Cybersecurity Framework - What are Pundits Saying?

NIST Cybersecurity Framework
What are Industry Leaders Saying?
 The Gartner Group
 Deloitte
 PwC – Price Waterhouse
 Intel
 ISACA COBIT 5
 Department of Energy &
the Electricity Subsector
LinkedIn CSF April 2016
© 2016 J2 Coordinated Response, LLC.
All Rights Reserved.
Page: 1

The Gartner Group on the Framework
 30% of organizations are using the NIST Cybersecurity
Framework already.
 50% of organizations will by 2020.
Really?? Is that your experience?
 The Framework is neither too prescriptive, nor too vague.
 It is a tool to communicate with senior management and the
board.
Originally delivered June, 2015 at National Harbor Place.
LinkedIn CSF April 2016 Page: 2

The Cybersecurity Framework
The Executive Order directed:
 The development of a voluntary risk-based Cybersecurity
Framework – a set of industry standards and best practices to
help organizations manage cybersecurity risks.
 The resulting Framework, created through collaboration
between government and the private sector:
– Use a common language to address and manage cybersecurity risk;
– Provide a cost effective mechanism to do this; and
– Avoid placing additional regulatory requirements on businesses.

Deloitte Retail Survey
 In 2014, Deloitte surveyed executives in a diverse range of
retail companies – both large and mid-sized.
 The results reflect the Framework Tiers.
 The survey did not focus on the Framework; it was much
broader.
 But, 20% of the respondents indicated they are using the
Framework or plan to soon.
 Deloitte (2015). 4 Ways to Engage Executives in Cyber Risk.
Wall Street Journal: CIO Journal.
http://deloitte.wsj.com/cio/2015/07/20/4-ways-to-engage-executives-in-cyber-risk/.

Cyber Security & Business Risk Management
Page: 5
Tier 2
Risk Informed
Tier 4
Adaptive
6% 6%
Tier 1
Partial
Tier 3
Repeatable
Ad hoc, not
well organized.
Compliance
focused.
Integrated with
business risk
governance.
24%
Comply, but
protect sensitive
data &
critical systems.
18% Business focus
w/investment
in threat intel
and incident
response.
26%
Focus on
business risk;
early maturity.
20%
Cybersecurity Focus &
Business Risk
Management

Integrated Risk Management
 A key element of the Cybersecurity Framework is the
integration of risk management.

Or in the words of Price Waterhouse Coopers
 “It’s important to note that the Framework casts the
discussion of cybersecurity in the vocabulary of risk
management and with good reason.”
 “Executive leaders and board members typically are well-
versed in risk management, and framing cybersecurity in this
context will enable security leaders to more effectively
articulate the importance and goals of cybersecurity.”
 “It can also help organizations prioritize and validate
investments based on risk management.”
https://www.pwc.com/us/en/increasing-it-effectiveness/publications/assets/adopt-the-nist.pdf
Page: 7

Cybersecurity Framework in Action: Intel Use Case
Intel ran a prototype Framework assessment to evaluate its
usefulness for their organization. It was deemed successful.
 Phase 1 – Agree on approach;
set target scores for functions and categories working with
stakeholders; and the core team did an initial assessment.
 Phase 2 – Assess current status;
SMEs did independent individual assessments/current profile.
 Phase 3 – Analyze results.
Resolve / clarify differences for current profile.
 Phase 4 – Communicate results.
http://www.intel.com/content/www/us/en/government/cybersecurity-framework-in-action-use-case-brief.html
Page: 8

Intel Approach
Intel made 3 significant adjustments to reflect their organization
 They extended Tiers to include People, Process, Technology,
and Ecosystem (note: I didn’t borrow this term from Intel).
 They defined the Tiers as a maturity model, more stringent
than the guidance provided in the NIST documentation.
 They added and removed subcategories, but this is expected.
Page: 9

Intel Adjusted the Framework
 In the Detect Function – a 4th category was added: Threat
Intelligence.
 Kept the rest of the Categories
 But, created their own Subcategories to reflect their
environment and nomenclature.
 They also initially assessed at the Category level.
 Subcategories were assessed only when more information
was needed for an informed decision.
Page: 10

Intel Findings
 Total effort was 180 FTE Hours.
 Most of the effort was in phase I
 Much less effort in the actual assessment/initial profile.
– SMEs received 1 hour of training, then recorded their assessment.
 The following tools were developed:
– Risk scoring worksheet,
– Heat map, and
– Customized tier definitions.
Page: 11

ISACA COBIT 5
 ISACA CSX = Cybersecurity Nexus
(ISACA’s branding for their cyber focus area).
 From a document:
Implementing the NIST Cybersecurity Framework with COBIT 5
http://www.isaca.org/Education/COBIT-Education/Pages/Implementing-NIST-
Cybersecurity-Framework-Using-COBIT-5.aspx
 COBIT = Control Objectives for IT.
 GEIT = Governance of Enterprise IT.
 COBIT is 20 years old and now in release 5 = COBIT 5.
Page: 12

COBIT 5 – Step by Step Input
For each step in the Framework implementation, the guide for
applying COBIT 5 provides 2 useful lists:
 Implementation Considerations
– Purpose
– Inputs
– High level activities
– Outputs
 Relevant COBIT 5 practices
Both lists provide valuable guidance even if COBIT 5 is not
directly applied.
ISACA CMC April 2016
Page: 13

Example: CSF Step 6 – COBIT 5 Phase 4
CSF Step 6 – Determine, Analyze, and Prioritize Gaps
COBIT 5 Phase 4 – What Needs to be Done?
 Purpose – To understand what actions are required to attain
stakeholder goals through identification of gaps between the
current and target environments and alignment with
organizational priorities and resources.
 Inputs – (1) Target profile, (2) process, business and technical
expertise, and (3) resource requirements.
 High-level Activities – From identifying the gaps for each
subcategory to creating and recording an action plans.
 Outputs – (1) Profile gap analysis, (2) prioritized action plan, (3)
risk acceptance documentation, and (4) performance target.
Page: 14

Example: CSF Step 6 – COBIT 5 Phase 4
Relevant COBIT 5 Practices (just a few, just a sampling):
 EDM01.02 – Inform leaders and obtain their support.
 APO02.05 – Define the strategic plan and roadmap.
 APO02.06 – Communicate the IT strategy and direction.
 APO08.04 – Work with stakeholders: coordinate and
communicate.
 BAI03.01 – Design high-level solutions.
NOTE: 27 COBIT 5 practices are identified for this CSF Step.
Consider the practices a checklist; pick and choose those that
apply.
Page: 15

Electricity Subsector Cybersecurity Capability
Maturity Model (ESC2M2)
 Developed by the Electricity Sector in Conjunction with the
Department of Energy (DoE).
 Originally Published in May 2012 – 3 months after the
Presidential Policy Directive (PPD) 21 on critical infrastructure.
 Revised and Republished in February 2014 concurrent with the
NIST Cybersecurity Framework (CSF).
 Published “Energy Sector Cybersecurity Framework
Implementation Guide” January 2015.
– Presents the ESC2M2 as Cybersecurity Framework Implementation
Approach.
http://energy.gov/oe/cybersecurity-capability-maturity-model-c2m2-program/electricity-subsector-cybersecurity
ISACA CMC April 13, 2016 Page: 16

Benefits of Using the ESC2M2 Approach to
CSF Implementation
The Maturity Model:
 Has the Same Goal as the Framework.
 Has Widespread Use – the Model Was Released Over 4 Years Ago, 2 Years
Prior to the CSF Release.
 Supports Bench Marking Across the Sector.
But, CSF Would, Too.
 Has 2 Variants: One for Electricity and One for Natural Gas.
 The Model is Descriptive and Readily Applicable to Organizations with
Different Size, Structure, and Purpose.
– NOTE: The Model Provides Great Guidance for a CSF Assessment.
 Complete Coverage of Framework Practices.
 Employs Progressive Maturity Levels.
 Has a Self-Assessment Toolkit.

ESC2M2 has Ten Domains
That Map Nicely to the Cybersecurity Framework:
1. Risk Management ID-RM
2. Asset, Change, & Configuration Management ID, PR, DE
3. Identity & Access Management ID, PR
4. Threat and Vulnerability Management ID, DE
5. Situational Awareness PR, DE
6. Information Sharing & Communications ID,
7. Event & Incident Response, Business Continuity DE, RS, RC
8. Supply Chain & External Dependencies Management ID
9. Workforce Management ID
10. Cybersecurity Program Management ID-GV

ESC2M2 Objectives
Each Domain has
 Approach Objectives including
– 1 or more specific objectives with activities specific to the domain.
 A Management Objective describing
– Level of institutional activities (institutionalization) and
– Fairly generic across domains.
 Each objective has maturity steps
– The maturity steps provide good guidance.

For feedback contact us
 Jim Bothe – Jim.Bothe@CoordinatedResponse.com
Mobile: (443) 956-8032
 Jim Meyer – Jim.Meyer@CoordinatedResponse.com
Mobile: (301) 325-5563
 Coordinated Response
A cybersecurity incident response planning
and consulting firm
www.CoordinatedResponse.com
 A Note on Incident Response & Security Assessments

Cybersecurity Framework - What are Pundits Saying?

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (20)

Andere mochten auch

Andere mochten auch (18)

Ähnlich wie Cybersecurity Framework - What are Pundits Saying?

Ähnlich wie Cybersecurity Framework - What are Pundits Saying? (20)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

Cybersecurity Framework - What are Pundits Saying?