.
The vital aspect of a profile is the comparison between where an organization currently is and where it wishes to be, its target. As NIST states in the Framework document, “this risk-based approach enables an organization to gauge resource estimates (e.g. staffing, funding) to achieve cybersecurity goals in a cost-effective, prioritized manner.”7