ICT-Governance-Framework-Application

NIST CSF 2.0 Organisational Profile — Current State

Organization: CBA Consult ICT Governance Framework Target Environment
Scope: Multi-Tenant, Multi-Cloud Infrastructure (AWS, Azure, GCP) and SaaS Management
Version: 1.1 (Current State Profile)
Date: 18 June 2026
Status: Published baseline — Gate A remediation in progress (not CSF 2.0 certified)

This profile is a Current State crosswalk only. It does not constitute NIST CSF 2.0 certification. See NIST CSF 2.0 Compliance Review.


1. Introduction & Organizational Context

This Organisational Profile provides a formal crosswalk of the current operating state of the Multi-Cloud Multi-Tenant ICT Governance Framework against the NIST Cybersecurity Framework (CSF) 2.0 Core. It defines our risk management posture, institutional boundaries, and technical execution across all managed tenant domains.

Core Architecture Context


2. GOVERN (GV) Function Mapping

GV.OC: Organizational Context

Outcome: The organization’s mission, stakeholder expectations, and legal, regulatory, and contractual requirements are understood and inform cybersecurity risk management decisions.

GV.PO: Policy Establishment

Outcome: Organizational policies for cybersecurity risk management are established, communicated, and enforced.

GV.RM: Risk Management Strategy

Outcome: The organization’s priorities, constraints, risk tolerances, and assumptions are defined, communicated, and used to support operational risk decisions.

GV.RR: Roles, Responsibilities, and Authorities

Outcome: Cybersecurity roles, responsibilities, and authorities are established and communicated.

GV.OV: Oversight

Outcome: Results of organization-wide cybersecurity risk management activities are used to inform, improve, and adjust the risk management strategy.


3. IDENTIFY (ID) Function Mapping

ID.AM: Asset Management

Outcome: Physical and software assets are inventory-tracked and managed to support security posture objectives.


4. PROTECT (PR) Function Mapping

PR.AA: Identity Management, Authentication, and Access Control

Outcome: Access to physical and logical assets is limited to authorized users, services, and hardware.


5. DETECT (DE) & RESPOND (RS) Function Mapping

DE.CM: Continuous Monitoring

Outcome: Security and posture baselines are monitored continuously to uncover anomalies and drift.

DE.AE: Adverse Event Analysis

Outcome: Anomalies, indicators of compromise, and other potentially adverse events are analyzed.

RS.MA: Incident Management

Outcome: Incidents are logged, categorized, and integrated with external response workflows.


6. RECOVER (RC) Function Mapping

RC.RP: Recovery Planning

Outcome: Recovery objectives are established and plans are maintained.


7. Summary of Profile Targets & Next Steps

Priority Target Gate Status
Close executive dashboard mock data G-A2 Substantial — live metrics API; Strategic Initiatives demo-only  
Reconcile A034 mapping integrity G-A1 Open  
Persist production CASB catalog G-A3 Partial  
Complete PowerShell incident automation G-A4 Partial  
Live risk / Zero Trust assessment G-A6 Open  
Gate A Compliance Officer sign-off Gate A Pending  
Multi-cloud asset sync depth G-B1 Substantial  
End-to-end DR validation G-B3 Open  
Phase 3 CSF 2.0 control validation Phase 3 Blocked — Gate A  

This profile establishes our current-state baseline. Moving to a certified Target State Profile requires Gate A sign-off, Gate B completion, and Phase 3 validation per the Compliance Review remediation roadmap.

Related: Improvement Focus Areas Project README