The NIST Framework for Cybersecurity
Matthew Todd, SF Bay InfraGard
Get the Framework
The National Institute of Standards and Technology [NIST] Framework for Improving Critical Infrastructure Cybersecurity
http://www.nist.gov/cyberframework/
The Executive Order
“It is the Policy of the United States to enhance the security and resilience of the Nation’s critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties.” (Executive Order 13636, February 12, 2013)
This Executive Order calls for the development of a voluntary Cybersecurity Framework (“Framework”) that provides a “prioritized, flexible, repeatable, performance-based, and cost-effective approach” to manage cybersecurity risk.
What is it, exactly?
- Voluntary
- Risk-based framework
- Industry standards and best practices
- Provides organization, structure, and language
- Cost-effective
- Based on business needs
- Considers privacy
- Can complement or test existing programs
Key Goals of the Framework “Lifetime”
- Describe the current cybersecurity risk management posture
- Describe the target posture
- Identify and prioritize gaps
- Assess progress towards the target state
- Communicate with internal and external stakeholders
- Iterate
It may also be used outside of a cyclic process, as with a vendor.
The Framework: The Parts
- The Core: the essential elements of a cybersecurity program; a common language
- The Implementation Tiers: a way to talk about the extent and sophistication of risk management
- The Profiles: a description of current or target risk management programs
The Framework: Core
A matrix of:
- Functions
- Categories
- Subcategories
- Informative references
Describes activities and desired outcomes.
Functional areas: Identify, Protect, Detect, Respond, Recover
Core Functions and Categories (Function, Unique Identifier; Category, Unique Identifier):
- ID Identify: ID.AM Asset Management; ID.BE Business Environment; ID.GV Governance; ID.RA Risk Assessment; ID.RM Risk Management Strategy
- PR Protect: PR.AC Access Control; PR.AT Awareness and Training; PR.DS Data Security; PR.IP Information Protection Processes and Procedures; PR.MA Maintenance; PR.PT Protective Technology
- DE Detect: DE.AE Anomalies and Events; DE.CM Security Continuous Monitoring; DE.DP Detection Processes
- RS Respond: RS.RP Response Planning; RS.CO Communications; RS.AN Analysis; RS.MI Mitigation; RS.IM Improvements
- RC Recover: RC.RP Recovery Planning; RC.IM Improvements; RC.CO Communications

Example Core entries (Function / Category / Subcategory / Informative References):

Identify / Asset Management / ID.AM-1: Physical devices and systems within the organization are inventoried
  References: CCS CSC 1; COBIT 5 BAI09.01, BAI09.02; ISA 62443-2-1:2009 4.2.3.4; ISA 62443-3-3:2013 SR 7.8; ISO/IEC 27001:2013 A.8.1.1, A.8.1.2; NIST SP 800-53 Rev. 4 CM-8

Detect / Security Continuous Monitoring / DE.CM-6: External service provider activity is monitored to detect potential cybersecurity events
  References: COBIT 5 APO07.06; ISO/IEC 27001:2013 A.14.2.7, A.15.2.1; NIST SP 800-53 Rev. 4 CA-7, PS-7, SA-4, SA-9, SI-4

Recover / Improvements / RC.IM-1: Recovery plans incorporate lessons learned
  References: COBIT 5 BAI05.07; ISA 62443-2-1:2009 4.4.3.4; NIST SP 800-53 Rev. 4 CP-2, IR-4, IR-8
The Framework: Implementation Tiers
- Perspective on risks, and the extent of mitigation
- Organization-wide
- Four Tiers: Partial, Risk-informed, Repeatable, Adaptive
- Can be used with executive management
- How to use the Tiers is not clearly defined in the Framework!
The Framework: Profiles
- A Profile is a description of a risk management program
- Current Profile is an assessment of the current state
- Target Profile is a goal state, considering: risks; business requirements; available resources; regulatory or other requirements
- Current vs. Target is the gap
Organizational Structure
(Diagram: three levels with information flowing between them)
- Executive Level: risk management
- Business/Process Level: exchanges BIA / risk assessment and budget and priorities with the executive level
- Implementation/Operations Level: implementation; receives the desired profile from, and reports progress to goal back to, the business/process level
Put it All Together: A Basic Security Program
1. Identify business objectives and scope
2. Identify context (environment, regulations, etc.)
3. Create a Current Profile
4. Conduct a risk assessment
5. Create a Target Profile
6. Identify and prioritize gaps
7. Create and implement an action plan
8. Iterate!
Caution
The framework relies on your ability to objectively:
- Identify current risk
- Assess mitigating controls
Acknowledged risks can be used against you:
- Privacy risks
- Competing risks
- Seek independent counsel
Prioritize: “What” and “Why”
Ensure that privacy requirements are considered.
Identify and empower the right business owner to make key risk decisions.
Other Sources
- SANS Critical Security Controls: 20 key controls; available at http://www.sans.org/critical-security-controls
- ISO/IEC 27000-series: international standard for information security; certifications are available, but (generally) non-US based
- Federal Financial Institution Examination Council (FFIEC) examination “handbooks”: “…uniform principles, standards, and report forms for the federal examination of financial institutions”; http://ithandbook.ffiec.gov/
- US-CERT C-Cubed: http://www.us-cert.gov/ccubedvp/getting-started-business
- PCI/DSS
- SSAE 16/SOC 2
The Framework Template
- An Excel spreadsheet
- Set high/low water marks
- Highlights areas in yellow and red
- Rolls up to categories
- Can be used internally or with vendors
- Available at member site or on request
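The Current-vs-Target gap, the roll-up to categories and the yellow/red water marks described in the Profiles and Template slides, worked as a small script. This is an added example, not the speaker's spreadsheet: the subcategory ids are CSF Core identifiers, but the maturity scores, the 0-4 scale and the water-mark thresholds are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample maturity scores (0 = not addressed ... 4 = adaptive),
# keyed by CSF Core subcategory id. The ids are real CSF identifiers
# (ID.AM-2 is the software inventory subcategory); the scores are made up.
CURRENT = {"ID.AM-1": 3, "ID.AM-2": 1, "RC.IM-1": 2}   # DE.CM-6 not yet assessed
TARGET = {"ID.AM-1": 3, "ID.AM-2": 3, "DE.CM-6": 3, "RC.IM-1": 3}


@dataclass
class Gap:
    subcategory: str
    current: int
    target: int

    @property
    def size(self) -> int:
        # A current score above the target is not a gap.
        return max(self.target - self.current, 0)


def category_of(subcategory: str) -> str:
    """'DE.CM-6' -> 'DE.CM' (Function.Category prefix of the id)."""
    return subcategory.split("-", 1)[0]


def compute_gaps(current: dict, target: dict) -> list:
    """One Gap per Target Profile entry; unassessed subcategories count as 0."""
    return [Gap(s, current.get(s, 0), t) for s, t in target.items()]


def rollup(gaps: list) -> dict:
    """Roll subcategory gaps up to category level, keeping the largest gap."""
    by_category = defaultdict(int)
    for g in gaps:
        cat = category_of(g.subcategory)
        by_category[cat] = max(by_category[cat], g.size)
    return dict(by_category)


def rating(gap: int, low: int = 1, high: int = 2) -> str:
    """Water marks: gap >= high -> red, gap >= low -> yellow, else green."""
    if gap >= high:
        return "red"
    return "yellow" if gap >= low else "green"


def prioritized(gaps: list) -> list:
    """Action-plan order: largest gaps first; ties keep the input order."""
    return [g.subcategory for g in sorted(gaps, key=lambda g: -g.size)]
```

Running `rollup(compute_gaps(CURRENT, TARGET))` flags DE.CM and ID.AM red and RC.IM yellow, and `prioritized` puts the unassessed DE.CM-6 at the top of the action plan.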
Q&A