Kristen LeClere

Understanding the Implementation Tiers

One of the most challenging components of the Cybersecurity Framework to grasp is that of the Framework Implementation Tiers (“Tiers”). Last week, you heard about the Framework Core – “a set of activities to achieve specific cybersecurity outcomes, and references examples of guidance to achieve those outcomes” [from the Cybersecurity Framework, Section 2.1]. If the Core indicates what to do, the Tiers influence how to do those activities. In recording the current activities undertaken to achieve the outcomes described in the Core, and in planning how one will achieve those outcomes in the future, the Tiers help organizations define how well they are achieving, or want to achieve, those outcomes.

It goes without saying that each organization has differing priorities and resources. Those resources need to support achievement of the risk management goals of the organization, and they need to do so in a cost-effective manner. Consider an illustrative example outcome of “local fires in data centers are extinguished quickly.” To protect a critical information system for a large corporation, a reasonable proactive approach might be to install Halon fire suppression equipment at a cost of tens of thousands of dollars. A smaller organization, however, might choose to take a reactive stance and provide a $20 fire extinguisher. Each solution is suitable depending upon the value of the resources being protected and depending upon the organization’s risk management criteria.

While the example above may be somewhat extreme, it illustrates how the Framework Implementation Tiers (“Tiers”) “provide context on how an organization views cybersecurity risk and the processes in place to manage that risk.” As part of the implementation process, an organization selects the Tier level that is applicable, ranging from Partial (Tier 1) to Adaptive (Tier 4). Understanding the selected Tier, in turn, will help the implementer determine:

- the current level of achievement to be recorded in Current Profile(s);
- how target outcomes will be achieved, thereby informing the planned activities; and
- factors in the gap analysis between what’s currently happening and what should be happening to achieve Core outcomes.

The following provides a general summary of the Tiers. Next week we’ll discuss an approach for selecting the appropriate Tier for your organization, and each Tier in more detail.

Tier 1 - Partial: Organizations operating at Tier 1 typically swarm to cybersecurity incidents in an ad hoc manner. They address each incident as it occurs, leveraging the experiences and lessons learned of the staff swarming to the challenge.

Tier 2 - Risk Informed: Management within the organization approves risk management decisions. The organization understands the priorities for cybersecurity protections and reactions within the organization, but these may not be codified in organizational policies or procedures.

Tier 3 - Repeatable: Management within the organization has formally approved cybersecurity policy and procedures. The organization receives threat information for its sector from partners and others in that sector to make informed decisions. It typically works as an organization to address cybersecurity incidents, ensuring the right staff and management are identified to correctly address an incident or attack.

Tier 4 - Adaptive: Organizations update their formalized cybersecurity policy and procedures on an ongoing basis, based on lessons learned and predictive threat indicators. Adaptive organizations are active members of their sector, collaborating with partners on best practices and potential threats to their industry.

*This generalizes the Tiers as defined in Section 2.2 of the Framework. More specific information is available in Section 2.2.


The Tiers are actually maturity levels. NIST states that they are not, but in reality they are (sorry; if it looks like a duck...). There are many tools that will facilitate your level and help you decide if you need to go further, such as CMMI and ISO 21827. It does not have to be complicated, just thorough.
