This is an introduction to the National Institute of Standards and Technology Cybersecurity Framework, also known as the CSF. This program is designed to provide you with an understanding of the NIST Cybersecurity Framework and how to implement it. Over the next couple of screens, we're going to be discussing self-assessing cybersecurity risk. This is a new section that was added in version 1.1 of the CSF and was missing from the old version 1.0. The self-assessing cybersecurity risk section explains how the Cybersecurity Framework can be used by organizations to understand and assess their cybersecurity risk, including the use of measurements. Self-assessment and measurement should improve the organization's decision-making process about investment priorities. For example, measuring or characterizing aspects of an organization's cybersecurity state and its trends over time can enable that organization to understand and convey meaningful risk information to dependent organizational functions or units, suppliers, and other parties. Profiles, for example, can be used to conduct self-assessments and to communicate within an organization or between organizations. The self-assessment process can be used to emphasize the role of measurement. For example, measuring and assigning values to risk, and to the costs or benefits of steps taken to reduce the risk, helps improve decision making for investments and builds strong trust relationships. The process can provide a clear understanding of the business objectives, the relationships between objectives and cyber outcomes, and the management of distinct, separate cyber outcomes.

Remember that the implementation of Tiers is cumulative. For example, what is required at Tier 1 is required at Tier 2 as well. This means that an organization striving for Tier 3 should consider the practices listed under Tiers 1 and 2, and then Tier 3. As a reminder, the Tiers are Tier 1, Partial; Tier 2, Risk Informed; Tier 3, Repeatable; and Tier 4, Adaptive.
Each Tier addresses risk management processes, integrated risk management programs, and external participation. The processes used to influence target implementation Tier selection are: determine the current implementation Tier, prioritize Target Profiles, review Current Profiles, and measure controls based on the Informative References. What we're doing here is monitoring and evaluating our progress against key risk metrics and performance indicators. Leading indicators can be predictive; lagging indicators are results-oriented. We can use key performance indicators, or KPIs, to feed or automate our metrics, or to verify the measurements that are required for the organization.

The frameworks we're going to be discussing next are all listed in the Informative References section of the CSF. For example, the CIS CSC, the Center for Internet Security Critical Security Controls, is a short list of high-priority defensive actions. There are 20 controls in the CIS CSC; if the first six are implemented, they usually eliminate the vast majority of an organization's vulnerabilities. You see that I've broken them down for you here into three columns. You have your Basic CIS Controls, 1 through 6; then your Foundational CIS Controls, 7 through 16; and then your Organizational CIS Controls, 17 through 20.

The framework that you're probably most familiar with is NIST SP 800-53 Rev. 4. It has 18 or 19 control families and over 285 controls, depending on the level of your categorization. For example, if your FIPS 199 categorization was a low-impact system, you may have only 114 controls that are applicable to that system. A moderate-impact system will add additional controls, and then a high-impact system will have even more controls. Again, remember that all of these controls are tailored to your organization.
NIST SP 800-53 provides guidelines for selecting and specifying security controls for information systems, as well as a catalog of security controls that information systems can use to meet a protection need. The security controls themselves are organized into these 18 or 19 control families.

The American National Standards Institute, ANSI, and International Society for Automation, ISA, 62443 standard, formerly ISA-99, is a series of standards, technical reports, and related information that defines procedures for implementing secure industrial automation and control systems. It's a series of standards and technical reports on cybersecurity for industrial automation and control systems. You see that they're broken down into four areas: general, policies and procedures, system, and component.

Here we have another framework listed in the Informative References. It's COBIT, the Control Objectives for Information and Related Technology. This is a framework for IT governance and management, and it's focused more on operational goals and regulatory compliance. COBIT was derived from the COSO, Committee of Sponsoring Organizations, framework, which is very similar to the ISO 27000-series framework but for financial systems. While the COSO framework is a model for corporate governance, COBIT is a model for IT governance. COSO deals more with the strategic level, while COBIT focuses more on the operational level. You can think of COBIT as a way to meet many of the COSO objectives, but only from an IT perspective. The concept is pretty simple. You need to remember that everything in COBIT is ultimately linked to the stakeholders through a series of transforms called cascading goals. It helps organizations optimize the value of their IT by balancing resource utilization, risk levels, and the realization of benefits. At any point in the organization's IT governance or management process, we should be able to ask the question, "Why are we doing this?" and be led to an IT goal that is tied to an enterprise goal, which in turn is tied to the stakeholders' needs. It's a holistic approach based on five key principles: meeting stakeholder needs, covering the enterprise end-to-end, applying a single integrated framework, enabling a holistic approach, and separating governance from management.

NIST Internal Report 8204, which is still in draft but has been released, provides a logical comparison between reference elements, such as those listed as Informative References, and the CSF Core elements. The relationship represents a one-way mapping from the reference documents to the CSF. Relationships can be described using one of five cases derived from a branch of mathematics known as set theory. The formula is in 8204. The relationship of reference elements to the CSF Core elements can be subset of, intersects with, equivalent to, superset of, or not related to. For example, case 1 shows a scenario where the reference document element contains unique concepts and shares concepts with the CSF. Let's say the CSF element is PR.AT-4: the Function is Protect, the Category is Awareness and Training, and the Subcategory is described as "Senior executives understand their roles and responsibilities." For the reference document element, using NIST Special Publication 800-171 as our framework, the requirement would be 3.2.2: "Ensure that organizational personnel are adequately trained to carry out their assigned information security-related duties and responsibilities." In this example, PR.AT-4 specifies a particular group of users; in this case, senior executives should be trained on their roles and responsibilities. Special Publication 800-171 requirement 3.2.2 suggests that all users should be trained on their roles and responsibilities. Since "all users" contains senior executives and others, this relationship is subset of.
Case number 2, shown on the slide here, shows a scenario where the CSF element contains unique concepts, the reference document element contains unique concepts, and the two elements share concepts. For example, take the CSF element RS.CO-2: the Function is Respond, the Category is Communications, and Subcategory 2 is described as, "Incidents are reported consistent with established criteria." Our reference document element would again come from NIST 800-171, where requirement 3.6.2 is described as, "Track, document, and report incidents to appropriate organizational officials and/or authorities." Here the shared concepts are incidents and reporting. However, RS.CO-2 contains the concept of established criteria, and NIST Special Publication 800-171 requirement 3.6.2 contains the concepts of tracking, documenting, and appropriate organizational officials and authorities. Given that the elements being compared share concepts in addition to each element possessing unique concepts, the relationship designation in this case is intersects with.

Case number 3, shown on the screen, shows a scenario where the CSF element and the reference document element only share concepts. For example, take the CSF element PR.PT-3: Protect is the Function, Protective Technology is the Category, and Subcategory 3 is described as, "The principle of least functionality is incorporated by configuring systems to provide only essential capabilities." Our reference document, using NIST 800-171 again, has requirement 3.4.6, described as, "Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities." Here the two elements are equivalent to, based on the functional and semantic definitions of each.

Case number 4, shown on the screen, shows a scenario where the CSF element contains unique concepts and shares concepts with the reference document element.
For example, take the Cybersecurity Framework element PR.AC-1: again, the Function is Protect, the Category is Identity Management and Access Control, and Subcategory 1 is described as, "Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users, and processes." Our reference document, using NIST Special Publication 800-171 again, has requirement 3.5.1, described as, "Identify system users, processes acting on behalf of users, and devices." In this example, the relationship would be marked superset of, because to issue a credential, a process or user would first have to be identified. While NIST Special Publication 800-171 requirement 3.5.1 contains this identification, the management, verification, revocation, and auditing of the credentials are also contained in the CSF element.

Finally, case number 5, shown on the screen, shows a scenario where the CSF element and the reference document element do not share any concepts. Some reference document elements may not relate to any Framework elements. These reference document elements may be omitted or marked not related to, with a blank CSF element field. If the CSF element field is blank, it is assumed that the reference element is not related.

In summary, in this course we have discussed the frameworks which can be used for self-assessment, NIST 800-53, ANSI/ISA 62443, and COBIT, as well as the reference relationships between the Informative References and the CSF.
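The five relationship cases above (subset of, intersects with, equivalent to, superset of, not related to) are just set comparisons between the concepts each element expresses, so they can be computed mechanically once an analyst has decomposed each element into its concepts. The following is an added example, not part of this course, NISTIR 8204, or SP 800-171: it classifies a CSF Subcategory against a reference requirement by comparing concept sets and builds the one-way reference-to-CSF mapping table, leaving the CSF field blank for unrelated reference elements as the course describes. The concept sets are hand-constructed from the lecture's own reasoning (for instance, "all users" is modelled as senior executives plus other personnel), the direction of subset of / superset of follows the lecture's case descriptions (the designation reads "CSF element is <designation> reference element"), and the element `REF-X` is a constructed placeholder, not a real 800-171 requirement.

```python
"""Concept-set model of the five NISTIR 8204 relationship cases.

Added example: the concept sets and REF-X below are hand-constructed from the
lecture's reasoning, not taken from NISTIR 8204 or SP 800-171 itself.
"""
from dataclasses import dataclass

# The five relationship designations named in the lecture.
SUBSET_OF = "subset of"
INTERSECTS_WITH = "intersects with"
EQUIVALENT_TO = "equivalent to"
SUPERSET_OF = "superset of"
NOT_RELATED_TO = "not related to"


@dataclass(frozen=True)
class Element:
    """A CSF Subcategory or a reference document requirement, reduced to the
    set of concepts its text expresses (the decomposition is the analyst's)."""
    identifier: str
    concepts: frozenset


def classify(csf: Element, ref: Element) -> str:
    """Designation of the CSF element relative to the reference element.

    Assumption (from the lecture's case descriptions): "subset of" means the
    CSF element's concepts are contained in the reference element's concepts.
    """
    shared = csf.concepts & ref.concepts
    if not shared:                          # case 5: nothing in common
        return NOT_RELATED_TO
    csf_unique = csf.concepts - ref.concepts
    ref_unique = ref.concepts - csf.concepts
    if not csf_unique and not ref_unique:   # case 3: identical concept sets
        return EQUIVALENT_TO
    if not csf_unique:                      # case 1: only the reference has extras
        return SUBSET_OF
    if not ref_unique:                      # case 4: only the CSF element has extras
        return SUPERSET_OF
    return INTERSECTS_WITH                  # case 2: both sides have extras


def build_mapping(refs, csf_elements):
    """One-way mapping from reference elements to CSF elements as
    (reference id, CSF id, designation) rows. A reference element that
    relates to no CSF element gets a blank CSF field, as the lecture describes."""
    rows = []
    for ref in refs:
        related = [(csf.identifier, classify(csf, ref)) for csf in csf_elements
                   if classify(csf, ref) != NOT_RELATED_TO]
        if related:
            rows.extend((ref.identifier, csf_id, rel) for csf_id, rel in related)
        else:
            rows.append((ref.identifier, "", NOT_RELATED_TO))
    return rows


# Constructed decompositions of the lecture's four worked examples.
PR_AT_4 = Element("PR.AT-4", frozenset(
    {"training", "roles and responsibilities", "senior executives"}))
R_3_2_2 = Element("3.2.2", frozenset(      # "all users" = executives + others
    {"training", "roles and responsibilities", "senior executives", "other personnel"}))

RS_CO_2 = Element("RS.CO-2", frozenset(
    {"incidents", "reporting", "established criteria"}))
R_3_6_2 = Element("3.6.2", frozenset(
    {"incidents", "reporting", "tracking", "documenting", "officials and authorities"}))

PR_PT_3 = Element("PR.PT-3", frozenset(
    {"least functionality", "essential capabilities only"}))
R_3_4_6 = Element("3.4.6", frozenset(
    {"least functionality", "essential capabilities only"}))

PR_AC_1 = Element("PR.AC-1", frozenset(
    {"identification", "issuance", "management", "verification", "revocation", "auditing"}))
R_3_5_1 = Element("3.5.1", frozenset({"identification"}))

# Constructed placeholder reference element that shares nothing with the CSF
# elements above; it is NOT a real SP 800-171 requirement.
REF_X = Element("REF-X", frozenset({"media sanitization"}))

CSF_ELEMENTS = [PR_AT_4, RS_CO_2, PR_PT_3, PR_AC_1]
REFERENCE_ELEMENTS = [R_3_2_2, R_3_6_2, R_3_4_6, R_3_5_1, REF_X]

if __name__ == "__main__":
    for ref_id, csf_id, rel in build_mapping(REFERENCE_ELEMENTS, CSF_ELEMENTS):
        print(f"{ref_id:>6} -> {csf_id or '(blank)':<9} {rel}")
```

The classification is only as good as the concept decomposition feeding it; the value of writing it down this way is that two analysts who disagree on a designation can see exactly which concept one of them counted as shared and the other as unique.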