
  There has been a lot of discussion about Cybersecurity Framework Profiles: what they mean and how they should be represented.  The Framework[1] document itself defines a Profile as the mechanism for representing the outcomes of the Framework Core Categories and Subcategories that an organization has selected.  An organization can therefore use the Framework Core as a template either for recording its current cybersecurity state (a Current-State Profile) or for defining the posture it intends to reach (a Target-State Profile).  But how?


  While there are many views on how a Framework Profile can be recorded, one of the prevailing approaches is a simple matrix.  The matrix starts from the Framework Core, with one row for each Function, Category and Subcategory the organization has selected.  To create a current-state profile, the matrix is extended with additional columns of information, such as:

  • the organization's current policy as it relates to the applicable Category/Subcategory,
  • the technologies used to implement that policy, and
  • the assignees responsible for implementing and managing the capability.

  The level of detail captured for each of these data points depends on the type of profile being developed.  For a large organization using the Framework to provide enterprise-level guidance, the outcomes captured in the profile are high level, so that they apply to the entire organization.  Each sub-organization within the enterprise can then use the enterprise profile to develop its own profile, showing how it meets the enterprise goals.  For example, PR.DS-1 (Protect / Data Security, Subcategory 1) at the enterprise level could state that all customer data will be encrypted at rest.  The sales organization would use that guidance to identify where customer data is stored within sales, and would then update its own profile entry for PR.DS-1 to state that the customer data stored in the Contacts Database is encrypted at rest using AES.  An entry like this is most useful when it records enough detail to be verified (for example, which AES mode and key length are used and where the keys are managed), so that an auditor can check the entry rather than take it on trust.  This gives an enterprise the ability to create a profile with the data required to define its cybersecurity program, and to have that data flow down through all of its sub-organizations.
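The matrix described above, and the enterprise-to-sub-organization flow, can be made concrete in a few lines of code.  The following is an added example and is not code from the original post or from NIST.  It models a profile as rows with the Framework Core columns plus the policy, technology, assignee and status columns; derives a sales current-state profile from an enterprise target profile; and then compares the two to list the gaps (the Framework's own next step after building a Current and a Target Profile).  PR.DS-1 is the Subcategory used in the post and PR.DS-2 (data in transit is protected) is also a real Core Subcategory, but the column names, the outcome wording, the technologies, assignees and statuses are constructed for this example.

```python
"""Framework Profile as a matrix: enterprise target profile, a derived
sub-organization current profile, and a Current-vs-Target gap check.
This is an added example, not code from the original post or from NIST."""
from dataclasses import dataclass, replace, asdict
import csv
import io

# Column layout of the profile matrix. The first three columns come from
# the Framework Core; the rest are the "additional columns" a current-state
# profile adds. The column names are an assumption for this example.
COLUMNS = ["function", "category", "subcategory",
           "outcome", "technology", "assignee", "status"]


@dataclass(frozen=True)
class ProfileRow:
    function: str      # Framework Function, e.g. "Protect"
    category: str      # Framework Category, e.g. "Data Security"
    subcategory: str   # Framework Subcategory ID, e.g. "PR.DS-1"
    outcome: str       # the organization's policy statement for this subcategory
    technology: str = ""   # technologies used to implement the policy
    assignee: str = ""     # who implements and manages the capability
    status: str = ""       # current profile only: implemented / partial / not implemented


# Constructed enterprise-level target profile. PR.DS-1 is the subcategory
# discussed in the post; PR.DS-2 (data in transit is protected) is also a
# real Core subcategory. Outcome text and assignee are illustrative.
ENTERPRISE_TARGET = [
    ProfileRow("Protect", "Data Security", "PR.DS-1",
               "All customer data is encrypted at rest.", assignee="CISO office"),
    ProfileRow("Protect", "Data Security", "PR.DS-2",
               "All customer data is encrypted in transit.", assignee="CISO office"),
]

# Constructed refinements the sales organization records against each
# enterprise outcome: its own wording, technology, owner and status.
SALES_REFINEMENTS = {
    "PR.DS-1": dict(
        outcome="Customer data in the Contacts Database is encrypted at rest using AES.",
        technology="Database transparent encryption, AES-256-GCM, keys held in the enterprise KMS",
        assignee="Sales IT", status="implemented"),
    "PR.DS-2": dict(
        outcome="Customer data is encrypted in transit between the CRM and the Contacts Database.",
        technology="TLS 1.2 on the CRM front end; database link not yet on TLS",
        assignee="Sales IT", status="partial"),
}


def derive_sub_org_profile(enterprise, refinements):
    """Flow the enterprise profile down: every enterprise row is inherited
    (Function, Category, Subcategory and the enterprise outcome) and the
    sub-organization overlays its own outcome, technology, assignee and status."""
    rows = []
    for row in enterprise:
        rows.append(replace(row, **refinements.get(row.subcategory, {})))
    return rows


def gap_analysis(current, target):
    """Compare a current profile against a target profile. Returns a list of
    (subcategory, reason) for every target outcome the current profile does
    not fully meet; this is the gap list an action plan is prioritised from."""
    by_subcat = {row.subcategory: row for row in current}
    gaps = []
    for want in target:
        have = by_subcat.get(want.subcategory)
        if have is None:
            gaps.append((want.subcategory, "not in current profile"))
        elif have.status != "implemented":
            gaps.append((want.subcategory, have.status or "status not recorded"))
    return gaps


def to_csv(rows):
    """Render a profile as the CSV matrix an organization would keep on file."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=COLUMNS)
    writer.writeheader()
    for row in rows:
        writer.writerow(asdict(row))
    return buf.getvalue()


if __name__ == "__main__":
    sales_current = derive_sub_org_profile(ENTERPRISE_TARGET, SALES_REFINEMENTS)
    print(to_csv(sales_current))
    for subcat, reason in gap_analysis(sales_current, ENTERPRISE_TARGET):
        print(f"gap: {subcat}: {reason}")
```

Run as a script it prints the sales matrix as CSV and then a single gap line for PR.DS-2, since the sales profile records that subcategory as only partially implemented.  Keeping the Framework Core columns fixed and letting each sub-organization overlay only the remaining columns is what makes the enterprise profile usable as a template rather than a document each team rewrites from scratch.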


How is your organization developing profiles?

[1] Framework for Improving Critical Infrastructure Cybersecurity, version 1.0, Feb 12, 2014, http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf

