Welcome to the
CyberIQs Knowledge Centre


NIST Tier and profile

rupeshh
(@rupeshh)
Active Member
Joined: 2 years ago
Posts: 5
Topic starter  

Hi, I would like to understand how the tiering system works in NIST CSF, and what the difference with the NIST profile is. The tiering system seems to be a maturity score; however, I have found in many places, including the NIST documentation, that the tiers do not express maturity. If they are not a way of expressing maturity, what are they? Please, can someone help me understand what the tiering system is and how to interpret the tiers after an assessment?

Thanks!!!


konsultant
(@konsultant)
Active Member
Joined: 2 years ago
Posts: 9
 

In my experience there are slightly different ways of using the tier system in NIST. The one I use often is based on high-level NIST assessments. See below:

 

Tier 1: no policy, procedures or processes

Tier 2: processes are available in the organization

Tier 3: policies, procedures and processes are part of the security program of the organization.


the_eagle
(@the_eagle)
Eminent Member
Joined: 2 years ago
Posts: 28
 

The tiers represent 3 key features of an organization.

1. Risk Management Process

2. Integrated Risk Management Program

3. External Participation

 

Which means:

 

1. How widely adopted are the risk management practices?

2. How well integrated are cyber risks in the wider risk management framework?

3. How well connected is the organisation within their ecosystem (intelligence sharing and production)?

 

Check these links:

https://www.nist.gov/cyberframework/online-learning/components-framework

https://slideplayer.com/slide/17826013/

 

