Framework of frameworks – Leverages many different standards at the same time.
Identify – Understand what's important to the business and what the risks are
Protect – Develop safeguards to ensure CIA (confidentiality, integrity, availability)
Detect – Find bad things
Respond – What you do when bad things happen
Recover – How to restore what the bad guys broke
Core: defines a set of activities that achieve specific cybersecurity outcomes.
Functions define the 5 basic cybersecurity activities: Identify, Protect, Detect, Respond, Recover. They closely align with existing methodologies for incident management.
Categories subdivide Functions into program needs and activities. Examples: Asset Management, Event Detection, Access Control.
Subcategories divide a Category into specific management or technical activities. Examples: Data in transit is protected; Malware is detected.
Informative References are specific standards, guidelines, practices, etc. They map the Subcategories into existing frameworks.
Four Tiers show how cybersecurity risks and processes are viewed within an organization. The required Tier is chosen based on a perceived risk/benefit analysis.
Tier 1 – Partial
Tier 2 – Risk Informed
Tier 3 – Repeatable
Tier 4 – Adaptive
Tier 1: Processes are not formalized; risk is managed ad hoc and reactively. Cybersecurity activities are not related to organizational risk objectives, threats, business requirements, etc.
Tier 2: Risk management practices are approved by management but are not organization-wide policy. Cybersecurity activities are related to the organization's risk objectives and threat environment.
Tier 3: Risk management practices are formal policies. Cybersecurity practices are regularly updated based on changing business requirements and risks.
Tier 4: Organization changes cybersecurity practices based on lessons learned and predictive indicators from previous and current cybersecurity activities. Through a process of continuous improvement incorporating advanced cybersecurity technologies and practices, the organization actively adapts to a changing cybersecurity landscape and responds to evolving and sophisticated threats in a timely manner.
Critical Security Framework
Dick Bussiere | Technical Director | Asia Pacific
Why should YOU care?
How would I measure my effectiveness?
Things to Ponder
205 Days until breach detected (APAC
Can you say with certainty that you are 100%
Do you know with certainty that you have NOT
Heard on the street…
Of organizations believe security should be a top or high priority of the business
Of CEOs view security as a top or high priority to
Of organizations completely agree that the business has the ability to defend itself from
• Brand & Reputation of Business
• Ongoing Business Operations
• Risk to Customers
• Is risk at an acceptable level?
• What level of risk are we exposed to?
• Are we compliant with all the regulations that apply to us?
• Is the cybersecurity platform operating as well as it should be?
• Where should we spend additional money?
The Survey Says…
Security Frameworks guide the way…
• 84% Leverage a security framework
• Broad range of company sizes
Wide Range of Frameworks Utilized
• 44% used more than one framework
• EOY 2016 - CSF (43%), CIS (44%), ISO (44%)
Best practice & requirements drive CSF adoption
• 70% adopted CSF because they consider it best practice
• 29% adopted CSF because a partner required it
Security Framework Adoption is a Journey
• Only 1 in 5 rank their organization as very mature
• More than half of CSF adopters require significant investment to fully conform
Survey conducted by Dimensional Research, March 2016
316 IT and Security Professionals interviewed in US
Why Cyber Security Framework?
Asks the question "what are you doing to improve" rather than "did
Results in a shift from compliance to action and specific outcomes
Has a built-in maturity model and gap analysis
No need to overlay another maturity model on top of CSF
Measures where you are and where you need to go
Can be implemented "piecemeal" as required, making it more appealing to
Profile (Where you are and where you want to go)
• Defines (measures) current state
• Defines (measures) desired state
Implementation Tiers (How you view cybersecurity)
• Tiers (4) that show how cybersecurity risks and processes are viewed within an organization
• Required Tier based on perceived risk/benefit analysis
Core (What it does)
The Cyber Security Framework at 40,000
Risk Profile, Requirements & Resources
Use CSF to "Normalize to Common Language"
CSF Component 2 – Framework Implementation Tiers
How cybersecurity risks and processes are viewed within organization
CSF Component 3 – Framework Profile
Presents an overview of the present and future state
Used to define current state and desired state
Canhelp measure progress...
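The Profile mechanics described on these slides (a current state and a desired state per Subcategory, the gap between them, and progress measured across repeated assessments) can be made concrete in a few dozen lines. The following is an added example written for this page, not code from the presentation or from NIST. It uses NIST-style Subcategory IDs (e.g. PR.DS-2, DE.CM-4) and treats the four Implementation Tiers as the per-Subcategory scoring scale, which is how the deck uses them (NIST itself describes Tiers as an organization-wide characterization rather than a maturity score, so treat the scale as this deck's simplification). All tier values are constructed sample data, not a real assessment.

```python
"""CSF Profile gap analysis: current vs. target tier per Subcategory.

Added example (not from the slides). Subcategory IDs follow the NIST CSF 1.x
naming pattern; the current/target tiers below are constructed sample data.
"""
from dataclasses import dataclass, replace
from typing import Dict, List

TIERS = {1: "Partial", 2: "Risk Informed", 3: "Repeatable", 4: "Adaptive"}
FUNCTIONS = {"ID": "Identify", "PR": "Protect", "DE": "Detect",
             "RS": "Respond", "RC": "Recover"}


@dataclass(frozen=True)
class SubcategoryProfile:
    """Current and target Implementation Tier for one CSF Subcategory."""
    sub_id: str   # NIST-style ID, e.g. "PR.DS-2" (function.category-number)
    outcome: str  # short statement of the outcome the Subcategory describes
    current: int  # tier assessed today (1-4)
    target: int   # tier the business has decided it needs (1-4)

    def __post_init__(self) -> None:
        for name, tier in (("current", self.current), ("target", self.target)):
            if tier not in TIERS:
                raise ValueError(f"{self.sub_id}: {name} tier {tier} must be 1-4")
        if self.sub_id.split(".")[0] not in FUNCTIONS:
            raise ValueError(f"{self.sub_id}: unknown Function prefix")

    @property
    def function(self) -> str:
        return FUNCTIONS[self.sub_id.split(".")[0]]

    @property
    def gap(self) -> int:
        # Only shortfalls count; exceeding the target is not a gap to fund.
        return max(0, self.target - self.current)


# Constructed sample Profile (tiers invented for illustration).
SAMPLE_PROFILE: List[SubcategoryProfile] = [
    SubcategoryProfile("ID.AM-1", "Physical devices and systems are inventoried", 2, 3),
    SubcategoryProfile("ID.RA-1", "Asset vulnerabilities are identified and documented", 1, 3),
    SubcategoryProfile("PR.AC-1", "Identities and credentials are managed", 2, 3),
    SubcategoryProfile("PR.DS-2", "Data in transit is protected", 3, 3),
    SubcategoryProfile("DE.CM-4", "Malicious code is detected", 2, 4),
    SubcategoryProfile("RS.RP-1", "Response plan is executed during or after an incident", 1, 3),
    SubcategoryProfile("RC.RP-1", "Recovery plan is executed during or after an incident", 1, 2),
]


def gaps_by_priority(profile: List[SubcategoryProfile]) -> List[SubcategoryProfile]:
    """Subcategories with a shortfall, largest gap first, ties broken by ID."""
    return sorted((s for s in profile if s.gap > 0), key=lambda s: (-s.gap, s.sub_id))


def function_summary(profile: List[SubcategoryProfile]) -> Dict[str, Dict[str, float]]:
    """Roll the Profile up to the five Functions: mean tiers and total gap."""
    out: Dict[str, Dict[str, float]] = {}
    for s in profile:
        f = out.setdefault(s.function, {"count": 0, "current": 0.0, "target": 0.0, "gap": 0})
        f["count"] += 1
        f["current"] += s.current
        f["target"] += s.target
        f["gap"] += s.gap
    for f in out.values():
        f["current"] = round(f["current"] / f["count"], 2)
        f["target"] = round(f["target"] / f["count"], 2)
    return out


def reassess(profile: List[SubcategoryProfile], new_current: Dict[str, int]) -> List[SubcategoryProfile]:
    """A later assessment of the same Profile: targets unchanged, current tiers updated."""
    return [replace(s, current=new_current.get(s.sub_id, s.current)) for s in profile]


def progress(baseline: List[SubcategoryProfile], later: List[SubcategoryProfile]) -> Dict[str, float]:
    """Fraction of the baseline gap closed between two assessments of one Profile."""
    base = {s.sub_id: s for s in baseline}
    late = {s.sub_id: s for s in later}
    # Progress against a moving target is meaningless, so refuse silently changed targets.
    if base.keys() != late.keys() or any(base[k].target != late[k].target for k in base):
        raise ValueError("progress requires the same Subcategories and unchanged targets")
    baseline_gap = sum(s.gap for s in baseline)
    remaining_gap = sum(s.gap for s in later)
    closed = 1.0 if baseline_gap == 0 else (baseline_gap - remaining_gap) / baseline_gap
    return {"baseline_gap": baseline_gap, "remaining_gap": remaining_gap,
            "closed_fraction": round(closed, 3)}


if __name__ == "__main__":
    for s in gaps_by_priority(SAMPLE_PROFILE):
        print(f"{s.sub_id:8} gap={s.gap}  {TIERS[s.current]} -> {TIERS[s.target]}  ({s.outcome})")
    print(function_summary(SAMPLE_PROFILE))
    later = reassess(SAMPLE_PROFILE, {"ID.RA-1": 2, "DE.CM-4": 3, "RS.RP-1": 3})
    print(progress(SAMPLE_PROFILE, later))
```

The ranking answers "where should we spend additional money?" from the questions slide, the per-Function roll-up gives the board-level view, and `progress` is the measurement across two assessments; refusing a changed target is deliberate, since quietly lowering targets is the easiest way to fake progress.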
How is CSF Different?
Expresses cybersecurity activities in a common language
Leverages existing standards – does not reinvent the wheel – can map existing processes/guidelines into CSF
Provides crucial guidance for reinforcing security controls while maintaining a focus on business objectives
Provides a vehicle to effectively measure cybersecurity effectiveness independent of