
Understand the Cybersecurity Framework


By: Eric

August 10, 2016



Framework Overview

The Cybersecurity Framework (CSF) is a risk-based approach to managing information security risk. The framework is composed of three components: the Framework Core, the Framework Implementation Tiers, and the Framework Profile.

Framework Core

The Framework Core is a set of cybersecurity activities, desired outcomes, and applicable references that are common across organizations and sectors. The Core consists of the following elements:

Functions

Functions organize basic cybersecurity activities at their highest level. They help an organization manage cybersecurity risk by organizing information, enabling risk management decisions, addressing threats, and improving by learning from previous activities.

·       Identify – Developing an organizational understanding of the systems, assets, data, and capabilities that are critical to the business, and of the related information security risks, so that prioritization matches business needs and the risk management strategy.  Categories include:

o   Asset Management

o   Governance

o   Risk Assessment

·       Protect – Developing and implementing the safeguards that limit or contain the impact of a potential cybersecurity event.  Categories include:

o   Access Control

o   Awareness and Training

o   Maintenance

·       Detect – Developing and implementing the activities needed to identify the occurrence of a cybersecurity event in a timely manner.  Categories include:

o   Security Continuous Monitoring

o   Anomalies and Events

·       Respond – Taking action on a detected cybersecurity event in order to contain its impact.  Categories include:

o   Response Planning

o   Communications

o   Analysis

·       Recover – Maintaining plans for resilience and restoring any capabilities or services impaired by a cybersecurity incident, so that normal operations resume quickly.  Categories include:

o   Recovery Planning

o   Communications

Categories

Categories are subdivisions of a Function into groups of cybersecurity outcomes that are closely tied to programmatic needs and particular activities.

Subcategories

Subcategories further divide Categories into specific technical or management outcomes.

Informative References

Informative References are the specific standards, guidelines, and practices that illustrate a method for achieving the outcomes of each Subcategory.

Framework Implementation Tiers

The Framework Implementation Tiers describe how an organization views cybersecurity risk and the processes it has in place to manage that risk. The Tiers range from Tier 1 to Tier 4, with each Tier representing an increasing degree of rigor and sophistication. An organization's threat environment, legal and regulatory requirements, business objectives, current risk management practices, and organizational constraints are all considered when selecting a Tier. The selected Tier should align with the business, meet the organization's risk tolerance, and be achievable with a reasonable amount of effort. Successful implementation of the Framework is judged by whether the organization achieves the outcomes described in its Target Profile, not by the Tier it selects.

Tier 1: Partial

At this Tier, risk management practices are ad hoc and often reactive. The organization has limited cybersecurity awareness and no organization-wide approach to managing cybersecurity risk. It may not have processes in place to share cybersecurity information with external entities.

Tier 2: Risk Informed

Management has approved risk management practices, but an organization-wide policy may not have been established. Cybersecurity awareness exists, but it has not been disseminated across the organization. The organization understands its role within the larger ecosystem, but it has not formalized its capability to interact and share information externally.

Tier 3: Repeatable

A risk management program has been formally accepted and expressed as policy, and the supporting policies are updated regularly as the threat landscape, technology, and business requirements change. Because the organization understands its dependencies on, and its contribution to, external partners, it makes better risk-based decisions.

Tier 4: Adaptive

The organization adapts its risk management process based on lessons learned and on predictive indicators derived from previous and current cybersecurity activities. Information security events are addressed through risk-based policies, procedures, and processes that are part of the organizational culture. Accurate, current threat information is actively shared with external partners to improve the organization's posture before a cybersecurity event occurs.

Framework Profile

The Framework Profile aligns business requirements, risk appetite, and available resources with the Functions, Categories, and Subcategories of the Core. A Profile lets the organization develop a roadmap for reducing information security risk that is aligned with organizational goals. The Current Profile describes the cybersecurity outcomes currently being achieved. The Target Profile describes the outcomes needed to reach the desired cybersecurity posture. Comparing the two reveals gaps; business needs and measured risk then drive the prioritization of remediating those gaps.

Framework Implementation

There are roughly three levels of information flow and decision making within an organization:
  • Executive
  • Business/Process
  • Implementation/Operation
At the executive level, risk tolerance, the business mission, and available resources are communicated to the business/process level. The business/process level creates the Profile using that executive guidance and in collaboration with the implementation/operations level. Progress on implementing the Profile is reported back to the business/process level, which performs an impact assessment. The results of the impact assessment are reported to the executive level to update the organization's overall risk management picture.
