This is the summary of our introduction to the National Institute of Standards and Technology Cybersecurity Framework, also known as the CSF. This program is designed to give you an understanding of the NIST Cybersecurity Framework and how to implement it. In this course, we have discussed the CSF functions of identify, protect, detect, respond, and recover, and their purposes. Under identify, we talked about developing an organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities. We discussed the importance of senior management involvement and buy-in, cyber and digital strategies, investment strategies, governance policies, roles and responsibilities, processes and procedures, risk assessments, business impact assessments, asset management, as well as physical and digital infrastructure and systems. We also talked about protect and applying safeguards to ensure delivery of critical infrastructure services through awareness and training, staff engagement, supply chain and vendor risk management, security reviews, security incident reporting, access control, and information protection, for example HR security, application security, data security and network security. Additionally, we talked about detect and conducting activities to identify the occurrence of cybersecurity events: making sure that we have security monitoring, vulnerability management, continuous monitoring of applications, data, network, infrastructure and systems, threat intelligence, as well as input to cyber risk strategies. Under respond, we talked about implementing activities to take action regarding a detected cybersecurity event by conducting incident response, planning, communications internally, externally and with customers, as well as continuous improvement, lessons learned and updating the incident plan.
Finally, we discussed recover and the development of plans for resiliency and for restoring any capabilities or services that were impaired due to a cybersecurity event. We also discussed recovery planning and execution, business continuity and disaster recovery testing, business continuity and disaster recovery planning, communications (internal, external, and customers), continuous improvement as well as lessons learned, and business continuity and disaster recovery plan updates. We discussed the 23 categories, which are split across the five functional areas, and the 97 subcategories, which are the outcome-driven statements that provide considerations for creating or improving a cybersecurity program. Finally, we covered the informative references and how the controls are mapped back to the CSF.

We discussed the CSF purpose and the fact that the framework is voluntary guidance, based on existing standards, guidelines and practices, for organizations to better manage and reduce their cybersecurity risks. In addition to helping organizations manage and reduce risks, it was designed to foster risk and cybersecurity management communications amongst internal and external organizational stakeholders. We also discussed the CSF core: the framework core provides a set of desired cybersecurity activities and outcomes using common language that is easy to understand, and the core guides organizations in managing and reducing their cybersecurity risks in a way that complements an organization's existing cybersecurity and risk management process. We also covered the implementation tiers. The framework implementation tiers assist organizations by providing context on how an organization views its cybersecurity risk management. The tiers guide organizations to consider the appropriate level of rigor for their cybersecurity program and are often used as a communication tool to discuss risk appetite, mission priorities, and budget.
Finally, we talked about the CSF profiles and the fact that the profiles are an organization's unique alignment of their organizational requirements and objectives, risk appetite and resources against the desired outcomes of the framework core. The profiles are primarily used to identify and prioritize opportunities for improving cybersecurity at an organization. Over the next few screens, we'll close with some CSF implementation tips by looking at some areas to consider when implementing the cybersecurity framework. For example: knowing the stakeholders, understanding the why, leveraging industry frameworks, getting top management involved, instilling accountability, demonstrating quick wins, using a continuous cycle, identifying new approaches, having formal documentation and training personnel.

The first tip when implementing the cybersecurity framework is know the stakeholders. In order to communicate effectively, you need to know your audience. For example, is it the executive and management team, or is it the internal or external stakeholder? Most activities need to be coordinated with internal and external parties, like a coordinating center, the Internet service provider, the owner of an attacking system, a victim, or other cybersecurity incident response teams or vendors.

The second tip we can offer is understand the why: identify drivers and create a desire to change, which is typically expressed in the outline of a business case. A driver is an internal or external event, condition or key issue that serves as a stimulus for change. A business case is a fundamental and important tool for justifying, supporting, and ensuring successful outcomes. The associated risks are then described in the business case and managed through the life cycle.

The third tip is in reference to leveraging industry frameworks. Remember, the CSF, the Cybersecurity Framework, is in addition to an industry framework, not a replacement for it.
You see on the screen some of the different frameworks already depicted for you, grouped by governance, architecture, IT service management, program and project management, and so on down the list. You'll see ISO 38500, COBIT, COSO, and NIST 800-53; those are the types of frameworks that we were talking about being mapped to the categories and the functional areas.

The fourth tip deals with getting top management involved. A security program should use a top-down approach, meaning that the initiation, support, and direction come from top management, work their way through middle management, and eventually reach the staff members. This is in contrast to a bottom-up approach, which refers to a situation where the staff members, usually the IT department, try to develop a security program without getting proper management support and direction. The bottom line here is that top-down gets you management buy-in, whereas bottom-up may not and is usually not supported, in other words not funded, resourced, and so on. Executive management should specify and design the guiding principles, decision rights, and accountability framework for governance of the enterprise, IT, and the enterprise cybersecurity posture. We're talking about creating the appropriate environment, gaining executive support and communicating through the enterprise, recognizing pain points and trigger events, leveraging those as a wake-up call to recognize the need to act, and linking risk scenario analysis to enterprise goals. This visualization will illustrate how potential scenarios can affect enterprise value creation objectives.

Tip number 5, instill accountability, is all about establishing and clarifying roles and responsibilities. For example, board executives, business management, IT management, internal audit, and risk, compliance and legal personnel, and then establishing the responsibilities for each one of the roles so that it is clearly articulated what the responsibilities are.
Tip number 6 deals with demonstrating quick wins. Quick wins can support an organization's overall program in the following ways: they provide credibility to the program, help obtain management buy-in, provide an opportunity for success, provide senior management with data on the viability of the program or project, justify costs, and create milestones with deliverables. Inputs into an incident management quick win would be something like conducting an audit for proper incident descriptions, proper prioritization, proper categorization, following the escalation procedures, use of existing knowledge articles, and proper resolution descriptions. You could establish business benefit ratings or classifications like contributing, synergistic, enabling, and direct. Ease of implementation classifications could be listed as difficult, challenging, moderate, or easy.

Tip number 7 for implementing the cybersecurity framework is use a continuous cycle. A continuous cycle addresses the complexity and challenges typically encountered, such as cost, quality, scope, and time. Over time, iterations become business as usual. You should create a sustainable approach where continual improvements occur naturally as a rhythm. Use iterations to continuously re-establish drivers and goals. Duration should be based on maturity and scope, but ideally shouldn't last more than six months per cycle.

Listed here is tip number 8, new approaches. Confirm that action plans deliver the expected benefits. Don't just move to the next initiative and consider this phase complete. Update organizational assessments; these include assessments regarding risk, processes, culture, and service delivery. Produce and communicate results to stakeholders. Make reporting dashboards relevant and complete by communicating key performance indicators and key risk indicators. Finally, document lessons learned to improve future cycles.
Post-iteration reviews must be documented and made required reading for future efforts.

Here's tip number 9, maintain formal documentation. Treat the implementation as a formal, recognized program. Follow project management principles. Ensure that post-project documentation is identified and cataloged for future reference and assurance. Update the knowledge management system. Use configuration entries in the Configuration Management Database (CMDB), or the applicable system, to re-baseline the configuration documentation; this includes assets, documents, controls, and services. Finally, review process inputs, outputs, and artifacts. Modifications should also consider what changes are required for all enablers: policies, organizational structure, and so on.

Finally, tip number 10, train personnel, because well-trained and confident resources are key to successful adoption of the cybersecurity framework, or any framework for that matter. If you link training needs to value creation, the chances of successful implementation will rise significantly.