Entry: NIST Cybersecurity Framework
Definition:
The NIST Cybersecurity Framework provides a policy framework of computer security guidance for how private sector organizations in the United States can assess and improve their ability to prevent, detect, and respond to cyber attacks. The framework has been translated into many languages and is used by the governments of Japan and Israel, among others.[1] It "provides a high level taxonomy of cybersecurity outcomes and a methodology to assess and manage those outcomes."

Version 1.0 was published by the US National Institute of Standards and Technology in 2014, originally aimed at operators of critical infrastructure. It is being used by a wide range of businesses and organizations and helps shift organizations toward proactive risk management.[2][3][4] In 2017, a draft of version 1.1 was circulated for public comment.[5] Version 1.1 was announced and made publicly available on April 16, 2018.[6] Version 1.1 remains compatible with version 1.0; the changes include guidance on how to perform self-assessments, additional detail on supply chain risk management, and guidance on how to interact with supply chain stakeholders.[7]

A security framework adoption study reported that 70% of the surveyed organizations see NIST's framework as a popular best practice for computer security, but many note that it requires significant investment.[8] The framework includes guidance on relevant protections for privacy and civil liberties.[9]

In 2017, NIST published the NIST Baldrige Cyber Security Excellence Builder, which leverages the 2014 framework and includes a simpler self-assessment. The questions are divided into six areas and a results section:
Overview

The NIST Cybersecurity Framework is designed for individual businesses and other organizations to use to assess the risks they face. The framework is divided into three parts: "Core", "Profile" and "Tiers". The "Framework Core" contains an array of activities, outcomes and references about aspects and approaches to cybersecurity. The "Framework Implementation Tiers" are used by an organization to clarify for itself and its partners how it views cybersecurity risk and the degree of sophistication of its management approach. A "Framework Profile" is a list of outcomes that an organization has chosen from the categories and subcategories, based on its needs and risk assessments. An organization typically starts by using the framework to develop a "Current Profile", which describes its cybersecurity activities and the outcomes it is achieving. It can then develop a "Target Profile", or adopt a baseline profile tailored to its sector (e.g. the infrastructure industry) or type of organization. It can then define the steps needed to move from its Current Profile to its Target Profile.

Functions and categories of cybersecurity activities

The NIST Cybersecurity Framework organizes its "core" material into five "functions", which are subdivided into a total of 23 "categories". For each category, it defines a number of subcategories of cybersecurity outcomes and security controls, with 108 subcategories in all. For each subcategory, it also provides "Informative Resources" referencing specific sections of a variety of other information security standards, including ISO 27001, COBIT, NIST SP 800-53, ANSI/ISA-62443, and the Council on CyberSecurity Critical Security Controls (CCS CSC, now managed by the Center for Internet Security). Special Publications (SP) aside, most of the informative references require a paid membership or purchase to access their respective guides.
The cost and complexity of the framework has resulted in bills from both houses of Congress that direct NIST to create Cybersecurity Framework guides that are more accessible to small and medium businesses.[10][11]

Here are the functions and categories, along with their unique identifiers and definitions, as stated in the category column of the spreadsheet view of the core of the standard.[12]

Identify: "Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities."
Protect: "Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services."
Detect: "Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event."
Respond: "Develop and implement the appropriate activities to take action regarding a detected cybersecurity event."
Recover: "Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event."
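The Overview describes a procedure (build a Current Profile, choose a Target Profile, then define the steps to move between them) over a Core organized as Functions, categories and subcategory outcomes. The following Python is an added example written for this entry; it is not code from NIST or from the Framework itself. It takes only the five Function names from the Framework: every subcategory identifier, outcome statement and informative reference in the toy Core, and both sample profiles, are constructed placeholders, not the Framework's own 108 subcategories.

```python
"""Current-to-Target Profile gap analysis over a toy Framework Core.

Added example, not code from NIST or the Framework. The Core is modelled
as Function -> subcategory outcome; only the five Function names come
from the Framework. Every identifier, outcome string and informative
reference below is a constructed placeholder.
"""
from collections import OrderedDict
from dataclasses import dataclass

# The five Framework Functions, in the order the Framework lists them.
FUNCTIONS = ("Identify", "Protect", "Detect", "Respond", "Recover")


@dataclass(frozen=True)
class Subcategory:
    ident: str        # constructed id, shaped like "<function>.<category>-<n>"
    function: str     # one of FUNCTIONS
    outcome: str      # constructed outcome statement
    refs: tuple       # constructed informative references (standard names only)


# Constructed toy Core; the real Core has 23 categories and 108 subcategories.
CORE = (
    Subcategory("ID.C1-1", "Identify", "Hardware assets are inventoried", ("NIST SP 800-53",)),
    Subcategory("ID.C1-2", "Identify", "Software platforms are inventoried", ("NIST SP 800-53",)),
    Subcategory("PR.C1-1", "Protect", "Remote access is managed", ("ISO 27001",)),
    Subcategory("PR.C2-1", "Protect", "Data at rest is protected", ("ISO 27001", "COBIT")),
    Subcategory("DE.C1-1", "Detect", "The network is monitored for anomalous events", ("CCS CSC",)),
    Subcategory("RS.C1-1", "Respond", "The response plan is executed during an event", ("NIST SP 800-53",)),
    Subcategory("RC.C1-1", "Recover", "The recovery plan is executed after an event", ("NIST SP 800-53",)),
)
CORE_BY_ID = {s.ident: s for s in CORE}

# Constructed sample profiles. The Current Profile records, per selected
# outcome, whether it is achieved today; the Target Profile is the set of
# outcomes the organization has chosen to reach.
CURRENT_PROFILE = {"ID.C1-1": True, "ID.C1-2": False, "PR.C1-1": True, "DE.C1-1": False}
TARGET_PROFILE = {"ID.C1-1", "ID.C1-2", "PR.C1-1", "PR.C2-1", "DE.C1-1", "RS.C1-1"}


def unknown_outcomes(profile):
    """Ids in a profile that do not exist in the Core. A profile is only
    meaningful when it selects from the Core's subcategories, so these
    are reported rather than silently ignored."""
    return sorted(set(profile) - set(CORE_BY_ID))


def gap_analysis(current, target):
    """Outcomes selected in the Target Profile but not achieved in the
    Current Profile, grouped by Function in the Framework's order."""
    bad = unknown_outcomes(current) + unknown_outcomes(target)
    if bad:
        raise ValueError(f"profile references ids outside the Core: {bad}")
    gaps = OrderedDict((f, []) for f in FUNCTIONS)
    for ident in sorted(target):
        # An outcome absent from the Current Profile counts as not achieved.
        if not current.get(ident, False):
            sub = CORE_BY_ID[ident]
            gaps[sub.function].append(sub)
    return gaps


def target_coverage(current, target):
    """Fraction of Target Profile outcomes already achieved today."""
    achieved = sum(1 for ident in target if current.get(ident, False))
    return achieved / len(target) if target else 1.0


def action_plan(current, target):
    """Flat, Function-ordered list of steps to move from the Current Profile
    to the Target Profile, each naming the informative references to consult."""
    steps = []
    for function, subs in gap_analysis(current, target).items():
        for sub in subs:
            steps.append(f"[{function}] {sub.ident}: {sub.outcome} (see {', '.join(sub.refs)})")
    return steps


if __name__ == "__main__":
    print(f"target coverage: {target_coverage(CURRENT_PROFILE, TARGET_PROFILE):.0%}")
    for step in action_plan(CURRENT_PROFILE, TARGET_PROFILE):
        print(step)
```

Running the module on the constructed profiles reports one third of the target outcomes as achieved and lists four outstanding steps, one each under Identify, Protect, Detect and Respond, with nothing outstanding under Recover. Grouping the gaps by Function is what lets a Target Profile for a whole sector be compared against an organization's own Current Profile without first flattening the Core.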
References

This article incorporates public domain material from the NIST document "NIST Cybersecurity Framework", https://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf

1. "NIST Cybersecurity Framework" (PDF). NIST. https://www.nist.gov/sites/default/files/documents/2018/02/06/session_iii_-_barrett_csf.pdf
2. "Workshop plots evolution of NIST Cybersecurity Framework". FedScoop. http://fedscoop.com/nist-workshop-plots-evolution-of-cybersecurity-framework. Retrieved 2016-08-02.
3. HealthITSecurity. "NIST Cybersecurity Framework Updates, Clarification Underway". http://healthitsecurity.com/news/nist-cybersecurity-framework-updates-clarification-underway. Retrieved 2016-08-02.
4. PricewaterhouseCoopers. "Why you should adopt the NIST Cybersecurity Framework". http://www.pwc.com/us/en/increasing-it-effectiveness/publications/adopt-the-nist.html. Retrieved 2016-08-04.
5. Keller, Nicole (2017-01-10). "Cybersecurity Framework Draft Version 1.1". NIST. https://www.nist.gov/cyberframework/draft-version-11. Retrieved 2017-10-05.
6. "NIST Releases Version 1.1 of its Popular Cybersecurity Framework" (2018-04-16). NIST. https://www.nist.gov/news-events/news/2018/04/nist-releases-version-11-its-popular-cybersecurity-framework. Retrieved 2018-04-27.
7. "What's New in NIST Cybersecurity Framework v1.1" (2018-04-26). Expel. https://expel.io/blog/whats-new-in-nist-csf/. Retrieved 2018-05-26.
8. "NIST Cybersecurity Framework Adoption Hampered By Costs, Survey Finds". Information Week Dark Reading. http://www.darkreading.com/attacks-breaches/nist-cybersecurity-framework-adoption-hampered-by-costs-survey-finds/d/d-id/1324901. Retrieved 2016-08-02.
9. HealthITSecurity. "HIMSS: NIST Cybersecurity Framework Positive, Can Improve". http://healthitsecurity.com/news/himss-nist-cybersecurity-framework-positive-can-improve. Retrieved 2016-08-02.
10. "MAIN STREET Cybersecurity Act of 2017". congress.gov. https://www.congress.gov/bill/115th-congress/senate-bill/770. Retrieved October 5, 2017.
11. "NIST Small Business Cybersecurity Act of 2017". congress.gov. https://www.congress.gov/bill/115th-congress/house-bill/2105. Retrieved October 5, 2017.
12. "Cybersecurity Framework Core (Excel)". NIST. https://www.nist.gov/cyberframework/upload/framework-for-improving-critical-infrastructure-cybersecurity-core.xlsx
Categories: Computer security standards | Infrastructure | Cyberwarfare