NIST Cybersecurity Framework: Govern Security Controls
Establish and monitor the organization's cybersecurity risk management strategy, expectations, and policy.
Organizational Context
The organizational mission is understood and informs cybersecurity risk management
Cybersecurity decisions that are disconnected from the organization's actual mission tend to be eith...
Internal and external stakeholders are understood, and their needs and expectations regarding cybersecurity risk management are understood and considered
Different stakeholders have very different security expectations: customers want their data protecte...
Legal, regulatory, and contractual requirements regarding cybersecurity, including privacy and civil liberties obligations, are understood and managed
Failing to understand applicable laws and contracts is one of the most common and expensive complian...
Critical objectives, capabilities, and services that external stakeholders depend on or expect from the organization are understood and communicated
When a security incident disrupts services that external parties rely on, the damage extends beyond ...
Outcomes, capabilities, and services that the organization depends on are understood and communicated
Organizations rarely operate entirely on their own infrastructure. Cloud providers, SaaS tools, paym...
Oversight
Cybersecurity risk management strategy outcomes are reviewed to inform and adjust strategy
Strategy without feedback loops drifts. Organizations that set a security strategy once and never re...
The cybersecurity risk management strategy is reviewed and adjusted to ensure coverage of organizational requirements and risks
Organizational requirements shift: new products launch, regulations change, the business enters new ...
Organizational cybersecurity risk management performance is evaluated and reviewed for adjustments
Evaluating performance is how you distinguish a program that is working from one that merely looks a...
Policy
A cybersecurity risk management policy is established and enforced
A policy is the organization's written commitment about how it will handle security risk. Without on...
The cybersecurity policy is reviewed and updated to reflect changes in requirements, threats, and technology
A policy written two years ago reflects a threat landscape and technology stack that may no longer e...
Risk Management Strategy
Risk management objectives are established and agreed to by organizational stakeholders
Without agreed-upon risk management objectives, different parts of the organization will make securi...
Risk appetite and risk tolerance statements are established, communicated, and maintained
Risk appetite and tolerance statements answer the question of how much risk the organization is will...
Cybersecurity risk management activities and outcomes are included in enterprise risk management processes
Cybersecurity risk that is managed in isolation from the broader enterprise risk program often fails...
Strategic direction that describes appropriate risk response options is established and communicated
When a new risk is identified, teams need to know what response options are available and which are ...
Lines of communication across the organization are established for cybersecurity risks, including risks from suppliers and other third parties
Cybersecurity risks do not respect organizational boundaries. A vulnerability in a supplier's system...
A standardized method for calculating, documenting, categorizing, and prioritizing cybersecurity risks is established and communicated
When different teams assess risk using different methods, you end up with an apples-to-oranges risk ...
Strategic opportunities (positive risks) are characterized and included in organizational cybersecurity risk discussions
Risk management is usually framed around threats, but security capabilities also create strategic op...
Roles, Responsibilities, and Authorities
Organizational leadership is responsible and accountable for cybersecurity risk
Security programs that lack executive ownership stall. Budget requests go unfunded, policy exception...
Cybersecurity roles, responsibilities, and authorities are established and enforced
Ambiguity about who owns security decisions causes gaps and delays. When an incident happens and nob...
Adequate resources are allocated to cybersecurity commensurate with risk
A security program without budget is security theater. Organizations that skip resourcing conversa...
Cybersecurity is included in human resources practices
Employees are both the most common attack vector and the most effective security control. Integratin...
Cybersecurity Supply Chain Risk Management
A cybersecurity supply chain risk management program is established
Your security is only as strong as your weakest vendor. Third-party software, SaaS tools, and servic...
Supply chain risk management plans include provisions for activities after a supplier relationship ends
Ending a vendor relationship is a high-risk security event that most organizations handle poorly. Da...
Cybersecurity roles and responsibilities for suppliers and partners are established and coordinated
When a supplier causes a breach or an outage, ambiguity about who is responsible for what turns a ma...
Supply chain risk management is integrated into enterprise risk management processes
Vendor risks that live in a separate silo never get prioritized against business risks. When a criti...
Suppliers are known and prioritized by criticality
Most organizations have dozens or hundreds of vendors but only a handful that could cause catastroph...
Cybersecurity requirements are integrated into contracts with suppliers
A vendor agreement that says nothing about security gives you no leverage when something goes wrong....
Due diligence is performed before entering into supplier relationships
The cheapest time to find a security problem with a vendor is before you sign a contract. Once a sup...
Risks from suppliers are assessed, monitored, and responded to throughout the relationship
A vendor that passed their security review two years ago may look very different today. They may hav...
Relevant suppliers are included in incident planning, response, and recovery activities
Incidents rarely stay within your own perimeter. A breach at a key supplier can trigger your inciden...
Supply chain security practices are monitored throughout the technology product and service life cycle
A vendor's security posture at the time of acquisition is not their security posture two years into ...