https://csrc.nist.gov/pubs/cswp/29/the-nist-cybersecurity-framework-20/ipd
We mentioned this on the call today.
So I did the normal thing, a word search, and have a few other comments.
Transparency 0 mentions
Transparent 0 mentions
Consent 0 mentions
Notice 0 mentions
Authority 0 mentions
Authorization 2 mentions
Only one control
Identity Management, Authentication, and Access Control (PR.AA): Access to physical and logical assets is limited to authorized users, services, and hardware, and is managed commensurate with the assessed risk of unauthorized access (formerly PR.AC)
PR.AA-05: Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties (formerly PR.AC-01, PR.AC-03, PR.AC-04)
(There needs to be a notice created from the assessed risk, what is assessed in this case would also be a gap, as it is information risk, and not, for example, a control impact assessment.)
Also interesting is that they do have a concentric view; all we need to do is change what is at the center.
Best,
Sal