Guest Alex Calis

Implementation Steps (3-5)


Continuing the discussion on the Cybersecurity Framework Steps, this article discusses steps 3, 4 and 5: Create a Current Profile, Conduct a Risk Assessment, and Create a Target Profile, respectively. As mentioned in previous articles, an organization can reorder these steps to best fit its needs. The most common of these changes is to transpose step 3, Create a Current Profile, and step 5, Create a Target Profile. The remainder of this post provides a summary of implementation steps 3 through 5 “in plain language” in the order identified in the Framework v1.0 as released by NIST.


Step 3: Create a Current Profile – This step is completed by walking through each of the subcategories and recording how the organization is currently achieving the outcome defined by the Framework Core. In some cases, organizations are differentiating their current state profile to record both the organization's current policy for meeting the Core's objective and the actual current implementation. Using PR.AT-1 as an example, an organization may state that its policy is that “100% of all employees within the business unit receive quarterly security awareness training”. However, the actual state is that only 90% of the employees have received the training. Identifying both the current policy and the actual implementation can assist organizations in better identifying gap-closing activities in the later implementation steps.


Step 4: Conduct a Risk Assessment – This step is as straightforward as the title. The Framework does not identify a preferred or required risk assessment process. Organizations can conduct a Risk Assessment using their current process, or, if a recent risk assessment is available, it may be used for this step.


Step 5: Create a Target Profile – During this step, organizations are encouraged to define the target, or desired, state for their cybersecurity program based on the risk assessment previously conducted. It is not feasible to expect all organizations to implement the highest level of security against all subcategories in the Framework Core on all systems and business units within an organization. For example, a database that is used to schedule the organization's holiday party does not have the same risks and security concerns as a database used to store customers' private data. Additionally, the Framework states that categories and subcategories may be added to or removed from the profile to align with organizational goals and risk thresholds. (Categories and Subcategories can also be added and removed in Step 3 if appropriate.) It is also important to note that this step identifies the organization's target state goal based on the risk assessment and the implementation tier previously selected. Understanding the desired implementation tier can assist organizations completing a target state profile in identifying how (e.g., automated or manual) they intend to implement the outcome of the subcategories. In many cases, organizations may not have the staff, time, or funding to reach this target, but the end goal should still be defined to ensure that all activities working towards improving the organization's cybersecurity program are working towards that goal. How the organization develops the action plan (Step 6) for getting to the target state will identify what can be done with available resources.
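As an added illustration, not part of the original post, the script below records the Step 3 Current Profile as a policy level and an actual level per subcategory, compares it with a Step 5 Target Profile, and flags shortfalls, policy/implementation drift (the PR.AT-1 situation above), and subcategories that were added to or removed from the target. The subcategory IDs follow the Framework Core naming; the percentages and the profile contents are constructed sample data, not an organization's real profile.

```python
"""Gap analysis between a Current Profile (Step 3) and a Target Profile (Step 5)."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class CurrentEntry:
    policy: float  # what the organization's policy says it achieves (0-100 %)
    actual: float  # what is actually implemented today (0-100 %)


@dataclass
class Gap:
    subcategory: str
    kind: str      # "shortfall", "policy_drift", "added" or "removed"
    detail: str


def gap_analysis(current: dict[str, CurrentEntry], target: dict[str, float]) -> list[Gap]:
    """Return every difference the action plan (Step 6) would need to address."""
    gaps: list[Gap] = []
    for sub, level in sorted(target.items()):
        if sub not in current:
            # Subcategory added in Step 5: nothing recorded yet in the Current Profile.
            gaps.append(Gap(sub, "added", f"in Target Profile only; target {level:.0f}%"))
            continue
        cur = current[sub]
        if cur.policy != cur.actual:
            # Policy says one thing, implementation another (e.g. 100% vs 90% for PR.AT-1).
            gaps.append(Gap(sub, "policy_drift",
                            f"policy {cur.policy:.0f}% vs actual {cur.actual:.0f}%"))
        if cur.actual < level:
            gaps.append(Gap(sub, "shortfall",
                            f"actual {cur.actual:.0f}% below target {level:.0f}%"))
    for sub in sorted(set(current) - set(target)):
        # Subcategory dropped from the Target Profile to align with risk thresholds.
        gaps.append(Gap(sub, "removed", "in Current Profile only; dropped from Target Profile"))
    return gaps


def sample_gaps() -> list[Gap]:
    """Run the analysis on constructed sample profiles."""
    current = {"ID.AM-1": CurrentEntry(100, 100), "PR.AC-1": CurrentEntry(80, 80),
               "PR.AT-1": CurrentEntry(100, 90), "RS.CO-1": CurrentEntry(50, 50)}
    target = {"ID.AM-1": 100, "PR.AC-1": 95, "PR.AT-1": 100, "DE.CM-1": 70}
    return gap_analysis(current, target)


if __name__ == "__main__":
    for g in sample_gaps():
        print(f"{g.subcategory:8} {g.kind:13} {g.detail}")
```

Only subcategories that actually differ are reported, so ID.AM-1 (policy, actual and target all at 100%) produces no line.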
