Implementing the CCSESA Cybersecurity Framework (CCSF) – Version 1.0
2017
CCSESA Cybersecurity Guidebook

Proud to collaborate in support of responsible technology protecting our children and employees.

CCSESA's mission is to strengthen the service and leadership capabilities of California's 58 County Superintendents in support of students, schools, districts and communities.

Empowering education through assessment and security.

Both groups are working to support the thoughtful, responsible and effective integration of education, security and technology to increase student effectiveness and achievement.

Special thanks to an advisory group that provided quality control throughout the development of this project:

• Raj Sra - Administrator, Information Systems & Technology at Fresno COE
• Justin Norcross - Chief Technology Officer at Inyo COE
• Greg Lindner - Chief Technology Officer at Los Angeles COE
• Dane Lancaster - Senior Director, Information Technology at Marin COE
• Nanette Waggoner - Director, Information Technology Services at Merced COE
• Carl Fong - Executive Director IT at Orange COE
• Karen Connaghan - Assistant Superintendent/CTO at San Diego COE
• Lorrie Owens - Administrator, Information Technology Services at San Mateo COE
• David Wu - Chief Technology Officer/Asst. Superintendent at Santa Clara COE
• Sally Savona - Division Director, Technology & Learning Resources at Stanislaus COE
• Stephen Carr - Chief Technology Officer at Ventura COE
• Mark Archon - Director, Instructional Technology Services at Fresno COE
• Vern Alvarado - Infrastructure Manager at Merced COE
• Peter Skibitzki - Director of Information Technology and Communications at Placer COE
• Richard D'Souza – Information Security Officer, Information Technology Services at Riverside COE
• David Evans - Systems Security and Research Officer at San Bernardino COE
• Mitch Hsu – Director of Technology Services at Ventura COE
• Luis Wong – CEO, K12 High Speed Network
Executive Summary

Information is a key resource for all educational institutions. Instructional technology and the information technology that supports information are increasingly all-encompassing, advanced, and connected. Because of this, information systems are constantly under attack. Destructive assaults against schools, school districts and other educational institutions point toward a renewed dedication to managing risk to an acceptable level. Many schools are stepping up to this challenge, but there is a need for help in developing roadmaps to protect educational assets. One solution is an industry-standard approach that looks toward other institutions that have been successful through a combination of manageable processes and quantitative improvements. This guidebook was developed to describe just such practices, to allow schools and school districts to better understand risk and to manage that risk. The text enables the reader to apply industry-proven methods to implement the CCSESA Cybersecurity Framework, which is built upon the legislation and presidential orders described below. Application of this framework facilitates communication about priorities and activities in simple, easy-to-understand terms, mitigating district risk. In addition to the text, accompanying e-Learning modules will guide the reader through this process.

In 2013, President Barack Obama issued Executive Order (EO) 13636, Improving Critical Infrastructure Cybersecurity. Prior to this executive order there had been several security breaches targeting financial institutions and retail establishments, resulting in significant losses. The Executive Order called for the development of a voluntary, risk-based framework centered on managing security that would have the following characteristics:

• The framework would be prioritized.
• The framework would be flexible.
• Implementation of the framework would be repeatable.
• The framework itself would be performance-based.
• The framework would be cost-effective.

The framework was developed through partnerships, including international partnerships, of both Fortune 100 and smaller organizations, among them many of the owners and operators of critical infrastructure throughout the nation. Leadership for the development of the framework was provided by the National Institute of Standards and Technology (NIST). The framework provides a risk-based approach that enables rapid, stepwise improvement of the overall security maturity within districts. CCSESA recognizes that the values closely held throughout the districts mirror the governance and management practices fostered for many years. Collaborating with a known industry standard, Control Objectives for Information and Related Technology (COBIT) 5, and aligning the key principles of the two frameworks allowed them to be melded into a single security framework that can be implemented by a variety of audiences, from small schools to large schools to County Offices of Education.

This document maps each of the NIST steps and activities developed as a result of the Executive Order, thus extending CCSESA's guidance with practical and measurable activities. Achieving the objectives prescribed in this framework will allow school districts to manage operational risk while understanding that risk in a more business-like context, enabling districts to be proactive in managing risk.
This approach provides proactive value to the stakeholders of the district by translating high-level strategic or enterprise goals into more manageable, specific objectives, rather than a simple, disconnected checklist model.

While the intention of the CCSESA Security Framework is to support educational services, it is applicable to any organization that wishes to better manage and reduce cybersecurity risk. Schools are not immune to cybersecurity attacks. Districts are connected to critical functions through various telecommunication services that can render them vulnerable to hacking and other malicious attacks. Improving the overall risk management capabilities of each member of the school district will ultimately reduce cybersecurity risk.

CCSESA's Framework provides districts with a unique and valuable understanding of how to implement the NIST Framework and correlate the indicators provided in the framework to COBIT 5 practices as well as ISO 27001 specifications. The ISO 27001 standard specifies the requirements for an information security management system (ISMS). This level of understanding is presented throughout the guidebook, together with templates provided in the form of a toolkit as part of this effort. While the NIST Framework provides references to important security controls, the CCSESA Framework helps to apply those security controls through concepts such as the COBIT goals cascade. This cascade supports the identification of needs and enterprise goals that are achieved by outcomes, which in turn depend on the successful use of the COBIT enabling processes and governance structures. By following the guidelines specified within this framework, school districts are guided to attain outcomes in a more measurable way than without the underlying processes. Use of this document can result in a district understanding potential risk and being prepared to deal with unforeseen circumstances and potential disasters, allowing it to minimize its losses in the event of a security breach or disaster.
Table of Contents

Executive Summary ... 3
Table of Contents ... 5
Section 1. Framework Implementation ... 7
  Relationship of the COBIT 5 Goals Cascade to the CCSF ... 7
  Steps of Implementation ... 10
  CSF Step 1: Prioritize and Scope ... 13
  CSF Step 2: Orient ... 17
  CSF Step 3: Create a Current Profile ... 18
  CSF Step 4: Conduct a Risk Assessment ... 22
  CSF Step 5: Create a Target Profile ... 23
  CSF Step 6: Determine, Analyze, and Prioritize Gaps ... 26
  CSF Step 7: Implement Action Plan ... 30
  CSF Action Plan Review ... 36
  CSF Lifecycle Management ... 38
Appendix A. Introduction ... 43
  Background ... 43
  Governance and Management of Enterprise Information Technology ... 45
  Introduction to the Framework for Improving Critical Infrastructure Cybersecurity ... 46
  Introduction to COBIT 5 ... 48
  COBIT 5 Governance and Management ... 49
  COBIT 5 Goals Cascade ... 49
  COBIT 5 Enablers ... 49
  COBIT 5 Process Reference Model ... 50
  COBIT 5 Implementation Guidance ... 53
  Scope and Approach ... 53
Appendix B. Introduction to NIST Cybersecurity Framework 1.0 ... 55
  Framework Background ... 55
  Coordination of Framework Implementation ... 62
  Framework Core ... 63
  Framework Implementation Tiers ... 67
  Framework Profiles ... 70
  Risk Considerations from COBIT and the CCSF ... 71
  The Risk Function Perspective (COBIT 5) ... 72
  The Risk Management Perspective ... 73
Appendix C. Communicating Cybersecurity Requirements with Stakeholders ... 75
Appendix D: Framework Core ... 76
Appendix E: CCSESA CCSF Toolkit ... 91
  Profile Metadata ... 91
  Current State Profile ... 93
  Target State Profile ... 94
  Gap Analysis ... 95
Appendix F: Considerations for Critical Infrastructure Sectors ... 97
  Role Identification ... 97
  Implementation Scope ... 97
  Risk Considerations ... 97
  Quality Management ... 97
  Threat and Vulnerability Information ... 98
  Automated Indicator Sharing ... 98
  Supply Chain Risk Management ... 99
  Current and Target Profiles ... 99
  Framework Next Steps ... 99
Section 1. Framework Implementation

The following section describes the use of CCSESA-supplied methodologies to accomplish the implementation guidance in the CCSF “How to Use” section. The CCSF and COBIT each provide seven high-level steps, or phases. These generally align, although COBIT provides a post-execution assessment (Phase 6 - Did We Get There?) and ongoing life cycle maintenance activities (Phase 7 - How Do We Keep the Momentum Going?) that are implicit, but not fully described, in the CCSF. It is important to note that implementation is not an “all or nothing” endeavor. Those adopting the processes described may select whichever ones will assist in accomplishing enterprise goals. In this sense, the processes are available to select from, not a checklist to implement.

The following text describes the use of the CCSF to accomplish the seven COBIT implementation phases, providing the following information about each phase:

• The purpose of the phase
• Key activities in the phase
• COBIT 5 practice(s) and process(es) that support application of that phase (i.e., realization of the applicable CCSF Core Category/Subcategory outcome)

The activities and processes described are informative and may help the implementation team to determine what to do for each phase, but they are not prescriptive and should be tailored to the individual district's goals and approach. Keep in mind available budget, resource expertise and implementation costs.

Relationship of the COBIT 5 Goals Cascade to the CCSF

The CCSF recognizes that, because every school district faces unique challenges and opportunities, including having numerous internal and external stakeholders, each has unique requirements for governance and management activities. These stakeholders drive requirements for the enterprise, and thus the cybersecurity risk. As those requirements are set, the district can use the COBIT 5 goals cascade to further refine them.

The COBIT 5 framework describes the goals cascade as

“the mechanism to translate stakeholder needs into specific, actionable and customized enterprise goals, IT-related goals and enabler goals. This translation allows setting specific goals at every level and in every area of the enterprise in support of the overall goals and stakeholder requirements, and thus effectively supports alignment between enterprise needs and IT solutions and services.”

The COBIT 5 goals cascade is shown in Figure 16.
The goals cascade supports the identification of stakeholder needs and enterprise goals, which themselves contribute to an understanding of the overall district drivers, such as “compliance with external laws and regulations” or “business service continuity and availability.” The achievement of enterprise goals is supported by technical outcomes, which in turn require the successful application and use of a number of enablers. The enabler concept is detailed within the COBIT 5 framework. Enablers include processes, district structures and information, and for each enabler a set of specific, relevant goals is defined in support of the technical goals. In relation to the CCSF, the enablers support activities to attain outcomes in the Core categories and subcategories.

An important note that was highlighted throughout the CCSF development exercises was that there may be layers of key stakeholders with varying enterprise goals. In the critical infrastructure community, for example, district goals may include drivers from national priorities, stakeholders from critical sector-specific agencies, or officials from sector coordinating councils. These are not unlike existing enterprise goals, such as “Compliance with external laws and regulations.”

Examining the district goals in this step should include understanding the balance of priorities between what is best for the enterprise and any external commitments, such as provisioning of critical services.
Steps of Implementation

The steps of the CCSF include the following:

1. Prioritize and Scope
2. Orient
3. Create a Current Profile
4. Conduct a Risk Assessment
5. Create a Target Profile
6. Determine, Analyze and Prioritize Gaps
7. Implement Action Plans

The phases of the COBIT 5 implementation life cycle include the following:

Phase 1 - What are the drivers?
Phase 2 - Where are we now?
Phase 3 - Where do we want to be?
Phase 4 - What needs to be done?
Phase 5 - How do we get there?
Phase 6 - Did we get there?
Phase 7 - How do we keep the momentum going?

The following pages provide considerations to review in following the 7-step process of implementing the CCSESA Cybersecurity Framework. Each step includes the relevant component of COBIT 5. The COBIT 5 references provided are coded to allow for easy look-up in the CCSF database. For example, EDM01.01 is practice 01 of process EDM01 in the Evaluate, Direct and Monitor (EDM) domain of the COBIT 5 Process Reference Model, which covers the governance of enterprise IT. A chart of the various correlations is found at the conclusion of this section.
Figure: COBIT 5 Process Reference Model
CSF Step 1: Prioritize and Scope. COBIT Phase 1 - What Are the Drivers?

The IT Governance Institute's governance guidance for Boards of Directors and Executive Management points out that

“Information security governance is the responsibility of the board of directors and senior executives.”

It must be an integral and transparent part of district governance and be aligned with the IT governance framework. To exercise effective enterprise and information security governance, boards and senior executives must have a clear understanding of what to expect from their district's information security program. Reviewers pointed out that effective alignment of business drivers with IT governance and management resulted in improved security and a better understanding of enterprise security requirements. Basing IT governance and management on the mission supports the use of language and terminology that are familiar at the executive level, rather than technical jargon and buzzwords that are misaligned with common business terms. Understanding the governance issues and benefits, in business terms, supports buy-in and commitment from senior management.

Through these methods, accomplishment of the Core outcomes through selected district goals and processes directly supports stakeholder goals and drivers, moving IT governance and management from merely a compliance exercise to a method of providing value to the district.
Implementation Considerations for CCSF Step 1

Purpose
• To obtain an understanding of the district governance approach (including risk architecture, business drivers and compliance requirements) to inform risk assessment activities and to prioritize security activity.

Inputs
• Enterprise policies, strategies, governance and business plans
• Risk architecture strategy
• Current enterprise environment and business processes
• Enterprise vision and mission statements

High-level Activities
• Identify the key executive and board-level stakeholders that authoritatively speak to mission drivers and risk appetite.
• Determine the scope to be addressed through application of the CCSF. This could be district-wide or any subsection of the district.
• Identify the district mission and/or services addressed through use of the CCSF.
• Identify the applicable risk architecture for the district and the available methods for risk identification, measurement, assessment, reporting and monitoring.
• Define roles and responsibilities for conveying prioritization and resource availability, and for implementing actions to achieve IT value.
• Determine the systems (people, processes and technology) required to attain mission goals.
• Use the COBIT 5 goals cascade to translate stakeholder needs into specific, actionable and customized enterprise goals. This effectively supports alignment between enterprise needs and the CCSF outcomes from subsequent phases, and aids in reporting progress toward goals.
• Document the prioritization decisions and the resources available for managing risk to the appropriate level. Documentation should include accountability, deadlines and reporting method.

Outcomes
• Enterprise architecture vision
• Organizational mission and drivers
• Organizational direction regarding funding and other resources
• Quality management system (QMS)
• Understanding of the district's present and future attitude toward risk and IT risk position
COBIT 5 Correlation to CCSESA Cybersecurity Framework Implementation Step 1

COBIT 5 Practice | CCSF Description
EDM01.01 | Evaluate the governance system. Continually identify and engage with the district's stakeholders, document an understanding of all requirements, and make a judgment on the current and future design of governance of the district's IT environment.
APO01 (ALL) | Provide a consistent management approach to enable the district governance requirements to be met, covering management processes, district structures, roles and responsibilities, reliable and repeatable activities, and skills and competencies.
APO02.01 | Understand enterprise direction. Consider the current enterprise environment and business processes, as well as the enterprise strategy and future objectives. Consider also the external environment of the district (drivers, regulations and basis for competition).
APO03.01 | Develop the district architectural vision. The architectural vision provides a first-cut, high-level description of the baseline and target architectures, covering the district, information, data, applications and technology domains. It provides IT directors with the key tool to sell the benefits of the proposed capability to stakeholders within the district. The architecture vision describes how the new capability will meet enterprise goals and strategic objectives and address stakeholder concerns when implemented.
APO04.02 | Maintain an understanding of the enterprise environment. Work with relevant stakeholders to understand their challenges. Maintain an adequate understanding of district strategy and the competitive environment or other constraints so that opportunities enabled by new technologies can be identified.
APO05.01 | Establish the target investment mix. Review and ensure clarity of the enterprise and IT strategies and current services. Define an appropriate investment mix based on cost, alignment with strategy and financial measures such as cost and expected ROI over the full economic life cycle, degree of risk and type of benefit for the programs in the portfolio. Adjust the enterprise and IT strategies where necessary.
APO05.02 | Determine the availability of sources of funds. Determine potential sources of funds, different funding options and the implications of the funding source on the investment return expectations.
APO05.03 | Evaluate and select programs to be funded. Based on the overall investment portfolio mix requirements, evaluate and prioritize program business cases, and decide on investment proposals. Allocate funds and initiate programs.
APO06.01 | Manage finance and accounting. Establish and maintain a method to account for all IT-related costs, investments and depreciation as an integral part of the enterprise financial systems and chart of accounts, to manage the investments and cost of IT. Capture and allocate actual costs, analyze variances between forecast and actual cost, and report using the enterprise's financial measurement systems.
APO06.02 | Prioritize resource allocation. Implement a decision-making process to prioritize the allocation of resources and rules for discretionary investments by individual business units. Include the potential use of external service providers and consider the buy, develop and rent options.
APO06.03 | Create and maintain budgets. Prepare a budget reflecting the investment priorities supporting strategic objectives, based on the portfolio of IT-enabled programs and IT services.
APO06.04 | Model and allocate costs. Establish and use an IT costing model based on the service definition, ensuring that the allocation of costs for services is identifiable, measurable and predictable, to encourage the responsible use of resources, including those provided by service providers. Regularly review and benchmark the appropriateness of the cost/chargeback model to maintain its relevance and appropriateness to the evolving business and IT activities.
APO06.05 | Manage costs. Implement a cost management process comparing actual costs to budgets. Costs should be monitored and reported and, in the case of deviations, identified in a timely manner and their impact on enterprise processes and services assessed.
APO07.01 | Maintain adequate and appropriate staffing. Evaluate staffing requirements on a regular basis or on major changes to the enterprise or operational or IT environments, to ensure that the enterprise has sufficient human resources to support enterprise goals and objectives. Staffing includes both internal and external resources.
APO08.01 | Understand business expectations. Understand current business issues and objectives and the business expectations for IT. Ensure that requirements are understood, managed and communicated, and their status agreed on and approved.
APO08.03 | Manage the business relationship. Manage the relationship with customers (business representatives). Ensure that relationship roles and responsibilities are defined and assigned, and that communication is facilitated.
APO10.01 | Identify and evaluate supplier relationships and contracts. Identify suppliers and associated contracts, then categorize them by type, significance and criticality. Establish supplier and contract evaluation criteria and evaluate the overall portfolio of existing and alternative suppliers and contracts.
CSF Step 2: Orient. COBIT Phase 2 - Where Are We Now?

Having identified the district mission and drivers that support stakeholder objectives, the district identifies the related systems and assets that enable achieving those stakeholder needs. It is important to note that the CCSF does not limit these systems and assets to purely IT; IT assets are a subset of the overall list of assets to be considered. Examples of assets to consider in the Orient step include:

• facilities in which technology resides,
• operators that ensure equipment functions safely, and
• infrastructure that delivers products to customers.

Having gained an understanding of the cascading goals, and of how the business and IT functions need to deliver value from IT in support of the enterprise goals, the district then identifies threats to, and vulnerabilities of, those systems and assets. This must be conducted with an understanding of the district's present and future attitude toward risk and IT risk position.

Before creating the Current Profile, the implementer should review the Framework Implementation Tiers as described in Figure 13, p. 68. Selection of the appropriate Tier that will attain stakeholder needs in an optimal way will establish the scale for answering the question, “Where are we now?” The goal of the process is to establish the appropriate levels of governance and management to accomplish the risk objectives defined in COBIT Phase 1 and CCSF Step 1. Selection of a Tier that is less than suitable may result in a lack of sufficient processes to address risk or to coordinate with other entities. Improper selection of the highest Tier, however, may impose costly district-wide programs and processes whose benefits are not commensurate with the Phase 1 goals. The dialogue to determine appropriate goals, Tiers and activities, in consideration of the unique organizational context, is one of the key benefits of applying this framework.
CSF Step 3: Create a Current Profile
COBIT Phase 2 — Where Are We Now? (Continuation from CCSF Step 2)
The CCSESA CCSF Core contains approximately 100 subcategories of outcomes (don't get overwhelmed), many of which are supported by one or more COBIT processes. For the CCSF, the user should create the Current Profile for all the subcategories. Viewed through the lens of the district tier, which helps inform how to accomplish an outcome, the implementer reviews each subcategory and determines the level to which that outcome has been attained to fulfill stakeholder goals. For each row in the template, determine and record the current level of achievement, as guided by the principles in the COBIT PAM (Process Assessment Model, see p. 67) and in COBIT Assessor's Guide: Using COBIT 5. The assessor's guide provides detailed criteria for determining appropriate activities to achieve the outcomes. In consideration of that guidance, select the appropriate level of achievement for each subcategory according to the scale detailed in Figure 17.
Figure 17 - Achievement Rating Scale

| Abbreviation | Description | % Achieved |
|---|---|---|
| N | Not Achieved | 0-15 |
| P | Partially Achieved | >15-50 |
| L | Largely Achieved | >50-85 |
| F | Fully Achieved | >85-100 |

Source: This table is adapted from ISO 15504-2:2003, Section 5.7.2 and is used extensively for quantifying achievement during assessment.
Appendix B provides a full COBIT Current Profile template based on the CCSESA CCSF Core, including a detailed description of the Current Profile elements in Figure B.2.
Implementation Considerations for CCSESA CCSF Steps 2 and 3
Purpose
1. To gain an understanding of the district systems and assets that enable the mission described in phase 1, determining specific IT goals for protecting those systems (in accordance with business impact requirements).
2. To understand overarching threats to, and vulnerabilities of, those systems and assets, and use the Current Profile template to record current outcome achievement levels.
Inputs
• Organizational mission and drivers
• Understanding of the cascading goals
• Statement of how business and IT function deliver value from IT
• Understanding of the district's present and future attitude toward risk and IT risk position
• Framework Implementation Tiers
High-level Activities
• Determine business and operational systems on which stakeholder drivers (as described in phase 1) depend. Determination should include any downstream dependencies for identified systems and assets.
• Ascertain availability goals and/or recovery goals for identified systems and assets in order to provide stakeholder value and fulfill district obligations (such as contractual availability requirements, critical infrastructure service requirements, and service level agreements).
• Review the Framework Implementation Tiers and record the Tier selected for the district (within the scope determined in phase 1).
• Considering the characteristics of the desired Tier, and using the COBIT 5 assessment methodology (based on ISO 15504), complete the Current Profile template, reviewing each subcategory and recording current status ranging from Not Achieved to Fully Achieved. Ensure that appropriate rationale/evidence is included for each component.
Outputs
• Threats to, and vulnerabilities of, important systems and assets
• Organizational risk assessment
• Current Profile
• IT-enabled service catalog
• Service agreements
• Availability, performance and capacity baselines for future comparison
COBIT 5 Correlation to CCSESA Cybersecurity Framework Implementation Step 2
COBIT 5 Practice
CCSF Description
APO02.01 Understand enterprise direction. Consider the current enterprise environment and business processes, as well as the enterprise strategy and future objectives. Consider also the external environment of the enterprise (industry drivers, relevant regulations, basis for competition).
APO02.02 Assess the current environment, capabilities and performance. Assess the performance of current internal business and IT capabilities and external IT services, and develop an understanding of the enterprise architecture in relation to IT. Identify issues currently being experienced and develop recommendations and areas that could benefit from improvement. Consider service provider differentiators and options and the financial impact and potential cost and benefits of using external services.
APO03.02 Define reference architecture. The reference architecture describes the current and target architectures for the business, information, data, application and technology domains.
APO04.01 Create an environment conducive to innovation. Create an environment that is conducive to innovation, considering issues such as culture, reward, collaboration, technology forums, and mechanisms to promote and capture employee ideas.
APO07.02 Identify key IT personnel. Identify key IT personnel while minimizing reliance on a single individual performing a critical job function through knowledge capture (documentation), knowledge sharing, succession planning and staff backup.
APO07.03 Maintain the skills and competencies of personnel. Define and manage the skills and competencies required of personnel. Regularly verify that personnel have the competencies to fulfill their roles based on their education, training, and/or experience, and verify that these competencies are being maintained, using qualification and certification programs where appropriate. Provide employees with ongoing learning and opportunities to maintain their knowledge, skills and competencies at a level required to achieve enterprise goals.
APO07.05 Plan and track the usage of IT and business human resources. Understand and track the current and future demand for business and IT human resources with responsibilities for enterprise IT. Identify shortfalls and provide input into sourcing plans, and enterprise, business and IT recruitment processes.
APO09.01 Identify IT services. Analyze business requirements and the way in which IT-enabled services and service levels support business processes. Discuss and agree on potential services and service levels with the business, and compare them with the current service portfolio to identify new or changed services or service level options.
APO09.02 Catalog IT-enabled services. Define and maintain one or more service catalogs for relevant target groups. Publish and maintain live IT-enabled services in the service catalog.
APO09.03 Define and prepare service agreements. Define and prepare service agreements based on the options in the service catalog. Include internal operational agreements.
APO11.02 Define and manage quality standards, practices and procedures. Identify and maintain requirements, standards, procedures and practices for key processes to guide the enterprise in meeting the intent of the agreed-on QMS. This should be in line with the IT control framework requirements. Consider certification for key processes, district units, products or services.
APO12.01 Collect data. Identify and collect relevant data to enable effective IT-related risk identification, analysis and reporting.
BAI03.11 Define IT services and maintain the service portfolio. Define and agree on new or changed IT services and service level options. Document new or changed service definitions and service level options to be updated in the services portfolio.
BAI04.01 Assess current availability, performance and capacity and create a baseline. Assess availability, performance and capacity of services and resources to ensure that cost-justifiable capacity and performance are available to support business needs and deliver against service level agreements. Create availability, performance and capacity baselines for future comparison.
BAI04.03 Plan for new or changed service requirements. Plan and prioritize availability, performance and capacity implications of changing business needs and service requirements.
BAI09.01 Identify and record current assets. Maintain an up-to-date and accurate record of all IT assets required to deliver services and ensure alignment with configuration management and financial management.
BAI09.02 Manage critical assets. Identify assets that are critical in providing service capability and take steps to maximize their reliability and availability to support business needs.
BAI10.01 Establish and maintain a configuration model. Establish and maintain a logical model of the services, assets and infrastructure and how to record configuration items (CIs) and the relationships among them. Include the CIs considered necessary to maintain services effectively and to provide a single reliable description of the assets in a service.
BAI10.02 Establish and maintain a configuration repository and baseline. Establish and maintain a configuration management repository and create controlled configuration baselines.
BAI10.03 Maintain and control configuration items. Maintain an up-to-date repository of configuration items by populating it with changes.
MEA03.01 Identify external compliance requirements. On a continuous basis, identify and monitor for changes in local and international laws, regulations and other external requirements that must be complied with from an IT perspective.
MEA03.02 Optimize response to external requirements. Review and adjust policies, principles, standards, procedures and methodologies to ensure that legal, regulatory and contractual requirements are addressed and communicated. Consider industry standards, codes of good practice and good practice guidance for adoption and adaptation.
CSF Step 4: Conduct a Risk Assessment
COBIT Phase 3 - Where Do We Want to Be?
Based on the assessed Current Profile process capability levels, an appropriate target capability level should be determined for each process. The chosen level should consider any relevant external and internal benchmarks (for example, government-provided templates or guidance). With the understanding of vulnerabilities and threats to valuable assets, as determined in phase 2, perform a comprehensive risk assessment to determine how best to protect those assets, detect and respond to attacks on them, and recover from any degradation or interruption. Managed Security Risk Assessments should be conducted by an outside agency skilled in the development of service benchmarks for security.
In addition to the two COBIT 5 processes that deal specifically with risk, EDM03 Ensure Risk Optimization and APO12 Manage Risk, there is an additional COBIT 5 guide for Risk which deals with two perspectives:
1. the risk function and
2. the risk management process.
The risk function perspective describes how to use COBIT 5 enablers to implement effective and efficient risk governance and management.
The COBIT 5 generic enablers are Stakeholders, Goals, Life-cycle and Good Practices. They provide a general perspective of what the Risk function should consider when fulfilling its responsibilities. More specific guidance can be found in the enablers themselves:
• Principles, Policies and Frameworks
• Processes
• Organizational structures
• Culture, Ethics and Behavior
• Information
• Services, Infrastructure and Applications
• People, Skills and Competencies.
The use of COBIT 5 for Risk combines this knowledge into an approach to risk management that is both effective and efficient. As with all processes, the risk management function and its processes are designed to achieve specific outcomes that align with the business goals and the district's strategic objectives. This approach combines the best practices of COSO and ISO 31000 with the COBIT 5 risk management knowledge pool to build capability in managing risk in accordance with the ISO 15504 standard for capability improvement.
CSF Step 5: Create a Target Profile
COBIT Phase 3 - Where Do We Want to Be? (Continued)
In consideration of the district's Tier, which helps inform how an outcome should be accomplished, review each of the subcategories and determine the level to which that outcome should be attained in a manner that fulfills district goals.
Using the information in Appendix B and the COBIT Target Profile template provided in the toolkit, the implementer should develop the Target Profile based on the CCSF Core, including a detailed description of the Target Profile elements.
Implementation Considerations for CCSESA CCSF Steps 4 and 5
Purpose
1. To gain an understanding of the security-specific goals for district systems and assets that enable the mission described in phase 1, to attain stakeholder risk management goals.
2. To assess risk to those systems and assets, discerning the likelihood of cybersecurity events and the potential district impact.
Inputs
• Current Profile
• Process capability levels / Framework Implementation Tiers
• Results of goals analysis / process identification
• Security-related goals for applicable systems and assets
High-level Activities
• Based on recorded security-related goals for applicable systems and assets, conduct risk analysis activities to catalog potential security risk events to those systems and assets.
• For each potential event recorded above, determine the likelihood of that potential being realized and the potential impact on the district. The CCSF notes that it is important that districts seek to incorporate emerging risk, threat and vulnerability data to facilitate a robust understanding of the likelihood and impact of cybersecurity events.
• Determine whether any Framework Core subcategories are Not Applicable to the systems and assets identified as the scope (an output from Phase 4 - What Needs to Be Done?).
• Determine whether additional categories/subcategories (as security-specific goals) should be added to the Target Profile to account for unique district risk.
• Consider the characteristics of the desired Tier description, and ensure that appropriate rationale/evidence is included for each component.
Outputs
• Catalog of potential security risk events to critical systems and assets
• Target capability level
• Comprehensive risk assessment
• Target Profile
• Business impact assessment results
• Reference architecture
COBIT 5 Correlation to CCSESA Cybersecurity Framework Implementation Steps 4 and 5
COBIT 5 Practice
CCSF Description
APO02.01 Understand enterprise direction. Consider the current enterprise environment and business processes, as well as the enterprise strategy and future objectives. Consider also the external environment of the enterprise (industry drivers, relevant regulations, basis for competition).
APO02.02 Assess the current environment, capabilities and performance. Assess the performance of current internal business and IT capabilities and external IT services, and develop an understanding of the enterprise architecture in relation to IT. Identify issues currently being experienced and develop recommendations and areas that could benefit from improvement. Consider service provider differentiators and options and the financial impact and potential cost and benefits of using external services.
APO03.02 Define reference architecture. The reference architecture describes the current and target architectures for the business, information, data, application and technology domains.
APO04.01 Create an environment conducive to innovation. Create an environment that is conducive to innovation, considering issues such as culture, reward, collaboration, technology forums, and mechanisms to promote and capture employee ideas.
APO07.02 Identify key IT personnel. Identify key IT personnel while minimizing reliance on a single individual performing a critical job function through knowledge capture (documentation), knowledge sharing, succession planning and staff backup.
APO07.03 Maintain the skills and competencies of personnel. Define and manage the skills and competencies required of personnel. Regularly verify that personnel have the competencies to fulfill their roles based on their education, training, and/or experience, and verify that these competencies are being maintained, using qualification and certification programs where appropriate. Provide employees with ongoing learning and opportunities to maintain their knowledge, skills and competencies at a level required to achieve enterprise goals.
APO07.05 Plan and track the usage of IT and business human resources. Understand and track the current and future demand for business and IT human resources with responsibilities for enterprise IT. Identify shortfalls and provide input into sourcing plans, and enterprise, business and IT recruitment processes.
APO09.01 Identify IT services. Analyze business requirements and the way in which IT-enabled services and service levels support business processes. Discuss and agree on potential services and service levels with the business, and compare them with the current service portfolio to identify new or changed services or service level options.
APO09.02 Catalog IT-enabled services. Define and maintain one or more service catalogs for relevant target groups. Publish and maintain live IT-enabled services in the service catalog.
APO09.03 Define and prepare service agreements. Define and prepare service agreements based on the options in the service catalog. Include internal operational agreements.
APO11.02 Define and manage quality standards, practices and procedures. Identify and maintain requirements, standards, procedures and practices for key processes to guide the enterprise in meeting the intent of the agreed-on QMS. This should be in line with the IT control framework requirements. Consider certification for key processes, district units, products or services.
APO12.01 Collect data. Identify and collect relevant data to enable effective IT-related risk identification, analysis and reporting.
BAI03.11 Define IT services and maintain the service portfolio. Define and agree on new or changed IT services and service level options. Document new or changed service definitions and service level options to be updated in the services portfolio.
BAI04.01 Assess current availability, performance and capacity and create a baseline. Assess availability, performance and capacity of services and resources to ensure that cost-justifiable capacity and performance are available to support business needs and deliver against service level agreements. Create availability, performance and capacity baselines for future comparison.
BAI04.03 Plan for new or changed service requirements. Plan and prioritize availability, performance and capacity implications of changing business needs and service requirements.
BAI09.01 Identify and record current assets. Maintain an up-to-date and accurate record of all IT assets required to deliver services and ensure alignment with configuration management and financial management.
BAI09.02 Manage critical assets. Identify assets that are critical in providing service capability and take steps to maximize their reliability and availability to support business needs.
BAI10.01 Establish and maintain a configuration model. Establish and maintain a logical model of the services, assets and infrastructure and how to record configuration items (CIs) and the relationships among them. Include the CIs considered necessary to maintain services effectively and to provide a single reliable description of the assets in a service.
BAI10.02 Establish and maintain a configuration repository and baseline. Establish and maintain a configuration management repository and create controlled configuration baselines.
BAI10.03 Maintain and control configuration items. Maintain an up-to-date repository of configuration items by populating it with changes.
MEA03.01 Identify external compliance requirements. On a continuous basis, identify and monitor for changes in local and international laws, regulations and other external requirements that must be complied with from an IT perspective.
MEA03.02 Optimize response to external requirements. Review and adjust policies, principles, standards, procedures and methodologies to ensure that legal, regulatory and contractual requirements are addressed and communicated. Consider industry standards, codes of good practice and good practice guidance for adoption and adaptation.
CSF Step 6: Determine, Analyze, and Prioritize Gaps
COBIT 5 Phase 4 - What Needs to Be Done?
For each of the subcategories in the Target Profile, consider the difference between the target level of achievement and the current level. The result of this gap assessment will help identify district strengths and weaknesses. COBIT 5 highlights several important considerations for this phase:
• This phase may identify some relatively easy-to-achieve improvements such as improved training, the sharing of good practices and standardizing procedures; however, the gap analysis is likely to require considerable expertise in business and IT management techniques to develop practical solutions. Experience in undertaking behavioral and district change will also be needed.
• Understanding of process techniques, advanced business and technical expertise, and knowledge of business and system management software applications and services may be needed. To ensure that this phase is executed effectively, it is important for the team to involve the business and IT process owners and other required stakeholders, engaging internal expertise. If necessary, external advice should also be obtained. Risk that will not be mitigated after closing the gaps should be identified and, if acceptable, formally accepted by management.
The opportunities for improvement should be documented in a prioritized action plan to address gaps. The plan should draw on mission drivers, cost/benefit analysis, and an understanding of impact and likelihood of risk to achieve the outcomes as described in the Target Profile. The plan should also include consideration of the resources necessary to address the gaps. Using Profiles in this manner enables the district to make informed decisions about cybersecurity activities, supports risk management, and enables the district to perform cost-effective, targeted improvements.
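As an added example (not from the guidebook or the COBIT toolkit), the following Python script applies the Figure 17 rating scale to constructed Current Profile percentages and records the Step 6 gap of each subcategory against a Target Profile, handling the band boundaries (exactly 15 is still Not Achieved), subcategories scoped out as Not Applicable, and a Target Profile row with no Current Profile rating. The subcategory labels and percentages are hypothetical sample data.

```python
"""Current-vs-Target Profile gap assessment on the Figure 17 achievement scale.

Added example, not part of the CCSESA guidebook or the COBIT toolkit; the
subcategory identifiers and percentages below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Ordinal achievement levels from Figure 17 (adapted from ISO 15504-2),
# lowest to highest.
LEVELS: List[str] = ["N", "P", "L", "F"]
LEVEL_NAMES: Dict[str, str] = {
    "N": "Not Achieved",
    "P": "Partially Achieved",
    "L": "Largely Achieved",
    "F": "Fully Achieved",
}


def rate(percent_achieved: float) -> str:
    """Map a '% achieved' value to N/P/L/F.

    The Figure 17 bands are 0-15, >15-50, >50-85 and >85-100, so each upper
    bound belongs to the lower band: exactly 15 is still 'N' and exactly 85
    is still 'L'. Values outside 0-100 are rejected rather than clamped,
    because they indicate a data-entry error in the Current Profile template.
    """
    if not 0 <= percent_achieved <= 100:
        raise ValueError(f"percent achieved out of range: {percent_achieved}")
    if percent_achieved <= 15:
        return "N"
    if percent_achieved <= 50:
        return "P"
    if percent_achieved <= 85:
        return "L"
    return "F"


@dataclass(frozen=True)
class Gap:
    subcategory: str
    current: str   # rated level from the Current Profile (Step 3)
    target: str    # desired level from the Target Profile (Step 5)
    steps: int     # target minus current, in levels; <= 0 means already met


def assess_gaps(current_profile: Dict[str, float],
                target_profile: Dict[str, Optional[str]]) -> List[Gap]:
    """Step 6: record, per subcategory, the difference between the Target
    Profile level and the Current Profile level.

    current_profile maps subcategory -> % achieved (Step 3 evidence).
    target_profile maps subcategory -> target level, or None for a
    subcategory scoped out as Not Applicable in Step 5.
    The result is sorted largest gap first: the raw input for the prioritized
    action plan (mission drivers, cost/benefit and risk likelihood/impact
    still have to be weighed by the team; this helper does not do that).
    """
    gaps: List[Gap] = []
    for sub, target in target_profile.items():
        if target is None:            # Not Applicable: nothing to record
            continue
        if target not in LEVELS:
            raise ValueError(f"{sub}: unknown target level {target!r}")
        if sub not in current_profile:
            # A Target Profile row without a Current Profile rating is a
            # template inconsistency, not a zero gap; surface it.
            raise KeyError(f"{sub}: missing from the Current Profile")
        current = rate(current_profile[sub])
        steps = LEVELS.index(target) - LEVELS.index(current)
        gaps.append(Gap(sub, current, target, steps))
    gaps.sort(key=lambda g: (-g.steps, g.subcategory))
    return gaps


def open_gaps(gaps: List[Gap]) -> List[Gap]:
    """Only the subcategories whose target lies above the current level."""
    return [g for g in gaps if g.steps > 0]


# Constructed sample profiles (hypothetical subcategory labels).
SAMPLE_CURRENT: Dict[str, float] = {
    "ID-01": 10.0, "ID-02": 15.0, "ID-03": 15.5,
    "PR-01": 50.0, "PR-02": 86.0, "DE-01": 100.0, "RS-01": 60.0,
}
SAMPLE_TARGET: Dict[str, Optional[str]] = {
    "ID-01": "L", "ID-02": "P", "ID-03": "P",
    "PR-01": "F", "PR-02": "F", "DE-01": "L", "RS-01": None,
}

if __name__ == "__main__":
    for g in assess_gaps(SAMPLE_CURRENT, SAMPLE_TARGET):
        status = f"{g.steps} level(s) to close" if g.steps > 0 else "met"
        print(f"{g.subcategory}: {LEVEL_NAMES[g.current]} -> "
              f"{LEVEL_NAMES[g.target]} ({status})")
```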
Implementation Considerations for CCSF Step 6: Determine, Analyze, and Prioritize Gaps
Purpose
To understand what actions are required to attain stakeholder goals through identification of gaps between the current and target environments and alignment with district priorities and resources.
Inputs
• Target Profile
• Process, business and technical expertise
• Resource requirements
High-level Activities
• For each subcategory listed in the Target Profile, record the difference between the desired capability level and the current state as recorded in the Current Profile, if any.
• For each subcategory where a difference between Current and Target state was recorded, utilizing COBIT 5: Enabling Processes (as included in the Framework Core), determine required activities and detailed activities. These are described in COBIT 5: Enabling Processes as the how, why and what to implement for each governance or management practice to improve IT performance and/or address IT solution and service delivery risk. Additional informative references from the Framework Core may assist with determining appropriate controls or activities.
• Reviewing the potential activities defined, determine the appropriate priority of those activities to enable optimal value realization while providing reasonable assurance that risk management practices are appropriate to ensure that the actual IT risk does not exceed the agreed-upon risk appetite.
• Determine the resources necessary to accomplish the activities described, in consideration of stakeholder guidance from phase 1 regarding available resources such as budget, personnel and expertise.
• Create and record an action plan of activities with milestones, ensuring appropriate responsibility and accountability, to achieve the desired outcomes according to the determined priorities.
Outputs
• Profile gap assessment
• Prioritized action plan
• Risk acceptance documentation
• Performance and conformance targets
Relevant COBIT 5 Practices: CCSF Step 6
COBIT 5 Practice
CCSF Description
EDM01.02 Direct the governance system. Inform leaders and obtain their support, buy-in and commitment. Guide the structures, processes and practices for the governance of IT in line with agreed-upon governance design principles, decision-making models and authority levels. Define the information required for informed decision making.
EDM02.02 Direct value optimization. Direct value management principles and practices to enable optimal value realization from IT-enabled investments throughout the full economic life cycle.
EDM03.02 Direct risk management. Direct the establishment of risk management practices to provide reasonable assurance that IT risk management practices are appropriate to ensure that the actual IT risk does not exceed the board's risk appetite.
EDM04.02 Direct resource management, ensuring the adoption of resource management principles to enable optimal use of IT resources throughout their full economic life cycle.
EDM05.02 Direct stakeholder communication and reporting, ensuring the establishment of effective stakeholder communication and reporting, including mechanisms for ensuring the quality and completeness of information, oversight of mandatory reporting, and creating a communication strategy for stakeholders.
APO02.05 Define the strategic plan and road map. Create a strategic plan that defines, in cooperation with relevant stakeholders, how IT-related goals will contribute to the enterprise's strategic goals. Include how IT will support IT-enabled investment programs, business processes, IT services and IT assets. Direct IT to define the initiatives that will be required to close the gaps, the sourcing strategy and the measurements to be used to monitor achievement of goals, then prioritize the initiatives and combine them in a high-level road map.
APO02.06 Communicate the IT strategy and direction. Create awareness and understanding of the business and IT objectives and direction, as captured in the IT strategy, through communication to appropriate stakeholders and users throughout the enterprise.
APO08.04 Coordinate and communicate. Work with stakeholders and coordinate the end-to-end delivery of IT services and solutions provided to the business.
APO11.05 Integrate quality management into solutions for development and service delivery. Incorporate relevant quality management practices into the definition, monitoring, reporting and ongoing management of solutions development and service offerings.
BAI02.04 Obtain approval of requirements and solutions. Coordinate feedback from affected stakeholders and, at predetermined key stages, obtain business sponsor or product owner approval and sign-off on functional and technical requirements, feasibility studies, risk analyses and recommended solutions.
BAI03.01 Design high-level solutions. Develop and document high-level designs using agreed-upon and appropriately phased or rapid agile development techniques. Ensure alignment with the IT strategy and enterprise architecture. Reassess and update the designs when significant issues occur during detailed design or building phases or as a solution evolves. Ensure that stakeholders actively participate in the design and approve each version.
BAI03.02 Design detailed solution components. Develop, document and elaborate detailed designs progressively using agreed-on and appropriate phased or rapid agile development techniques, addressing all components (business processes and related automated and manual controls, supporting IT applications, infrastructure services and technology products, and partners/suppliers). Ensure that the detailed design includes internal and external service level agreements (SLAs) and operating level agreements (OLAs).
BAI03.03 Develop solution components. Develop solution components progressively in accordance with detailed designs following development methods and documentation standards, quality assurance (QA) requirements, and approval standards. Ensure that all control requirements in the business processes, supporting IT applications and infrastructure services, services and technology products, and partners/suppliers are addressed.
BAI03.04 Procure solution components. Procure solution components based on the acquisition plan in accordance with requirements and detailed designs, architecture principles and standards, and the enterprise's overall procurement and contract procedures, QA requirements, and approval standards. Ensure that all legal and contractual requirements are identified and addressed by the supplier.
BAI03.05 Build solutions. Install and configure solutions and integrate with business process activities. Implement control, security and auditability measures during configuration, and during integration of hardware and infrastructural software, to protect resources and ensure availability and data integrity. Update the services catalogue to reflect the new solutions.
BAI03.06 Perform QA. Develop, resource and execute a QA plan aligned with the QMS to obtain the quality specified in the requirements definition and the enterprise's quality policies and procedures.
BAI03.07 Prepare for solution testing. Establish a test plan and required environments to test the individual and integrated solution components, including the business processes and supporting services, applications and infrastructure.
BAI03.08 Execute solution testing. Execute testing continually during development, including control testing, in accordance with the defined test plan and development practices in the appropriate environment. Engage business process owners and end users in the test team. Identify, log and prioritize errors and issues identified during testing.
BAI05.01 Establish the desire to change. Understand the scope and impact of the envisioned change and stakeholder readiness/willingness to change. Identify actions to motivate stakeholders to accept and want to make the change work successfully.
BAI05.02 Form an effective implementation team. Establish an effective implementation team by assembling appropriate members, creating trust, and establishing common goals and effectiveness measures.
BAI05.03 Communicate desired vision. Communicate the desired vision for the change in the language of those affected by it. The communication should be made by senior management and include the rationale for, and benefits of, the change; the impacts of not making the change; and the vision, the road map and the involvement required of the various stakeholders.
BAI05.04 Empower role players and identify short-term wins. Empower those with implementation roles by ensuring that accountabilities are assigned, providing training, and aligning district structures and human resources (HR) processes. Identify and communicate short-term wins that can be realized and are important from a change enablement perspective.
BAI05.05 Enable operation and use. Plan and implement all technical, operational and usage aspects such that all those who are involved in the future state environment can exercise their responsibility.
BAI05.06 Embed new approaches. Embed the new approaches by tracking implemented changes, assessing the effectiveness of the operation and use plan, and sustaining ongoing awareness through regular communication. Take corrective measures as appropriate, which may include enforcing compliance.
MEA01.01 Establish a monitoring approach. Engage with stakeholders to establish and maintain a monitoring approach to define the objectives, scope and method for measuring business solution and service delivery and contribution to enterprise objectives. Integrate this approach with the corporate performance management system.
MEA01.02 Set performance and conformance targets. Work with stakeholders to define, periodically review, update and approve performance and conformance targets within the performance measurement system.
CSF Step 7: Implement Action Plan
COBIT Phase 5 — How Do We Get There?
Phase 5 includes the actual execution of the prioritized action plan, as defined in phase 4. Action plan execution provides an opportunity for frequent stakeholder communications, which should use language and terminology appropriate for each audience. For example, IT management discussions may consider specific facilities and processes, while board and executive discussions may be more related to annualized loss expectancy or market opportunities.
Action plan execution may be gradually implemented, building on the momentum of project success, building further credibility and improving success. The execution of the action plan provides an opportunity to foster an effective risk management culture throughout the district. Performance measures and incremental metrics will help document success and support any adjustments required. Many such measures are described in the COBIT 5 processes, especially those in the Build, Acquire and Implement (BAI) and Deliver, Service and Support (DSS) domains.
Implementation Consideration: CCSF Step 7: Implement Action Plan
Purpose
To execute the plan, as defined in phase 4, to address gaps and improve security to achieve stakeholder goals in a prioritized and cost-effective manner.
Inputs
• Prioritized action plan
• Organizational mission and drivers
• Performance and conformance targets
High-level Activities
• Execute the action plan as defined in phase 4. Consider root causes and success factors from the challenges listed in the COBIT 5 implementation guide, including:
o Make small improvements to test the approach and make sure it works.
o Involve the process owners and other stakeholders in development of the improvement.
o Apply adequate training where required.
o Develop processes before attempting to automate.
o Reorganize, if required, to enable better ownership of processes.
o Match roles (specifically those that are key for successful adoption) to individual capabilities and characteristics.
o Set clear, measurable and realistic goals (outcome expected from the improvement).
o Set practical performance metrics (to monitor whether the improvement is driving achievement of goals).
o Produce scorecards showing how performance is being measured.
o Communicate in business impact terms the results and benefits being gained.
o Implement quick wins and deliver solutions in short timescales.
o Assess performance in meeting the original objectives and confirm realization of desired outcomes.
• Consider the need to redirect future activities and take corrective action.
• Assist in the resolution of significant issues, if required.
• If necessary, return to phase 3 and adjust Target Profile, Gap Assessment and Action Plan.
Outputs
• Operating procedures for implemented action items
• Performance communications reports
• Performance metrics results
Relevant COBIT 5 Practices: CCSF Step 7: Implement Action Plan
COBIT 5 Practice / CCSF Description
EDM01.02 Direct the governance system. Inform leaders and obtain their support, buy-in and commitment. Guide the structures, processes and practices for the governance of IT in line with agreed-on governance design principles, decision-making models and authority levels. Define the information required for informed decision making.
EDM02.02 Direct value optimization. Direct value management principles and practices to enable optimal value realization from IT-enabled investments throughout their full economic life cycle.
EDM03.02 Direct risk management. Direct the establishment of risk management practices to provide reasonable assurance that IT risk management practices are appropriate to ensure that the actual IT risk does not exceed the board’s risk appetite.
EDM04.02 Direct resource management. Ensure the adoption of resource management principles to enable optimal use of IT resources throughout their full economic life cycle.
EDM05.02 Direct stakeholder communication and reporting. Ensure the establishment of effective stakeholder communication and reporting, including mechanisms for ensuring the quality and completeness of information, oversight of mandatory reporting, and creating a communication strategy for stakeholders.
APO02.05 Define the strategic plan and road map. Create a strategic plan that defines, in co-operation with relevant stakeholders, how IT-related goals will contribute to the enterprise’s strategic goals. Include how IT will support IT-enabled investment programs, business processes, IT services and IT assets. Direct IT to define the initiatives that will be required to close the gaps, the sourcing strategy and the measurements to be used to monitor achievement of goals, then prioritize the initiatives and combine them in a high-level road map.
APO02.06 Communicate the IT strategy and direction. Create awareness and understanding of the business and IT objectives and direction, as captured in the IT strategy, through communication to appropriate stakeholders and users throughout the enterprise.
APO08.04 Co-ordinate and communicate. Work with stakeholders and co-ordinate the end-to-end delivery of IT services and solutions provided to the business.
APO11.05 Integrate quality management into solutions for development and service delivery. Incorporate relevant quality management practices into the definition, monitoring, reporting and ongoing management of solutions development and service offerings.
BAI02.04 Obtain approval of requirements and solutions. Co-ordinate feedback from affected stakeholders and, at predetermined key stages, obtain business sponsor or product owner approval and sign-off on functional and technical requirements, feasibility studies, risk analyses and recommended solutions.
BAI02.01 Design high-level solutions. Develop and document high-level designs using agreed-on and appropriate phased or rapid agile development techniques. Ensure alignment with the IT strategy and enterprise architecture. Reassess and update the designs when significant issues occur during detailed design or building phases or as the solution evolves. Ensure that stakeholders actively participate in the design and approve each version.
BAI03.02 Design detailed solution components. Develop, document and elaborate detailed designs progressively using agreed-on and appropriate phased or rapid agile development techniques, addressing all components (business processes and related automated and manual controls, supporting IT applications, infrastructure services and technology products, and partners/suppliers). Ensure that the detailed design includes internal and external SLAs and OLAs.
BAI03.03 Develop solution components. Develop solution components progressively in accordance with detailed designs following development methods and documentation standards, QA requirements, and approval standards. Ensure that all control requirements in the business processes, supporting IT applications and infrastructure services, services and technology products, and partners/suppliers are addressed.
BAI03.04 Procure solution components. Procure solution components based on the acquisition plan in accordance with requirements and detailed designs, architecture principles and standards, and the enterprise's overall procurement and contract procedures, QA requirements, and approval standards. Ensure that all legal and contractual requirements are identified and addressed by the supplier.
BAI03.05 Build solutions. Install and configure solutions and integrate with business process activities. Implement control, security and auditability measures during configuration, and during integration of hardware and infrastructural software, to protect resources and ensure availability and data integrity. Update the services catalogue to reflect the new solutions.
BAI03.06 Perform QA. Develop, resource and execute a QA plan aligned with the QMS (see p. 96) to obtain the quality specified in the requirements definition and the enterprise’s quality policies and procedures.
BAI03.07 Prepare for solution testing. Establish a test plan and required environments to test the individual and integrated solution components, including the business processes and supporting services, applications and infrastructure.
BAI03.08 Execute solution testing. Execute testing continually during development, including control testing, in accordance with the defined test plan and development practices in the appropriate environment. Engage business process owners and end users in the test team. Identify, log and prioritize errors and issues identified during testing.
BAI05.01 Establish the desire to change. Understand the scope and impact of the envisioned change and stakeholder readiness/willingness to change. Identify actions to motivate stakeholders to accept and want to make the change work successfully.
Relevant COBIT 5 Practices: CCSF Step 7: Implement Action Plan (continued)
COBIT 5 Practice / CCSF Description
BAI05.02 Form an effective implementation team. Establish an effective implementation team by assembling appropriate members, creating trust, and establishing common goals and effectiveness measures.
BAI05.03 Communicate desired vision. Communicate the desired vision for the change in the language of those affected by it. The communication should be made by senior management and include the rationale for, and benefits of, the change; the impacts of not making the change; and the vision, the road map and the involvement required of the various stakeholders.
BAI05.04 Empower role players and identify short-term wins. Empower those with implementation roles by ensuring that accountabilities are assigned, providing training, and aligning district structures and HR processes. Identify and communicate short-term wins that can be realized and are important from a change enablement perspective.
BAI05.05 Enable operation and use. Plan and implement all technical, operational and usage aspects such that all those who are involved in the future state environment can exercise their responsibility.
BAI05.06 Embed new approaches. Embed the new approaches by tracking implemented changes, assessing the effectiveness of the operation and use plan, and sustaining ongoing awareness through regular communication. Take corrective measures as appropriate, which may include enforcing compliance.
MEA01.01 Establish a monitoring approach. Engage with stakeholders to establish and maintain a monitoring approach to define the objectives, scope and method for measuring business solution and service delivery and contribution to enterprise objectives. Integrate this approach with the corporate performance management system.
MEA01.02 Set performance and conformance targets. Work with stakeholders to define, periodically review, update and approve performance and conformance targets within the performance measurement system.
MEA01.03 Collect and process performance and conformance data. Collect and process timely and accurate data aligned with enterprise approaches.
DSS01.01 Perform operational procedures. Maintain and perform operational procedures and operational tasks reliably and consistently.
DSS01.02 Manage outsourced IT services. Manage the operation of outsourced IT services to maintain the protection of enterprise information and reliability of service delivery.
DSS01.04 Manage the environment. Maintain measures for protection against environmental factors. Install specialized equipment and devices to monitor and control the environment.
DSS01.05 Manage facilities. Manage facilities, including power and communications equipment, in line with laws and regulations, technical and business requirements, vendor specifications, and health and safety guidelines.
DSS02.02 Record, classify and prioritize requests and incidents. Identify, record and classify service requests and incidents, and assign a priority according to business criticality and service agreements.
DSS02.03 Verify, approve and fulfill service requests. Select the appropriate request procedures and verify that the service requests fulfill defined request criteria. Obtain approval, if required, and fulfill the requests.
DSS02.04 Investigate, diagnose and allocate incidents. Identify and record incident symptoms, determine possible causes, and allocate for resolution.
DSS02.05 Resolve and recover from incidents. Document, apply and test the identified solutions or workarounds and perform recovery actions to restore the IT-related service.
DSS02.06 Close service requests and incidents. Verify satisfactory incident resolution and/or request fulfillment, and close.
DSS02.07 Track status and produce reports. Regularly track, analyze and report incident and request fulfillment trends to provide information for continual improvement.
DSS03.01 Identify and classify problems. Define and implement criteria and procedures to report problems identified, including problem classification, categorization and prioritization.
DSS03.02 Investigate and diagnose problems. Investigate and diagnose problems using relevant subject matter experts to assess and analyze root causes.
DSS03.03 Raise known errors. As soon as the root causes of problems are identified, create known-error records and an appropriate workaround, and identify potential solutions.
DSS03.04 Resolve and close problems. Identify and initiate sustainable solutions addressing the root cause, raising change requests via the established change management process if required to resolve errors. Ensure that the personnel affected are aware of the actions taken and the plans developed to prevent future incidents from occurring.
DSS03.05 Perform proactive problem management. Collect and analyze operational data (especially incident and change records) to identify emerging trends that may indicate problems. Log problem records to enable assessment.
DSS04.02 Maintain a continuity strategy. Evaluate business continuity management options and choose a cost-effective and viable continuity strategy that will ensure enterprise recovery and continuity in the face of a disaster or other major incident or disruption.
DSS04.03 Develop and implement a business continuity response. Develop a business continuity plan (BCP) based on the strategy that documents the procedures and information in readiness for use in an incident to enable the enterprise to continue its critical activities.
Relevant COBIT 5 Practices: CCSF Step 7: Implement Action Plan (continued)
COBIT 5 Practice / CCSF Description
DSS04.04 Exercise, test and review the BCP. Test the continuity arrangements on a regular basis to exercise the recovery plans against predetermined outcomes and to allow innovative solutions to be developed and help to verify over time that the plan will work as anticipated.
DSS04.05 Review, maintain and improve the continuity plan. Conduct a management review of the continuity capability at regular intervals to ensure its continued suitability, adequacy and effectiveness. Manage changes to the plan in accordance with the change control process to ensure that the continuity plan is kept up to date and continually reflects actual business requirements.
DSS04.06 Conduct continuity plan training. Provide all concerned internal and external parties with regular training sessions regarding the procedures and their roles and responsibilities in case of disruption.
DSS04.07 Manage backup arrangements. Maintain availability of business-critical information.
DSS04.08 Conduct post-resumption review. Assess the adequacy of the BCP following the successful resumption of business processes and services after a disruption.
DSS05.01 Protect against malware. Implement and maintain preventive, detective and corrective measures in place (especially up-to-date security patches and virus control) across the enterprise to protect information systems and technology from malware (e.g., viruses, worms, spyware, spam).
DSS05.02 Manage network and connectivity security. Use security measures and related management procedures to protect information over all methods of connectivity.
DSS05.03 Manage endpoint security. Ensure that endpoints (e.g., laptop, desktop, server, and other mobile and network devices or software) are secured at a level that is equal to or greater than the defined security requirements of the information processed, stored or transmitted.
DSS05.04 Manage user identity and logical access. Ensure that all users have information access rights in accordance with their business requirements and co-ordinate with business units that manage their own access rights within business processes.
DSS05.05 Manage physical access to IT assets. Define and implement procedures to grant, limit and revoke access to premises, buildings and areas according to business needs, including emergencies. Access to premises, buildings and areas should be justified, authorized, logged and monitored. This should apply to all persons entering the premises, including staff, temporary staff, clients, vendors, visitors or any other third party.
DSS05.06 Manage sensitive documents and output devices. Establish appropriate physical safeguards, accounting practices and inventory management over sensitive IT assets, such as special forms, negotiable instruments, special-purpose printers or security tokens.
DSS05.07 Monitor the infrastructure for security-related events. Using intrusion detection tools, monitor the infrastructure for unauthorized access and ensure that any events are integrated with general event monitoring and incident management.
DSS06.02 Control the processing of information. Operate the execution of the business process activities and related controls, based on enterprise risk, to ensure that information processing is valid, complete, accurate, timely, and secure (i.e., reflects legitimate and authorized business use).
DSS06.03 Manage roles, responsibilities, access privileges and levels of authority. Manage the business roles, responsibilities, levels of authority and segregation of duties needed to support the business process objectives. Authorize access to any information assets related to business information processes, including those under the custody of the business, IT and third parties. This ensures that the business knows where the data are and who is handling data on its behalf.
DSS06.04 Manage errors and exceptions. Manage business process exceptions and errors and facilitate their correction. Include escalation of business process errors and exceptions and the execution of defined corrective actions. This provides assurance of the accuracy and integrity of the business information process.
DSS06.05 Ensure traceability of information events and accountabilities. Ensure that business information can be traced to the originating business event and accountable parties. This enables traceability of the information through its life cycle and related processes. This provides assurance that information that drives the business is reliable and has been processed in accordance with defined objectives.
DSS06.06 Secure information assets. Secure information assets accessible by the business through approved methods, including information in electronic form (such as methods that create new assets in any form, portable media devices, user applications and storage devices), information in physical form (such as source documents or output reports) and information during transit. This benefits the business by providing end-to-end safeguarding of information.
MEA01.05 Ensure the implementation of corrective actions. Assist stakeholders in identifying, initiating and tracking corrective actions to address anomalies.
MEA02.02 Review business process controls effectiveness. Review the operation of controls, including a review of monitoring and test evidence, to ensure that controls within business processes operate effectively. Include activities to maintain evidence of the effective operation of controls through mechanisms such as periodic testing of controls, continuous controls monitoring, independent assessments, command and control centers, and network operations centers. This provides the business with the assurance of control effectiveness to meet requirements related to business, regulatory and social responsibilities.
Relevant COBIT 5 Practices: CCSF Step 7: Implement Action Plan (continued)
COBIT 5 Practice / CCSF Description
MEA02.03 Perform control self-assessments. Encourage management and process owners to take positive ownership of control improvement through a continuing program of self-assessment to evaluate the completeness and effectiveness of management’s control over processes, policies and contracts.
MEA02.04 Identify and report control deficiencies. Identify control deficiencies and analyze and identify their underlying root causes. Escalate control deficiencies and report to stakeholders.
MEA02.05 Ensure that assurance providers are independent and qualified. Ensure that the entities performing assurance are independent from the function, groups or districts in scope. The entities performing assurance should demonstrate an appropriate attitude and appearance, competence in the skills and knowledge necessary to perform assurance, and adherence to codes of ethics and professional standards.
MEA02.06 Plan assurance initiatives. Plan assurance initiatives based on enterprise objectives and strategic priorities, inherent risk, resource constraints, and sufficient knowledge of the enterprise.
MEA02.08 Execute assurance initiatives. Execute the planned assurance initiative. Report on identified findings. Provide positive assurance opinions, where appropriate, and recommendations for improvement relating to identified operational performance, external compliance and internal control system residual risk.
MEA03.03 Confirm external compliance. Confirm compliance of policies, principles, standards, procedures and methodologies with legal, regulatory and contractual requirements.
MEA03.04 Obtain assurance of external compliance. Obtain and report assurance of compliance and adherence with policies, principles, standards, procedures and methodologies. Confirm that corrective actions to address compliance gaps are closed in a timely manner.
CSF Action Plan Review
COBIT Phase 6 — Did We Get There?
Phase 6 provides the mechanisms to review the execution of the action plan and consider performance regarding the monitoring approach previously established (e.g., MEA01 processes from phases 4 and 5). Those implementing should consider how well the district achieved performance and conformance targets, updating ongoing improvement and communication activities in accordance with established change management processes. This review phase provides the opportunity to share both positive and negative results with stakeholders, fostering confidence in planned solutions and ensuring alignment with district drivers and goals.
Performance and conformance data may be shared with internal teams to improve subsequent processes. Appropriately sanitized risk, activity and performance results may be shared with external partners, consistent with the district’s document classification policy for public documents, to help improve general understanding of IT risk management.
Implementation Consideration: CCSF Action Plan Review
Purpose
To review application of the improved governance and management practices and confirm that the action plan delivers the expected benefits.
Inputs
• Operating procedures for implemented action items
• Communication artifacts
• Performance metrics
• Action plan status reports
High-level Activities
• Assess the activities for phase 5 to assure that improvements and additions achieve the anticipated goals and attain risk management objectives.
• Document lessons learned from implementation activities to improve future cycles and assist other districts and similar exercises.
• Identify any specific ongoing monitoring needs in support of phase 7.
Outputs
• Organizational assessment
• Corrective action reports
• Performance results to stakeholders
• Lessons learned reports
• Results information sharing
Relevant COBIT 5 Practices: CCSF Action Plan Review
COBIT 5 Practice / CCSF Description
APO02.02 Assess the current environment, capabilities and performance. Assess the performance of current internal business and IT capabilities and external IT services, and develop an understanding of the enterprise architecture in relation to IT. Identify issues currently being experienced and develop recommendations in areas that could benefit from improvement. Consider service provider differentiators and options and the financial impact of potential costs and benefits of using external services.
MEA01.05 Ensure the implementation of corrective actions. Assist stakeholders in identifying, initiating and tracking corrective actions to address anomalies.
MEA02.02 Review business process controls effectiveness. Review the operation of controls, including a review of monitoring and test evidence, to ensure that controls within the business processes operate effectively. Include activities to maintain evidence of the effective operation of controls through mechanisms such as periodic testing of controls, continuous control monitoring, independent assessments, command-and-control centers, and network operations centers. This provides the business with the assurance of control effectiveness to meet requirements related to business, regulatory and social responsibilities.
MEA02.03 Perform control self-assessments. Encourage management and process owners to take positive ownership of control improvement through a continuing program of self-assessment to evaluate the completeness and effectiveness of management’s control over processes, policies and contracts.
MEA02.04 Identify and report control deficiencies. Identify control deficiencies and analyze and identify their underlying root causes. Escalate control deficiencies and report to stakeholders.
MEA02.05 Ensure that assurance providers are independent and qualified. Ensure that the entities performing assurance are independent from the function, groups or districts in scope. The entities performing assurance should demonstrate an appropriate attitude and appearance, competence in the skills and knowledge necessary to perform assurance, and adherence to codes of ethics and professional standards.
MEA02.08 Execute assurance initiatives. Execute the planned assurance initiative. Report on identified findings. Provide positive assurance opinions, where appropriate, and recommendations for improvement relating to identified operational performance, external compliance and internal control system residual risk.
MEA03.04 Obtain assurance of external compliance. Obtain and report assurance of compliance and adherence with policies, principles, standards, procedures and methodologies. Confirm that corrective actions to address compliance gaps are closed in a timely manner.
CSF Lifecycle Management
COBIT Phase 7 - How Do We Keep the Momentum Going?
An effective framework for governance and management of IT addresses the complete life cycle of IT investment, ensuring that it creates value in alignment with enterprise objectives. Combining the CCSF principles and COBIT 5 practices helps ensure value, managing risk and supporting mission drivers in accordance with the direction and support of the executive board and district business managers.
Phase 7 provides the opportunity to close the loop for the communication workflow introduced in Section 1 - Implementation. As technical assessment is reported (such as performance metrics from the established MEA01 processes) to business process owners, they, in turn, report progress toward enterprise goals and mission priorities, using language, approaches and communications that are meaningful to executive management. Momentum, gained by progress in effective communication, drives subsequent iterations of the life cycle. Updated challenges and opportunities lead to updated risk assessments and priorities, fostering district commitment and ownership of all accountabilities and responsibilities. In this way, successful governance and management processes become institutionalized in the culture.
Implementation Consideration: CCSF Life Cycle Management
Purpose
To provide ongoing review/assessment of the overall success of the initiative, identify further governance or requirements, and support continual improvement.
Inputs
• Operating procedures
• Monitoring plan
• Performance metrics
High-level Activities
• Continually monitor the activities for phase 5 to assure that improvements and additions achieve the anticipated goals and attain risk management objectives.
• Review effectiveness of improved governance and management practices and document benefits provided.
• Document lessons learned from implementation activities to further improve future cycles and assist other districts and similar exercises.
Outputs
• Assurance of external compliance
• Lessons learned reports
• Performance results to stakeholders
• Investment portfolio performance reports
• Service level reports
• Supplier performance and compliance reports
• Customer satisfaction/QMS reports
• Information security management system
• Project performance reports against key project performance criteria
• Change control plans and results
• Ongoing status and configuration reports
Relevant COBIT 5 Practices: CCSF Life Cycle Management
COBIT 5 Practice / CCSF Description

EDM01.03 Monitor the governance system. Monitor the effectiveness and performance of the enterprise's governance of IT. Assess whether the governance system and implemented mechanisms (including structures, principles and processes) are operating effectively and provide appropriate oversight of IT.

EDM02.01 Evaluate value optimization. Continually evaluate the portfolio of IT-enabled investments, services and assets to determine the likelihood of achieving enterprise objectives and delivering value at a reasonable cost. Identify and make judgment on any changes in direction that need to be given to management to optimize value creation.

EDM02.03 Monitor value optimization. Monitor the key goals and metrics to determine the extent to which the business is generating the expected value and benefits to the enterprise from IT-enabled investments and services. Identify significant issues and consider corrective actions.

EDM03.03 Monitor risk management. Monitor the key goals and metrics of the risk management processes and establish how deviations or problems will be identified, tracked and reported for remediation.

EDM04.03 Monitor resource management. Monitor the key goals and metrics of the resource management processes and establish how deviations or problems will be identified, tracked and reported for remediation.

EDM05.03 Monitor stakeholder communication. Monitor the effectiveness of stakeholder communication. Assess mechanisms for ensuring accuracy, reliability and effectiveness, and ascertain whether the requirements of different stakeholders are met.

APO04.03 Monitor and scan the technology environment. Perform systematic monitoring and scanning of the enterprise's external environment to identify emerging technologies that have the potential to create value (e.g., by realizing the enterprise strategy, optimizing costs, avoiding obsolescence, and better enabling enterprise and IT processes). Monitor the marketplace, competitive landscape, industry sectors, and legal and regulatory trends to be able to analyze emerging technologies or innovation ideas in the enterprise context.

APO04.04 Assess the potential of emerging technologies and innovation ideas. Analyze identified emerging technologies and/or other IT innovation suggestions. Work with stakeholders to validate assumptions on the potential of new technologies and innovation.

APO04.05 Recommend appropriate further initiatives. Evaluate and monitor the results of proof-of-concept initiatives and, if favorable, generate recommendations for further initiatives and gain stakeholder support.

APO04.06 Monitor the implementation and use of innovation. Monitor the implementation and use of emerging technologies and innovations during integration, adoption and for the full economic life cycle to ensure that the promised benefits are realized and to identify lessons learned.

APO05.04 Monitor, optimize and report on investment portfolio performance. On a regular basis, monitor and optimize the performance of the investment portfolio and individual programs throughout the entire investment life cycle.

APO05.05 Maintain portfolios. Maintain portfolios of investment programs and projects, IT services and IT assets.

APO05.06 Manage benefits achievement. Monitor the benefits of providing and maintaining appropriate IT services and capabilities, based on the agreed-on and current business case.

APO07.05 Track the usage of IT and business human resources. Track the current and future demand for business and IT human resources with responsibilities for enterprise IT. Identify shortfalls and provide input into sourcing plans, enterprise and IT recruitment processes sourcing plans, and business and IT recruitment processes.

APO07.06 Manage contract staff. Ensure that consultants and contract personnel who support the enterprise with IT skills know and comply with the district's policies and meet agreed-on contractual requirements.

APO08.05 Provide input to the continual improvement of services. Continually improve and evolve IT-enabled services and service delivery to the enterprise to align with changing enterprise and technology requirements.

APO09.04 Monitor and report service levels. Monitor service levels, report on achievements and identify trends. Provide the appropriate management information to aid performance management.

APO09.05 Review service agreements and contracts. Conduct periodic reviews of the service agreements and revise when needed.

APO10.03 Manage supplier relationships and contracts. Formalize and manage the supplier relationship for each supplier. Manage, maintain and monitor contracts and service delivery. Ensure that new or changed contracts conform to enterprise standards and legal and regulatory requirements. Deal with contractual disputes.

APO10.04 Manage supplier risk. Identify and manage risk relating to suppliers' ability to continually provide secure, efficient and effective service delivery.

APO10.05 Monitor supplier performance and compliance. Periodically review the overall performance of suppliers, compliance to contract requirements, and value for money, and address identified issues.

APO11.04 Perform quality monitoring, control and reviews. Monitor the quality of processes and services on an ongoing basis as defined by the QMS. Define, plan and implement measurements to monitor customer satisfaction with quality as well as the value the QMS provides. The information gathered should be used by the process owner to improve quality.
APO11.06 Maintain continuous improvement. Maintain and regularly communicate an overall quality plan that promotes continuous improvement. This should include the need for, and benefits of, continuous improvement. Collect and analyze data about the QMS, and improve its effectiveness. Correct non-conformities to prevent recurrence. Promote a culture of quality and continual improvement.

APO13.01 Establish and maintain an information security management system (ISMS). Establish and maintain an ISMS that provides a standard, formal and continuous approach to security management for information, enabling secure technology and business processes that are aligned with business requirements and enterprise security management.

APO13.02 Maintain an information security plan that describes how information security risk is to be managed and aligned with the enterprise strategy and enterprise architecture. Ensure that recommendations for implementing security improvements are based on approved business cases and implemented as an integral part of services and solutions development, then operated as an integral part of business operation.

APO13.03 Monitor and review the ISMS. Maintain and regularly communicate the need for, and benefits of, continuous information security improvement. Collect and analyze data about the ISMS, and improve the effectiveness of the ISMS. Correct non-conformities to prevent recurrence. Promote a culture of security and continual improvement.

BAI01.06 Monitor, control and report on the program outcomes. Monitor and control program (solution delivery) and enterprise (value/outcome) performance against plan throughout the full economic life cycle of the investment. Report this performance to the program steering committee and the sponsors.

BAI01.10 Manage program and project risk. Eliminate or minimize specific risk associated with programs and projects through a systematic process of planning, identifying, analyzing, responding to, and monitoring and controlling the areas or events that have the potential to cause unwanted change. Risk faced by program and project management should be established and centrally recorded.

BAI01.11 Monitor and control projects. Measure project performance against key project performance criteria such as schedule, quality, cost and risk. Identify any deviations from the expected. Assess the impact of deviations on the project and overall program, and report results to key stakeholders.

BAI01.12 Manage project resources and work packages. Manage project work packages by placing formal requirements on authorizing and accepting work packages, and assigning and coordinating appropriate business and IT resources.

BAI03.09 Manage changes to requirements. Track the status of individual requirements (including all rejected requirements) throughout the project life cycle and manage the approval of changes to requirements.

BAI03.10 Maintain solutions. Develop and execute a plan for the maintenance of solution and infrastructure components. Include periodic reviews against business needs and operational requirements.

BAI04.04 Monitor and review availability and capacity. Monitor, measure, analyze, report and review availability, performance and capacity. Identify deviations from established baselines. Review trend analysis reports identifying any significant issues and variances, initiating actions where necessary, and ensuring that all outstanding issues are followed up.

BAI05.07 Sustain changes. Sustain changes through effective training of new staff, ongoing communication campaigns, continued top management commitment, adoption monitoring and sharing of lessons learned across the enterprise.

BAI06 (ALL) Manage all changes in a controlled manner, including standard changes and emergency maintenance relating to business processes, applications and infrastructure. This includes change standards and procedures, impact assessment, prioritization and authorization, emergency changes, tracking, reporting, closure and documentation.

BAI07 (ALL) Formally accept and make operational new solutions, including implementation planning, system and data conversion, acceptance testing, communication, release preparation, promotion to production of new or changed business processes and IT services, early production support, and a post-implementation review.

BAI08 (ALL) Maintain the availability of relevant, current, validated and reliable knowledge to support all process activities and to facilitate decision making. Plan for the identification, gathering, organizing, maintaining, use and retirement of knowledge.

BAI10.03 Maintain and control configuration items. Maintain an up-to-date repository of configuration items by populating it with changes.

BAI10.04 Produce status and configuration reports. Define and produce configuration reports on status changes of configuration items.

BAI10.05 Verify and review integrity of the configuration repository. Periodically review the configuration repository and verify completeness and correctness against the desired target.

DSS01 (ALL) Coordinate and execute the activities and operational procedures required to deliver internal and outsourced IT services, including the execution of pre-defined standard operating procedures and the required monitoring activities.

DSS02 (ALL) Provide timely and effective response to user requests and resolution of all types of incidents. Restore normal service; record and fulfill user requests; and record, investigate, diagnose, escalate and resolve incidents.
DSS03 (ALL) Identify and classify problems and their root causes and provide timely resolution to prevent recurring incidents. Provide recommendations for improvements.

DSS04 (ALL) Establish and maintain a plan to enable the business and IT to respond to incidents and disruptions in order to continue operation of critical business processes and required IT services and maintain availability of information at a level acceptable to the enterprise.

MEA01.04 Analyze and report performance. Periodically review and report performance against targets, using a method that provides a succinct all-around view of IT performance and fits within the enterprise monitoring system.

MEA01.05 Ensure the implementation of corrective actions. Assist stakeholders in identifying, initiating and tracking corrective actions to address anomalies.

MEA02 (ALL) Continuously monitor and evaluate the control environment, including self-assessments and independent assurance reviews. Enable management to identify control deficiencies and inefficiencies and to initiate improvement actions. Plan, organize and maintain standards for internal control assessment and assurance activities.
Appendix A. Introduction

Background

Security threats to educational systems are not new. County offices of education and individual school districts have been managing operational and information technology security systems and vulnerability for a number of years. The problem is that the opposition, that is, those who wish to exploit school district information, are advancing at such a rapid rate that the management of security risk and vulnerability can be, and is, overwhelming. Attacks on educational systems and the increasing rate of those attacks point towards a difficult future managing risk. This is evidenced by the increasing denial of service attacks against school districts in the past five years, which in some instances have brought the district to a standstill and affected the overall educational process. These attackers are well-organized, financially stable and can implement some very sophisticated techniques that render attempts at prevention extremely difficult. Yet schools and districts are becoming increasingly more dependent upon technology, telecommunications and overall connectivity. This trend of technology dependency does not appear to be slowing, and new technology innovations such as mobile device management, Bring Your Own Device (BYOD) and the Internet of Things (IoT) are becoming commonplace. This makes protecting educational systems against cybersecurity attacks a necessity.
To help address potential risk, mitigate security and vulnerability issues and provide overall direction, CCSESA has developed this guidebook to assist schools, districts and County Offices of Education in the implementation of the NIST Framework for Improving Critical Infrastructure Cybersecurity, better known as the Cybersecurity Framework or CSF.
While the CCSF was originally created to support infrastructure providers, the concepts, practices and procedures are very applicable to educational institutions desiring some formality in managing and reducing overall security risk. The connected nature of our school systems and the support of district-wide critical infrastructure can better be addressed through a formalized process that allows some level of structure, services and compliance. Any effort to manage overall security risk will ultimately help reduce cybersecurity attacks.
This guidebook addresses some of the technical requirements needed to apply the NIST Cybersecurity Framework, utilizing selected documents from industry standards, principles and practices, such as many of those developed by the IT Governance Institute. The anticipated audiences utilizing this guidebook to establish standards will range from Boards of Education to district/campus management, IT service personnel and district faculty. Figure 1 below identifies several of the principal roles or functions and the potential benefits they can expect from utilizing the CCSF.
Figure 1 - CSF Implementation - Target Audience and Benefits (Role / Function / Potential Benefit)

Executive - Board of Education and Executive Management
• Understanding responsibilities and roles in cybersecurity within the district.
• Better understanding of current cybersecurity posture.
• Better understanding of cybersecurity risk to the district.
• Better understanding of the cybersecurity target state to be developed.
• Understanding of actions required to close gaps between current cybersecurity posture and the target state.

Educational/Processes - IT Management
• Awareness of educational impacts.
• Understanding the relationship of educational systems and their associated risk appetite.

Educational/Processes - IT Process Management
• Understanding of educational requirements and mission objectives and their priorities.

Educational/Processes - Risk Management
• Enhanced view of the operational environment to discern the likelihood of a cybersecurity event.

Educational/Processes - Legal Experts
• Understanding of cyber threats to educational units and their mission objectives.
• Understanding of all compliance requirements for each educational unit.

Implementation/Operator - Implementation Teams
• Understanding of security controls and their importance in managing operational security risk.
• Detailed understanding of required actions to close gaps in cybersecurity requirements.

Implementation/Operator - Employees
• Understanding of cybersecurity requirements for their associated educational systems.
Governance and Management of Enterprise Information Technology

CCSESA is dedicated to supporting the knowledge and skills that help educators determine and achieve strategic goals and realize potential educational benefits through the effective and innovative use of technology. Throughout this guidebook, standard vocabulary will be used to describe the various processes, activities and planning:

• Enterprise - A group of individuals working together for a common purpose, typically within the context of an educational institution such as a school, district or County office of education.
• Organization - The structure of related or connected components of an enterprise defined by a particular scope.
• Governance - Ensures that educational needs, conditions and options are evaluated to determine balanced, agreed-on enterprise objectives to be achieved; setting direction through prioritization and decision-making; and monitoring performance and compliance against agreed-upon direction and objectives.
• Management - Planning, building, operating and monitoring activities in alignment with the directions set forth by the governance body to achieve the enterprise objectives.
The documents included within this guidebook routinely reference Information Technology or IT. When used in this context, IT refers to the technical processes and solutions involving hardware and software that enable educational functions to achieve strategic or enterprise objectives. The reader should realize that technology includes three components:

• Instructional Technology - specific technologies used in the educational processes of instructing students.
• Operational Technology - automated machinery or control systems such as environmental controls.
• Information Technology - Hardware/Software

Some of the planning and management processes described in this guidebook will be helpful in organizing, evaluating and supporting the convergence of operational technology, instructional technology and information technology. It is important that those who utilize the processes in this guidebook adopt an overall comprehensive view of technology and not isolate the technology based upon scope or process. A very broad view of enterprise technology will help support overall effective cybersecurity management in all phases of the educational process.
Introduction to the Framework for Improving Critical Infrastructure Cybersecurity

Based upon highly visible situations occurring within the security structures of our government, retail establishments and financial districts came the recognition that broad safeguards to protect these enterprises would be required to prevent compromise of critical infrastructure. Pres. Barack Obama issued Executive Order (EO) 13636¹. This directed the executive branch of the US government to collaborate with industrial and international partners to work on the following initiatives:

1. Develop a technology-neutral voluntary cybersecurity framework.
2. Promote and incentivize the adoption of cybersecurity practices.
3. Increase the volume, timeliness and quality of cyber threat information sharing.
4. Incorporate strong privacy and civil liberties protections into every initiative to secure our critical infrastructure.
5. Explore the use of existing regulation to promote cybersecurity.

In addition to EO 13636, Pres. Obama also created Presidential Policy Directive (PPD) 21: Critical Infrastructure Security and Resilience, which replaced Homeland Security Presidential Directive 7. This important change directed the Executive Branch of the US Government to take the following actions for any US critical infrastructure, such as that listed in Figure 2.

• Develop a situational awareness capability that addresses both the physical and cyber aspects of how our infrastructure is functioning, in near real time.
• Understand the cascading consequences of infrastructure failures.
• Evaluate and mature the public-private partnership.
• Update the National Infrastructure Protection Plan.
• Develop a comprehensive research and development plan.

Figure 2 - Sector-Specific Agencies As Described In PPD-21 (Sector / Sector-Specific Agency or Agencies)

Chemical - Department of Homeland Security
Commercial Facilities - Department of Homeland Security
Communications - Department of Homeland Security
Critical Manufacturing - Department of Homeland Security
Dams - Department of Homeland Security
Defense Industrial Base - Department of Defense
Emergency Services - Department of Homeland Security
Energy - Department of Energy
Financial Services - Department of the Treasury
Food and Agriculture - Departments of Agriculture and Health and Human Services
Government Facilities - Department of Homeland Security and Gen. Services Administration
Healthcare and Public Health - Department of Health and Human Services
Information Technology - Department of Homeland Security
Nuclear Reactors, Materials and Waste - Department of Homeland Security
Transportation Systems - Departments of Homeland Security and Transportation
Water and Wastewater Systems - Environmental Protection Agency

¹ Executive Order (EO) 13636 is available from the US Government Printing Office at www.gpo.gov/fdsys/pkg/FR-2013-02-19/pdf/2013-03915.pdf
Section 7 of EO 13636 directed the Secretary of Commerce to ask NIST to lead development of a framework (the CCSF) to reduce cyber risk to critical infrastructure. This framework included a set of standards, methodologies, procedures and processes that align policy, business and technological approaches to address cyber risk. The EO directs NIST to incorporate voluntary consensus standards and industry best practices, and to be consistent with voluntary international standards when such international standards will advance the objectives of the EO.

The critical success factors of the CCSF are stated in section 7 of EO 13636, which requires that the CCSF:

• Provide a prioritized, flexible, repeatable, performance-based and cost-effective approach, including information security measures and controls, to help owners and operators of critical infrastructure identify, assess and manage cyber risk.
• Focus on identifying cross-sector security standards and guidelines applicable to critical infrastructure.
• Identify areas for improvement to future collaboration with particular sectors and standards-developing districts.
• Provide guidance that is technology neutral and that enables critical infrastructure sectors to benefit from a competitive market for products and services that meet the standards, methodologies, procedures and processes developed to address cyber risk.
• Include guidance for measuring the performance of an entity in implementing the Cybersecurity Framework.
To answer these governmental directives, the National Institute of Standards and Technology (NIST) released requests for information (RFI) in 2013 asking a broad array of questions to gather relevant input from cross-sector industry partners, academia and other stakeholders. NIST requested information on how districts are currently assessing risk and threats to their district; how cybersecurity factors into that risk assessment; the current usage of existing cybersecurity frameworks, standards and guidelines; and other management practices related to cybersecurity. In addition, NIST requested information about legal/regulatory aspects of particular frameworks, standards, guidelines and/or best practices and the challenges districts perceive in meeting those requirements. Thousands of data points were assembled and analyzed by key stakeholders within the NIST Framework.
In order to clarify many of the data points received, NIST conducted several workshops to refine the feedback and generate the required reporting and preparation for RFQ development. Based on the responses to the RFI, the results of workshops and interviews, and additional commissioned research, NIST developed a Cybersecurity Framework that identified existing practices in order to help a district's risk management practices as they relate to the prevention and detection of, response to, and recovery from the various identified cybersecurity issues.
The first draft of the CCSF was released in 2014 identifying three primary components:

• Framework Core
• Framework Implementation Tiers
• Framework Profiles
The guidebook provides descriptions elsewhere. Initial responses from districts attempting to implement the framework were mixed: there was a lot of information, but not a lot of detail on how to implement the various implementation tiers and profiles. The concepts were new and not fully understood by those implementation teams tasked with the responsibility of implementing a standardized security framework. What was missing appeared to be a practical approach towards implementation. Several groups opted to integrate the NIST Framework with an existing, standardized practice designed to assist various enterprises in achieving governance objectives and IT management. This standardized practice is related to COBIT 5.
Introduction to COBIT 5

The COBIT standards have been recognized for a number of years by most enterprise districts as a comprehensive framework designed to help districts achieve governance and management objectives for IT. Several models for implementation are available, ranging from a gradual approach, starting small and building upon initial successes, to one managed for the entire enterprise taking a full end-to-end approach. Regardless of how a district approaches the implementation of the COBIT standards, optimal value from IT is obtained by maintaining a balance between benefit realization and optimizing risk and resources. The current iteration of COBIT is version 5.0. This standard is generic in nature and useful for any vertical sector market, including education of all sizes, from small school districts, to charter schools, to the largest of our school districts. The COBIT 5 product family is shown below in Figure 3.
Figure 3 - COBIT 5 Product Family
COBIT 5
COBIT 5 Enabler Guides: COBIT 5 Enabling Processes; COBIT 5 Enabling Information; Other Enabler Guides
COBIT 5 Professional Guides: COBIT 5 Implementation; COBIT 5 for Information Security; COBIT 5 for Assurance; COBIT 5 for Risk; Other Professional Guides

COBIT 5 provides a comprehensive framework assisting school districts in achieving their objectives for the governance and management of their technology program. The framework may be implemented in a gradual approach, starting small and building on initial success, or managed in a holistic manner for the entire school district, taking in the full end-to-end business and IT functional areas of responsibility. In either approach, COBIT helps enterprises create optimal value from IT by maintaining a balance between realizing benefits and optimizing risk levels and resource use. In itself, COBIT 5 is very generic and useful for enterprises of all sizes, whether school districts, County offices of education or even Higher Education.
The basis for the COBIT 5 framework is five key principles of governance and management of educational IT environments:

1. Principle 1: Meeting Stakeholder Needs (student, staff, administration and even parents)
2. Principle 2: Covering the Enterprise Technology environment (Information/Operation/Educational)
3. Principle 3: Applying a Single, Integrated Framework for all Audiences and Stakeholders
4. Principle 4: Enabling a Holistic Approach
5. Principle 5: Separating Governance from Management
Together, these five principles enable the enterprise to build an effective governance and management framework that optimizes information and technology investment and use for the benefit of educational stakeholders.
School districts exist to create value for their students. Consequently, any district will have value creation as a governance objective. Value creation means realizing benefits at an optimal resource cost while optimizing risk. Benefits can take many forms, such as financial benefits for commercial enterprises, or taxpayer benefits and improved public service for government entities.
COBIT 5 Governance and Management

The COBIT 5 framework makes a clear distinction between governance and management. These two disciplines encompass different types of activities, require different district structures and serve different purposes. The COBIT 5 view on the key distinction between governance and management is:

Governance - Governance ensures that stakeholder needs, conditions and options are evaluated to determine balanced, agreed-on enterprise objectives to be achieved; setting direction through prioritization and decision-making; and monitoring performance and compliance against agreed-on direction and objectives.

Management - Management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives.
COBIT 5 Goals Cascade

Stakeholder needs have to be transformed into a district's actionable strategy. The COBIT 5 goals cascade is the mechanism to translate stakeholder needs into specific, actionable and customized enterprise goals, IT-related goals and enabler goals. This translation allows setting specific goals at every level and in every area of the enterprise in support of the overall goals and stakeholder requirements, and thus effectively supports alignment between enterprise needs and IT solutions and services.
COBIT 5 Enablers

COBIT 5 provides a holistic and systemic view on governance and management, based on a number of enablers. Enablers are factors that, individually and collectively, influence whether something will work—in this case, governance and management over enterprise IT. Enablers are driven by the goals cascade, i.e., higher-level IT-related goals define what the different enablers should achieve.
The COBIT 5 framework describes seven categories of enablers:

1. Principles, policies and frameworks
2. Processes
3. Organizational structures
4. Culture, ethics and behavior
5. Information
6. Services, infrastructure and applications
7. People, skills and competencies

Any enterprise must always consider an interconnected set of enablers. Each enabler:
• needs the input of other enablers to be fully effective, e.g., processes need information, district structures need skills and behavior; and
• delivers output to the benefit of other enablers, e.g., processes deliver information, skills and behavior make processes efficient.
COBIT 5 Process Reference Model

Processes are one of the seven enabler categories for Governance and Management. COBIT 5 includes a process reference model, defining and describing in detail a number of governance and management processes. The model provides a process reference tool that represents all of the processes that relate to IT activities normally found in a district, offering a common reference model understandable to operational IT and business managers. The proposed process model is a complete, comprehensive model, but it is not the only possible process model. Each enterprise must define its own process set, taking into account the specific situation.

Incorporating an operational model and a common language for all parts of the district involved in IT activities is one of the most important and critical steps toward good governance. It also provides a framework for measuring and monitoring IT performance, communicating with service providers, and integrating best management practices.

COBIT 5 advocates that the district implement governance and management processes such that the key areas shown in Figure 4 are covered.
Figure 5 below shows the complete set of 37 governance and management processes within COBIT 5.
COBIT 5 Implementation Guidance
Optimal value can be realized from leveraging COBIT only if it is effectively adopted and adapted to suit each school or district's unique environment. Each implementation approach will also need to address specific challenges, including managing changes to culture and behavior.
CCSESA provides practical and extensive implementation guidance through its implementation of this framework and COBIT 5, which is based on a continual improvement life cycle. It is not intended to be a prescriptive approach nor a complete solution, but rather a guide to avoid commonly encountered pitfalls, leverage good practices and assist in the creation of successful outcomes. The guide is also supported by an implementation toolkit containing a variety of resources that will be continually enhanced. Its content includes:
• Self-assessment, measurement and diagnostic tools
• The NIST Framework in database format with implementation references
• E-Learning modules
The following are important topics covered in COBIT 5 Implementation:
1. Making a business case for the implementation and improvement of the governance and management of IT
2. Recognizing typical pain points and trigger events
3. Creating the appropriate environment for implementation
4. Leveraging COBIT to identify gaps and guide the development of enablers such as policies, processes, principles, district structures, and roles and responsibilities.
Scope and Approach
The guidance in this framework is intended to assist schools or districts with understanding the steps for Framework implementation using CCSESA and COBIT methods and approach. The guide provides processes, example templates and guidance for using the Framework to identify and achieve enterprise and district objectives for the governance and management of IT.
The information is organized as follows:
• Section 1. Framework Implementation – Describes the approach to implementation with supporting templates
• Appendix A. Introduction – Provides the background of the development of the NIST, COBIT and other frameworks and standards
• Appendix B. Introduction to NIST Cybersecurity Framework 1.0 – Provides a detailed introduction into the NIST Cybersecurity Framework 1.0 and its three components: Framework Core, Implementation Tiers and Profiles
• Appendix C. Communicating Cybersecurity Requirements with Stakeholders – Provides samples of communication strategies
• Appendix D: Framework Core – A printed copy of the CCSESA Framework Core for reference
• Appendix E: CCSESA CCSF Toolkit – Provides samples of spreadsheets and databases used in the implementation of the CCSESA Cyber Security Framework
• Appendix F: Considerations for Critical Infrastructure Sectors
Figure 6 provides an overview of this document and the location of information to answer some common questions regarding the implementation of the Framework.
Appendix B. Introduction to NIST Cybersecurity Framework 1.0
Framework Background
The NIST Cybersecurity Framework (aka CCSF) was developed in response to US Presidential Executive Order 13636, which states,
"Repeated cyber intrusions into critical infrastructure demonstrate the need for improved cybersecurity. The cyber threat to critical infrastructure continues to grow and represents one of the most serious national security challenges we must confront."
Keep in mind what was occurring just prior to the release of the EO in 2013. Some very high profile organizations such as Target, Home Depot and Michaels encountered some very highly visible security breaches resulting in the compromise of large amounts of customer data including credit card information. The organizations reacted accordingly but without a lot of direction or standardization.
The goals of the Obama Executive Order align well with the COBIT 5 framework, which recognizes that "information is a key resource for all enterprises," and "information technology is increasingly advanced and has become pervasive in enterprises and in social, public and business environments." COBIT 5 helps enterprises to create optimal value from IT by maintaining a balance between realizing benefits and optimizing risk levels and resource use. The framework enables IT to be governed and managed in a holistic manner for the entire enterprise, taking into account the full end-to-end business and IT functional areas of responsibility and considering the IT-related interests of internal and external stakeholders.
Over the next few months, staff from NIST (National Institute of Standards and Technology) met with industry partners within the SMB and Higher Ed community to consider responses to the February 2013 RFI, and further refined guidance to create a risk-based framework for reducing risk.
Participation and comment submissions included significant contribution from small- and medium-sized businesses (SMBs), and from Education (primarily Higher Ed). This input greatly improved the understanding of the challenges and root causes underlying risk. The support from SMBs and Higher Ed contributed to a broad and flexible framework. Each RFI response and each subsequent workshop comment was reviewed and analyzed by NIST. Through analysis of response coverage across critical infrastructure sectors and district types, and consideration of terms and phrases that identified key response points, NIST identified commonalities and recurring themes. These themes were leveraged and incorporated through the CCSF during its development.
Figure 7 - NIST Initial Framework Considerations
(The source figure arranges the themes below under four column headings: Categories, Framework Principles, Common Points, Initial Groups.)
Themes:
• Flexibility
• Impact on global operations
• Risk approaches
• Leverage approaches, standards and best practices
• Senior management engagement
• Understanding threat environment
• Business risk/risk assessment
• Separation of business and operational systems
• Models/levels of maturity
• Incident response
• Cybersecurity workforce
• Metrics
• Privacy/civil liberties
• Tools
• Dependencies
• Industry best practices
• Resiliency
• Critical infrastructure cybersecurity nomenclature
Source: NIST, 2013 Initial Analysis of Cybersecurity Framework RFI Responses, USA, Figure 1
The CCSF is a risk-based (vs. compliance-based) approach to managing cybersecurity risk and is comprised of three parts:
1. The Framework Core,
2. The Framework Implementation Tiers and
3. The Framework Profiles.
Each CCSF component reinforces the connection between business drivers and cybersecurity activities.
The Framework Core (detailed later in this guidebook) is a set of cybersecurity activities, desired outcomes and applicable references that are common across critical infrastructure sectors including Education.
The Framework Implementation Tiers provide context on how a district views cybersecurity risk and the processes in place to manage that risk. Tiers describe the degree to which a district's cybersecurity risk management practices exhibit the characteristics defined in the Framework (e.g., risk- and threat-aware, repeatable, and adaptive). The Tiers characterize a district's practices over a range, from Partial (Tier 1) to Adaptive (Tier 4).
A Framework Profile represents the outcomes based on business needs that a district has selected from the Framework Categories and Subcategories. The Profile can be characterized as the alignment of standards, guidelines and practices to the Framework Core in a particular implementation scenario. Profiles can be used to identify opportunities for improving cybersecurity posture by comparing a Current Profile (the "as is" state) with a Target Profile (the "to be" state).
In addition to providing a cybersecurity Framework, the Framework for Improving Critical Infrastructure Cybersecurity also provides basic implementation guidance through a seven-step process.
Step 1: Prioritize and Scope—Requests that districts scope and prioritize business/mission objectives and high-level district priorities. This information allows districts to make strategic decisions regarding the scope of systems and assets that support the selected business lines or processes within the district.
Step 2: Orient—Provides districts an opportunity to identify threats to, and vulnerabilities of, systems identified in the Prioritize and Scope step.
Step 3: Create a Current Profile—Identifies the requirement to define the current state of the district's cybersecurity program by establishing a current state profile.
Step 4: Conduct a Risk Assessment—Allows districts to conduct a risk assessment using their currently accepted methodology. The information from this step in the process is used in Step 5.
Step 5: Create a Target Profile—Allows districts to develop a risk-informed target state profile. The target state profile focuses on the assessment of the Framework Categories and Subcategories describing the district's desired cybersecurity outcomes.
Step 6: Determine, Analyze, and Prioritize Gaps—Organizations conduct a gap analysis to determine opportunities for improving the current state. The gaps are identified by overlaying the current state profile with the target state profile.
Step 7: Implement Action Plan—After the gaps are identified and prioritized, the required actions are taken to close the gaps and work toward obtaining the target state.
While hundreds of organizations provided input into the design of the Cybersecurity Framework, COBIT principles were deeply engaged in the CCSF development at each stage. Many COBIT principles are visible in the CCSF implementation steps. Figure 8 illustrates some parallels between CCSF implementation steps and COBIT 5 framework principles.
Figure 8 - Comparison of the CCSF Implementation Steps with COBIT 5 Principles (CSF Steps 1-7 paired with COBIT Principles 1-5)

Step 1: Prioritize and Scope—Requests that districts scope and prioritize business/mission objectives and high-level district priorities. This information allows districts to make strategic decisions regarding the scope of systems and assets that support the selected business lines or processes within the district.
Principle 1: Meeting Stakeholder Needs—Enterprises exist to create value for their stakeholders by maintaining a balance between the realization of benefits and the optimization of risk and use of resources. An enterprise can customize COBIT 5 to suit its own context through the goals cascade, translating high-level enterprise goals into manageable, specific goals and mapping these to specific processes and practices.

Step 2: Orient—Provides districts an opportunity to identify threats to, and vulnerabilities of, systems identified in the Prioritize and Scope step.
Step 3: Create a Current Profile—Identifies the requirement to define the current state of the district's cybersecurity program by establishing a current state profile.
Principle 2: Covering the Enterprise End-to-end—COBIT 5 integrates governance of enterprise IT into enterprise governance:
• It covers all functions and processes within the enterprise; COBIT 5 does not focus only on the "IT function," but treats information and related technologies as assets that need to be dealt with just like any other asset by everyone in the enterprise.
• It considers all IT-related governance and management enablers to be enterprise-wide and end-to-end, i.e., inclusive of everything and everyone—internal and external—that is relevant to governance and management of enterprise information and related IT.

Step 4: Conduct a Risk Assessment—Allows districts to conduct a risk assessment using their currently accepted methodology. The information from this step in the process is used in Step 5.
Principle 3: Applying a Single, Integrated Framework—There are many IT-related standards and good practices, each providing guidance on a subset of IT activities. COBIT 5 aligns with other relevant standards and frameworks at a high level, and thus can serve as the overarching framework for governance and management of enterprise IT.

Step 5: Create a Target Profile—Allows districts to develop a risk-informed target state profile. The target state profile focuses on the assessment of the Framework Categories and Subcategories describing the district's desired cybersecurity outcomes.
Principle 4: Enabling a Holistic Approach - Efficient and effective governance and management of enterprise IT require a holistic approach, taking into account several interacting components. COBIT 5 defines a set of enablers to support the implementation of a comprehensive governance and management system for enterprise IT. Enablers are broadly defined as anything that can help to achieve the objectives of the enterprise. The COBIT 5 framework defines seven categories of enablers:
1. Principles, Policies and Frameworks
2. Processes
3. Organizational Structures
4. Culture, Ethics and Behavior
5. Information
6. Services, Infrastructure and Applications
7. People, Skills and Competencies

Step 6: Determine, Analyze, and Prioritize Gaps—Organizations conduct a gap analysis to determine opportunities for improving the current state. The gaps are identified by overlaying the current state profile with the target state profile.
Principle 5: Separating Governance from Management—The COBIT 5 framework makes a clear distinction between governance and management. These two disciplines encompass different types of activities, require different district structures and serve different purposes.

Step 7: Implement Action Plan—After the gaps are identified and prioritized, the required actions are taken to close the gaps and work toward obtaining the target state.
Coordination of Framework Implementation
Another important aspect of the CCSF is its guidance regarding stakeholder communications. NIST's analysis of industry feedback during the development period indicated that risk decisions, in many districts, had alignment problems with enterprise drivers and goals. As COBIT 5 for Risk points out, when board and executive management at the enterprise level (see COBIT 5 process EDM03 - Ensure Risk Optimization) define risk capacity and risk appetite, the prioritization and approval process of risk response actions is improved.
The CCSF's common flow of information and decisions at the following levels within a district is similar to that described in COBIT 5's stakeholder roles, shown in Figure 9.
Figure 9 - Comparison of CCSF and COBIT Roles
CSF Role | COBIT 5 Roles
Executive Level | Board of Directors and Executive Management
Business/Process | Business management and business process owners
Implementation/Operations | IT management and IT process owners (e.g., head of operations, chief architect, IT security manager, business continuity management specialist) and other implementation team members
The Executive Level communicates information about district goals and mission priorities, using language, approaches and communications that are meaningful to executive management. This activity is comparable to the COBIT implementation phase "Phase 1—What Are the Drivers?" Dialogue with business management and business process owners includes definition of appropriate risk tolerances and available resources. The Business/Process level, in turn, uses the information as inputs into the risk management process, and then collaborates with the IT management and IT process owners to communicate business needs.
These two levels of management determine the current cybersecurity state using a Framework Profile template (described later in this document). The Current Profile and Target Profile provide considerations comparable to COBIT's next two implementation phases, "Phase 2—Where Are We Now?" and "Phase 3—Where Do We Want To Be?" Through comparison of the target with the current state, the implementation team is able to recommend specific and prioritized actions to achieve stakeholder goals, aligned with the phase 1 business drivers, resource requirements and district risk appetite. This action plan, comparable to COBIT implementation phases 4 and 5, "Phase 4—What Needs to Be Done?" and "Phase 5—How Do We Get There?", provides a cost-effective, agile governance of enterprise IT approach that is scalable to any size district.
As Figure 10 illustrates, the information flow is cyclical, with ongoing monitoring as a critical step. The COBIT implementation phases "Phase 6—Did We Get There?" and "Phase 7—How Do We Keep the Momentum Going?" provide important considerations to ensure ongoing, cost-effective governance and management. For example, as technical changes occur (e.g., changes to physical, process and technical assets; updated threats; discovered or remediated vulnerabilities), the implementation/operations level communicates the Profile implementation progress to the business/process level.
The business/process level uses this information to perform an impact assessment in consideration of the business drivers. Business/process level management reports the outcomes of that impact assessment to the executive level, using language and methods appropriate for board of directors/executive management communications, to inform the district's overall risk management process.
Framework Core
The Framework Core is a set of cybersecurity activities suitable for educational practices, desired outcomes and applicable references (not only educational but other SMB) that are common across critical infrastructure sectors. The Core presents industry standards, guidelines and practices in a manner that allows for communication of cybersecurity activities and outcomes across the district from the executive level (including school boards) to the implementation/operations level within the IT Department. The Framework Core consists of five concurrent and continuous Functions:
• Identify,
• Protect,
• Detect,
• Respond,
• Recover.
When considered together, these Functions provide a high-level, strategic view of the life cycle of a school district's management of cybersecurity risk. The Framework Core then identifies underlying key Categories and Subcategories for each Function, and matches them with example Informative References such as existing standards, guidelines and practices for each Subcategory, as depicted in Figure 11.
Notice the hierarchical structure of the Framework. This is best depicted in a variety of database tools, many of which are available from various locations on the web (https://www.nist.gov/cyberframework/csf-reference-tool). What is missing is a detailed breakdown of critical references, including state-specific references. The database tool provided in this toolkit contains a number of these local references. The database has been developed in Microsoft Access format to allow for easy editing and augmenting with additional resources. In addition to the database tool, an Excel version of the Core components is provided in more detail in the toolkit.
The outcomes in the Core help the reader to answer the following questions:
• What people, processes and technologies are essential to provide the right services to the right stakeholders?
• What do we need to do to protect those assets from the risk discovered in the Identify function?
• What detection capability can we implement to recognize potential or realized risk to district assets from identified risk?
• What response and recovery activities are appropriate and necessary to continue operations (albeit diminished) or restore the services described above?
The CCSF describes the five Core Functions as:
• Identify—develop the district understanding to manage cybersecurity risk to systems, assets, data and capabilities. The activities in the Identify Function are foundational for effective use of the Framework. Understanding the business context, the resources that support critical functions and the related cybersecurity risk enables a district to focus and prioritize its efforts, consistent with its risk management strategy and business needs. Examples of outcome Categories within this Function include: Asset Management; Business Environment; Governance; Risk Assessment; and Risk Management Strategy.
• Protect—develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services. The Protect Function supports the ability to limit or contain the impact of a potential cybersecurity event. Examples of outcome Categories within this Function include: Access Control; Awareness and Training; Data Security; Information Protection Processes and Procedures; Maintenance; and Protective Technology.
• Detect—develop and implement the appropriate activities to identify the occurrence of a cybersecurity event. The Detect Function enables timely discovery of cybersecurity events. Examples of outcome Categories within this Function include: Anomalies and Events; Security Continuous Monitoring; and Detection Processes.
• Respond—develop and implement the appropriate activities to take action regarding a detected cybersecurity event. The Respond Function supports the ability to contain the impact of a potential cybersecurity event. Examples of outcome Categories within this Function include: Response Planning; Communications; Analysis; Mitigation; and Improvements.
• Recover—develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event. The Recover Function supports timely recovery to normal operations to reduce the impact from a cybersecurity event. Examples of outcome Categories within this Function include Recovery Planning, Improvements, and Communications.
Each Function is comprised of one or more Categories, process-specific outcomes that support cybersecurity management. These Categories, in turn, are comprised of numerous specific Subcategories that provide process assessment to determine current state and target goals. Figure 12 below provides an overview of the Framework Categories. Please note: most depictions of the NIST Framework are "heavily" coded using 2-character codes. While this will generate some issues, it is probably the best way to depict something of this nature. Figure 12 also provides the normal coding scheme for your review. Before launching into the CCSESA Framework tool, familiarize yourself with this scheme for ease of operation.
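The Function/Category/Subcategory hierarchy and its coding scheme described here, together with the Current Profile, Target Profile and gap analysis of Steps 3, 5 and 6 earlier in this appendix, lend themselves to a small data model. The following Python is an added example and is not part of the CCSESA toolkit or the NIST reference tool. The Function and Category abbreviations it uses (ID.AM, PR.AC, DE.CM, RS.RP, RC.RP) follow the NIST two-character scheme; the outcome wording, the two profiles and the criticality weights are constructed sample data, and the priority rule (tier distance multiplied by business criticality) is this example's own choice rather than a CCSF rule.

```python
"""Current-vs-Target Profile gap analysis over Framework Core Subcategories.

Added illustration, not CCSESA toolkit code. Function/Category codes follow the
NIST two-character scheme; outcomes, profiles and weights are constructed samples.
"""
import re
from dataclasses import dataclass, field

FUNCTIONS = ("Identify", "Protect", "Detect", "Respond", "Recover")
TIER_NAMES = {1: "Partial", 2: "Risk Informed", 3: "Repeatable", 4: "Adaptive"}

# Coding scheme: two-letter Function, two-letter Category, outcome number (e.g. ID.AM-1).
CODE_RE = re.compile(r"^(ID|PR|DE|RS|RC)\.[A-Z]{2}-\d+$")


@dataclass(frozen=True)
class Subcategory:
    code: str
    function: str
    category: str
    outcome: str


@dataclass
class Profile:
    """Outcomes a district selected, each with the tier it practises (or wants) them at."""
    name: str
    tiers: dict = field(default_factory=dict)  # subcategory code -> tier 1..4


@dataclass(frozen=True)
class Gap:
    code: str
    current: int
    target: int
    priority: int


# Constructed slice of the Core: one outcome per Function, plus a second Asset
# Management outcome so that one Category shows two gaps.
CORE = [
    Subcategory("ID.AM-1", "Identify", "Asset Management", "Physical devices and systems are inventoried"),
    Subcategory("ID.AM-2", "Identify", "Asset Management", "Software platforms and applications are inventoried"),
    Subcategory("PR.AC-1", "Protect", "Access Control", "Identities and credentials are managed"),
    Subcategory("DE.CM-1", "Detect", "Security Continuous Monitoring", "The network is monitored for potential events"),
    Subcategory("RS.RP-1", "Respond", "Response Planning", "The response plan is executed during or after an event"),
    Subcategory("RC.RP-1", "Recover", "Recovery Planning", "The recovery plan is executed during or after an event"),
]

# Constructed profiles (Steps 3 and 5). RC.RP-1 was never assessed in the Current Profile.
CURRENT = Profile("Current Profile (AS-IS)",
                  {"ID.AM-1": 2, "ID.AM-2": 1, "PR.AC-1": 2, "DE.CM-1": 1, "RS.RP-1": 2})
TARGET = Profile("Target Profile (TO-BE)",
                 {"ID.AM-1": 3, "ID.AM-2": 3, "PR.AC-1": 3, "DE.CM-1": 3, "RS.RP-1": 2, "RC.RP-1": 3})
# Constructed business-criticality weights from the Step 4 risk assessment (default weight 1).
CRITICALITY = {"PR.AC-1": 3, "DE.CM-1": 2}


def validate_profile(profile, core):
    """Return codes that break the coding scheme, name no Core outcome, or carry an invalid tier."""
    known = {s.code for s in core}
    bad = [code for code, tier in profile.tiers.items()
           if not CODE_RE.match(code) or code not in known or tier not in TIER_NAMES]
    return sorted(bad)


def find_gaps(core, current, target, criticality):
    """Step 6: overlay the Current Profile on the Target Profile.

    Outcomes absent from the Target Profile are out of scope (Step 1). Outcomes never
    assessed in the Current Profile count as Tier 1 (Partial). Priority is tier
    distance times business criticality, highest first, ties broken by code.
    """
    for label, profile in (("current", current), ("target", target)):
        problems = validate_profile(profile, core)
        if problems:
            raise ValueError(f"{label} profile has invalid entries: {problems}")
    gaps = []
    for sub in core:
        wanted = target.tiers.get(sub.code)
        if wanted is None:
            continue
        have = current.tiers.get(sub.code, 1)
        if have < wanted:
            gaps.append(Gap(sub.code, have, wanted, (wanted - have) * criticality.get(sub.code, 1)))
    return sorted(gaps, key=lambda g: (-g.priority, g.code))


def gaps_by_function(core, gaps):
    """Roll the gap list up to the five Functions for executive-level reporting."""
    function_of = {s.code: s.function for s in core}
    counts = {f: 0 for f in FUNCTIONS}
    for g in gaps:
        counts[function_of[g.code]] += 1
    return counts


def action_plan(core, gaps):
    """Step 7 input: one line per gap, in priority order."""
    outcome_of = {s.code: s.outcome for s in core}
    return [f"[{g.priority}] {g.code} {TIER_NAMES[g.current]} -> {TIER_NAMES[g.target]}: {outcome_of[g.code]}"
            for g in gaps]


if __name__ == "__main__":
    found = find_gaps(CORE, CURRENT, TARGET, CRITICALITY)
    for line in action_plan(CORE, found):
        print(line)
    print(gaps_by_function(CORE, found))
```

Two design points matter in practice: an outcome missing from the Current Profile is treated as Partial rather than silently skipped, so an unassessed Subcategory surfaces as a gap instead of disappearing from the action plan, and both profiles are validated against the coding scheme before the overlay, which catches the typo'd codes that a hand-maintained spreadsheet or database accumulates.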
While many districts maintain internal processes and procedures to achieve the outcomes instantiated by the Framework Core, others requested specific guidance as to how to gain that achievement. As illustrative examples of practices which some districts use to achieve the outcomes, NIST provided informative references to cross-sector, internationally recognized guidance (including COBIT 5) that assist in accomplishing each Subcategory.
Framework Implementation Tiers
The CCSF includes several levels of Implementation Tiers (Partial / Risk Informed / Repeatable / Adaptive) that assist in conducting assessment and planning of cybersecurity activities. The Tiers describe attributes to consider when creating a Target Profile (TO-BE) or completing a Current Profile (AS-IS). The description of the Tiers is provided in detail in Figure 13. While not considered a maturity model, the Tier characteristics describe a progression from ad hoc to adaptive in three categories:
• Risk Management Process—Considers the level to which the district's cybersecurity risk management practices are formalized and institutionalized. The attributes consider the extent to which prioritization of cybersecurity activities is informed by district risk objectives, the threat environment and stakeholder requirements.
• Integrated Risk Management Program—Reviews the cybersecurity risk awareness at the district level. Levels increase as risk-informed, management-approved processes and procedures are defined and implemented and as they are adapted based on information sharing and lessons learned from previous activities.
• External Participation—Considers the level to which the district actively shares information with external partners to improve security before a security event occurs and informs those partners about indicators, observations or events.
Figure 13 - Framework Implementation Tiers (columns: Risk Management Process; Integrated Risk Management Program; External Participation)

Tier 1: Partial
Risk Management Process: Organizational cybersecurity risk management practices are not formalized, and risk is managed in an ad hoc and sometimes reactive manner. Prioritization of cybersecurity activities may not be directly informed by district risk objectives, the threat environment or business/mission requirements.
Integrated Risk Management Program: There is limited awareness of cybersecurity risk at the district level and a district-wide approach to managing cybersecurity risk has not been established. The district implements cybersecurity risk management on an irregular, case-by-case basis due to varied experience or information gained from outside sources. The district may not have processes that enable cybersecurity information to be shared within the district.
External Participation: A district may not have the processes in place to participate in coordination or collaboration with other entities.

Tier 2: Risk Informed
Risk Management Process: Risk management practices are approved by management but may not be established as district-wide policy. Prioritization of cybersecurity activities is directly informed by district risk objectives, the threat environment or business/mission requirements.
Integrated Risk Management Program: There is an awareness of cybersecurity risk at the district level but a district-wide approach to managing cybersecurity risk has not been established. Risk-informed, management-approved processes and procedures are defined and implemented, and staff has adequate resources to perform their cybersecurity duties. Cybersecurity information is shared within the district on an informal basis.
External Participation: The district understands its role in the larger ecosystem, but has not formalized its capabilities to interact and share information externally.

Tier 3: Repeatable
Risk Management Process: The district's risk management practices are formally approved and expressed as policy. Organizational cybersecurity practices are regularly updated based on the application of risk management processes to changes in business/mission requirements and a changing threat and technology landscape.
Integrated Risk Management Program: There is a district-wide approach to manage cybersecurity risk. Risk-informed policies, processes and procedures are defined, implemented as intended and reviewed. Consistent methods are in place to respond effectively to changes in risk. Personnel possess the knowledge and skills to perform their appointed roles and responsibilities.
External Participation: The district understands its dependencies and partners and receives information from these partners that enables collaboration and risk-based management decisions within the district in response to events.

Tier 4: Adaptive
Risk Management Process: The district adapts its cybersecurity practices based on lessons learned and predictive indicators derived from previous and current cybersecurity activities. Through a process of continuous improvement incorporating advanced cybersecurity technologies and practices, the district actively adapts to a changing cybersecurity landscape and responds to evolving and sophisticated threats in a timely manner.
Integrated Risk Management Program: There is a district-wide approach to managing cybersecurity risk that uses risk-informed policies, processes and procedures to address potential cybersecurity events. Cybersecurity risk management is part of the district culture and evolves from an awareness of previous activities, information shared by other sources and continuous awareness of activities on their systems and networks.
External Participation: The district manages risk and actively shares information with partners to ensure that accurate, current information is being distributed and consumed to improve cybersecurity before a cybersecurity event occurs.
The CCSF provides neither descriptive guidance regarding how to measure these attributes, nor a quantitative method to determine the applicable Tier. NIST received numerous comments during the development process, many supporting a maturity model similar to that used in the Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2) or the Carnegie-Mellon Maturity Matrix Index. Strict criteria are difficult, however, across a broad array of users, and NIST is not authoritative for deciding mandatory thresholds… you are!!!! For that reason, the Tiers are subjective, but are designed to help a district consider current risk management practices, threat environment, legal and regulatory requirements, business/mission objectives, and district constraints. The lack of a concrete measurement standard in CCSF version 1.0 is not intended to prevent such measurement; districts (and organized groups, such as critical infrastructure sectors) may develop criteria to aid in comparison and communication of Tier selection. To correct this, CCSESA recommends that districts participate in a Security Risk Assessment from a reputable security company. Using this Framework and other standards prescribed by the assessment group, an adequate profile can be developed.
The Framework Implementation Tiers are similar to COBIT's Process Capability Levels (PCLs). While PCLs are assessed (in accordance with the COBIT Process Assessment Model [PAM] publication) at the individual process, the Tiers apply to the district itself, or a sub-component of the district, depending on the scope of the implementation. Consideration of the PCLs may assist with determining the appropriate Framework Tier.
Rating the outcomes described in Figure 13 will require professional judgment by the implementer. The reasons for selecting a Tier, and for agreeing/disagreeing with an outcome statement in the Profiles, should be clearly documented so that advice can be given on areas in which the processes can be improved.
Specifically, the Tiers compare in the following ways:
Figure 13 - Comparison of CCSF Tiers to COBIT 5 Process Capability Levels (PCLs)

CSF Tier 1 - Partial: The risk management and information sharing processes are either not implemented or are not yet formal enough to provide consistent district benefit. COBIT 5 PCL 0 - Incomplete; PCL 1 - Performed.

CSF Tier 2 - Risk Informed: The outcomes are implemented in a managed fashion, informed by district risk processes and providing significant district awareness of cybersecurity risk management. COBIT 5 PCL 2 - Managed.

CSF Tier 3 - Repeatable: The managed process is implemented using a defined method that is capable of achieving intended outcomes. COBIT 5 PCL 3 - Established.

CSF Tier 4 - Adaptive: The outcomes are achieved proactively, learning from the experience of internal and external stakeholders, perhaps informed through external information sources. COBIT 5 PCL 4 - Predictable; PCL 5 - Optimizing.
The role of the Tiers in determining risk approach is closely related to COBIT's EDM03 Ensure Risk Optimization. As the district adapts its cybersecurity practices based on lessons learned and predictive indicators, and as the district or school builds an enterprise approach to risk management, the district is better able to ensure identification and management of risk to enterprise value. This in turn enables the EDM03 goals: ensuring that technology-related enterprise risk does not exceed risk appetite and risk tolerance, that the impact of technology risk to enterprise value is identified and managed, and that the potential for compliance failures is minimized.
Framework Profiles

A Framework Profile ("Profile") represents the outcomes, based on business needs, that a district has selected from the Framework Categories and Subcategories. The Profile can be characterized as the alignment of standards, guidelines and practices to the Framework Core in a particular implementation scenario. Profiles can be used to identify opportunities for improving cybersecurity posture by comparing a Current Profile (the "as is" state) with a Target Profile (the "to be" state). This is referred to as the AS-IS/TO-BE Transformation.

To develop a Profile, a district can review each of the Core Categories and Subcategories and, based on business drivers and a risk assessment (usually conducted through a third party), determine which are most important; the district adds Categories and Subcategories as needed to address its risk. The Current Profile can then be used to support prioritization and measurement of progress toward the Target Profile, factoring in business needs including cost-effectiveness and innovation. The same comparison supports a business case for additional investment in security technology (hardware, processes and people). Profiles are commonly used to conduct self-assessments and to communicate within a district or between districts.
To assist districts in adopting and implementing the CCSF, the next section of this guidebook lays out a recommended seven-step implementation process. Each step is a precursor to the following step, although some districts may conduct some steps in a different order. For example, a district may adopt a Target Profile before performing a Current Profile, or might perform a risk assessment before developing a Current Profile. These steps, summarized here and with detailed implementation recommendations described later in this guide, should be repeated as necessary to continuously improve a district's cybersecurity and risk avoidance.
Risk Considerations from COBIT and the CCSF

Maintaining an understanding of enterprise security risk is a key component of the CCSF. Step four of the CCSF implementation process includes the requirement for performing a risk assessment. Risk assessments provide stakeholders and managers an opportunity to weigh security vulnerabilities, threats to the enterprise and technologies against operational requirements. Risk assessments assist in defining the Subcategories required to adequately mitigate the risk to the district and in identifying the rigor with which the mitigation should be applied. The rigor for implementing cybersecurity controls is expressed through the Implementation Tiers as described in this guidebook.

The Institute of Risk Management (IRM) defines risk as "the combination of the probability of an event and its consequence. Consequences can range from positive to negative." The International Organization for Standardization defines risk in the internationally recognized ISO Guide 73 as the "effect of uncertainty on objectives," noting that an effect may be positive, negative or a deviation from the expected. In the context of applying the CCSF, then, the primary consequence to be considered is the effect on the likelihood of achieving stakeholder goals. Similarly, COBIT 5 for Risk defines IT risk as business risk, specifically the business risk associated with the use, ownership, operation, involvement, influence and adoption of IT within an enterprise. IT risk consists of IT-related events that could potentially impact the business. IT risk can occur with both uncertain frequency and uncertain impact, and creates challenges in meeting strategic goals and objectives. IT risk always exists, whether or not it is recognized by an enterprise.

As described in COBIT 5 for Risk and illustrated in Figure 14, managed risk enables business drivers, enhances opportunities, and provides executives and managers with an understanding of the security strengths and weaknesses within the district. When risk is poorly managed, business value is reduced, IT is misused, and executives and managers are unaware of potential security threats and vulnerabilities that could lead to lost revenue or reputation.
The Risk Function Perspective (COBIT 5)

COBIT 5 is an end-to-end framework that considers optimization of risk as a key value objective. COBIT 5 considers governance and management of risk as part of the overall governance and management for IT. For each enabler, the risk function perspective describes how the enabler contributes to the overall risk governance and management function. For example, which:

• Processes are required to define and sustain the risk function, govern and manage risk — EDM01, APO01, etc.
• Information flows are required to govern and manage risk — risk universe, risk profile, etc.
• Organizational structures are required to govern and manage risk — ERM committee, risk function, etc.

Sections 2 through 8 of COBIT 5 for Risk contain examples for each enabler. These examples are further elaborated in Appendix B of COBIT 5 for Risk. The details of the full scope of COBIT 5 for Risk are provided in Figure 15.
COBIT 5 for Risk provides specific guidance related to all enablers:

1. Risk principles, policies and frameworks
2. Processes, including risk-function-specific details and activities
3. Risk-specific district structures
4. In terms of culture, ethics and behavior, the factors determining the success of risk governance
5. Risk-specific information types for enabling risk governance and management within the enterprise
6. With regard to services, infrastructure and applications, the service capabilities required to provide risk and related functions to an enterprise
7. For the people, skills and competencies enabler, the skills and competencies specific to risk

The Risk Management Perspective

The risk management perspective addresses governance and management, i.e., how to identify, analyze and respond to risk and how to use the COBIT 5 framework for that purpose. This perspective requires the core risk processes (COBIT 5 processes EDM03 Ensure risk optimization and APO12 Manage risk) to be implemented.

The CCSF leverages the risk assessment process to define how districts will implement each Core Subcategory. Completing a risk assessment provides an understanding of the likelihood that a risk event will occur and what the resulting impact will be. For each potential event recorded above, determine the likelihood of that event occurring and the impact if it occurred. Districts may choose to complete a separate risk assessment for each business area and aggregate the information to form an enterprise risk assessment.

For some districts, a separate risk assessment may be conducted for each business area (e.g. human resources, accounting, customer support) as defined by the Prioritize and Scope step. Separate risk assessments allow separate Target Profiles, so that the risk for each business area is addressed without overcompensating. The enterprise risk assessment provides a baseline to ensure that a minimum threshold is defined. This ensures that less sensitive business areas are not neglected and thus do not provide an avenue of attack for malicious users.

After the risk assessment is complete, districts can determine the acceptable level of risk for IT assets and systems, expressed as their risk tolerance, budget and resources. The risk tolerance is used to define the controls required for each Subcategory and the rigor required for implementing the control, by defining the target state Profile.
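The procedure just described (score each recorded event by likelihood and impact, keep a separate assessment per business area, roll the areas up into an enterprise assessment with a minimum baseline, then derive a Target Profile and the AS-IS/TO-BE gaps against the Current Profile) is easy to get wrong when done by hand in a spreadsheet, in particular the baseline floor and the roll-up. The following Python script is an added worked example of that procedure; it is not part of the CCSF toolkit or of this guidebook. The business areas, risk events, the 1 to 5 likelihood and impact scales, the risk tolerance of 8, the baseline Tier of 2 and the mapping from score to Tier are all constructed assumptions for illustration.

```python
"""Profile gap analysis driven by per-business-area risk assessments.

Added illustration of the AS-IS/TO-BE process; not part of the CCSF toolkit.
Business areas, events, 1-5 scales, tolerance, baseline and the score-to-Tier
mapping are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

TIERS = {1: "Partial", 2: "Risk Informed", 3: "Repeatable", 4: "Adaptive"}


@dataclass(frozen=True)
class RiskEvent:
    business_area: str
    subcategory: str   # Core Subcategory whose controls mitigate this event
    description: str
    likelihood: int    # 1 (rare) .. 5 (almost certain); assumed scale
    impact: int        # 1 (negligible) .. 5 (severe); assumed scale

    @property
    def score(self) -> int:
        # Likelihood x impact, recorded per event as the guidebook asks.
        return self.likelihood * self.impact


def target_tier(score: int, tolerance: int, baseline: int) -> int:
    """Assumed mapping from risk score to the rigor (Tier) the target state needs:
    at or under tolerance -> baseline Tier; up to 2x tolerance -> at least Tier 3;
    anything higher -> Tier 4."""
    if score <= tolerance:
        return baseline
    if score <= 2 * tolerance:
        return max(baseline, 3)
    return 4


def area_risk(events: Iterable[RiskEvent]) -> Dict[str, Dict[str, int]]:
    """Per business area, the worst score recorded against each Subcategory."""
    out: Dict[str, Dict[str, int]] = {}
    for e in events:
        scores = out.setdefault(e.business_area, {})
        scores[e.subcategory] = max(scores.get(e.subcategory, 0), e.score)
    return out


def enterprise_risk(events: Iterable[RiskEvent], in_scope: List[str]) -> Dict[str, int]:
    """Roll the area assessments up: highest score any area recorded per Subcategory.
    In-scope Subcategories with no recorded event score 0 (they still get the baseline)."""
    worst = {sub: 0 for sub in in_scope}
    for scores in area_risk(events).values():
        for sub, score in scores.items():
            worst[sub] = max(worst.get(sub, 0), score)
    return worst


def target_profile(scores: Dict[str, int], tolerance: int, baseline: int) -> Dict[str, int]:
    """Target Profile: a Tier per Subcategory, never below the enterprise baseline."""
    return {sub: target_tier(score, tolerance, baseline) for sub, score in scores.items()}


def area_target_profiles(events, in_scope, tolerance, baseline):
    """One Target Profile per business area, each floored at the enterprise baseline
    so a low-risk area still meets the minimum threshold."""
    return {
        area: target_profile({sub: scores.get(sub, 0) for sub in in_scope}, tolerance, baseline)
        for area, scores in area_risk(events).items()
    }


def gap_analysis(current: Dict[str, int], target: Dict[str, int],
                 risk: Dict[str, int]) -> List[Tuple[str, int, int, int]]:
    """AS-IS/TO-BE gaps as (subcategory, current, target, priority),
    prioritized by (Tiers to climb) x (enterprise risk score)."""
    gaps = []
    for sub, tgt in target.items():
        cur = current.get(sub, 1)  # an unassessed Subcategory is treated as Partial
        if tgt > cur:
            gaps.append((sub, cur, tgt, (tgt - cur) * risk[sub]))
    return sorted(gaps, key=lambda g: g[3], reverse=True)


# Constructed sample data for a small district (not real assessment results).
IN_SCOPE = ["ID.AM-1", "PR.AC-4", "PR.DS-1", "PR.IP-4", "DE.AE-1"]
SAMPLE_EVENTS = [
    RiskEvent("Student Information", "PR.DS-1", "Unencrypted student records on file server", 4, 5),
    RiskEvent("Student Information", "PR.AC-4", "Office staff accounts hold domain admin rights", 3, 5),
    RiskEvent("Human Resources", "PR.DS-1", "Payroll export kept on a shared drive", 3, 4),
    RiskEvent("Human Resources", "PR.IP-4", "Backups never test-restored", 2, 4),
    RiskEvent("Facilities", "DE.AE-1", "No traffic baseline for HVAC controllers", 2, 2),
]
CURRENT_PROFILE = {"ID.AM-1": 3, "PR.AC-4": 2, "PR.DS-1": 1, "PR.IP-4": 2, "DE.AE-1": 1}
TOLERANCE = 8   # assumed: scores above this exceed the district's risk tolerance
BASELINE = 2    # assumed: enterprise minimum Tier for every in-scope Subcategory


def run_example() -> List[Tuple[str, int, int, int]]:
    risk = enterprise_risk(SAMPLE_EVENTS, IN_SCOPE)
    return gap_analysis(CURRENT_PROFILE, target_profile(risk, TOLERANCE, BASELINE), risk)


if __name__ == "__main__":
    for sub, cur, tgt, prio in run_example():
        print(f"{sub}: Tier {cur} ({TIERS[cur]}) -> Tier {tgt} ({TIERS[tgt]}), priority {prio}")
```

Two design choices are worth noting. The roll-up takes the maximum score across areas rather than the average, so one high-risk business area cannot be diluted by several low-risk ones; and the baseline floor is applied inside target_tier, which is why a Subcategory with no recorded event (here ID.AM-1, and every Subcategory in the Facilities area other than DE.AE-1) still lands at Tier 2 rather than being dropped. A Current Profile that already exceeds the target (ID.AM-1 at Tier 3 here) is not reported as a gap; the script never recommends lowering rigor.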
Appendix C. Communicating Cybersecurity Requirements with Stakeholders

An important component of both the CCSF and the COBIT 5 framework involves the governance and management of suppliers and business partners. A single district may involve dozens of external stakeholders and supply chain/service providers. Each of these stakeholders brings opportunities to fulfill enterprise and IT-related goals; they also add additional vulnerability and potential risk to be considered. Implementation of the CCSF using COBIT principles and processes provides a common language to communicate stakeholder needs and requirements.

The resulting process enables IT to be governed and managed in a holistic manner for the entire enterprise, supporting the primary district as well as its supply chain partners in applying an integrated framework. Many COBIT 5 practices include supplier components, guided by many elements of APO10 Manage suppliers. Specific examples of using the CCSF through COBIT 5 with external business partners include:

• Document supplier management aspects. Cooperative agreements provide an opportunity to document the drivers, risk agreements and goals, using a subset of the processes in phase 1 (Section 3).
• Record the result of supplier/partner assessments using the Current Profile template. Alignment around this CCSF/COBIT model supports COBIT's principle of a single integrated framework model to record and communicate goals and performance.
• Record expectations and requirements through use of the Target Profile template described in Section 3, phase 3. This model is helpful for conveying specific governance and management obligations, for example to a cloud provider to which the district is exporting data.

Harmonization of processes and communications for both internal and external stakeholders improves consistency and simplifies tracking and reporting. Through use of common templates and communication practices, a holistic approach to governance and management of IT helps ensure that goals are aligned and effective.
Appendix D: Framework Core

As described in Appendix B, the Framework Core provides a set of activities to achieve specific cybersecurity outcomes and references examples of guidance to achieve those outcomes. The Core is not a checklist of actions to perform. It presents key cybersecurity outcomes identified by industry as helpful in managing cybersecurity risk. The Core comprises four elements: Functions, Categories, Subcategories and Informative References.

The following table represents the Framework Core as provided in Appendix A of the NIST Framework for Improving Critical Infrastructure Cybersecurity. This table is provided for reference only. Actual functionality is provided by the Toolkit CCSF database. You can click on the links to locate the information quickly.

A large poster is included as part of the toolkit.
Function Category Subcategory InformationReferencesIden
tify(ID
)
AssetManagement(ID.AM):Thedata,personnel,devices,systems,
andfacilitiesthatenablethe
districttoachievebusiness
purposesareidentifiedand
managedconsistentwiththe
relativeimportancetobusiness
objectivesinthedistrict'srisk
strategy.
ID.AM-1:Physicaldevicesandsystems
withinthedistrictareinventoried.
• CCSCSC1
• COBIT5BAI09.01,BAI09.02
• ISA624438–22–1:20094.2.3.4
• ISA62443.3–3:2013SR7.8
• ISA/IEC27001:20138.8.1.1,8.8.1.2
• NISTSP800–53REV.4CM-8
ID.AM-2:Softwareplatformsand
applicationswithinthedistrictor
inventory
• CCSCSC2
• COBIT5BAI09.01,BAI09.02,BAI09.05
• ISA62443–2–1:20094.2.3.4
• ISA62443.3–3:2013SR7.8
• ISO/IEC27001:2013A.8.1.1,A.8.1.2
• NISTSP800–53REV.4CM
ID.AM-3:Organizationalcommunicationanddataflowsare
mapped
• CCS CSC 1 • COBIT 5 DSS05.02 • ISA 62443-2-1:2009 4.2.3.4 • ISO/IEC 27001:2013 A.13.2.1 • NIST SP 800-53 Rev. 4 AC-4, CA-3, CA-9, PL-8
ID.AM-4:Externalinformationsystems
arecatalogued.• CCS CSC 1 • COBIT 5 DSS05.02 • ISA 62443-2-1:2009 4.2.3.4 • ISO/IEC 27001:2013 A.13.2.1 • NIST SP 800-53 Rev. 4 AC-4, CA-3, CA-9, PL-8
ID.AM-5:Resources(suchashardware,devices,dataandsoftware)
areprioritizedbasedonthe
classification,criticality,andbusiness
value.
• COBIT 5 APO02.02 • ISO/IEC 27001:2013 A.11.2.6 • NIST SP 800-53 Rev. 4 AC-20, SA-9
ID.AM-6:Cybersecurityrolesandresponsibilitiesfortheentire
workforceandthird-party
stakeholderssuchassuppliers,
customers,andpartnersare
established.
• COBIT 5 APO01.02, DSS06.03 • ISA 62443-2-1:2009 4.3.2.3.3 • ISO/IEC 27001:2013 A.6.1.1
![Page 78: 2017 - CCSESA · The following text describes the use of the CCSF to accomplish the seven COBIT implementation phases, providing the following information about each phase: • The](https://reader034.vdocuments.net/reader034/viewer/2022050219/5f653d312c6027001300516e/html5/thumbnails/78.jpg)
ImplementingtheCCSESACybersecurityFramework(CCSF)–Version1.0
78|P a g e
Function Category Subcategory InformationReferences
BusinessEnvironment(ID.BE):Thedistrict'smission,objectives,
stakeholders,andactivitiesare
understoodandprioritized;this
informationisusedtoinform
cybersecurityroles,responsibilities,
andriskmanagementdecisions.
ID.BE-1:Thedistrict'sroleinthesupplychainisidentifiedand
communicated.
• COBIT 5 APO08.04, APO08.05, APO10.03, APO10.04, APO10.05
• ISO/IEC 27001:2013 A.15.1.3, A.15.2.1, A.15.2.2 • NIST SP 800-53 Rev. 4 CP-2, SA-12
ID.BE-2:thedistrict'splaceincriticalinfrastructureandindustrysectoris
identifiedandcommunicated.
• COBIT 5 APO02.06, APO03.01 • NIST SP 800-53 Rev. 4 PM-8
ID.BE-3:Prioritiesfordistrictmission,
objectives,andactivitiesare
establishedandcommunicated.
• COBIT 5 APO02.01, APO02.06, APO03.01 • ISA 62443-2-1:2009 4.2.2.1, 4.2.3.6 • NIST SP 800-53 Rev. 4 PM-11, SA-14
ID.BE-4:Dependenciesandcriticalfunctionsfordeliveryofcritical
servicesareestablished.
• ISO/IEC 27001:2013 A.11.2.2, A.11.2.3, A.12.1.3 • NIST SP 800-53 Rev. 4 CP-8, PE-9, PE-11, PM-8, SA-14
ID.BE-5:Resiliencerequirementsto
supportdeliveryofcriticalservicesare
established.
• COBIT 5 DSS04.02 • ISO/IEC 27001:2013 A.11.1.4, A.17.1.1, A.17.1.2, A.17.2.1 • NIST SP 800-53 Rev. 4 CP-2, CP-11, SA-14
Governance(ID.GV):Thepolicies,procedures,andprocessesto
manageandmonitorthedistrict's
regulatory,legal,risk,
environmental,andoperational
requirementsareunderstoodand
informthemanagementof
cybersecurityrisk.
ID.GV-1:Organizationalinformation
securitypolicyisestablished.• COBIT 5 APO01.03, EDM01.01, EDM01.02 • ISA 62443-2-1:2009 4.3.2.6 • ISO/IEC 27001:2013 A.5.1.1 • NIST SP 800-53 Rev. 4 -1 controls from all families
ID.GV-2:Informationsecurityroles
andresponsibilitiesarecoordinated
andalignedwithinternalrolesand
externalpartners.
• COBIT 5 APO13.12 • ISA 62443-2-1:2009 4.3.2.3.3 • ISO/IEC 27001:2013 A.6.1.1, A.7.2.1 • NIST SP 800-53 Rev. 4 PM-1, PS-7
ID.GV-3:Legalandregulatoryrequirementsregardingcybersecurity,
includingprivacyandcivilliberty
obligations,areunderstoodand
managed.
• COBIT 5 MEA03.01, MEA03.04 • ISA 62443-2-1:2009 4.4.3.7 • ISO/IEC 27001:2013 A.18.1 • NIST SP 800-53 Rev. 4 -1 controls from all families (except
PM-1) ID.GV-4:Governanceandriskmanagementprocessesaddress
cybersecurityrisks.
• COBIT 5 DSS04.02 • ISA 62443-2-1:2009 4.2.3.1, 4.2.3.3, 4.2.3.8, 4.2.3.9,
4.2.3.11, 4.3.2.4.3, 4.3.2.6.3
![Page 79: 2017 - CCSESA · The following text describes the use of the CCSF to accomplish the seven COBIT implementation phases, providing the following information about each phase: • The](https://reader034.vdocuments.net/reader034/viewer/2022050219/5f653d312c6027001300516e/html5/thumbnails/79.jpg)
ImplementingtheCCSESACybersecurityFramework(CCSF)–Version1.0
79|P a g e
Function Category Subcategory InformationReferences
• NIST SP 800-53 Rev. 4 PM-9, PM-11 RiskAssessment(ID.RA):the
districtunderstandsthe
cybersecurityrisktodistrict
operationsincludingmission,
functions,image,orreputation,
districtassetsandindividuals.
ID.RA-1:Assetvulnerabilitiesareidentifiedanddocumented
• CCS CSC 4 • COBIT 5 APO12.01, APO12.02, APO12.03, APO12.04 • ISA 62443-2-1:2009 4.2.3, 4.2.3.7, 4.2.3.9, 4.2.3.12 • ISO/IEC 27001:2013 A.12.6.1, A.18.2.3 • NIST SP 800-53 Rev. 4 CA-2, CA-7, CA-8, RA-3, RA-5, SA-
5, SA-11, SI-2, SI-4, SI-5 ID.RA-2:Threatandvulnerabilityinformationisreceivedfrom
informationsharingformsand
sources.
• ISA 62443-2-1:2009 4.2.3, 4.2.3.9, 4.2.3.12 • ISO/IEC 27001:2013 A.6.1.4 • NIST SP 800-53 Rev. 4 PM-15, PM-16, SI-5
ID.RA-3:Threats,bothinternalandexternal,areidentifiedand
documented.
• COBIT 5 APO12.01, APO12.02, APO12.03, APO12.04 • ISA 62443-2-1:2009 4.2.3, 4.2.3.9, 4.2.3.12 • NIST SP 800-53 Rev. 4 RA-3, SI-5, PM-12, PM-16
ID.RA-4:Potentialbusinessimpacts
andlikelihoodsareidentified.• COBIT 5 DSS04.02 • ISA 62443-2-1:2009 4.2.3, 4.2.3.9, 4.2.3.12 • NIST SP 800-53 Rev. 4 RA-2, RA-3, PM-9, PM-11, SA-14
ID.RA-5:Threats,vulnerabilities,likelihoods,andimpactsareusedto
determinerisk.
• COBIT 5 APO12.02 • ISO/IEC 27001:2013 A.12.6.1 • NIST SP 800-53 Rev. 4 RA-2, RA-3, PM-16
ID.RA-6:Riskresponsesareidentifiedandprioritized.
• COBIT 5 APO12.05, APO13.02 • NIST SP 800-53 Rev. 4 PM-4, PM-9
RiskManagement(ID.RM):Thedistrict'spriority,constraints,risk
tolerances,andassumptionsare
establishedandusedtosupport
operationalriskdecisions.
ID.RM-1:Riskmanagementprocesses
areestablished,managed,andagreed
tobydistrictstakeholders.
• COBIT 5 APO12.04, APO12.05, APO13.02, BAI02.03, BAI04.02
• ISA 62443-2-1:2009 4.3.4.2 • NIST SP 800-53 Rev. 4 PM-9
ID.RM-2:Organizationalrisktoleranceisdeterminedandclearlyexpressed.
• COBIT 5 APO12.06 • ISA 62443-2-1:2009 4.3.2.6.5 • NIST SP 800-53 Rev. 4 PM-9
ID-RM-3:Thedistrict'sdetermination
ofrisktoleranceisinformedbyitsrole• NIST SP 800-53 Rev. 4 PM-8, PM-9, PM-11, SA-14
![Page 80: 2017 - CCSESA · The following text describes the use of the CCSF to accomplish the seven COBIT implementation phases, providing the following information about each phase: • The](https://reader034.vdocuments.net/reader034/viewer/2022050219/5f653d312c6027001300516e/html5/thumbnails/80.jpg)
ImplementingtheCCSESACybersecurityFramework(CCSF)–Version1.0
80|P a g e
Function Category Subcategory InformationReferences
incriticalinfrastructureandsector
specificriskanalysis.
Protect(PR
)
AccessControl(PR.AC):Accesstoassetsandassociatedfacilitiesis
limitedtoauthorizedusers,
processes,ordevices,andto
authorizedactivitiesand
transactions.
PR.AC-1:Identitiesandcredentialsaremanagedforauthorizeddevicesand
users.
• CCS CSC 16 • COBIT 5 DSS05.04, DSS06.03 • ISA 62443-2-1:2009 4.3.3.5.1 • ISA 62443-3-3:2013 SR 1.1, SR 1.2, SR 1.3, SR 1.4, SR 1.5,
SR 1.7, SR 1.8, SR 1.9 • ISO/IEC 27001:2013 A.9.2.1, A.9.2.2, A.9.2.4, A.9.3.1,
A.9.4.2, A.9.4.3 • NIST SP 800-53 Rev. 4 AC-2, IA Family
PR.AC-2:Physicalaccesstoassetsismanagedandprotected.
• COBIT 5 DSS01.04, DSS05.05 • ISA 62443-2-1:2009 4.3.3.3.2, 4.3.3.3.8 • ISO/IEC 27001:2013 A.11.1.1, A.11.1.2, A.11.1.4, A.11.1.6,
A.11.2.3 • NIST SP 800-53 Rev. 4 PE-2, PE-3, PE-4, PE-5, PE-6, PE-9
PR.AC-3:Remoteaccessismanaged.• COBIT 5 APO13.01, DSS01.04, DSS05.03 • ISA 62443-2-1:2009 4.3.3.6.6 • ISA 62443-3-3:2013 SR 1.13, SR 2.6 • ISO/IEC 27001:2013 A.6.2.2, A.13.1.1, A.13.2.1 • NIST SP 800-53 Rev. 4 AC�17, AC-19, AC-20
PR.AC-4:Accesspermissionsare
managed,incorporatingtheprinciples
ofleastprivilegeandseparationof
duties.
• CCS CSC 12, 15 • ISA 62443-2-1:2009 4.3.3.7.3 • ISA 62443-3-3:2013 SR 2.1 • ISO/IEC 27001:2013 A.6.1.2, A.9.1.2, A.9.2.3, A.9.4.1,
A.9.4.4 • NIST SP 800-53 Rev. 4 AC-2, AC-3, AC-5, AC-6, AC-16
PR.AC-5:Networkintegrityisprotected,incorporatingnetwork
segregationwhereappropriate.
• ISA 62443-2-1:2009 4.3.3.4 • ISA 62443-3-3:2013 SR 3.1, SR 3.8 • ISO/IEC 27001:2013 A.13.1.1, A.13.1.3, A.13.2.1 • NIST SP 800-53 Rev. 4 AC-4, SC-7
AwarenessandTraining(PR.AT):Thedistrict'spersonneland
PR.AT-1:Allusersareinformedand
trained.• CCS CSC 9 • COBIT 5 APO07.03, BAI05.07
![Page 81: 2017 - CCSESA · The following text describes the use of the CCSF to accomplish the seven COBIT implementation phases, providing the following information about each phase: • The](https://reader034.vdocuments.net/reader034/viewer/2022050219/5f653d312c6027001300516e/html5/thumbnails/81.jpg)
ImplementingtheCCSESACybersecurityFramework(CCSF)–Version1.0
81|P a g e
Function Category Subcategory InformationReferences
partnersareprovided
Cybersecurityawarenesseducation
andareadequatelytrainedto
performtheirinformationsecurity-
relateddutiesandresponsibilities
consistentwithrelatedpolicies,
procedures,andagreements.
• ISA 62443-2-1:2009 4.3.2.4.2 • ISO/IEC 27001:2013 A.7.2.2 • NIST SP 800-53 Rev. 4 AT-2, PM-13
PR.AT-2:Privilegedusersunderstandrolesandresponsibilities.
• CCS CSC 9 • COBIT 5 APO07.02, DSS06.03 • ISA 62443-2-1:2009 4.3.2.4.2, 4.3.2.4.3 • ISO/IEC 27001:2013 A.6.1.1, A.7.2.2 • NIST SP 800-53 Rev. 4 AT-3, PM-13
PR.AT-3:Third-partystakeholderssuchassuppliers,customers,and
partnersunderstandrolesand
responsibilities.
• CCS CSC 9 • COBIT 5 APO07.03, APO10.04, APO10.05 • ISA 62443-2-1:2009 4.3.2.4.2 • ISO/IEC 27001:2013 A.6.1.1, A.7.2.2 • NIST SP 800-53 Rev. 4 PS-7, SA-9
PR.AT-4:Seniorexecutivesunderstandrolesandresponsibilities.
• CCS CSC 9 • COBIT 5 APO07.03 • ISA 62443-2-1:2009 4.3.2.4.2 • ISO/IEC 27001:2013 A.6.1.1, A.7.2.2, • NIST SP 800-53 Rev. 4 AT-3, PM-13
PR.AT-5:Physicalandinformation
securitypersonnelunderstandroles
andresponsibilities.
• CCS CSC 9 • COBIT 5 APO07.03 • ISA 62443-2-1:2009 4.3.2.4.2 • ISO/IEC 27001:2013 A.6.1.1, A.7.2.2, • NIST SP 800-53 Rev. 4 AT-3, PM-13
DataSecurity(PR.DS):Information
andrecords(data)aremanaged
consistentwiththedistrict'srisk
strategytoprotectthe
confidentiality,integrity,and
availabilityofinformation.
PR.DS-1:Data-at-restisprotected.• CCS CSC 17 • COBIT 5 APO01.06, BAI02.01, BAI06.01, DSS06.06 • ISA 62443-3-3:2013 SR 3.4, SR 4.1 • ISO/IEC 27001:2013 A.8.2.3 • NIST SP 800-53 Rev. 4 SC-28
PR.DS-2:Data-in-transitisprotected.• CCS CSC 17 • COBIT 5 APO01.06, DSS06.06 • ISA 62443-3-3:2013 SR 3.1, SR 3.8, SR 4.1, SR 4.2
![Page 82: 2017 - CCSESA · The following text describes the use of the CCSF to accomplish the seven COBIT implementation phases, providing the following information about each phase: • The](https://reader034.vdocuments.net/reader034/viewer/2022050219/5f653d312c6027001300516e/html5/thumbnails/82.jpg)
ImplementingtheCCSESACybersecurityFramework(CCSF)–Version1.0
82|P a g e
Function Category Subcategory InformationReferences
• ISO/IEC 27001:2013 A.8.2.3, A.13.1.1, A.13.2.1, A.13.2.3, A.14.1.2, A.14.1.3
• NIST SP 800-53 Rev. 4 SC-8 PR.DS-3:Assetsareformallymanaged
throughoutremoval,transfers,and
disposition.
• COBIT 5 BAI09.03 • ISA 62443-2-1:2009 4. 4.3.3.3.9, 4.3.4.4.1 • ISA 62443-3-3:2013 SR 4.2 • ISO/IEC 27001:2013 A.8.2.3, A.8.3.1, A.8.3.2, A.8.3.3,
A.11.2.7 • NIST SP 800-53 Rev. 4 CM-8, MP-6, PE-16
PR.DS-4:Adequatecapacitytoensureavailabilityismaintained.
• COBIT 5 APO13.01 • ISA 62443-3-3:2013 SR 7.1, SR 7.2 • ISO/IEC 27001:2013 A.12.3.1 • NIST SP 800-53 Rev. 4 AU-4, CP-2, SC-5
PR.DS-5:Protectionsagainstdataleaksareimplemented.
• CCS CSC 17 • COBIT 5 APO01.06 • ISA 62443-3-3:2013 SR 5.2 • ISO/IEC 27001:2013 A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1,
A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3
• NIST SP 800-53 Rev. 4 AC-4, AC-5, AC-6, PE-19, PS-3, PS-6, SC-7, SC-8, SC-13, SC-31, SI-4
PR.DS-6:Integritycheckingmechanismsareusedtoverify
software,firmware,andinformation
integrity.
• ISA 62443-3-3:2013 SR 3.1, SR 3.3, SR 3.4, SR 3.8 • ISO/IEC 27001:2013 A.12.2.1, A.12.5.1, A.14.1.2, A.14.1.3 • NIST SP 800-53 Rev. 4 SI-7
PR.DS-7:Thedevelopmentandtesting
environmentsareseparatefromthe
productionenvironment.
• COBIT 5 BAI07.04 • ISO/IEC 27001:2013 A.12.1.4 • NIST SP 800-53 Rev. 4 CM-2
InformationProtectionProcessesandProcedures(PR.IP):Securitypoliciesthataddresspurpose,
scope,roles,responsibilities,
PR.IP-1:Baselineconfigurationofinformationtechnology/industrial
controlsystemsiscreatedand
maintained.
• CCS CSC 3, 10 • COBIT 5 BAI10.01, BAI10.02, BAI10.03, BAI10.05 • ISA 62443-2-1:2009 4.3.4.3.2, 4.3.4.3.3 • ISA 62443-3-3:2013 SR 7.6
![Page 83: 2017 - CCSESA · The following text describes the use of the CCSF to accomplish the seven COBIT implementation phases, providing the following information about each phase: • The](https://reader034.vdocuments.net/reader034/viewer/2022050219/5f653d312c6027001300516e/html5/thumbnails/83.jpg)
ImplementingtheCCSESACybersecurityFramework(CCSF)–Version1.0
83|P a g e
Function Category Subcategory InformationReferences
managementcommitment,and
coordinationamongdistrict
entities,processes,andprocedures
aremaintainedandusedto
manageprotectionofinformation
systemsandassets.
• ISO/IEC 27001:2013 A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4
• NIST SP 800-53 Rev. 4 CM-2, CM-3, CM-4, CM-5, CM-6, CM-7, CM-9, SA-10
PR.IP-2:ASystemDevelopmentLife
Cycle(SDLC)tomanagesystemsis
implemented.
• COBIT 5 APO13.01 • ISA 62443-2-1:2009 4.3.4.3.3 • ISO/IEC 27001:2013 A.6.1.5, A.14.1.1, A.14.2.1, A.14.2.5 • NIST SP 800-53 Rev. 4 SA-3, SA-4, SA-8, SA-10, SA-11,
SA-12, SA-15, SA-17, PL-8 PR.IP-3:Configurationchangecontrolprocessesareinplace.
• COBIT 5 BAI06.01, BAI01.06 • ISA 62443-2-1:2009 4.3.4.3.2, 4.3.4.3.3 • ISA 62443-3-3:2013 SR 7.6 • ISO/IEC 27001:2013 A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2,
A.14.2.3, A.14.2.4 • NIST SP 800-53 Rev. 4 CM-3, CM-4, SA-10
PR.IP-4:Backupsofinformationare
conducted,maintainedandtested
periodically.
• COBIT 5 APO13.01 • ISA 62443-2-1:2009 4.3.4.3.9 • ISA 62443-3-3:2013 SR 7.3, SR 7.4 • ISO/IEC 27001:2013 A.12.3.1, A.17.1.2A.17.1.3, A.18.1.3 • NIST SP 800-53 Rev. 4 CP-4, CP-6, CP-9
PR.IP-5:Policyandregulationsregardingthephysicaloperating
environmentfordistrictassetsare
met.
• COBIT 5 DSS01.04, DSS05.05 • ISA 62443-2-1:2009 4.3.3.3.1 4.3.3.3.2, 4.3.3.3.3, 4.3.3.3.5,
4.3.3.3.6 • ISO/IEC 27001:2013 A.11.1.4, A.11.2.1, A.11.2.2, A.11.2.3 • NIST SP 800-53 Rev. 4 PE-10, PE-12, PE-13, PE-14, PE-15,
PE-18 PR.IP-6:Dataisdestroyedaccordingto
policy.• COBIT 5 BAI09.03 • ISA 62443-2-1:2009 4.3.4.4.4 • ISA 62443-3-3:2013 SR 4.2 • ISO/IEC 27001:2013 A.8.2.3, A.8.3.1, A.8.3.2, A.11.2.7 • NIST SP 800-53 Rev. 4 MP-6
PR.IP-7:Protectionprocessesarecontinuouslyimproved.
• COBIT 5 APO11.06, DSS04.05
![Page 84: 2017 - CCSESA · The following text describes the use of the CCSF to accomplish the seven COBIT implementation phases, providing the following information about each phase: • The](https://reader034.vdocuments.net/reader034/viewer/2022050219/5f653d312c6027001300516e/html5/thumbnails/84.jpg)
ImplementingtheCCSESACybersecurityFramework(CCSF)–Version1.0
84|P a g e
Function Category Subcategory InformationReferences
• ISA 62443-2-1:2009 4.4.3.1, 4.4.3.2, 4.4.3.3, 4.4.3.4, 4.4.3.5, 4.4.3.6, 4.4.3.7, 4.4.3.8
• NIST SP 800-53 Rev. 4 CA-2, CA-7, CP-2, IR-8, PL-2, PM-6 PR.IP-8:Effectivenessofprotectiontechnologiesissharedwith
appropriateparties.
• ISO/IEC 27001:2013 A.16.1.6 • NIST SP 800-53 Rev. 4 AC-21, CA-7, SI-4
PR.IP-9:Responseplans(IncidentResponseandBusinessContinuity)
andrecoveryplans(IncidentRecovery
andDisasterRecovery)areinplace
andmanaged.
• COBIT 5 DSS04.03 • ISA 62443-2-1:2009 4.3.2.5.3, 4.3.4.5.1 • ISO/IEC 27001:2013 A.16.1.1, A.17.1.1, A.17.1.2 • NIST SP 800-53 Rev. 4 CP-2, IR-8
PR.IP-10:Responseandrecoveryplansaretested.
• ISA 62443-2-1:2009 4.3.2.5.7, 4.3.4.5.11 • ISA 62443-3-3:2013 SR 3.3 • ISO/IEC 27001:2013 A.17.1.3 • NIST SP 800-53 Rev.4 CP-4, IR-3, PM-14
PR.IP-11:Cybersecurityisincludedinhumanresourcespracticesuchasde-
provisioningandpersonnelscreening.
• COBIT 5 APO07.01, APO07.02, APO07.03, APO07.04, APO07.05
• ISA 62443-2-1:2009 4.3.3.2.1, 4.3.3.2.2, 4.3.3.2.3 • ISO/IEC 27001:2013 A.7.1.1, A.7.3.1, A.8.1.4 • NIST SP 800-53 Rev. 4 PS Family
PR.IP-12:Avulnerabilitymanagement
planisdevelopedandimplemented• ISO/IEC27001:2013A.12.6.1,A.18.2.2
• NISTSP800-53Rev.4RA-3,RA-5,SI-2
Maintenance(PR.MA):Maintenanceandrepairsof
industrialcontrolsandinformation
systemcomponentsareperformed
consistentwithpoliciesand
procedures.
PR.MA-1:Maintenanceandrepairof
districtassetsisperformedandlogged
inatimelymanner,withapprovedand
controlledtools.
• COBIT 5 BAI09.03 • ISA 62443-2-1:2009 4.3.3.3.7 • ISO/IEC 27001:2013 A.11.1.2, A.11.2.4, A.11.2.5 • NIST SP 800-53 Rev. 4 MA-2, MA-3, MA-5
PR.MA-2:Remotemaintenanceof
districtassetsisapproved,loggedand
performedinamannerthatprevents
unauthorizedaccess.
• COBIT 5 DSS05.04 • ISA 62443-2-1:2009 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.4.4.6.8 • ISO/IEC 27001:2013 A.11.2.4, A.15.1.1, A.15.2.1 • NIST SP 800-53 Rev. 4 MA-4
![Page 85: 2017 - CCSESA · The following text describes the use of the CCSF to accomplish the seven COBIT implementation phases, providing the following information about each phase: • The](https://reader034.vdocuments.net/reader034/viewer/2022050219/5f653d312c6027001300516e/html5/thumbnails/85.jpg)
ImplementingtheCCSESACybersecurityFramework(CCSF)–Version1.0
85|P a g e
Function Category Subcategory InformationReferences
Protective Technology (PR.PT): Technical security solutions are managed to ensure the security and resilience of systems and assets, consistent with related policies, procedures and agreements.

PR.PT-1: Audit/log records are determined, documented, implemented and reviewed in accordance with policy.
• CCS CSC 14
• COBIT 5 APO11.04
• ISA 62443-2-1:2009 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4
• ISA 62443-3-3:2013 SR 2.8, SR 2.9, SR 2.10, SR 2.11, SR 2.12
• ISO/IEC 27001:2013 A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1
• NIST SP 800-53 Rev. 4 AU Family

PR.PT-2: Removable media is protected and its use restricted according to policy.
• COBIT 5 DSS05.02, APO13.01
• ISA 62443-3-3:2013 SR 2.3
• ISO/IEC 27001:2013 A.8.2.2, A.8.2.3, A.8.3.1, A.8.3.3, A.11.2.9
• NIST SP 800-53 Rev. 4 MP-2, MP-4, MP-5, MP-7

PR.PT-3: Access to systems and assets is controlled, incorporating the principle of least functionality.
• COBIT 5 DSS05.02
• ISA 62443-2-1:2009 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4
• ISA 62443-3-3:2013 SR 1.1, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7
• ISO/IEC 27001:2013 A.9.1.2
• NIST SP 800-53 Rev. 4 AC-3, CM-7

PR.PT-4: Communications and control networks are protected.
• CCS CSC 7
• COBIT 5 DSS05.02, APO13.01
• ISA 62443-3-3:2013 SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6
• ISO/IEC 27001:2013 A.13.1.1, A.13.2.1
• NIST SP 800-53 Rev. 4 AC-4, AC-17, AC-18, CP-8, SC-7
Detect (DE)

Anomalies and Events (DE.AE): Anomalous activity is detected in a timely manner and the potential impact of events is understood.

DE.AE-1: A baseline of network operations and expected data flows for users and systems is established and managed.
• COBIT 5 DSS03.01
• ISA 62443-2-1:2009 4.4.3.3
• NIST SP 800-53 Rev. 4 AC-4, CA-3, CM-2, SI-4
DE.AE-2: Detected events are analyzed to understand attack targets and methods.
• ISA 62443-2-1:2009 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8
• ISA 62443-3-3:2013 SR 2.8, SR 2.9, SR 2.10, SR 2.11, SR 2.12, SR 3.9, SR 6.1, SR 6.2
• ISO/IEC 27001:2013 A.16.1.1, A.16.1.4
• NIST SP 800-53 Rev. 4 AU-6, CA-7, IR-4, SI-4

DE.AE-3: Event data are aggregated and correlated from multiple sources and sensors.
• ISA 62443-3-3:2013 SR 6.1
• NIST SP 800-53 Rev. 4 AU-6, CA-7, IR-4, IR-5, IR-8, SI-4

DE.AE-4: Impact of events is determined.
• COBIT 5 APO12.06
• NIST SP 800-53 Rev. 4 CP-2, IR-4, RA-3, SI-4

DE.AE-5: Incident alert thresholds are established.
• COBIT 5 APO12.06
• ISA 62443-2-1:2009 4.2.3.10
• NIST SP 800-53 Rev. 4 IR-4, IR-5, IR-8

Security Continuous Monitoring (DE.CM): The information system and assets are monitored at discrete intervals to identify cybersecurity events and verify the effectiveness of proactive measures.
DE.CM-1: The network is monitored to detect potential cybersecurity events.
• CCS CSC 14, 16
• COBIT 5 DSS05.07
• ISA 62443-3-3:2013 SR 6.2
• NIST SP 800-53 Rev. 4 AC-2, AU-12, CA-7, CM-3, SC-5, SC-7, SI-4

DE.CM-2: The physical environment is monitored to detect potential cybersecurity events.
• ISA 62443-2-1:2009 4.3.3.3.8
• NIST SP 800-53 Rev. 4 CA-7, PE-3, PE-6, PE-20

DE.CM-3: Personnel activity is monitored to detect potential cybersecurity events.
• ISA 62443-3-3:2013 SR 6.2
• ISO/IEC 27001:2013 A.12.4.1
• NIST SP 800-53 Rev. 4 AC-2, AU-12, AU-13, CA-7, CM-10, CM-11

DE.CM-4: Malicious code is detected.
• CCS CSC 5
• COBIT 5 DSS05.01
• ISA 62443-2-1:2009 4.3.4.3.8
• ISA 62443-3-3:2013 SR 3.2
• ISO/IEC 27001:2013 A.12.2.1
• NIST SP 800-53 Rev. 4 SI-3

DE.CM-5: Unauthorized mobile code is detected.
• ISA 62443-3-3:2013 SR 2.4
• ISO/IEC 27001:2013 A.12.5.1
• NIST SP 800-53 Rev. 4 SC-18, SI-4, SC-44
DE.CM-6: External service provider activity is monitored to detect potential cybersecurity events.
• COBIT 5 APO07.06
• ISO/IEC 27001:2013 A.14.2.7, A.15.2.1
• NIST SP 800-53 Rev. 4 CA-7, PS-7, SA-4, SA-9, SI-4

DE.CM-7: Monitoring for unauthorized personnel, connections, devices, and software is performed.
• NIST SP 800-53 Rev. 4 AU-12, CA-7, CM-3, CM-8, PE-3, PE-6, PE-20, SI-4

DE.CM-8: Vulnerability scans are performed.
• COBIT 5 BAI03.10
• ISA 62443-2-1:2009 4.2.3.1, 4.2.3.7
• ISO/IEC 27001:2013 A.12.6.1
• NIST SP 800-53 Rev. 4 RA-5

Detection Processes (DE.DP): Detection processes and procedures are maintained and tested to ensure timely and adequate awareness of anomalous events.

DE.DP-1: Roles and responsibilities for detection are well defined to ensure accountability.
• CCS CSC 5
• COBIT 5 DSS05.01
• ISA 62443-2-1:2009 4.4.3.1
• ISO/IEC 27001:2013 A.6.1.1
• NIST SP 800-53 Rev. 4 CA-2, CA-7, PM-14

DE.DP-2: Detection activities comply with all applicable requirements.
• ISA 62443-2-1:2009 4.4.3.2
• ISO/IEC 27001:2013 A.18.1.4
• NIST SP 800-53 Rev. 4 CA-2, CA-7, PM-14, SI-4

DE.DP-3: Detection processes are tested.
• COBIT 5 APO13.02
• ISA 62443-2-1:2009 4.4.3.2
• ISA 62443-3-3:2013 SR 3.3
• ISO/IEC 27001:2013 A.14.2.8
• NIST SP 800-53 Rev. 4 CA-2, CA-7, PE-3, PM-14, SI-3, SI-4

DE.DP-4: Event detection information is communicated to appropriate parties.
• COBIT 5 APO12.06
• ISA 62443-2-1:2009 4.3.4.5.9
• ISA 62443-3-3:2013 SR 6.1
• ISO/IEC 27001:2013 A.16.1.2
• NIST SP 800-53 Rev. 4 AU-6, CA-2, CA-7, RA-5, SI-4

DE.DP-5: Detection processes are continuously improved.
• COBIT 5 APO11.06, DSS04.05
• ISA 62443-2-1:2009 4.4.3.4
• ISO/IEC 27001:2013 A.16.1.6
• NIST SP 800-53 Rev. 4 CA-2, CA-7, PL-2, RA-5, SI-4, PM-14
Respond (RS)

Response Planning (RS.RP): Response processes and procedures are executed and maintained, to ensure timely response to detected cybersecurity events.

RS.RP-1: Response plan is executed during or after an event.
• COBIT 5 BAI01.10
• CCS CSC 18
• ISA 62443-2-1:2009 4.3.4.5.1
• ISO/IEC 27001:2013 A.16.1.5
• NIST SP 800-53 Rev. 4 CP-2, CP-10, IR-4, IR-8

Communications (RS.CO): Response activities are coordinated with internal and external stakeholders, as appropriate, to include external support from law enforcement agencies.

RS.CO-1: Personnel know their roles and order of operations when a response is needed.
• ISA 62443-2-1:2009 4.3.4.5.2, 4.3.4.5.3, 4.3.4.5.4
• ISO/IEC 27001:2013 A.6.1.1, A.16.1.1
• NIST SP 800-53 Rev. 4 CP-2, CP-3, IR-3, IR-8

RS.CO-2: Events are reported consistent with established criteria.
• ISA 62443-2-1:2009 4.3.4.5.5
• ISO/IEC 27001:2013 A.6.1.3, A.16.1.2
• NIST SP 800-53 Rev. 4 AU-6, IR-6, IR-8

RS.CO-3: Information is shared consistent with response plans.
• ISA 62443-2-1:2009 4.3.4.5.2
• ISO/IEC 27001:2013 A.16.1.2
• NIST SP 800-53 Rev. 4 CA-2, CA-7, CP-2, IR-4, IR-8, PE-6, RA-5, SI-4

RS.CO-4: Coordination with stakeholders occurs consistent with response plans.
• ISA 62443-2-1:2009 4.3.4.5.5
• NIST SP 800-53 Rev. 4 CP-2, IR-4, IR-8

RS.CO-5: Voluntary information sharing occurs with external stakeholders to achieve broader cybersecurity situational awareness.
• NIST SP 800-53 Rev. 4 PM-15, SI-5
Analysis (RS.AN): Analysis is conducted to ensure adequate response and support recovery activities.

RS.AN-1: Notifications from detection systems are investigated.
• COBIT 5 DSS02.07
• ISA 62443-2-1:2009 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8
• ISA 62443-3-3:2013 SR 6.1
• ISO/IEC 27001:2013 A.12.4.1, A.12.4.3, A.16.1.5
• NIST SP 800-53 Rev. 4 AU-6, CA-7, IR-4, IR-5, PE-6, SI-4

RS.AN-2: The impact of the incident is understood.
• ISA 62443-2-1:2009 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8
• ISO/IEC 27001:2013 A.16.1.6
• NIST SP 800-53 Rev. 4 CP-2, IR-4

RS.AN-3: Forensics are performed.
• ISA 62443-3-3:2013 SR 2.8, SR 2.9, SR 2.10, SR 2.11, SR 2.12, SR 3.9, SR 6.1
• ISO/IEC 27001:2013 A.16.1.7
• NIST SP 800-53 Rev. 4 AU-7, IR-4

RS.AN-4: Incidents are categorized consistent with response plans.
• ISA 62443-2-1:2009 4.3.4.5.6
• ISO/IEC 27001:2013 A.16.1.4
• NIST SP 800-53 Rev. 4 CP-2, IR-4, IR-5, IR-8
Mitigation (RS.MI): Activities are performed to prevent expansion of an event, mitigate its effects, and eradicate the incident.

RS.MI-1: Incidents are contained.
• ISA 62443-2-1:2009 4.3.4.5.6
• ISA 62443-3-3:2013 SR 5.1, SR 5.2, SR 5.4
• ISO/IEC 27001:2013 A.16.1.5
• NIST SP 800-53 Rev. 4 IR-4

RS.MI-2: Incidents are mitigated.
• ISA 62443-2-1:2009 4.3.4.5.6, 4.3.4.5.10
• ISO/IEC 27001:2013 A.12.2.1, A.16.1.5
• NIST SP 800-53 Rev. 4 IR-4

RS.MI-3: Newly identified vulnerabilities are mitigated or documented as accepted risks.
• ISO/IEC 27001:2013 A.12.6.1
• NIST SP 800-53 Rev. 4 CA-7, RA-3, RA-5

Improvements (RS.IM): Organizational response activities are improved by incorporating lessons learned from current and previous detection/response activities.

RS.IM-1: Response plans incorporate lessons learned.
• COBIT 5 BAI01.13
• ISA 62443-2-1:2009 4.3.4.5.10, 4.4.3.4
• ISO/IEC 27001:2013 A.16.1.6
• NIST SP 800-53 Rev. 4 CP-2, IR-4, IR-8

RS.IM-2: Response strategies are updated.
• NIST SP 800-53 Rev. 4 CP-2, IR-4, IR-8
Recover (RC)

Recovery Planning (RC.RP): Recovery processes and procedures are executed and maintained to ensure timely restoration of systems or assets affected by cybersecurity events.

RC.RP-1: Recovery plan is executed during or after an event.
• CCS CSC 8
• COBIT 5 DSS02.05, DSS03.04
• ISO/IEC 27001:2013 A.16.1.5
• NIST SP 800-53 Rev. 4 CP-10, IR-4, IR-8

Improvements (RC.IM): Recovery planning and processes are improved by incorporating lessons learned into future activities.

RC.IM-1: Recovery plans incorporate lessons learned.
• COBIT 5 BAI05.07
• ISA 62443-2-1 4.4.3.4
• NIST SP 800-53 Rev. 4 CP-2, IR-4, IR-8

RC.IM-2: Recovery strategies are updated.
• COBIT 5 BAI07.08
• NIST SP 800-53 Rev. 4 CP-2, IR-4, IR-8
Communication (RC.CO): Restoration activities are coordinated with internal and external parties, such as coordinating centers, Internet Service Providers, owners of attacking systems, victims, other districts and vendors.

RC.CO-1: Public relations are managed.
• COBIT 5 EDM03.02

RC.CO-2: Reputation after an event is repaired.
• COBIT 5 MEA03.02

RC.CO-3: Recovery activities are communicated to internal stakeholders and executive and management teams.
• NIST SP 800-53 Rev. 4 CP-2, IR-4

Source: NIST, Framework for Improving Critical Infrastructure Cybersecurity, USA, 2014, Appendix A
Appendix E: CCSESA CCSF Toolkit

As discussed in Section 1, the CCSESA CCSF Toolkit is an Excel workbook that is broken down into the following worksheets:
• Profile Metadata
• Current Profile
• Target Profile
• Action Plan

The Toolkit is designed to provide you a pathway to implement the indicators contained within the CCSF.

Profile Metadata

The profile metadata table, shown in Figure B.1, is used to capture information regarding the district and the business unit or system(s) that are represented by the profile. This information is typically collected in phases 1 and 2 of the CCSF implementation process.

The following is provided as an example:
Figure B.1 – Profile Meta Template – Eastern High School District

District: Eastern Consolidated School District
District Infrastructure Sector: See Figure 2 for examples
District Business Unit/Sector/Campus: South Campus

District Current Profile Scope
• Policies and standards relating to overall data security at the network, host, database and application levels have been established.
• Policies, standards and procedures have been established regarding the handling and protection of PII (Personally Identifiable Information) data.
• Data Loss Prevention (DLP) measures have been deployed.
• Effective Network Access Controls have been implemented.
• Intrusion Prevention/Detection (IPS/IDS) systems have been deployed.
• Privacy training has been conducted.
• Physical and logical security controls have been established at all sites containing PII data.
• An effective incident response program has been implemented.
• Customer PII data has been properly separated from corporate data.

Business Requirements
• Personnel security
• Physical security
• Account and password management
• Confidentiality of sensitive data
• Disaster/Recovery
• Security awareness and education
• Compliance and audit

Risk Considerations
• Enterprise security architecture
• Are we protecting what really matters?
• Is governance aligned with security?
• What threats are we up against?
• Are we planning for continuity?
• Do we have enough information to plan for risk?
• Is our data secure?

Risk Appetite Decisions
• Ethical leadership has low risk.
• Academic reputation has low risk.
• Faculty risk is high.
• Student selection and retention has a high risk.
• Community risk is low.
• Financial resources are low.
Current State Profile

The current state profile is used to track the goals of the current cybersecurity program. The template includes a capability to identify how each subcategory within the framework is being obtained and the current implementation status of that capability. In many cases, districts update their current security policy and implement the new policy in a phased approach. The current state profile template allows districts to accurately represent their status in implementing current policies and procedures. Figure B.2 identifies the data points or topics recorded in the current state profile.

Topic | Required Information from CCSF | Examples
Function | Applicable Framework Function | Figure 11 – Components of the Framework Core
Category | Applicable Framework Category | Figure 12 – Framework Core Identifiers and Categories
Subcategory | Applicable Framework Sub-category | From Appendix A: Framework Core
Relevant COBIT Process | The COBIT 5 informative reference used to identify the district practices required to meet the goals of the CCSF subcategory. | From Appendix A: Framework Core
Implementation Status | The current achievement rating | Figure 17 – Achievement Rating Scale
Organizational Practices | The district practice, policy or procedure that is required to meet the intended goal of the subcategory. | Section 3: Relevant COBIT 5 Practices
Comments/Evidence | Narrative describing how the achievement rating was determined and any established ongoing actions toward the goal of the subcategory. |
Target State Profile

The target state profile provides an opportunity to capture the desired state of the cybersecurity program. The target state profile should be completed in a manner that identifies the protections and capabilities required to mitigate threats to the district. This risk-based approach ensures that all areas of the CCSF are addressed, with a focus being applied to those areas most likely to be attacked.

Topic | Required Information from CCSF | Examples
Function | Applicable Framework Function | Figure 11 – Components of the Framework Core
Category | Applicable Framework Category | Figure 12 – Framework Core Identifiers and Categories
Subcategory | Applicable Framework Sub-category | From Appendix A: Framework Core
Relevant COBIT Process | The COBIT 5 informative reference used to identify the district practices required to meet the goals of the CCSF subcategory. | From Appendix A: Framework Core
Implementation Status | The current achievement rating | Figure 17 – Achievement Rating Scale
Organizational Practices | The district practice, policy or procedure that is required to meet the intended goal of the subcategory. | Section 3: Relevant COBIT 5 Practices
Comments/Evidence | Narrative describing how the achievement rating was determined and any established ongoing actions toward the goal of the subcategory. |
Recommended Actions | The actions required to achieve the target state goals. | High level action items (leave the tactical planning to a project manager)
Resources Required | Organizational resources required to complete the recommended actions. | Infrastructure and human resources
Gap Analysis

For each of the subcategories in the Target Profile, consider the difference between the target level of achievement and the current level. Understanding the gaps between the current and target district policies and practices will highlight opportunities for improvement; understanding the relative impact on risk will help establish priority, schedule, and resource allocation. Using the information from the gap analysis, conduct the Activity Planning.

To achieve the desired outcomes as described in the CCSF and to attain the stakeholder goals identified in implementation Step 1, a comprehensive action plan is necessary. As part of the planning process, implementers should determine the appropriate authorities who will review, approve and track the activities and actions described. It is important that business/mission drivers inform and support these actions.

By linking the actions listed to the enterprise and technical goals (as described in the COBIT 5 goals cascade and as documented as part of implementation Step 1), actions will be assessable and prioritized to achieve the necessary value for the district. These priorities and the associated actions may be reviewed and adjusted through periodic checkpoint meetings such as quarterly briefings, program management reviews and security training exercises. A list of action plan data points is shown in Figure D.1.

Specific considerations for action planning may include the following:
• Are there educational-specific action plan processes?
• Who is responsible for defining actions within the plan?
• How often will action plans be reviewed and updated? By whom?
• What specific governance and management processes apply to education to help stay on track?
• What are the advantages to achieving a higher/lower tier?
• What are the disadvantages to achieving a higher/lower tier?
• What regulatory guidance is available to help select the appropriate tier for my district, if any?
• What agencies, groups, or consortia exist to support district compliance and security programs?
• How is feedback captured and disseminated throughout the district?
Figure D.1 – Action Plan Data Points

Action Plan Detail | Description
Action Identifier | Unique identifier assigned to a specific action for reference
Priority | District-defined priority for completing the action (H/M/L or 1-6)
Assumption/Constraints | District-defined factors that may impact the ability to complete the action. (Strategies should be planned to overcome each constraint)
Rationale | Identifies the rationale used to define the action. Links to Profile(s), or regulatory requirements, should be included when available.
Specific Action | The discrete, outcome-based action to be completed.
Resources Required | The district resources needed to complete the action. (Infrastructure or people)
Schedule/Milestones | Key milestones or schedules assigned to the specific action.
Status | Use Red/Amber/Green stoplights to signify the status of the action and identification of issues that may cause a scheduled milestone to be missed.
Prerequisites/dependencies | Identifies other actions or district factors that must be completed prior to this action being complete. Keep in mind that dependencies can be internal or external.
Action Assignee | Point of contact assigned the responsibility for tracking and ensuring that the action is completed.
Stakeholder roles | Internal and external district stakeholders of the action.
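The gap analysis described in the Gap Analysis section, and the Figure D.1 action plan records it feeds, as a worked example in Python. This is an added illustration, not the CCSESA CCSF Toolkit workbook's own logic. Everything it assumes is constructed: the handful of subcategories (taken from the framework core table above), their ratings, a 0 to 5 integer scale standing in for the Figure 17 Achievement Rating Scale (not reproduced on this page), the H/M/L risk weights, and the ordering rule of risk weight first, then gap size.

```python
"""Gap analysis between a Current Profile and a Target Profile, and the
Action Plan records (Figure D.1 data points) derived from it.

Added worked example; not the CCSESA CCSF Toolkit's own workbook logic.
Assumed (not stated on the page): achievement ratings are integers 0..5
standing in for the Figure 17 scale, and each subcategory carries a
district-defined H/M/L risk weight that drives the action priority.
"""
from dataclasses import dataclass
from typing import Dict, List

RATING_MIN, RATING_MAX = 0, 5  # assumed achievement rating scale

# Constructed sample profiles. The subcategory identifiers are from the
# framework core table; the ratings and risk weights are made up here.
CURRENT_PROFILE: Dict[str, int] = {
    "PR.IP-12": 1,  # vulnerability management plan
    "PR.MA-2": 3,   # remote maintenance approved and logged
    "DE.CM-8": 2,   # vulnerability scans performed
    "DE.CM-4": 4,   # malicious code detected
    "RS.MI-3": 1,   # new vulnerabilities mitigated or accepted
}
TARGET_PROFILE: Dict[str, int] = {
    "PR.IP-12": 4, "PR.MA-2": 3, "DE.CM-8": 4, "DE.CM-4": 4, "RS.MI-3": 3,
}
RISK_WEIGHT: Dict[str, str] = {  # district-defined relative impact on risk
    "PR.IP-12": "H", "PR.MA-2": "M", "DE.CM-8": "H", "DE.CM-4": "M", "RS.MI-3": "L",
}
_PRIORITY_ORDER = {"H": 0, "M": 1, "L": 2}


@dataclass
class Gap:
    subcategory: str
    current: int
    target: int
    risk_weight: str

    @property
    def size(self) -> int:
        return self.target - self.current


def gap_analysis(current: Dict[str, int], target: Dict[str, int],
                 risk_weight: Dict[str, str]) -> List[Gap]:
    """Return one Gap per Target Profile subcategory whose target rating
    exceeds the current one, ordered for action planning.

    A subcategory absent from the Current Profile counts as rating 0, so a
    control nobody has assessed shows up as a gap rather than vanishing.
    Ratings outside the assumed scale raise, so a workbook typo such as
    rating 7 cannot silently close a gap. Ordering: higher risk weight
    first, then larger gap, then identifier for a stable result."""
    gaps: List[Gap] = []
    for sub, tgt in target.items():
        cur = current.get(sub, RATING_MIN)
        for rating in (cur, tgt):
            if not RATING_MIN <= rating <= RATING_MAX:
                raise ValueError(f"{sub}: rating {rating} outside "
                                 f"{RATING_MIN}..{RATING_MAX}")
        if tgt > cur:
            gaps.append(Gap(sub, cur, tgt, risk_weight.get(sub, "L")))
    gaps.sort(key=lambda g: (_PRIORITY_ORDER[g.risk_weight], -g.size,
                             g.subcategory))
    return gaps


def build_action_plan(gaps: List[Gap]) -> List[dict]:
    """Map ordered gaps onto the Figure D.1 action plan data points.

    Fields that need a human decision (specific action, resources,
    schedule, assignee, dependencies) are left as labelled placeholders;
    the Rationale links each action back to the profiles, as Figure D.1
    asks, and Status starts at Amber until the first checkpoint review."""
    plan: List[dict] = []
    for n, g in enumerate(gaps, start=1):
        plan.append({
            "Action Identifier": f"ACT-{n:03d}",
            "Priority": g.risk_weight,
            "Assumption/Constraints": "<district-defined>",
            "Rationale": (f"{g.subcategory}: current rating {g.current}, "
                          f"target rating {g.target} (gap {g.size})"),
            "Specific Action": "<outcome-based action, defined by owner>",
            "Resources Required": "<infrastructure or people>",
            "Schedule/Milestones": "<to be scheduled>",
            "Status": "Amber",
            "Prerequisites/dependencies": [],
            "Action Assignee": "<point of contact>",
            "Stakeholder roles": [],
        })
    return plan


if __name__ == "__main__":
    for action in build_action_plan(
            gap_analysis(CURRENT_PROFILE, TARGET_PROFILE, RISK_WEIGHT)):
        print(action["Action Identifier"], action["Priority"],
              action["Rationale"])
```

Two design choices matter for a district using this as a check on its workbook: a subcategory missing from the Current Profile is treated as unassessed (rating 0) rather than dropped, and any rating outside the assumed scale is rejected outright, because a transcription error in either sheet would otherwise hide a gap that the action plan should carry.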
Appendix F: Considerations for Critical Infrastructure Sectors

The CCSF was developed as directed by EO 13636, in direct support of the critical infrastructure community. For enterprises that are identified with one of the sixteen critical infrastructure sectors listed in Figure 2, or enterprises that support entities in those sectors, the following considerations may be helpful for implementing the CCSF in that context.

Role Identification

From the President of the School Board to the IT System Administrator, roles vary widely among critical infrastructure providers. The CCSF generally classifies these roles into three categories as described in Appendix B. The reader is encouraged to determine the applicable titles of each role and refer specifically to those titles in planning/operations/monitoring documents. Doing so will aid in the education and implementation of cybersecurity activities without confusion about disparate role identification.

Implementation Scope

The applicable scope for CCSF implementation will vary with each enterprise. Some entities may take an exploratory approach and apply CCSF to a sub-entity to gain experience, while others may apply it to the entire enterprise at once. Such decisions are typically based on district business needs and budgets.

The reader should determine whether any legal and/or regulatory drivers will affect that scope. For example, the Health Insurance Portability and Accountability Act (HIPAA) describes specific objectives for “Meaningful Use” of certified electronic health record technology. Jurisdictional considerations may also impact the scope decisions—legal considerations in one country may be quite different from those in another portion of the world. These external drivers may influence the goals considered and the actions taken to improve cybersecurity.

Risk Considerations

Determination of the enterprise risk architecture is an important element of implementation Step 1 because many of the subsequent activities support maintaining a balance between realizing benefits and optimizing risk levels and resource use.

Many critical information sectors are subject to external drivers that impact those risk decisions. The financial sector, for example, has many factors that influence acceptable risk considerations. Documentation of these considerations and factors during Step 1 will support subsequent steps and will ensure that these important stakeholder goals are attained and tracked in accordance with regulatory management and reporting requirements.
Quality Management

Quality management overlays closely with effective cybersecurity practices. COBIT 5 process APO11 Manage quality describes the use and maintenance of a Quality Management System (QMS). Management practice APO11.01 states, “Establish and maintain a QMS that provides a standard, formal and continuous approach to quality management for information, enabling technology and business processes that are aligned with business requirements and enterprise quality management.”

Applying the APO11 management practices helps the district define and manage quality standards, practices, and procedures in accord with the prioritization and risk decisions agreed on in the CCSF Implementation steps described earlier in this document. Focusing quality management on customers and the stakeholder goals (as established in Phases 1 and 2), and integrating those quality management processes as part of the action plan, will help ensure alignment with mission needs. Performing quality monitoring, control and reviews helps ensure that district processes and technology are delivering value to the business, continuous improvement and transparency for stakeholders.
Critical infrastructure providers may have additional QMS requirements for enterprise systems. The relevant goals for management of such a QMS should be considered when developing Profiles and determining actions. Such readers may be guided by standards in the ISO 9000 family, including:
• ISO 9001:2008—Sets out the requirements of a QMS
• ISO 9000:2005—Covers the basic concepts and language
• ISO 9004:2009—Focuses on how to make a QMS more efficient and effective
• ISO 19011:2011—Sets out guidance on internal and external audits of QMS

Threat and Vulnerability Information

Members of the critical infrastructure community are particular targets of cybersecurity threats, often through innovative attack vectors. US users are especially encouraged to work with applicable groups such as Information Sharing and Analysis Centers (ISACs) and the Department of Homeland Security, including the US Computer Emergency Readiness Team (CERT). InfraGard, a partnership between the Federal Bureau of Investigation (FBI) and the private sector, is also helpful. It is an association of people who represent businesses, academic institutions, state and local law enforcement agencies, and other participants dedicated to sharing information and intelligence to prevent hostile acts.

The National Council of ISACs (NCI) may be helpful in identifying ways to assist in enterprise threat and vulnerability understanding. NCI exists to advance the physical and cybersecurity of the critical infrastructures of North America by establishing and maintaining a framework for valuable interaction between and among the ISACs and with government.

The Industrial Control System ISAC (ICS-ISAC) established a project known as the Situational Awareness Reference Architecture (SARA). SARA’s objective is to compile and publish an applied guide to the processes, practices, standards and technologies which facilities and others can use to establish situational awareness.

Enterprises should determine the conditions under which a vulnerability may be addressed. For example, some critical systems may not be able to be shut down to support an important patch, so mitigating controls should be identified to ensure appropriate means to achieve enterprise goals for both availability and security. These considerations apply to all people, processes and technology (as described in Section 1) that enable business functions.
Automated Indicator Sharing

The NIST Roadmap for Improving Critical Infrastructure Cybersecurity recommends the use of automated sharing of indicator information to provide districts with timely, actionable information that they can use to detect and respond to cybersecurity events as they are occurring. Recent intrusions have indicated that adversaries attack multiple sector participants at once, such as recent denial-of-service attacks against many members of the financial sector.

NIST recommends that districts “use a combination of standard and proprietary mechanisms to exchange indicators that can be used to bolster defenses and to support early detection of future attack attempts. These mechanisms have differing strengths and weaknesses and often require districts to maintain specific process, personnel, and technical capabilities.” CCSF implementers are encouraged to work with NIST and sector leadership to adopt and improve practical approaches to achieve automated indicator sharing.
Supply Chain Risk Management

Similarly, NIST promotes increased adoption of standards for supply chain risk management. NIST says that the “adoption of supply chain risk management standards, practices and guidelines requires greater awareness and understanding of the risk associated with the time-sensitive interdependencies throughout the supply chain, including in and between critical infrastructure sectors/subsectors. This understanding is vital to enable districts to assess their risk, prioritize, and allow for timely mitigation.”

CSF implementers are encouraged to include supply chain risk as a subset of the broad risk assessment and risk management activities. More information about supply chain risk management is available from NIST’s Computer Security Division.

Current and Target Profiles

During the initial development of the NIST guideline, it was pointed out that leadership of individual sectors (e.g., sector supporting agencies, sector councils, participating companies) might provide specific guidance on creation and maintenance of Current and Target Profiles. Such guidance might include: mapping from the CCSF Core to compliance frameworks, criteria for determining the thresholds described in Figure 17, or recommendations regarding Core Subcategories.

Framework Next Steps

In announcing the launch of the CCSF, the Special Assistant to the US President and the US Cybersecurity Coordinator, Michael Daniel, made three requests that are especially significant for the US critical infrastructure community:
• “We need you to kick the tires. We need districts to begin using the Framework and see how well it can work for different sizes and types of districts.”
• “We need your feedback to make the Framework better. We need you to share your experience with us on how using the Framework worked—or didn’t work—for your district. Feedback is essential to improving the Framework and making it better in future versions.”
• “In short, we need your continued engagement. The Framework is intended to be a living document. We need your collective experience and knowledge to make it better over time.”

CCSESA encourages all who implement this initial version of the Cybersecurity Framework to help improve its value, to provide feedback to the CCSF community and help this framework achieve its goal of improving cybersecurity risk management. Through CCSESA’s leadership and the new Cybersecurity Nexus (CSX), California districts can be particularly helpful to achieve that goal and safeguard enterprises around the globe.