
NIST Cybersecurity Framework Scorecards Explained


The National Institute of Standards and Technology’s Cybersecurity Framework (NIST CSF) is one of the most robust security frameworks available today. Developed from an executive order in close collaboration with government, industry, and academic representatives, Version 1 was proven to scale beyond the critical infrastructure enterprises for whom it was initially designed. Version 1.1 brought a greater focus to third-party risk management within the categories and subcategories, further solidifying the Framework’s ability to serve organizations of any size and industry.

Since its release, the NIST CSF has emerged as the gold standard for bridging the gap between business and technical leaders, fostering a business-centric approach to cyber and risk management.

Why create a NIST Cybersecurity Framework Scorecard

A NIST CSF Scorecard helps risk and compliance leaders in two main ways: benchmarking their progress as they implement the CSF, and reporting that progress to stakeholders. Most importantly, a NIST Cybersecurity Framework scorecard uses risk assessment data to illustrate the cyber risks facing the organization in a way that business leaders can understand and act on. Further, a robust CSF scorecard also includes a return on security investment (RoSI) calculation that indicates where investment needs to be made.

For many organizations, creating a NIST CSF scorecard is both critical and cumbersome. It often gets forgotten, given the amount of manual effort necessary to build one from a GRC tool or spreadsheet. It requires a holistic view of an organization’s cyber posture that spreadsheets and modular tools cannot provide. The CyberStrong IRM platform leverages its fully integrated solution to automate the reporting process and allows users to export a NIST CSF Scorecard in seconds.

What is a NIST Cybersecurity Framework Scorecard

A NIST Cybersecurity Framework scorecard is a representation of an organization’s cybersecurity posture as benchmarked against the NIST Cybersecurity Framework. NIST CSF scorecards break down an organization’s posture by category and then organize those categories into the five functions of the Framework Core (Identify, Protect, Detect, Respond, Recover).

Because the NIST CSF is outcomes-based, the categories in the scorecard draw on the informative references (the security controls assessed as in place) and roll that control-level data up to deliver RoSI figures and completion costs at the category level.

Finally, alongside the RoSI data, a NIST CSF scorecard should also show the cybersecurity risk levels of both inherent and residual risk.

The CyberStrong NIST CSF Scorecard uses the risk assessment data collected at the control level using the NIST SP 800-30 risk assessment methodology to display the RoSI alongside the cost necessary to enhance each control and improve cyber posture.
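The roll-up described above (control-level risk figures aggregated by category and then by function, with inherent and residual risk, completion cost and RoSI at each level) can be shown concretely. The following is an added example, not CyberStrong's code and not code from the original page. It assumes each control has been assessed SP 800-30 style as an expected annual loss in dollars, uses the common RoSI formula (risk reduction minus cost, divided by cost), which the page does not specify, and runs on a small constructed set of control results; the category ids (PR.AC, ID.AM, DE.CM, RC.RP) are real CSF 1.1 categories, the numbers are invented.

```python
"""Roll control-level risk assessment results up into a NIST CSF scorecard.

Added example (not CyberStrong's implementation). Assumptions: every control
carries SP 800-30 style expected-annual-loss figures, and RoSI is computed as
(risk reduction - remediation cost) / remediation cost.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# CSF 1.1 functions; every category id ("PR.AC") starts with its function ("PR").
FUNCTIONS = {"ID": "Identify", "PR": "Protect", "DE": "Detect",
             "RS": "Respond", "RC": "Recover"}


@dataclass
class ControlResult:
    control_id: str          # CSF subcategory the informative-reference control maps to
    risk_type: str           # form of risk to operations: financial, reputational, ...
    inherent_risk: float     # expected annual loss with no control in place ($)
    residual_risk: float     # expected annual loss at current maturity ($)
    remediation_cost: float  # cost to fully implement / enhance the control ($)
    remediated_risk: float   # expected annual loss once that work is done ($)

    @property
    def category(self) -> str:
        return self.control_id.split("-")[0]   # "PR.AC-1" -> "PR.AC"

    @property
    def function(self) -> str:
        return self.control_id.split(".")[0]   # "PR.AC-1" -> "PR"


def rosi(risk_reduction: float, cost: float) -> Optional[float]:
    """Return on security investment; None when there is nothing left to invest in."""
    if cost <= 0:
        return None
    return (risk_reduction - cost) / cost


def roll_up(results: List[ControlResult],
            key: Callable[[ControlResult], str]) -> Dict[str, dict]:
    """Aggregate control results into buckets chosen by key (category or function)."""
    buckets: Dict[str, dict] = defaultdict(lambda: {
        "inherent": 0.0, "residual": 0.0, "cost": 0.0,
        "opportunity": 0.0, "by_type": defaultdict(float)})
    for r in results:
        b = buckets[key(r)]
        b["inherent"] += r.inherent_risk
        b["residual"] += r.residual_risk
        b["cost"] += r.remediation_cost
        # remaining remediation opportunity: residual risk the planned work would remove
        b["opportunity"] += r.residual_risk - r.remediated_risk
        b["by_type"][r.risk_type] += r.residual_risk
    for b in buckets.values():
        b["rosi"] = rosi(b["opportunity"], b["cost"])
        b["by_type"] = dict(b["by_type"])
    return dict(buckets)


def scorecard(results: List[ControlResult]) -> dict:
    """Category-level and function-level scorecard, as described on the page."""
    return {"categories": roll_up(results, lambda r: r.category),
            "functions": roll_up(results, lambda r: r.function)}


def remediation_priorities(results: List[ControlResult]) -> List[str]:
    """Categories ordered by largest remaining risk-reduction opportunity."""
    cats = roll_up(results, lambda r: r.category)
    return sorted(cats, key=lambda c: cats[c]["opportunity"], reverse=True)


# Constructed sample assessment (values are invented for illustration).
SAMPLE_RESULTS = [
    ControlResult("PR.AC-1", "financial",    200000, 80000, 20000, 30000),
    ControlResult("PR.AC-4", "financial",    100000, 60000, 10000, 20000),
    ControlResult("ID.AM-1", "operational",   50000, 40000,  5000, 10000),
    ControlResult("DE.CM-1", "reputational", 150000, 150000, 30000, 50000),
    ControlResult("RC.RP-1", "operational",   40000, 10000,     0, 10000),  # fully done
]

if __name__ == "__main__":
    card = scorecard(SAMPLE_RESULTS)
    for fid, name in FUNCTIONS.items():
        b = card["functions"].get(fid)
        if b:
            print(f"{name:8} inherent={b['inherent']:>9,.0f} residual={b['residual']:>9,.0f} "
                  f"cost={b['cost']:>7,.0f} rosi={b['rosi']}")
    print("Remediation priority:", remediation_priorities(SAMPLE_RESULTS))
```

The category PR.AC aggregates two controls: a $90,000 reduction for $30,000 of work gives a RoSI of 2.0, while RC.RP, with nothing left to spend, reports no RoSI rather than dividing by zero. The `by_type` breakdown carries the financial/reputational/operational split up to the function level so that the same figures can be rolled into enterprise-wide risk tolerance.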

The CyberStrong NIST CSF Scorecard also shows the opportunity for further risk remediation, allowing you and your team to focus your efforts on where there is the most significant opportunity to remediate.

For business leaders, quantifying cyber risk allows risk managers in other parts of the enterprise to roll that risk up into the enterprise-wide risk tolerance. A NIST CSF scorecard should also categorize risk based on the form of risk to organizational operations it poses (financial, reputational, etc.) should the control fail. This further enhances communication between business and technical leaders as they are all able to speak the same language regardless of the types of risk they manage.

Creating a NIST Cybersecurity Framework Scorecard

A NIST Cybersecurity Framework scorecard can be created by any information security team that has conducted a NIST CSF assessment. However, for teams operating out of spreadsheets or a modular GRC tool, aggregating the necessary data is cumbersome, and the scorecard is left incomplete. Integrated risk management solutions that aggregate enterprise-wide assessment data give a cybersecurity team much readier access to that data and, in the case of CyberStrong, fully automate the creation of a NIST CSF scorecard.

Information security leaders adopting the NIST Cybersecurity Framework must find a way to operationalize the information they glean from their assessment. The NIST CSF scorecard takes the data that has been collected, organizes it in a way that business leaders can understand, and presents it so that it is useful and supports business growth.
