Guest Alex Calis

Selecting a Tier


While Tier selection is based upon organizational goals as part of CSF Step 1 (the implementation steps will be discussed in the upcoming weeks), it should be informed by the threat environment, legal and regulatory requirements, business/mission objectives, and organizational constraints. This is an area where the DHS Critical Infrastructure Cyber Community Voluntary Program can assist, as can other Federal government departments and agencies, Information Sharing and Analysis Centers (ISACs), and relevant business associations. Organizations should choose neither a higher Tier nor a lower Tier than will achieve the stakeholder goals defined in the first step for implementing the Framework.

The table below describes the four Tiers as introduced in the Cybersecurity Framework 1.0. This table is a summary of Section 2.2 of the Framework v1.0. The table focuses on helping an organization consider three factors, and the level of proactivity/predictability desired. Those factors include: the organization's risk management process, its integrated risk management program, and the extent to which the organization participates with external parties to manage risk. In general, the more formal the risk management processes are/should be, the higher the Tier level selected will be. Similarly, the more an organization receives and/or shares security information (e.g. threat warnings, vulnerability understanding, intelligence about how vendors/suppliers are managing risk) from outside sources, the higher the Tier level selected will be. This enables those applying the Framework to identify realistic and cost-effective approaches to achieving the Core outcomes in the way that best fulfills organizational goals.

