Using the Cybersecurity Framework

September 18, 2016

Organizations can leverage the Framework to assess, identify, and manage cybersecurity risk.  The Framework can be used to develop a new security program or to supplement an existing one; it does not replace an organization's risk management process but gives it a common structure and vocabulary.

Basic Review of Cybersecurity Practices

The organization's current cybersecurity state can be compared against the outcomes defined by the Framework Core.  A Current Profile records, Subcategory by Subcategory, where the organization is already achieving those outcomes and where gaps in its posture exist.  The same comparison also shows where the organization may be overinvesting: Subcategories where the current level of effort exceeds what the organization's risk actually requires.



Establishing or Improving a Cybersecurity Program

The following steps illustrate how an organization can improve or create a new Cybersecurity Program.

1.       Prioritize and Scope – The organization defines its mission objectives and high-level priorities, which are used to decide the scope of systems and assets that support the business.  Scope can be set separately for different lines of business within the organization.

2.       Orient – The organization identifies the systems and assets in scope, the regulatory requirements that apply to them, and its overall risk approach.  It then identifies the threats to, and vulnerabilities of, those systems.

3.       Create a Current Profile – A Current Profile is developed by recording which Category and Subcategory outcomes of the Framework Core the organization currently achieves.

4.       Conduct a Risk Assessment – A risk assessment of the operational environment is completed to determine the likelihood and impact of cybersecurity events, incorporating both existing and emerging threat and vulnerability data.

5.       Create a Target Profile – A Target Profile is created that states the desired outcome for each relevant Category and Subcategory, reflecting the organization's cybersecurity goals and risk tolerance.

6.       Determine, Analyze, and Prioritize Gaps – The Current and Target Profiles are compared to identify gaps.  Actions to close them are prioritized according to the organization's mission, the risks each gap exposes, and a cost-benefit analysis.  Finally, the resources (staff, budget, tooling) needed to remediate the prioritized gaps are identified.

7.       Implement Action Plan – A plan of action is created and executed to address the prioritized gaps and move the organization toward the Target Profile.  The process is then repeated, so that the achieved state becomes the next cycle's Current Profile.
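The gap analysis in steps 6 and 7, and the over-investment check from the earlier section, can be carried out mechanically once the Current and Target Profiles are recorded per Subcategory.  The following is an added example (not from the original article or from NIST) that models this.  It assumes each Subcategory is given a maturity score of 0 to 4 in both profiles; the Framework itself defines Implementation Tiers only for the organization as a whole, so per-Subcategory scoring, the risk weights, and the cost figures are all assumptions of this example.  The Subcategory IDs are real CSF v1.0 identifiers; the profile values are constructed sample data.

```python
"""Compare a CSF Current Profile with a Target Profile and prioritize the gaps.

Illustrative model only. Scores 0-4 per Subcategory (0 = not addressed,
4 = adaptive) are an assumption of this example, not part of the Framework.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Gap:
    subcategory: str
    current: int
    target: int
    risk_weight: int   # assumed 1-5 mission-impact weight from the risk assessment
    cost: float        # assumed relative remediation cost (e.g. person-months)

    @property
    def size(self) -> int:
        return self.target - self.current

    @property
    def priority(self) -> float:
        # Risk-weighted gap per unit of cost: close cheap, high-risk gaps first.
        return self.risk_weight * self.size / self.cost


# Constructed sample profiles keyed by CSF v1.0 Subcategory IDs.
CURRENT_PROFILE: Dict[str, int] = {
    "ID.AM-1": 2,   # physical devices and systems inventoried
    "PR.AC-1": 1,   # identities and credentials managed
    "DE.CM-1": 1,   # network monitored to detect events
    "PR.AT-1": 4,   # all users informed and trained
}
TARGET_PROFILE: Dict[str, int] = {
    "ID.AM-1": 3,
    "PR.AC-1": 4,
    "DE.CM-1": 3,
    "PR.AT-1": 2,   # lower than current: candidate for over-investment
    "RS.CO-2": 3,   # events reported; never assessed in the Current Profile
}
RISK_WEIGHT: Dict[str, int] = {
    "ID.AM-1": 3, "PR.AC-1": 5, "DE.CM-1": 4, "PR.AT-1": 2, "RS.CO-2": 3,
}
REMEDIATION_COST: Dict[str, float] = {
    "ID.AM-1": 2.0, "PR.AC-1": 6.0, "DE.CM-1": 4.0, "PR.AT-1": 1.0, "RS.CO-2": 1.5,
}


def analyze_gaps(current: Dict[str, int], target: Dict[str, int],
                 risk_weight: Dict[str, int], cost: Dict[str, float],
                 ) -> Tuple[List[Gap], List[str]]:
    """Return (gaps sorted by descending priority, over-invested Subcategories).

    A Subcategory present in the Target Profile but absent from the Current
    Profile is treated as score 0: an unassessed outcome is a gap, not a pass.
    """
    gaps: List[Gap] = []
    overinvested: List[str] = []
    for sub, want in target.items():
        have = current.get(sub, 0)
        if have > want:
            overinvested.append(sub)
        elif have < want:
            gaps.append(Gap(sub, have, want, risk_weight[sub], cost[sub]))
    gaps.sort(key=lambda g: g.priority, reverse=True)
    return gaps, overinvested


def action_plan(gaps: List[Gap], budget: float) -> List[str]:
    """Greedily pick the highest-priority gaps whose combined cost fits the budget."""
    plan: List[str] = []
    spent = 0.0
    for g in gaps:
        if spent + g.cost <= budget:
            plan.append(g.subcategory)
            spent += g.cost
    return plan


if __name__ == "__main__":
    gaps, over = analyze_gaps(CURRENT_PROFILE, TARGET_PROFILE,
                              RISK_WEIGHT, REMEDIATION_COST)
    for g in gaps:
        print(f"{g.subcategory}: {g.current} -> {g.target}  priority {g.priority:.2f}")
    print("over-invested:", over)
    print("this cycle:", action_plan(gaps, budget=8.0))
```

With the constructed data, RS.CO-2 ranks first because it was never assessed (treated as a full gap) and is cheap to close, while PR.AT-1 is flagged as over-invested rather than as a gap.  Real programs would replace the risk weights and costs with the outputs of step 4 and the cost-benefit analysis of step 6.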

Communicating Cybersecurity Requirements with Stakeholders

The Framework gives interdependent stakeholders (business units, suppliers, partners, and regulators responsible for delivering critical services) a common language for cybersecurity requirements: Current and Target Profiles, Categories, and Subcategories.  A Target Profile, for example, can be handed to a supplier as a concrete statement of what the organization expects of them.

Identifying Opportunities for New or Revised Informative References

The Framework Core maps each Subcategory to Informative References, that is, to specific sections of existing standards and guidelines (for example COBIT 5, ISO/IEC 27001, and NIST SP 800-53).  It also allows an organization to adopt new or revised references that better fit a given Subcategory, or a Subcategory it has added for its own needs.

Methodology to Protect Privacy and Civil Liberties

Executive Order 13636, which directed the creation of the Framework, requires that the privacy and civil liberties of individuals be addressed in the cybersecurity activities it drives.  The Framework lists the following areas in which an organization should consider privacy and civil liberties when it implements its program:

  •           Governance of cybersecurity risk
  •           Approaches to identifying and authorizing individuals to access organizational assets and systems
  •           Awareness and training measures
  •           Anomalous activity detection and system and asset monitoring
  •           Response activities, including information sharing and other mitigation efforts


National Institute of Standards and Technology (February 2014). Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0, pp. 13-17. Retrieved from

  1. Excellent interpretation of an often complex subject! Great submission!

  2. Nice article. I prefer however ISO 27000 over this one, since this is a one-shot investment and ISO a continuous process.

  3. The article is good but there is less mention of technical tools that can help us to complete each stage.

    • Choosing the tools to implement your controls is highly subjective. Each environment will have different skill sets, experience, and budgets. Some may choose to buy off-the-shelf solutions while others may build their own. The CSF provides you with a framework so that you can prioritize and track your overall security strategy.
