# CRI Profile
The **CRI Profile** is a cybersecurity framework developed by the Cyber Risk Institute (CRI) specifically for the financial sector. It is based on the NIST Cybersecurity Framework (CSF) and is designed to help financial institutions manage and assess their cyber risk more efficiently and effectively.
Here are some key points about the CRI Profile v2.0:
+ **Main Goal:** Test once and report to many, without the burden of each company having to map every regulatory framework separately.
+ **Global Standard:** Harmonizes 2500 regulatory requirements into 318 control objectives used for diagnostics.
+ **Efficiency:** Reduces complexity through baseline control objectives, making it easier to comply with regulatory requirements.
+ **Impact Tiers:** Provides a method for determining which diagnostic statements apply to an organization based on its size and complexity.
+ **Customization:** The CRI Profile can be tailored to the specific requirements and regulatory focus of the financial industry, including top-level governance and third-party concerns.
## Capability Scope
| **CRI Profile Function** | **Capability Scope** |
| ---------------------------------------------------------------- | ----------------------------------------------------------------------------- |
| Strategy and Framework (GV.SF) | |
| Risk Management (GV.RM) | |
| Supply Chain Risk Management (GV.SC) | [[Code Management]] |
| Roles, Responsibilities, and Authorities (GV.RR) | |
| Policies, Processes, and Procedures (GV.PO) | [[Policy Management]] |
| Oversight (GV.OV) | |
| Independent Risk Management Function (GV.IR) | |
| Audit (GV.AU) | |
| Asset Management (ID.AM) | |
| Risk Assessment (ID.RA) | |
| Improvement (ID.IM) | [[Failure Tracing]] |
| Identity Management, Authentication, and Access Control (PR.AA) | [[Identity and Access Management]] |
| Awareness and Training (PR.AT) | [[Adversary Intelligence]]<br>[[Training]] |
| Data Security (PR.DS) | [[Data Management]] |
| Platform Security (PR.PS) | [[Application Management]]<br>[[Device Management]]<br>[[Network Management]] |
| Technology Infrastructure Resilience (PR.IR) | |
| Continuous Monitoring (DE.CM) | |
| Adverse Event Analysis (DE.AE) | [[Adversary Intelligence]]<br>[[Alert Correlation]] |
| Incident Management (RS.MA) | [[Incident Management]] |
| Incident Analysis (RS.AN) | [[Failure Tracing]]<br>[[Forensic Analysis]] |
| Incident Response Reporting and Communication (RS.CO) | |
| Mitigation (RS.MI) | [[Threat Mitigation]] |
| Recovery Planning (RC.RP) | |
| Communications (RC.CO) | |
| Procurement Planning and Due Diligence (EX.DD) | |
| Third Party Contracts and Agreements (EX.CN) | |
| Monitoring and Managing Suppliers (EX.MM) | |
| Relationship Termination (EX.TR) | |
## Inspiration & Resources
+ https://cyberriskinstitute.org/the-profile/
+ [Josh Magri: The CRI Profile – A Simplified Approach to Better Assessment (fsisac.com)](https://www.fsisac.com/insights/podcast/josh-magri-the-cri-profile-a-simplified-approach-to-better-assessment)
## Release Notes
+ [[WIP - Q4 2024 Release]]

[Cyber City Map](https://cybercitymap.com/) © 2023-2024 by [ThirdScore, Inc.](https://thirdscore.com/) All Rights Reserved.