NIST Cybersecurity Program Development Plan

The following seven steps describe an iterative process for establishing a cybersecurity program using the NIST Cybersecurity Framework. The same process can be used
to develop a new cybersecurity program or to improve an existing one. All or parts of it can and should be repeated whenever necessary or appropriate: whenever you
change the scope of your program, whenever your threats, vulnerabilities or risks change, and whenever your Target Profile or Target Tier changes.

Step 1. Define Scope of Cybersecurity Program

• Consider your corporate mission, objectives, and organizational priorities.

• Select the process or business unit that must have a cybersecurity program.

• Identify the systems and assets that support your process or business unit.

• Clarify the scope of systems and assets used by this process or business.

• Identify systems and assets related to your main systems and assets.

Step 2. Identify your Threats and Vulnerabilities

• Identify the regulatory requirements that apply to your process or business unit.

• Identify your organization’s general approach to risk and your tolerance for risk.

• Identify the threats and vulnerabilities that apply to your process or business unit.

Step 3. Define Current Profile and Current Tier

• Review the functions, activities, and tasks that make up the Framework Core.

• Use the Core of the Framework to define your organization’s Current Profile.

• Review the risk management practices that make up the Implementation Tiers.

• Use these Implementation Tiers to define your organization’s Current Tier.

Step 4. Assess both Potential and Emerging Risks

• Consider your risk management process and your previous risk assessment activities.

• Reuse the risk assessment methods your organization already applies, so that new results are comparable with earlier ones.

• Analyze your organization’s operational environment and assess your cybersecurity risks.

• Identify and describe potential and emerging cybersecurity events, threats, and risks.

• Assess the likelihood that events will actually occur and the impact they could have.

• Use internal and external sources to better understand likelihoods and impacts.

Step 5. Establish your Target Profile and your Target Tier

• Review the functions, activities, and tasks that make up the Framework Core.

• Use the Core of the Framework to establish your organization’s Target Profile.

• Use input from internal and external stakeholders to refine your Target Profile.
    • Use input from customers, suppliers, partners, and other external stakeholders.
    • Use input from personnel, managers, contractors, and other internal stakeholders.

• Review the risk management practices that make up the Implementation Tiers.

• Use these Implementation Tiers to develop your organization’s Target Tier.

• Use input from internal and external stakeholders to refine your Target Tier.

Step 6. Identify Gaps in your Cybersecurity Program

• Identify framework gaps by comparing Current and Target Profiles.

• Prioritize framework gaps by considering risks, costs, and benefits.

• Identify implementation gaps by comparing Current and Target Tiers.

• Prioritize implementation gaps by considering risks, costs, and benefits.

Step 7. Execute Plan to Establish Cybersecurity Program

• Consider your organization’s high priority cybersecurity gaps.
    • Consider your organization’s high priority framework gaps.
    • Consider your organization’s high priority implementation gaps.

• Create an action plan to address high priority cybersecurity gaps.
    • Consider your mission, objectives, risks, costs, and benefits.
    • Define steps to address high priority cybersecurity gaps.
        • Define steps to address high priority framework gaps.
        • Define steps to address high priority implementation gaps.

• Execute your action plan to address high priority cybersecurity gaps.
    • Take steps to establish your organization’s cybersecurity program.
    • Take steps to address your high priority framework gaps.
    • Take steps to achieve a higher cybersecurity implementation tier.
    • Take steps to address your high priority implementation gaps.
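Steps 6 and 7 above are mechanical once the Profiles and Tiers are written down, and it helps to see them as data rather than as bullets. The following is an added example, not material from the page or from NIST: it represents a Current and a Target Profile as Subcategory-to-score maps, lists the framework gaps ordered by a risk-weighted priority, lists the Tiers still to be climbed, and picks an action plan that fits a cost budget. The 0..3 implementation score, the 1..5 risk and cost scales, the priority formula and the sample values are all assumptions made for the example; the Subcategory IDs (ID.AM-1, PR.AC-1, PR.DS-1, DE.CM-1, RS.RP-1, RC.RP-1) and the Tier names are NIST's.

```python
"""Profile and Tier gap analysis for a NIST CSF-style program (added example).

Assumptions (not from the NIST Framework): each Subcategory is scored
0 = not implemented .. 3 = fully implemented; risk and cost use 1..5 scales.
"""
from dataclasses import dataclass

# Implementation Tier names are NIST's; the numeric keys are the Tier numbers.
TIERS = {1: "Partial", 2: "Risk Informed", 3: "Repeatable", 4: "Adaptive"}


@dataclass(frozen=True)
class Gap:
    subcategory: str   # CSF Subcategory ID, e.g. "PR.AC-1"
    current: int       # score in the Current Profile (0..3, assumed scale)
    target: int        # score in the Target Profile (0..3, assumed scale)
    risk: int          # 1..5, from the Step 4 risk assessment (assumed scale)
    cost: int          # 1..5, relative effort to close the gap (assumed scale)

    @property
    def size(self) -> int:
        return self.target - self.current

    @property
    def priority(self) -> float:
        # Bigger, riskier, cheaper gaps rank higher (Step 6: risks, costs, benefits).
        return self.size * self.risk / self.cost


def framework_gaps(current, target, risk, cost):
    """Compare Current and Target Profiles; return gaps, highest priority first.

    A Subcategory absent from the Current Profile counts as score 0, so a
    Subcategory that is in scope for the target but was never assessed still
    surfaces as a gap instead of silently passing.
    """
    gaps = []
    for sub, want in target.items():
        have = current.get(sub, 0)
        if want > have:
            gaps.append(Gap(sub, have, want, risk.get(sub, 1), cost.get(sub, 1)))
    # Ties are broken by ID so the output is deterministic.
    return sorted(gaps, key=lambda g: (-g.priority, g.subcategory))


def tier_gap(current_tier, target_tier):
    """Implementation gap: the Tiers still to be reached, in order."""
    if current_tier not in TIERS or target_tier not in TIERS:
        raise ValueError("Tiers must be 1..4")
    return [TIERS[t] for t in range(current_tier + 1, target_tier + 1)]


def action_plan(gaps, budget):
    """Step 7: take gaps in priority order while the cumulative cost fits the budget.

    Greedy selection: a gap that does not fit is skipped, not the whole tail,
    so a cheap lower-priority gap can still be taken.
    """
    chosen, spent = [], 0
    for g in gaps:
        if spent + g.cost <= budget:
            chosen.append(g.subcategory)
            spent += g.cost
    return chosen


def sample_profiles():
    """Constructed sample data for the example (not a real assessment)."""
    current = {"ID.AM-1": 2, "PR.AC-1": 1, "PR.DS-1": 0, "DE.CM-1": 1, "RS.RP-1": 3}
    target = {"ID.AM-1": 3, "PR.AC-1": 3, "PR.DS-1": 2, "DE.CM-1": 3,
              "RS.RP-1": 3, "RC.RP-1": 2}        # RC.RP-1 was never assessed
    risk = {"ID.AM-1": 2, "PR.AC-1": 5, "PR.DS-1": 4, "DE.CM-1": 4,
            "RS.RP-1": 3, "RC.RP-1": 3}
    cost = {"ID.AM-1": 1, "PR.AC-1": 2, "PR.DS-1": 4, "DE.CM-1": 3,
            "RS.RP-1": 1, "RC.RP-1": 2}
    return current, target, risk, cost


if __name__ == "__main__":
    gaps = framework_gaps(*sample_profiles())
    for g in gaps:
        print(f"{g.subcategory}: {g.current}->{g.target} risk={g.risk} "
              f"cost={g.cost} priority={g.priority:.2f}")
    print("Tier gap:", tier_gap(2, 3))
    print("Action plan (budget 5):", action_plan(gaps, 5))
```

Two design points carry over to a real assessment: a Subcategory missing from the Current Profile is treated as a gap of full size rather than ignored, and the plan is rebuilt from the data each time the Profiles, risks or budget change, which is exactly the re-run the introduction calls for.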

The following flow diagram summarizes the above seven step process and highlights its iterative aspects.

[Flow diagram: How to Establish a Cybersecurity Program using NIST's Framework]

Praxiom Research Group Limited       help@praxiom.com       780-461-4514

Updated on February 5, 2020. First published on January 27, 2020.

Legal Restrictions on the Use of this Page
Thank you for visiting this page. You are, of course, welcome to view our material as often as you wish, free of charge. And as long as you keep intact all copyright notices, you are also welcome to print or make one copy of this page for your own personal, noncommercial, home use. But, you are not legally authorized to print or produce additional copies or to copy and paste any of our material onto another web site or to republish it in any way.

Copyright © 2020 by Praxiom Research Group Limited. All Rights Reserved.

First Edmonton Place, 14th Floor, 10665 Jasper Avenue,
        Edmonton, Alberta, T5J 3S9, Canada