This post is to clarify the different between CSF Tiers and Maturity level.
A security maturity model is a set of characteristics or indicators that represent capability and progression within an organization’s security program.
The Cyber Security Framework Implementation Tiers are not intended to be maturity levels. The Tiers are intended to provide guidance to organizations on the interactions and coordination between cybersecurity risk management and operational risk management. The key tenet of the Tiers is to allow organizations to take stock of their current activities from an organization wide point of view and determine if the current integration of cybersecurity risk management practices is sufficient given their mission, regulatory requirements, and risk appetite. Progression to higher Tiers is encouraged when such a change would reduce cybersecurity risk and would be cost-effective.
NIST CSF Tiers
- Tier 1 – Partial: Organizational cybersecurity risk is not formalized and managed in an ad hoc and sometimes reactive manner. There is also limited awareness of cybersecurity risk management.
- Tier 2 – Risk-Informed: There may not be an organizational-wide policy for security risk management. Management handles cybersecurity risk management based on risks as they happen.
- Tier 3 – Repeatable: A formal organizational risk management process is followed by a defined security policy.
- Tier 4 – Adaptable: An organization at this stage will adapt its cybersecurity policies based on lessons learned and analytics-driven to provide insights and best practices. The organization is constantly learning from the security events that do occur in the organization and will share that information with a larger network.
Maturity Levels
Free Evaluation Tools:
References
- BUILDING CYBERSECURITYCAPABILITY, MATURITY,RESILIENCE (CMMI Institute & ISACA)
- Free NIST CSF Maturity Tool
from Blogger http://blog.51sec.org/2020/07/csf-security-tiers-vs-security-maturity.html