Welcome to the
CyberIQs Knowledge Centre
Notifications
Clear all
Topic starter 04/04/2021 10:19 am
Hi, I would like to understand how the tiering system works in NIST CSF, and what is the difference with the NIST profile. The tiering system seems a maturity score; however, I have found in many places including the NIST documentation that the tiers do not express maturity. If they are not a way of expressing maturity what are they? Please, can someone help me understand what is the tiering system and how to interpret them after an assessment?
Thanks!!!
18/04/2021 12:49 pm
In my experience there are slighly different ways of using the tier system in NIST.The one I use often is based on high level NIST assessments. See below,
Tier1: no policy, procedures or processes
Tier2: processes are available in the organization
Tier3: policies, procedures and processes are part of the security program of the organization.
21/04/2021 9:40 am
The tiers represent 3 key features of an organization.
1. Risk Management Process
2. Integrated Risk Management Program
3. External Participation
Which means:
1. How widely adopted are the risk management practices?
2. How well integrated are cyber risks in the wider risk management framework
3. How well connected is the organisation within their ecosystem (intelligence sharing and production)
Check these links:
https://www.nist.gov/cyberframework/online-learning/components-framework
https://slideplayer.com/slide/17826013/
