By COO & CFO Dwight Koop - Data breaches and cybersecurity costs have brought attention to the dire need for comprehensive, preventative IT security guidelines. Dwight Koop walks through the recent NIST Cybersecurity Framework updates and how it can help businesses in all industry sectors.
The Chicago School of Cybersecurity: A Pragmatic Look at the NIST Cybersecurity Framework
Dwight Koop, COO of Cohesive Networks
July 2015
Copyright Cohesive Networks
White Paper
A Pragmatic Look at Cybersecurity Risk and Regulation for All Organizations
Executive Summary
In the last two years, there have been increasingly public data breaches and cybersecurity costs. But the recent news has also brought positive attention to the developments in the National Institute of Standards and Technology (NIST) Cybersecurity Framework.
The NIST Framework is an important advancement in improving cybersecurity for all organizations. The Framework is a unifying single document that combines the best practices of preceding standards. The document itself consists of three main sections: Profile, Implementation Tiers, and Core. It is designed as a reference guide for organizations to conduct iterative cybersecurity evaluations and prioritize the areas that matter most according to their risk profile.
The Framework is intended to be a living document to guide how critical infrastructure organizations manage current cybersecurity risks. Mandates from the White House and Congress ensure the NIST Framework authors adopt a risk management approach to cybersecurity and consider private sector implications. Organizations of all sizes and industries can use the Framework to assess current cybersecurity capabilities, then use it to set goals to improve and maintain security. Because it is an ongoing work of collective industry knowledge, the Framework has huge potential value for any organization looking to improve cybersecurity.
There is a definite shift in industries as companies seek actionable cybersecurity plans that can help prevent costly data breaches rather than simply documenting compliance checklists. As part of Cohesive’s work with customers looking for guidance and practical advice, we developed this guide to put the NIST Framework to work for any organization’s cybersecurity needs.
Figure: The NIST Cybersecurity Framework Core section, which groups actions an organization can take to achieve business outcomes, as well as a categorization of other standards and guidelines to reference.
Contents
Executive Summary
Cybersecurity Needs a Hero
Cybersecurity is the Solution, Not a Problem
Chicago School of Thought
Before the NIST Framework - the Fog of More
Protecting Data or Protecting the Process?
The NIST Timeline - Not Just Another Standard
Shift from Audit-Heavy Compliance to Risk-Based Security
An In-Depth Look at the Framework
How the NIST Cybersecurity Framework works
The Assessment Mechanism: NIST Framework Components
7 Steps to Implement the NIST Cybersecurity Framework
Putting the Framework Parts Together
Applying the Cybersecurity Framework
Step 1: Prioritize and define the scope of your framework
Step 2: Orient stakeholders around existing assets and practices
Step 3: Build your current profile
Step 4: Assign risk assessment tasks to IT teams
Step 5: Collect target profile highlights
Step 6: Determine, analyze, and prioritize gaps
Step 7: Implement action plan
Case Study: LocusView Standardizes Security Reporting
Put the NIST Framework to work
Bibliography
Cybersecurity Needs a Hero
Cybersecurity is the Solution, Not a Problem
The National Association of Corporate Directors (NACD) reports a majority of board members are unhappy with how management teams report corporate cybersecurity risks [1]. Undoubtedly, a driving force for the board-level pressure is the frequency and intensity of negative cybersecurity news. The recent U.S. Cost of Data Breach Study from the Ponemon Institute reports that the average total cost of a data breach rose to $3.8 million in 2015 [2].
Additionally, the cost of each individual lost or stolen record also increased from $145 in 2014 to $154 in 2015, as reported in the Ponemon Cost of Data Breach Study [2]. Organizations are spending more on legal defense to fight both data breaches and the data liabilities following customer or employee data loss, notes the Ponemon Institute. Corporate boards and IT teams are finally taking notice of the horrible impacts of a weak cybersecurity strategy.
The past two years also saw positive cybersecurity news for organizations looking for cures for the common data breach: the National Institute of Standards and Technology (NIST) Cybersecurity Framework [3]. The world is looking to the 2013 U.S. government mandate to see how organizations evaluate and adopt security standards to outmatch modern cybercrime.
Cybersecurity compliance is a shifting target, and organizations of all sizes struggle to stay one step ahead. The new NIST Cybersecurity Framework is a glimmer of hope in an otherwise overwhelming sea of policies, audit checklists, and narrow compliance standards. The NIST Framework offers a useful, unified reference to cybersecurity best practices, and after a thorough study, Cohesive Networks has outlined actionable advice to unravel the NIST Framework and use it to improve cybersecurity in any organization.
Chicago School of Thought
The NIST Cybersecurity Framework combines the best of existing rules, assessments, regulations, and guidelines into a unifying cybersecurity reference guide. While it was created for critical infrastructure (banking, transportation, oil and gas, defense, public health, and so on), the standard is applicable to most organizations. The NIST Framework is easy to apply once organizations begin to unravel the core components. The Framework is a single process for enterprises to begin and update, using a risk-management approach to defense in depth.
In the last two years, we have seen a shift in companies’ needs. Whereas before they looked to implement documentation in order to pass compliance audits, now IT teams seek actionable cybersecurity plans that can prevent costly data breaches. As our customers search for guidance with security and ask for practical advice, we developed this white paper so any organization can use the NIST Framework for its cybersecurity needs.
As a Chicago-based company, we take pride in drawing analogies to the Chicago School of architecture. In Chicago School architecture there are no rigid design rules, but a general application of design style. Chicago School architects were some of the first to use new technologies like steel-frame construction, use less exterior ornamentation, and design the “Chicago window” to let in more light and ventilation [4].
In keeping with the Chicago School of thought, our overview of the NIST Framework embraces new technologies without the frills, with the purpose of shedding light on how the Framework can help all organizations. We encourage IT teams to use these steps, becoming the heroes organizations need to fight growing cybersecurity threats and costs.
Figure: The Rookery Building, designed by Chicago School architects John Wellborn Root and Daniel Burnham (Burnham and Root), mixes traditional architecture styles with newer construction techniques. The building is considered the oldest standing high-rise in Chicago, and the lobby was remodeled in 1905 by Frank Lloyd Wright.
Before the NIST Framework - the Fog of More
Protecting Data or Protecting the Process?
The compliance standards that came before the NIST Framework should read like a
familiar alphabet soup for those working in security for regulated industries: CERT, COBIT,
CSA, CSET, ISO, NIST 800, PCI, and so on. One of the most memorable comments from
the documentation is the description of pre-NIST standards as “the fog of more.”
The standards preceding the NIST Cybersecurity Framework offer competing priorities,
opinions, and processes. Certification boards have “pay-to-play” certifications, proprietary
software tools, approved vendor benchmarks, and all the trappings of stodgy cybersecurity
officiousness.
Thousands of documented standards cover security and technology topics ranging from
accounting to family privacy rights, and from personal health records to data storage
requirements. Reading through the Health Insurance Portability and Accountability Act
(HIPAA), one could easily replace any mention of “electronic health record” with “credit
card information” and mistake the documentation for the Payment Card Industry Data
Security Standard (PCI DSS).
All these standards and protections essentially attempt to do the same things: protect sensitive data and ensure compliant organizations are not liable in the case of a data breach. Yet the $162 million data breach shows that PCI compliance was not enough for Target in late 2013 [5,6].
The NIST Timeline - Not Just Another Standard
In 2013, Presidential Executive Order (EO) 13636 began the process of creating the NIST Cybersecurity Framework [7]. President Obama’s signed order called for improved cybersecurity for critical infrastructure in the U.S. In this case, critical infrastructure includes systems and assets that impact national security, the economy, public health, or safety.
The Executive Order directs the Department of Homeland Security (DHS) to “increase the volume, timeliness, and quality” of cybersecurity threat reporting for critical infrastructure [7].
Two main mandates of the Order are for the DHS and NIST to actively involve private sector subject-matter experts and enterprises in the Framework development. The Order tasks the DHS with improving communication and participation in Framework adoption, while NIST must develop and refine the Framework.
In late 2014, the Cybersecurity Enhancement Act of 2014 (Public Law 113-274) became law [8]. The Act directs NIST to continue awareness and education programs, while other U.S. government agencies must submit ongoing strategic plans to report cybersecurity tracking.
Perhaps fittingly, politics dictate that the standards remain voluntary but offer yet-to-be-determined incentives. So far, the DHS has created the Critical Infrastructure Cyber Community C³ to encourage adoption [9].
Shift from Audit-Heavy Compliance to Risk-Based Security
Security standards that precede the NIST Framework focus more on audits, compliance objectives, policies and procedures, and transactions. The traditional approaches were tedious and costly, and worse, massive data breaches including Target, Sony, and Anthem occurred despite PCI DSS and HIPAA compliance [10].
The NIST Framework ratifies a shift from traditional audit-based standards toward more risk-based prevention. Risk-based cybersecurity approaches focus on the business and customer needs to both operate and ensure data is secure in any environment. Further, there is a key difference in the NIST Framework approach: risk management departments incorporate diverse knowledge and experiences rather than compliance tracking.
The NIST Framework acknowledges the shift toward risk-based security, and the fact that
government bodies brought in private sector experts is a huge advance for all organizations
looking for cybersecurity leadership. Additionally, because of the Congressional mandates,
risk-based security is more likely to be adopted by hundreds of U.S. governmental agencies
and regulatory authorities over existing standards and rules.
An In-Depth Look at the Framework
How the NIST Cybersecurity Framework works
The National Institute of Standards and Technology (NIST) drafted the Framework after ten months of collaboration with other standards organizations, the DHS, and private sector subject matter experts [12]. The Cybersecurity Framework does not introduce any new requirements, but is a collection of highlights from other standards.
The Framework covers a wide range of industries and potential risks, but it is designed for massive critical infrastructure firms like nuclear facilities, national banks, and defense manufacturers. The Framework is also intended to be an evolving, living document that will incorporate cybersecurity threats, processes, new technologies and industry feedback. Because it is a collection of iterative knowledge, the Framework has huge potential value for any organization looking to establish cybersecurity standards.
The 16 sectors of U.S. Critical Infrastructure:
• Chemicals
• Commercial Facilities
• Communications
• Critical Manufacturing
• Dams
• Defense Industrial Base
• Emergency Services
• Energy
• Financial Services
• Food & Agriculture
• Government Facilities
• Healthcare & Public Health
• Information Technology
• Nuclear Reactors, Materials & Waste
• Transportation Systems
• Water & Wastewater Systems
The Assessment Mechanism: NIST Framework Components
The goal of the Framework is to be an adaptive, risk-based guide for organizations; it will help assess and improve cybersecurity practices. Organizations should use the Framework to assess current cybersecurity capabilities, and set goals and target profiles to improve and maintain security practices. To more easily map target areas for risk management, the Framework consists of three main sections: Profile, Implementation Tiers, and Core.
The NIST Framework’s Profile section is the measure of how an organization’s existing security practices compare to recommended practices categorized in the Framework Core. The Profile section focuses on business outcomes for potential cybersecurity scenarios. Comparing a “current” profile to a “target” profile can help organizations select Core functions to prioritize.
Likewise, the Implementation Tiers give context to how organizations deal with a cybersecurity risk. Tiers are a range of an organization’s progress in each risk management practice, from Tier 1’s “partial” up to Tier 4’s “adaptive.” Tiers do not reflect cybersecurity maturity levels. Organizations can assess current security practices and use the tier system to prioritize improvements.
In the Framework Core, NIST categorizes activities, outcomes, and references into five functions: identify, protect, detect, respond, and recover. The Core is neatly organized into a spreadsheet. Framework implementation teams can focus on the high-level functions, or delve deeper into subcategories to target outcomes. Within each function, category, and subcategory, NIST lists the references to sections of other security standards.
In the Framework close-up below, the first row shows the Function, Category, and Subcategory assigned by NIST. The columns to the right list the referenced sections from CCS CSC, COBIT 5, ISA and so on.
7 Steps to Implement the NIST Cybersecurity Framework
Putting the Framework Parts Together
The NIST Framework is an important advancement for cybersecurity; it is not a checklist but rather a reference designed for organizations to select the components that matter for their use case. The Framework is a blueprint to assess, document, and lead teams through cybersecurity evaluations over and over again. NIST expects organizations to use the Framework to circulate cybersecurity information between the executive level, business or project teams, and operations teams, as well as a way to refine the process at each step.
Organizations should begin by comparing existing cybersecurity practices to the NIST Framework. By overlaying the NIST Framework, teams should be able to quickly identify any gaps in identifying, assessing, or managing risks in their systems. Then, teams can use the Framework as a roadmap to improve and prioritize risk management practices. NIST assumes the process will repeat at regular intervals, and both the Framework and an organization’s evaluations should evolve to meet new cybersecurity threats.
The “Conformity Assessment,” or the process of comparing the Framework to organizational cybersecurity practices, is the measure of how useful the Framework can be for an organization. Once implemented, the process of re-assessing cybersecurity risk should become more streamlined. Organizations can continue to improve their own conformity assessments through internal feedback loops, data analytics, and outside assessments.
Applying the Cybersecurity Framework
Organizations can begin to implement the NIST Framework by working through the
following seven steps:
Step 1: Prioritize and define the scope of your framework
The first step is both the easiest and most daunting: read through the NIST Framework documentation. Use Profile, Implementation Tiers, and Core to determine how each function might fit with your most pressing cybersecurity needs. For example, if a company must protect financial data, it has a much higher risk profile and should focus on the “protect” and “detect” functions.
Step 2: Orient stakeholders around existing assets and practices
Get executive buy-in and gather information. IT teams should already know key information about physical and virtual assets, people, networks, and supply and distribution chains. Coordinate cybersecurity practices with the responsible players within the organization. For cybersecurity challenges that go deeper, orient firm-wide key stakeholders with the risks, the Framework, and the ongoing process to avoid getting caught in that “fog of more.”
Step 3: Build your current profile
Every organization should have some security defenses, standards, and procedures in place. Comparing the NIST Framework’s Profile, Implementation Tiers and Core categories against existing practices creates a realistic baseline of the current cybersecurity profile. And comparing the Framework to existing assessments may be the first comprehensive assessment.
Step 4: Assign risk assessment tasks to IT teams
To start from scratch, download one of the various self-assessment tools such as the ICS-CERT assessments [13]. We highly recommend delegating the self-assessment tools to application owners across the IT organization. Not only will this ease the workload, but the NIST implementation team can use it as a key tactic for raising awareness in the organization. Moreover, distributing risk assessment tasks among IT teams is part of a shift from audit compliance thinking toward actionable risk management.
Step 5: Collect target profile highlights
Delegating risk assessment tasks and orienting the organization will take longer than hiring auditors. But the shared cybersecurity accountabilities and responsibilities give application owners much more ownership in the outcomes. As a result, the implementation team will receive many target profiles, budgets, and head-count requests from each team, but the documentation is more thorough.
Step 6: Determine, analyze, and prioritize gaps
Compare the target profile to the initial current profile from Step 3. Rationalize the findings
and use the organization's existing processes to map top priorities in each business unit.
Naturally, business priorities and budgets guide what systems and applications are most
important.
Step 7: Implement action plan
Executive management should guide how the organization addresses the security holes, sets
priorities, and establishes the budget. Plus, key stakeholders across the organization should
take responsibility for both reducing risks and preventing future risks. No organization can
address every cybersecurity need immediately, so the organization must communicate the
ongoing and iterative nature of the NIST Framework.
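Steps 3 through 6 amount to scoring every Core subcategory in a current profile and a target profile and then ranking the gaps. The script below is an added example written for this guide, not code from the white paper or from Cohesive Networks: it reads per-subcategory tier scores from a constructed CSV (the subcategory IDs follow the Framework Core's two-letter function prefixes; the owners and tier values are made up), rejects inconsistent scoring, and ranks the open gaps with the business-priority functions from Step 1 first.

```python
"""Profile gap analysis across the NIST Framework Core (added example).

Each row scores one Core subcategory on the Implementation Tier scale
(1 = Partial ... 4 = Adaptive) for the current profile (Step 3) and the
target profile (Step 5); prioritize_gaps() then does the Step 6 ranking.
"""
import csv
import io
from dataclasses import dataclass

# Implementation Tier names from Framework 1.0; a range, not maturity levels.
TIER_NAMES = {1: "Partial", 2: "Risk Informed", 3: "Repeatable", 4: "Adaptive"}
# The five Core functions, keyed by the two-letter prefix of a subcategory ID.
FUNCTION_OF_PREFIX = {"ID": "Identify", "PR": "Protect", "DE": "Detect",
                      "RS": "Respond", "RC": "Recover"}


@dataclass(frozen=True)
class Assessment:
    subcategory: str  # Core subcategory ID, e.g. "PR.AC-1"
    owner: str        # application owner who answered it (Step 4 delegation)
    current: int      # tier from the current profile (Step 3)
    target: int       # tier from the target profile (Step 5)

    @property
    def function(self) -> str:
        return FUNCTION_OF_PREFIX[self.subcategory.split(".", 1)[0]]

    @property
    def gap(self) -> int:
        return self.target - self.current


def parse_profiles(csv_text: str) -> list[Assessment]:
    """Read 'subcategory,owner,current,target' rows and reject inconsistent input."""
    rows = []
    for line_no, row in enumerate(csv.DictReader(io.StringIO(csv_text)), start=2):
        sub = row["subcategory"].strip()
        if sub.split(".", 1)[0] not in FUNCTION_OF_PREFIX:
            raise ValueError(f"line {line_no}: unknown function prefix in {sub!r}")
        try:
            current, target = int(row["current"]), int(row["target"])
        except ValueError:
            raise ValueError(f"line {line_no}: tiers must be integers") from None
        for tier in (current, target):
            if tier not in TIER_NAMES:
                raise ValueError(f"line {line_no}: tier {tier} is outside 1..4")
        if target < current:
            # A target below the current state is a data-entry error, not a gap.
            raise ValueError(f"line {line_no}: target tier below current tier for {sub}")
        rows.append(Assessment(sub, row["owner"].strip(), current, target))
    return rows


def prioritize_gaps(assessments, priority_functions=()):
    """Open gaps, largest first; ties go to the business-priority functions (Step 1)."""
    rank = {f: i for i, f in enumerate(priority_functions)}
    open_gaps = [a for a in assessments if a.gap > 0]
    return sorted(open_gaps,
                  key=lambda a: (-a.gap, rank.get(a.function, len(rank)), a.subcategory))


def summarize_by_function(assessments):
    """Per Core function: subcategories scored, open gaps, and tier steps left to close."""
    summary = {}
    for a in assessments:
        s = summary.setdefault(a.function,
                               {"subcategories": 0, "open_gaps": 0, "tier_steps": 0})
        s["subcategories"] += 1
        if a.gap > 0:
            s["open_gaps"] += 1
            s["tier_steps"] += a.gap
    return summary


def describe(a: Assessment) -> str:
    """One report line for the action plan (Step 7)."""
    return (f"{a.subcategory} ({a.function}, {a.owner}): "
            f"Tier {a.current} {TIER_NAMES[a.current]} -> "
            f"Tier {a.target} {TIER_NAMES[a.target]}, gap {a.gap}")


# Constructed sample data: owners and tier values are invented for this example.
SAMPLE_PROFILES = """\
subcategory,owner,current,target
ID.AM-1,Platform team,2,3
PR.AC-1,Identity team,1,4
PR.DS-1,Payments app,2,4
DE.CM-1,Network ops,1,3
RS.RP-1,Security ops,3,3
RC.RP-1,Platform team,2,2
"""

if __name__ == "__main__":
    rows = parse_profiles(SAMPLE_PROFILES)
    # A company protecting financial data prioritizes "protect" and "detect" (Step 1).
    for a in prioritize_gaps(rows, priority_functions=("Protect", "Detect")):
        print(describe(a))
    for function, stats in summarize_by_function(rows).items():
        print(f"{function}: {stats}")
```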
The seven steps are similar to many of the other standards’ implementation guides. We believe the NIST Framework will become the international cybersecurity standard for both the private sector and U.S. government agencies because of the nature of the Framework. NIST and the DHS have created an empowering single document to highlight the best of preceding standards, rather than attempt to replace them with a checklist. The legislative mandates for input, updates, and participation will encourage more organizations to adopt the Framework. Most of all, the NIST Framework embodies the industry shift from audit-based compliance toward risk-based prevention. The NIST Framework is the biggest step toward reducing the risks of attack from hackers, insider threats, and egregious scrutiny.
Case Study: LocusView Standardizes Security Reporting
LocusView Solutions, a Chicago-based subsidiary of the Gas Technology Institute (GTI), recently sought our expertise in the NIST Cybersecurity Framework and compliance. LocusView was facing an increasing stream of requests for documentation, certifications, and penetration test results from their customers in the natural gas and energy sectors. The IT team wanted to answer each request for security information with a consistent package of responses.
Cohesive's primary role was to provide VNS3 firewall virtual machines to manage and secure LocusView’s network. By leveraging Cohesive's experience with cross-mapping frameworks, LocusView was able to use the NIST Framework as a unifying process. Their internal teams used NIST as a guide to update their risk-management approach to defense in depth and as a roadmap for repeatable reports to customers.
Step one
The first step in the process was to identify a short list of security standards with specific
recommendations for reaching an adaptive implementation level (or maturity level). For
LocusView, we needed to find the most useful tools for identifying the desired
cybersecurity profile.
In order to find any gaps in the company's current profile, we recommended using the
following guidelines:
• The Department of Energy Cybersecurity Capability Maturity Model (C2M2)
• The Department of Homeland Security US-Computer Emergency Readiness Team, Cyber Resilience Review (US CERT-CRR)
• The Payment Card Industry Security Standards Council Self-Assessment Questionnaire and Attestation of Compliance
These three guidelines provide cybersecurity questionnaires and self-evaluation tools that streamline the first three steps of the NIST implementation process. Taken together, these three are an exhaustive compilation of the requirements that are identified across the much larger universe of cybersecurity frameworks and standards for each of the NIST function subcategories.
In preparation for the second step, we reorganized each of the specific questions in the
DOE C2M2 Self-Assessment, CERT Self-Service CRR, and PCI Self-Assessment into the
Functional Categories and Subcategories found in the NIST Framework.
Step two
We worked with each of LocusView’s application owners (including representation from both the IT organization and business units) to address each set of questions. By staying focused on answering each specific and prescriptive question, the process moved quickly with considerably less discussion. For each question, the current and target responses were tabulated into 5 categories:
Cyber Security Program Requirements
1. Policy, Procedures, & Organizational Documents
2. Registries (Database Tables of Current and Historical Cyber Security Records)
3. Logs (Database Tables of Cybersecurity Events, Changes, etc.)
4. Incident Case History Reports and Analytics
5. Gap Analysis, Budget, and Improvement Plan Documents
Any gaps?
By consolidating current and target profiles into the same discussion at the detail level, any gaps can become clear to the LocusView team. We were able to document and discuss action plans as issues arose, simplifying and shortening the process.
In this particular case, application owners shared a preconceived notion that PCI requirements did not apply since the client did not handle credit card information. In practice, and like the other assessment tools, the PCI Self-Assessment Questions deal with the common cybersecurity concerns of any company:
• Network Segmentation
• Firewall Configuration Tracking
• Access and Change Monitoring
• Network Segment Traffic Flow Analytics
• Packet Inspection & Intrusion Detection
• Alert Reporting and Response Process
Step three
The third step in the process was to create a “Cybersecurity Risk Management & Network Operations Manual” for each of LocusView’s application teams. At this step, the value of distributing accountability for cybersecurity to the application owners becomes clear. Viewing the enterprise in totality results in confounding complexity.
For example, firewall access rules are usually very wide to include as many applications as possible inside the corporate network. Yet, when we applied rules to each server running a specific application suite, firewall access rules could become very narrow and specific.
For each application team we recommended LocusView use the following documentation outline:
APPLICATION XXX
Cybersecurity Risk Management & Network Operations MANUAL
RISK MANAGEMENT STRATEGY STATEMENT
Enterprise Risk Management Process
Integrated Risk Management Program
Application Team Specific Roles and Responsibilities
External Participation
SCOPE OF RISK MANAGEMENT PROGRAM
Asset, Change, and Configuration Management
Cybersecurity Program Management
Supply Chain and External Dependencies Management
Identity and Access Management
Event and Incident Response, Continuity of Operations
Information Sharing and Communications
Risk Management
Situational Awareness
Threat and Vulnerability Management
Workforce Management
IMMEDIATE INFRASTRUCTURE UPGRADE PROJECT PLANS
LONG-TERM CYBERSECURITY ROADMAP AND MILESTONES
EDUCATION AND REASSESSMENT SCHEDULES
EVENT AND INCIDENT RESPONSE PROCEDURES
Appendix 1: Registry Of Primary Cybersecurity Risks
Appendix 2: Registry Of Stakeholders, IDs
Appendix 3: Registry Of Assets, Change Logs, & IPs
Appendix 4: Registry Of Firewall & IDS Rules
Appendix 5: Cybersecurity Event And Incident Logs
Appendix 6: C2M2 Self Assessment – Reports
Appendix 7: US-CERT-CRR – Reports
Appendix 8: PCI-DSS Attestation – Reports
Step four
The fourth and final step in the process was to convene the enterprise IT teams responsible for network administration, release control, and infrastructure change control to consolidate the manuals from each team.
Outcome/Results
LocusView was able to use the NIST Cybersecurity Framework as a map to the compliance areas that matter most to their organization. This approach to applying the NIST Framework helped LocusView achieve cost savings and process simplicity.
With this holistic knowledge as a guide to the individual standards, by delegating the process, and focusing in on the security of individual application sets, LocusView was able to respond to each request for security information with a consistent package of answers. Since our work, LocusView has used this approach for penetration tests and compliance auditing. At the time of publication, LocusView has passed initial audits and the first of several penetration tests.
Put the NIST Framework to work
As more organizations consider and move to cloud, IT teams will need a guide to
cybersecurity which works to both secure critical systems and pass industry standards.
Savvy IT security leaders must navigate the challenges of avoiding vendor lock-in, passing
compliance, while efficiently using existing resources.
The NIST Framework can help teams get started, but all organizations deserve to have clear guidelines and advisors who value a practical and honest approach to security.
At Cohesive Networks we like to think of ourselves as “honest Midwesterners.” We are real people who have guided customers through similar cloud security and compliance scenarios. What’s our angle? We want to put the Chicago technology scene on the map the way Chicago School architects built the first skyscrapers. We want to build a rich technology community through honest, hard work.
Don’t get caught in the “fog of more” when it comes to cybersecurity assessments. Use the NIST Cybersecurity Framework as a map to the compliance areas that matter most to your organization. If you need a guide, get in touch with me or any of us at Cohesive Networks for that honest Chicago School advice: chicago@cohesive.net
Bibliography
Referenced studies, articles, and standards. Formatted in the Chicago Manual of Style, of course.
1. Prince, Brian. “Boards Dissatisfied With Cyber, IT Risk Info Provided by Management.” SecurityWeek. January 2, 2015. http://www.securityweek.com/boards-dissatisfied-cyber-it-risk-info-provided-management.
2. Ponemon Institute. “2015 Cost of Data Breach Study: Global Analysis.” Ponemon Institute. May 2015. http://www.ponemon.org/news-2/23.
3. National Institute of Standards and Technology. “Framework for Improving Critical Infrastructure Cybersecurity.” http://www.nist.gov/cyberframework/upload/nist-cybersecurity-framework-update-120514.pdf.
4. Wikipedia. “Chicago school (architecture).” May 16, 2015. http://en.wikipedia.org/wiki/Chicago_school_(architecture).
5. Lunden, Ingrid. “Target Says Credit Card Data Breach Cost It $162M In 2013-14.” TechCrunch. February 25, 2015. http://techcrunch.com/2015/02/25/target-says-credit-card-data-breach-cost-it-162m-in-2013-14/.
6. Burnette, Mark. “Key takeaways from the Target settlement for retailers.” Internet Retailer. May 21, 2015. https://www.internetretailer.com/commentary/2015/05/21/key-takeaways-target-settlement-retailers.
7. The White House, Office of the Press Secretary. Executive Order 13636, Improving Critical Infrastructure Cybersecurity. February 12, 2013. https://www.whitehouse.gov/the-press-office/2013/02/12/executive-order-improving-critical-infrastructure-cybersecurity.
8. 113th Congress. S. 1353, Cybersecurity Enhancement Act of 2014 (Public Law 113-274). December 18, 2014. https://www.congress.gov/bill/113th-congress/senate-bill/1353.
9. Department of Homeland Security. About the Critical Infrastructure Cyber Community C³ Voluntary Program. February 12, 2015. http://www.dhs.gov/about-critical-infrastructure-cyber-community-c%C2%B3-voluntary-program.
10. Mello Jr., John P. “Target Breach Lesson: PCI Compliance Isn't Enough.” TechNewsWorld. March 18, 2014. http://www.technewsworld.com/story/80160.html.
11. National Institute of Standards and Technology. Framework for Improving Critical Infrastructure Cybersecurity (Version 1.0). February 12, 2014. http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf.
12. National Institute of Standards and Technology. Framework for Improving Critical Infrastructure Cybersecurity (Version 1.0). February 12, 2014. http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf.
13. Department of Homeland Security, Industrial Control Systems Cyber Emergency Response Team (ICS-CERT). Assessments. https://ics-cert.us-cert.gov/Assessments.
Images:
1. National Institute of Standards and Technology. “Figure 1.” Framework for Improving Critical Infrastructure Cybersecurity (Version 1.0). February 12, 2014. http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf.
2. Wikimedia Commons. Rookery Building, via http://upload.wikimedia.org/wikipedia/commons/6/6b/Rookery_Building,_209_South_LaSalle_Street,_Chicago,_Cook_County,_IL_HABS_ILL,16-CHIG,31-_(sheet_4_of_8).png.
3. The History of the NIST Cybersecurity Framework. Cohesive Networks. June 2015.
4. PricewaterhouseCoopers LLP. “Why you should adopt the NIST Cybersecurity Framework.” Figure 1: Tiers of Cybersecurity Maturity. May 2014. http://www.pwc.com/en_US/us/increasing-it-effectiveness/publications/assets/adopt-the-nist.pdf.
5. National Institute of Standards and Technology. “Appendix A, Framework Core.” Alternative View: Appendix A - Framework Core Informative References. February 12, 2014. http://www.nist.gov/itl/upload/alternative-view-framework-core-021214.pdf.
6. National Institute of Standards and Technology. “Figure 2: Notional Information and Decision Flows within an Organization.” Framework for Improving Critical Infrastructure Cybersecurity (Version 1.0). February 12, 2014. http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf.
7. 7 Steps to Build Your Own NIST Cybersecurity Framework. Cohesive Networks. June 2015.
About the Author
Dwight Koop is cofounder and chief operating officer for Cohesive
Networks. His experience spans enterprise IT and entrepreneurial
startups. Dwight was global head of data center operations and security
for Swiss Banks capital markets and O'Connor and Associates. He was
one of the founders and an EVP of the Chicago Board Options Exchange
during its early and rapid growth years. As COO of Bedouin, Inc, he was
instrumental in its acquisition by Borland, and as a VP at Borland he
played a significant role in its acquisition of Starbase. He was also COO of
Signet Assurance, where he is proud to say his engineering team
consisted of Eric Hughes, the noted cryptographer, and Bram Cohen, the
founder of BitTorrent.
Mr. Koop is also the Managing Member of Leporidae Holdings LLC, a
private asset management company. Leporidae recently sold its interest
in Rabbit Technologies Limited to VMWare.