Using the Cybersecurity Framework
Organizations can use the Framework to identify, assess, and manage cybersecurity risk. It can be used to build a new cybersecurity program or to supplement one that already exists.
Basic Review of Cybersecurity Practices
An organization's current cybersecurity activities can be compared with the outcomes described in the Framework Core. By building a Current Profile, the organization can determine the extent to which it is achieving the outcomes defined by the Core's Categories and Subcategories and where gaps exist in its current posture. The same review may also reveal areas in which the organization is overinvesting relative to its risk.
Establishing or Improving a Cybersecurity Program
The following steps illustrate how an organization can create a new cybersecurity program or improve an existing one.
1. Prioritize and Scope – The organization identifies its business/mission objectives and high-level priorities, which are used to decide the scope of systems and assets that support the business. The process can be repeated for different lines of business within the organization.
2. Orient – The organization identifies the related systems and assets, applicable regulatory requirements, and its overall risk approach, and then identifies the threats to and vulnerabilities of those systems and assets.
3. Create a Current Profile – A Current Profile is developed that records which outcomes of the Framework Core's Categories and Subcategories are currently being achieved.
4. Conduct a Risk Assessment – The organization analyzes its operational environment to determine the likelihood and impact of a cybersecurity event, incorporating existing and emerging threat data.
5. Create a Target Profile – A Target Profile is created that describes the organization's desired cybersecurity outcomes in terms of the Framework's Categories and Subcategories, reflecting its own cybersecurity goals.
6. Determine, Analyze, and Prioritize Gaps – The Current and Target Profiles are compared to identify gaps. Actions to close them are prioritized based on the organization's mission, the risks addressed by the Target Profile, and a cost-benefit analysis. Finally, the resources needed to remediate the acknowledged gaps are identified.
7. Implement Action Plan – An action plan is created and executed to address the identified gaps and reach the Target Profile.
Communicating Cybersecurity Requirements with Stakeholders
The Framework provides a common language (Current and Target Profiles, Categories, and Subcategories) that the interdependent stakeholders responsible for delivering critical services can use to communicate cybersecurity requirements effectively.
Identifying Opportunities for New or Revised Informative References
The Framework Core maps each Subcategory to Informative References (standards and guidelines such as COBIT, ISO/IEC, and NIST publications). It also gives organizations the flexibility to identify new or revised references that better fit a given Subcategory, or a newly developed one.
Methodology to Protect Privacy and Civil Liberties
Executive Order 13636 requires the Framework to address the privacy and civil liberties of individuals as they relate to cybersecurity operational activities. The Framework identifies the following areas in which privacy and civil liberties considerations should be addressed.
- Governance of cybersecurity risk
- Approaches to identifying and authorizing individuals to access organizational assets and systems
- Awareness and training measures
- Anomalous activity detection and system and asset monitoring
- Response activities, including information sharing or other mitigation efforts
National Institute of Standards and Technology (February 2014). Framework for Improving Critical Infrastructure Cybersecurity, pp. 13-17. Retrieved from https://www.nist.gov/sites/default/files/documents/cyberframework/cybersecurity-framework-021214.pdf