NISTs Cybersecurity Framework -- Comparison with Best Practice

A presentation given to the Central Texas chapter of the ISSA. We introduce the Cybersecurity Framework, compare it to an existing standard defining information security controls and management system requirements (ISO/IEC 27001), and provide some thoughts on what's next and where to find accompanying resources.

Published in: Technology
  • Great comparison. Here's another breakdown of NIST Cybersecurity Framework vs. NIST Special Publication 800-53: http://www.praetorian.com/blog/nist-cybersecurity-framework-vs-nist-special-publication-800-53


1. Comparing NIST's Cybersecurity Framework with Best Practice
   David Ochel
   email: david@secuilibrium.com
   Twitter: @lostgravity
   2014-03-31
   This work is licensed under a Creative Commons Attribution 4.0 International License.

2. Agenda
   • Introduction to the Cybersecurity Framework (CSF)
     – Motivation
     – Organization
     – Major elements and core principles
   • CSF and Best Practice
     – What is Best Practice?
     – Comparing CSF with ISO/IEC 27001
     – Particularities of critical infrastructure protection
   • Some Musings
     – Future of the CSF
     – Resources
     – Texas
     – Information Security Management Maturity
   Page 2 Cybersecurity Framework / Best Practice

3. INTRODUCTION TO THE CYBERSECURITY FRAMEWORK (CSF)

4. Motivation
   • Critical Infrastructure
     – Vital infrastructure – private and public operators
     – Lack of availability would have “debilitating impact” on the nation’s security, economy, public health, safety…
   • Executive Order 13636; February 12, 2013
     – Threat information sharing
     – NIST: Baseline Framework to reduce cyber risk
       • “Standards, methodologies, procedures and processes that align policy, business, and technological approaches…”
     – Voluntary Critical Infrastructure Cybersecurity Program
     – …

5. Organization
   • Framework parts:
     – Core
     – Profiles
     – Implementation Tiers

6. Framework Core – a Controls Catalog
   • 5 core functions, split into:
     – Categories
     – Subcategories
   • “technology neutral”
   • Cross-references to:
     – COBIT
     – CCS CSC
     – ANSI/ISA-62443-2-1 and -3-3
     – ISO/IEC 27001
     – NIST SP 800-53

7. Framework Core – Example

8. Framework Profiles
   • Describe current or desired state of “cybersecurity activities”
   • Align controls with “business requirements, risk tolerance, and resources”
   • No templates or format provided

9. Framework Tiers
   • Tiers indicate maturity of:
     – Risk management process
     – Integrated Risk Management Program
     – External Participation
   • “do not represent maturity levels”!?
   • Tiers (defined on 1/3 of a page each)
     – 1: Partial
     – 2: Risk Informed
     – 3: Repeatable
     – 4: Adaptive

10. CSF AND BEST PRACTICE

11. Information Security Controls – Attributes of Best Practice?!
   • Benchmark
   • Requirements catalog
   • Comprehensive
   • Accepted
   • Industry standard
   • But not cutting edge / best in class?
   • Auditable
   • …?

12. IT Security: Control Frameworks
   • Regulatory (mostly industry-specific?)
     – HIPAA
     – SOX (arguably)
     – NERC CIP
     – …
   • “Pseudo Regulatory” (contractually enforced)
     – PCI DSS (etc.)
     – SSAE 16
     – …
   • Voluntary
     – NIST Cybersecurity Framework
     – Texas Cybersecurity Framework*
     – NIST SP 800-53*
     – ISO/IEC 27001
     – ISF Standard of Good Practice
     – …
   * Mandatory for certain government agencies.

13. ISO/IEC 27001
   • Information technology – Security techniques – Information security management systems – Requirements
     – System requirements:
       • Organization context
       • Leadership
       • Planning
       • Operation
       • Performance evaluation
       • Improvement
     – Reference control objectives & controls
       • “best practice” catalog of baseline controls

14. CSF and 27001 – Commonalities
   • Voluntary
   • Catalog of information security controls
     – Small differences in emphasis
     – Method to document control selection (“profile” vs. “statement of applicability”)
   • No built-in risk assessment methodology
   • Scope definition expected/required

15. CSF and 27001 – Differences
   • Cybersecurity Framework
     – Rudimentary maturity tiers
     – Even basic requirements are optional
     – Potential for agility
   • ISO/IEC 27001
     – Clear documentation requirements
     – Mandatory management system requirements
     – Exclusion of controls requires justification
     – Established certification schemes
     – Well-defined terminology

16. Which parts of the CSF are unique to ICS environments?
   • Tiers?
     – Nope. (Generic description of risk management and information sharing “maturity”.)
   • Core?
     – Nope. (Introduction acknowledges that IT and ICS environments and considerations differ. But the (sub-)categories do not specifically address this.)
   • Profiles?
     – Nope. (Just a way to catalog current and desired selection of controls.)
18. SOME MUSINGS

19. The Future of the CSF…
   • …might be bright?
     – Just another controls framework
     – But with potential!
   • Incentives
     – So far DHS offers managed services to local/state governments
     – Private industry… yet to come?
   • NIST Roadmap for framework development
     – Areas for development, alignment, and collaboration

20. Resources
   • Information Sharing
     – Information Sharing and Analysis Centers (ISACs)
     – InfraGard partnership
   • US-CERT’s Critical Infrastructure Cyber Community (C3) Voluntary Program
     – Tools and resources
     – (self) assessment, (ICS-)CERTs, training/education, …
   • Sector-specific resources!

21. Texas… Since We Are Here
   • Texas Cybersecurity Framework
     – Requirements for security governance and management
     – Mandatory for state agencies
     – Controls based on 800-53 controls
   • DIR Resources
     – http://www2.dir.state.tx.us/security/Pages/security.aspx

22. Security Management – Compliance Is a Start, But…
   • Stages shown in the slide's diagram:
     – Negligence?
     – Controls-Focused (Due Diligence?)
     – Risk-Informed (Good Practice)
     – Risk-Governed
   • Where compliance with most control frameworks might get you…
   • (Technology / IT) Risk is organization-specific; compliance with control frameworks rarely is!
   • Compare to SSE-CMM (or others)?
     – Continuously Improving
     – Quantitatively Controlled
     – Well Defined
     – Planned and Tracked
     – Performed Informally

23. Resources
   • NIST Cybersecurity Framework
     – http://www.nist.gov/cyberframework/
   • US-CERT C3 Voluntary Program
     – http://www.us-cert.gov/ccubedvp
   • Mapping of 27001 to the CSF
     – http://www.secuilibrium.com/1/post/2014/02/comparing-isoiec-27001-with-nists-cybersecurity-framework.html
   • Contact:
     – David Ochel <david@secuilibrium.com>
