The NIST Framework for Cybersecurity
Matthew Todd
SF Bay InfraGard
Get the Framework
The National Institute of Standards and Technology [NIST]
Framework for Improving Critical Infrastructure Cybersecurity
http://www.nist.gov/cyberframework/
The Executive Order
“It is the Policy of the United States to enhance the security and resilience of the Nation’s critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties.”
Executive Order 13636, February 12, 2013
This Executive Order calls for the development of a voluntary Cybersecurity Framework (“Framework”) that provides a “prioritized, flexible, repeatable, performance-based, and cost-effective approach” to manage cybersecurity risk.
What is it, exactly?
• Voluntary
• Risk-based framework
• Industry standards and best practices
• Provides organization, structure, and language
• Cost-effective
• Based on business needs
• Considers privacy
• Can complement or test existing programs
Key Goals of the Framework “Lifetime”
1. Describe the current cybersecurity risk management posture
2. Describe the target posture
3. Identify and prioritize gaps
4. Assess progress towards the target state
5. Communicate with internal and external stakeholders
6. Iterate
It may be used outside of a cyclic process, as with a vendor.
The Framework: The Parts
• The Core
  • The essential elements of a cybersecurity program
  • A common language
• The Implementation Tiers
  • A way to talk about the extent and sophistication of risk management
• The Profiles
  • A description of current or target risk management programs
The Framework: Core
• A matrix of:
  • Functions
  • Categories
  • Subcategories
  • Informative references
• Describes activities and desired outcomes
• Functional areas:
  • Identify
  • Protect
  • Detect
  • Respond
  • Recover
Function Unique Identifier / Function
    Category Unique Identifier / Category
(The Subcategory and References columns are filled in on the example slides that follow.)

ID  Identify
    ID.AM  Asset Management
    ID.BE  Business Environment
    ID.GV  Governance
    ID.RA  Risk Assessment
    ID.RM  Risk Management Strategy
PR  Protect
    PR.AC  Access Control
    PR.AT  Awareness and Training
    PR.DS  Data Security
    PR.IP  Information Protection Processes and Procedures
    PR.MA  Maintenance
    PR.PT  Protective Technology
DE  Detect
    DE.AE  Anomalies and Events
    DE.CM  Security Continuous Monitoring
    DE.DP  Detection Processes
RS  Respond
    RS.RP  Response Planning
    RS.CO  Communications
    RS.AN  Analysis
    RS.MI  Mitigation
    RS.IM  Improvements
RC  Recover
    RC.RP  Recovery Planning
    RC.IM  Improvements
    RC.CO  Communications
Function: Detect
Category: Security Continuous Monitoring
Subcategory: DE.CM-6: External service provider activity is monitored to detect potential cybersecurity events
References: COBIT 5 APO07.06; ISO/IEC 27001:2013 A.14.2.7, A.15.2.1; NIST SP 800-53 Rev. 4 CA-7, PS-7, SA-4, SA-9, SI-4

Function: Identify
Category: Asset Management
Subcategory: ID.AM-1: Physical devices and systems within the organization are inventoried
References: CCS CSC 1; COBIT 5 BAI09.01, BAI09.02; ISA 62443-2-1:2009 4.2.3.4; ISA 62443-3-3:2013 SR 7.8; ISO/IEC 27001:2013 A.8.1.1, A.8.1.2; NIST SP 800-53 Rev. 4 CM-8

Function: Recover
Category: Improvements
Subcategory: RC.IM-1: Recovery plans incorporate lessons learned
References: COBIT 5 BAI05.07; ISA 62443-2-1:2009 4.4.3.4; NIST SP 800-53 Rev. 4 CP-2, IR-4, IR-8
The Framework: Implementation Tiers
• Perspective on risks, and the extent of mitigation
• Organization-wide
• Four Tiers:
  1. Partial
  2. Risk-informed
  3. Repeatable
  4. Adaptive
• Can be used with executive management
How to use the Tiers is not clearly defined in the Framework!
The Framework: Profiles
• A Profile is a description of a risk management program
• Current Profile is an assessment of the current state
• Target Profile is a goal state, considering:
  • Risks
  • Business requirements
  • Available resources
  • Regulatory or other requirements
• Current vs. Target is the gap
Implementation
[Figure: risk management organizational structure. Three levels: Executive Level, Business/Process Level, Implementation/Operations Level. Flows between the levels: Budget and Priorities, Desired Profile, Progress to Goal, BIA/Risk Assessment.]
Put it All Together: A Basic Security Program
1. Identify Business Objectives and Scope
2. Identify Context (environment, regulations, etc.)
3. Create a Current Profile
4. Conduct a Risk Assessment
5. Create a Target Profile
6. Identify and prioritize gaps
7. Create and implement an Action Plan
8. Iterate!
Caution
• The framework relies on your ability to objectively:
  • Identify current risk
  • Assess mitigating controls
• Acknowledged risks can be used against you.
• Privacy risks
• Competing risks
Seek independent counsel
Prioritize: “What” and “Why”
Ensure that privacy requirements are considered
Identify and empower the right business owner to make key risk decisions
Other Sources
• SANS Critical Security Controls
  • 20 key controls
  • Available at http://www.sans.org/critical-security-controls
• ISO/IEC 27000-series
  • International standard for information security
  • Certifications are available, but non-US based (generally)
• Federal Financial Institutions Examination Council (FFIEC)
  • Examination “handbooks”
  • “…uniform principles, standards, and report forms for the federal examination of financial institutions”
  • http://ithandbook.ffiec.gov/
• US-CERT C-Cubed
  • http://www.us-cert.gov/ccubedvp/getting-started-business
• PCI/DSS
• SSAE 16/SOC 2
The Framework Template
• An Excel spreadsheet
• Set high/low water marks
• Highlights areas in yellow and red
• Rolls up to categories
• Can be used internally or with vendors
Available at member site or on request
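The Profiles slide (Current vs. Target is the gap) and the Template slide (water marks, red/yellow highlighting, roll-up to categories) describe one computation. The Python below is an added example of that computation; it is not the speaker's spreadsheet and not NIST code. Its assumptions: Subcategories are scored on a 0-4 scale (a scoring convenience, not the Framework's organization-wide Implementation Tiers), the water marks LOW_WATER/HIGH_WATER and the CURRENT/TARGET numbers are constructed sample data, and a Category roll-up carries the worst Subcategory flag rather than only the average. The Core rows DE.CM-6, ID.AM-1 and RC.IM-1 are the ones shown in the slides; ID.AM-2 is taken from CSF v1.0 (not on the slides, references abbreviated) so that one Category has two Subcategories to roll up.

```python
"""Current-vs-Target Profile gap analysis with Category roll-up and water marks.

Added example; this is not the deck's spreadsheet template. Scores are on an
assumed 0-4 scale per Subcategory (an assumption, NOT the Framework's four
organization-wide Implementation Tiers).
"""
from dataclasses import dataclass
from statistics import mean
from typing import Optional

# Slice of the Framework Core: subcategory -> (Function, Category, outcome, references).
# DE.CM-6, ID.AM-1 and RC.IM-1 are the rows shown on the slides; ID.AM-2 is taken
# from CSF v1.0 (not on the slides, references abbreviated) so that one Category
# has two Subcategories to roll up.
CORE = {
    "ID.AM-1": ("Identify", "Asset Management",
                "Physical devices and systems within the organization are inventoried",
                ["CCS CSC 1", "COBIT 5 BAI09.01, BAI09.02", "ISA 62443-2-1:2009 4.2.3.4",
                 "ISA 62443-3-3:2013 SR 7.8", "ISO/IEC 27001:2013 A.8.1.1, A.8.1.2",
                 "NIST SP 800-53 Rev. 4 CM-8"]),
    "ID.AM-2": ("Identify", "Asset Management",
                "Software platforms and applications within the organization are inventoried",
                ["NIST SP 800-53 Rev. 4 CM-8"]),
    "DE.CM-6": ("Detect", "Security Continuous Monitoring",
                "External service provider activity is monitored to detect potential "
                "cybersecurity events",
                ["COBIT 5 APO07.06", "ISO/IEC 27001:2013 A.14.2.7, A.15.2.1",
                 "NIST SP 800-53 Rev. 4 CA-7, PS-7, SA-4, SA-9, SI-4"]),
    "RC.IM-1": ("Recover", "Improvements",
                "Recovery plans incorporate lessons learned",
                ["COBIT 5 BAI05.07", "ISA 62443-2-1:2009 4.4.3.4",
                 "NIST SP 800-53 Rev. 4 CP-2, IR-4, IR-8"]),
}

# Constructed Current and Target Profiles (sample data, not a real assessment).
CURRENT = {"ID.AM-1": 3, "ID.AM-2": 1, "DE.CM-6": 0, "RC.IM-1": 2}
TARGET = {"ID.AM-1": 4, "ID.AM-2": 3, "DE.CM-6": 3, "RC.IM-1": 3}

# Assumed water marks: below LOW is red, below HIGH is yellow, otherwise green.
LOW_WATER, HIGH_WATER = 1, 3
_SEVERITY = {"red": 0, "yellow": 1, "green": 2}


@dataclass
class Row:
    key: str            # Subcategory id, or Category id (e.g. "ID.AM") for a roll-up
    function: str
    category: str
    current: float
    target: float
    worst_flag: Optional[str] = None  # roll-ups carry the worst Subcategory flag

    @property
    def gap(self) -> float:
        return max(self.target - self.current, 0)

    @property
    def flag(self) -> str:
        if self.worst_flag:
            return self.worst_flag
        if self.current < LOW_WATER:
            return "red"
        if self.current < HIGH_WATER:
            return "yellow"
        return "green"


def subcategory_rows(current, target):
    """One Row per Core Subcategory. A Subcategory absent from a Profile scores 0:
    'not assessed' is treated as 'not done', so it surfaces as red rather than vanishing."""
    return [Row(sub, fn, cat, float(current.get(sub, 0)), float(target.get(sub, 0)))
            for sub, (fn, cat, _outcome, _refs) in CORE.items()]


def category_rollup(rows):
    """Roll Subcategory rows up to their Category (the id prefix before '-').
    Scores are averaged, but the flag is the worst Subcategory flag so that a single
    red Subcategory cannot be averaged away in the summary view."""
    groups = {}
    for r in rows:
        groups.setdefault(r.key.split("-")[0], []).append(r)
    rollups = []
    for cat_id, rs in sorted(groups.items()):
        worst = min((r.flag for r in rs), key=_SEVERITY.get)
        rollups.append(Row(cat_id, rs[0].function, rs[0].category,
                           mean(r.current for r in rs), mean(r.target for r in rs), worst))
    return rollups


def prioritized_gaps(rows):
    """'Identify and prioritize gaps': largest gap first, red before yellow on ties."""
    return sorted((r for r in rows if r.gap > 0),
                  key=lambda r: (-r.gap, _SEVERITY[r.flag], r.key))


def render(rows):
    """Text rendering of what the spreadsheet colours: one line per Row."""
    return [f"{r.flag:6} {r.key:8} cur={r.current:.1f} tgt={r.target:.1f} gap={r.gap:.1f}  "
            f"{r.function}/{r.category}" for r in rows]


if __name__ == "__main__":
    rows = subcategory_rows(CURRENT, TARGET)
    print("\n".join(render(prioritized_gaps(rows))))
    print("-- roll-up --")
    print("\n".join(render(category_rollup(rows))))
```

Running the file prints the prioritized gap list (DE.CM-6 first, with a gap of 3 and a red flag) followed by the Category roll-up. Two design choices matter in practice: a Subcategory missing from a Profile is scored 0 rather than skipped, so an unassessed area shows up red instead of disappearing from the report, and the roll-up keeps the worst Subcategory flag, because averaging a red Subcategory with a green one would otherwise present the Category as yellow to executive management.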
Q&A