Long Descriptions for Figures
Healthcare and Public Health Sector Cybersecurity Framework Implementation Guide
Figure 1: Notional Information and Decision Flows within an Organization
The figure describes a common flow of information and decisions at the following levels within an organization:
- Executive
- Business/Process
- Implementation/Operations
The executive level communicates the mission priorities, available resources, and overall risk tolerance to the business/process level. The business/process level uses the information as inputs into the risk management process, and then collaborates with the implementation/operations level to communicate business needs and create a Profile. The implementation/operations level communicates the Profile implementation progress to the business/process level. The business/process level uses this information to perform an impact assessment. Business/process level management reports the outcomes of that impact assessment to the executive level to inform the organization’s overall risk management process and to the implementation/operations level for awareness of business impact.
Figure 2: Healthcare Implementation Process
The graphic illustrates how an organization could use the Framework to create a new cybersecurity program or improve an existing program. These steps should be repeated as necessary to continuously improve cybersecurity.
- Step 1: Prioritize and Scope
- Step 2: Orient
- Step 3: Create Target Profile
- Step 4: Conduct Risk Assessment
- Step 5: Create Current Profile
- Step 6: Determine, Analyze and Prioritize Gaps
For more information, please refer to pages 14-15 of the NIST Cybersecurity Framework.
Figure 4: Relating Cybersecurity Risk to Other Forms of Business Risk
| Risk Types | Strategic Risk: Organizational strategies may not support business objectives | Operations Risk: Degradation of day-to-day operations (typically related to cash flow) | Reporting Risk: Adverse impact on credit & cash management | Compliance Risk: Adverse outcomes of regulatory or contractual non-compliance |
|---|---|---|---|---|
| Cybersecurity Risk: Compromise or unauthorized disclosure of sensitive information and related concerns | (e.g., potential risk to planned M&A or divestment) | (e.g., potential risk to continuity of operations) | (e.g., potential risk to accuracy of financial reporting) | (e.g., potential risk of fines & penalties) |
Figure 5: Example NIST Cybersecurity Framework Scorecard
The NIST Cybersecurity Framework Scorecard is organized by function, category, and level of compliance.
Figure 6: Generic Implementation Process
- Step 1: Prioritize and Scope
- Step 2: Orient
- Step 3: Create Target Profile
- Step 4: Conduct Risk Assessment
- Step 5: Create Target Profile
- Step 6: Determine, Analyze and Prioritize Gaps
- Step 7: Implement Action Plan