Skip to main content

RACI, Cybersecurity and NICE Framework

The NICE framework from a RACI point of view

The NICE framework (NIST SP 800-181 rev. 1) established a standard approach for describing cybersecurity work, in order to help stakeholders share a common language and ideally improve how to identify, recruit, develop and retain talent. It breaks down cybersecurity work role categories into: Oversight and Governance; Design and Development; Implementation and Operation; Protection and Defense; Investigation. 

Which is very cybersecurity-centric and not related to common tools for project management within companies. Especially smaller enterprises that do not have dedicated people to mange and coordinate cybersecurity needs.

RACI chart is a project management tool used to define and clarify roles and responsibilities within a project team. It stands for Responsible, Accountable, Consulted, and Informed, and visually represents who is responsible for what, who is accountable for the outcome, who needs to be consulted, and who needs to be informed. 

How do we merge these tools easily in an organization that is smaller, leaner and more 
mission driven - to enable their necessary tools while not over-burdening them with process? 
I propose a simple mapping of the NIST Work Role Categories to RACI matrix:
  • Responsible -> Oversight and Governance provides Leadership &  Management - overall direction and expectations get set here.
  • Accountable -> Design and Development and Implementation and Operation - provides understanding of what needs to be protected and how. Documents, selects and tests solutions. In reality for small and medium enterprises this is often a third party. 
  • Consulted -> Overlap of Implementation and Operations along with Protection and Defense are those responsible for the daily usage of systems, as well as the weekly and monthly upkeep of systems, so they are consulted as part of business to ensure that the systems are not burdensome and enable daily operations to proceed apace. This is the education of any and all that touch systems within the enterprise.
  • Informed -> Internally this happens if there are problems, this is tagged as the NIST NICE work role of Investigation. Includes those outside the organization whose data you are handling in some way - such as customers and partners.   
Ideally if you are using a RACI mindset for many of your business decisions, when you drop into the world of the systems that support your business, and you're think about cybersecurity this, mapping is meant to help move from one point of reference to another. From who to what. 

Labels:
Location: Boston, MA, USA

Comments

Post a Comment

Popular posts from this blog

Let's Not Mess Around with Security on our Personal Systems Either!

Essential Security Practices for Your Personal Systems Ensuring a minimal level of cybersecurity, privacy, and availability on your personal systems means you need to manage the following essential practices. This is a brief overview of recommendations from sources like CISA, NSA, etc., focused on personal laptop, phone, and other systems' security. Anti-virus  I've found you'll get the best anti-virus protection and usability from a paid product - I've always had good luck with Norton labeled products. If you are looking for current vendor offerings see:  https://www.pcmag.com/picks/the-best-antivirus-protection Regardless of whether you choose to use a commercial product or open-source anti-virus tool, it is absolutely something you need to use. This is the minimally needed level of system security. Once installed, ideally, it should be invisible until there's a security problem it can't prevent or solve.   Backups You need to have at least a minimal level of ...
Post a Comment
Read more

Typescript - It might not be easier, but but it's surely different

Typescript is a statically typed language, that is a superset of JavaScript. I've had the discussions and debates about that aspect of the language. I am all for static typing. Any way my tools can help me be better is alright by me. So I avoid the ' any ' type designation and make sure I have guards on ' unknown ' types, as much as I can.  Any  does not carry any useful type information, while unknown does, and allows it to enforce type checking.  Anything can be assigned to a variable of type unknown , but an unknown value cannot be assigned to variables of other types without explicit type assertion or narrowing. Similarly, no operations are permitted on an unknown value until its type is refined. This behavior ensures type safety and prevents runtime errors. (Refined with help from google). I bring this up because I was arguing with the compiler recently because I'd assumed both made no use on any type information in any circumstance - because I haven't ...
Post a Comment
Read more