Information Security Frameworks: NIST CSF

Time: 15 hours 43 minutes
Difficulty: Advanced
CEU/CPE: 16
Video Transcription
>> The next Information Security Framework we're going to look at is from NIST, which is the National Institute of Standards and Technology. Again, NIST is always going to be US focused, and we're going to look at the CSF, which stands for Cybersecurity Framework. We'll talk a little bit about the overview, what the purpose of the Cybersecurity Framework is, and they give us seven steps in order to adhere to the CSF. Then we're going to talk about gap analysis and how CSF leads us towards gap analysis and why it's important.
Let's get in-depth here with the Cybersecurity Framework, and there are five desirable goals. Within an organization, we, first of all, want to be able to identify our assets. Once we identify our assets, we want to protect them, but we know that no proactive means is 100 percent guaranteed, so if there is a breach, we want to be able to detect those breaches. Of course, we want to be able to respond accordingly and limit the damage. Then, of course, we want to recover and get back to a full state of operations.

The Cybersecurity Framework gives us ways to identify our assets, means to protect them, how we detect, how we respond, and how we recover, but you can really tie this into your information security program. Your framework can be the basis of your program, and your program is where you have your policies and procedures, standards and guidelines, and your information security controls. Ultimately, you can look at these as five desirable goals, and then underneath, some ways that we attain these goals. For instance, how do we figure out how to identify our assets? Why do we need that asset management strategy in place? What are the assets, how are they maintained, how are they controlled? We have to understand the business environment, and you'll notice, just like we've talked about all along with risk, you start by identifying your assets. That's always first. Then we have our proactive controls that hopefully will prevent the risk from materializing. Then we need detective controls just in case those proactive controls don't work, and then we move into reactive controls, which would come in with incident response, restoring from backups, and other corrective actions.
Now, there are seven steps that NIST gives us. When we start out, what we want to begin with is prioritizing and figuring out the scope of this framework. Am I doing this for an information security program, for an organization, for a system, to protect the system? Am I doing this for a department? We always start there; usually this means we're going to meet with senior management and determine what the scope of our project is, because implementing a framework is absolutely going to be managed as a project. We're going to meet with senior management and figure out what their priorities are and how large a scope this project is going to cover.

Then we orient ourselves, and when we talk about orientation, what I want to do is put the security environment in the context of the business. The most important thing that we can do in cybersecurity is to make sure our cybersecurity program is in alignment with business objectives. In order to do that, I have to understand business objectives. In the orientation piece, again, Steps 1 and 2 go together; this usually comes from meeting with senior management and figuring out our priorities, our scope, but also how we're going to use cybersecurity to deliver value to the organization, and figuring out what our goals are. If stakeholders need us to increase customer confidence, well, in that case, we may decide to become compliant with CSF in order to satisfy customers. We may implement other means to protect a particular system because of the value of the data that we hold. Steps 1 and 2 were really understanding the why of what we're doing.
Now, the next piece: I'm going to create a current profile. I'm going to go out and do an assessment of my environment. Where are we now? What controls do we have in place? What's our risk profile? When I say risk profile, I'm talking about what our current exposure to risk is, so that's going to require a risk assessment. I'm going to look at where we are and create a current profile. Sometimes we refer to that as current state. Our risk assessment tells us where we're lacking. The next thing we want to do is create a desired state, or a target profile. Step 3, where are we? Step 4, how is that lacking? Step 5, where do we want to be? Then Step 6, how do we close the gap between current and target, or current state and desired state, as they're sometimes referred to? And when we talk about that, that's conducting a gap analysis. How do we close the gap between current and target? Then, we need a plan. How are we going to get there? So, what we can really say is, towards the end of compliance with the NIST Cybersecurity Framework, we should be able to conduct a gap analysis. Where am I? Where do I want to be? And that action plan is going to help us close the gap. Now, I hate to spoil it, but the answer to that is we're going to close the gap through our information security program. That's a spoiler for what's coming up down the line.
Now, in looking at the Cybersecurity Framework, we said this comes to us from NIST. It provides the functions, our ultimate goals, and then seven steps that lead up towards closing the distance between current state and desired state through the process of gap analysis. That's the Cybersecurity Framework.