The NIST Cybersecurity Framework provides a framework for managing and reducing cybersecurity risk.
Version: 950 • Published: 2024-02-15
It organizes cybersecurity activities into six core functions (the six listed below; the Govern function was added in CSF 2.0, so the framework no longer has five).
Function 1 [CA-000000000001] (Govern)
  Establish, communicate, and monitor the organization's cybersecurity risk management strategy, expectations, and policies.

  Category [PC-000000000030]
    The circumstances (mission, stakeholder expectations, dependencies, and legal, regulatory, and contractual requirements) surrounding the organization's cybersecurity risk management decisions are understood.
    Outcomes:
      [PC-000000000031] The organizational mission is understood and informs cybersecurity risk management.
      [PC-000000000032] Internal and external stakeholders are understood, and their needs and expectations regarding cybersecurity risk management are understood and considered.
      [PC-000000000033] Legal, regulatory, and contractual requirements regarding cybersecurity, including privacy and civil liberties obligations, are understood and managed.
      [PC-000000000034] Critical objectives, capabilities, and services that external stakeholders depend on or expect from the organization are understood and communicated.
      [PC-000000000035] Outcomes, capabilities, and services that the organization depends on are understood and communicated.

  Category [PC-000000000036]
    The organization's priorities, constraints, risk tolerance and appetite statements, and assumptions are established, communicated, and used to support operational risk decisions.
    Outcomes:
      [PC-000000000037] Risk management objectives are established and agreed to by organizational stakeholders.
      [PC-000000000038] Risk appetite and risk tolerance statements are established, communicated, and maintained.
      [PC-000000000039] Cybersecurity risk management activities and outcomes are included in enterprise risk management processes.
      [PC-000000000040] Strategic direction that describes appropriate risk response options is established and communicated.
      [PC-000000000041] Lines of communication across the organization are established for cybersecurity risks, including risks from suppliers and other third parties.
      [PC-000000000042] A standardized method for calculating, documenting, categorizing, and prioritizing cybersecurity risks is established and communicated.
      [PC-000000000043] Strategic opportunities (i.e., positive risks) are characterized and are included in organizational cybersecurity risk discussions.

  Category [PC-000000000044]
    The organization establishes and communicates roles and responsibilities for cybersecurity risk management and governance, and delegates authority to achieve its mission.
    Outcomes:
      [PC-000000000045] Roles and responsibilities for cybersecurity risk management are established and communicated.
      [PC-000000000046] Roles and responsibilities for cybersecurity risk management are assigned and understood.
      [PC-000000000047] Authorities to carry out assigned roles and responsibilities are delegated.
      [PC-000000000048] Roles and responsibilities for cybersecurity risk management are reviewed and updated.
      [PC-000000000049] Conflicts of interest and separation of duties are identified and addressed.
Function 2 [CA-000000000002] (Identify)
  Understand the organization's cybersecurity assets, risks, and context.

Function 3 [CA-000000000003] (Protect)
  Apply safeguards to manage the organization's cybersecurity risks.

Function 4 [CA-000000000004] (Detect)
  Discover and analyze possible cybersecurity attacks and compromises.

Function 5 [CA-000000000005] (Respond)
  Take action in response to a detected cybersecurity incident.

Function 6 [CA-000000000006] (Recover)
  Restore assets and operations affected by a cybersecurity incident.