Professional Documents
Culture Documents
768760870587security Frameworks NIST CSF As An Enabler and Incident Response Approach
768760870587security Frameworks NIST CSF As An Enabler and Incident Response Approach
2
WHAT IS AN IT SECURITY FRAMEWORK?
3
IT SECURITY FRAMEWORKS SHOULD BE
CUSTOMIZED
4
Describe the current cybersecurity
Current State posture
TAXONOMY
repeatable processes
5
FRAMEWORKS CONSIDERED
& C O M PA R E D
Contractual Requirements
Regulatory Requirements
Statutory Requirements
Information & and Control
Ease of Management
Industry Recognized
Internal Compliance
Technology Association
Ease of Governance
Business Alignment
Value Proposition
(ISACA)
Risk Driven
Scalability
27001:2013 Security Organization of Process
Auditable
Management Standards
(ISO/IEC)
Framework
CIS CSC Critical Security Center for Technical
COBIT 2019 Controls to Internet Security Controls
Prevent Data (CIS)
ISO/IEC 27001:2013 Breach
6
COBIT is a framework for the governance and management of enterprise
information and technology.
WHAT COBIT IS
COBIT is aimed at the whole enterprise.
Reference: COBIT 2019 Framework: Introduction and Methodology Chapter 10 COBIT and Other Standards
9
COBIT OVERVIEW AND PRODUCT ARCHITECTURE
Reference: COBIT 2019 Framework: Introduction and Methodology Chapter 4 Basic Concepts 10
ISO 27001: 2013 FRAMEWORK
11
CIS CSC 7.1
• Tactical Focus
112
NIST
CYBERSECURITY
FRAMEWORK
OVERVIEW
13
NIST Help Organizations Manage
CYBERSECURITY Cyber Risks
FRAMEWORK –
3 GOALS
• The Framework is guidance not Provide Common language to
mandate
Discuss Cyber Risks
• Developed as a “lightweight”
approach
• No Formal Assessment program
• The Framework is not a one-
size-fits-all approach to
managing cybersecurity risk Create, Guide, Assess or Improve
Cybersecurity Programs
14
NIST CYBERSECURITY
FRAMEWORK V 1.1
• Three Pieces:
• Core: Cybersecurity
activities, desired outcomes
and applicable references
15 15
Identify Protect Detect Respond Recover
FRAMEWORK
CORE Asset
Management
Awareness Control
Anomalies &
Events
Response Planning
Recovery Planning
Awareness &
Training
• Consists of: Business
Environment
Communications
16
FRAMEWORK
TIERS
Consistent Proactive
Ad-hoc & Aware but
& &
Reactive Piecemeal
Informed Predictive
17
ORGANIZATION
CYBERSECURITY
PROFILE
18
KEY STEPS TO ADOPTING NIST CSF
19
FRAMEWORK ROADMAP
14 High-Priority Areas
Small Business
Referencing Internet of Things Secure Software
Awareness and
Techniques (IoT) Development
Resources
20
FOCUS ON
RESPONSE
21
PRACTICAL CONCERNS
People are the best You can’t see or stop You have limited Training is easy,
sensors, but they are everything – so plan budget and time, your practicing is hard
hard to tune for failure and adversary has infinite
embrace it when supplies of both
possible
22
RESPOND
Ensuring Response Planning process are executed during and after an incident
Managing Communications during and after an event with stakeholders, law enforcement,
external stakeholders as appropriate
Analysis is conducted to ensure effective response and support recovery activities including
forensic analysis, and determining the impact of incidents
Mitigation activities are performed to prevent expansion of an event and to resolve the incident
The organization implements Improvements by incorporating lessons learned from current and
previous detection / response activities
23
RESPOND DOESN’T WORK WITHOUT DETECT
How often are you looking What details are you Can you even define a
for events? provided to get context? “normal” event?
COMMON INCIDENT TYPES
RESPONSE
Response
Communications Analysis Mitigation Improvement
Planning
Ensure you
Know who needs understand the event Limit the scope and Review the event to
Prepare before and
information, when and and can design a impact as you resolve strengthen your
respond appropriately
how recovery that’s the event current capabilities
effective
CHECKLISTS
• Well developed checklists guide the investigation;
collect information and assist in reporting
• Checklists should be practiced before incidents
INCIDENT RESPONSE
TEAMS (IRTS)
• Pre-designated teams help to quickly assemble
people with useful skills.
• Depending on the incident, specialized skills
may be needed.
• IRTs may be centralized, distributed or a hybrid
model.
• IRT structure should be reviewed and approved by
senior management
A typical IRT includes: Other positions include:
Information security manager Incident response manager
s h a w n @ t h e r u b i c o n a d v i s o r y g ro u p . c o m
https://www.therubiconadvisorygroup.com/