Frameworks: NIST CSF


Course
Time: 8 hours 25 minutes
Difficulty: Advanced
CEU/CPE: 9
Video Transcription
The next information security framework we're going to look at is from NIST, which is the National Institute of Standards and Technology. Again, this is always going to be US-focused. We're going to look at the CSF, which stands for Cybersecurity Framework. We'll talk a little bit about the overview, what the purpose of the Cybersecurity Framework is, and they give us seven steps in order to adhere to the CSF. Then we're going to talk about gap analysis, how the CSF leads us towards gap analysis, and why it's important.

Let's get in-depth here with the Cybersecurity Framework, and there are five desirable goals. Within an organization, we first of all want to be able to identify our assets. Once we identify our assets, we want to protect them, but we know that no proactive means is a 100 percent guarantee, so if there is a breach, we want to be able to detect those breaches. Of course we want to be able to respond accordingly and limit the damage, and then of course we want to recover and get back to a full state of operations. The Cybersecurity Framework gives us ways to identify our assets, means to protect, how we detect, how we respond and how we recover. But you can really tie this into your information security program. Your framework can be the basis of your program, in your program where you have your policies and procedures, standards and guidelines, and your information security controls.

Ultimately you can look at these as five desirable goals, and then underneath, some ways that we attain these goals. For instance, how do we figure out how to identify our assets? Well, we need an asset management strategy in place. What are our assets, how are they maintained, how are they controlled? We have to understand the business environment, and you'll notice, just like we've talked about all along with risk, you start by identifying your assets; that's always first. Then we have our proactive controls, that hopefully will prevent the risk from materializing; then we need detective controls, just in case those proactive controls don't work; and then we move into reactive controls, which would come in with incident response, restoring from backups and other corrective actions.

Now there are seven steps that NIST gives us. When we start out, what we want to begin with is prioritizing and figuring out the scope of this framework. Am I doing this for an information security program, for an organization, for a system? To protect the system? Am I doing this for a department? Usually this means we're going to meet with senior management and determine what the scope of our project is, because implementing a framework is absolutely going to be managed as a project. We're going to meet with senior management and figure out what their priorities are and how much this project is going to cover.

Then we orient ourselves. When we talk about orientation, what I want to do is put the security environment in the context of the business. The most important thing that we can do in cybersecurity is to make sure our cybersecurity program is in alignment with business objectives. In order to do that, I have to understand business objectives. In the orientation piece, again like with Step 1 (Steps 1 and 2 go together), this usually comes from meeting with senior management and figuring out our priorities, our scope, but also how we're going to use cybersecurity to deliver value to the organization, to figure out what our goals are. Stakeholders need us to increase customer confidence? Well, in that case, we may decide to become compliant with the CSF in order to satisfy customers. We may implement other means to protect a particular system because of the value of the data that we hold. In Steps 1 and 2, we're really understanding the why of what we're doing.

Now, the next piece: I'm going to create a current profile. I'm going to go out and do an assessment of my environment. Where are we now? What controls do we have in place? What's our risk profile? When I say risk profile, I'm talking about what our current exposure to risk is. That's going to require a risk assessment. I'm going to look at where we are, creating a current profile; sometimes we refer to that as the current state. Our risk assessment tells us where we're lacking. The next thing we want to do is create a desired state, or a target profile. Step 3, where are we? Step 4, how is that lacking? Step 5, where do we want to be? And then Step 6, how do we close the gap between current and target? Or current state and desired state, as the target is sometimes referred to. When we talk about that, that's conducting a gap analysis. How do we close the gap between current and target? Then we need to plan. How are we going to get there?

What we can really say is that, towards the end of compliance with the NIST Cybersecurity Framework, we should be able to conduct a gap analysis. Where am I, where do I want to be, and that action plan is going to help us close the gap. Now, I hate to spoil it, but the answer to that is we're going to close the gap through our information security program. That's a spoiler for what's coming up down the line.

Now, in looking at the Cybersecurity Framework, we said this comes to us from NIST. It provides the functions, our ultimate goals, and then seven steps that lead up towards bringing the distance between current state and desired state to a close, through the process of gap analysis. That's the Cybersecurity Framework.