CyberIQs Knowledge Centre
NIST Tier and profile
Hi, I would like to understand how the tiering system works in NIST CSF, and what the difference is with the NIST profile. The tiering system seems like a maturity score; however, I have found in many places, including the NIST documentation, that the tiers do not express maturity. If they are not a way of expressing maturity, what are they? Please, can someone help me understand what the tiering system is and how to interpret the tiers after an assessment?
Thanks!!!
In my experience there are slightly different ways of using the tier system in NIST. The one I use often is based on high-level NIST assessments. See below:
Tier1: no policy, procedures or processes
Tier2: processes are available in the organization
Tier3: policies, procedures and processes are part of the security program of the organization.
The tiers represent 3 key features of an organization.
1. Risk Management Process
2. Integrated Risk Management Program
3. External Participation
Which means:
1. How widely adopted are the risk management practices?
2. How well integrated are cyber risks in the wider risk management framework?
3. How well connected is the organisation within their ecosystem (intelligence sharing and production)
Check these links:
https://www.nist.gov/cyberframework/online-learning/components-framework
https://slideplayer.com/slide/17826013/