NIST CyberSecurity Framework management tool
Video outlining use: https://www.youtube.com/watch?v=hrdAhPtKpGE
2017 Markup version highlights changes from CSF v1.0 to CSF v1.1 for those migrating from the old version.
These excel documents provide a visual view of the NIST CyberSecurity Framework (CSF), adding in additional fields to manage to the framework.
There are currently 2 versions of the spreadsheet, listed as 2016 and 2017. The 2016 model is simpler, where the 2017 model intends to provide better usability and management.
The 2016 workbook has 3 main sheets, the first 2 are instructional and can be removed once one is comfortable with the tool. The 3rd sheet has demo-data, which can be replaced with actual data from an organization.
The 2016 version and 2017 markup versions are obsolete at this point. Only use the 2017 version, reflecting recent updates to the standard and supporting documentation.
The 2017 version has:
- a CMMI reference sheet
- Main sheet has collapsible sections for ease of display and management
- The CSF sub-categories are listed, expanding the Information Security Catalog to address each sub control
- The maturity functions are auto-calculated based on 4 areas: Process, Policy, Documentation, and Automation
- Track the CSF controls individually
- Prioritize risk using the CIS Controls (formerly the Critical Security Controls)
- Document solutions used to meet the controls via a service catalog
- Track budgetary requests to improve or maintain controls
- Document current maturity in each control and maturity goals, using the CMMI model
- Document a 3-5 year plan, tracking projects and recurring functions
Users can modify the tool to support alternate maturity models (ex: CSF recommends tiers). All data is fictitious and is represented as an example. Please update to reflect actual service catalog products and solutions as well as actual maturity and projects.
The sensitive information table is designed as a quick reference to publish in our organization, designed to help people understand potential compliance requirements based on various data fields. The document specifically addresses PCI, PHI, and PII. This can be adapted to include additional types. The Oregon laws are added due to our organization residing in Oregon. If you are outside Oregon, research your state/country laws and compliance as needed.