Using FAIR and NIST CSF for Security Risk Management

Risk management and risk assessments go hand in hand, and most organizations have at some point completed a security assessment based on a maturity model. However, more companies are realizing the need to complement maturity models with a risk-based approach to assessing their cybersecurity posture.

One such risk-based approach is the Factor Analysis of Information Risk (FAIR) model, which lets organizations quantify security risk in financial terms. With a model such as FAIR, an organization can focus security investment on its top risks and use that ranking to prioritize both the risks and the budget as it builds its security strategy. Risk analysis frameworks can also be combined; Cimpress, for example, paired the FAIR model with the National Institute of Standards and Technology’s Cybersecurity Framework (NIST CSF) to establish a comprehensive, actionable security program.
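To make the quantification step concrete, the block below is an added example (not code from the article, from Cimpress, or from the FAIR Institute) that applies the simplified FAIR arithmetic to a few constructed risk scenarios: loss event frequency is threat event frequency times the probability that a threat event becomes a loss event, and annualized loss exposure is that frequency times loss magnitude. Each input is a calibrated low / most likely / high range, sampled here with a triangular distribution (a stdlib stand-in for the PERT-style distributions FAIR tooling usually uses). The `csf_function` tag on each scenario, marking the NIST CSF function where remediation spend would land, is an illustrative assumption of this example, as are all scenario names and numbers.

```python
"""FAIR-style annualized loss exposure for a handful of risk scenarios.

Simplified FAIR arithmetic assumed by this example (not the full FAIR ontology):
    Loss Event Frequency (LEF) = Threat Event Frequency (TEF) * Vulnerability
    Annualized loss exposure   = LEF * Loss Magnitude (LM)
Every input is a calibrated (low, most likely, high) range; sampling the ranges
gives a distribution of annual loss rather than a single number.
All scenario values below are constructed for illustration.
"""
from dataclasses import dataclass
import random
import statistics


@dataclass(frozen=True)
class Estimate:
    low: float
    likely: float
    high: float

    def mean(self) -> float:
        # Mean of a triangular distribution. FAIR tooling commonly uses PERT;
        # triangular is the stdlib-friendly stand-in assumed here.
        return (self.low + self.likely + self.high) / 3

    def sample(self, rng: random.Random) -> float:
        return rng.triangular(self.low, self.high, self.likely)


@dataclass(frozen=True)
class Scenario:
    name: str
    tef: Estimate             # threat events per year
    vulnerability: Estimate   # probability (0..1) a threat event becomes a loss event
    loss_magnitude: Estimate  # cost per loss event, currency units
    csf_function: str         # NIST CSF function where mitigation spend lands (illustrative)


def point_estimate(s: Scenario) -> float:
    """Analytic annualized loss exposure from the mean of each input.
    Inputs are treated as independent, so the mean of the product is the
    product of the means."""
    return s.tef.mean() * s.vulnerability.mean() * s.loss_magnitude.mean()


def simulate(s: Scenario, years: int = 20000, seed: int = 7) -> dict:
    """Monte Carlo distribution of annual loss (mean, median, 90th percentile).
    Simplification: annual loss = LEF * LM, a continuous approximation rather
    than drawing a discrete count of loss events per simulated year."""
    rng = random.Random(seed)
    losses = sorted(
        s.tef.sample(rng) * s.vulnerability.sample(rng) * s.loss_magnitude.sample(rng)
        for _ in range(years)
    )
    return {
        "mean": statistics.fmean(losses),
        "median": losses[years // 2],
        "p90": losses[int(years * 0.9)],
    }


def rank_by_exposure(scenarios) -> list:
    """Scenario names ordered from largest to smallest expected annual loss."""
    return [s.name for s in sorted(scenarios, key=point_estimate, reverse=True)]


# Constructed scenarios (not taken from any real assessment).
SCENARIOS = [
    Scenario("phishing-led credential theft",
             Estimate(50, 120, 300), Estimate(0.02, 0.05, 0.15),
             Estimate(5_000, 20_000, 80_000), "Protect"),
    Scenario("ransomware on file servers",
             Estimate(1, 3, 8), Estimate(0.10, 0.25, 0.50),
             Estimate(200_000, 800_000, 3_000_000), "Recover"),
    Scenario("lost or stolen laptop",
             Estimate(5, 10, 20), Estimate(0.05, 0.10, 0.20),
             Estimate(2_000, 10_000, 50_000), "Protect"),
]

if __name__ == "__main__":
    for s in sorted(SCENARIOS, key=point_estimate, reverse=True):
        sim = simulate(s)
        print(f"{s.name:32s} CSF:{s.csf_function:8s} "
              f"point={point_estimate(s):>12,.0f} mean={sim['mean']:>12,.0f} "
              f"median={sim['median']:>12,.0f} p90={sim['p90']:>12,.0f}")
```

The ranking comes from the expected annual loss, while the median and 90th percentile show how skewed each scenario's loss distribution is; a scenario with a modest expected loss but a large p90 is the kind of tail risk that a maturity score alone would not surface, and the `csf_function` tag is where the resulting budget line would be recorded when the two frameworks are used together.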

NIST CSF and FAIR – Defining the Frameworks

Many chief information security officers (CISOs) and information security professionals rely heavily on NIST frameworks and guidance to build comprehensive security programs. Two of the most widely used NIST frameworks are NIST CSF and NIST 800-53.

NIST CSF provides security measures that have been widely adopted across multiple industries. NIST CSF groups security controls into five phases: identify, protect, detect, respond and recover. The NIST CSF is a subset of NIST 800-53, which provides a catalog of security and privacy controls for information systems and organizations to protect operations and ..