This is an introduction to the National Institute of Standards and Technology Cybersecurity Framework, also known as the CSF. This program is designed to give you an understanding of the NIST Cybersecurity Framework and how to implement it. In this course, we focus on the five core functions of the framework, starting with Identify. The framework core consists of five high-level functions, Identify, Protect, Detect, Respond and Recover, known as IPDRR. There are 23 categories split across the five functions, covering topics across cyber, physical and personnel security without getting too deep into any one category. Over the next few screens, we'll break down each of the functions with their respective categories, subcategories and informative references. Remember, there is no hierarchy of functions, and the framework does not intend the functions to operate as a checklist. Rather, organizations must address the functions concurrently and continuously.

The first of the five functions is Identify. This refers to developing an understanding of the organization's cybersecurity risk in order to manage systems, people, assets, data and capabilities. The activities in the Identify function form the foundation for using the framework. The organization needs to understand the resources that support its critical business functions and the related cybersecurity risks, so that it can focus and prioritize its efforts consistent with its risk management strategy and business needs. For example, asset management: what do you have, and where is it? Business environment: this depends on business processes, supply chain management, etcetera. Governance: any regulatory requirements such as Sarbanes–Oxley, Gramm-Leach-Bliley, GDPR, PCI-DSS, etcetera. Risk assessment: what are the threats, natural, man-made, et cetera? And finally, risk management strategy.
This is how the threats are mitigated, what controls need to be in place, and which framework is best for the business. Remember, an asset is an item perceived as having value; assets are either tangible or intangible. Tangible assets are things you can touch, such as inventory or infrastructure, and are easy to quantify; valuation is done via quantitative risk management techniques. Intangible assets like intellectual property have value but cannot be easily quantified, like a share of a partnership or the value of a mailing list. Other assets include people, who are considered assets because they provide a service or value to the organization, and liquid assets such as cash or negotiable items.

Methods for valuing intangible assets include the following. Exclusive possession: the value of information that is tied to its confidentiality, like a trade secret. It may be of great value to the organization as long as it's protected, but if the information got out, that value may be lost; for example, the Kentucky Fried Chicken special chicken recipe or the McDonald's special sauce. Utility: the integrity and relevance of the information. Information of great value to one part of the organization may have negative value to another part that is required to store, process and update it. Cost to acquire or create: a straightforward, conservative method of determining asset value. Liability: the potential cost to the organization if the availability, integrity and/or confidentiality of the information were compromised. Convertibility: this relates to assets like intellectual property, which have value because they can be converted into cash, profit or some other tangible asset. Organizational impact: information can be valued based on the impact to the organization if its availability, integrity and/or confidentiality were compromised.
Timing: some information is valuable based on its release; financial information, for example, can be more valuable just before the release of an earnings statement.

Valuation: organizations can perform valuation in one of two ways, quantitatively or qualitatively. Quantitative assessments assign real numbers, costs for example, to an asset or resource: the asset value, the business impact, the frequency of need, the safeguards, the exploitability, those types of things. The key to remember about quantitative assessment is that it is based on real numbers and costs. Qualitative assessment produces results that are descriptive rather than measurable. This analysis is more subjective, with no real numbers; it is mostly opinion, based on scenarios of possible losses and a ranking of the seriousness or criticality of the assets or resources. It uses grades like high, medium or low, or other classifications. Arranging assets into categories is one of the methods we can use to express the value of assets or resources without using numbers. The key to remember here is that this is judgment-based: qualitative analysis relies on best practices, intuition and experience.

The Identify function also covers the classification of all assets. Anything that can be breached or damaged is an asset that needs to be secured, and to secure it you need to know you have it in the first place, which is why we inventory information and assets. You can't protect it if you don't know you have it. Once an asset has been inventoried, management can prioritize and protect its highest-risk, most valuable and most critical assets based on the probability of attack and the consequences of a breach. It is necessary to develop a consistent and iterative approach to identifying and assessing cybersecurity risk.
This function is also about governance across the institution's ecosystem, starting with the executives' alignment of the business context with cyber risk. The functions can be used to assess the internal security processes of your vendors and partners, and institutions can measure their processes and procedures against their own tailored approaches to the NIST framework.

First, you need to understand that categories are the subdivisions of the functions. Identify, Protect, Detect, Respond and Recover are the functions, and we break them into groups of cybersecurity outcomes closely tied to programmatic needs and particular activities. Categories are the groups of anticipated cybersecurity results, tied to the organization's needs and particular activities for a given function. For example, Access Control is a category under the Protect function, Security Continuous Monitoring is a category under the Detect function, and Mitigation is a category under Respond.

The categories in this group fall under the Identify function. As an example, Asset Management is identified as ID.AM. Here, the data, personnel, devices, systems and facilities that enable the organization to achieve its business purposes are identified and managed in a manner consistent with their relative importance to business objectives and the organization's risk strategy. Business Environment, identified as ID.BE: the organization's mission, objectives, stakeholders and activities are understood and prioritized; this information is used to inform cybersecurity roles, responsibilities and risk management decisions. Governance, identified as ID.GV: here, the policies, procedures and processes to manage and monitor the organization's regulatory, legal, risk, environmental and operational requirements are understood and inform the management of cybersecurity risk.
Under Risk Assessment, identified as ID.RA, the organization understands the cybersecurity risk to organizational operations, including mission, functions, image or reputation, as well as to organizational assets and individuals. For Risk Management Strategy, identified as ID.RM, the organization's priorities, constraints, risk tolerances and assumptions are established and used to support operational risk decisions. And finally, Supply Chain Risk Management, identified as ID.SC: this one was added in version 1.1 of the Cybersecurity Framework because it did not exist under 1.0. Here, the organization's priorities, constraints, risk tolerances and assumptions are established and used to support risk decisions associated with managing supply chain risk, and the organization has in place the processes to identify, assess and manage supply chain risks.

Over the next few sections, we'll be talking about subcategories and informative references. Subcategories further divide a given category into specific activities that support achieving the outcome of that category. Subcategories are the deepest level of abstraction in the core. There are 97 subcategories, which are outcome-driven statements that provide considerations for creating or improving a cybersecurity program. For example, "external information systems are catalogued" is a subcategory of Identity Management and Access Control, which is a category under the Protect functional area. "Malicious code is detected" is a subcategory of Security Continuous Monitoring, which is a category under the Detect functional area. And finally, "incidents are contained" is a subcategory of Mitigation, which is a category under the Respond functional area.

The other column is for informative references. These are broader references that are more technical than the framework itself; the framework is designed to be coupled with one or more of them.
Organizations often use control catalogs such as NIST SP 800-53, COBIT, the ISO 27000 series and so on to obtain more technical guidance on the controls they should be implementing. Informative references are the security standards, guidelines and practices that show a methodology for achieving the outcomes associated with each subcategory. The framework includes a non-exhaustive collection of informative references assembled during the process of developing the framework. Examples are COBIT, the Control Objectives for Information and Related Technology, created by ISACA (the Information Systems Audit and Control Association) for IT management and governance; the ISO/IEC 27000 series; the NIST SP 800-53 Rev 4 catalog; and also NIST SP 800-171. This is the same for all functional areas across the CSF.

Subcategories are written as the category identifier, a dash and then a number: -1, -2, -3, -4 and so on. Here we're going to be talking about ID.AM-1, the first subcategory of Asset Management. The next few screens show the layout of the subcategories and informative references for each category under the Identify function. I've already given you the description listed under each category, so I'll focus more on the subcategories.

Here are the Asset Management subcategories and informative references. You'll see that we have ID.AM-1, which states that physical devices and systems within the organization are inventoried. The next column over is the informative references, which list all of the publications that map to that particular subcategory. For example, NIST Special Publication 800-53 Rev 4 gives you the CM (configuration management) and PM (program management) controls, specifically CM-8 and PM-5. If you were using the ISO 27000 series, you would have control A.8.1.1.
You would also have A.8.1.2. If you are using ISA 62443, the controls would be 4.2.3.4 and SR 7.8. Under COBIT, it's BAI09.02, and under CIS, it would be CSC Control 1. Every one of the subcategories has a cross-match to informative references. That means that if you've implemented an informative reference in your organization, you can look at the controls that then satisfy the subcategory, and through it the category under the functional area.

You'll see here all of the subcategories for ID.AM, which again is the Asset Management category. The -2 subcategory is that software, platforms and applications within the organization are inventoried. The -3 is that organizational communications and data flows are mapped. The -4 is that external information systems are catalogued. The -5 is that resources such as hardware, devices, data, time, personnel and software are prioritized based on their classification, criticality and business value. And the last one under AM is the -6: cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders are established. So again, you see the cross-reference between the control catalogs and the CSF, showing you the different elements of each item.

Listed on the screen are the Business Environment subcategories and informative references. The -1 for Business Environment is that the organization's role in the supply chain is identified and communicated. The -2 is that the organization's place in critical infrastructure and its industry sector is identified and communicated. The -3 is that priorities for organizational mission, objectives and activities are established and communicated. The -4 is that dependencies and critical functions for delivery of critical services are established.
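The cross-match described above (function, category, subcategory, informative references) is easy to turn into a small gap-analysis tool. The following is an added example, not code from the course or from NIST: it models the ID.AM category with the outcome statements the course gives, carries the informative-reference mapping only for ID.AM-1 (the one subcategory whose references are listed in full here; the others are left unmapped rather than invented), and answers the question the course raises: given the controls an organization has implemented from one catalog, which subcategories does that satisfy? The rule that a subcategory counts as satisfied when every listed control of one reference is implemented is this example's own conservative assumption, not a NIST definition.

```python
"""Gap analysis against the NIST CSF core for the Identify function.

Added example, not from the course or from NIST. Only ID.AM-1 carries an
informative-reference mapping, because that is the only one the course lists
in full; the other subcategories keep their outcome text and an empty mapping.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Set, Tuple

# Subcategory identifiers look like ID.AM-1: function, category, ordinal.
_SUB_ID = re.compile(r"^(ID|PR|DE|RS|RC)\.([A-Z]{2})-(\d+)$")


def parse_id(sub_id: str) -> Tuple[str, str, int]:
    """Split 'ID.AM-1' into ('ID', 'AM', 1); reject anything else."""
    m = _SUB_ID.match(sub_id)
    if not m:
        raise ValueError(f"not a CSF subcategory id: {sub_id!r}")
    return m.group(1), m.group(2), int(m.group(3))


@dataclass(frozen=True)
class Subcategory:
    sub_id: str
    outcome: str
    # reference catalog name -> control identifiers that map to this outcome
    references: Dict[str, FrozenSet[str]] = field(default_factory=dict)


# ID.AM-1 mapping exactly as the course lists it; the rest are unmapped here.
ID_AM = [
    Subcategory(
        "ID.AM-1",
        "Physical devices and systems within the organization are inventoried",
        {
            "NIST SP 800-53 Rev 4": frozenset({"CM-8", "PM-5"}),
            "ISO/IEC 27001": frozenset({"A.8.1.1", "A.8.1.2"}),
            "ISA 62443": frozenset({"4.2.3.4", "SR 7.8"}),
            "COBIT 5": frozenset({"BAI09.02"}),
            "CIS CSC": frozenset({"CSC 1"}),
        },
    ),
    Subcategory("ID.AM-2", "Software, platforms and applications within the organization are inventoried"),
    Subcategory("ID.AM-3", "Organizational communications and data flows are mapped"),
    Subcategory("ID.AM-4", "External information systems are catalogued"),
    Subcategory("ID.AM-5", "Resources are prioritized based on classification, criticality and business value"),
    Subcategory("ID.AM-6", "Cybersecurity roles and responsibilities for the workforce and third parties are established"),
]


def satisfying_references(sub: Subcategory, implemented: Dict[str, Set[str]]) -> List[str]:
    """Catalogs under which every mapped control is implemented (this example's rule)."""
    return sorted(
        name for name, controls in sub.references.items()
        if controls <= implemented.get(name, set())
    )


def gap_report(subs: List[Subcategory], implemented: Dict[str, Set[str]]) -> Dict[str, str]:
    """Per subcategory: 'satisfied via <catalogs>', 'gap: missing <controls>' or 'unmapped'."""
    report: Dict[str, str] = {}
    for sub in subs:
        if not sub.references:
            report[sub.sub_id] = "unmapped"
            continue
        hits = satisfying_references(sub, implemented)
        if hits:
            report[sub.sub_id] = "satisfied via " + ", ".join(hits)
        else:
            # Report the shortest list of missing controls across the catalogs.
            missing = min(
                (sorted(ctrls - implemented.get(name, set())) for name, ctrls in sub.references.items()),
                key=len,
            )
            report[sub.sub_id] = "gap: missing " + ", ".join(missing)
    return report


if __name__ == "__main__":
    # Constructed sample: an organization that has implemented CM-8 but not PM-5.
    implemented = {"NIST SP 800-53 Rev 4": {"CM-8", "AC-2"}}
    for sub_id, status in gap_report(ID_AM, implemented).items():
        print(f"{sub_id}: {status}")
```

The `implemented` dictionary is keyed by the same catalog names as the mapping, so a control identifier is only compared with controls from its own catalog; a CM-8 from NIST SP 800-53 never accidentally satisfies a CIS or COBIT entry. Extending the model to the other Identify categories means adding their subcategories and the mappings from the framework's own informative-reference table.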
And the -5: resilience requirements to support delivery of critical services are established for all operating states, such as under duress or attack, during recovery, and normal operations.

These are the Governance subcategories and informative references. The -1 under Governance is that organizational cybersecurity policy is established and communicated. The -2: cybersecurity roles and responsibilities are coordinated and aligned with internal roles and external partners. The -3 under Governance is that legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations, are understood and managed. And finally, the -4: governance and risk management processes address cybersecurity risks.

Next slide. These are the Risk Assessment subcategories and informative references. The -1 is that asset vulnerabilities are identified and documented. The -2 is that cyber threat intelligence is received from information-sharing forums and sources. The -3 is that threats, both internal and external, are identified and documented. The -4 is that potential business impacts and likelihoods are identified. The -5 is that threats, vulnerabilities, likelihoods and impacts are used to determine risk. And finally, the -6 under Risk Assessment is that risk responses are identified and prioritized.

Next slide. Here are the Risk Management Strategy subcategories and informative references. Under Risk Management -1, risk management processes are established, managed and agreed to by organizational stakeholders. -2: organizational risk tolerance is determined and clearly expressed. -3: the organization's determination of risk tolerance is informed by its role in critical infrastructure and sector-specific risk analysis.

Next slide. And the last category under Identify is Supply Chain Risk Management, with its subcategories and informative references.
Supply Chain -1: cyber supply chain risk management processes are identified, established, assessed, managed and agreed to by organizational stakeholders. Supply Chain -2: suppliers and third-party partners of information systems, components and services are identified, prioritized and assessed using a cyber supply chain risk assessment process. Supply Chain -3: contracts with suppliers and third-party partners are used to implement appropriate measures designed to meet the objectives of the organization's cybersecurity program and cyber supply chain risk management plan. The -4 under Supply Chain is that suppliers and third-party partners are routinely assessed using audits, test results or other forms of evaluation to confirm they are meeting their contractual obligations. And the last one under Supply Chain is -5: response and recovery planning and testing are conducted with suppliers and third-party providers.

In summary, in this course we discussed the categories, subcategories and informative references under the Identify functional area.