Tiers
When rolling out a new program, we must first understand where the organization is today (the current state) and where it intends to go (the future state). Framework profiles are used to describe both states, but the current state has to be assessed first. We will focus more on performing these types of assessments later in this chapter. Before that, we must understand how to rank our program against the framework.
Auditing firms tend to rank an organization's NIST CSF implementation on a maturity scale borrowed from the Capability Maturity Model Integration (CMMI). This departs from the framework’s original intention, which is to evaluate and reduce risk. There are some similarities between the framework tiers and CMMI, mostly in the form of documentation and official organizational policies, but maturity ranking was not the intent of the framework.
In fact, the framework specifically states that it is not intended to be evaluated as a maturity model. This is not to say that maturity should not be part of the evaluation; it should, and you will see similarities between the framework tiers and the CMMI. However, we will stay as true to the intent of the framework as possible, as its intent is to reduce overall cyber risk.
There are plenty of criteria that go into evaluating your current environment and how it aligns with the framework tiers. The framework scores range from tier 1 (partial) to tier 4 (adaptive). Scoring each area against the tiers helps visualize which controls are missing and highlights where improvements are needed.
There are requirements that must be met to evaluate your program for the next tier. The criteria are mentioned in the following sub-categories.
The application of tiers
Let’s take a look at the four different tiers and how they reduce risk:
- Tier 1 – partial:
- Cybersecurity risk governance: Risk strategy and prioritization of objectives and threats are ad hoc at best.
- Cybersecurity risk management: An organization does not have the necessary processes in place and handles risk on a case-by-case basis. The organization also has a lack of understanding of its role in the supply chain and how third parties can affect it. The organization also does not have a standardized method for sharing cyber risk-related information.
- Tier 2 – risk-informed:
- Cybersecurity risk governance: The management of risk is approved by management; however, it may not be organization-wide. The prioritization of cyber projects is directly informed by organizational policies, standards, or business requirements.
- Cybersecurity risk management: There is a departmental view of cyber risks; however, it is localized and not shared throughout the organization. Threat information is shared internally but not consistently. The organization is also aware of the cybersecurity risks associated with third parties but has an inconsistent workflow for handling them.
- Tier 3 – repeatable:
- Cybersecurity risk governance: Risk management is approved by management but not necessarily for an entire organization. Prioritization of cyber needs is directly informed by external risk intel and business requirements.
- Cybersecurity risk management: There is an organizational understanding of cyber risks; however, there is no organization-wide policy for how to deal with them. Cyber risk information is shared on an irregular basis, and the organization is aware of the third parties it does business with; however, there is no consistent method for interacting with them.
- Tier 4 – adaptive:
- Cybersecurity risk governance: There is an organization-wide method to manage cyber risks. The policies and procedures that address cyber risk are related to one another and implemented consistently. Cyber risk management is ingrained in the organizational culture.
- Cybersecurity risk management: The organization implements its cyber risk program based on the current threat landscape, which allows an adaptive approach to managing cyber risk. Lessons-learned activities are performed consistently to ensure that the program is up to date and that the team adapts to new threats.
As we can see, there are similarities between the framework tiers and the CMMI model. However, there are also plenty of differences – take, for instance, the cybersecurity risk management criteria. These relate to how an organization handles business with its upstream and downstream providers. It is just as critical to know and understand the bigger role the organization plays in its sector’s ecosystem. This helps build resiliency into how the business operates.
The tiers will play a significant role in how you grade yourself when performing an assessment. This assessment is used to understand your current security posture and develop a future state or strategic roadmap. This roadmap is used to plan for future projects that will reduce cyber risk for an organization. Profiles are a way to understand the current state of risk and how you want to reduce it.
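As an added illustration (not code from the book), the following script scores a current-state and a future-state profile on the four tiers and ranks the gaps so a roadmap can start where the most ground is missing. It assumes that each area is scored separately on the two sub-categories above (governance and risk management), that an area only reaches a tier when both sub-categories reach it (so the overall tier is the lower of the two), and it uses the five NIST CSF functions as the areas being scored; the profile values are constructed sample data.

```python
# Added example, not from the book: tier gap analysis between two profiles.
TIER_NAMES = {1: "partial", 2: "risk-informed", 3: "repeatable", 4: "adaptive"}
CRITERIA = ("governance", "risk_management")   # the two sub-categories per tier


def overall_tier(scores: dict) -> int:
    """Assumption: a tier is only reached when both criteria reach it, so the
    overall tier for an area is the lower of the two. Out-of-range scores are
    rejected rather than silently clamped."""
    for name in CRITERIA:
        tier = scores[name]
        if tier not in TIER_NAMES:
            raise ValueError(f"{name}: tier {tier!r} is not between 1 and 4")
    return min(scores[name] for name in CRITERIA)


def gap_analysis(current: dict, target: dict) -> list:
    """Return (area, current_tier, target_tier, gap) per area, largest gap
    first (ties broken by name), so the roadmap is ordered by need."""
    rows = []
    for area in current:
        cur = overall_tier(current[area])
        tgt = overall_tier(target[area])
        rows.append((area, cur, tgt, max(tgt - cur, 0)))
    rows.sort(key=lambda r: (-r[3], r[0]))
    return rows


# Constructed sample profiles (not real assessment data) keyed by CSF function.
CURRENT_PROFILE = {
    "Identify": {"governance": 2, "risk_management": 1},
    "Protect":  {"governance": 3, "risk_management": 3},
    "Detect":   {"governance": 2, "risk_management": 2},
    "Respond":  {"governance": 3, "risk_management": 2},
    "Recover":  {"governance": 1, "risk_management": 1},
}
TARGET_PROFILE = {
    "Identify": {"governance": 3, "risk_management": 3},
    "Protect":  {"governance": 3, "risk_management": 3},
    "Detect":   {"governance": 3, "risk_management": 3},
    "Respond":  {"governance": 4, "risk_management": 4},
    "Recover":  {"governance": 3, "risk_management": 3},
}

if __name__ == "__main__":
    for area, cur, tgt, gap in gap_analysis(CURRENT_PROFILE, TARGET_PROFILE):
        print(f"{area:9} tier {cur} ({TIER_NAMES[cur]}) -> tier {tgt} "
              f"({TIER_NAMES[tgt]}), gap {gap}")
```

Note that Respond scores tier 2 overall even though its governance criterion is at tier 3, because the risk management criterion holds it back.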
Next, we look at how to build profiles and learn how they reduce risk.
Continuous improvement
Continuous improvement is necessary for any cybersecurity program. As you can see from the tiers overview, to advance in the tiering structure, you must also improve your organizational processes. To do this, we will review the Deming cycle.
In the 1950s, a quality control engineer by the name of William Deming created the concept of Plan, Do, Check, and Act (PDCA). Although PDCA was originally used to improve business processes, we can also use this philosophy to improve our cybersecurity program. In Figure 2.1, you can see the Deming cycle as a continuous loop. This cycle allows you to plan for upcoming projects, go through the implementation phase, and then gather information about what did and did not work. Once that information has been collected, we go through the planning phase again:
Figure 2.1 – The Deming cycle
This is what the stages in the Deming cycle consist of:
- Plan: This is the planning phase of a new project. We gather the correct stakeholders together to design a solution intended to reduce cyber risk. We evaluate and discover discrepancies between the current and future states (more to come) and plan how we want to reduce cyber risk. During this phase, you may also want to begin purchasing software and hardware, or schedule a trusted third party to assist in their implementation.
You should also document your test plans so that you and your team know what is in and out of scope for a project. This could also be used as a project charter to implement or modify a system resource.
- Do: In this phase, you do the work. This is where you begin the implementation of new systems and processes or modify existing ones. We review the test plan to ensure that the controls that were laid out are installed and configured accordingly.
- Check: We now must check whether the improvements or mitigations that were put in place work as intended. The team begins testing the new controls to ensure that the desired state is what was intended. We test Key Performance Indicators (KPIs) to ensure that the metrics produced are well within the operational and service level agreements.
While the check phase is performed during a given cycle, there should be ongoing checks of security controls to ensure that they meet specific metrics. You should continuously check the controls to ensure that they work properly and that they finish well within expected completion times.
- Act: During the act phase, you collect all of the metrics and determine the next step. If the mitigations that were put in place work as intended, great! Move on to the next issue and run through the cycle again. If not, then we need to understand what was implemented and how it was implemented, and reevaluate our cyber risk posture.
This could mean that a mitigation reduced the risk by, say, 75%, but you were aiming to reduce it by 85%, giving you a delta of 10%. You now review what was implemented and what didn’t work as intended, devise a new mitigation plan, and the cycle starts all over again.
PDCA is used to improve many aspects of your program – from evaluating new IT systems and cybersecurity controls to developing policies, standards, and procedures. This method can be used anywhere within your program.