Join Malcolm Shore for an in-depth discussion in this video Understanding the NIST cybersecurity framework, part of Foundations of Cybersecurity.
- The national and economic well-being of a country is inextricably linked to its ability to maintain an effective critical infrastructure. Cyberspace has become an important element of that critical infrastructure. The inclusion of cyberspace in national critical infrastructures was formally recognized by all nations at the third Global Conference on Cyberspace, held in Seoul in 2013, with the publication of the Seoul Framework for and Commitment to Open and Secure Cyberspace.
This framework states, "The global and open nature of the Internet is a driving force in accelerating progress towards development. Governments, business, organizations and individual owners and users of cyberspace must assume responsibility for, and take steps to enhance, the security of their information technologies." In 2014, the US National Institute of Standards and Technology issued the Framework for Improving Critical Infrastructure Cybersecurity.
The NIST Framework is fast becoming the de facto standard for the private sector. Let's take a look at it. The NIST Cybersecurity Framework is an action-oriented approach to security, and consists of three elements: the Framework Core, the Framework Profile, and the Framework Implementation Tiers. The Framework Core provides a set of activities to achieve cybersecurity, described in the five areas of identify, protect, detect, respond and recover.
Each of these activities is decomposed into categories, and then further decomposed into subcategories. The Framework Implementation Tiers provide the benchmarks which define four levels of cybersecurity maturity. The basic level of cybersecurity maturity is the Partial implementation tier. This is characterized by enterprise risk management being somewhat ad hoc and reactive, where cybersecurity activities aren't based on risk objectives or business outcomes, and where there's little external collaboration.
At the next level of maturity, risk management practices are formalized, but may not be adopted across the enterprise. There's informal sharing of cybersecurity information internally, but not externally. The third tier of maturity, Repeatable, is where risk management is formalized and mandated as policy, and processes exist to respond to changes in risk. Collaboration and information sharing exist both internally and externally.
The highest maturity level, Adaptive, extends the third level with the awareness and agility to apply continuous changes to cybersecurity activities as a result of changes to assets, threats and vulnerabilities. The Framework Profile is used to align business outcomes and cybersecurity activities, providing a view of risks and a development plan to bridge the two. A framework category is a subdivision of one of the five areas, and is a logical grouping of activities.
There are twenty categories of security activities in total. For example, we can see that the Detect group decomposes into the three categories of Anomalies and Events, Security Continuous Monitoring, and Detection Processes. A category is further decomposed into a set of subcategories, each of which is an activity described as a process, with associated compliance criteria. Subcategories include informative references, which are sections of standards or guidelines that describe how to implement and operate the process.
For example, the Detection Processes category is broken down into five subcategories: roles and responsibilities, compliance with requirements, activities tested, detection information is communicated, and continuous improvement. Each of these subcategories is referenced to the relevant NIST, ISO, and COBIT standards. The NIST Cybersecurity Framework doesn't introduce its own set of controls. It provides a higher-level framework, which can be used to develop a contemporary cybersecurity profile for an organization.
But it relies on existing control frameworks for its implementation: COBIT, ISA (otherwise known as IEC 62443), ISO 27001, and NIST SP 800-53. The Cybersecurity Framework requires two profiles to be maintained. The first is the current state of cybersecurity, as assessed against the subset of enterprise-specific activities that have been selected as being required; that is, what cybersecurity looks like now.
The second is the target state of cybersecurity, such as the acceptable level of risk against each of the enterprise-specific activities. A security plan is the set of prioritized projects required to close the gap between the current and target state framework profiles. The mission priorities are set at the executive level, and management action is directed based on risk at the time. At the business process level, the key focus of activities is risk management within the available budget.
The business may not be able to mitigate all risk in one improvement cycle, due to budget constraints, and new risks may arise. And so, at an operational level, there will be a continuous cycle of improvements and profile updates. For an organization that is starting up its security program, there are some key actions required to take advantage of the Cybersecurity Framework. The first is to identify the key business outcomes. Then understand the threats and vulnerabilities to those outcomes.
Create a profile. Conduct a risk assessment. Decide on the target profile. Determine, analyze and prioritize the gaps to create the action plan. And establish and execute a program to implement the plan.
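The current-versus-target profile gap analysis and the budget-bounded improvement cycle described in the talk, as an added Python example that is not part of the course or of NIST's own material. The subcategory identifiers follow CSF v1.0 numbering for the Detection Processes category the talk walks through, the tier names are the four from the talk, and the current profile, target profile, risk weights, budget and cost per tier step are constructed, hypothetical inputs for illustration only.

```python
"""Gap analysis between a current and a target Cybersecurity Framework profile,
followed by one budget-limited improvement cycle (added example, not course code)."""

# Implementation tiers named in the talk, lowest to highest maturity.
TIERS = {"partial": 1, "risk informed": 2, "repeatable": 3, "adaptive": 4}

# Constructed subset of the framework core: the Detection Processes category.
# Identifiers follow CSF v1.0 numbering; outcome text is a short paraphrase.
CORE = {
    "DE.DP-1": "roles and responsibilities for detection are defined",
    "DE.DP-2": "detection activities comply with applicable requirements",
    "DE.DP-3": "detection processes are tested",
    "DE.DP-4": "event detection information is communicated",
    "DE.DP-5": "detection processes are continuously improved",
}

# Constructed (hypothetical) current and target profiles: subcategory -> tier.
CURRENT_PROFILE = {"DE.DP-1": "risk informed", "DE.DP-2": "partial", "DE.DP-3": "partial",
                   "DE.DP-4": "repeatable", "DE.DP-5": "partial"}
TARGET_PROFILE = {"DE.DP-1": "repeatable", "DE.DP-2": "repeatable", "DE.DP-3": "adaptive",
                  "DE.DP-4": "repeatable", "DE.DP-5": "risk informed"}
# Constructed risk weights (1-5) from a hypothetical risk assessment: how much a
# shortfall in this subcategory exposes the key business outcomes.
RISK_WEIGHT = {"DE.DP-1": 2, "DE.DP-2": 4, "DE.DP-3": 5, "DE.DP-4": 1, "DE.DP-5": 3}


def gap_analysis(current, target):
    """Return {subcategory: tier steps short of target}; items at or above target are omitted."""
    gaps = {}
    for ident, want in target.items():
        have = current.get(ident, "partial")  # never assessed: treat as the lowest tier
        shortfall = TIERS[want] - TIERS[have]
        if shortfall > 0:
            gaps[ident] = shortfall
    return gaps


def prioritize(gaps, weights):
    """Rank gaps by risk-weighted size, largest first; ties broken by identifier."""
    scored = [(ident, gaps[ident] * weights.get(ident, 1)) for ident in gaps]
    return sorted(scored, key=lambda item: (-item[1], item[0]))


def plan_cycle(gaps, weights, budget, cost_per_tier=10):
    """Build one improvement cycle's action plan within the available budget.

    Each tier step is assumed to cost `cost_per_tier` units (hypothetical figure).
    Gaps are funded in priority order; a gap that cannot be fully funded is closed
    as far as the remaining budget allows and the rest is deferred to the next cycle.
    Returns (funded steps, deferred steps, unspent budget).
    """
    funded, deferred = {}, {}
    remaining = budget
    for ident, _score in prioritize(gaps, weights):
        steps = min(gaps[ident], remaining // cost_per_tier)
        if steps:
            funded[ident] = steps
            remaining -= steps * cost_per_tier
        if steps < gaps[ident]:
            deferred[ident] = gaps[ident] - steps
    return funded, deferred, remaining


def apply_plan(current, funded):
    """Return the profile after the funded steps are delivered (next cycle's current state)."""
    rank_to_tier = {rank: name for name, rank in TIERS.items()}
    updated = dict(current)
    for ident, steps in funded.items():
        updated[ident] = rank_to_tier[TIERS[updated.get(ident, "partial")] + steps]
    return updated


if __name__ == "__main__":
    gaps = gap_analysis(CURRENT_PROFILE, TARGET_PROFILE)
    for ident, score in prioritize(gaps, RISK_WEIGHT):
        print(f"{ident} ({CORE[ident]}): {gaps[ident]} tier(s) short, priority score {score}")
    funded, deferred, unspent = plan_cycle(gaps, RISK_WEIGHT, budget=40)
    print("this cycle:", funded, "| deferred:", deferred, "| unspent:", unspent)
    print("profile after this cycle:", apply_plan(CURRENT_PROFILE, funded))
```

Running `gap_analysis` again on the updated profile returns exactly the deferred work, which is the "continuous cycle of improvements and profile updates" the talk describes: the next cycle's current profile is this cycle's output, and any new risks simply change the weights or the target before the next pass.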
By the end of this course, you'll have a greater understanding of the threats that affect private, corporate, and government networks, and the knowledge to prevent attacks and defeat them.
- Dissecting cyber risk
- Working with NIST, COBIT 5, DSS05, and other frameworks
- Exploring cybercrime
- Understanding how malware hides
- Selecting security controls
- Managing user access and identity
- Monitoring your network
- Managing incident response