NIST Cybersecurity Framework v1.1 – Shortened

Introduction

Everyone I’ve ever talked to who was given the responsibility of managing security for their company was extremely busy, leaving very little time for self-education – I’ve been in the same boat for years.

Which is very unfortunate, because nothing can expedite your journey like learning from the experience of your peers. The NIST Cybersecurity Framework is exactly that – a whole bunch of great minds with tremendous experience under their belt coming up with a baseline upon which you can ground and expand your security program.

To scale up my small part in the global knowledge sharing ecosystem, I’m writing up this article which shortens NIST Cybersecurity Framework content to ~20% of its original size, hopefully making it consumable for a wider group of people. I certainly would have benefited from this type of exercise a decade ago, saving me a ton of time making mistakes I apparently didn’t need to make.

You can also expect a video series with my commentary coming out Q1 2022.

In any case, there is no exclusive content here; for the full text, please refer to https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf, as NIST deserves all the credit for making it work.

Don’t be concerned that the latest release is dated April 16th, 2018. The recommendations outlined in the framework are timeless, and while a new revision is expected, that should not hold you back.

Goal of the framework

  1. Describe the org’s current security posture
  2. Describe target security posture
  3. Identify and prioritize opportunities for continuous improvement through repeatable process
  4. Assess progress towards the target state
  5. Communicate among internal and external stakeholders about security risk

Initially created to provide guidance on securing the critical infrastructure of the United States, it evolved into a framework used by companies of all sizes all over the world.

The general premise was to identify “a prioritized, flexible, repeatable, performance-based, and cost-effective approach, including measures and controls to identify, assess and manage risks”.

I like the emphasis on “applying the principles and best practices to improve security and resilience” and that the framework is meant to be customized for each individual organization taking into consideration their unique risks.

The frequent mention of “maximizing the impact of each dollar spent” and the discouragement from treating it as a compliance standard (which would be confusing given the flexibility of the framework) are also appreciated.

Components of the Framework

  1. Framework Core – set of activities, outcomes and references common across sectors. Detailed guidance for developing Profiles, presented in a way that can be communicated throughout the org chart. Consists of five Functions and underlying key Categories and Subcategories. It’s not a checklist of actions to perform, but a checklist of outcomes.
  2. Framework Profiles – help align and prioritize activities in the context of business requirements, risk tolerances and resources by defining the outcomes an org selected from the Framework Categories and Subcategories. Two Profiles are distinguished: the Current Profile and the Target Profile.
  3. Framework Implementation Tiers – mechanism to view and understand the characteristics of an organization’s approach to managing security risk, which in turn helps prioritizing and achieving security objectives by describing the current state on a scale from informal and reactive to agile, risk- and threat-aware, repeatable and adaptive.
    Tiers do not represent maturity levels, which I realize is confusing. Each Tier is described along three dimensions: Risk Management Process, Integrated Risk Management Program and External Participation.
    1. Tier 1 – Partial
      Risk Management Process: Not formalized, ad-hoc, reactive. Prioritization not informed by risk analysis.
      Integrated Risk Management Program: Limited awareness of risk at the org level. Risk is managed on an irregular, case-by-case basis, sometimes based on irrelevant information from outside sources.
      External Participation: Org doesn’t understand its role in the larger ecosystem, in terms of either dependencies or dependents. No threat intelligence or supply chain security awareness.
    2. Tier 2 – Risk Informed
      Risk Management Process: Approved by management, but not established as org-wide policy. Prioritization informed by org risk analysis.
      Integrated Risk Management Program: Org-level awareness of risk, but lack of an org-wide approach to managing risks. Security information is shared within the org on an informal basis. Consideration of security doesn’t happen on all levels of the organization. Risk assessments occur, but are not repeatable or recurring.
      External Participation: Org understands its role in the larger ecosystem, but not for both dependencies and dependents. Org collects some intel from other entities and generates its own, but doesn’t share it. Org is aware of supply chain risks, but doesn’t act consistently or formally on them.
    3. Tier 3 – Repeatable
      Risk Management Process: Formally approved and established as policy. Practices are regularly updated.
      Integrated Risk Management Program: Org-wide approach to managing risk. Risk-informed policies, processes and procedures are defined, implemented and reviewed. Response is consistent. Org monitors the risk of org assets. Security is considered across all levels of the org.
      External Participation: Org may contribute to the community’s understanding of risk. Regularly collaborates and shares with other entities. Org is aware of supply chain security and formally acts upon the risks, including generation of baselines.
    4. Tier 4 – Adaptive
      Risk Management Process: Org adapts security practices based on lessons learnt and predictive indicators. Advanced technologies and practices are employed to continuously improve response mechanisms against evolving, sophisticated threats.
      Integrated Risk Management Program: The relation of org objectives to security risk is understood and considered when making decisions. Senior executives monitor security risk the same way as financial and other org risks. Org budget is based on understanding the current and predicted risk environment. All business units implement the executive vision and analyze system-level risks against org risk tolerance. Security risk management is part of the org culture and is continuously analyzed, which enables the org to quickly and efficiently account for risk in changing business objectives.
      External Participation: Org uses near real-time data to consistently act upon supply chain risks associated with the products and services it uses or offers. It communicates proactively, building strong supply chain relationships.
  4. The five Framework Functions – meant to help analyze an org’s entire risk management portfolio through five concurrent and continuous functions.
    1. Identify – risks to systems, people, assets, data and capabilities
    2. Protect – safeguards ensuring delivery of services
    3. Detect – identify the occurrence of a security event
    4. Respond – take action regarding a detected security incident
    5. Recover – maintain resilience and restore services that were impacted by the security incident

Functions are not a linear path to the end state, but a cycle meant to create operational culture addressing security risk. 

Risk Management recap

Risk management is a process of identifying, assessing and responding to risk.

Risk is roughly the likelihood of an event occurring x the potential resulting impact.

Based on the risk assessment, an org can determine acceptable (for them) level of risk tolerance.

Dealing with risk:

  1. Mitigating the risk
  2. Transferring the risk
  3. Avoiding the risk
  4. Accepting the risk aka doing nothing with it

Coordination of Framework Implementation

  1. Executive – communicates business priorities, available resources and risk tolerance to process level.
  2. Process level – uses the information from Executives for the risk management process and then collaborates with the implementation level. After obtaining information on progress from the Implementation level, performs an impact assessment and reports back to Executives.
  3. Implementation level – executes the Profile and keeps the Process level updated on the progress.

How to use the framework

Framework can be applied throughout the lifecycle phases of plan, design, build/buy, deploy, operate and decommission.

Overarching cybersecurity requirements should be declared and described as clearly as possible, while being aware that these may evolve during the remainder of the lifecycle.

The list of system security features should be assessed when deploying the system to verify that all features are implemented. Outcomes determined by using the Framework should serve as a basis for ongoing operation of the system, i.e. occasional reassessment, capturing results in a Current Profile, to verify that security requirements are still fulfilled.

Establishing or Improving a Security Program

These steps should be repeated as necessary to continuously improve security. Continuous assessment and improvement can concern selected steps, not all of them at a time.

  1. Step 1 – Prioritize and Scope.
    Organization identifies business objectives and risk tolerance for scoped systems.
  2. Step 2 – Orient
    Once the scope of the security program has been determined for the business line or process, the org identifies related systems and assets, regulatory requirements and the overall risk approach. Relevant entities are consulted to identify threats applicable to these systems.
  3. Step 3 – Create a Current Profile
    Org develops a Current Profile by indicating which Category and Subcategory outcomes from the Framework Core are currently being achieved. If an outcome is partially achieved, that should be noted to aid subsequent steps.
  4. Step 4 – Conduct a Risk Assessment
    Org analyzes the environment to recognize the likelihood and impact of a potential security event. 
  5. Step 5 – Create a Target Profile
    Org develops a Target Profile focusing on the Framework Categories and Subcategories describing desired outcomes. Org can develop their own Categories/Subcategories to account for unique risks. Target profile should reflect criteria within the target Implementation Tier.
  6. Step 6 – Determine, Analyze and Prioritize Gaps
    Org compares the Current vs Target profile to determine gaps to create a prioritized action plan reflecting business drivers, costs, benefits and risks. Org then determines resources necessary to address the gaps. 
  7. Step 7 – Implement Action Plan
    Org determines which actions to take to address the gaps and adjusts current security practices in order to achieve the Target Profile. 
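To make the Step 3 to Step 6 loop concrete, here is an added example of a Current-vs-Target Profile gap analysis in Python. It is my own illustration, not code from NIST or from the Framework document. The outcome names are taken from the Framework Core summary below; the achievement levels, likelihood/impact scores and relative costs are constructed sample values, and the priority formula (risk x remaining shortfall / cost to close) is an assumption of mine, since the Framework deliberately prescribes no scoring scheme.

```python
"""Current Profile vs Target Profile gap analysis (Framework Steps 3 to 6).

Added example, not part of the NIST document or the original post.
All scores and costs below are constructed sample data.
"""
from dataclasses import dataclass

# Achievement levels recorded in the Current Profile. Step 3 says partial
# achievement should be noted, so a middle value is kept rather than yes/no.
NOT_ACHIEVED, PARTIAL, ACHIEVED = 0.0, 0.5, 1.0


@dataclass(frozen=True)
class Gap:
    outcome: str
    current: float    # achievement level today (0.0 .. 1.0)
    shortfall: float  # target level (1.0) minus current level
    risk: int         # likelihood x impact from the Step 4 risk assessment
    cost: int         # relative effort to close the gap (1 = cheap, 5 = expensive)
    score: float      # priority: open exposure per unit of cost, higher first


def gap_analysis(current, target, risk_assessment, cost):
    """Return Target Profile outcomes that are not fully achieved, highest priority first.

    current:          {outcome: achievement level}   (Current Profile, Step 3)
    target:           set of outcomes selected       (Target Profile, Step 5)
    risk_assessment:  {outcome: (likelihood 1..5, impact 1..5)}  (Step 4)
    cost:             {outcome: relative cost 1..5}
    An outcome absent from `current` is treated as not achieved at all.
    """
    gaps = []
    for outcome in target:
        level = current.get(outcome, NOT_ACHIEVED)
        if level >= ACHIEVED:
            continue  # already meets the Target Profile, no gap
        likelihood, impact = risk_assessment[outcome]
        risk = likelihood * impact
        shortfall = ACHIEVED - level
        # Assumed prioritization rule: exposure still open (risk weighted by how
        # much of the outcome is missing) divided by the cost to close it.
        score = risk * shortfall / cost[outcome]
        gaps.append(Gap(outcome, level, shortfall, risk, cost[outcome], score))
    # Highest score first; ties broken by raw risk, then by name for stability.
    return sorted(gaps, key=lambda g: (-g.score, -g.risk, g.outcome))


# Constructed sample profiles. Outcome names follow the Framework Core summary.
CURRENT_PROFILE = {
    "backups are conducted, maintained and tested": PARTIAL,
    "data is protected at rest and in transit": NOT_ACHIEVED,
    "authentication type is determined based on transaction risk": NOT_ACHIEVED,
    "inventory of devices, systems, applications and platforms": PARTIAL,
    "all users are informed and trained": ACHIEVED,
    # "vulnerability scans are performed" is not in the Current Profile at all
}
TARGET_PROFILE = set(CURRENT_PROFILE) | {"vulnerability scans are performed"}

RISK_ASSESSMENT = {  # (likelihood, impact), constructed
    "backups are conducted, maintained and tested": (4, 5),
    "data is protected at rest and in transit": (3, 5),
    "authentication type is determined based on transaction risk": (4, 4),
    "inventory of devices, systems, applications and platforms": (3, 3),
    "all users are informed and trained": (2, 3),
    "vulnerability scans are performed": (5, 3),
}
COST = {  # relative cost to close each gap, constructed
    "backups are conducted, maintained and tested": 2,
    "data is protected at rest and in transit": 4,
    "authentication type is determined based on transaction risk": 3,
    "inventory of devices, systems, applications and platforms": 2,
    "all users are informed and trained": 1,
    "vulnerability scans are performed": 1,
}


def action_plan():
    """Prioritized list of gaps for the sample profiles (Step 6 output)."""
    return gap_analysis(CURRENT_PROFILE, TARGET_PROFILE, RISK_ASSESSMENT, COST)


if __name__ == "__main__":
    for g in action_plan():
        print(f"{g.score:6.2f}  risk={g.risk:2d}  cost={g.cost}  "
              f"current={g.current:.1f}  {g.outcome}")
```

Re-running the script after an action closes a gap, and writing the result back as the new Current Profile, is the reassessment loop the Framework describes; the scoring rule is the part you would replace with whatever reflects your own business drivers.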

Supply Chain Risk Management

Current and Target Profiles can be used to communicate expectations to your vendors. Your suppliers are a part of your org’s ecosystem, so you need to include them in your risk management practices.

Relationships with vendors and buyers should be factored into protective and detective capabilities of an organization, including response and recovery protocols. 

It is likely that you won’t be able to impose all of your criteria on a supplier, because a given offering doesn’t exist on the market or you can’t afford it, so you’ll need to accept the tradeoff. SCRM during procurement will be beneficial regardless, because you can use the Current and Target Profiles to track the residual risk of the purchased solution and as a base for periodic reassessment if need be.

Risk self-assessment

Over time, self-assessment should improve decision making about investment priorities. This requires discipline and multiple iterations to get practical understanding of what metrics and measurements bring value to the risk considerations.

Not all metrics are useful, and some artificially generated data can spoil the reliability and credibility of the desired outcomes. 

Framework Core matrix – Categories

  1. Identify
    1. Asset Management – the data, personnel, devices, systems and facilities are identified and managed consistent with their relative importance to business objectives and org’s risk strategy
      1. Inventory of devices, systems, applications, platforms and external systems
      2. Data flows are mapped
      3. Resources are prioritized based on their classification, criticality and business value
      4. Security roles and responsibilities for the entire workforce and external stakeholders are established
    2. Business Environment – mission, objectives, stakeholders and activities are understood and prioritized. This information is used to inform cybersecurity roles, responsibilities and risk management decisions
      1. Org’s role in the supply chain, critical infrastructure and industry is identified and communicated
      2. Priorities for business goals and activities are established and communicated
      3. Dependencies and critical functions are established
      4. Resilience requirements are established for all operating states such as under attack, during recovery, normal ops
    3. Governance – policies, procedures and processes to manage and monitor org’s regulatory, legal, risk, operational requirements are understood and influence the management of security risk
      1. Org security policy, security roles are established and communicated to internal and external stakeholders
      2. legal and regulatory requirements are understood and managed
      3. governance and risk management processes address security risks
    4. Risk Assessment – org understands the security risk to org operations, including mission, functions, image, reputation, assets and individuals
      1. asset vulnerabilities are identified and documented
      2. threat intelligence is received from forums and sources
      3. threats, their likelihood and potential business impacts are identified, triaged and documented
      4. risk responses are identified and prioritized
    5. Risk Management Strategy – org priorities, constraints, risk tolerances and assumptions are established and used to support operational risk decisions
      1. risk management processes are agreed to by org stakeholders
      2. org risk tolerance is determined and clearly expressed
    6. Supply Chain Risk Management – priorities, constraints, risk tolerance and assumptions are established and used to support risk decisions related to the supply chain. Org has established processes to identify, assess and manage supply chain risks.
      1. supply chain risk management processes are established
      2. suppliers are identified, prioritized and assessed 
      3. contracts with suppliers are used to implement appropriate security measures
      4. suppliers are routinely reevaluated to confirm they’re meeting their contractual obligations
      5. response and recovery planning and testing are conducted with suppliers
  2. Protect
    1. Identity Management, Authentication and Access Control – access to assets and facilities is limited to authorized users, processes and devices. Access is managed with the assessed risk of unauthorized access to authorized activities and transactions
      1. identities and credentials are issued, managed, verified, revoked and audited for devices, users and processes, all incorporating the principle of least privilege and separation of duties
      2. identities are bound to credentials and asserted in interactions
      3. type of authentication (single vs multi factor) is determined based on the risk of a given transaction
      4. physical access to assets and remote access to systems is managed and protected
      5. network integrity is protected
    2. Awareness and Training – Personnel and partners are provided security awareness education, based on policies, procedures and agreements.
      1. all users are informed and trained
      2. privileged users, external stakeholders, executives, security personnel understand their roles and responsibilities
    3. Data Security – Confidentiality, Integrity and Availability of information is protected
      1. data is protected at rest and in transit
      2. assets are formally managed throughout their lifecycle
      3. adequate capacity to ensure availability is maintained
      4. protections against data leaks are implemented
      5. integrity checking mechanisms are used to verify software, firmware, information and hardware integrity
      6. development and testing environments are separate from the production environment
    4. Information Protection Processes and Procedures – security policies, processes and procedures are maintained and used to manage protection of systems and assets
      1. baseline configuration of systems is maintained incorporating security principles such as concept of least functionality
      2. System Development Lifecycle to manage systems is implemented
      3. Configuration change control processes are in place
      4. backups are conducted, maintained and tested
      5. policy and regulations regarding the physical operating environment for org assets are met
      6. data is destroyed according to policy
      7. protection processes are improved and their effectiveness is shared
      8. Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place, managed and tested
      9. security is included in HR practices such as deprovisioning or personnel screening
    5. Maintenance – maintenance and repairs are performed consistent with policies and procedures
      1. maintenance and repair of assets are performed and logged, with approved tools in a manner that prevents unauthorized access
    6. Protective Technology – technical security solutions are managed to ensure the security and resilience of systems and assets
      1. audit logs are determined, documented, implemented and reviewed in accordance with policy
      2. removable media is protected and its use restricted according to policy
      3. the principle of least functionality is incorporated by configuring systems to provide only essential capabilities
      4. communications and control networks are protected
      5. mechanisms such as failsafe, load balancing are implemented to achieve resilience requirements in normal and adverse situations
  3. Detect
    1. Anomalies and Events – anomalous activity is detected and the potential impact of events is understood
      1. Baseline of network operations and expected data flows for users and systems is established and managed
      2. Detected events are analyzed to understand attack targets, methods and impact
      3. Event data are collected and correlated from multiple sources and sensors
      4. Incident alert thresholds are established
    2. Security Continuous Monitoring – systems and assets are monitored to identify security events and verify the effectiveness of protective measures
      1. The network and physical environments are monitored to detect potential cybersecurity events
      2. Personnel activity is monitored to detect potential security events
      3. Malicious code is detected
      4. Unauthorized mobile code is detected
      5. Vendor activity is monitored to detect potential security events
      6. Monitoring for unauthorized personnel, connections, devices and software is performed
      7. Vulnerability scans are performed
    3. Detection Processes – detection processes and procedures are maintained and tested to ensure awareness of anomalous events
      1. Roles and responsibilities for detection are well defined to ensure accountability 
      2. Detection activities comply with applicable requirements
      3. Event detection information is communicated
      4. Detection processes are tested and continuously improved
  4. Respond
    1. Response Planning – procedures and processes are executed and maintained to ensure response to detected security incidents
      1. Response plan is executed during or after an incident
    2. Communications – response activities are coordinated with internal and external stakeholders
      1. Personnel know their roles and order of operations when a response is needed
      2. Incidents are reported consistent with established criteria and information is shared consistent with response plans
      3. Coordination with stakeholders occurs consistent with response plans
      4. Voluntary information sharing occurs with external stakeholders to achieve broader cybersecurity situational awareness
    3. Analysis – analysis is conducted to ensure effective response and support recovery activities
      1. Notifications from detection systems are investigated
      2. impact of the incident is understood
      3. incidents are categorized consistent with response plans
      4. forensics are performed
      5. processes are established to receive, analyze and respond to vulnerabilities disclosed to the organization from internal and external sources 
    4. Mitigation – activities are performed to prevent expansion of an event, mitigate its effects and resolve the incident
      1. Incidents are mitigated and/or contained
      2. Newly identified vulnerabilities are mitigated or documented as accepted risks
    5. Improvements – response activities are improved by incorporating lessons learned from current and previous detection/response activities
      1. Response plans incorporate lessons learned and response strategies are updated
  5. Recover
    1. Recovery Planning – processes and procedures are executed and maintained to ensure restoration of systems or assets affected by cybersecurity incidents
      1. recovery plan is executed during or after a security incident
    2. Improvements – Recovery planning and process are improved by incorporating lessons learned into future activities
      1. recovery plans incorporate lessons learned and recovery strategies are updated
    3. Communications – restoration activities are coordinated with internal and external stakeholders
      1. Public relations are managed
      2. Reputation is repaired after an incident
      3. Recovery activities are communicated to internal and external stakeholders

This post may be a subject to minor edits, including hyperlinks to future content.

2 thoughts on “NIST Cybersecurity Framework v1.1 – Shortened”

  1. Thanks for this piece Dawid.

    I was lucky to discover you on Quora via this excerpt from one of your answers:
    “You may not have the technical predispositions to be a great web pentester, but if you have been gifted with empathy and social skills then you can still achieve a lot!”
    This was written to me!

    I’m currently a Software tester. I have studied the OWASP Testing Guide and done a Basic Security Awareness course.

    My passion for Cyber security grows each day and I see myself as a good fit for a sector in Cyber security which does not require coding/programming (I have attempted to learn coding a lot of times but I fail at it, so I tend to do mostly Manual testing).

    In addition to the above excerpt from your answer, some of the skills I’ve been severally commended for are: ability to spot tiny details that other people would miss, out of the box/divergent thinking, creative ideas, writing, reading extensively about hidden/criminal nonfiction topics, ability to listen to, understand and empathise with other people (more than 3 licensed counsellors have advised me to consider how I can make use of these skills in my current field).

    The only thing stopping me from starting my Cyber Security Journey is the clarity on what aspect of the field I can gainfully apply my strengths and experience in Software Testing, without coding.

    I will really appreciate your suggestion on this.

    Thanks Dawid.
