Framework Implementation Tier selection considers the following about your business:

• Current risk management practices;
• Threat environment;
• Legal requirements;
• Business objectives; and
• Organizational constraints.

I suggest the executive team of the company meeting with key employees and identifying the 5 characteristics above. The more your company identifies up front with accuracy, the easier it will be to identify the correct tier.

To choose the correct tier, be sure that the level you select meets your organization’s goals, that your organization can implement it and that it reduces risks to critical assets and resources. It is recommended to leverage guidance from governmental departments and agencies, Information Sharing and Analysis Centers (ISAC), existing models and other sources to help in determining the correct tier.

Progression to higher tiers is encouraged when it would be cost effective and reduce cybersecurity risk for your organization.

Tier 1: Partial

Your company belongs here if:

• No cybersecurity risk management practices are identified;
• Risk is managed reactively;
• There is a limited awareness of cybersecurity risk;
• Cybersecurity risk management is implemented on situation by situation basis;
• Organization has no processes in place to collaborate with others.

Tier 2: Risk Informed

Your company belongs here if:

• Risk management practices are approved by management but not established as a company policy;
• Company-wide approach to managing cybersecurity risk is not established;
• Process and procedures are defined;
• Employees has resources to perform cybersecurity tasks;
• Cybersecurity information is shared within organization informally; and
• Knows organization knows its role but is not capable of sharing information externally.

Tier 3: Repeatable

Your company belongs here if:

• Cybersecurity risk management practices are identified, expressed as policy and updated regularly;
• Have a company-wide approach to managing cybersecurity risk;
• Policies, processes and procedures are defined, implemented and reviewed;
• Methods in place to respond effectively to risk changes;
• Employees know how to performed roles; and
• Organization collaborates with others in risk management decisions.

Tier 4: Adaptive

Your company belongs here if:

• Adapts cybersecurity practices based on lessons learned and predictive analysis;
• Actively adapts to changing cybersecurity risks;
• Effectively responds to threats in a timely manner;
• Uses company-wide risk-informed policies, processes and procedures to address potential cyber threats;
• Cybersecurity risk management is part of company’s culture;
• Cybersecurity risk management evolves from awareness of previous events, information shared by other sources and continuous awareness of own systems and networks; and
• Actively shares risk management information with partners.

By no means is this meant as a complete “how-to” guide to the cybersecurity framework; however, I believe that it gives a brief overview and identifies how effective this framework can be if organizations will take the time to identify their characteristics and use those details to accurately determine the company’s sense of cybersecurity management.