
National Institute of Standards and Technology (NIST)

NIST Cybersecurity Framework

Business frameworks play an integral part in the development of strategy and the execution of it. They provide a systematic approach to decision-making, allowing organisations to assess their current situation, identify areas for improvement, and develop plans for growth and success.

Cyber Security is no different … “You need a framework!”

Introduction

The National Institute of Standards and Technology (NIST) is a US-based organisation and part of the US Department of Commerce.

The NIST Cybersecurity Framework (CSF) is one of the most widely used cybersecurity frameworks in the world, including in Australia. The CSF provides a basis for improved communication regarding cybersecurity expectations, planning, and the resources needed to manage cybersecurity risks.

It also offers a common vocabulary of high-level cybersecurity outcomes that can be used by any organisation regardless of its size, sector, or maturity to better understand, assess, prioritize, and communicate its cybersecurity efforts.

CSF Core

The CSF Core is built around six Functions: GOVERN, IDENTIFY, PROTECT, DETECT, RESPOND and RECOVER. They organize cybersecurity outcomes at their highest level.

[Figure: the six CSF Core Functions. Draft note: confirm whether this image can be used or must be redrawn; discuss with Andrew (legal reasons).]

CSF Organizational Profiles

A CSF Organizational Profile describes an organization’s current and/or target cybersecurity posture in terms of the Core’s outcomes.

The five (5) steps shown in the figure illustrate one way that a business could use an organizational profile to help inform continuous improvement of its cybersecurity.

[Figure: the five steps for creating and using an Organizational Profile. Draft note: confirm whether this image can be used or must be redrawn; discuss with Andrew (legal reasons).]

STEP 1.

Scope the Organizational Profile.

An organization can have as many Organizational Profiles as desired, each with a different scope.

Example:

A Profile could address an entire organization, or it could be scoped to an organization’s financial systems to counter ransomware threats.

STEP 2.

Gather the information needed to prepare the Organizational Profile.

Example:

Organizational policies, risk management priorities and resources, enterprise risk profiles, business impact analysis (BIA) registers, cybersecurity requirements and standards followed by the organization, practices and tools (e.g., procedures and safeguards), and work roles.

STEP 3.

Create the Organizational Profile.

Determine what types of information the Profile should include for the selected CSF outcomes, and document the needed information.

STEP 4.

Analyse the gaps between the Current and Target Profiles, and create an action plan.

Conduct a gap analysis to identify and analyse the differences between the Current and Target Profiles, and develop a prioritized action plan (e.g., risk register, risk detail report, Plan of Action and Milestones [POA&M]) to address those gaps.

STEP 5.

Implement the action plan, and update the Organizational Profile.

Follow the action plan to address the gaps and move the organization toward the Target Profile. An action plan may have an overall deadline or be ongoing.


CSF Tiers

An organization can choose to also use Tiers to inform its Current and Target Profiles.

Tiers characterize the rigor of an organization’s cybersecurity risk governance and management practices, and they provide context for how an organization views cybersecurity risks and the processes in place to manage those risks.

[Figure: the four CSF Tiers (Partial, Risk Informed, Repeatable, Adaptive). Draft note: confirm whether this image can be used or must be redrawn; discuss with Andrew (legal reasons).]

Table ‘A’ Notional Illustration of the CSF Tiers

Each Tier is described in two columns: Cybersecurity Risk Governance and Cybersecurity Risk Management.

Tier 1. Partial

Cybersecurity Risk Governance

Application of the organizational cybersecurity risk strategy is managed in an ad hoc manner.

Prioritization is ad hoc and not formally based on objectives or threat environment.

Cybersecurity Risk Management

There is limited awareness of cybersecurity risks at the organizational level.

The organization implements cybersecurity risk management on an irregular, case-by-case basis.

The organization may not have processes that enable cybersecurity information to be shared within the organization.

The organization is generally unaware of the cybersecurity risks associated with its suppliers and the products and services it acquires and uses.

Tier 2. Risk Informed

Cybersecurity Risk Governance

Risk management practices are approved by management but may not be established as organization-wide policy.

The prioritization of cybersecurity activities and protection needs is directly informed by organizational risk objectives, the threat environment, or business / mission requirements.

Cybersecurity Risk Management

There is an awareness of cybersecurity risks at the organizational level, but an organization-wide approach to managing cybersecurity risks has not been established.

Consideration of cybersecurity in organizational objectives and programs may occur at some but not all levels of the organization.

Cyber risk assessment of organizational and external assets occurs but is not typically repeatable or reoccurring.

Cybersecurity information is shared within the organization on an informal basis.

The organization is aware of the cybersecurity risks associated with its suppliers and the products and services it acquires and uses, but it does not act consistently or formally in response to those risks.

Tier 3. Repeatable

Cybersecurity Risk Governance

The organization’s risk management practices are formally approved and expressed as policy.

Risk-informed policies, processes, and procedures are defined, implemented as intended, and reviewed.

Organizational cybersecurity practices are regularly updated based on the application of risk management processes to changes in business / mission requirements, threats, and technological landscape.

Cybersecurity Risk Management

There is an organization-wide approach to managing cybersecurity risks. Cybersecurity information is routinely shared throughout the organization.

Consistent methods are in place to respond effectively to changes in risk. Personnel possess the knowledge and skills to perform their appointed roles and responsibilities.

The organization consistently and accurately monitors the cybersecurity risks of assets. Senior cybersecurity and non-cybersecurity executives communicate regularly regarding cybersecurity risks. Executives ensure that cybersecurity is considered through all lines of operation in the organization.

The organization risk strategy is informed by the cybersecurity risks associated with its suppliers and the products and services it acquires and uses.

Personnel formally act upon those risks through mechanisms such as written agreements to communicate baseline requirements, governance structures (e.g., risk councils), and policy implementation and monitoring.

These actions are implemented consistently and as intended and are continuously monitored and reviewed.

Tier 4. Adaptive

Cybersecurity Risk Governance

There is an organization-wide approach to managing cybersecurity risks that uses risk-informed policies, processes, and procedures to address potential cybersecurity events.

The relationship between cybersecurity risks and organizational objectives is clearly understood and considered when making decisions.

Executives monitor cybersecurity risks in the same context as financial and other organizational risks. The organizational budget is based on an understanding of the current and predicted risk environment and risk tolerance.

Business units implement executive vision and analyse system-level risks in the context of the organizational risk tolerances.

Cybersecurity risk management is part of the organizational culture. It evolves from an awareness of previous activities and continuous awareness of activities on organizational systems and networks.

The organization can quickly and efficiently account for changes to business / mission objectives in how risk is approached and communicated.

Cybersecurity Risk Management

There is an organization-wide approach to managing cybersecurity risks. Cybersecurity information is routinely shared throughout the organization.

Consistent methods are in place to respond effectively to changes in risk. Personnel possess the knowledge and skills to perform their appointed roles and responsibilities.

The organization consistently and accurately monitors the cybersecurity risks of assets. Senior cybersecurity and non-cybersecurity executives communicate regularly regarding cybersecurity risks.

Executives ensure that cybersecurity is considered through all lines of operation in the organization.

The organization risk strategy is informed by the cybersecurity risks associated with its suppliers and the products and services it acquires and uses.

Personnel formally act upon those risks through mechanisms such as written agreements to communicate baseline requirements, governance structures (e.g., risk councils), and policy implementation and monitoring.

These actions are implemented consistently and as intended and are continuously monitored and reviewed.

Categories

Each Core Function of the Cybersecurity Framework is divided into Categories, which are related cybersecurity outcomes that collectively comprise the Function.

Table ‘C’ CSF 2.0 Core Function and Category names and identifiers

Each Function is listed with its Categories, giving the identifier followed by the Category name.

Govern (GV)
GV.OC Organizational Context
GV.RM Risk Management Strategy
GV.RR Roles, Responsibilities, and Authorities
GV.PO Policy
GV.OV Oversight
GV.SC Cybersecurity Supply Chain Risk Management

Identify (ID)
ID.AM Asset Management
ID.RA Risk Assessment
ID.IM Improvement

Protect (PR)
PR.AA Identity Management, Authentication, and Access Control
PR.AT Awareness and Training
PR.DS Data Security
PR.PS Platform Security
PR.IR Technology Infrastructure Resilience

Detect (DE)
DE.CM Continuous Monitoring
DE.AE Adverse Event Analysis

Respond (RS)
RS.MA Incident Management
RS.AN Incident Analysis
RS.CO Incident Response Reporting and Communication
RS.MI Incident Mitigation

Recover (RC)
RC.RP Incident Recovery Plan Execution
RC.CO Incident Recovery Communication

These categories will resonate with those charged with operationalizing risk management within an organization and simplify the process of developing your cybersecurity policies, plans & procedures.
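Steps 4 and 5 of the Organizational Profile process, together with the Tiers and Category identifiers in Tables ‘A’ and ‘C’, worked through on constructed data as an added example (this is not code from the page or from NIST). It records a Current and a Target Profile as a Tier per Category identifier, runs the gap analysis, orders the gaps into a POA&M-style action plan, and updates the Current Profile once an action is complete. The sample profile values, the per-Category use of Tiers, the prioritisation rule (widest gap first, then weakest current Tier, then Function order) and the Tier 1 default for unassessed Categories are all assumptions of this example.

```python
from dataclasses import dataclass

# Tier names from Table 'A' and Function prefixes from Table 'C' of the page.
TIERS = {1: "Partial", 2: "Risk Informed", 3: "Repeatable", 4: "Adaptive"}
FUNCTION_ORDER = {"GV": 0, "ID": 1, "PR": 2, "DE": 3, "RS": 4, "RC": 5}

# Constructed sample data (not a real assessment): Category identifier -> Tier.
CURRENT_PROFILE = {"GV.SC": 1, "ID.AM": 2, "PR.AA": 2, "DE.CM": 1, "RS.MA": 3, "RC.RP": 3}
TARGET_PROFILE = {"GV.SC": 3, "ID.AM": 3, "PR.AA": 4, "DE.CM": 3, "RS.MA": 3, "RC.RP": 4}

@dataclass(frozen=True)
class Gap:
    category: str  # e.g. "GV.SC" (Cybersecurity Supply Chain Risk Management)
    current: int   # Tier recorded in the Current Profile
    target: int    # Tier recorded in the Target Profile

    @property
    def size(self) -> int:
        return self.target - self.current

def _check(category: str, tier: int) -> None:
    if category[:2] not in FUNCTION_ORDER or category[2:3] != ".":
        raise ValueError(f"not a CSF 2.0 Category identifier: {category}")
    if tier not in TIERS:
        raise ValueError(f"{category}: Tier must be 1-4, got {tier}")

def gap_analysis(current: dict, target: dict) -> list:
    """Step 4: a Category is a gap when its Target Tier exceeds its Current Tier.
    Assumption (not from the page): a Category absent from Current counts as Tier 1."""
    gaps = []
    for category, tgt in target.items():
        cur = current.get(category, 1)
        _check(category, tgt)
        _check(category, cur)
        if tgt > cur:
            gaps.append(Gap(category, cur, tgt))
    return gaps

def action_plan(gaps: list) -> list:
    """Prioritise: widest gap first, then weakest current Tier, then Function order."""
    return sorted(gaps, key=lambda g: (-g.size, g.current, FUNCTION_ORDER[g.category[:2]]))

def poam_lines(plan: list) -> list:
    """Render the plan as Plan of Action and Milestones (POA&M) entries."""
    return [f"{g.category}: Tier {g.current} ({TIERS[g.current]}) -> "
            f"Tier {g.target} ({TIERS[g.target]})" for g in plan]

def update_profile(current: dict, done: Gap) -> dict:
    """Step 5: a completed action lifts the Current Profile to the Target Tier."""
    return {**current, done.category: done.target}
```

Calling poam_lines(action_plan(gap_analysis(CURRENT_PROFILE, TARGET_PROFILE))) lists the five open gaps with the supply chain and monitoring Categories first, and re-running the analysis on update_profile(...) after closing one shows the plan shrinking.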