FCW : July 15, 2014
zation taking action to stop or remediate an attack.

• "Recover" refers to ensuring business continuity or restoration after a security event.

Those functions are further broken down into categories and subcategories of cybersecurity outcomes at the programmatic, management and technical levels.

The Implementation Tiers describe four levels of cybersecurity risk management sophistication:

• Tier 1 (Partial) describes organizations whose cyber risk management processes are not formalized and for whom risk is managed on an ad hoc basis. In Tier 1 organizations, cybersecurity risk is frequently viewed as "something that IT handles," and there is little to no collaboration on cybersecurity issues with external organizations.

• Tier 2 (Risk Informed) describes organizations for whom cybersecurity risk management has become a high-level concern but one that is still concentrated in the hands of an IT department. Those organizations have begun to create initial policy and to consider their role in the larger industry response to cybersecurity risk.

• Tier 3 (Repeatable) describes organizations with coherent risk management policies and practices that are understood and implemented across the organization. It is connected to the larger industry effort to address cybersecurity risk and benefits from the information shared by its industry partners.

• Tier 4 (Adaptive) describes organizations whose cybersecurity risk management is continuously improving due to the application of lessons learned from personal and third-party experiences. Organizationally, Tier 4 companies have made cybersecurity risk management part of their corporate culture and actively contribute risk information to larger industry efforts.

The Implementation Tiers must not be seen as a hierarchy through which organizations should progress over time. They describe different levels of sophistication based on the business context and needs of an organization. Some businesses might quite satisfactorily remain at Tier 1 because they do not require any greater degree of risk management sophistication. Each organization must review its own business context and decide which tier is right for its business needs.

The Profile consists of a snapshot of an organization's business needs, digital resources and risk assessment against the backdrop of the Core's functions, categories and subcategories. The profile can be a snapshot of the current state of the organization or its desired state --- or one of each. Those two profiles provide a road map for improving an organization's cybersecurity stance. Organizations can develop multiple profiles to match different geographies, markets or other needs.

Many organizations might already be pursuing a cybersecurity road map as a stand-alone project or as part of larger initiatives --- such as the ISO 27000 series of standards, COBIT 5 and even NIST's SP 800 series --- and many elements of the various standards overlap. Two frequently asked questions are: What's different about the framework, and what makes it preferable to other standards and specifications?

The answer depends on your particular context. The framework's primary benefit is that its support by industry and the federal government gives it the best chance of being both guided by current industry best practices and aligned with government experience and regulatory intent. For those already working toward compliance with a different standard, the good news is that the framework is intended to complement other standards. As mentioned above, there is overlap between the standards, so compliance with one can mean compliance with the other.

The challenge for many organizations is translating the framework and other standards into an action plan that results in a stronger cybersecurity stance in the real world. The framework provides a structure and process for understanding an organization's cybersecurity risk and guidance for how to reduce that risk, but it does not specify the actions to be taken along that path. There are, of course, many paths to that ultimate goal.

As a first step, an organization could use organic resources to assess itself against the framework, or officials might bring in an outside expert to review their capabilities. After that, organizations should be able to determine their risk levels and --- based on variables such as regulations, reputation, competition and liability --- develop a road map to achieve the Implementation Tier that makes the most sense for their business.

Regardless of how you adopt the framework (or any other standard), the important thing is to begin now. The threat landscape has evolved and grown significantly more dangerous, and the only thing more dangerous is continuing to delay adoption of a more effective cybersecurity risk management strategy.

You should begin with a frank assessment of your business needs, the digital assets supporting those needs and the risk posed by a compromise of those assets. Then use the framework to determine your desired cybersecurity profile and chart the course to achieve it. You probably won't arrive at your desired destination tomorrow, but you will be moving in the right direction, and every day will bring you closer to your desired end state and, ultimately, make your organization more secure. ■

Michael Brown, a retired Navy rear admiral, is vice president and general manager of RSA's Global Public Sector.