Running Head: CYBERSECURITY FRAMEWORK 1
CYBERSECURITY FRAMEWORK 5
Integrating NIST CSF with IT Governance Frameworks
Nkengazong Tung
University of Maryland University College
29 AUGUST 2019
IT governance is the processes that ensure the effective and efficient use of IT in enabling an organization to achieve its goals. In the eCommerce industry, IT governance develop structure by characterizing hierarchical detailing lines, oversight advisory groups, standards, approaches, and procedures. A well-characterized structure viably sets the working limits for the association (Moeller, 2017). It additionally sets guidelines by making or lining up with the corporate procedure and characterizing the short and long haul objectives for the association. In the eCommerce industry, it is important to note how the regulations are followed, how standards are followed by the process managers, how planning for the capacity of servers should be done, ensure all the IT assets are tracked, etc. This internal function that is self-checking the “health status” of the various process to ensure the smoother function is Governance. Comment by Michael Baker: Recommend subtitles that match rubric
IT management is overseeing IT services or innovation in an organization. It has several elements, all of which focus on aligning IT goals with business objectives in a way that creates the most value of an organization. These components are IT strategy, IT service and IT asset. Some of IT management issues faced by an eCommerce company include ways to secure customers information, providing value to the company, as well as supporting business operations. To address IT management challenges faced in eCommerce, IT policies must be put in place to define various processes within the organization. A policy is a set of guidelines that define how things are done within an organization. With a well-defined policy, activities in the eCommerce industry are well outlined and making it easy to operate.
Risk Management is the process used to identify, evaluate and respond to possible accidental losses in situations where the only possible outcomes are losses or no change in the status. It is an overall administration function that tries to evaluate and address the circumstances and end results of vulnerability and threat to an association (Susmann & Braman, 2016). The aim of threat management is to empower an association to advance towards its objectives and goals in the most immediate, proficient, and viable way. Risk management issues faced by an eCommerce company are loss of data, unauthorized access of data as well as system failure. To address risk management in the eCommerce industry, a comprehensive risk management plan must be developed to address possible risks that might cause harm to the system. A good risk management plan provides procedures as well as guideline on how to respond to threats and also unforeseen incidents. By having a well-laid plan, the ...
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
Running Head CYBERSECURITY FRAMEWORK1CYBERSECURITY FRAMEWORK.docx
1. Running Head: CYBERSECURITY FRAMEWORK 1
CYBERSECURITY FRAMEWORK 5
Integrating NIST CSF with IT Governance Frameworks
Nkengazong Tung
University of Maryland University College
29 AUGUST 2019
IT governance is the processes that ensure the effective and
efficient use of IT in enabling an organization to achieve its
goals. In the eCommerce industry, IT governance develop
structure by characterizing hierarchical detailing lines,
oversight advisory groups, standards, approaches, and
procedures. A well-characterized structure viably sets the
working limits for the association (Moeller, 2017). It
additionally sets guidelines by making or lining up with the
corporate procedure and characterizing the short and long haul
2. objectives for the association. In the eCommerce industry, it is
important to note how the regulations are followed, how
standards are followed by the process managers, how planning
for the capacity of servers should be done, ensure all the IT
assets are tracked, etc. This internal function that is self-
checking the “health status” of the various process to ensure the
smoother function is Governance. Comment by Michael
Baker: Recommend subtitles that match rubric
IT management is overseeing IT services or innovation in an
organization. It has several elements, all of which focus on
aligning IT goals with business objectives in a way that creates
the most value of an organization. These components are IT
strategy, IT service and IT asset. Some of IT management issues
faced by an eCommerce company include ways to secure
customers information, providing value to the company, as well
as supporting business operations. To address IT management
challenges faced in eCommerce, IT policies must be put in place
to define various processes within the organization. A policy is
a set of guidelines that define how things are done within an
organization. With a well-defined policy, activities in the
eCommerce industry are well outlined and making it easy to
operate.
Risk Management is the process used to identify, evaluate and
respond to possible accidental losses in situations where the
only possible outcomes are losses or no change in the status. It
is an overall administration function that tries to evaluate and
address the circumstances and end results of vulnerability and
threat to an association (Susmann & Braman, 2016). The aim of
threat management is to empower an association to advance
towards its objectives and goals in the most immediate,
proficient, and viable way. Risk management issues faced by an
eCommerce company are loss of data, unauthorized access of
data as well as system failure. To address risk management in
the eCommerce industry, a comprehensive risk management
plan must be developed to address possible risks that might
cause harm to the system. A good risk management plan
3. provides procedures as well as guideline on how to respond to
threats and also unforeseen incidents. By having a well-laid
plan, the eCommerce industry can minimize or avoid threats by
responding to them at the right time. Comment by Michael
Baker: Does not match reference
ISO/IEC 27000
ISO/IEC 27000 is an international security body that guides
organizations in different sectors in meeting critical legislative
as well as regulatory requirements related to information
security. The role of this body is to ensure that organizations
secure their data via effective innovation, auditing as well as
employee awareness programmes. Cyber threats are among one
of the biggest threats any organization face, they are dynamic
hence difficult to address. These threats are conducted by
hackers who manipulate computer systems for their good.
ISO/IEC 27000 helps organizations in protecting their assets,
determining and monitoring risks as well as having a defined
plan to ensure that new security threats are attended to. This
standard plays a huge role in eCommerce industry as it defines
various guideline that addresses security issues within that
sector. Any industry dealing with information must register with
this body to ensure information security and also to meet
international standards. Comment by Michael Baker:
Programmers
ISACA
This is an international nonprofit body that focuses on the
development, adoption as well as the implementation of
internationally accepted information framework and processes.
It provides benchmark and tools for sectors that deal with
information systems. It also hosts forums that focus on various
managerial issues relating to control systems and IT
governance. ISACA’s coordinates various security certification
programs where anyone certified under this program can operate
4. all over the world. This body plays a significant role in
upgrading COBIT which helps the organization in different
sectors to manage their information and innovation.
NIST (National Institute of Standards and Technology)
NIST is a government body that develops innovation, metrics as
well as guidelines to enhance innovation and economic
competitiveness. It provides standards and security controls for
an information system, NIST standards are endorsed by the
government and organizations register with this body due to the
fact that it enhances best security practices across different
sectors (Akpose, 2016). One of the advantages of NIST
compliance is the fact that it helps in ensuring that an
organization infrastructure is secure it also provides guidelines
for companies to follow when attaining compliance with
specific regulations such as HIPAA. Ecommerce deals with
sensitive clients’ information such as their names, home address
as well as social security number which can cause harm in
wrong hands. To protect this information, eCommerce
companies should register with NIST which can guide them
towards securing their information and also their systems.
Comment by Michael Baker: You are missing complete
sections to include the summary.
Reference Comment by Michael Baker: References should be in
alphabetical order
Moeller (2017). IT governance: Improving systems processes
with service management, Cobit and ITIL. Hoboken
IT Governance Institute. (2015). Information security
governance: Rolling Meadows, IL: Author. Comment by
Michael Baker: Missing inline reference
Akpose, W. (2016). NIST Cybersecurity Framework: A
5. practitioner’s perspective. 6igma Associates.
Vaseashta, A., Susmann & Braman, E. (2016). Cyber Security
and Resiliency Policy Framework. IOS Press.
CSIA 350: Cybersecurity in Business & IndustryProject #1:
Integrating NIST’s Cybersecurity Framework with Information
Technology Governance FrameworksScenario
You have been assigned to your company’s newly established
Risk Management Advisory Services team. This team will
provide information, analysis, and recommendations to clients
who need assistance with various aspects of IT Risk
Management.
Your first task is to prepare a 3 to 4 page research paper which
provides an analysis of the IT Governance, IT Management, and
Risk Management issues and problems that might be
encountered by an e-Commerce company (e.g. Amazon, e-Bay,
PayPal, etc.). Your paper should also include information about
governance and management frameworks that can be used to
address these issues. The specific frameworks that your team
leader has asked you to address are:
· ISO/IEC 27000 Family of Standards for Information Security
Management Systems
· ISACA’s Control Objectives for Information Technology
(COBIT) version 5
· NIST’s Cybersecurity Framework (also referred to as the
“Framework for Improving Critical Infrastructure Security”)
The Risk Management Advisory team has performed some
initial research and determined that using these three
frameworks together can help e-Commerce companies ensure
that they have processes in place to enable identification and
management of information security related risks particularly
6. those associated with the IT infrastructure supporting online
sales, payment, and order fulfillment operations. (This research
is presented in the Background section below.) Your research
paper will be used to extend the team’s initial research and
provide additional information about the frameworks and how
each one supports a company’s risk management objectives
(reducing the risks arising from cyber threats and cyberattacks
against information, information systems, and information
infrastructures). Your research should also investigate and
report on efforts to date to promote the use both frameworks at
the same time.
Your audience will be members of the Risk Management
Services team. These individuals are familiar with risk
management processes and the e-Commerce industry. Your
readers will NOT have in-depth knowledge of either framework.
For this reason, your team leader has asked you to make sure
that you include a basic overview of these frameworks at the
beginning of your paper for the benefit of those readers who are
not familiar with CSF and COBIT.Background
Security Controls
Security controls are actions which are taken to “control” or
manage risk. Security controls are sometimes called
“countermeasures” or “safeguards.” For this assignment, it is
important to understand that it is not enough to pick or select
controls and then buy or implement technologies which
implement those controls. A structure is required to keep track
of the controls and their status -- implemented (effective, not
effective) and not implemented. The overarching structure used
to manage controls is the Information Security Management
System.
Information Security Management System (ISMS)
An Information Security Management System is the set of
policies, processes, procedures, and activities used to structure
the organizational unit which is responsible for managing the
7. cybersecurity or information security program in a business.
Companies can and do design their own structure for this
program including: scope, responsibilities, and resources. Many
companies, however, choose to use a defined standard to
provide guidance for the structure and functions assigned to this
organization. The ISO/IEC 27000 family of standards is one of
the most frequently adopted and is comprised of best practices
for the implementation of an information security program. The
ISO/IEC 27001 standard specifies the requirements for and
structure of the overall Information Security Management
System and ISMS program. The ISO/IEC 27002 standard
provides a catalog of security controls which can/should be
implemented by the ISMS program. For additional information
about the standards, please see this blog
https://www.itgovernance.co.uk/blog/what-is-the-iso-27000-
series-of-standards.
Note: there are a number of free resources which describe the
contents and purposes of the ISO/IEC 27000 family of
standards. For your work in this course, you do not need access
to the official standards documents (which are not freely
available).
Control Objectives for Information Technology (COBIT)
COBIT is a framework that defines governance and management
principles, processes, and organizational structures for
enterprise Information Technology. COBIT includes a
requirement for implementation of an Information Security
Management System and is compatible with the ISO/IEC 27000
series of standards for ISMS implementation.
COBIT 5 has five process areas which are specified for the
Governance and Management of enterprise IT. These areas are:
· Evaluate, Direct, and Monitor (EDM)
· Align, Plan, and Organize (APO)
· Build, Acquire, and Implement (BAI)
· Deliver, Service, and Support (DSS)
· Monitor, Evaluate, and Assess (MEA)
8. Beginning with version 5, COBIT has incorporated Information
Security as part of the framework. Three COBIT 5 processes
specifically address information security: APO 13 “Manage
Security,” DSS04 “Manage Continuity,” and DSS05 “Manage
Security Services.”[footnoteRef:1] [1: Source:
http://www.isaca.org/COBIT/Documents/COBIT-5-for-
Information-Security-Introduction.pdf ]
NIST Cybersecurity Framework (CSF)
The NIST Framework for Improving Critical Infrastructure
Security, commonly referred to as the Cybersecurity Framework
or CSF, was developed in collaboration with industry,
government, and academia to provide a common language and
common frame of reference for describing the activities
required to manage cyber-related risks and, in so doing, protect
and defend against cyber attacks. Unlike many NIST guidance
documents, the CSF was designed specifically for businesses –
to meet their needs and support attainment of business
objectives. Originally designed for companies operating in the
16 critical infrastructure sectors, the CSF is now being required
of federal government agencies and departments and their
contractors. The Executive Summary of the NIST CSF version
1.1 provides additional background and supporting information
about the purposes, goals, and objectives of the CSF.
The Cybersecurity Framework is presented in three parts:
· Core Functions (Identify, Protect, Detect, Respond, Recover)
· Implementation Tiers (risk management processes and
practices)
· Profiles (specific to a business or industry – goals and desired
outcomes)
Commonalities between ISO/IEC 27000, COBIT, and NIST CSF
There are a number of common elements between the
information security frameworks defined in the ISO/IEC 27000
family of standards, the COBIT standard, and the NIST
9. Cybersecurity Framework. Each of these frameworks addresses
risks that must be addressed by businesses that depend upon
digital forms of information, information systems, and
information infrastructures. Each framework presents structured
lists of IT Governance and IT Management activities (processes
and practices) which must be adopted and implemented in order
to effectively manage risk and protect digital assets from harm
or loss. Each framework also provides a list or catalog security.
Each framework also provides lists of goals or objectives which
must be met in order to assure the effectiveness of controls
implemented to defend against cyber threats and attacks.
The ISO/IEC 27001:2013 and COBIT 5 controls and process
areas have been cross referenced to the NIST Cybersecurity
Framework Functions, Categories, and Subcategories in the
NIST CSF document.[footnoteRef:2] Table 1 below shows
examples of the mapping between COBIT 5 and NIST CSF as
provided in Table 2: Framework Core: Informative References
in the NIST CSF document. [2: Source:
https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.
pdf ]
Table 1. Example Mappings from ISO/IEC 27001 to COBIT 5
Processes to NIST CSF Functions
ISO/IEC 27001:2013[footnoteRef:3] [3: Names for many of the
ISO/IEC 27001 controls can be found here:
https://www.bsigroup.com/Documents/iso-27001/resources/BSI-
ISO27001-mapping-guide-UK-EN.pdf ]
COBIT 5 Process
NIST CSF Function
NIST CSF Category
NIST CSF Subcategory
A.5.1.1
APO 13.01
Identify
10. Governance (ID.GV)
ID.GV-1
A.16.1.6
DSS 04.02
Identify
Risk Assessment (ID.RA)
ID.RA-4
A.6.1.1, A.7.2.1, A.15.
DSS 05.04
Identify
Governance (ID.GV)
ID.GV-2
A.12.6.1, A.18.2.3
DSS 05.01, DSS 05.02
Identify
Risk Assessment (ID.RA)
ID.RA-1
Adoption and Use of IT Security Frameworks
A 2016 survey conducted by Dimensional Research for
Tenable[footnoteRef:4] found that over 80% of the responding
organizations used an IT security or cybersecurity frameworks
to structure their IT security management program. This finding
was similar across all sizes of companies and across industries.
Over 40% of the respondents used multiple frameworks. The
NIST CSF was utilized by over 40% of the respondents –
approximately the same number who adopted the ISO/IEC
27000 standards. One notable finding was that in some cases the
NIST CSF adoption was required by a business partner or a
federal contract. [4: Source:
https://static.tenable.com/marketing/tenable-csf-report.pdf ]
Research
1. Read / Review the weekly readings
2. Consult Aligning COBIT® 4.1, ITIL® V3 and ISO/IEC
27002 for Business Benefit http://www.isaca.org/Knowledge-
Center/Research/Documents/Aligning-COBIT-ITIL-V3-
11. ISO27002-for-Business-Benefit_res_Eng_1108.pdf for
additional information about the activities / controls included in
ISO/IEC 27002 and COBIT. This reference should be used in
conjunction with the “Informative References” listed in NIST’s
Cybersecurity Framework Core definitions.
3. Review the following outlines and explanations of the
ISO/IEC 27001 and 27002 standards
a. ISO/IEC 27001:2013 Plain English Outline (excerpts for
Information Security provisions) http://www.praxiom.com/iso-
27001-outline.htm and http://www.praxiom.com/iso-27001.htm
b. ISO 27002:2013 Translated into Plain English
http://www.praxiom.com/iso-27002.htm
4. Read the following analyses and articles about COBIT 5 and
its information security related functions.
a. COBIT 5 for Information Security (ISACA)
https://www.isaca.org/COBIT/Documents/COBIT-5-for-
Information-Security-Introduction.pdf
b. About COBIT 5 https://cobitonline.isaca.org/about
c. COBIT 5 for Risk – A Powerful Tool for Risk Management
http://www.isaca.org/COBIT/focus/Pages/cobit-5-for-risk-a-
powerful-tool-for-risk-management.aspx
d. 9 Burning Questions about Implementing NIST Cybersecurity
Framework Using COBIT 5 https://www.itpreneurs.com/blog/9-
burning-questions-about-implementing-nist-cybersecurity-
framework-using-cobit-5/
5. Read the following analyses and articles about adoption of
the NIST CSF
a. Trends in Security Framework Adoption
https://static.tenable.com/marketing/tenable-csf-report.pdf
b. How to Implement NIST CSF: A 4-Step Journey to
Cybersecurity Maturity https://www.rsam.com/wp-
content/uploads/2018/06/Rsam_NIST_CSF_Implementation_WP
-sept-2017.pdf
c. 5 Steps to Turn the NIST Cybersecurity Framework into
Reality https://www.securitymagazine.com/articles/88624-steps-
to-turn-the-nist-cybersecurity-framework-into-reality
12. 6. Find three or more additional sources which provide
information about best practices for implementing the NIST
Cybersecurity Framework Core and COBIT 5 (separately and
together).Write:
Use standard terminology including correctly used cybersecurity
terms and definitions to write a two to three page summary of
your research. At a minimum, your summary must include the
following:
1. An introduction or overview of the role that the Information
Security Management System plays as part of an organization’s
IT Governance, IT Management, and Risk Management
activities. The most important part of this overview is a clear
explanation of the purpose and relationships between
governance and management activities as they pertain to
managing and reducing risks arising from the use of information
technology.
2. An analysis section that provides an explanation of how
ISO/IEC 27000, 27001, 27002; COBIT 5; and NIST’s CSF can
be used to improve the effectiveness of an organization’s risk
management efforts for cybersecurity related risks. This
explanation should include:
a. An overview of ISO/IEC 27000, 27001, and 27002 that
includes an explanation of the goals and benefits of this family
of standards (why do businesses adopt the standards, what do
the standards include / address, what are the desired outcomes
or benefits).
b. An overview of COBIT 5 that includes an explanation of the
goals and benefits of this framework (why do businesses adopt
the framework, what does the framework include / address, what
are the desired outcomes or benefits).
c. An overview of the NIST Cybersecurity Framework (CSF)
which explains how businesses can use this framework to
support ALL of their business functions (not just critical
infrastructure operations).
d. Five or more specific examples of support to risk
management for e-Commerce and supporting business
13. operations that can be provided by implementing ISO/IEC
27000/1/2, COBIT 5, and NIST CSF.
3. A recommendations section in which you provide and discuss
five or more ways that e-Commerce companies can use the
standards and frameworks at the same time (as part of the same
risk management effort). You should focus on where the
frameworks overlap or address the same issues / problems. (Use
Table 2: Informative References to find overlapping functions /
activities.) You are not required to identify or discuss potential
pit falls, conflicts, or other types of “problems” which could
arise from concurrent use of multiple guidance documents.
4. A closing section that provides a summary of the issues, your
analysis, and your recommendations.Submit for Grading
Submit your work in MS Word format (.docx or .doc file) using
the Project #1 Assignment in your assignment folder. (Attach
the file.)Additional Information
1. Consult the grading rubric for specific content and formatting
requirements for this assignment.
2. Your 2-3 page white paper should be professional in
appearance with consistent use of fonts, font sizes, margins, etc.
You should use headings and page breaks to organize your
paper.
3. Your paper should use standard terms and definitions for
cybersecurity. See Course Content > Cybersecurity Concepts for
recommended resources.
4. The CSIA program recommends that you follow standard
APA formatting since this will give you a document that meets
the “professional appearance” requirements. APA formatting
guidelines and examples are found under Course Resources >
APA Resources. An APA template file (MS Word format) has
also been provided for your use
CSIA_Basic_Paper_Template(APA_6ed,DEC2018).docx.
5. You must include a cover page with the assignment title, your
name, and the due date. Your reference list must be on a
separate page at the end of your file. These pages do not count
towards the assignment’s page count.
15. IT governance is the processes that ensure the effective and
efficient use of IT in enabling an organization to achieve its
goals. In the eCommerce industry, IT governance develop
structure by characterizing hierarchical detailing lines,
oversight advisory groups, standards, approaches, and
procedures. A well-characterized structure viably sets the
working limits for the association (Moeller, 2017). It
additionally sets guidelines by making or lining up with the
corporate procedure and characterizing the short and long haul
objectives for the association. In the eCommerce industry, it is
important to note how the regulations are followed, how
standards are followed by the process managers, how planning
for the capacity of servers should be done, ensure all the IT
assets are tracked, etc. This internal function that is self-
checking the “health status” of the various process to ensure the
smoother function is Governance.
IT management is overseeing IT services or innovation in an
organization. It has several elements, all of which focus on
aligning IT goals with business objectives in a way that creates
the most value of an organization. These components are IT
strategy, IT service and IT asset. Some of IT management issues
faced by an eCommerce company include ways to secure
customers information, providing value to the company, as well
as supporting business operations. To address IT management
challenges faced in eCommerce, IT policies must be put in place
to define various processes within the organization. A policy is
a set of guidelines that define how things are done within an
organization. With a well-defined policy, activities in the
eCommerce industry are well outlined and making it easy to
operate.
Risk Management is the process used to identify, evaluate and
respond to possible accidental losses in situations where the
only possible outcomes are losses or no change in the status. It
16. is an overall administration function that tries to evaluate and
address the circumstances and end results of vulnerability and
threat to an association (Susmann & Braman, 2016). The aim of
threat management is to empower an association to advance
towards its objectives and goals in the most immediate,
proficient, and viable way. Risk management issues faced by an
eCommerce company are loss of data, unauthorized access of
data as well as system failure. To address risk management in
the eCommerce industry, a comprehensive risk management
plan must be developed to address possible risks that might
cause harm to the system. A good risk management plan
provides procedures as well as guideline on how to respond to
threats and also unforeseen incidents. By having a well-laid
plan, the eCommerce industry can minimize or avoid threats by
responding to them at the right time.
ISO/IEC 27000
ISO/IEC 27000 is an international security body that guides
organizations in different sectors in meeting critical legislative
as well as regulatory requirements related to information
security. The role of this body is to ensure that organizations
secure their data via effective innovation, auditing as well as
employee awareness programmes. Cyber threats are among one
of the biggest threats any organization face, they are dynamic
hence difficult to address. These threats are conducted by
hackers who manipulate computer systems for their good.
ISO/IEC 27000 helps organizations in protecting their assets,
determining and monitoring risks as well as having a defined
plan to ensure that new security threats are attended to. This
standard plays a huge role in eCommerce industry as it defines
various guideline that addresses security issues within that
sector. Any industry dealing with information must register with
this body to ensure information security and also to meet
international standards.
17. ISACA
This is an international nonprofit body that focuses on the
development, adoption as well as the implementation of
internationally accepted information framework and processes.
It provides benchmark and tools for sectors that deal with
information systems. It also hosts forums that focus on various
managerial issues relating to control systems and IT
governance. ISACA’s coordinates various security certification
programs where anyone certified under this program can operate
all over the world. This body plays a significant role in
upgrading COBIT which helps the organization in different
sectors to manage their information and innovation.
NIST (National Institute of Standards and Technology)
NIST is a government body that develops innovation, metrics as
well as guidelines to enhance innovation and economic
competitiveness. It provides standards and security controls for
an information system, NIST standards are endorsed by the
government and organizations register with this body due to the
fact that it enhances best security practices across different
sectors (Akpose, 2016). One of the advantages of NIST
compliance is the fact that it helps in ensuring that an
organization infrastructure is secure it also provides guidelines
for companies to follow when attaining compliance with
specific regulations such as HIPAA. Ecommerce deals with
sensitive clients’ information such as their names, home address
as well as social security number which can cause harm in
wrong hands. To protect this information, eCommerce
companies should register with NIST which can guide them
towards securing their information and also their systems.
Reference
18. Moeller (2017). IT governance: Improving systems processes
with service management, Cobit and ITIL. Hoboken
IT Governance Institute. (2015). Information security
governance: Rolling Meadows, IL: Author.
Akpose, W. (2016). NIST Cybersecurity Framework: A
practitioner’s perspective. 6igma Associates.
Vaseashta, A., Susmann & Braman, E. (2016). Cyber Security
and Resiliency Policy Framework. IOS Press.