SECURITY FRAMEWORKS:

NIST CSF AS AN ENABLER

M a y, 2 0 2 0
AGENDA
• Quick Introduction to Security Frameworks
• Review of the NIST CSF Framework
• Focus on Using CSF for Incident Response

2
 WHAT IS AN IT SECURITY FRAMEWORK?

At the core a security framework is a series of documented

processes used to define process and procedures and set
objectives or outcomes.

• A model to build and measure the information security

program and information security risks.

• Used to define and prioritize the tasks to execute

security functions

Effective Frameworks are adapted to the business’s needs

and objectives.

3
 IT SECURITY FRAMEWORKS SHOULD BE
CUSTOMIZED

• Frameworks may present options that do not fit the

intent of the business

• Spending effort where it is not needed is not productive

to managing a realistic information security program

• Customization should be done based upon the business

or regulatory drivers, cost and level of effort and
expected impact on the risk profile of the business.

• Multiple frameworks can work together as they often

have different goals or focus areas.

This Photo by Unknown Author is licensed under CC BY-SA

4
 Describe the current cybersecurity
Current State posture

Describe the target state for

Target State cybersecurity

A COMMON Identify and prioritize

Identify and prioritize opportunities for
improvement – focusing on continuous,

TAXONOMY
repeatable processes

Assess Assess progress toward the target state

Communicate to internal and external

Communicate stakeholders about cybersecurity risk in
a consistent manner

5
 FRAMEWORKS CONSIDERED
& C O M PA R E D

Framework Focus Area Industry Body Orientation

COBIT 2019 Governance & Information Business

Contractual Requirements
Regulatory Requirements

Flexibility & Adaptability

Internal Business Drivers
Management of Systems Audit Process

Statutory Requirements
Information & and Control

Ease of Management
Industry Recognized

Internal Compliance
Technology Association

Ease of Governance

Business Alignment
Value Proposition
(ISACA)

ISO/IEC Information International Business

Risk Driven
Scalability
27001:2013 Security Organization of Process

Auditable
Management Standards
(ISO/IEC)
Framework
CIS CSC Critical Security Center for Technical
COBIT 2019               Controls to Internet Security Controls
Prevent Data (CIS)
ISO/IEC 27001:2013               Breach

NIST Cybersecurity  --  -- -- --  -- --      NIST Cyber Civilian Critical National Institute Technical

Framework (CSF) Security Infrastructure of Standards and Controls
Framework Technology (NIST)
CIS Top 20 CSC  -- -- -- -- --  --  -- --  -- 

6
 COBIT is a framework for the governance and management of enterprise
information and technology.

WHAT COBIT IS
COBIT is aimed at the whole enterprise.

COBIT makes a clear distinction between governance and management.

COBIT defines the components to build and sustain a governance system.

COBIT defines the design factors that should be considered by the

enterprise to build a best-fit governance system.

COBIT addresses governance issues by grouping relevant governance

components into governance and management objectives that can be
managed to the required capability levels.

Reference: COBIT 2019 Framework: Introduction and Methodology Chapter 1 Introduction

FABRIKAM
7
WHAT COBIT IS COBIT is not a full description of the
whole IT environment of an enterprise.
NOT
COBIT is not a framework to organize
business processes.

COBIT is not an (IT-)technical

framework to manage all technology.

COBIT does not make or prescribe any

IT-related decisions.

Reference: COBIT 2019 Framework: Introduction and Methodology Chapter 1 Introduction

FABRIKAM
8
 COBIT AND OTHER STANDARDS

• One of the guiding principles applied throughout the

development of COBIT 2019 was to maintain the positioning of
COBIT as an umbrella framework.

• This means that COBIT 2019 continues to align with a number

of relevant standards, frameworks and/or regulations.

• COBIT does not contradict any guidance in the related

standards.

• COBIT does not copy the contents of these related

standards.

• COBIT provides equivalent statements or references to

related guidance.

Reference: COBIT 2019 Framework: Introduction and Methodology Chapter 10 COBIT and Other Standards

9
 COBIT OVERVIEW AND PRODUCT ARCHITECTURE

Reference: COBIT 2019 Framework: Introduction and Methodology Chapter 4 Basic Concepts 10
 ISO 27001: 2013 FRAMEWORK

• Risk-based approach – Risk Assessment

required to build and maintain

• Objectives are broken into 14 control areas

• What you do is based on the controls you

adopt – modular approach

• Can be certified against – internationally

recognized

11
CIS CSC 7.1

• Tiered Control Framework

• First 6 controls have most return for

effort in stopping incidents

• Vetted and Selected by Practitioners

• Tactical Focus

• Doesn’t meet most Audit standards for

compliance – no governance or policy
elements

112
NIST
CYBERSECURITY
FRAMEWORK
OVERVIEW

13
 NIST Help Organizations Manage
CYBERSECURITY Cyber Risks
FRAMEWORK –
3 GOALS
• The Framework is guidance not Provide Common language to
mandate
Discuss Cyber Risks
• Developed as a “lightweight”
approach
• No Formal Assessment program
• The Framework is not a one-
size-fits-all approach to
managing cybersecurity risk Create, Guide, Assess or Improve
Cybersecurity Programs

14
 NIST CYBERSECURITY
FRAMEWORK V 1.1

• Three Pieces:
• Core: Cybersecurity
activities, desired outcomes
and applicable references

• Tiers: Risk Context of the

organization – Rated 1 to 4
in increasing Rigor

• Profile: Business defined

outcomes – “as is” and “to
be” states are profiles

15 15
 Identify Protect Detect Respond Recover
FRAMEWORK
CORE Asset
Management
Awareness Control
Anomalies &
Events
Response Planning
Recovery Planning

Awareness &
Training
• Consists of: Business
Environment
Communications

• 5 Concurrent and Continuous Functions Data Security

Security
• 23 categories Governance Continuous Analysis Improvements
Monitoring
Info Protection &
• 108 subcategories Procedures

Risk Assessment Mitigation

Maintenance

Detection Process Communications

Risk Management Protective Improvements
Strategy Technology

16
FRAMEWORK
TIERS

Consistent Proactive
Ad-hoc & Aware but
& &
Reactive Piecemeal
Informed Predictive

17
ORGANIZATION
CYBERSECURITY
PROFILE

18
 KEY STEPS TO ADOPTING NIST CSF

Identify and align Review Consider Ensure Involve

Identify and align the Review controls already in Consider using NIST SP Ensure you consider all Involve key areas of the
program with place to identify your 800-171 as a “first step” to the functions equally business – educate and
organizational business primary controls and building key controls delegate controls to the
objectives establish enhancement or business areas
maturity tasks for later
growth.

19
 FRAMEWORK ROADMAP
14 High-Priority Areas

Cyber Supply Federal Agency

Confidence Cyber-Attack Cybersecurity
Chain Risk Cybersecurity
Mechanisms Lifecycle Workforce
Management Alignment

Governance and International

Identity Measuring Privacy
Enterprise Risk Aspects, Impacts,
Management Cybersecurity Engineering
Management and Alignment

Small Business
Referencing Internet of Things Secure Software
Awareness and
Techniques (IoT) Development
Resources

20
FOCUS ON
RESPONSE

21
PRACTICAL CONCERNS

People are the best You can’t see or stop You have limited Training is easy,
sensors, but they are everything – so plan budget and time, your practicing is hard
hard to tune for failure and adversary has infinite
embrace it when supplies of both
possible

22
RESPOND

Ensuring Response Planning process are executed during and after an incident

Managing Communications during and after an event with stakeholders, law enforcement,
external stakeholders as appropriate

Analysis is conducted to ensure effective response and support recovery activities including
forensic analysis, and determining the impact of incidents

Mitigation activities are performed to prevent expansion of an event and to resolve the incident

The organization implements Improvements by incorporating lessons learned from current and
previous detection / response activities

23
RESPOND DOESN’T WORK WITHOUT DETECT

Does your organization have

Are your existing detection
the sensors, processes and Do you have the right people
means effective? How much
practices to identify a looking at the details?
can they see?
cybersecurity event?

How often are you looking What details are you Can you even define a
for events? provided to get context? “normal” event?
COMMON INCIDENT TYPES
RESPONSE

Response
Communications Analysis Mitigation Improvement
Planning

Ensure you
Know who needs understand the event Limit the scope and Review the event to
Prepare before and
information, when and and can design a impact as you resolve strengthen your
respond appropriately
how recovery that’s the event current capabilities
effective

Deliverable: Deliverable: Root

Deliverable: Incident Deliverable: Incident Deliverable: Incident
Incident/Crisis Cause/After Action
Response Plan Checklist and Playbook Containment Plan
Communication Plan Analysis (5 Why’s)
 IR POLICY &
PLAYBOOK

• Need to outline who is involved

• Legal
• HR
• PR
• Executives
• IT
• Need to establish repeatable
practices
• Playbook & Checklists –
information gathering;
evidence collection;
reporting
28

CHECKLISTS
• Well developed checklists guide the investigation;
collect information and assist in reporting
• Checklists should be practiced before incidents
INCIDENT RESPONSE
TEAMS (IRTS)
• Pre-designated teams help to quickly assemble
people with useful skills.
• Depending on the incident, specialized skills
may be needed.
• IRTs may be centralized, distributed or a hybrid
model.
• IRT structure should be reviewed and approved by
senior management
 A typical IRT includes: Other positions include:
Information security manager Incident response manager

WHO IS ON Steering committee/advisory

board (governance position only)
Incident handler
Investigator
THE TEAM? Permanent/dedicated team
members
IT security specialists
IT specialists/representatives
Virtual/temporary team members
Business managers
Legal, HR, PR
Risk management specialist
Physical security/facilities
manager
RECOVERY &
IMPROVEMENT
• CSF expects continuous
improvements
• Root Cause feeds into to
enhancing your internal
capabilities
• Helps prioritize spend and
return on security
investment after an event
THANK YOU
S h a w n S i n e s , C I S S P, I T I L

s h a w n @ t h e r u b i c o n a d v i s o r y g ro u p . c o m
https://www.therubiconadvisorygroup.com/