NIST CSF 2.0 Implementation Examples
1
NIST CSF 2.0 Implementation Examples
February 26, 2024
Category
Subcategory
Implementation Examples
Organizational Context (GV.OC):
The circumstances — mission,
stakeholder expectations,
dependencies, and legal,
regulatory, and contractual
requirements — surrounding the
organization’s cybersecurity risk
management decisions are
understood
GV.OC-01: The organizational
mission is understood and informs
cybersecurity risk management
Ex1: Share the organization’s mission (e.g., through vision and mission
statements, marketing, and service strategies) to provide a basis for identifying
risks that may impede that mission
GV.OC-02: Internal and external
stakeholders are understood, and
their needs and expectations
regarding cybersecurity risk
management are understood and
considered
Ex1: Identify relevant internal stakeholders and their cybersecurity-related
expectations (e.g., performance and risk expectations of officers, directors, and
advisors; cultural expectations of employees)
Ex2: Identify relevant external stakeholders and their cybersecurity-related
expectations (e.g., privacy expectations of customers, business expectations of
partnerships, compliance expectations of regulators, ethics expectations of
society)
GV.OC-03: Legal, regulatory, and
contractual requirements regarding
cybersecurity — including privacy
and civil liberties obligations — are
understood and managed
Ex1: Determine a process to track and manage legal and regulatory requirements
regarding protection of individuals’ information (e.g., Health Insurance Portability
and Accountability Act, California Consumer Privacy Act, General Data Protection
Regulation)
Ex2: Determine a process to track and manage contractual requirements for
cybersecurity management of supplier, customer, and partner information
Ex3: Align the organization’s cybersecurity strategy with legal, regulatory, and
contractual requirements
GV.OC-04: Critical objectives,
capabilities, and services that
Ex1: Establish criteria for determining the criticality of the organization's
capabilities and services as viewed by internal and external stakeholders
剩余29页未读,继续阅读
资源评论
