Long Descriptions for Figures
Healthcare and Public Health Sector Cybersecurity Framework Implementation Guide
Figure 1: Notional Information and Decision Flows within an Organization
The figure describes a common flow of information and decisions at the following levels within an organization:
- Executive
- Business/Process
- Implementation/Operations
The executive level communicates the mission priorities, available resources, and overall risk tolerance to the business/process level. The business/process level uses the information as inputs into the risk management process, and then collaborates with the implementation/operations level to communicate business needs and create a Profile. The implementation/operations level communicates the Profile implementation progress to the business/process level. The business/process level uses this information to perform an impact assessment. Business/process level management reports the outcomes of that impact assessment to the executive level to inform the organization’s overall risk management process and to the implementation/operations level for awareness of business impact.
Figure 2: Healthcare Implementation Process
The graphic illustrates how an organization could use the Framework to create a new cybersecurity program or improve an existing program. These steps should be repeated as necessary to continuously improve cybersecurity.
- Step 1: Prioritize and Scope
- Step 2: Orient
- Step 3: Create Target Profile
- Step 4: Conduct Risk Assessment
- Step 5: Create Current Profile
- Step 6: Determine, Analyze and Prioritize Gaps
Figure 4: Relating Cybersecurity Risk to Other Forms of Business Risk
The figure relates cybersecurity risk to the other forms of business risk an organization manages. Each risk type is listed with its description and an example of how it can be realized:

| Risk Type | Description | Example |
| --- | --- | --- |
| Strategic Risk | Organizational strategies may not support business objectives | Potential risk to planned M&A or divestment |
| Operations Risk | Degradation of day-to-day operations (typically related to cash flow) | Potential risk to continuity of operations |
| Reporting Risk | Adverse impact on credit and cash management | Potential risk to accuracy of financial reporting |
| Compliance Risk | Adverse outcomes of regulatory or contractual non-compliance | Potential risk of fines and penalties |
| Cybersecurity Risk | Compromise or unauthorized disclosure of sensitive information and related concerns | Spans the other risk types above |
Figure 5: Example NIST Cybersecurity Framework Scorecard
The NIST Cybersecurity Framework Scorecard is organized by function, category, and level of compliance.
Figure 6: Generic Implementation Process
- Step 1: Prioritize and Scope
- Step 2: Orient
- Step 3: Create Target Profile
- Step 4: Conduct Risk Assessment
- Step 5: Create Current Profile
- Step 6: Determine, Analyze and Prioritize Gaps
- Step 7: Implement Action Plan