Cybersecurity Framework - What are Pundits Saying?

Uploaded by jim-meyer, posted 10-Apr-2017.

Page 1: NIST Cybersecurity Framework – What are Industry Leaders Saying?

The Gartner Group

Deloitte

PwC – PricewaterhouseCoopers

Intel

ISACA COBIT 5

Department of Energy & the Electricity Subsector

LinkedIn CSF April 2016 © 2016 J2 Coordinated Response, LLC. All Rights Reserved. Page: 1

Page 2: The Gartner Group on the Framework

30% of organizations are using the NIST Cybersecurity Framework already.

50% of organizations will by 2020.

Really?? Is that your experience?

The Framework is neither too prescriptive, nor too vague.

It is a tool to communicate with senior management and the board.

Originally delivered June 2015 at National Harbor Place.


Page 3: The Cybersecurity Framework

The Executive Order directed the development of a voluntary, risk-based Cybersecurity Framework – a set of industry standards and best practices to help organizations manage cybersecurity risks.

The resulting Framework, created through collaboration between government and the private sector, is meant to:

– Use a common language to address and manage cybersecurity risk;

– Provide a cost-effective mechanism to do this; and

– Avoid placing additional regulatory requirements on businesses.


Page 4: Deloitte Retail Survey

In 2014, Deloitte surveyed executives in a diverse range of retail companies – both large and mid-sized.

The results reflect the Framework Tiers.

The survey did not focus on the Framework; it was much broader.

But, 20% of the respondents indicated they are using the Framework or plan to soon.

Deloitte (2015). 4 Ways to Engage Executives in Cyber Risk. Wall Street Journal: CIO Journal.

http://deloitte.wsj.com/cio/2015/07/20/4-ways-to-engage-executives-in-cyber-risk/.


Page 5: Cyber Security & Business Risk Management

[Chart: “Cybersecurity Focus & Business Risk Management” – Deloitte survey respondents distributed across the Framework Tiers (Tier 1 Partial, Tier 2 Risk Informed, Tier 3 Repeatable, Tier 4 Adaptive). Segment labels: “Ad hoc, not well organized.”; “Compliance focused.”; “Comply, but protect sensitive data & critical systems.”; “Focus on business risk; early maturity.”; “Business focus w/investment in threat intel and incident response.”; “Integrated with business risk governance.” Segment percentages as shown on the slide: 6%, 6%, 24%, 18%, 26%, 20%.]

Page 6: Integrated Risk Management

A key element of the Cybersecurity Framework is the integration of risk management.


Page 7: Or, in the words of PricewaterhouseCoopers (PwC):

“It’s important to note that the Framework casts the discussion of cybersecurity in the vocabulary of risk management and with good reason.”

“Executive leaders and board members typically are well-versed in risk management, and framing cybersecurity in this context will enable security leaders to more effectively articulate the importance and goals of cybersecurity.”

“It can also help organizations prioritize and validate investments based on risk management.”

https://www.pwc.com/us/en/increasing-it-effectiveness/publications/assets/adopt-the-nist.pdf


Page 8: Cybersecurity Framework in Action: Intel Use Case

Intel ran a prototype Framework assessment to evaluate its usefulness for their organization. It was deemed successful.

Phase 1 – Agree on the approach; set target scores for Functions and Categories, working with stakeholders; the core team performs an initial assessment.

Phase 2 – Assess current status; SMEs perform independent individual assessments to build the current profile.

Phase 3 – Analyze results; resolve and clarify differences in the current profile.

Phase 4 – Communicate results.

http://www.intel.com/content/www/us/en/government/cybersecurity-framework-in-action-use-case-brief.html


Page 9: Intel Approach

Intel made 3 significant adjustments to reflect their organization:

They extended Tiers to include People, Process, Technology, and Ecosystem (note: I didn’t borrow this term from Intel).

They defined the Tiers as a maturity model, more stringent than the guidance provided in the NIST documentation.

They added and removed subcategories, but this is expected.


Page 10: Intel Adjusted the Framework

In the Detect Function, a 4th Category was added: Threat Intelligence.

They kept the rest of the Categories, but created their own Subcategories to reflect their environment and nomenclature.

They also initially assessed at the Category level.

Subcategories were assessed only when more information was needed for an informed decision.


Page 11: Intel Findings

Total effort was 180 FTE hours.

Most of the effort was in Phase 1.

Much less effort went into the actual assessment/initial profile:

– SMEs received 1 hour of training, then recorded their assessment.

The following tools were developed:

– Risk scoring worksheet,

– Heat map, and

– Customized tier definitions.


Page 12: ISACA COBIT 5

ISACA CSX = Cybersecurity Nexus (ISACA’s branding for their cyber focus area).

From a document:

Implementing the NIST Cybersecurity Framework with COBIT 5 http://www.isaca.org/Education/COBIT-Education/Pages/Implementing-NIST-Cybersecurity-Framework-Using-COBIT-5.aspx

COBIT = Control Objectives for IT.

GEIT = Governance of Enterprise IT.

COBIT is 20 years old and now in release 5 = COBIT 5.


Page 13: COBIT 5 – Step by Step Input

For each step in the Framework implementation, the guide for applying COBIT 5 provides 2 useful lists:

Implementation Considerations:

– Purpose

– Inputs

– High-level activities

– Outputs

Relevant COBIT 5 practices.

Both lists provide valuable guidance even if COBIT 5 is not directly applied.

ISACA CMC April 2016 © 2016 J2 Coordinated Response, LLC.

All Rights Reserved. Page: 13

Page 14: Example: CSF Step 6 – COBIT 5 Phase 4

CSF Step 6 – Determine, Analyze, and Prioritize Gaps

COBIT 5 Phase 4 – What Needs to be Done?

Purpose – To understand what actions are required to attain stakeholder goals through identification of gaps between the current and target environments and alignment with organizational priorities and resources.

Inputs – (1) Target profile, (2) process, business and technical expertise, and (3) resource requirements.

High-level Activities – From identifying the gaps for each Subcategory to creating and recording an action plan.

Outputs – (1) Profile gap analysis, (2) prioritized action plan, (3) risk acceptance documentation, and (4) performance target.
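The gap analysis that CSF Step 6 describes, and the current-versus-target profile scoring of the Intel use case on pages 8 and 11, carried through as an added Python example that is not from the slides, Intel, NIST or ISACA; the Category ids, tier scores, impact weights and resource budget are constructed sample inputs.

```python
"""CSF Step 6 gap analysis: current vs target profile, prioritized action plan.
Added example; not code from the slide deck, Intel, NIST or ISACA. Scores are
Framework Tiers (1-4) per Category, assessed at the Category level as in the
Intel use case. All Category ids, scores and weights are constructed samples."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Gap:
    category: str  # CSF Category id, e.g. "ID.RA"
    current: int   # current profile tier (1-4)
    target: int    # target profile tier (1-4)
    impact: int    # constructed business-impact weight, 1 (low) to 3 (high)

    @property
    def size(self) -> int:
        return self.target - self.current

    @property
    def priority(self) -> int:
        # A bigger shortfall on a higher-impact Category ranks earlier.
        return self.size * self.impact


# Constructed sample profiles and impact weights (not a real assessment).
CURRENT = {"ID.AM": 2, "ID.RA": 1, "PR.AC": 3, "DE.CM": 2, "RS.RP": 1, "RC.RP": 3}
TARGET = {"ID.AM": 3, "ID.RA": 3, "PR.AC": 3, "DE.CM": 4, "RS.RP": 3, "RC.RP": 3}
IMPACT = {"ID.AM": 2, "ID.RA": 3, "PR.AC": 3, "DE.CM": 2, "RS.RP": 3, "RC.RP": 1}


def analyze_gaps(current, target, impact):
    """Output (1), profile gap analysis: Categories below target, highest priority first."""
    gaps = [Gap(c, current[c], target[c], impact[c]) for c in target if target[c] > current[c]]
    return sorted(gaps, key=lambda g: (-g.priority, g.category))


def plan(gaps, budget):
    """Outputs (2)-(4): fund gaps in priority order at one resource unit per tier step
    (input 3, resource requirements). A gap that does not fit is skipped, so a smaller
    later gap may still be funded; everything unfunded is recorded for explicit risk
    acceptance rather than silently dropped."""
    funded, accepted, spent = [], [], 0
    for g in gaps:
        if spent + g.size <= budget:
            funded.append(g)
            spent += g.size
        else:
            accepted.append(g)
    return {"action_plan": [(g.category, g.current, g.target) for g in funded],
            "risk_acceptance": [(g.category, g.current, g.target) for g in accepted],
            "performance_target": {g.category: g.target for g in funded}}
```

With the sample data and a budget of 5 tier steps, DE.CM is the gap that lands in the risk-acceptance record; raising the budget moves it into the action plan.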


Page 15: Example: CSF Step 6 – COBIT 5 Phase 4 (continued)

Relevant COBIT 5 Practices (a sampling):

EDM01.02 – Inform leaders and obtain their support.

APO02.05 – Define the strategic plan and roadmap.

APO02.06 – Communicate the IT strategy and direction.

APO08.04 – Work with stakeholders: coordinate and communicate.

BAI03.01 – Design high-level solutions.

NOTE: 27 COBIT 5 practices are identified for this CSF Step. Consider the practices a checklist; pick and choose those that apply.


Page 16: Electricity Subsector Cybersecurity Capability Maturity Model (ESC2M2)

Developed by the Electricity Sector in conjunction with the Department of Energy (DOE).

Originally published in May 2012 – 3 months after the Presidential Policy Directive (PPD) 21 on critical infrastructure.

Revised and republished in February 2014, concurrent with the NIST Cybersecurity Framework (CSF).

Published the “Energy Sector Cybersecurity Framework Implementation Guide” in January 2015.

– Presents the ESC2M2 as a Cybersecurity Framework implementation approach.

http://energy.gov/oe/cybersecurity-capability-maturity-model-c2m2-program/electricity-subsector-cybersecurity

© 2016 J2 Coordinated Response, LLC.

All Rights Reserved. ISACA CMC April 13, 2016 Page: 16

Page 17: Benefits of Using the ESC2M2 Approach to CSF Implementation

The Maturity Model:

Has the same goal as the Framework.

Has widespread use – the Model was released over 4 years ago, 2 years prior to the CSF release.

Supports benchmarking across the sector. But, CSF would, too.

Has 2 variants: one for Electricity and one for Natural Gas.

Is descriptive and readily applicable to organizations of different size, structure, and purpose.

– NOTE: The Model provides great guidance for a CSF assessment.

Gives complete coverage of Framework practices.

Employs progressive maturity levels.

Has a self-assessment toolkit.


Page 18: ESC2M2 has Ten Domains

That map nicely to the Cybersecurity Framework (CSF Functions or Categories listed after each domain):

1. Risk Management – ID-RM

2. Asset, Change, & Configuration Management – ID, PR, DE

3. Identity & Access Management – ID, PR

4. Threat and Vulnerability Management – ID, DE

5. Situational Awareness – PR, DE

6. Information Sharing & Communications – ID,

7. Event & Incident Response, Business Continuity – DE, RS, RC

8. Supply Chain & External Dependencies Management – ID

9. Workforce Management – ID

10. Cybersecurity Program Management – ID-GV

Page 19: ESC2M2 Objectives

Each Domain has:

Approach Objectives – 1 or more specific objectives, with activities specific to the domain.

A Management Objective – describes the level of institutional activities (institutionalization); fairly generic across domains.

Each objective has maturity steps – the maturity steps provide good guidance.


Page 20: For feedback contact us

Jim Bothe – [email protected] Mobile: (443) 956-8032

Jim Meyer – [email protected] Mobile: (301) 325-5563

Coordinated Response – A cybersecurity incident response planning and consulting firm – www.CoordinatedResponse.com

A Note on Incident Response & Security Assessments