Cyber Security Framework
Overview of NIST Security Guidelines
CS684 IT Security Policies & Procedures
Tandhy Simanjuntak
Agenda
• NIST
• History
• Other frameworks
• Cyber Security Framework
• Study Case
• Conclusion
NIST
National Institute of Standards and Technology
• Founded 1901
• Non-regulatory Federal Agency
• U.S. Dept. of Commerce
NIST Mission
Promote innovation and industrial competitiveness through:
•  Measurement Science
•  Measurement Standards
•  Measurement Technology
= Economic security
= Quality of Life
NIST Areas
•  Bioscience & Health
•  Building & Fire Research
•  Chemistry
•  Electronics & Telco.
•  Energy
•  Environment / Climate
•  Information Technology
•  Manufacturing
•  Materials Science
•  Math
•  Nanotechnology
•  Physics
•  Public Safety & Security
•  Quality
•  Transportation
History
Feb 12, 2013: Executive Order 13636, “Improving Critical Infrastructure Cybersecurity”
http://blogs.reuters.com/great-debate/2013/07/08/obamas-key-nuclear-deal-wi
Critical Infrastructure[1]: “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.”
http://www.iprem.ca/initiatives/InitiativesPics/CriticalInfrastructureSectors.jpg
Other Frameworks
ISO/IEC 27002:2013, COBIT, COSO, HITRUST CSF

ISO/IEC 27002:2013
ISO: International Organization for Standardization
IEC: International Electrotechnical Commission
Best practice recommendations
• Information Security Management
• Information Security Program elements

COBIT
Control Objectives for Information and related Technology
Best practices for IT management
Defines program and management control functions

COSO
Committee of Sponsoring Organizations of the Treadway Commission
Thought leadership for framework development
Guidance
• Enterprise risk management
• Internal control
• Fraud deterrence

HITRUST CSF
Developed with healthcare and information security professionals
First IT security framework for healthcare
Leverages existing standards
• HIPAA, NIST, ISO, PCI, FTC and COBIT

NIST vs Other Frameworks
Other Frameworks: Specific to industry; Specific to management; Standards & Guidelines
NIST: Any industry; Guidelines
Cyber Security Framework
Introduction
Feb 2013 (Executive Order) to Feb 2014 (Framework)
Voluntary risk-based framework
• Government and private sectors
Standards and best practices
• Manage cyber security risks
Protect individual privacy and civil liberties
Framework components:
• Framework Core
• Framework Implementation Tiers
• Framework Profile

Framework Core
Activities, outcomes & applicable references
Industry standards, guidelines & practices
5 concurrent and continuous Functions:
Identify, Protect, Detect, Respond, Recover
Framework Core: Functions
Identify: Understanding to manage cybersecurity risk to systems, assets, data, and capabilities
Protect: Safeguards to ensure delivery of critical infrastructure services
Detect: Identify the occurrence of a cybersecurity event
Respond: Action regarding a detected cybersecurity event
Recover:
• Maintain plans for resilience
• Restore any capabilities or services
Framework Core structure
Functions → Categories → Subcategories → Informative References
Function identifiers: IDENTIFY (ID), PROTECT (PR), DETECT (DE), RESPOND (RS), RECOVER (RC)

Framework Function   Category Identifier   Category
IDENTIFY (ID)        ID.AM                 Asset Management
                     ID.BE                 Business Environment
                     ID.GV                 Governance
                     ID.RA                 Risk Assessment
                     ID.RM                 Risk Management Strategy
PROTECT (PR)         PR.AC                 Access Control
                     PR.AT                 Awareness and Training
                     PR.DS                 Data Security
                     PR.IP                 Information Protection Processes and Procedures
                     PR.MA                 Maintenance
                     PR.PT                 Protective Technology
DETECT (DE)          DE.AE                 Anomalies and Events
                     DE.CM                 Security Continuous Monitoring
                     DE.DP                 Detection Processes
RESPOND (RS)         RS.RP                 Response Planning
                     RS.CO                 Communications
                     RS.AN                 Analysis
                     RS.MI                 Mitigation
                     RS.IM                 Improvements
RECOVER (RC)         RC.RP                 Recovery Planning
                     RC.IM                 Improvements
                     RC.CO                 Communications
Framework Implementation Tiers
How an organization views and manages cybersecurity risks, from Partial (Tier 1) to Adaptive (Tier 4):
1. Partial
2. Risk Informed
3. Repeatable
4. Adaptive
Consideration
• Risk management practices, threat environment, legal & regulatory req., objectives & constraints
Elements:
• Risk Management Process
• Integrated Risk Management Program
• External Collaboration
Implementation Tiers by element

Partial (Tier 1)
  Risk Management Process: Not formalized; Reactive
  Integrated Risk Management Program: Limited awareness; Irregular risk management; Private information
  External Participation: No external collaboration

Risk Informed (Tier 2)
  Risk Management Process: Approved practices; Not widely used as policy
  Integrated Risk Management Program: More awareness; Risk-informed processes & procedures; Adequate resources; Internal sharing
  External Participation: Not formalized to interact & share information

Repeatable (Tier 3)
  Risk Management Process: Approved as policy; Updated regularly
  Integrated Risk Management Program: Organization-wide approach; Risk-informed processes & procedures defined, implemented as intended, and reviewed; Knowledge & skills
  External Participation: Collaborate; Receive information

Adaptive (Tier 4)
  Risk Management Process: Continuous improvement
  Integrated Risk Management Program: Risk-informed processes & procedures for potential events; Continuous awareness
  External Participation: Actively shares information
Framework Profile
Alignment of Framework Core and business requirements, risk tolerance & resources
Establish roadmap to reduce risk aligned with organizational and sector goals
Describe current and desired state of specific events
Action plan to address gaps

Create or improve a program
1. Prioritize and Scope
2. Orient
3. Create current profile
4. Conduct risk assessment
5. Create target profile
6. Determine, analyze & prioritize gaps
7. Implement action plan
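The Profile gap analysis of steps 3 to 7, and the Core's Function and Category identifiers, as an added Python example (not code from the slides or from NIST): it validates a Current and a Target Profile against the Category identifiers listed earlier, treats a Category missing from the Current Profile as Partial, weights each gap by a risk score from the risk assessment, and orders the result as input to the action plan. Scoring each Category on the 1 to 4 Tier scale and the risk weights are this example's own assumptions (the Framework applies Tiers to the organization as a whole), and the sample Profiles are constructed.

```python
"""Category-level gap analysis between a Current and a Target Profile of the
NIST Cybersecurity Framework.

Added example, not part of the original slides or of NIST's own material.
Function and Category identifiers are the ones listed in the slides; scoring
each Category on the 1..4 Tier scale and weighting gaps by a risk score are
this example's simplifications."""
from dataclasses import dataclass

# Framework Core: Function identifier -> (Function name, {Category id: Category name}).
CORE = {
    "ID": ("IDENTIFY", {"ID.AM": "Asset Management", "ID.BE": "Business Environment",
                        "ID.GV": "Governance", "ID.RA": "Risk Assessment",
                        "ID.RM": "Risk Management Strategy"}),
    "PR": ("PROTECT", {"PR.AC": "Access Control", "PR.AT": "Awareness and Training",
                       "PR.DS": "Data Security",
                       "PR.IP": "Information Protection Processes and Procedures",
                       "PR.MA": "Maintenance", "PR.PT": "Protective Technology"}),
    "DE": ("DETECT", {"DE.AE": "Anomalies and Events",
                      "DE.CM": "Security Continuous Monitoring",
                      "DE.DP": "Detection Processes"}),
    "RS": ("RESPOND", {"RS.RP": "Response Planning", "RS.CO": "Communications",
                       "RS.AN": "Analysis", "RS.MI": "Mitigation", "RS.IM": "Improvements"}),
    "RC": ("RECOVER", {"RC.RP": "Recovery Planning", "RC.IM": "Improvements",
                       "RC.CO": "Communications"}),
}
CATEGORIES = {cid: name for _, cats in CORE.values() for cid, name in cats.items()}

# Implementation Tiers, Partial (1) to Adaptive (4).
TIERS = {1: "Partial", 2: "Risk Informed", 3: "Repeatable", 4: "Adaptive"}


@dataclass(frozen=True)
class Gap:
    category: str
    name: str
    current: int
    target: int
    risk: int  # 1 (low) .. 5 (high), taken from the risk assessment (step 4); assumed scale

    @property
    def distance(self) -> int:
        return self.target - self.current

    @property
    def priority(self) -> int:
        # Bigger tier jumps on riskier Categories come first.
        return self.distance * self.risk


def validate_profile(profile: dict) -> None:
    """Reject Category identifiers not in the Core and tiers outside 1..4."""
    for cid, tier in profile.items():
        if cid not in CATEGORIES:
            raise ValueError(f"unknown Category identifier: {cid}")
        if tier not in TIERS:
            raise ValueError(f"tier for {cid} must be 1..4, got {tier!r}")


def analyze_gaps(current: dict, target: dict, risk: dict) -> list:
    """Step 6: determine, analyze and prioritize gaps between the two Profiles.

    A Category in the Target Profile but absent from the Current Profile is
    treated as Partial (Tier 1), so forgotten Categories surface as gaps."""
    validate_profile(current)
    validate_profile(target)
    gaps = [
        Gap(cid, CATEGORIES[cid], current.get(cid, 1), tier, risk.get(cid, 1))
        for cid, tier in target.items()
        if tier > current.get(cid, 1)
    ]
    return sorted(gaps, key=lambda g: (-g.priority, -g.risk, g.category))


def function_summary(profile: dict) -> dict:
    """Average tier per Function (ID/PR/DE/RS/RC) over the Categories a Profile covers."""
    summary = {}
    for fid, (_, cats) in CORE.items():
        tiers = [profile[cid] for cid in cats if cid in profile]
        if tiers:
            summary[fid] = round(sum(tiers) / len(tiers), 2)
    return summary


def action_plan(gaps: list) -> list:
    """Step 7 input: one line per gap, highest priority first."""
    return [f"{g.category} {g.name}: {TIERS[g.current]} -> {TIERS[g.target]}"
            f" (risk {g.risk}, priority {g.priority})" for g in gaps]


# Constructed sample Profiles and risk scores, not taken from any real assessment.
CURRENT_PROFILE = {"ID.AM": 2, "ID.RA": 1, "PR.AC": 2, "PR.DS": 3,
                   "DE.AE": 1, "DE.CM": 1, "RS.RP": 2, "RC.RP": 2}
TARGET_PROFILE = {"ID.AM": 3, "ID.GV": 3, "ID.RA": 3, "PR.AC": 3, "PR.DS": 3,
                  "DE.AE": 2, "DE.CM": 3, "RS.RP": 3, "RC.RP": 3}
RISK_SCORES = {"ID.AM": 3, "ID.GV": 2, "ID.RA": 4, "PR.AC": 5, "PR.DS": 3,
               "DE.AE": 4, "DE.CM": 5, "RS.RP": 3, "RC.RP": 2}

if __name__ == "__main__":
    print("Current:", function_summary(CURRENT_PROFILE))
    print("Target: ", function_summary(TARGET_PROFILE))
    for line in action_plan(analyze_gaps(CURRENT_PROFILE, TARGET_PROFILE, RISK_SCORES)):
        print(line)
```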
Study Case
Intel: The Cybersecurity Framework in Action [7]
http://www.intel.com/content/www/us/en/government/cybersecurity-framework-in-action-use-case-brief.html

Conclusion
• Reduce and better manage cybersecurity risks
• Not a one-size-fits-all approach
References
1. NIST (2014). Framework for Improving Critical Infrastructure Cybersecurity. Retrieved from NIST site: http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf
2. ISF (2007). The Standard of Good Practice for Information Security. Retrieved from Security Forum site: https://www.securityforum.org/userfiles/public/SOGP.pdf
3. IASME (2015). IASME Self-Assessment Questionnaire. Retrieved from IASME site: https://www.iasme.co.uk/index.php
4. Johnson, S. (2008). NERC Cyber Security Standards. SANS. Retrieved from SANS site: https://files.sans.org/summit/scada08/Stan_Johnson_NERC_Cyber_Security_Standards.pdf
5. Center for Internet Security (n.d.). Retrieved from http://www.cisecurity.org/
6. Solutionary (n.d.). Security Frameworks. Retrieved from Solutionary site: http://www.solutionary.com/compliance/security-frameworks/
7. Intel (2015). The Cybersecurity Framework in Action: An Intel Use Case. Retrieved from Intel site: http://www.intel.com/content/www/us/en/government/cybersecurity-framework-in-action-use-case-brief.html

NIST CyberSecurity Framework: An Overview

Editor's Notes

  • #2: http://www.internetsociety.org/deploy360/wp-content/uploads/2012/03/NIST-logo-1.jpg
  • #6: Founded in 1901, NIST is a non-regulatory federal agency within the U.S. Department of Commerce. NIST's mission is to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life. http://nist.gov/public_affairs/general_information.cfm
  • #7: http://nist.gov/subject_areas.cfm
  • #11: http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf
  • #12: http://www.iprem.ca/initiatives/InitiativesPics/CriticalInfrastructureSectors.jpg
  • #14: ISO/IEC 27002:2013 – The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) provide best practice recommendations on information security management and program elements. ISO defines the broadest structure of an effective overall program, supporting information security as a systems issue that includes technology, practice, and people, and describes the need for a formal security program. COBIT – The Control Objectives for Information and related Technology (COBIT) is a set of best practices for IT management. COBIT focuses on defining program and management control functions. It is designed to help ensure IT programs are implemented and managed effectively to maximize the investment of technology efficiently. While not specifically a security standard, strong COBIT compliance typically indicates a higher quality of control over internal practices that help manage an effective security infrastructure, as well as sound business practice. COSO – The Committee of Sponsoring Organizations of the Treadway Commission defined the Control Objectives for their Internal Control – Integrated Frameworks, the widely accepted control frameworks for enterprise governance and risk management, and similar compliant frameworks. COSO defines a set of business, management, and security relevant controls that can be used to demonstrate good business practice controls, and can be used to show compliance with Sarbanes-Oxley requirements. HITRUST CSF – Developed in collaboration with healthcare and information security professionals, the Common Security Framework (CSF) is the first IT security framework developed specifically for healthcare information. The HITRUST CSF: leverages existing, globally recognized standards, including HIPAA, NIST, ISO, PCI, FTC and COBIT; scales according to type, size and complexity of an implementing organization; provides prescriptive requirements to ensure clarity; follows a risk-based approach offering multiple levels of implementation requirements determined by risks and thresholds; allows for the adoption of alternate controls when necessary; evolves according to user input and changing conditions in the healthcare industry and regulatory environment. Solutionary is a HITRUST Common Security Framework (CSF) Assessor. This means that Solutionary is able to deliver healthcare certification work including readiness assessments and remediation associated with the CSF. In addition to the organizational certification, Solutionary has a team of security professionals certified as CSF Practitioners for effective and efficient implementation of the CSF. http://www.solutionary.com/compliance/security-frameworks/
  • #17: The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is a joint initiative of five private sector organizations and is dedicated to providing thought leadership through the development of frameworks and guidance on enterprise risk management, internal control and fraud deterrence. http://www.coso.org/
  • #21: In enacting this policy, the Executive Order calls for the development of a voluntary risk-based Cybersecurity Framework – a set of industry standards and best practices to help organizations manage cybersecurity risks. The resulting Framework, created through collaboration between government and the private sector, uses a common language to address and manage cybersecurity risk in a cost-effective way based on business needs without placing additional regulatory requirements on businesses.
  • #22: The Framework Core is a set of cybersecurity activities, desired outcomes, and applicable references that are common across critical infrastructure sectors. The Core presents industry standards, guidelines, and practices in a manner that allows for communication of cybersecurity activities and outcomes across the organization from the executive level to the implementation/operations level. The Framework Core consists of five concurrent and continuous Functions: Identify, Protect, Detect, Respond, Recover. When considered together, these Functions provide a high-level, strategic view of the lifecycle of an organization’s management of cybersecurity risk. The Framework Core then identifies underlying key Categories and Subcategories for each Function, and matches them with example Informative References such as existing standards, guidelines, and practices for each Subcategory. Framework Implementation Tiers (“Tiers”) provide context on how an organization views cybersecurity risk and the processes in place to manage that risk. Tiers describe the degree to which an organization’s cybersecurity risk management practices exhibit the characteristics defined in the Framework (e.g., risk and threat aware, repeatable, and adaptive). The Tiers characterize an organization’s practices over a range, from Partial (Tier 1) to Adaptive (Tier 4). These Tiers reflect a progression from informal, reactive responses to approaches that are agile and risk-informed. During the Tier selection process, an organization should consider its current risk management practices, threat environment, legal and regulatory requirements, business/mission objectives, and organizational constraints. A Framework Profile (“Profile”) represents the outcomes based on business needs that an organization has selected from the Framework Categories and Subcategories. The Profile can be characterized as the alignment of standards, guidelines, and practices to the Framework Core in a particular implementation scenario. Profiles can be used to identify opportunities for improving cybersecurity posture by comparing a “Current” Profile (the “as is” state) with a “Target” Profile (the “to be” state). To develop a Profile, an organization can review all of the Categories and Subcategories and, based on business drivers and a risk assessment, determine which are most important; they can add Categories and Subcategories as needed to address the organization’s risks. The Current Profile can then be used to support prioritization and measurement of progress toward the Target Profile, while factoring in other business needs including cost-effectiveness and innovation. Profiles can be used to conduct self-assessments and communicate within an organization or between organizations.
  • #24: Identify – Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities. The activities in the Identify Function are foundational for effective use of the Framework. Understanding the business context, the resources that support critical functions, and the related cybersecurity risks enables an organization to focus and prioritize its efforts, consistent with its risk management strategy and business needs. Examples of outcome Categories within this Function include: Asset Management; Business Environment; Governance; Risk Assessment; and Risk Management Strategy.
  • Protect – Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services. The Protect Function supports the ability to limit or contain the impact of a potential cybersecurity event. Examples of outcome Categories within this Function include: Access Control; Awareness and Training; Data Security; Information Protection Processes and Procedures; Maintenance; and Protective Technology.
  • Detect – Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event. The Detect Function enables timely discovery of cybersecurity events. Examples of outcome Categories within this Function include: Anomalies and Events; Security Continuous Monitoring; and Detection Processes.
  • Respond – Develop and implement the appropriate activities to take action regarding a detected cybersecurity event. The Respond Function supports the ability to contain the impact of a potential cybersecurity event. Examples of outcome Categories within this Function include: Response Planning; Communications; Analysis; Mitigation; and Improvements.
  • Recover – Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event. The Recover Function supports timely recovery to normal operations to reduce the impact from a cybersecurity event. Examples of outcome Categories within this Function include: Recovery Planning; Improvements; and Communications.
  • #25: Functions organize basic cybersecurity activities at their highest level. These Functions are Identify, Protect, Detect, Respond, and Recover. They aid an organization in expressing its management of cybersecurity risk by organizing information, enabling risk management decisions, addressing threats, and improving by learning from previous activities. The Functions also align with existing methodologies for incident management and help show the impact of investments in cybersecurity. For example, investments in planning and exercises support timely response and recovery actions, resulting in reduced impact to the delivery of services.
  • Categories are the subdivisions of a Function into groups of cybersecurity outcomes closely tied to programmatic needs and particular activities. Examples of Categories include “Asset Management,” “Access Control,” and “Detection Processes.”
  • Subcategories further divide a Category into specific outcomes of technical and/or management activities. They provide a set of results that, while not exhaustive, help support achievement of the outcomes in each Category. Examples of Subcategories include “External information systems are catalogued,” “Data-at-rest is protected,” and “Notifications from detection systems are investigated.”
  • Informative References are specific sections of standards, guidelines, and practices common among critical infrastructure sectors that illustrate a method to achieve the outcomes associated with each Subcategory. The Informative References presented in the Framework Core are illustrative and not exhaustive. They are based upon cross-sector guidance most frequently referenced during the Framework development process.
  • #34: Tier 1: Partial
  • Risk Management Process – Organizational cybersecurity risk management practices are not formalized, and risk is managed in an ad hoc and sometimes reactive manner. Prioritization of cybersecurity activities may not be directly informed by organizational risk objectives, the threat environment, or business/mission requirements.
  • Integrated Risk Management Program – There is limited awareness of cybersecurity risk at the organizational level and an organization-wide approach to managing cybersecurity risk has not been established. The organization implements cybersecurity risk management on an irregular, case-by-case basis due to varied experience or information gained from outside sources. The organization may not have processes that enable cybersecurity information to be shared within the organization.
  • External Participation – An organization may not have the processes in place to participate in coordination or collaboration with other entities.
  Tier 2: Risk Informed
  • Risk Management Process – Risk management practices are approved by management but may not be established as organization-wide policy. Prioritization of cybersecurity activities is directly informed by organizational risk objectives, the threat environment, or business/mission requirements.
  • Integrated Risk Management Program – There is an awareness of cybersecurity risk at the organizational level but an organization-wide approach to managing cybersecurity risk has not been established. Risk-informed, management-approved processes and procedures are defined and implemented, and staff has adequate resources to perform their cybersecurity duties. Cybersecurity information is shared within the organization on an informal basis.
  • External Participation – The organization knows its role in the larger ecosystem, but has not formalized its capabilities to interact and share information externally.
  Tier 3: Repeatable
  • Risk Management Process – The organization’s risk management practices are formally approved and expressed as policy. Organizational cybersecurity practices are regularly updated based on the application of risk management processes to changes in business/mission requirements and a changing threat and technology landscape.
  • Integrated Risk Management Program – There is an organization-wide approach to manage cybersecurity risk. Risk-informed policies, processes, and procedures are defined, implemented as intended, and reviewed. Consistent methods are in place to respond effectively to changes in risk. Personnel possess the knowledge and skills to perform their appointed roles and responsibilities.
  • External Participation – The organization understands its dependencies and partners and receives information from these partners that enables collaboration and risk-based management decisions within the organization in response to events.
  Tier 4: Adaptive
  • Risk Management Process – The organization adapts its cybersecurity practices based on lessons learned and predictive indicators derived from previous and current cybersecurity activities. Through a process of continuous improvement incorporating advanced cybersecurity technologies and practices, the organization actively adapts to a changing cybersecurity landscape and responds to evolving and sophisticated threats in a timely manner.
  • Integrated Risk Management Program – There is an organization-wide approach to managing cybersecurity risk that uses risk-informed policies, processes, and procedures to address potential cybersecurity events. Cybersecurity risk management is part of the organizational culture and evolves from an awareness of previous activities, information shared by other sources, and continuous awareness of activities on their systems and networks.
  • External Participation – The organization manages risk and actively shares information with partners to ensure that accurate, current information is being distributed and consumed to improve cybersecurity before a cybersecurity event occurs.
  • #36: Step 1: Prioritize and Scope. The organization identifies its business/mission objectives and high-level organizational priorities. With this information, the organization makes strategic decisions regarding cybersecurity implementations and determines the scope of systems and assets that support the selected business line or process. The Framework can be adapted to support the different business lines or processes within an organization, which may have different business needs and associated risk tolerance.
  Step 2: Orient. Once the scope of the cybersecurity program has been determined for the business line or process, the organization identifies related systems and assets, regulatory requirements, and overall risk approach. The organization then identifies threats to, and vulnerabilities of, those systems and assets.
  Step 3: Create a Current Profile. The organization develops a Current Profile by indicating which Category and Subcategory outcomes from the Framework Core are currently being achieved.
  Step 4: Conduct a Risk Assessment. This assessment could be guided by the organization’s overall risk management process or previous risk assessment activities. The organization analyzes the operational environment in order to discern the likelihood of a cybersecurity event and the impact that the event could have on the organization. It is important that organizations seek to incorporate emerging risks and threat and vulnerability data to facilitate a robust understanding of the likelihood and impact of cybersecurity events.
  Step 5: Create a Target Profile. The organization creates a Target Profile that focuses on the assessment of the Framework Categories and Subcategories describing the organization’s desired cybersecurity outcomes. Organizations also may develop their own additional Categories and Subcategories to account for unique organizational risks. The organization may also consider influences and requirements of external stakeholders such as sector entities, customers, and business partners when creating a Target Profile.
  Step 6: Determine, Analyze, and Prioritize Gaps. The organization compares the Current Profile and the Target Profile to determine gaps. Next it creates a prioritized action plan to address those gaps that draws upon mission drivers, a cost/benefit analysis, and understanding of risk to achieve the outcomes in the Target Profile. The organization then determines resources necessary to address the gaps. Using Profiles in this manner enables the organization to make informed decisions about cybersecurity activities, supports risk management, and enables the organization to perform cost-effective, targeted improvements.
  Step 7: Implement Action Plan. The organization determines which actions to take in regards to the gaps, if any, identified in the previous step. It then monitors its current cybersecurity practices against the Target Profile. For further guidance, the Framework identifies example Informative References regarding the Categories and Subcategories, but organizations should determine which standards, guidelines, and practices, including those that are sector specific, work best for their needs.
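The Core hierarchy (Function > Category > Subcategory with Informative References) and the Current-versus-Target Profile comparison of Steps 3, 5, 6 and 7 are easiest to see as data and a small algorithm. The Python below is an added example written for this page; it is not code from the slides or from NIST. The five Subcategory identifiers, outcome statements and SP 800-53 references are a handful taken from CSF v1.0, but the 0-3 implementation scale, the two Profiles, the risk and cost scores and the priority formula are all constructed assumptions: the Framework prescribes none of them, and an organization would substitute its own risk assessment output from Step 4.

```python
"""Added example (not from the slides or from NIST): a model of the Framework
Core and a Current-vs-Target Profile gap analysis with a risk- and cost-weighted
priority order.  Profiles, scores, scale and formula are constructed."""
from dataclasses import dataclass

FUNCTION_NAMES = {"ID": "Identify", "PR": "Protect", "DE": "Detect",
                  "RS": "Respond", "RC": "Recover"}


@dataclass(frozen=True)
class Subcategory:
    ident: str        # "<Function>.<Category>-<n>", e.g. "ID.AM-4"
    outcome: str      # the outcome statement
    refs: tuple       # Informative References (illustrative, not exhaustive)

    @property
    def function(self) -> str:
        return self.ident.split(".")[0]

    @property
    def category(self) -> str:
        return self.ident.split("-")[0]


# A slice of the Core (CSF v1.0 identifiers; only the SP 800-53 references are
# listed).  Step 5 lets an organization append its own Subcategories here.
CORE = {s.ident: s for s in (
    Subcategory("ID.AM-4", "External information systems are catalogued",
                ("NIST SP 800-53 Rev. 4 AC-20, SA-9",)),
    Subcategory("PR.DS-1", "Data-at-rest is protected",
                ("NIST SP 800-53 Rev. 4 SC-28",)),
    Subcategory("DE.CM-1", "The network is monitored to detect potential "
                "cybersecurity events", ("NIST SP 800-53 Rev. 4 SI-4",)),
    Subcategory("RS.AN-1", "Notifications from detection systems are investigated",
                ("NIST SP 800-53 Rev. 4 AU-6, IR-4",)),
    Subcategory("RC.RP-1", "Recovery plan is executed during or after an event",
                ("NIST SP 800-53 Rev. 4 CP-10, IR-4, IR-8",)),
)}

LEVELS = (0, 1, 2, 3)  # assumed scale: not / partially / largely / fully achieved

# Constructed Profiles (Steps 3 and 5): Subcategory -> implementation level.
CURRENT_PROFILE = {"ID.AM-4": 1, "PR.DS-1": 2, "DE.CM-1": 2, "RS.AN-1": 1, "RC.RP-1": 0}
TARGET_PROFILE = {"ID.AM-4": 3, "PR.DS-1": 3, "DE.CM-1": 2, "RS.AN-1": 3, "RC.RP-1": 2}
# Constructed Step 4 output (1 = low .. 5 = high risk if the outcome is missed)
# and a relative cost to close each gap (1 = cheap .. 5 = expensive).
RISK = {"ID.AM-4": 3, "PR.DS-1": 5, "DE.CM-1": 4, "RS.AN-1": 4, "RC.RP-1": 5}
COST = {"ID.AM-4": 2, "PR.DS-1": 4, "DE.CM-1": 1, "RS.AN-1": 2, "RC.RP-1": 3}


def validate_profile(profile: dict, core: dict = CORE) -> None:
    """Reject Profiles that name outcomes the Core does not define or use a level
    outside the scale; a silent typo here would make a real gap disappear."""
    for ident, level in profile.items():
        if ident not in core:
            raise ValueError(f"unknown Subcategory {ident!r}")
        if level not in LEVELS:
            raise ValueError(f"{ident}: level {level!r} not in {LEVELS}")


@dataclass(frozen=True)
class Gap:
    ident: str
    current: int
    target: int
    risk: int
    cost: int

    @property
    def priority(self) -> float:
        # Risk-weighted distance to the Target per unit of cost (Step 6's
        # cost/benefit view).  This formula is an assumption, not NIST's.
        return self.risk * (self.target - self.current) / self.cost


def find_gaps(current: dict, target: dict, risk: dict, cost: dict,
              core: dict = CORE) -> list:
    """Step 6: compare the Profiles and return the gaps, highest priority first.
    An outcome absent from the Current Profile counts as not achieved."""
    validate_profile(current, core)
    validate_profile(target, core)
    gaps = [Gap(i, current.get(i, 0), want, risk[i], cost[i])
            for i, want in target.items() if want > current.get(i, 0)]
    return sorted(gaps, key=lambda g: g.priority, reverse=True)


def progress_by_function(current: dict, target: dict, core: dict = CORE) -> dict:
    """Step 7 monitoring: (achieved, required) level totals per Function, the
    level at which executives read the Framework (Identify .. Recover)."""
    totals = {f: [0, 0] for f in FUNCTION_NAMES}
    for ident, want in target.items():
        f = core[ident].function
        totals[f][0] += min(current.get(ident, 0), want)
        totals[f][1] += want
    return {f: tuple(v) for f, v in totals.items()}


if __name__ == "__main__":
    for g in find_gaps(CURRENT_PROFILE, TARGET_PROFILE, RISK, COST):
        s = CORE[g.ident]
        print(f"{g.priority:4.2f}  {g.ident}  {g.current}->{g.target}  "
              f"{s.outcome}  [{'; '.join(s.refs)}]")
    for f, (have, want) in progress_by_function(CURRENT_PROFILE, TARGET_PROFILE).items():
        print(f"{FUNCTION_NAMES[f]:8s} {have}/{want}")
```

With the constructed values the action plan comes out as RS.AN-1, RC.RP-1, ID.AM-4, PR.DS-1; DE.CM-1 is already at its Target level and produces no gap. Two design points matter more than the arithmetic: an outcome missing from the Current Profile is scored as not achieved rather than ignored, and both Profiles are validated against the Core before comparison, so a mistyped identifier fails loudly instead of hiding a gap.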
  • #38: In enacting this policy, the Executive Order calls for the development of a voluntary risk-based Cybersecurity Framework – a set of industry standards and best practices to help organizations manage cybersecurity risks. The resulting Framework, created through collaboration between government and the private sector, uses a common language to address and manage cybersecurity risk in a cost-effective way based on business needs without placing additional regulatory requirements on businesses.
  • #40: The Framework is not a one-size-fits-all approach to managing cybersecurity risk for critical infrastructure. Organizations will continue to have unique risks – different threats, different vulnerabilities, different risk tolerances – and how they implement the practices in the Framework will vary. Organizations can determine activities that are important to critical service delivery and can prioritize investments to maximize the impact of each dollar spent. Ultimately, the Framework is aimed at reducing and better managing cybersecurity risks.