
NIST Cybersecurity Framework Cross Reference


Consider a logical cross reference or grouping for Cybersecurity Framework subcategories. This could make an assessment easier and more meaningful.

The Cybersecurity Framework identifies categories and subcategories of practices, processes, and activities to be used in a cybersecurity assessment. But categories often house unrelated subcategories, and subcategories frequently depend on other subcategories that sit in different categories, so assessing category by category misses those dependencies.


  1. NIST Cybersecurity Framework Cross Referenced. April 2016. Prepared by Jim Bothe & Jim Meyer. © Copyright 2016 J2 Coordinated Response, LLC. All Rights Reserved.
  2. NIST Cybersecurity Framework Cross Reference
     - Objective:
       - to produce a meaningful cybersecurity assessment, and
       - to do so in a reasonable amount of time.
     - But the NIST subcategories need to be cross referenced:
       - many are related, and
       - many are interdependent.
     - Logical groupings should make the assessment easier.
     (Posted to LinkedIn 4/16/2016. © 2016 J2 Coordinated Response, LLC. All Rights Reserved.)
  3. NIST Cybersecurity Framework: Functions / Categories / Subcategories (presented at ISACA CMC, April 13, 2016)

     Function    Categories    Subcategories
     Identify         5             24
     Protect          6             35
     Detect           3             18
     Respond          5             15
     Recover          3              6
     Total           22             98

  4. Dependencies / Other Relationships
     - Identify relationships between Groups:
       - one Group provides input to another;
       - the second Group is possibly constrained by the first, or is dependent on the first;
       - in either case, weakness in the first limits strength in the second.
     - A subcategory in one Group:
       - may have interdependencies with another subcategory in the same Group;
       - may have interdependencies with a subcategory in another Group;
       - these details are left to the assessor to recognize (at least for now).
  5. Establish Risk Tolerance / Prioritize Assets (diagram; not captured in the transcript). NOTE: Operational drivers inform risk tolerance and the identification of CRITICAL IT assets.
  6. Risk – Assess, Address, Manage (diagram; not captured in the transcript)
  7. Roles and Responsibilities (diagram; not captured in the transcript)
  8. Access Control & Data Protection (diagram; not captured in the transcript)
  9. Configuration Management (diagram; not captured in the transcript)
  10. An Observation
     The groups identified thus far form the foundation of an effective cybersecurity architecture:
     - Establish Risk Tolerance, Prioritize Assets.
     - Risk – Assess, Address, Manage.
     - Roles and Responsibilities – well defined or not.
     - Configuration Management – defines what you are protecting.
     Recognize what is important and protect it: 53 subcategories.
     The remaining groups are Detect, Respond, Recover, Improve: 45 subcategories.
     NOTE: key dependencies are identified in these groups.
  11. Monitor & Detect Events (diagram; not captured in the transcript)
  12. Respond (diagram; not captured in the transcript)
  13. Recover (diagram; not captured in the transcript)
  14. Improve (diagram; not captured in the transcript)
  15. Risk – Assess, Address, Manage (diagram; not captured in the transcript)
  16. Summary
     - Logical groups improve efficiency and meaning.
     - Categories often contain activities performed in different ways, by different individuals.
     - Organizations should create their own sense of logical groups.
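The rule on slide 4, that weakness in a prerequisite group limits the strength of every group that depends on it, is easy to state and easy to lose track of in a spreadsheet. The following is an added example written for this page; it is not code from the deck or its authors. The category sizes are the published NIST CSF v1.0 figures, so the per-Function totals reproduce the slide 3 table. The dependency edges between the deck's groups, the 0 to 4 scoring scale, and the sample scores are the editor's assumptions, since the deck conveys its relationships in diagrams that this transcript does not capture.

```python
"""Dependency-constrained scoring across logical groups of NIST CSF subcategories.

Added example for slide 4's rule: a group can be no stronger than the weakest
group feeding it. Group names are the deck's; edges and scores are assumed.
"""
from collections import Counter

# NIST CSF v1.0 categories and the published number of subcategories in each.
CATEGORY_SIZES = {
    "ID.AM": 6, "ID.BE": 5, "ID.GV": 4, "ID.RA": 6, "ID.RM": 3,
    "PR.AC": 5, "PR.AT": 5, "PR.DS": 7, "PR.IP": 12, "PR.MA": 2, "PR.PT": 4,
    "DE.AE": 5, "DE.CM": 8, "DE.DP": 5,
    "RS.RP": 1, "RS.CO": 5, "RS.AN": 4, "RS.MI": 3, "RS.IM": 2,
    "RC.RP": 1, "RC.IM": 2, "RC.CO": 3,
}
FUNCTIONS = {"ID": "Identify", "PR": "Protect", "DE": "Detect",
             "RS": "Respond", "RC": "Recover"}


def all_subcategories():
    """Enumerate subcategory IDs (ID.AM-1 ... RC.CO-3) from the category sizes."""
    return [f"{cat}-{n}" for cat, size in CATEGORY_SIZES.items()
            for n in range(1, size + 1)]


def counts_per_function(subcats):
    """Count subcategories per Function using the two-letter prefix of each ID."""
    return dict(Counter(FUNCTIONS[s[:2]] for s in subcats))


# HYPOTHETICAL edges: group -> groups it takes input from. The deck draws these
# in diagrams; this list is the editor's assumption, not the authors' model.
DEPENDS_ON = {
    "Establish Risk Tolerance / Prioritize Assets": [],
    "Risk - Assess, Address, Manage": ["Establish Risk Tolerance / Prioritize Assets"],
    "Roles and Responsibilities": ["Establish Risk Tolerance / Prioritize Assets"],
    "Configuration Management": ["Establish Risk Tolerance / Prioritize Assets"],
    "Access Control & Data Protection": ["Configuration Management", "Roles and Responsibilities"],
    "Monitor & Detect Events": ["Configuration Management", "Access Control & Data Protection"],
    "Respond": ["Monitor & Detect Events", "Roles and Responsibilities"],
    "Recover": ["Respond", "Risk - Assess, Address, Manage"],
    "Improve": ["Respond", "Recover"],
}

# Constructed sample assessment, each group scored 0..4 on its own merits
# (the scale is an assumption). Configuration Management is deliberately weak.
SAMPLE_SCORES = {
    "Establish Risk Tolerance / Prioritize Assets": 3,
    "Risk - Assess, Address, Manage": 3,
    "Roles and Responsibilities": 3,
    "Configuration Management": 1,
    "Access Control & Data Protection": 4,
    "Monitor & Detect Events": 3,
    "Respond": 3,
    "Recover": 2,
    "Improve": 3,
}


def effective_scores(own, depends_on):
    """Cap each group's score by the effective score of every prerequisite.

    Weakness in the first group limits strength in the second, transitively.
    Raises ValueError if the edge list contains a cycle.
    """
    memo = {}

    def eff(group, stack):
        if group in memo:
            return memo[group]
        if group in stack:
            raise ValueError(f"dependency cycle through {group!r}")
        cap = own[group]
        for prereq in depends_on.get(group, []):
            cap = min(cap, eff(prereq, stack + (group,)))
        memo[group] = cap
        return cap

    return {g: eff(g, ()) for g in own}


def bottlenecks(own, depends_on):
    """Name, for each group, the group that actually limits its effective score.

    A group is its own bottleneck when its own score is at or below every
    prerequisite's effective score; otherwise follow the weakest prerequisite.
    """
    eff = effective_scores(own, depends_on)
    memo = {}

    def root(group):
        if group in memo:
            return memo[group]
        prereqs = depends_on.get(group, [])
        if not prereqs or own[group] <= min(eff[p] for p in prereqs):
            memo[group] = group
        else:
            memo[group] = root(min(prereqs, key=lambda p: eff[p]))
        return memo[group]

    return {g: root(g) for g in own}
```

With the constructed scores, every group downstream of Configuration Management collapses to an effective score of 1 even though Access Control & Data Protection was assessed at 4, and `bottlenecks` points each of them back at Configuration Management; that is the assessment finding the deck is after, and it is invisible if each category is scored in isolation.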
