We have previously gone over the NIST Framework Core and Implementation Tiers, and would now like to dive into the Framework Profiles.
Profiles are an organization’s unique positioning of its business requirements (such as company size, industry and vertical) and its unique constraints (such as contractual obligations, objectives, risk tolerance, and organizational resources) against the desired outcomes of the Framework Core. Profiles can be used to identify opportunities for improving cybersecurity posture by comparing a “Current” Profile with a “Target” Profile. Keep in mind that the Framework is voluntary, so there is no ‘right’ or ‘wrong’ way to do it.
What are your Current and Target Profiles?
First, you must determine your Current Profile, which indicates the cybersecurity outcomes your organization has already achieved. If you haven’t already done so, take some time to map out your cybersecurity requirements, objectives, methods of operation and current practices. Compare these with the subcategories in the Framework Core; the result is your Current Profile.
Next, you must determine your Target Profile, which indicates the outcomes needed to achieve your desired cybersecurity risk management goals. Your company needs to have internal conversations to understand its unique alignment of requirements, risk appetite, resources, and objectives. It is essential here to loop in goals from all segments, both business and security, to create a more well-rounded goal set that aligns with your business’s vision for the future.
Communication is Key
The better the communication is within and around your organization, the more progress you’ll make in building a robust program or even creating a faster response plan.
Understanding your Current and Target Profiles enables your organization to see the gaps in its cybersecurity posture: every subcategory where the target outcome exceeds what is achieved today is an opportunity for improvement. Framework Profiles therefore serve both as a tool to identify those opportunities and as the basis for a Roadmap that closes the gaps and reduces cybersecurity risk.
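The Current-versus-Target comparison described above is a simple gap analysis once both profiles are expressed per Framework Core subcategory. The following Python script is an added example, not Port53’s or NIST’s code: it scores each subcategory on a 1–4 scale that mirrors the four Implementation Tiers, flags every subcategory where the target exceeds the current score (treating subcategories that appear only in the Target Profile as unassessed, score 0, so they are not silently dropped), and totals the shortfall per function so the five NIST functions can be prioritized on a roadmap. The subcategory identifiers follow NIST CSF 1.1 naming (function.category-number); the scores themselves are constructed sample data, not a real organization’s assessment.

```python
"""Current-vs-Target Profile gap analysis over NIST CSF subcategories.

Added example, not Port53's or NIST's code. Subcategory IDs use the
NIST CSF 1.1 naming scheme; the tier scores below are constructed sample data.
"""
from dataclasses import dataclass

# The five Framework Core functions, keyed by the prefix of each subcategory ID.
FUNCTIONS = {"ID": "Identify", "PR": "Protect", "DE": "Detect",
             "RS": "Respond", "RC": "Recover"}

# Constructed sample Current Profile: subcategory -> achieved score (1-4,
# mirroring the Implementation Tiers: Partial, Risk Informed, Repeatable, Adaptive).
CURRENT_PROFILE = {
    "ID.AM-1": 3,  # physical devices and systems inventoried
    "ID.AM-2": 2,  # software platforms and applications inventoried
    "PR.AC-1": 2,  # identities and credentials managed
    "PR.AC-4": 1,  # access permissions managed with least privilege
    "PR.DS-1": 3,  # data at rest protected
    "DE.CM-1": 1,  # network monitored for potential events
    "RS.RP-1": 2,  # response plan executed
    "RC.RP-1": 1,  # recovery plan executed
}

# Constructed sample Target Profile: the outcomes the organization wants to reach.
TARGET_PROFILE = {
    "ID.AM-1": 3, "ID.AM-2": 3, "PR.AC-1": 4, "PR.AC-4": 3, "PR.DS-1": 3,
    "DE.CM-1": 3, "RS.RP-1": 3, "RC.RP-1": 3,
    "RC.IM-1": 2,  # present only in the target: never assessed in the current profile
}


@dataclass(frozen=True)
class Gap:
    subcategory: str
    function: str
    current: int
    target: int

    @property
    def delta(self) -> int:
        """How many tier steps separate the current state from the target."""
        return self.target - self.current


def function_of(subcategory: str) -> str:
    """Map an ID like 'PR.AC-4' to its Framework Core function name."""
    return FUNCTIONS[subcategory.split(".", 1)[0]]


def gap_analysis(current: dict, target: dict) -> list[Gap]:
    """Return every subcategory where the target outcome exceeds the current one.

    A subcategory in the target but absent from the current profile counts as
    not achieved (score 0), so an unassessed outcome still shows up as a gap.
    """
    gaps = []
    for sub, want in target.items():
        have = current.get(sub, 0)
        if want > have:
            gaps.append(Gap(sub, function_of(sub), have, want))
    # Largest gap first; ties broken by subcategory ID for stable output.
    return sorted(gaps, key=lambda g: (-g.delta, g.subcategory))


def roadmap_by_function(gaps: list[Gap]) -> dict:
    """Total shortfall per CSF function; every function is listed even when closed."""
    totals = {name: 0 for name in FUNCTIONS.values()}
    for g in gaps:
        totals[g.function] += g.delta
    return totals


if __name__ == "__main__":
    found = gap_analysis(CURRENT_PROFILE, TARGET_PROFILE)
    for g in found:
        print(f"{g.subcategory:8} {g.function:8} {g.current} -> {g.target}  (+{g.delta})")
    print("Shortfall per function:", roadmap_by_function(found))
```

Running the script lists seven gaps, the five two-step gaps first, and shows Protect and Recover carrying the largest shortfall; in practice each Gap row becomes a roadmap item with an owner and a date, and re-running the analysis after each quarter’s work shows whether the Current Profile is actually converging on the Target.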
Port53 can help your organization baseline against NIST Cybersecurity Framework best practices. By working with your technical and business units, Port53 aims to align your security roadmap to your desired outcomes, based on your Current and Target Profiles. You will be able to see areas for improvement and gaps across all five NIST functions, as well as have a clear roadmap for closing the gaps within and around your organization.
Call (415) 347-9040 or email [email protected] for a free initial consultation and Cloud Risk Assessment.