Comparing NIST's Cybersecurity Framework with Best Practice. David Ochel, email: [email protected], Twitter: @lostgravity. 2014-03-31. This work is licensed under a Creative Commons Attribution 4.0 International License.

NIST's Cybersecurity Framework -- Comparison with Best Practice

DESCRIPTION

A presentation given to the Central Texas chapter of the ISSA. We introduce the Cybersecurity Framework, compare it to an existing standard defining information security controls and management system requirements (ISO/IEC 27001), and provide some thoughts on what's next and where to find accompanying resources.

1. Comparing NIST's Cybersecurity Framework with Best Practice (title slide)

2. Agenda
   - Introduction to the Cybersecurity Framework (CSF): Motivation; Organization; Major elements and core principles
   - CSF and Best Practice: What is Best Practice? Comparing CSF with ISO/IEC 27001; Particularities of critical infrastructure protection
   - Some Musings: Future of the CSF; Resources; Texas; Information Security Management Maturity

3. Introduction to the Cybersecurity Framework (CSF) (section slide)

4. Motivation
   - Critical Infrastructure: vital infrastructure, private and public operators; lack of availability would have a debilitating impact on the nation's security, economy, public health, safety
   - Executive Order 13636, February 12, 2013: threat information sharing; NIST: Baseline Framework to reduce cyber risk; standards, methodologies, procedures and processes that align policy, business, and technological approaches; Voluntary Critical Infrastructure Cybersecurity Program

5. Organization
   - Framework parts: Core; Profiles; Implementation Tiers

6. Framework Core, a Controls Catalog
   - 5 core functions, split into Categories and Subcategories
   - Technology neutral
   - Cross-references to: COBIT; CCS CSC; ANSI/ISA-62443-2-1 and -3-3; ISO/IEC 27001; NIST SP 800-53

7. Framework Core Example (figure only)

8. Framework Profiles
   - Describe current or desired state of cybersecurity activities
   - Align controls with business requirements, risk tolerance, and resources
   - No templates or format provided

9. Framework Tiers
   - Tiers indicate maturity of: risk management process; integrated risk management program; external participation
   - ...but "do not represent maturity levels"!?
   - Tiers (defined on 1/3 of a page each): 1: Partial; 2: Risk Informed; 3: Repeatable; 4: Adaptive

10. CSF and Best Practice (section slide)

11. Information Security Controls: Attributes of Best Practice?!
   - Benchmark
   - Requirements catalog
   - Comprehensive
   - Accepted; industry standard; but not cutting edge / best in class?
   - Auditable?

12. IT Security: Control Frameworks

   Regulatory (mostly industry-specific?) | Pseudo-Regulatory (contractually enforced) | Voluntary
   HIPAA                                  | PCI DSS (etc.)                             | NIST Cybersecurity Framework
   SOX (arguably)                         | SSAE 16                                    | Texas Cybersecurity Framework*
   NERC CIP                               |                                            | NIST SP 800-53*
                                          |                                            | ISO/IEC 27001
                                          |                                            | ISF Standard of Good Practice

   * Mandatory for certain government agencies.

13. ISO/IEC 27001
   - "Information technology -- Security techniques -- Information security management systems -- Requirements"
   - System requirements: organization context; leadership; planning; operation; performance evaluation; improvement
   - Reference control objectives & controls: best practice catalog of baseline controls

14. CSF and 27001: Commonalities
   - Voluntary
   - Catalog of information security controls, with small differences in emphasis
   - Method to document control selection (profile vs. statement of applicability)
   - No built-in risk assessment methodology
   - Scope definition expected/required

15. CSF and 27001: Differences
   - Cybersecurity Framework: rudimentary maturity tiers; even basic requirements are optional; potential for agility
   - ISO/IEC 27001: clear documentation requirements; mandatory management system requirements; exclusion of controls requires justification; established certification schemes; well-defined terminology

16. Which parts of the CSF are unique to ICS environments?
   - Tiers? Nope. (Generic description of risk management and information sharing maturity.)
   - Core? Nope. (Introduction acknowledges that IT and ICS environments and considerations differ. But the (sub-)categories do not specifically address this.)
   - Profiles? Nope. (Just a way to catalog current and desired selection of controls.)

17. (Repeat of slide 16.)

18. Some Musings (section slide)

19. The Future of the CSF might be bright?
   - Just another controls framework... but with potential!
   - Incentives: so far DHS offers managed services to local/state governments; private industry yet to come?
   - NIST Roadmap for framework development: areas for development, alignment, and collaboration

20. Resources
   - Information Sharing: Information Sharing and Analysis Centers (ISACs); InfraGard partnership; US-CERT's Critical Infrastructure Cyber Community (C3) Voluntary Program
   - Tools and resources: (self) assessment, (ICS-)CERTs, training/education, ...
   - Sector-specific resources!

21. Texas, Since We Are Here
   - Texas Cybersecurity Framework: requirements for security governance and management; mandatory for state agencies; controls based on 800-53 controls
   - DIR Resources: http://www2.dir.state.tx.us/security/Pages/security.aspx

22. Security Management: Compliance Is a Start, But...
   (Diagram: a maturity ladder.)
   - Ladder steps: Negligence? -> Controls-Focused (Due Diligence?) -> Risk-Informed (Good Practice) -> Risk-Governed
   - Callout: "Where compliance with most control frameworks might get you"
   - Callout: "(Technology/IT) Risk is organization-specific; compliance with control frameworks rarely is!"
   - Compare to SSE-CMM (or others)? Its levels: Performed Informally; Planned and Tracked; Well Defined; Quantitatively Controlled; Continuously Improving

23. Resources
   - NIST Cybersecurity Framework: http://www.nist.gov/cyberframework/
   - US-CERT C3 Voluntary Program: http://www.us-cert.gov/ccubedvp
   - Mapping of 27001 to the CSF: http://www.secuilibrium.com/1/post/2014/02/comparing-isoiec-27001-with-nists-cybersecurity-framework.html
   - Contact: David Ochel