Understanding the NIST Cybersecurity Framework September 30, 2014

Earlier this year the National Institute of Standards and Technology released the Framework for Improving Critical Infrastructure Cybersecurity, which has become commonly known as the Cyber Security Framework (CSF). The CSF was created in direct response to the President's Executive Order 13636, which acknowledges that while cyber threats against the nation's privately owned critical infrastructure are increasing in frequency and intensity, there was not a common set of security best practices that could be easily leveraged to help organizations control cybersecurity risk. The process to develop the CSF was an inclusive one that incorporated feedback from thousands of Government and private sector security experts. It also integrated principles from many other existing cybersecurity and risk management standards, including the NIST SP 800 series, COBIT, ISO/IEC, and the Critical Security Controls (CSC).

Although the release of the CSF has been welcomed by all and recognized as an important step in providing common cybersecurity standards, some confusion still remains about exactly what the CSF means for organizations that are looking to improve their security posture. The CSF itself is not designed to be an expressly prescriptive set of security standards and best practices. Rather, it is designed to be a resource that introduces a common language and methodology to help guide informed business decisions that incorporate cybersecurity practices and investments in line with the specific requirements of each organization. In other words, the CSF does not provide a one-size-fits-all list of security activities that should be implemented or, for that matter, even a specific list of essential security controls that should be a baseline starting point for every organization.

The CSF does, however, present three things: a list or catalog of common security activities mapped back to cybersecurity standards; a method for organizing, sharing, and measuring selected sets of cybersecurity activities; and a method to assess the degree to which organizations have internalized and incorporated cybersecurity risk management into their overall operational and governance practices. These three components of the CSF are known respectively as the Framework Core, Framework Profiles, and Framework Implementation Tiers.

Framework Core

The Framework Core is a set of cybersecurity activities, desired outcomes, and applicable cybersecurity references which were deemed to be applicable across all critical infrastructure sectors. This is the catalog of security activities that you should at least be considering if you want to effectively manage cybersecurity risk. One of the most significant aspects of the Core is not only what it contains but how it is organized. At the top level the Core is separated into five concurrent and continuous Functions: Identify, Protect, Detect, Respond, and Recover. Functions are further broken down into Categories and Subcategories.

The Core Functions are not an arbitrary selection of loosely related common security controls; these five Functions follow an incident response process. This means that at its core, the CSF acknowledges that although proactive defensive security activities and measures are critical, security programs must be structured with the realization that even the best security can and will be defeated by determined adversaries, and that organizations must have the capability to detect, respond to, and recover from cyber intrusions. This incident response methodology also includes feedback loops to ensure that lessons learned are used to further improve protection and detection capabilities, and to help inform decision makers about the actual cybersecurity risk posture. Security efforts must be thought of as live, real-time efforts that are constantly discovering and mitigating cyber threats and vulnerabilities, rather than a one-time, set-it-and-forget-it exercise that requires little afterthought or ongoing attention.

Framework Profiles

A Framework Profile is essentially a selection or set of security activities (Categories and Subcategories) from the Framework Core. Profiles have several important purposes. As part of an initial baselining activity, each organization should assess its current security capabilities and organize them into a Current Profile. Organizations can then create a Target Profile consisting of desired security capabilities, perform a gap analysis between the Current and Target Profiles, and develop an implementation action plan for addressing the gap. Profiles are also a valuable tool for sharing best practices or establishing standards amongst industry partners.

As previously mentioned, the security activities from the Framework Core are not designed to be either a minimum standard or the Target Profile for organizations. Business decisions must drive the selection of control activities. Industry partners, regulating bodies, security consultants, not-for-profits, and others may use the common structure and language of the CSF to create minimum recommended standards in the form of a Profile. Establishment, propagation, and coordination of these common Profiles is required on top of the CSF to actually establish the specific actions that should be considered minimum cyber due care standards for organizations. A Profile's schema should mirror the Functions, Categories, and Subcategories from the Framework Core, but may also include additional security activities which are not currently found in the Core but which would help to address specific security requirements.

As an example of using Framework Profiles to share best practices, the Council on Cyber Security (CSC) has used its list of Critical Security Controls (CSC) to develop a Profile that helps organizations focus on the most beneficial activities first. The CSC Framework Profile provides organizations with a common set of prioritized, detailed, and actionable measures which should be implemented as a first step by any organization that is concerned with defending its systems and information against cyber threats. The CSC Profile can act as a road map and starting point for organizations that are looking to develop their own Profiles based on their specific security requirements. More information about the CSC may be found on the Council on Cyber Security's website. The CSC has adopted a "community first" approach as a structured and consistent way for a large community (e.g., State/Local organizations) to establish a starting baseline for understanding threats and the appropriate mitigating actions (the Controls), which helps everyone prioritize and implement the most important security controls faster and with more consistency.
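The baselining procedure described above (assess current capabilities into a Current Profile, define a Target Profile, run a gap analysis between the two, and derive an implementation action plan) can be made concrete in code. The following Python is an added example and is not part of the original article, the CSF document, or the CSC Profile: it models a handful of Core Subcategories using the CSF's Function.Category-number ID scheme (outcome wording paraphrased), constructs sample Current and Target Profiles, and produces a prioritized action plan plus per-Function coverage. The implementation states, the business priorities, and the hypothetical organization-specific activity ORG.BC-1 are assumptions chosen for illustration; ORG.BC-1 also shows, as the text allows, a Target Profile carrying an activity not found in the Core.

```python
from dataclasses import dataclass
from enum import IntEnum


class State(IntEnum):
    """How far a Subcategory outcome is achieved; ordered so gaps compare."""
    NOT_IMPLEMENTED = 0
    PARTIAL = 1
    IMPLEMENTED = 2


@dataclass(frozen=True)
class Subcategory:
    ident: str    # CSF ID scheme <Function>.<Category>-<n>, e.g. "ID.AM-1"
    outcome: str  # outcome statement (paraphrased here, not the official text)

    @property
    def function(self) -> str:
        return self.ident.split(".", 1)[0]


FUNCTION_NAMES = {"ID": "Identify", "PR": "Protect", "DE": "Detect",
                  "RS": "Respond", "RC": "Recover"}

# Constructed sample of the Framework Core: a few Subcategories per Function.
CORE = [
    Subcategory("ID.AM-1", "Physical devices and systems are inventoried"),
    Subcategory("ID.AM-2", "Software platforms and applications are inventoried"),
    Subcategory("PR.AC-1", "Identities and credentials are managed for authorized devices and users"),
    Subcategory("PR.AC-4", "Access permissions follow least privilege and separation of duties"),
    Subcategory("DE.AE-1", "A baseline of network operations and expected data flows is established"),
    Subcategory("DE.CM-1", "The network is monitored to detect potential cybersecurity events"),
    Subcategory("RS.RP-1", "Response plan is executed during or after an event"),
    Subcategory("RC.RP-1", "Recovery plan is executed during or after an event"),
]

# Current Profile: what the baselining assessment found (constructed data).
# Subcategories absent from the map are treated as NOT_IMPLEMENTED.
CURRENT = {
    "ID.AM-1": State.IMPLEMENTED,
    "ID.AM-2": State.PARTIAL,
    "PR.AC-1": State.IMPLEMENTED,
    "PR.AC-4": State.NOT_IMPLEMENTED,
    "DE.CM-1": State.PARTIAL,
}

# Target Profile: desired state plus a business-assigned priority (1 = highest).
# ORG.BC-1 is a hypothetical organization-specific activity not in the Core,
# which the CSF allows a Profile to carry.
TARGET = {
    "ID.AM-1": (State.IMPLEMENTED, 1),
    "ID.AM-2": (State.IMPLEMENTED, 1),
    "PR.AC-1": (State.IMPLEMENTED, 2),
    "PR.AC-4": (State.IMPLEMENTED, 2),
    "DE.CM-1": (State.IMPLEMENTED, 2),
    "DE.AE-1": (State.PARTIAL, 3),
    "RS.RP-1": (State.IMPLEMENTED, 3),
    "RC.RP-1": (State.PARTIAL, 4),
    "ORG.BC-1": (State.IMPLEMENTED, 4),
}


@dataclass(frozen=True)
class GapItem:
    ident: str
    function: str
    outcome: str
    current: State
    target: State
    priority: int


def gap_analysis(core, current, target):
    """Subcategories whose Current state falls short of the Target, ordered as
    an action plan: business priority first, then the larger gap, then ID."""
    by_id = {s.ident: s for s in core}
    gaps = []
    for ident, (want, priority) in target.items():
        have = current.get(ident, State.NOT_IMPLEMENTED)
        if have >= want:
            continue
        sub = by_id.get(ident)
        function = sub.function if sub else ident.split(".", 1)[0]
        outcome = sub.outcome if sub else "organization-specific activity (not in Core)"
        gaps.append(GapItem(ident, function, outcome, have, want, priority))
    gaps.sort(key=lambda g: (g.priority, -(g.target - g.current), g.ident))
    return gaps


def coverage_by_function(current, target):
    """Fraction of Target Subcategories already at target state, per Function."""
    met, total = {}, {}
    for ident, (want, _) in target.items():
        function = ident.split(".", 1)[0]
        total[function] = total.get(function, 0) + 1
        if current.get(ident, State.NOT_IMPLEMENTED) >= want:
            met[function] = met.get(function, 0) + 1
    return {f: met.get(f, 0) / total[f] for f in total}


def action_plan(gaps):
    """Render the gap list as one line per action, in plan order."""
    return [f"P{g.priority} {g.ident} [{FUNCTION_NAMES.get(g.function, g.function)}] "
            f"{g.current.name} -> {g.target.name}: {g.outcome}" for g in gaps]


if __name__ == "__main__":
    for line in action_plan(gap_analysis(CORE, CURRENT, TARGET)):
        print(line)
    for function, share in coverage_by_function(CURRENT, TARGET).items():
        print(f"{FUNCTION_NAMES.get(function, function)}: {share:.0%} of target outcomes met")
```

Running the script lists seven actions, with the priority-1 inventory gap first and the Respond and Recover outcomes (nothing in place today) appearing as gaps even though they are lower priority, which is the point of the Core's Detect/Respond/Recover Functions: a Profile that only reaches the Protect outcomes leaves the incident response half of the framework at zero coverage, and the per-Function summary makes that visible to decision makers.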
Community-developed Profiles like this are very useful because they leverage the knowledge and experience of other similar organizations and relieve some of the requirement for each organization to do everything from scratch and on its own.

Framework Implementation Tiers

Framework Implementation Tiers function as a method to describe how well organizations have incorporated cybersecurity risk management into culture and practices throughout the organization. They look to measure the rigor and sophistication of the risk management program and how well cybersecurity information flows and influences decisions across the organization, but should not necessarily be thought of as a maturity level for a security program. Individual requirements and risk tolerance should ultimately guide organizations to work towards a preselected target Implementation Tier. Tier measures of risk management integration range from Partial (Tier 1) to Adaptive (Tier 4).

The Importance of Business Driving Security Improvements

All too often cybersecurity is erroneously thought of as an Information Technology (IT) problem. The reality is that security efforts exist only to support business functions, and when not properly aligned, security efforts are likely to be ineffective and inefficient, and could even hinder progress. The necessity of aligning cybersecurity efforts with business processes is one of the main objectives of the CSF. It is also the reason that the CSF cannot be overly prescriptive in dictating controls that should be implemented by every organization. Although commonalities exist, especially in related sectors, each organization's structure, goals, risk tolerance, culture, and system design will be unique and should be assessed to determine adequate levels of protection. Using business requirements to drive security efforts helps to understand the possible business impact of information security shortcomings and to prioritize defensive efforts and resource allocation towards the most important security activities. Additionally, equipping cybersecurity personnel with business context helps them to accurately design controls that follow critical security principles such as the rule of Least Privilege, and helps them to baseline the norms and identify the anomalous.

A first step, then, to understanding cybersecurity requirements for an organization is to have a firm and documented understanding of the organization itself, and clear documentation of how top-level missions and goals flow down to the business processes which are supported by security efforts. It is for this reason that cybersecurity planning and implementation efforts must extend far beyond security and IT personnel to include all stakeholders, such as business process owners, executive management, audit and accountability personnel, etc. Feedback loops should also be created to ensure that all appropriate stakeholders are informed about the performance of the security program, as its failure could have a far-reaching and catastrophic impact on the organization.

The CSF does not solve all cybersecurity problems or even tell an organization exactly what it needs to do or where to begin. It does, however, establish a common language and structure that organizations can use to assess and rationalize their own security programs. It can also be used to propagate best practices and standards across related sectors, industries, and partnerships. When used in combination with critical business analysis, best practice Profiles, security assessments, and feedback from a living and active security program, it can help organizations to significantly reduce cybersecurity risk, better detect and respond to security breaches, and successfully recover from significant cybersecurity-related events.

Written by Alma Cole

About the Author: Alma Cole is a member of the Critical Security Controls Editorial Panel. He is the Vice President of Cybersecurity at Robbins-Gioia, LLC. He is responsible for customer-facing cybersecurity lines of business designed to bridge security performance gaps by implementing state-of-the-art, risk-based, intelligence-driven, and cost-effective cybersecurity solutions, services, and operations. Previously, Alma was the Chief Systems Security Officer for U.S. Customs and Border Protection (CBP), where he applied information assurance risk management strategies to ensure the consistent and secure delivery of IT systems and information in support of CBP's strategic goals and objectives. Prior to his work at CBP, he managed the DHS Security Operations Center, a 13 million dollar operation responsible for overall cyber incident management for all DHS Component information security incidents and continuous monitoring of DHS security posture. Alma is widely recognized as a cybersecurity subject matter expert for computer network defense and network response.