It is extremely important to develop an IT security governance body that helps prioritize risks and build support for when more resources are required to protect the organization. … Using a model allows the CISO to present nontechnical risk information to the governance body in a format that they will understand.
IT security governance is the system by which an organization directs and controls IT security (adapted from ISO 38500). … Governance specifies the accountability framework and provides oversight to ensure that risks are adequately mitigated, while management ensures that controls are implemented to mitigate risks.
The NIST Cybersecurity Framework provides a policy framework of computer security guidance for how private sector organizations in the United States can assess and improve their ability to prevent, detect, and respond to cyber attacks. The framework has been translated into many languages and is used by the governments of Japan and Israel, among others.[1] It “provides a high-level taxonomy of cybersecurity outcomes and a methodology to assess and manage those outcomes.” Version 1.0 was published by the US National Institute of Standards and Technology in 2014, originally aimed at operators of critical infrastructure. It is being used by a wide range of businesses and organizations and helps shift organizations to be proactive about risk management.[2][3][4] In 2017, a draft version of the framework, version 1.1, was circulated for public comment.[5] Version 1.1 was announced and made publicly available on April 16, 2018.[6] Version 1.1 is still compatible with version 1.0. The changes include guidance on how to perform self-assessments, additional detail on supply chain risk management and guidance on how to interact with supply chain stakeholders.[7]
A security framework adoption study reported that 70% of the surveyed organizations see NIST’s framework as a popular best practice for computer security, but many note that it requires significant investment.[8]
It includes guidance on relevant protections for privacy and civil liberties.[9]
In 2017, NIST published the NIST Baldrige Cyber Security Excellence Builder which leverages the 2014 framework. It includes a simpler self-assessment. The questions are divided into six areas and a results section:
- Leadership
- Strategy
- Customers
- Measurement, Analysis and Knowledge Management
- Workforce
- Operations
- Results