Lesson 3.2: Resources to Protect an Organization. An overview of the CIS Top 20 Controls, the NIST 800-53 controls, and the NIST CSF.
The objectives of this lesson are to become familiar with the Center for Internet Security (CIS) Top 20 security controls and how they are applied, to become familiar with the NIST Cybersecurity Framework, and to identify the NIST 800-53 security controls and understand how they're used.
The CIS Top 20 Security Controls are a great resource for organizations large and small to understand how to use best practices to secure their enterprise. There are a lot of resources that will map the CIS Top 20 Controls to the NIST Cybersecurity Framework or to other frameworks that are available, and there are also benchmarks available. If you've never taken a look at the capabilities and products available from CIS, I highly recommend you go to their website (I've got a link under the graphic on this slide) and see what's available for your organization. A lot of what they have is free.

If you are a state, local or tribal organization, they actually provide free services through a grant from the Department of Homeland Security, and I really would recommend checking them out. But if you get nothing else from them, the CIS Top 20 Controls will help you work through the basic, foundational and then organizational security controls.
They also have benchmarks, as I mentioned before, which allow you to go through and harden applications and systems using best practices: what to turn off, what to turn on, how to monitor them, how to make them less susceptible to attacks. So a great resource, and it includes things like Office 365 and AWS installations. So lots of great resources; I really can't speak highly enough about what CIS has to offer.
Along with CIS, NIST is another free resource, this one from the federal government. The NIST Cybersecurity Framework, or CSF, is on version 1.1 as of July of 2020, and it's designed to be customized. It allows you to customize the controls based on your organization, your risk tolerance and what you believe your organization needs to be successful. It also has a risk-based catalog of cybersecurity outcomes. It evolves faster, and it's designed to be agile as well as modular, so you can pick and choose the things that are applicable to you. It can also be updated as threats change. I mentioned earlier that it's a good idea to do your risk assessment annually for any organization, and the CSF really plays nicely into that: as you go through your risk assessment, if things have changed because your company has changed or your threat level has changed for some reason, any number of things, then you can modify your CSF profile accordingly.
When you look at the five core functions of the Cybersecurity Framework, this is how they're laid out: Identify, Protect, Detect, Respond and Recover. The big questions here are, for Identify, what processes and assets need protection (again, you can't protect what you don't know about); for Protect, what safeguards are available to your organization; for Detect, what techniques can you use to identify incidents; for Respond, what can mitigate the impact of incidents; and for Recover, what techniques can restore your capabilities. You'll see the functions and then the categories within them. I won't read all of them, but you can see, for example, for Identify, what is your governance process, and for Detect, how do you detect anomalies and events within the environment. Those are further broken out as you go deeper into the CSF.
There are four tiers in the CSF, and this is designed to be a self-assessment, so it will guide you through the questions to ask and the things to consider. At the bottom, Tier 1, you can say that these capabilities are partially implemented in your organization. Tier 2 is Risk Informed, so you are making decisions based on the intelligence and the risks of your organization. Tier 3 is Repeatable, so you do have these functions in place and they're not just ad hoc or done at a whim, but they're actually in process, in policy and procedure, and you can repeat them. And then the highest level, Tier 4, is Adaptive, which means you're an agile organization: you've got good cyber hygiene, you are mature in your implementation of security controls, and you can adapt on the fly depending on what's going on in the organization and come up with creative, secure engineering solutions for threats within the organization.
Now, NIST 800-53 is a large document. It's normally used as part of the Risk Management Framework, or RMF, within the federal government, and it includes families of security and privacy controls. It's essentially a major catalog of security and privacy controls. The CSF is much more streamlined, as is the CIS Top 20 Controls. But if you're looking for in-depth information on potential security controls, then 800-53 is your place to go.
So for this lesson, we'll talk through a quiz question. Which of these standards is targeted toward the U.S. federal government: NIST 800-53 or the NIST Cybersecurity Framework? The answer here is NIST 800-53. It is a document for federal government agencies to apply those security controls to the Risk Management Framework, or RMF, when they're going through that process. You can certainly use those controls if you're doing any other kind of risk assessment or security controls for a private organization, but you're certainly not required to, and they might be a little bit too cumbersome for small businesses or nonprofits that might be smaller. If you're really looking just for an easier way to measure your maturity level and your capabilities, and also to design a roadmap to increase those, then look at the CSF and the CIS Top 20 Controls.
Next question: how many tiers are there in the NIST Cybersecurity Framework self-assessment? A) four, B) three, C) five, or D) none of the above. The answer here is A, four. There are four tiers, which I talked through above, that you look at when assessing the maturity of the organization and how you've implemented those cybersecurity controls.
So in summary, in this lesson we talked about the CIS Top 20, the NIST CSF and NIST 800-53. The reason I'm introducing these in this IR lifecycle presentation is because I think it's important, as part of the whole planning process for incident response, that you incorporate this into your IR planning process, because you have to know how mature the organization is and the capabilities available to you before you can really adequately provide IR planning capabilities or processes. If you go through this process with the Top 20 Controls or the CSF and you highlight the fact that you actually have no hardware and software asset management program, well, that's going to make it really difficult to implement some of the other things we've talked about, such as mature vulnerability management or high-value assets. So having a framework like the CIS Top 20 or the NIST CSF will be really important to your IR lifecycle, and to just knowing what's in the realm of possibility from an IR perspective.