NIST 800-53 Controls Spreadsheet – When an Information Security Officer defines the strategy for managing the risks associated with the information assets of the organization, which reference should be used to ensure the coordinated management of security controls in an optimal, scalable and integrable manner? The candidate answers would fall under the already recognized ISO/IEC 27001:2013, COBIT, COSO or NIST SP 800-53 guidelines, to name just a few.
However, if you would like to take advantage of the best of each of these frameworks, of industry best practices and methodologies, and of the experience of hundreds of volunteers, in order to establish a consistent and practical line of work for addressing today's cybersecurity risks, the most likely choice is the NIST Cybersecurity Framework (hereafter CSF).
This guide briefly presents a number of key concepts of this framework, together with a first look at the theory behind the initiative and the advantages of implementing it.
History and Background
As a result of the increasing number of computer attacks on critical infrastructure systems, and of the impact such conflicts might have on US national security, on February 12, 2013, President Barack Obama issued Executive Order (EO) 13636, Improving Critical Infrastructure Cybersecurity, which delegated to NIST (National Institute of Standards and Technology) the development of a framework for reducing the risks associated with this type of environment, with the support of government, industry and users.
The result of this work, following the publication of multiple preliminary versions and the receipt of contributions from volunteers, was the "Framework for Improving Critical Infrastructure Cybersecurity", known as the "NIST Cybersecurity Framework", which was published on February 12, 2014.
It should be noted that this initiative is not a pioneer in its field. Long before, NATO (through the Cooperative Cyber Defence Centre of Excellence, CCDCOE) had already developed a series of manuals aimed at protecting critical infrastructure for national defense, such as the "National Cyber Security Framework Manual" published in 2012, and ISO/IEC had published ISO/IEC 27032:2012, "Information technology – Security techniques – Guidelines for cybersecurity". This does not mean that the NIST cybersecurity framework excludes these documents; on the contrary, it complements and improves on them.
What are the objectives of the NIST cybersecurity framework?
The foundations of the CSF were established directly in Executive Order 13636:
Identify security standards and guides applicable across all infrastructure sectors
Establish a common language for managing cybersecurity risks
Provide a prioritized, flexible, repeatable, neutral, performance-based and cost-effective approach based on business needs
Assist critical infrastructure managers and operators in identifying, inventorying and managing IT risks
Establish criteria for the definition of metrics for performance monitoring in implementation
Establish controls to protect intellectual property, privacy of individuals and civil liberties when cybersecurity activities are carried out
Identify areas for improvement that can be managed through future collaborations with companies and organizations oriented to the development of standards
Nothing here is new in itself; these are the lines of action that cover the objectives of the executive order.
According to NIST: "The framework is a voluntary guide, based on existing standards, guidelines and practices for critical infrastructure organizations to better manage and reduce cybersecurity risk. In addition, it was designed to foster risk management and cybersecurity communications among internal and external stakeholders of the organization."
Based on the above, the objectives of the framework when implemented in an organization can be summarized in the following points:
Describe the current cybersecurity stance
Describe the target state of cybersecurity
Identify and prioritize opportunities for improvement in the context of a continuous and repeatable process
Assess progress toward target state
Communicate with internal and external stakeholders about cybersecurity risk
All this is framed in a risk management approach.
Is its implementation mandatory?
Not in principle. It is a voluntary implementation guide based on industry best practices and standards. However, business partners, customers, or even government organizations may require compliance with the framework as part of their contractual considerations.
To what types of organizations does it apply?
Although the framework was developed with the protection of critical infrastructure in the United States in mind, it can be applied equally in any organization regardless of its size, its risk profile or its level of cybersecurity sophistication.
It is important to keep in mind that the framework is not a static document: each organization can determine, based on its needs, the activities it considers priorities, which allows a customized and gradual deployment.
Can it be implemented in organizations outside the United States?
Because the framework's foundation is the integration of criteria from different international standards, guidelines and best practices, its implementation is not limited to the United States. In fact, its deployment beyond the borders of that country adds a new layer of cooperation and global integration in cybersecurity, an issue that is not restricted to any particular geographical area.
On what standards, guidelines and best practices is it based?
The CSF is based on and/or refers to the following standards, guidelines and best practices:
Control Objectives for Information and Related Technology (COBIT)
Council on CyberSecurity (CCS) Top 20 Critical Security Controls (CSC)
ANSI/ISA-62443-2-1 (99.02.01)-2009, Security for Industrial Automation and Control Systems: Establishing an Industrial Automation and Control Systems Security Program
ANSI/ISA-62443-3-3 (99.03.03)-2013, Security for Industrial Automation and Control Systems: System Security Requirements and Security Levels
ISO/IEC 27001:2013, Information technology – Security techniques – Information security management systems – Requirements
NIST SP 800-53 Rev. 4: NIST Special Publication 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations
How is the CSF structured?
The framework is composed of three main parts: the Framework Core, the Framework Implementation Tiers, and the Framework Profiles.
Framework Core
The Core is a set of cybersecurity activities, expected outcomes and applicable references that are common across critical infrastructure sectors, expressed in terms of industry standards, guidelines and practices, and it enables the communication of cybersecurity activities and their outcomes throughout the organization, from the executive level down to the implementation/operations level.
To do this, it employs five fundamental functions:
Identify: Allows the organization to determine its systems, assets, data and capabilities, its business context, the resources that support critical functions and the cybersecurity risks that affect this environment.
Protect: Develop and implement the countermeasures and safeguards necessary to limit or contain the impact of a potential cybersecurity event.
Detect: Enables the development and implementation of appropriate activities to identify the occurrence of a cybersecurity event through continuous monitoring.
Respond: Allows the definition and deployment of activities to react to an identified cybersecurity event and mitigate its impact.
Recover: Enables the deployment of activities for resilience management and the return to normal operation after an incident.
In turn, each of these functions has cat
Framework Implementation Tiers
The implementation tiers allow the organization to place itself within a predefined band based on its current risk management practices, the threat environment, legal and regulatory requirements, business objectives and mission, and organizational constraints.
The implementation tiers are as follows:
Tier 1 – Partial: At this tier, cybersecurity risk management practices are not formalized (ad hoc) and the organization usually acts reactively. Activity prioritization is not aligned with organizational risk objectives, the threat environment, or business requirements. There is minimal external involvement in terms of collaboration and information sharing.
Tier 2 – Risk Informed: At this tier, risk management practices are approved by management but may not be established as an organization-wide policy. Procedures and processes are defined and implemented, with qualified personnel. External participation takes place informally.
Tier 3 – Repeatable: At this tier, formal risk management practices are regularly updated as part of analyzing changes in business requirements, threats or technologies. A framework for formal collaboration with third parties has been established.
Tier 4 – Adaptive: Cybersecurity practices are based on lessons learned and predictive indicators derived from previous and current cybersecurity activities, through a process of continuous improvement and adaptation to change. These tasks are part of the organizational culture. The organization collaborates actively with third parties, sharing information on cybersecurity events.
Figure 2. CSF implementation tiers
Framework Profiles
Profiles are used to describe the current profile and the target profile of a given set of cybersecurity activities. The differential analysis between the two profiles identifies the gaps that must be managed to meet risk management objectives.
This requires the definition of an action plan that prioritizes activities according to the business needs and risk management processes of the organization. This risk-based approach allows the organization to estimate the resources needed (e.g., staff and funding) to achieve its established cybersecurity goals in a cost-effective and prioritized manner.
According to the above descriptions, the overall architecture of the cybersecurity framework would be as follows:
Figure 3. NIST cybersecurity framework architecture (CSF)
How is the CSF implemented?
The implementation of a CSF-based cybersecurity program consists of the following iterative steps:
Step 1 – Prioritization and scope definition: By identifying the business mission and objectives and the high-level organizational priorities, the scope in which controls will apply is decided strategically. This scope can be the whole organization, a particular line of business or a single process, keeping in mind that each of these may have a different level of risk tolerance.
Step 2 – Orientation: Identify the systems, assets, regulatory requirements, threats and vulnerabilities linked to the defined scope.
Step 3 – Create a current profile: Using the functions of the Framework Core and its categories and subcategories, record the outcomes currently achieved by the controls implemented in the scope.
Step 4 – Execute a risk analysis: A risk analysis is performed to determine the likelihood and impact of cybersecurity events in the analyzed scope.
Step 5 – Create a target profile: Establish the cybersecurity outcomes the organization intends to achieve.
Step 6 – Determine, analyze and prioritize gaps: The differential analysis between the current profile and the target profile defines a prioritized action plan in cost/benefit terms, allowing the determination of resources and improvement actions.
Step 7 – Implement the action plan: Proceed with the alignment of controls and the deployment of improvements in a gradual and monitored way.
All these actions must be carried out within a continuous improvement environment, allowing the organization to keep optimizing its security controls and to move up to higher tiers within the framework.
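The differential analysis of steps 3 to 6 becomes mechanical once the current and target profiles exist as data. The script below is an added example, not code from NIST or from this article: it assumes a CSV export (the Reference Tool mentioned later can export CSV, but this column layout is an assumption) with the columns function, category, subcategory, current, target and impact, where current and target are implementation tiers 1 to 4 and impact is a business-impact weight the organization assigns. The subcategory IDs follow the CSF naming scheme; the tier and impact values are constructed sample data. It validates the tiers, lists every subcategory still below its target, ranks the gaps by tier distance weighted by impact, and totals the gap per function.

```python
"""Current-vs-target profile gap analysis (added illustration, not NIST code)."""
import csv
import io

# The four implementation tiers described in the article.
TIERS = {1: "Partial", 2: "Risk Informed", 3: "Repeatable", 4: "Adaptive"}

# Constructed sample export: the column layout is an assumption of this example,
# the subcategory IDs follow the CSF naming scheme, and the current/target tiers
# and impact weights (1-3) are made up for illustration.
SAMPLE_CSV = """function,category,subcategory,current,target,impact
Identify,Asset Management,ID.AM-1,1,3,2
Protect,Access Control,PR.AC-1,2,4,3
Detect,Security Continuous Monitoring,DE.CM-1,1,4,2
Respond,Response Planning,RS.RP-1,2,2,2
Recover,Recovery Planning,RC.RP-1,3,4,1
"""


def _tier(value, field, subcategory):
    """Parse one tier cell and reject anything outside the four CSF tiers."""
    try:
        tier = int(value)
    except ValueError:
        raise ValueError(f"{subcategory}: {field} is not an integer: {value!r}")
    if tier not in TIERS:
        raise ValueError(f"{subcategory}: {field} tier {tier} is outside 1..4")
    return tier


def load_profile(text):
    """Read current and target tiers per subcategory from the CSV export."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        sub = row["subcategory"]
        rows.append({
            "function": row["function"],
            "category": row["category"],
            "subcategory": sub,
            "current": _tier(row["current"], "current", sub),
            "target": _tier(row["target"], "target", sub),
            "impact": int(row["impact"]),
        })
    return rows


def gap_analysis(rows):
    """Differential analysis: subcategories below target, ranked by priority.

    priority = (target tier - current tier) * impact weight; ties are broken by
    the raw tier distance and then by subcategory ID so the order is stable.
    """
    gaps = []
    for r in rows:
        gap = r["target"] - r["current"]
        if gap <= 0:
            continue  # already at (or above) the target profile
        gaps.append({**r, "gap": gap, "priority": gap * r["impact"]})
    gaps.sort(key=lambda g: (-g["priority"], -g["gap"], g["subcategory"]))
    return gaps


def summarize_by_function(rows):
    """Total tier distance per CSF function, in the order functions appear."""
    totals = {}
    for r in rows:
        shortfall = max(0, r["target"] - r["current"])
        totals[r["function"]] = totals.get(r["function"], 0) + shortfall
    return totals


if __name__ == "__main__":
    profile = load_profile(SAMPLE_CSV)
    for g in gap_analysis(profile):
        print(f"{g['subcategory']:8} {TIERS[g['current']]:>14} -> "
              f"{TIERS[g['target']]:<11} gap={g['gap']} priority={g['priority']}")
    print(summarize_by_function(profile))
```

With the sample data, DE.CM-1 ranks first (three tiers short, weight 2) ahead of PR.AC-1 (two tiers short, but weight 3), and RS.RP-1 is dropped because it already sits at its target; the per-function totals feed the Step 6 action plan and the resource estimate that follows from it.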
What software tools exist to support the implementation of the CSF?
To facilitate the use of the CSF content, NIST has developed a Microsoft Excel spreadsheet that contains the functions, categories, subcategories and informative references, organized so that it can be adapted into a working worksheet.
In addition, the "NIST Cybersecurity Framework (CSF) Reference Tool" has been published, an interactive tool that allows navigation through the content of the CSF document and facilitates its export to different formats (CSV, XML, etc.).
On the other hand, the Baldrige program (which supports the design of an integrated approach to organizational performance management) has integrated the CSF criteria into its Baldrige Excellence Framework and on September 15, 2016 published a preliminary version of the document "Baldrige Cybersecurity Excellence Builder". This is a self-assessment questionnaire that allows the organization to identify where it stands on a scale of cybersecurity maturity levels.
Finally, a large number of case studies, implementation guides, tools and educational resources can be found on the NIST industry resources page to support implementation activities.