Understanding the NIST Cybersecurity Framework September 30, 2014

Transcription

1 Understanding the NIST Cybersecurity Framework September 30, 2014 Earlier this year the National Institute of Standard and Technology released the Framework for Improving Critical Infrastructure Cybersecurity which has become commonly known as the Cyber Security Framework (CSF). The CSF was created in direct response to the President s Executive Order which acknowledges that while cyber threats against the nation s privately owned critical infrastructure are increasing in frequency and intensity there was not a common set of security best practices that could be easily leveraged to help organizations to control cybersecurity risk. The process to develop the CSF was an inclusive one that incorporated feedback from thousands of Government and Private Sector security experts. It also integrated principles from many other existing cybersecurity and risk management standards which include the NIST SP 800 series, COBIT, ISO/IEC, and the Critical Security Controls (CSC). Although the release of the CSF has been welcomed by all and recognized as an important step in providing for common cybersecurity standards some confusion still remains about exactly what the CSF means for organizations who are looking to improve their security posture. The CSF itself is not designed to be an expressly prescriptive set of security standards and best practices. Rather, it is designed to be a resource that introduces a common language and methodology that can help to guide informed business decisions to incorporate cybersecurity practices and investments in line with the specific requirements of each organization. In other words, the CSF does not provide a one size fits all list of security activities that should be implemented or, for that matter, even a specific list of essential security controls that should be a baseline starting point for every organization. The CSF does, however, present a list or catalog of common security activities mapped back to cybersecurity standards, a method for organizing, sharing, and measuring select sets of cybersecurity activities, and a method to assess the degree in which organizations have internalized and incorporated cybersecurity risk management into their overall operational and governance practices. These three components of the CSF are known respectively as the Framework Core, Framework Profiles, and Framework Implementation Tiers.

2 Framework Core The Framework Core is a set of cybersecurity activities, desired outcomes, and applicable cybersecurity references which were deemed to be applicable across all critical infrastructure sectors. This is the catalog of security activities that you should be at least considering if you want to effectively manage cybersecurity risk. One of the most significant aspects of the Core is not only what it contains but how it is organized. At the top level the Core is separated into five concurrent and continuous Functions: namely Identify, Protect, Detect, Respond, and Recover. Functions are farther broken down into Categories, and Subcategories. The Core Functions are not arbitrary selections of common security controls that may be somewhat related; these five security functions follow an incident response process. This means that at its Core, the CSF acknowledges that although proactive defensive security activities and measures are critical, security programs must be structured with the realization that even the best security can and will be defeated by determined adversaries, and that organizations must have the capability to detect, respond to, and recover from cyber intrusions. This incident response methodology also includes feedback loops to ensure that lessons learned are used to further improve protection and detection capabilities, and to help inform decision makers about actual cybersecurity risk posture. Security efforts must be thought of as live, real-time efforts that are constantly discovering and mitigating cyber threats and vulnerabilities versus a one-time, set-it-and-forget-it exercise that requires little afterthought or ongoing attention. Framework Profiles A Framework Profile is essentially a selection or set of security activities (categories and subcategories) from the Framework Core. Profiles have several important purposes. As part of an initial baselining activity each organization should assess its current security capabilities and organize them into a Current Profile. Organizations can then create a Target Profile consisting of desired security capabilities, perform a gap analysis between the Current and Target Profiles, and develop and implementation action plan for addressing the gap. Profiles are also a valuable tool for sharing best practices, or establishing standards amongst industry partners. As previously mentioned, the security activities from Framework Core are not designed to be either a minimum standard or the Target Profile for organizations. Business decisions must drive

3 the selection of control activities. Industry partners, regulating bodies, security consultants, not-for-profits, and others may use the common structure and language of the CSF to create minimum recommended standards in the form of a Profile. Establishment, propagation, and coordination of these common Profiles is required on top of the CSF to actually establish specific the actions that should be considered minimum cyber due care standards for organizations. Profiles schema should mirror the Functions, Categories, and Subcategories from the Framework Core but may also include additional security activities which are not currently found in Core but which would help to address specific security requirements. As an example of using Framework Profiles to share best practices, the Council on Cyber Security (CSC) has used its list of Critical Security Controls (CSC) to developed Profile that help organizations to focus on the most beneficial activities first. The CSC Framework Profile provides organizations with common set of prioritized, detailed, and actionable measures which should be implemented as a first step by any organization that is concerned with defending its systems and information against cyber threats. The CSC Profile can act as a road map and starting point for organizations who are looking to develop their own Profiles based on their specific security requirements. More information about the CSC may be found on the Council on Cyber Security s website. The CSC has adopted a "community first" approach to as a structured and consistent way to create a large community (e.g, State/Locals) to establish a starting baseline to understand threats, and the appropriate mitigating actions (the Controls) which can help the everyone get to prioritize and implement the most important security controls more faster and with more consistency. Activities like this are very usefully because they leverage the knowledge and experience of other similar organizations and relieve some of the requirement for each organization to do everything from scratch and on its own. Framework Implementation Tiers Framework Implementation Tiers function as a method to describe how well organizations have incorporated cybersecurity risk management into culture and practices throughout the organization. It looks to measure the rigor and sophistication of the risk management program and how well cybersecurity information flows and influences decisions across the organization but should not necessarily be thought of as a maturity level for a security program.

4 Individual requirements and risk tolerance should ultimately guide organizations to work towards a preselected target Implementation Tier. Tier measures of risk management integration range from Partial (Tier 1) to Adaptive (Tier 4). The Importance of Business Driving Security Improvements All too often cybersecurity is erroneously thought of as an Information Technology (IT) problem. The reality is that security efforts exist only to support business functions, and when not properly aligned security efforts are likely to be ineffective, inefficient, and could even hinder progress. The necessity of aligning cybersecurity efforts with business processes is one of the main objectives of the CSF. It is also the reason that the CSF cannot be overly prescriptive with dictating controls that should be implemented by every organization. Although commonalities exist, especially in related sectors, each organizations structure, goals, risk tolerance, culture, and system design will be unique and should be assessed to determine adequate levels of protection. Using business requirements to drive security efforts helps to understand possible business impact for information security shortcomings and prioritize defensive efforts and resource allocation towards the most important security activities. Additionally, equipping cybersecurity personnel with business context helps them to accurately design controls that follow critical security principles such as the rule of Least Privilege and helps them to baseline the norms and identify the anomalous. A first step then to understanding cybersecurity requirements for an organization is to have a firm and documented understanding of the organization itself and have clear documentation of how top level missions and goals, flow down to business processes which are supported by security efforts. It is for this reason that cybersecurity planning and implementation efforts must extend far beyond security and IT personal to include all stakeholders such as business process owners, executive management, audit and accountability personnel, and etc. Feedback loops also be created to ensure that all appropriate stakeholders are informed about the performance of the security program as its failure could have a far reaching and catastrophic impact to the organization. The CSF does not solve all cybersecurity problems or even tell an organization exactly what it needs to do or where to begin. It does; however, establish a common language and structure that organizations can use to assess and

5 rationalize their own security programs. It can also be used to propagate best practices and standards across related sectors, industries, and partnerships. When used in combination with critical business analysis, best practice Profiles, security assessments, and feedback from a living and active security program it can help organizations to significantly reduce cybersecurity risk, better detect and respond to security breaches, and successfully recover from significant cybersecurity-related events. Written by Alma Cole About the Author: Alma Cole is a member of the Critical Security Controls Editorial panel. He is the Vice President of Cybersecurity at Robbins-Gioia, LLC. He is responsible for customer-facing cybersecurity lines of business designed to bridge security performance gaps by implementing state-of-the-art, risk-based, intelligence-driven, and cost-effective cybersecurity solutions, service, and operations. Previously, Alma was the Chief Systems Security Officer for U.S. Customs and Border Protection (CBP) where he applied information assurance risk management strategies to ensure the consistent and secure delivery of IT systems and information in support of CBP s strategic goals and objectives. Prior to his work at CBP, he managed the DHS Security Operations Center, a 13 million dollar operation responsible for overall cyber incident management for all DHS Component information security incidents and continuous monitoring of DHS security posture. Alma is widely recognized as a cybersecurity subject matter expert for computer network defense and network response.