This is an introduction to the National Institute of Standards and Technology Cybersecurity Framework, also known as the CSF. This program is designed to give you an understanding of the NIST Cybersecurity Framework and how to implement it. Let's begin with the components of the cybersecurity framework. In this course, we'll focus on the core, the tiers, and the profiles. The NIST Cybersecurity Framework is designed to complement existing business and cybersecurity operations. It can be used to understand current cybersecurity operations through the creation of a current state profile; to establish or improve a cybersecurity program, regardless of maturity, by reducing risk; to communicate cybersecurity requirements with stakeholders, including suppliers and partners; to identify opportunities for new or revised standards; to assist in prioritizing improvement activities, in other words, gap assessments; and to enable investment decisions that address those gaps. Remember that the framework provides a common language for understanding, managing, and expressing cybersecurity risk to internal and external stakeholders. It can be used to help identify and prioritize actions for reducing cybersecurity risk, and it's a tool for aligning policy, business, and technology approaches to managing that risk. In other words, it can help an organization understand its security status. To use the framework, an organization does not have to directly match every element of its cybersecurity program with the framework elements. However, if it wants to demonstrate alignment with the framework, it will need to align its program and practices with the objectives of the framework's core functions, tiers, and profiles. The cybersecurity framework guidance document does not directly address privacy and civil liberties issues, but it does include considerations for addressing them during implementation. Why use the cybersecurity framework?
Well, the cybersecurity framework provides a common and accessible language. It's understandable to many different professionals, it's adaptable to many technologies, life cycle phases, sectors, and uses, and it creates collaboration opportunities. It's meant to be customized, in other words, it's adaptable, and it's risk-based. It doesn't prescribe how, or how much, cybersecurity is appropriate; it's meant to complement, not replace, an organization's cybersecurity program and risk management process. The cybersecurity framework will help organizations understand their security status, establish or improve a cybersecurity program, communicate cybersecurity requirements with stakeholders, identify opportunities for new or revised standards, identify tools and technologies, and integrate privacy and civil liberties considerations into their cybersecurity program. Remember, meeting compliance does not make a system secure. Controls are implemented to secure a system and, in doing so, meet the compliance requirements. The cybersecurity framework is composed of three parts. The first is the Framework Core, which presents industry standards, guidelines, and practices in a manner that allows communication of cybersecurity activities and outcomes across the organization, from the executive level to the implementation or operations level. Basically, it guides the organization in the management of security. The second element is the Framework Implementation Tiers. These are the levels of implementation that assist in conducting the assessment and planning of cybersecurity activities. The tiers describe attributes to consider when creating a target profile or completing a current profile. Basically, they enable an informed trade-off analysis of expenditures versus risk. Finally, the Framework Profiles. They represent the outcomes, based on business needs, that an organization has selected from the framework categories and subcategories.
The profiles can be characterized as the alignment of standards, guidelines, and practices to the framework core in a particular implementation scenario. In other words, a profile communicates the cybersecurity requirements. Finally, the cybersecurity framework organizes cybersecurity activities and informative references around particular outcomes, and it enables the communication of cyber risk across an organization. We'll break these down for you over the next few screens. The NIST Cybersecurity Framework organizes its core material into five functions, which are subdivided into a total of 23 categories. For each category, it defines a number of subcategories of cybersecurity outcomes and security controls, with 98 subcategories in all. For each subcategory, it also provides informative references, pointing to specific sections of a variety of other information security standards, including the ISO 27001 series, COBIT, NIST Special Publication 800-53 or 800-171, International Society of Automation (ISA) 62443, and the Center for Internet Security Critical Security Controls. First, we're going to start with the core. The core is a set of desired cybersecurity activities and outcomes organized into categories, which are aligned to informative references. The framework core is designed to be intuitive and to act as a translation layer that enables communication between multidisciplinary teams by using simple, non-technical language. The framework core comprises four elements: functions, categories, subcategories, and informative references. We're going to break these down. Let's start with functions. Functions provide a high-level strategic view of the life cycle of an organization's management of cybersecurity. The five functions are known as I-P-D-R-R: Identify, Protect, Detect, Respond, and Recover. Each function is divided into categories, subcategories, and informative references.
Categories are the cybersecurity outcomes that are closely tied to programmatic needs and particular activities. They are identified first by the function, like ID for Identify, and then by the category, like AM for Asset Management or BE for Business Environment. There are 23 categories split across the five functions. Subcategories are the deepest level of abstraction in the core. There are 97 subcategories, which are the outcome-driven statements that provide considerations for creating or improving cybersecurity programs. The subcategories are shown on this screen. There are five from the Business Environment category, so you see them labeled ID.BE-1 through ID.BE-5. Then, finally, the informative references. These are broad references that are more technical than the framework itself. Remember, the framework is designed to be coupled with the organization's existing security control catalogs, such as NIST 800-53 or NIST 800-171, COBIT, ISO 27000, the CIS controls, etc., in order to obtain more technical guidance. The core was designed to cover the entire breadth while not being overly deep. It covers topics across the realm of cyber, physical, and personnel. When looking at the functional areas, you can ask the following questions. Under Identify: what processes and assets need protection? Under Protect: what safeguards are available? Under Detect: what techniques can identify incidents? Under Respond: what techniques can contain the impact of incidents? Under Recover: what techniques can restore capabilities? The core is intended to be understandable by everyone, to apply to any type of risk management, to define the entire breadth of cybersecurity, and to span both prevention and reaction. The core enables cybersecurity activities and informative references to be organized around particular outcomes.
You can discern from these pictures how communications about cyber risk can be shared across an organization's various levels. The Framework Core is designed to be intuitive. It can be thought of as a translation layer that takes cybersecurity and translates it into other disciplines. It uses simple language to make it accessible to all parties regardless of their field or technical knowledge, while still remaining relevant to those who are technical. The framework implementation tiers provide context on how an organization views cybersecurity risk and the processes in place to manage that risk. The tiers describe the degree to which an organization's cybersecurity risk management practices exhibit the characteristics in the framework, and they characterize an organization's practices over a range from Tier 1 (Partial), through Tier 2 (Risk Informed) and Tier 3 (Repeatable), to Tier 4 (Adaptive). During the tier selection process, an organization considers its risk management practices, the threat environment, legal and regulatory requirements, business or mission objectives, and organizational constraints. The tiers provide context on how the organization views cybersecurity risk and the processes in place to manage that risk, and they are further defined by three attributes: risk management process, integrated risk management program, and external participation. Under risk management process, we consider the level to which the organization's cyber risk management practices are formalized and institutionalized. This attribute also considers the extent to which prioritization of cybersecurity activities is informed by organizational risk objectives, the threat environment, and stakeholder requirements. With integrated risk management program, we review cybersecurity risk awareness at the organizational level.
Levels increase as risk-informed, management-approved processes and procedures are defined and implemented, and as those are adapted based on information sharing and lessons learned from previous activities. External participation considers the level to which the organization actively shares information with external partners to improve security before security events occur, and to inform those partners about indicators, observations, or events. Take Tier 1, Partial, for example. An assignment within the Partial tier recognizes that prioritization of cybersecurity activities may not be directly informed by organizational risk objectives, the threat environment, or business requirements. For the risk management process in this tier, organizational cybersecurity risk management practices are not formalized, and risk is managed in an ad hoc and sometimes reactive manner. Under integrated risk management program in this tier, there is limited awareness of cybersecurity risk at the organizational level. For external participation, the organization does not understand its role in the larger ecosystem with respect to either its dependencies or its dependents. Under Tier 2, Risk Informed, an assignment within the Risk Informed tier acknowledges that risk management processes may be approved by management but may not be established as organization-wide policy. For the risk management process under this tier, risk management practices are approved by management but may not be established as organization-wide policy. Under integrated risk management program in this tier, there is an awareness of cybersecurity risk at the organizational level, but an organization-wide approach to managing cybersecurity risk has not been established.
Finally, in this tier, under external participation, the organization generally understands its role in the larger ecosystem with respect to either its own dependencies or its dependents, but not both. In Tier 3, Repeatable, an assignment within the Repeatable tier means that the organization's cybersecurity practices are regularly updated based on the application of risk management processes. In this tier, under risk management process, the organization's risk management practices are formally approved and expressed as policy. With integrated risk management program in this tier, there is an organization-wide approach to managing cybersecurity risk. Risk-informed policies, processes, and procedures are defined, implemented as intended, and reviewed. Finally, under external participation in this tier, the organization understands its role, dependencies, and dependents in the larger ecosystem, and may contribute to the community's broader understanding of risks. It regularly collaborates with and receives information from other entities that complements internally generated information, and it also shares information with other entities. Finally, Tier 4, which is the Adaptive tier. An assignment within this tier means that the organization adapts its cybersecurity practices based on lessons learned and predictive indicators. For the risk management process under the Adaptive tier, the organization adapts its cybersecurity practices based on previous and current cybersecurity activities, including lessons learned and predictive indicators. The integrated risk management program in this tier provides an organization-wide approach to managing cybersecurity risk that uses risk-informed policies, processes, and procedures to address potential cybersecurity events. The relationship between cybersecurity risk and organizational objectives is clearly understood and considered when making decisions.
Finally, under external participation in this tier, the organization understands its role, dependencies, and dependents in the larger ecosystem, and contributes to the community's broader understanding of risks. It receives, generates, and reviews prioritized information that informs continuous analysis of its risks as the threat and technology landscape evolves. Each tier demonstrates an increasing degree of rigor and sophistication in cybersecurity risk management and integration with overall organizational needs. For example, how well integrated are cybersecurity risk decisions into the broader organizational risk decisions, and to what degree does the organization share and receive cybersecurity information with external parties? Each organization decides which tier matches its risk management needs and capabilities. Progression to higher tiers is encouraged when a change cost-effectively reduces cybersecurity risk. Tiers are associated with the overall robustness of the organization's risk management process, and are not tied to functions, categories, or subcategories. Profiles are an organization's unique alignment of its organizational requirements and objectives, risk appetite, and resources against the desired outcomes of the Framework Core. A framework profile represents the outcomes, based on business needs, that the organization has selected from the framework categories and subcategories. The profiles can be characterized as the alignment of standards, guidelines, and practices to the Framework Core in a particular implementation scenario. They are about optimizing the cybersecurity framework to best serve the organization. In other words, a profile aligns industry standards and best practices to the Framework Core, supports prioritization and measurement while factoring in business needs, and helps the organization progress from its current level of cybersecurity to a more sophisticated and improved target state.
The framework is voluntary, so there is no right or wrong way to do it. One way of approaching profiles is for an organization to map its cybersecurity requirements, mission objectives, and operating methodologies, along with current practices, against the subcategories of the Framework Core to create a current state profile. These requirements and objectives can then be compared against the current operating state of the organization to gain an understanding of the gaps between the two. The profile goals are to identify opportunities for improving cybersecurity posture, to support prioritization and measurement of progress, to conduct self-assessments, and to better communicate within the organization. The profile types, depending on the state, are current, which describes the as-is state, and target, which describes the to-be state. Comparing the two can identify opportunities for improving the cybersecurity posture, in other words, the gaps in the cybersecurity program. The levels that we have are enterprise-wide, which creates a profile based on the entire organization, where all subunits have the same or overlapping missions and drivers; and subsections of an organization, which creates a profile for each subsection, in other words, each unit needs its own profile because each subunit has different missions and drivers. Finally, the selection is going to depend on the scope, which is determined by the organization. Profiles are a decision support tool for cybersecurity risk management and represent a fusion of business and company objectives with cybersecurity outcomes. Think about a profile as a customization of the core for a given sector, subsector, or organization.
It could be a fusion of business or mission logic and cybersecurity outcomes, an alignment of cybersecurity requirements with operating methodologies, or the basis for assessments and for expressing target states, along with decision support tools for cybersecurity risk management. Building a profile has three steps. One, the mission objectives; two, the cybersecurity requirements, which deal with legislation, regulations, internal and external policy, and best practices; and three, the operating methodologies, which are the guidance and methodologies for implementing, managing, and monitoring. The organization identifies its business or mission objectives and high-level organizational priorities. With this information, the organization makes strategic decisions regarding cybersecurity implementation, determines the scope of the systems and assets that support the selected mission objectives, and identifies related systems and assets, regulatory requirements, and its overall risk approach. The organization then consults sources to identify threats and vulnerabilities applicable to those systems and assets. In other words, it conducts a risk assessment, creates a target profile, and then analyzes the gaps. The organization determines which actions to take to address any identified gaps and adjusts its cybersecurity practices in order to achieve the target profile, which is then monitored on a continuous basis to maintain the target cybersecurity state. When establishing a profile, first we need to define the business objectives. For example: physical devices and systems within the organization are inventoried. Maybe there is no centralized inventory of the organization's physical assets, but there may be an ongoing effort to inventory the assets. If we follow the NIST 800-171 framework, we would need to comply with controls 3.4.1 or 3.4.2.
3.4.1: Establish and maintain baseline configurations and inventories of organizational systems, including hardware, software, firmware, and documentation, throughout the respective system development life cycles. 3.4.2: Establish and enforce security configuration settings for information technology products employed in organizational systems. Remember, a profile aligns Framework Core elements with business requirements, risk tolerance, and organizational resources. Profiles can be used to identify opportunities for improving cybersecurity posture by comparing the current profile to a target profile. Profiles provide the roadmap to reduce cybersecurity risk consistent with business practices. Next, resources and budget decision-making. The creation of these profiles and the gap analysis allows organizations to create a prioritized implementation plan. The priority, the size of the gap, and the estimated cost of the corrective action help organizations plan and budget for cybersecurity improvement activities. The voluntary and flexible nature of this framework makes it extremely cost-effective, and it can be used by organizations to prioritize cybersecurity activities regardless of budget. This is tied into the organization's capital planning and investment control, or CPIC, process. Capital planning and investment control is a systematic approach to selecting, managing, and evaluating information technology investments. CPIC is mandated by the Clinger-Cohen Act of 1996, which requires federal agencies to focus on the results produced by IT investment. This is part of the management process, which includes budgeting for resources (personnel, equipment, information security activities, those kinds of things) and prioritizing cybersecurity operations across the organization. Remember that the target profile indicates the outcomes needed to achieve the desired cybersecurity risk management goals.
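As an added example, which is not part of this course or of NIST's own material, here is one way to put the structure described on the core and profile screens into working code: subcategory identifiers in the FUNCTION.CATEGORY-N notation (ID.BE-1 and so on) are parsed and validated, a current profile and a target profile each score every subcategory, and a gap analysis ranks the open gaps by priority, size of gap, and estimated cost of the corrective action, assigning each a heat-map bucket for the roadmap. The 0 to 4 implementation-level scale, the scoring formula, and the heat-map thresholds are assumptions made for this example and are not defined by the framework; the profile values, priorities, and costs are constructed sample data.

```python
"""Toy NIST CSF profile gap analysis (added example, not NIST's own tooling).

Subcategory IDs follow the CSF notation FUNCTION.CATEGORY-N (e.g. ID.BE-1).
The level scale, scoring formula and heat buckets are assumptions of this
example; the profile numbers below are constructed sample data.
"""
import re
from dataclasses import dataclass

FUNCTIONS = {"ID": "Identify", "PR": "Protect", "DE": "Detect",
             "RS": "Respond", "RC": "Recover"}

_SUBCAT_RE = re.compile(r"^(ID|PR|DE|RS|RC)\.([A-Z]{2})-(\d+)$")


def parse_subcategory(subcat_id: str) -> tuple:
    """Split 'ID.BE-1' into ('Identify', 'BE', 1); reject malformed IDs."""
    m = _SUBCAT_RE.match(subcat_id)
    if not m:
        raise ValueError(f"not a CSF subcategory id: {subcat_id!r}")
    func, cat, num = m.groups()
    return FUNCTIONS[func], cat, int(num)


@dataclass(frozen=True)
class GapItem:
    subcategory: str
    function: str
    current: int   # implementation level, 0 (not implemented) .. 4 (fully implemented)
    target: int
    priority: int  # business priority, 1 (low) .. 3 (high)
    cost: int      # estimated cost of the corrective action, constructed units

    @property
    def gap(self) -> int:
        return self.target - self.current

    @property
    def score(self) -> float:
        """Bigger gap and higher priority rank first; higher cost ranks lower."""
        return self.priority * self.gap / self.cost

    @property
    def heat(self) -> str:
        """Heat-map bucket used to colour the roadmap (assumed thresholds)."""
        if self.gap <= 0:
            return "none"
        if self.gap >= 2 and self.priority == 3:
            return "high"
        if self.gap >= 2 or self.priority == 3:
            return "medium"
        return "low"


def gap_analysis(current: dict, target: dict, priority: dict, cost: dict) -> list:
    """Compare current and target profiles; return open gaps sorted by score.

    All four dicts are keyed by subcategory id. A subcategory missing from the
    current profile is treated as level 0 (not implemented). Subcategories
    already at or above target produce no roadmap item.
    """
    items = []
    for sub_id, tgt in target.items():
        function, _category, _number = parse_subcategory(sub_id)  # validates the id
        cur = current.get(sub_id, 0)
        item = GapItem(sub_id, function, cur, tgt, priority[sub_id], cost[sub_id])
        if item.gap > 0:
            items.append(item)
    return sorted(items, key=lambda i: i.score, reverse=True)


# --- constructed sample profiles (not a real organization's data) -----------
CURRENT_PROFILE = {"ID.AM-1": 1, "ID.BE-1": 2, "PR.AC-1": 3, "DE.CM-1": 1, "RS.RP-1": 0, "RC.RP-1": 2}
TARGET_PROFILE = {"ID.AM-1": 4, "ID.BE-1": 3, "PR.AC-1": 3, "DE.CM-1": 3, "RS.RP-1": 3, "RC.RP-1": 2}
PRIORITY = {"ID.AM-1": 3, "ID.BE-1": 2, "PR.AC-1": 3, "DE.CM-1": 3, "RS.RP-1": 2, "RC.RP-1": 1}
COST = {"ID.AM-1": 3, "ID.BE-1": 1, "PR.AC-1": 2, "DE.CM-1": 4, "RS.RP-1": 5, "RC.RP-1": 1}


def roadmap() -> list:
    """Prioritized roadmap for the constructed sample profiles."""
    return gap_analysis(CURRENT_PROFILE, TARGET_PROFILE, PRIORITY, COST)


if __name__ == "__main__":
    for item in roadmap():
        print(f"{item.subcategory:8} {item.function:9} gap={item.gap} "
              f"prio={item.priority} cost={item.cost} "
              f"score={item.score:.2f} heat={item.heat}")
```

With the sample data, PR.AC-1 and RC.RP-1 are already at target and drop out of the roadmap; ID.AM-1 (the asset inventory outcome used as the example objective above) ranks first because it combines the largest gap with the highest priority, while DE.CM-1 ranks below the cheaper ID.BE-1 despite its larger gap because its corrective action costs more. Swapping in an organization's own priorities and cost estimates is what turns this from a toy into the budgeting input the course describes.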
We facilitate this by conducting a risk assessment, creating a target profile, and then analyzing for gaps. The comparison of profiles, for example the current profile and the target profile, helps reveal gaps that need to be addressed to meet organizational cybersecurity risk management objectives. We use the tiers to describe attributes that should be considered when creating a target profile or completing a current profile. The seven-step process is discussed later in this course: first, we prioritize and scope; second, we orient; third, we create a current profile; fourth, we conduct a risk assessment; fifth, we create a target profile; sixth, we determine, analyze, and prioritize the gaps; and finally, we implement an action plan. The creation of profiles and the gap analysis allows organizations to create a prioritized roadmap, as we've stated before. The priority, the size of the gap, and the estimated cost of corrective actions help organizations plan and budget for cybersecurity activities. The resulting heat map is created to prioritize the resolution of key issues and to inform budgeting for improvement activities. Large variances or gaps should be addressed based on the organization's risk tolerance. In summary, in this course we have discussed the cybersecurity framework components: the core, the tiers, and the profiles. We introduced the five cybersecurity functions: Identify, Protect, Detect, Respond, and Recover. We discussed the three areas of each function: categories, subcategories, and informative references. We also discussed the translation layer and the implementation tiers, along with the risk management process, integrated risk management program, and external participation as attributes of those tiers. Finally, we discussed the profile goals, types, and levels, as well as the resources and budget decision-making process.