NIST-COBIT-2019 Questions and Answers

Executives are the role that will benefit most from a better understanding of the current cybersecurity posture by applying the CSF. This is because executives are responsible for setting the strategic direction, objectives, and priorities for the organization, as well as overseeing the allocation of resources and the management of risks1. By applying the CSF, executives can gain a comprehensive and consistent view of the cybersecurity risks and capabilities of the organization, and align them with the business goals and requirements2. The CSF can also help executives communicate and collaborate with other stakeholders, such as regulators, customers, suppliers, and partners, on cybersecurity issues3.

References: 1: Implementing the NIST Cybersecurity Framework Using COBIT 2019 | ISACA 2: Cybersecurity Framework | NIST 3: Framework Documents | NIST

Anomalies and Events is one of the six categories within the Detect function of the NIST Cybersecurity Framework. The Anomalies and Events category aims to ensure that anomalous activity is detected in a timely manner and the potential impact of events is understood12.

References: 1: The Five Functions | NIST 2: Detect | NIST

The activity of determining an appropriate target capability level for each process occurs within Implementation Phase 3, as it helps to set an improvement target and identify gaps and potential solutions using COBIT’s guidance. This involves creating a detailed business case and a high-level program plan for the implementation12.

ReferencesDefining Target Capability Levels in COBIT 2019: A Proposal for RefinementCOBIT 2019 Design and Implementation COBIT Implementation, page 31.

According to the NIST Cybersecurity Framework, gaps identified between the current and target profiles should be addressed through a risk-based approach, which enables an organization to gauge the resources needed and prioritize the mitigation of gaps in a cost-effective manner. This approach also aligns the cybersecurity program with the business objectives and risk appetite of the organization12.

ReferencesExamples of Framework Profiles | NISTWhat is the NIST Cybersecurity Framework? | IBM

Analysis is one of the six categories within the Detect function of the NIST Cybersecurity Framework. The Analysis category aims to identify the occurrence of a cybersecurity event by performing data aggregation, correlation, and analysis12.

References: 1: The Five Functions | NIST 2: Cybersecurity Framework Components | NIST

According to the NIST Cybersecurity Framework, an organization should review cyber threat information from internal and external sources to gain a better understanding of the likelihood and impact of cybersecurity events. This information can help the organization to identify potential threats, vulnerabilities, and consequences, and to assess the current and target profiles of its cybersecurity posture12.

ReferencesIdentifying and Estimating Cybersecurity Risk for Enterprise Risk Management, page 19.COBIT VS NIST : A Comprehensive Analysis - ITSM Docs

Defining business cases is a primary input into Steps 2 and 3: Orient and Create a Current Profile, because it involves identifying the business drivers, mission, objectives, and risk appetite of the organization, as well as the scope and boundaries of the cybersecurity program12. A business case is a document that provides the rationale and justification for initiating a cybersecurity project or program, and describes the expected benefits, costs, risks, and alternatives34.

References: 1: Cybersecurity Framework Components | NIST 2: Implementing the NIST Cybersecurity Framework Using COBIT 2019 | ISACA 3: Business Case Development - ISACA 4: How to Write a Business Case for Cybersecurity Projects | Infosec

According to the NIST Cybersecurity Framework, after determining the tier levels and framework core outcomes, the next step is to compare the current and target profiles, which describe the organization’s current and desired cybersecurity posture based on the framework core functions, categories, and subcategories1. This comparison helps to identify the gaps and prioritize the actions for improvement2.

ReferencesCybersecurity Framework Components | NISTWhat is the NIST Cybersecurity Framework? | IBM

The most beneficial result of an effective CSF implementation plan is that cybersecurity risk management practices are formalized and institutionalized, which means that the organization has established and maintained a consistent and comprehensive approach to managing cybersecurity risks across its systems, processes, and people. This result can help the organization to reduce the likelihood and impact of cybersecurity events, improve its resilience and compliance, and enhance its reputation and trust12.

ReferencesPublic Draft: The NIST Cybersecurity Framework 2, page 1.Cybersecurity Framework | NIST

The most important reason to compare framework profiles is to identify gaps between the current and target state of cybersecurity activities and outcomes, and to prioritize the actions needed to address them12. Framework profiles are the alignment of the functions, categories, and subcategories of the NIST Cybersecurity Framework with the business requirements, risk tolerance, and resources of the organization3. By comparing the current profile (what is being achieved) and the target profile (what is needed), an organization can assess its cybersecurity posture and develop a roadmap for improvement4.

References: 1: Cybersecurity Framework Components | NIST 2: Implementing the NIST Cybersecurity Framework Using COBIT 2019 | ISACA 3: Examples of Framework Profiles | NIST 4: Connecting COBIT 2019 to the NIST Cybersecurity Framework - ISACA