INVITATION TO CYBERSECURITY 94

support, define, and direct the security efforts of the organization. Organizational leaders are sometimes referred to as the C-suite. The C-suite is the topmost layer of leaders in an organization, so called because their titles begin with the letter C, for Chief. For example, many large organizations are led by a Chief Executive Officer (CEO), Chief Operating Officer (COO), Chief Financial Officer (CFO), and Chief Information Security Officer (CISO). The CISO (pronounced "see so") is the officer in charge of cybersecurity.

Organizational leaders may also be accountable to third parties. Third-party governance is oversight imposed on an organization by an outside organization. The third party might be the local, state, or federal government, or some other body that sets operating standards in the name of public safety and security.

The United States National Institute of Standards and Technology (NIST) produces standards and provides guidance to organizations. NIST has introduced several important standards related to cyber risk management. Some organizations that do business with the federal government are required by law to comply with some of NIST's standards, but compliance is voluntary for most organizations. Because these standards define best practices, familiarity with them is a vital first step for practicing cybersecurity governance.

Two of NIST's most important cybersecurity standards are the Cybersecurity Framework (CSF) and the Risk Management Framework (RMF). These and numerous supporting documents are freely available online and provide guidance on how to manage cyber risks. They define benchmarks for appropriate cybersecurity.

The CSF focuses on the functions of cyber risk management: govern, identify, protect, detect, respond, and recover (see Table 5.1). Each function has multiple categories and subcategories. The CSF walks organizations through the process of understanding and managing their cyber risks.
Table 5.1 NIST Cybersecurity Framework (CSF)[1]

The RMF defines the steps that organizations need to take to implement cyber risk management: prepare, categorize, select, implement, assess, authorize, and monitor (see Table 5.2). There are several tasks and outcomes defined for each step. The RMF zooms

[1] Source: NIST Cybersecurity Framework (CSF) 2.0