NIST Cybersecurity Framework (CSF): Part 1
Overview
  • Module Structure:

    • Module 1: NIST Frameworks

    • Module 2: Privacy and Data Security Standards

    • Module 3: CIS Critical Security Controls: Part 1

    • Module 4: CIS Critical Security Controls: Part 2

    • Module 5: COBIT 2019 Framework

Importance of Information Technology in Organizations
  • IT Definition: The systematic use of hardware and software to modify, access, and store data securely and efficiently.

  • Rapid IT evolution demands regular tech evaluations.

Purpose of Technology Adoption in Organizations
  • Organizations adopt technology to:

    • Enhance/support business operations.

    • Protect digital and physical assets.

  • Effective management information systems are crucial.

National Institute of Standards and Technology (NIST) Background
  • Established: 1901, to boost U.S. industrial competitiveness and research.

  • Cybersecurity Focus: Began in 1995 with SP 800-12.

  • Key Frameworks: NIST CSF, Privacy Framework, SP 800-53.

Cybersecurity Framework (CSF) Overview
  • Type: Voluntary framework for cybersecurity risk management.

  • Components:

    1. CSF Core

    2. CSF Tiers

    3. CSF Organizational Profiles

CSF Core
  • Purpose: Describes cybersecurity outcomes for any organization, reducing risks.

  • Six Core Functions (Concurrent Phases):

    1. Identify (ID): Understand assets, suppliers, risks.

    2. Protect (PR): Secure assets to prevent/reduce incidents.

    3. Detect (DE): Discover attacks/incidents promptly.

    4. Respond (RS): Contain incident effects.

    5. Recover (RC): Restore operations post-incident.

    6. Govern (GV): Overall management; implied across the other five functions.

Details of CSF Core Functions
Identify (ID)
  • Focus: Understanding assets, suppliers, and cyber risks.

  • Goal: Improve risk management policies and practices.

Protect (PR)
  • Focus: Safeguarding assets to prevent/reduce cyber events.

  • Examples: Identity/access control, training, data/platform security, infrastructure resiliency.

Detect (DE)
  • Focus: Timely attack discovery via anomaly/indicator analysis.

Respond (RS)
  • Focus: Containing cyber incident effects.

  • Includes: Incident management, analysis, mitigation, reporting, communication.

Recover (RC)
  • Focus: Restoring normal operations post-incident; emphasizes recovery communication.

CSF Function Categories
  • Core functions broken into:

    • Categories: Link outcomes to specific activities.

    • Subcategories: Detail management/technical actions for outcomes.

CSF Practical Illustration: Falcon CPAs and Associates
  • Scenario: Using NIST-aligned monitoring software, Falcon found high-risk behaviors (unauthorized weekend access, excessive USB use) that had led to data theft.

  • Response: Impact analysis, employee communication, mitigation, data restoration, enhanced protection, disciplinary/legal actions.

Concept of Concurrent Protective Measures
  • Analogy: A locked door (prevention) plus a security camera (detection) deters break-ins more effectively.

  • NIST Application: Detection tools combined with preventive controls improve overall security and deter unauthorized access.

NIST Cybersecurity Framework (CSF): Part 2

CSF Tiers
  • Overview: Measures organizational security sophistication across four tiers.

  • Purpose: Benchmark the organization's cyber risk management approach; the tiers are not prescriptive for how CSF functions are implemented.

    1. Tier 1 (Partial): Reactive risk, minimal awareness, irregular efforts.

    2. Tier 2 (Risk-Informed): Risk-based priorities, often isolated; general awareness, inconsistent responses.

    3. Tier 3 (Repeatable): Established policies with routine updates; organization-wide monitoring.

    4. Tier 4 (Adaptive): Comprehensive, cybersecurity embedded in culture; continuous improvement against evolving threats.

CSF Organizational Profiles
  • Purpose: Measure CSF implementation success.

    • Current Profile: Describes existing cyber posture outcomes.

    • Target Profile: Defines desired future posture goals.

    • Community Profiles: Industry-wide collaborative outcomes.

Organizational Profile Development Steps
  • NIST's five steps:

    1. Scope the Organizational Profile.

    2. Gather pertinent information.

    3. Create the Organizational Profile.

    4. Analyze gaps (Current vs. Target), create action plan.

    5. Implement plan, revise profile.
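The five-step profile cycle above, as an added Python example that is not NIST's or the course's own material: constructed outcomes and Current/Target Profiles scored on the Tier scale, a gap analysis that orders the largest gaps first (step 4), and a revision of the Current Profile once an action item is implemented (step 5). The outcome ids and descriptions are constructed for illustration, not official CSF subcategories.

```python
from dataclasses import dataclass, field
# Scoring scale per outcome: the four CSF Tiers (1 Partial .. 4 Adaptive).
TIERS = {1: "Partial", 2: "Risk-Informed", 3: "Repeatable", 4: "Adaptive"}

@dataclass(frozen=True)
class Outcome:
    function: str     # CSF Function code: GV, ID, PR, DE, RS or RC
    ident: str        # constructed id for this example, not an official CSF subcategory
    description: str

@dataclass
class Profile:
    name: str                                   # "Current" or "Target"
    levels: dict = field(default_factory=dict)  # outcome id -> tier 1..4

def gap_analysis(current, target, outcomes):
    """Step 4: compare Current vs Target for every outcome; return gaps, largest first."""
    gaps = []
    for o in outcomes:
        cur = current.levels.get(o.ident, 1)    # never assessed: assume Tier 1 (Partial)
        tgt = target.levels.get(o.ident, cur)   # no target stated: hold the current level
        if cur not in TIERS or tgt not in TIERS:
            raise ValueError(f"{o.ident}: tiers must be 1..4, got {cur}/{tgt}")
        if tgt > cur:
            gaps.append({"id": o.ident, "function": o.function, "current": cur,
                         "target": tgt, "gap": tgt - cur, "what": o.description})
    gaps.sort(key=lambda g: (-g["gap"], g["function"], g["id"]))
    return gaps

def action_plan(gaps):
    """Step 4, second half: one ordered action item per gap."""
    return [f"{g['id']} ({g['function']}): raise '{g['what']}' from Tier {g['current']} "
            f"{TIERS[g['current']]} to Tier {g['target']} {TIERS[g['target']]}" for g in gaps]

def record_progress(current, ident, new_tier):
    """Step 5: after implementing an action item, revise the Current Profile."""
    if new_tier not in TIERS:
        raise ValueError(f"tier must be 1..4, got {new_tier}")
    current.levels[ident] = new_tier
    return current
# Constructed sample data (not NIST's): outcomes echoing the Falcon scenario, and two profiles.
OUTCOMES = [
    Outcome("GV", "GV-01", "cybersecurity roles and responsibilities defined"),
    Outcome("ID", "ID-01", "hardware and software asset inventory maintained"),
    Outcome("PR", "PR-01", "removable media (USB) use controlled"),
    Outcome("DE", "DE-01", "out-of-hours access anomalies detected"),
    Outcome("RC", "RC-01", "restoration from backups tested"),
]
CURRENT = Profile("Current", {"GV-01": 2, "ID-01": 1, "PR-01": 1, "DE-01": 2, "RC-01": 3})
TARGET = Profile("Target", {"GV-01": 3, "ID-01": 3, "PR-01": 4, "DE-01": 3, "RC-01": 3})
```

Re-running `gap_analysis` after each `record_progress` call shows the gap list shrinking, which is the revise-and-repeat loop of step 5.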

NIST Privacy Framework

Overview of Privacy Framework
  • Published: Early 2020, to help organizations protect individuals' data.

  • Structure: Similar to NIST CSF, sharing risk management concepts.

Core Functions Comparison with CSF
  • Both share similar functions (P=Privacy, C=Cybersecurity):

    • Identify (P/C)

    • Protect (P/C)

    • Govern (P/C)

    • Control (P)

    • Communicate (P)

    • Detect (C)

    • Respond (C)

    • Recover (C)

Privacy Framework Core Functions Examples
  • Identify-P: Assess privacy risks.

  • Govern-P: Governance structure for managing privacy risk.

  • Control-P: Identify best management structures for privacy risks.

  • Communicate-P: Encourage privacy risk discussions.

  • Detect: Discover privacy events.

  • Respond: Strategies for event reactions.

  • Recover: Post-event recovery processes.

Implementation Tiers for Privacy Framework
  • Mirrors NIST CSF with four levels:

    1. Partial (Tier 1)

    2. Risk-Informed (Tier 2)

    3. Repeatable (Tier 3)

    4. Adaptive (Tier 4)

NIST Security and Privacy Controls (SP 800-53)

Overview and Applicability
  • Purpose: Strict standards/controls for federal systems against sophisticated threats.

  • Comparison: Stricter than CSF/Privacy Framework; focuses on detailed controls.

Target Audience for SP 800-53
  • Intended for:

    • System administrators, developers.

    • Security/privacy personnel.

    • Auditors, evaluators.

    • Commercial entities (third-party vendors).

Organizational Responsibilities under SP 800-53
  • Requirements:

    • Establish clear security/privacy criteria.

    • Use trustworthy system components.

    • Integrate/document security practices thoroughly.

    • Maintain continuous system monitoring.

Control Families in SP 800-53
  • 20 Control Families address risk management:

    • AC - Access Control

    • AT - Awareness and Training

    • AU - Audit and Accountability

    • CA - Assessment, Authorization, and Monitoring

    • CM - Configuration Management

    • CP - Contingency Planning

    • IA - Identification and Authentication

    • IR - Incident Response

    • MA - Maintenance

    • MP - Media Protection

    • PE - Physical and Environmental Protection

    • PL - Planning

    • PM - Program Management

    • PS - Personnel Security

    • PT - PII Processing and Transparency

    • RA - Risk Assessment

    • SA - System and Services Acquisition

    • SC - System and Communications Protection

    • SI - System and Information Integrity

    • SR - Supply Chain Risk Management

Control Implementation Approaches
  • Three models:

    • Common Control: Implemented once at the organizational level; inheritable by multiple systems.

    • System-specific Control: Implemented by and for a single information system.

    • Hybrid Control: Partly common, partly system-specific.