Week 4 Discussion - CSF vs RMF PDF

Title Week 4 Discussion - CSF vs RMF
Course Cybersecurity in Business and Industry
Institution University of Maryland Global Campus



Description

Many businesses follow NIST guidance for identifying, managing, remediating, and monitoring information systems risk. Some follow the guidance because of contractual mandates (e.g., they are under contract to the US Federal Government). Other businesses follow NIST guidance because it represents "best practices" and is a widely accepted source of guidance. Write a 3 to 5 paragraph position statement in which you identify and describe 3 to 5 contributions that your chosen framework (CSF or RMF) will make to effective management of enterprise IT risk.

The NIST Cybersecurity Framework (CSF) is voluntary. Its purpose is to manage and reduce cybersecurity risk using existing standards, guidelines, and best practices (Chan, 2018). Managing risk is the central theme of the CSF: a business that cannot manage and mitigate the risk to its information could suffer devastating losses. The CSF does more than manage enterprise IT risk; it also gives structure and a common vocabulary to cybersecurity (Burns & Levinson LLP, 2018). Because of that structure, a business can compare its current posture against previous years and against other companies that use the CSF, since both sides are measured against the same Functions, Categories, and Subcategories. The framework also helps companies react better. For example, if a credit card company that had implemented the CSF is breached because one of its safeguards was circumvented, other credit card companies that use the CSF can map what that company did or did not do onto their own implementation and close the same gap. Comparison is easier because apples are being compared with apples.

Companies can also use the CSF to defend themselves against lawsuits or legal claims from customers or other stakeholders. Because the CSF is an accepted set of standards for cybersecurity, a company that has implemented and maintained safeguards based on it can show that it followed the industry standard. No system is perfect against every threat, and cyber threats in particular are dynamic and constantly evolving; but a company reduces its exposure to regulatory or legal action by making it hard for anyone to argue that its information security was sub-par (Burns & Levinson LLP, 2018). The CSF is designed to complement, rather than replace, a company's existing cybersecurity program and risk management processes. Implementing it identifies the areas where new processes or standards are needed and the areas where existing processes can be strengthened further.

The CSF is intended to be cost-effective to implement and maintain, and it need not consume a large share of a company's budget, which adds to its appeal. It is also a living framework that NIST keeps up to date, although a company's own implementation of it has to be maintained as well (Uses and Benefits of the Framework, 2018).

The CSF also improves communication between the levels of a business. It guides the key points about risk management activities through the levels of an organization, from the senior executive level to the business or process level to the implementation or operations level, and it creates a two-way flow of information that is key to managing cyber risks and threats. In one direction, the executive level communicates its priorities, the resources available, and the overall risk tolerance to the business or process level; the business level uses that information as input to its risk management process and creates a Profile, which the operations level then implements. In the other direction, the operations level reports to the business level how the Profile was implemented and what impact it had; the business level reports those outcomes to the executive level; and the executive level decides whether the result matches the company's risk tolerance or whether the risk management process needs to be adjusted (Uses and Benefits of the Framework, 2018).

The CSF is used by firms of different sizes and in many industries. It is flexible enough that, rather than removing what a business already has in place to manage IT risk, it complements and strengthens the existing system. The University of Chicago's Biological Sciences Division and Intel have both used the framework, and each tailored it to its own business needs (Uses and Benefits of the Framework, 2018).

References

Burns & Levinson LLP. (2018, November 13). The Benefits of the NIST Cybersecurity Framework for the Private Sector. Retrieved from Lexology: https://www.lexology.com/library/detail.aspx?g=a2a8da5a-fdb2-42d3-9e9d-213031eed3ae

Chan, A. (2018, September 14). Why should organizations implement the NIST Cybersecurity Framework? Retrieved from IT Governance USA: https://www.itgovernanceusa.com/blog/whyshould-organizations-implement-the-nist-cybersecurity-framework

Uses and Benefits of the Framework. (2018, August 10). Retrieved from NIST: https://www.nist.gov/cyberframework/online-learning/uses-and-benefits-framework

