Skip to content
NIST CyberSecurity Framework management tool
Branch: master
Clone or download
Latest commit 9bdc50e Feb 20, 2019
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
.gitattributes Initial commit Dec 7, 2017
LICENSE Initial commit Dec 7, 2017
NIST_CSF_Risk-CMM-2016.xlsx Add files via upload Aug 27, 2018
NIST_CSF_Risk_CMM-2017-markup.xlsx Add files via upload Aug 27, 2018
NIST_CSF_Risk_CMM-2017.xlsx fixed CSC/CIS reference numbers Aug 27, 2018
README.md
Sensitive Info Table_v3.7.xlsx Add files via upload Feb 9, 2018

README.md

NIST-CSF

NIST CyberSecurity Framework management tool

Video outlining use: https://www.youtube.com/watch?v=hrdAhPtKpGE

Updated for the NIST CSF v1.1 update from 2018

2017 Markup version highlights changes from CSF v1.0 to CSF v1.1 for those migrating from the old version.

These excel documents provide a visual view of the NIST CyberSecurity Framework (CSF), adding in additional fields to manage to the framework.

There are currently 2 versions of the spreadsheet, listed as 2016 and 2017. The 2016 model is simpler, where the 2017 model intends to provide better usability and management.

2016 simple version

The 2016 workbook has 3 main sheets, the first 2 are instructional and can be removed once one is comfortable with the tool. The 3rd sheet has demo-data, which can be replaced with actual data from an organization.

2017 robust version

The 2017 version has:

  • a CMMI reference sheet
  • Main sheet has collapsible sections for ease of display and management
  • The CSF sub-categories are listed, expanding the Information Security Catalog to address each sub control
  • The maturity functions are auto-calculated based on 4 areas: Process, Policy, Documentation, and Automation

Key components of these tools:

  • Track the CSF controls individually
  • Prioritize risk using the CIS Controls (formerly the Critical Security Controls)
  • Document solutions used to meet the controls via a service catalog
  • Track budgetary requests to improve or maintain controls
  • Document current maturity in each control and maturity goals, using the CMMI model
  • Document a 3-5 year plan, tracking projects and recurring functions

Users can modify the tool to support alternate maturity models (ex: CSF recommends tiers). All data is fictitious and is represented as an example. Please update to reflect actual service catalog products and solutions as well as actual maturity and projects.

Sensitive_Info_Table

The sensitive information table is designed as a quick reference to publish in our organization, designed to help people understand potential compliance requirements based on various data fields. The document specifically addresses PCI, PHI, and PII. This can be adapted to include additional types. The Oregon laws are added due to our organization residing in Oregon. If you are outside Oregon, research your state/country laws and compliance as needed.

You can’t perform that action at this time.