By: Justin Fimlaid
In my previous post there’s a big difference between a security assessment and a security program review. The NIST Cybersecurity Framework is a leader and go-to in developing a security program. The NIST Cybersecurity Framework is broken down into 3 parts – the core, implementation tiers, and profiles. If you need assistance in getting started with the NIST Cybersecurity Framework and maturing your security processes you can contact us or get more information about NIST here: NIST Cybersecurity Framework
The Core provides a set of desired Cybersecurity activities, outcomes, and creates a common language folks can understand. You can think of this as core capabilities implemented in a way that everyone can understand and talk about.
The second part is the Implementation Tiers. The implementation tiers guide organizations to consider the appropriate rigor of security based company strategic goals and objectives. You can think of this of as a maturity model for your organization that considers executive risk appetite. Simply put, it measures where you’re at today and gives you a framework to decide how good you actually want to be in the future.
The third and last tier is the Profile. Profiles are about optimizing the Cybersecurity Framework to best serve the organization. The Framework is voluntary, so there is no ‘right’ or ‘wrong’ way to do it. One way of approaching profiles is for an organization to map their cybersecurity requirements, mission objectives, and operating methodologies, along with current practices against the subcategories of the Framework Core to create a Current-State Profile. These requirements and objectives can be compared against the current operating state of the organization to gain an understanding of the gaps between the two. Profiles, really, help to create a prioritized implementation plan based on risk, priority, budget, timing.
As you get started with NIST Cybersecurity Framework to establish your security program it can be a little overwhelming at first. If you’re unsure how to start, or where, start with the Core. Once you get comfortable with the Core then you can start taking on the Tiers and Profiles.
So let’s start breaking down the Core. The Core consists of three parts:
- Functions, 5 in total.
- Categories, 23 in total.
- Subcategories. 108 in total.
Simply put this is a way to organize the logical groupings of the NIST CSF functions and capabilities so you can perform logical mappings between the security controls and desired functions and vise-versa.
The Core Functions
The Core includes five high level functions:
The Identify Function assists in developing your ability to manage your security program related to governance of the program and manage over cybersecurity risk. This function also assists in developing an organizational understanding to managing cybersecurity risk to systems, people, assets, data, and capabilities. Understanding the business context, the resources that support critical functions, and the related cybersecurity risks enables an organization to focus and prioritize its efforts, consistent with its risk management strategy and business needs.
The Protect Function establishes core safeguards to protect and ensure delivery of core services. Performed correctly this function will also give you the ability to limit or contain the impact of a potential cybersecurity event.
The Detect Function defines the appropriate activities to identify the occurrence of a cybersecurity event. Developing this function allows you to quickly identify a cybersecurity event and respond quickly so you can contain the event. Your ability to detect directly affects your ability to timely exercise the Response function.
The Respond Function includes a series of actions and activities to take action regarding a detected cybersecurity incident. The Respond Function supports the ability to contain the impact of a potential cybersecurity incident.
The Recover Function identifies appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity incident. The Recover Function supports timely recovery to normal operations to reduce the impact from a cybersecurity incident.
These 5 functions are not only applicable to cybersecurity risk management, but also to risk management at large.
The Core Categories:
The next level down is the 23 Categories that are split across the five Functions. The image below depicts the Framework Core’s Functions and Categories:
A Short Description of Categories:
- Asset Management: The organization identifies data, personnel, devices, systems and facilities that enable the organization and achieve business goals.
- Business Environment: The organization’s mission, objectives, stakeholders, and activities are understood and prioritized; this information is used to inform cybersecurity roles, responsibilities, and risk management decisions.
- Governance: The policies, procedures, and processes to manage and monitor the organization’s regulatory, legal, risk, environmental, and operational requirements are understood and inform the management of cybersecurity risk.
- Risk Assessment: The organization understands the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals.
- Risk Management Strategy: The organization’s priorities, constraints, risk tolerances, and assumptions are established and used to support operational risk decisions
- Supply Chain Risk Management: Identifies, establishes, and assesses cyber supply chain risk management and gains stakeholder agreement.
- Identity Management and Access Control: Access to assets and associated facilities is limited to authorized users, processes, or devices, and to authorized activities and transactions.
- Awareness and Training: The organization’s personnel and partners are provided cybersecurity awareness education and are adequately trained to perform their information security-related duties and responsibilities consistent with related policies, procedures, and agreements.
- Data Security: Information and records (data) are managed consistent with the organization’s risk strategy to protect the confidentiality, integrity, and availability of information.
- Information Protection Processes and Procedures: Security policies (that address purpose, scope, roles, responsibilities, management commitment, and coordination among organizational entities), processes, and procedures are maintained and used to manage protection of information systems and assets.
- Maintenance: Maintenance and repairs of industrial control and information system components is performed consistent with policies and procedures.
- Protective Technology: Technical security solutions are managed to ensure the security and resilience of systems and assets, consistent with related policies, procedures, and agreements
- Anomalies and Events: Anomalous activity is detected in a timely manner and the potential impact of events is understood.
- Security Continuous Monitoring: The information system and assets are monitored at discrete intervals to identify cybersecurity events and verify the effectiveness of protective measures
- Detection Processes: Detection processes and procedures are maintained and tested to ensure timely and adequate awareness of anomalous events.
- Response Planning: Response processes and procedures are executed and maintained, to ensure timely response to detected cybersecurity events.
- Communications (Respond): Response activities are coordinated with internal and external stakeholders, as appropriate, to include external support from law enforcement agencies.
- Analysis: Analysis is conducted to ensure adequate response and support recovery activities.
- Mitigation: Activities are performed to prevent expansion of an event, mitigate its effects, and eradicate the incident.
- Improvements: Organizational response activities are improved by incorporating lessons learned from current and previous detection/response activities.
- Recovery Planning: Recovery processes and procedures are executed and maintained to ensure timely restoration of systems or assets affected by cybersecurity events.
- Improvements: Recovery planning and processes are improved by incorporating lessons learned into future activities.
- Communications (Recover): Restoration activities are coordinated with internal and external parties, such as coordinating centers, Internet Service Providers, owners of attacking systems, victims, other CSIRTs, and vendors
The Core Subcategories:
After categories, there’s subcategories and there is 108 of those. As we go from Function (capability) to Category, to subcategory we get a little more granular with each step and level we go down.
Framework Implementation Tiers:
Tiers describe the degree to which an organization’s cybersecurity risk management practices exhibit the characteristics defined in the Framework. The Tiers include:
- Partial (Tier 1)
- Risk Informed (Tier 2)
- Repeatable (Tier 3)
- Adaptive (Tier 4)
Framework Implementation Tiers (“Tiers”) provide context on how an organization views cybersecurity risk and the organizational processes in place to manage that risk. The Tiers describe the degree to which an organization’s cybersecurity risk management practices exhibit the characteristics defined in the Framework (e.g., risk and threat aware, repeatable, and adaptive). The Tiers characterize an organization’s practices over a range, from Partial (Tier 1) to Adaptive (Tier 4). These Tiers reflect a progression from informal, reactive responses to approaches that are agile and risk-informed. During the Tier selection process, an organization should consider its current risk management practices, threat environment, legal and regulatory requirements, business/mission objectives, and organizational constraints.
The Core Profile:
Overview of Profiles
As an organization determines how to use the Cybersecurity Framework Core to assist in managing their cybersecurity risks, they can develop organization-specific Profiles to map their current state and a desired future state based on their goals and mission.
The following excerpt from the Cybersecurity Framework describes Profiles:
“Through use of the Profiles, the Framework will help the organization align its cybersecurity activities with its business requirements, risk tolerances, and resources.
. . . A Framework Profile (“Profile”) represents the outcomes based on business needs that an organization has selected from the Framework Categories and Subcategories. The Profile can be characterized as the alignment of standards, guidelines, and practices to the Framework Core in a particular implementation scenario. Profiles can be used to identify opportunities for improving cybersecurity posture by comparing a “Current” Profile (the “as is” state) with a “Target” Profile (the “to be” state).”
Tailoring a Profile
Profile development tailors the Cybersecurity Framework to focus on the cybersecurity areas of particular concern to an industry, organization, or functional area as identified through its risk management processes. By evaluating the elements of the Cybersecurity Framework against a particular mission, a Profile is created that shows priorities based on evaluation of the mission against the Cybersecurity Framework Functions, Categories, and Subcategories.
Implementing and Leveraging Profiles in Organizations
The Cybersecurity Framework and Profiles created with it provide a consistent way to discuss security objectives and activities in reader-friendly terminology that is consumable for multiple roles – from executives to technical implementers. Within organizations, benefits include describing how security investments will be used to a Board of Directors, and measuring progress in meeting cybersecurity objectives year over year. Advantages provided by industry-focused Profiles include defining consistent priorities across a sub-sector, and enabling conversations by discussing security activities using consistent terminology. Industry-specific Profiles are intended to:
- minimize future work by each organization
- decrease the chance that organizations accidentally omit a requirement
- encourage consistent analysis of cybersecurity-risk in the operational environment
- align industry and organizational cybersecurity priorities
Organizations that are part of an industry or sub-sector that has one or more industry-focused Profiles generally use those industry-focused Profiles to inform decisions made when constructing their organization-focused Profiles and measuring progress.
NuHarbor Security is a national leader in security advisory services. If you need assistance with the NIST Cybersecurity Framework or any framework, please contact us.