Earlier this year the National Institute of Standard and Technology (NIST) released the “Framework for Improving Critical Infrastructure Cybersecurity” —the Cyber Security Framework (CSF). Stakeholders worked with NIST to create CSF in direct response to the President’s Executive Order 13636 that acknowledges that no common set of security best practices that organizations could use to better control risk existed despite cyber threats increasing in frequency and intensity.
The process to develop the CSF was an inclusive one that incorporated feedback from thousands of Government and Private Sector security experts. It also integrated principles from many other existing cybersecurity and risk management standards which include the NIST SP 800 series, COBIT, ISO/IEC, and the Critical Security Controls (CSC).
Although the release of the CSF has been welcomed by all and recognized as an important step in providing for common cybersecurity standards, confusion still remains about exactly what the CSF means for organizations seeking to improve their security posture.
What is the CSF—And, more importantly, What it Isn’t
While the CSF isn’t a prescriptive set of security standards and best practices, it does offer guidance so organizations can make informed business decisions about how to incorporate cybersecurity practices and investments into their overall business plans.
In other words, the CSF does not provide a list of security activities that organizations should implemented. It does not offer a specific list of essential security controls that should be a baseline starting point for every organization. The CSF does, however, present a list or catalog of common security activities mapped back to cybersecurity standards.
It is a method for organizing, sharing, and measuring select sets of cybersecurity activities, and a way to assess the degree to which organizations have internalized and incorporated cybersecurity risk management into their overall operational and governance practices.
What is the Framework Core?
The three components of the CSF are known respectively as Framework Core, Profiles, and Implementation Tiers. The Framework Core is a set of cybersecurity activities, desired outcomes, and applicable cybersecurity references applicable across all critical infrastructure sectors. This is the catalog of security activities that organizations should consider if they want to effectively manage cybersecurity risk.
One of the most significant aspects of the Core is not only what it contains, but how it is organized. At the top level, the Core is separated into five concurrent and continuous Functions: (1) Identify, (2) Protect, (3) Detect, (4) Respond, and (5) Recover. These functions are farther broken down into Categories and Subcategories.
The Core Functions follow an incident response process. This means that at its Core, the CSF acknowledges that although proactive defensive security activities and measures are critical, security programs must be structured with the realization that even the best security can and will be defeated by determined adversaries. And that organizations must have the capability to detect, respond to, and recover from cyber intrusions.
This incident response methodology also includes feedback loops to ensure that lessons learned are used to further improve protection and detection capabilities, and to help inform decision makers about actual cybersecurity risk posture.
A Framework Profile is a set of security activities (categories and subcategories) from the Framework Core. Profiles have several important purposes. As part of an initial baselining activity, each organization should assess its current security capabilities and organize them into a Current Profile. Organizations can then create a Target Profile consisting of desired security capabilities. It will then perform a gap analysis between the Current and Target Profiles, and develop and implementation an action plan for addressing the gap.
Profiles are also a valuable tool for sharing best practices or establishing standards amongst industry partners. As previously mentioned, the security activities from Framework Core are not a minimum standard or the Target Profile for organizations. Business decisions must drive the selection of control activities. Industry partners, regulating bodies, security consultants, not-for-profits, and others may use the common structure and language of the CSF to create minimum recommended standards in the form of a Profile. Establishment, propagation, and coordination of these common Profiles are required on top of the CSF to establish the actions that should be considered minimum cyber due care standards for organizations.
Profiles schema should mirror the Functions, Categories, and Subcategories from the Framework Core but may also include additional security activities that are not currently found in Core but which would help to address specific security requirements.
As an example of using Framework Profiles to share best practices, the Council on Cyber Security (CSC) has used its list of Critical Security Controls (CSC) to developed Profile that help organizations to focus on the most beneficial activities first. The CSC Framework Profile provides organizations with a common set of prioritized, detailed, and actionable measures that should be implemented as a first step by any organization concerned with defending its systems and information against cyber threats.
The CSC Profile can act as a road map and starting point for organizations that are looking to develop their own Profiles based on their specific security requirements. More information about the CSC may be found on the Council on Cyber Security’s website: http://www.counciloncybersecurity.org/critical-controls.
Framework Implementation Tiers
Framework Implementation Tiers is a way to describe how well organizations have incorporated cybersecurity risk management into culture and practices. It looks to measure the rigor and sophistication of the risk management program and how well cybersecurity information flows and influences decisions across the organization, but should not necessarily be thought of as a maturity level for a security program. Individual requirements and risk tolerance should ultimately guide organizations to work towards a preselected target Implementation Tier. Tier measures of risk management integration range from Partial (Tier 1) to Adaptive (Tier 4).
The Importance of Business Driving Security Improvements
Too often cybersecurity is thought of as an Information Technology (IT) problem. But the reality is that security efforts exist only to support business functions, and when not properly aligned, security efforts are likely to be ineffective, inefficient, and could even hinder the progress of the business.
The necessity of aligning cybersecurity efforts with business processes is one of the main objectives of the CSF. It is also the reason that the CSF cannot be overly prescriptive with dictating controls that should be implemented by every organization. Although commonalities exist, especially in related sectors, each organizations structure, goals, risk tolerance, culture, and system design is unique and should be assessed to determine adequate levels of protection.
Using business requirements to drive security efforts helps to understand possible business impact for information security shortcomings and prioritize defensive efforts and resource allocation towards the most important security activities. Additionally, equipping cybersecurity personnel with business context helps them to accurately design controls that follow critical security principles such as the rule of Least Privilege and helps them to baseline the norms and identify anomalies.
First Steps in Cybersecurity
A first step to understanding cybersecurity requirements for an organization is to have a firm and documented understanding of the organization and have clear documentation of how top level missions and goals flow down to business processes which are supported by security efforts. This is why cybersecurity planning and implementation efforts must extend far beyond security and IT personnel to include all stakeholders such as business process owners, executive management, audit and accountability personnel, and more.
Feedback loops must also be created to ensure that all appropriate stakeholders are informed about the performance of the security program as its failure could have a far reaching and catastrophic impact to the organization.
The CSF doesn’t solve all cybersecurity problems or even tell an organization exactly what it needs to do or where to begin. It does, however, establish a common language and structure that organizations can use to assess and rationalize their security programs. It can also be used to propagate best practices and standards across related sectors, industries, and partnerships. When used in combination with critical business analysis, best practice Profiles, security assessments, and feedback from a living and active security program, it can help organizations to significantly reduce cybersecurity risk, better detect and respond to security breaches, and successfully recover from significant cybersecurity-related events.
Alma Cole, Vice President, Cybersecurity
Alma Cole joined Robbins Gioia (RG) following a distinguished career in government service. He held high-ranking cyber security positions in the Department of Homeland Security (DHS), most recently serving as Chief Systems Security Officer for the largest law enforcement agency in the country, U.S. Customs and Border Protection. Alma was also director of the DHS Security Operations Center, where he led the agency’s defense in the face of persistent and targeted cyber attacks. You can contact Alma at 703.548.7006 and learn more about RG’s cybersecurity solutions at http://www.robbinsgioia.com/what-we-do/solutions/intelligence-based-cyber-security.php