NIST CyberSecurity Framework management tool
Video outlining use: https://www.youtube.com/watch?v=hrdAhPtKpGE
Updated for the NIST CSF v1.1 update from 2018
2017 Markup version highlights changes from CSF v1.0 to CSF v1.1 for those migrating from the old version.
These excel documents provide a visual view of the NIST CyberSecurity Framework (CSF), adding in additional fields to manage to the framework.
There are currently 2 versions of the spreadsheet, listed as 2016 and 2017. The 2016 model is simpler, where the 2017 model intends to provide better usability and management.
2016 simple version
The 2016 workbook has 3 main sheets, the first 2 are instructional and can be removed once one is comfortable with the tool. The 3rd sheet has demo-data, which can be replaced with actual data from an organization.
2017 robust version
The 2017 version has:
- a CMMI reference sheet
- Main sheet has collapsible sections for ease of display and management
- The CSF sub-categories are listed, expanding the Information Security Catalog to address each sub control
- The maturity functions are auto-calculated based on 4 areas: Process, Policy, Documentation, and Automation
Key components of these tools:
- Track the CSF controls individually
- Prioritize risk using the CIS Controls (formerly the Critical Security Controls)
- Document solutions used to meet the controls via a service catalog
- Track budgetary requests to improve or maintain controls
- Document current maturity in each control and maturity goals, using the CMMI model
- Document a 3-5 year plan, tracking projects and recurring functions
Users can modify the tool to support alternate maturity models (ex: CSF recommends tiers). All data is fictitious and is represented as an example. Please update to reflect actual service catalog products and solutions as well as actual maturity and projects.
The sensitive information table is designed as a quick reference to publish in our organization, designed to help people understand potential compliance requirements based on various data fields. The document specifically addresses PCI, PHI, and PII. This can be adapted to include additional types. The Oregon laws are added due to our organization residing in Oregon. If you are outside Oregon, research your state/country laws and compliance as needed.