Implementing the NIST Cybersecurity Framework

About ISACA®

With more than 115,000 constituents in 180 countries, ISACA (www […] org) helps business and IT leaders build trust in, […] information and information systems. Established in 1969, ISACA is the trusted source of knowledge, […] and career development for information systems audit, […] privacy and governance professionals. ISACA offers the Cybersecurity Nexus™, a comprehensive set of resources for cybersecurity professionals, […] a business framework that helps enterprises govern and manage their information and technology. ISACA also advances and validates business-critical skills and knowledge through the globally respected Certified Information Systems Auditor® (CISA®), Certified Information Security Manager® (CISM®), Certified in the Governance of Enterprise IT® (CGEIT®) and Certified in Risk and Information Systems Control™ (CRISC™) credentials. The association has more than 200 chapters worldwide.

Disclaimer

ISACA has designed and created Implementing the NIST Cybersecurity Framework (“the Work”) primarily as an educational resource for assurance, […] risk and security professionals. ISACA makes no claim that use of any of the Work will assure a successful outcome. The Work should not be considered inclusive of all proper information, procedures and tests or exclusive of other information, procedures and tests that are reasonably directed to obtaining the same results. In determining the propriety of any specific information, […] risk and security professionals should apply their own professional judgment to the specific circumstances presented by the particular systems or information technology environment.

Reservation of Rights

© 2014 ISACA. All rights reserved. […]

ISACA
3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008 USA
Phone: +1 […]
[…] org/US-cyber-implementation
Participate in the ISACA Knowledge Center: www […] org/knowledge-center
Follow ISACA on Twitter: https://twitter.com/ISACANews
Join ISACA on LinkedIn: ISACA (Official), […] in/ISACAOfficial
Like ISACA on Facebook: www […]

Implementing the NIST Cybersecurity Framework
ISBN 978-1-60420-358-5

Acknowledgments

Development Team
Greg Witte, CISSP-ISSEP, […], USA
Tom Conkle, […], USA

Workshop Participants
Louis Aponte, […], Weber State University, USA
Raymond R. […], Las Vegas Sands Corp., USA
Christopher J. […], USA
Meenu Gupta, […], Mittal Technologies, USA
Carlo Morgano, […], EQT Corporation, USA
Tim Virtue, […], USA
Ernest W. Wohnig III, […], System 1 Inc., USA

Expert Reviewers
Jim W. Gearhart, […], Federal Reserve Bank of Richmond, USA
Norman Kromberg, […], ACI Worldwide, USA
Theodore Lloyd, […], NTT Com Security, USA
Jeff Lukins, […], CIPP/IT, Dynetics, USA
Vincent Orrico, […], C|CISO, Teachers College, Columbia University, […]
[…], Global Cash Access, USA

ISACA Board of Directors
Robert E. Stroud, […], International President
Steven A. […], Vodafone, […], Vice President
Garry J. Barnes, […], BAE Systems Detica, Australia, Vice President
Robert A. […], Adaptive Computing, […], Vice President
Ramses Gallego, […], Six Sigma Black Belt, […], Vice President
Theresa Grafenstine, […], US House of Representatives, […], Vice President
Vittal R. […], Kumar & Raj, […], Vice President
Tony Hayes, […], AFCHSE, Queensland Government, Australia, Past International President
Gregory T. Grocholski, […], The Dow Chemical Co., […], Past International President
Debbie A. […], Ernst & Young LLP, […], Director
Frank K. […], FHKIoD, Focus Strategic Group Inc., Hong Kong, Director
Alexander Zapata Lenis, […], Grupo Cynthus S. […], Mexico, Director

Knowledge Board
Steven A. […], Vodafone, […], Chairman
Rosemary M. […], Deloitte Touche Tohmatsu Ltd., The Netherlands
Neil Patrick Barlow, […], IntercontinentalExchange, UK
Charlie Blanchard, […], CIPP/E, CIPP/US, Amgen Inc., USA
Sushil Chatterji, Edutech Enterprises, Singapore
Phil J. Lageschulte, […], KPMG LLP, USA
Anthony P. […], Viacom, USA
Jamie Pasfield, ITIL V3, PRINCE2, Pfizer, UK
Ivan Sanchez Lopez, […], ISO 27001 LA, DHL Global Forwarding & Freight, Germany

Acknowledgments (cont.)

Cybersecurity Task Force
Eddie Schwartz, […], Chairman
Manuel Aceves, […], FCITSM, Cerberian Consulting, SA de CV, Mexico
Sanjay Bahl, […], India
Neil Patrick Barlow, […], IntercontinentalExchange, UK
Brent Conran, […], USA
Derek Grocke, […], Australia
Samuel Linares, […], Industrial Cybersecurity Center (CCI), Spain
Marc Sachs, Verizon, […]

Table of Contents

Executive Summary
Introduction
Introduction to NIST Cybersecurity Framework
Framework Implementation
[…] and Step 3: Create a Current Profile
[…] and Step 5: Create a Target Profile
Analyze, […]
Communicating Cybersecurity Requirements With Stakeholders
Appendix A: Framework Core

List of Figures
Figure 1—CSF Implementation—Target Audience and Benefits


Executive Summary

Information is a key resource for all organizations. The operational technology (OT) and information technology (IT) that support information are increasingly advanced, […]. They are also under increasing attack. Destructive assaults against financial, retail and energy providers indicate a need for renewed dedication to management of technology-related risk at an acceptable level. Many organizations recognize this challenge, but need help charting a road map to protect valuable business assets. They need an approach that draws on the success of others through manageable processes and measurable improvement.

This document describes proven practices to exploit opportunity through a better understanding of organizational risk and active management processes. This guide enables the reader to implement ISACA methods as an effective way to use the Cybersecurity Framework (described in the following paragraph). Application of these components enables communication about priorities and activities in business terms, turning potential organizational risk into competitive advantage.

In 2013, US President Obama issued Executive Order (EO) 13636, Improving Critical Infrastructure Cybersecurity. The EO called for the development of a voluntary risk-based cybersecurity framework (the Cybersecurity Framework, or CSF) that is “prioritized, […].” The CSF was developed through an international partnership of small and large organizations, including owners and operators of the nation’s critical infrastructure, with leadership by the National Institute of Standards and Technology (NIST). The CSF provides a risk-based approach that enables rapid success and steps to increasingly improve cybersecurity maturity. Because these values closely mirror the governance and management principles that ISACA has fostered for many years, ISACA practices were a natural fit as an implementation road map. ISACA participated in the CSF’s development and helped embed key principles from the COBIT framework into the industry-led effort. Because of this harmony, implementation of the CSF using ISACA processes is seamless and enables the results promised by the Cybersecurity Framework while leveraging the lessons learned over fifty years of ISACA success.

This guide maps to each of the CSF steps and activities, extending the CSF guidance with practical and measurable activities. Achieving CSF objectives using ISACA methods helps to leverage operational risk understanding in a business context, enabling the organization to be proactive and competitive. This approach […] enables proactive value to the organization’s stakeholders, translating high-level enterprise goals into manageable, specific goals rather than a disconnected checklist model.


While the CSF was originally intended to support critical infrastructure providers, it is applicable to any organization that wishes to better manage and reduce cybersecurity risk. Nearly all organizations, […], are part of critical infrastructure. Each is connected to critical functions as a consumer through the global economy, through telecommunication services and in many other ways. Improved risk management by each member of this ecosystem will, […], reduce cybersecurity risk globally.

As key participants in the CSF development, including an active role in national workshops, ISACA brings a unique and valuable understanding of how to implement the Cybersecurity Framework. This understanding is presented through the guidance and templates provided in this document. For example, while the CSF provides references to important security controls, ISACA processes help to apply them through concepts such as the COBIT goals cascade. The goals cascade supports identification of stakeholder needs and enterprise goals, […] achieved by technical outcomes, […] support successful use of enabling processes and organizational structures. Through provision of practical processes, […] guided to attain CSF outcomes in a more measurable way than without these underlying processes. This application will result in an organization that understands potential risk (and associated potential impacts) and is prepared to deal with unforeseen circumstances, helping to minimize losses and gain a business advantage.

Chapter 1
Introduction

Background

Threats to information security systems are not new. ISACA was incorporated nearly fifty years ago to address the need for a centralized source of information and guidance for securing computer systems. Today’s cybersecurity attacks portend more threatening ones ahead, as evidenced by recent disruptive denial-of-service attacks against the US financial industry that hampered 15 of the largest US banks for hundreds of hours,¹ leveraging sophisticated methods that dwarf the hacker assaults of the early 21st century. At the same time, society is highly dependent on technology, and connectivity and information sharing are increasingly vital. As mobile devices continue to proliferate, and as the Internet of Things continues to evolve, the need to protect against cybersecurity attacks is increasingly important.

To help address these needs, ISACA has developed a new security knowledge platform and cybersecurity professional program. The Cybersecurity Nexus (CSX), developed in collaboration with cybersecurity experts from leading companies around the world, supplies cutting-edge thought leadership, training and certification programs for professionals who are leading cybersecurity to the future. As part of the knowledge, tools and guidance provided by CSX, ISACA has developed this guide for implementing the NIST Framework for Improving Critical Infrastructure Cybersecurity (the Cybersecurity Framework, […]). While the CSF was originally created in support of critical infrastructure providers, it is applicable to any organization that wishes to better manage and reduce cybersecurity risk. Nearly all organizations, […], support critical infrastructure. Each is connected to critical functions and services as a consumer, through telecommunication services and in many other ways. Improved risk management by each implementer will, […], reduce global cybersecurity risk.

This implementation guide addresses business and technical requirements to apply the CSF, leveraging selected documents, principles and practices such as those developed by the IT Governance Institute² (ITGI). The anticipated audience ranges from board and executive management to technical operators and maintenance personnel. Figure 1 identifies several of the key roles/functions and the benefit each receives from the CSF. While these key roles are applicable across all sectors and industry, specific tailoring may be required to align with specific organizational roles and functions.

¹ Recent attacks against US banking infrastructure are described, […], at www […] com/video/nightly news/51435096 and www […] com/Advocacy/Testimonies/Documents/Johnson%20Senate%20Testimony […]
² ITGI was formed by ISACA in 1998 to advance international thinking on Governance of Enterprise IT. More information is available at www […].


Figure 1—CSF Implementation—Target Audience and Benefits

Framework Role: Executive
Role/Function: Board and Executive Management
Benefit of/Reason for Applying the Framework:
• Understanding of their responsibilities and roles in cybersecurity within the organization
• Better understanding of current cybersecurity posture
• Better understanding of cybersecurity risk to the organization
• Better understanding of cybersecurity target state
• Understanding of actions required to close gaps between current cybersecurity posture and target state

Framework Role: Business/Process
Role/Function: IT Management
Benefit of/Reason for Applying the Framework:
• Awareness of business impacts
• Understanding relationship of business systems and their associated risk appetite

Framework Role: Business/Process
Role/Function: IT Process Management
Benefit of/Reason for Applying the Framework:
• Understanding of business requirements and mission objectives and their priorities

Framework Role: Business/Process
Role/Function: Risk Management
Benefit of/Reason for Applying the Framework:
• Enhanced view of the operational environment to discern the likelihood of a cybersecurity event

Framework Role: Business/Process
Role/Function: Legal Experts
Benefit of/Reason for Applying the Framework:
• Understanding of cyberthreats to the business units and their mission objectives
• Understanding of all compliance requirements for each business unit

Framework Role: Implementation/Operator
Role/Function: Implementation Team
Benefit of/Reason for Applying the Framework:
• Understanding of security controls and their importance in managing operational security risk
• Detailed understanding of required actions to close gaps in cybersecurity requirements

Framework Role: Implementation/Operator
Role/Function: Employees
Benefit of/Reason for Applying the Framework:
• Understanding of cybersecurity requirements for their associated business systems

Governance and Management of Enterprise Information Technology

ISACA is dedicated to supporting the knowledge and skills to help practitioners determine and achieve strategic goals and realize business benefits through the effective and innovative use of technology. In the context of this document, we will use the following terms to describe the plans, processes and activities:
• Enterprise—A group of individuals working together for a common purpose, typically within the context of an organizational form such as a corporation, […] charity or trust
• Organization—The structure or arrangement of related or connected components of an enterprise defined by a particular scope


• Governance—Ensures that stakeholder needs, conditions and options are evaluated to determine balanced, agreed-on enterprise objectives to be achieved; setting direction through prioritization and decision making; and monitoring performance and compliance against agreed-on direction and objectives
• Management—Planning, […] operating and monitoring activities, in alignment with the direction set by the governance body, to achieve the enterprise objectives

The ISACA documents referenced in this guide regularly reference “information technology,” or IT. In the context of this guide, IT refers to the technical processes and solutions (hardware and software) that enable the business functions to achieve the enterprise objectives. It is important to note that, […] technology includes operational technology (OT) (e.g., automated machinery control systems) and traditional information technology (IT) (e.g., […]). Technical systems are converging, and the systems that enable enterprise value are becoming increasingly connected. The programmable logic controllers that support a manufacturing process, […] use similar computing devices to those that support office printing needs, and both have a need for effective cybersecurity governance and management processes. Planning and management processes described in this implementation guide may be helpful to organizations in evaluating and supporting convergence of OT and IT.

Throughout each of the steps in this guide, the reader is encouraged to adopt a comprehensive view of technology. For example, determining critical organizational assets uses COBIT 5 practice APO07 […]. This activity often includes consideration of an important database administrator or data center operator, but should also include consideration of those who maintain important industrial control system (ICS) components, or facility operations (phone, HVAC [heating, ventilation and air conditioning], […]). A broad view of enterprise technology will help support effective cybersecurity management in all planning, operating and monitoring activities.

Introduction to the Framework for Improving Critical Infrastructure Cybersecurity

Recognizing the need for broad safeguards to protect the United States from cybersecurity attacks that could disrupt power, communication and other critical systems, US President Obama issued Executive Order (EO) 13636.³ […]
• Promote and incentivize the adoption of cybersecurity practices
• […] timeliness and quality of cyberthreat information sharing
• Incorporate strong privacy and civil liberties protections into every initiative to secure our critical infrastructure
• Explore the use of existing regulation to promote cybersecurity

President Obama also created Presidential Policy Directive (PPD)-21: Critical Infrastructure Security and Resilience, replacing Homeland Security Presidential Directive 7. It directs the executive branch of the US government to take the following actions for US critical infrastructure (listed in figure 2):
• Develop a situational awareness capability that addresses both physical and cyber aspects of how infrastructure is functioning in near-real time
• Understand the cascading consequences of infrastructure failures
• Evaluate and mature the public-private partnership
• Update the National Infrastructure Protection Plan
• Develop a comprehensive research and development plan

³ Executive Order (EO) 13636 is available from the US Government Printing Office at www […] gov/fdsys/pkg/FR-2013-02-19/pdf/2013-03915.pdf. Some of the EO 13636 information listed is drawn from the Department of Homeland Security’s fact sheet for EO 13636 and PPD-21, […] gov/sites/default/files/publications/EO-PPD%20Fact%20Sheet%2012March13 […]

Figure 2—Sector-specific Agencies as Described in PPD-21

Sector: Sector-Specific Agency or Agencies
Chemical: Department of Homeland Security
Commercial Facilities: Department of Homeland Security
Communications: Department of Homeland Security
Critical Manufacturing: Department of Homeland Security
Dams: Department of Homeland Security
Defense Industrial Base: Department of Defense
Emergency Services: Department of Homeland Security
Energy: Department of Energy
Financial Services: Department of the Treasury
Food and Agriculture: Departments of Agriculture and Health and Human Services
Government Facilities: Department of Homeland Security and General Services Administration
Health Care and Public Health: Department of Health and Human Services
Information Technology: Department of Homeland Security
Nuclear Reactors, Materials and Waste: Department of Homeland Security
Transportation Systems: Departments of Homeland Security and Transportation
Water and Wastewater Systems: Environmental Protection Agency


Section 7 of EO 13636 directed the Secretary of Commerce to task NIST with leading development of a framework (the Cybersecurity Framework) to reduce cyberrisk to critical infrastructure. The CSF includes a set of standards, […] procedures and processes that align policy, business and technological approaches to address cyberrisk. The EO directs NIST to incorporate voluntary consensus standards and industry best practices, and to be consistent with voluntary international standards when such international standards will advance the objectives of the EO.

The success criteria for the CSF were provided in section 7 of EO 13636. It requires that the CSF:
• Provide a prioritized, […] performance-based and cost-effective approach, including information security measures and controls, to help owners and operators of critical infrastructure identify, […]
• Focus on identifying cross-sector security standards and guidelines applicable to critical infrastructure
• Identify areas for improvement that should be addressed through future collaboration with particular sectors and standards-developing organizations
• Provide guidance that is technology neutral and that enables critical infrastructure sectors to benefit from a competitive market for products and services that meet the standards, procedures and processes developed to address cyberrisk
• Include guidance for measuring the performance of an entity in implementing the Cybersecurity Framework

In answer to this directive, NIST issued a request for information (RFI) in February 2013, asking a broad array of questions to gather relevant input from industry, academia and other stakeholders. NIST solicited information on how organizations assess risk; how cybersecurity factors into that risk assessment; the current usage of existing cybersecurity frameworks, […] and other management practices related to cybersecurity. In addition, NIST asked about legal/regulatory aspects of particular frameworks, guidelines and/or best practices and the challenges organizations perceive in meeting such requirements. NIST subsequently conducted five workshops throughout the United States to further refine industry feedback, including significant assistance from ISACA and its membership. Based on the responses to the RFI and results from the workshops, NIST provided a Cybersecurity Framework that identifies existing practices to inform an organization’s risk management decisions related to the prevention and detection of, and recovery from cybersecurity issues. NIST released version 1 […] Framework Implementation Tiers and Framework Profiles.⁴ These three CSF elements are discussed in further detail in chapter 2.

⁴ The NIST Framework for Improving Critical Infrastructure Cybersecurity may be downloaded at www […] gov/cyberframework/upload/cybersecurity-framework-021214 […]


Introduction to COBIT 5

COBIT 5 provides a comprehensive framework that assists enterprises in achieving their objectives for the governance and management of enterprise IT (GEIT). It may be implemented in a gradual approach, starting small and building on initial success, or managed in a holistic manner for the entire enterprise, taking in the full end-to-end business and IT functional areas of responsibility. In either approach, COBIT helps enterprises create optimal value from IT by maintaining a balance between realizing benefits and optimizing risk levels and resource use. COBIT 5 is generic and useful for enterprises of all sizes: commercial, not-for-profit or public sector. The COBIT 5 product family is shown in figure 3.

Figure 3—COBIT 5 Product Family

COBIT® 5
COBIT 5 Enabler Guides: COBIT® 5: Enabling Processes; COBIT® 5: Enabling Information; Other Enabler Guides
COBIT 5 Professional Guides: COBIT® 5 Implementation; COBIT® 5 for Information Security; COBIT® 5 for Assurance; COBIT® 5 for Risk; Other Professional Guides
COBIT 5 Online Collaborative Environment
Source: COBIT® 5, […]

The COBIT 5 product family includes the following products:
• COBIT 5 (the framework)
• COBIT 5 enabler guides, in which governance and management enablers are discussed in detail. These include: COBIT® 5: Enabling Processes; COBIT® 5: Enabling Information; and other related enabling guides.
• COBIT 5 professional guides, which include:
  – COBIT® 5 Implementation
  – COBIT® 5 for Information Security
  – COBIT® 5 for Assurance
  – COBIT® 5 for Risk
  – Other professional guides

The COBIT 5 framework is based on five key principles for GEIT:
• Principle 1: Meeting Stakeholder Needs
• Principle 2: Covering the Enterprise End-to-end
• Principle 3: Applying a Single, Integrated Framework


• Principle 4: Enabling a Holistic Approach • Principle 5: Separating Governance From Management Together,

these five principles enable the enterprise to build an effective governance and management framework that optimizes information and technology investment and use for the benefit of stakeholders

Enterprises exist to create value for their stakeholders

Consequently,

any enterprise will have value creation as a governance objective

Value creation means realizing benefits at an optimal resource cost while optimizing risk

Benefits can take many forms,

financial for commercial enterprises or taxpayer benefits and improved public service for government entities

COBIT 5 Governance and Management

The COBIT 5 framework makes a clear distinction between governance and management. These two disciplines encompass different types of activities, require different organizational structures and serve different purposes. The COBIT 5 view on this key distinction between governance and management is:
• Governance—Governance ensures that stakeholder needs, conditions and options are evaluated to determine balanced, agreed-on enterprise objectives to be achieved; setting direction through prioritization and decision making; and monitoring performance and compliance against agreed-on direction and objectives.
• Management—Management plans, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives.

COBIT 5 Goals Cascade

Stakeholder needs have to be transformed into an enterprise’s actionable strategy. The COBIT 5 goals cascade is the mechanism to translate stakeholder needs into specific, actionable and customized enterprise goals, IT-related goals and enabler goals. This translation allows setting specific goals at every level and in every area of the enterprise in support of the overall goals and stakeholder requirements, and thus effectively supports alignment between enterprise needs and IT solutions and services.

COBIT 5 Enablers

COBIT 5 provides a holistic and systemic view on GEIT. Enablers are factors that, individually and collectively, influence whether something will work—in this case, governance and management over enterprise IT. Enablers are driven by the goals cascade; higher-level IT-related goals define what the different enablers should achieve. The COBIT 5 framework describes seven categories of enablers:
• Principles, policies and frameworks
• Processes
• Organizational structures
• Culture, ethics and behavior
• Information
• Services, infrastructure and applications
• People, skills and competencies

Any enterprise must always consider an interconnected set of enablers. Each enabler:
• Needs the input of other enablers to be fully effective: organizational structures need skills and behavior
• Delivers output to the benefit of other enablers: processes deliver information; skills and behavior make processes efficient

COBIT 5 Process Reference Model

Processes are one of the seven enabler categories for GEIT. COBIT 5 includes a process reference model, defining and describing in detail a number of governance and management processes. It provides a process reference model that represents all of the processes that relate to IT activities normally found in an enterprise, offering a common reference model understandable to operational IT and business managers. The proposed process model is complete, but it is not the only possible process model. Each enterprise must define its own process set, taking into account the specific situation.

Incorporating an operational model and a common language for all parts of the enterprise involved in IT activities is one of the most important and critical steps toward good governance. It also provides a framework for measuring and monitoring IT performance, communicating with service providers, and integrating best management practices.

COBIT 5 advocates that the enterprise implement governance and management processes such that the key areas are covered. Figure 5 shows the complete set of 37 governance and management processes within COBIT 5. The details of all processes are included in COBIT 5: Enabling Processes.


Figure 4—COBIT 5 Governance and Management Key Areas
Figure labels (image not reproduced): Business Needs; Governance: Evaluate, Monitor; Management Feedback; Management: Plan (APO), Build (BAI), Run (DSS), Monitor (MEA)

Source: COBIT® 5: Enabling Processes

Figure 5—COBIT 5 Process Reference Model

Processes for Governance of Enterprise IT

Evaluate, Direct and Monitor
EDM01 Ensure Governance Framework Setting and Maintenance
EDM02 Ensure Benefits Delivery
EDM03 Ensure Risk Optimisation
EDM04 Ensure Resource Optimisation
EDM05 Ensure Stakeholder Transparency

Processes for Management of Enterprise IT

Plan and Organise
APO01 Manage the IT Management Framework
APO02 Manage Strategy
APO03 Manage Enterprise Architecture
APO04 Manage Innovation
APO05 Manage Portfolio
APO06 Manage Budget and Costs
APO07 Manage Human Resources
APO08 Manage Relationships
APO09 Manage Service Agreements
APO10 Manage Suppliers
APO11 Manage Quality
APO12 Manage Risk
APO13 Manage Security

Acquire and Implement
BAI01 Manage Programmes and Projects
BAI02 Manage Requirements Definition
BAI03 Manage Solutions Identification and Build
BAI04 Manage Availability and Capacity
BAI05 Manage Organisational Change Enablement
BAI06 Manage Changes
BAI07 Manage Change Acceptance and Transitioning
BAI08 Manage Knowledge
BAI09 Manage Assets
BAI10 Manage Configuration

Deliver, Service and Support
DSS01 Manage Operations
DSS02 Manage Service Requests and Incidents
DSS03 Manage Problems
DSS04 Manage Continuity
DSS05 Manage Security Services
DSS06 Manage Business Process Controls

Monitor, Evaluate and Assess
MEA01 Monitor, Evaluate and Assess Performance and Conformance
MEA02 Monitor, Evaluate and Assess the System of Internal Control
MEA03 Monitor, Evaluate and Assess Compliance With External Requirements

Source: COBIT® 5: Enabling Processes


COBIT 5 Implementation Guidance

Optimal value can be realized from leveraging COBIT only if it is effectively adopted and adapted to suit each enterprise’s unique environment. Each implementation approach will also need to address specific challenges, including managing changes to culture and behavior. ISACA provides practical and extensive implementation guidance in its publication COBIT 5 Implementation, which is based on a continual improvement life cycle. It is not intended to be a prescriptive approach nor a complete solution, but rather a guide to avoid commonly encountered pitfalls, leverage good practices and assist in the creation of successful outcomes. The guide is also supported by an implementation tool kit containing a variety of resources that will be continually enhanced. Its content includes:
• Self-assessment, measurement and diagnostic tools
• Presentations aimed at various audiences
• Related articles and further explanations

The following are important topics covered in COBIT 5 Implementation:
• Making a business case for the implementation and improvement of the governance and management of IT
• Recognizing typical pain points and trigger events
• Creating the appropriate environment for implementation
• Leveraging COBIT to identify gaps and guide the development of enablers such as policies, and roles and responsibilities

Scope and Approach

The guidance in this publication is intended to assist organizations with understanding steps for CSF implementation using ISACA methods and approach. The guide provides processes, example templates and guidance for using CSF to identify and achieve enterprise and organizational objectives for the governance and management of IT. The information is organized as follows:
• Chapter 2—Provides a detailed introduction into the NIST Cybersecurity Framework 1, Implementation Tiers and Profiles
• Chapter 3—Describes the approach for implementing the CSF to holistically improve GEIT
• Chapter 4—Illustrates the use of the CSF to communicate cybersecurity requirements among internal and external stakeholders
• Appendix A: Framework Core—Provides a copy of the Framework Core for quick reference
• Appendix B: Profile Template—Provides an overview of the profile template used to collect information regarding the current state and target state of the organization’s cybersecurity program
• Appendix C: Framework Cover Letter—Provides a copy of the initial message released to senior executives to outline the goals and intent of the CSF
• Appendix D: Action Planning—Provides considerations for developing an action plan for tracking gap closing actions
• Appendix E: Considerations for Critical Infrastructure Sectors—Provides considerations and priorities for tailoring CSF implementation

Figure 6 provides an overview of this document and the location of information to answer common questions regarding the implementation of the CSF.

Figure 6—COBIT 5 Cybersecurity Framework Implementation Overview

Question: What is Executive Order (EO) 13636?
Where to Find Guidance: Chapter 1 defines the purpose and intent of the EO as well as NIST responsibilities for developing the Cybersecurity Framework.

Question: What are the core components of the Cybersecurity Framework?
Where to Find Guidance: Chapter 2 provides an overview of the three primary parts of the CSF.

Question: How do COBIT 5 principles align to the CSF?
Where to Find Guidance: Figure 8 provides a summary of the COBIT 5 principles aligned to the CSF. Chapter 3 provides specific implementation guidance for aligning to the CSF using COBIT 5 principles.

Question: Should I align to the CSF?
Where to Find Guidance: Chapter 2 provides an overview of the CSF and the benefits of aligning to the CSF.

Question: How do I create a profile for my organization?
Where to Find Guidance: Chapter 3 provides an overview of the CSF as it aligns to the COBIT 5 implementation process. Appendix B provides an overview of the profile and links for profile templates.

Question: What are the CSF Categories?
Where to Find Guidance: Chapter 2 defines the Functions and Categories outlined in the CSF.

Question: Where can I find sector-specific implementation information?
Where to Find Guidance: Appendix E defines sector-specific implementation considerations aligned to the Information Sharing and Analysis Centers (ISACs).

Question: Where can I find templates to help me implement the CSF?
Where to Find Guidance: A supplementary tool kit is available online and contains profiles and action plans for implementing the CSF.

Chapter 2

Introduction to NIST Cybersecurity Framework 1

“Repeated cyber intrusions into critical infrastructure demonstrate the need for improved cybersecurity. The cyber threat to critical infrastructure continues to grow and represents one of the most serious national security challenges we must confront.”

The goals of the EO align well with the COBIT 5 framework, which recognizes that “information is a key resource for all enterprises,” and “information technology is increasingly advanced and has become pervasive in enterprises and in social, public and business environments.” The ISACA publication points out that “COBIT 5 helps enterprises to create optimal value from IT by maintaining a balance between realizing benefits and optimizing risk levels and resource use. COBIT 5 enables IT to be governed and managed in a holistic manner for the entire enterprise, taking into account the full end-to-end business and IT functional areas of responsibility and considering the IT-related interests of internal and external stakeholders.”

Staff from NIST met with industry partners to consider responses to the February 2013 RFI, and further refined guidance to create a risk-based framework for reducing risk. Workshop participation and comment submissions included significant contribution from small- and medium-sized businesses (SMBs), and from the international business community. This diversity of input greatly improved the understanding of the challenges and root causes underlying modern cybersecurity risk. The diverse support from SMBs contributed to a broad and flexible framework. Each RFI response and each subsequent workshop comment was reviewed and analyzed by NIST. Through analysis of response coverage across critical infrastructure sectors and organization types, and consideration of terms and phrases that identified key response points, NIST identified commonalities and recurring themes (described in figure 7). These themes were leveraged and incorporated through the CSF during its development.


Figure 7—NIST Initial Framework Considerations

Framework Principles
• Flexibility
• Impact on global operations
• Risk management approaches
• Leverage existing approaches

Common Points
• Senior management engagement
• Understanding threat environment
• Business risk/risk assessment
• Separation of business and operational systems
• Models/levels of maturity
• Incident response
• Cybersecurity workforce

Initial Gaps
• Metrics
• Privacy/civil liberties
• Tools
• Dependencies
• Industry best practices
• Resiliency
• Critical infrastructure cybersecurity nomenclature

Source: NIST, gov/cyberframework/nist-initial-analysis-of-rfi-responses

The CSF is a risk-based approach to managing cybersecurity risk and is comprised of three parts: the Framework Core, the Framework Implementation Tiers and the Framework Profiles. Each CSF component reinforces the connection between business drivers and cybersecurity activities.

The Framework Core is a set of cybersecurity activities, desired outcomes and applicable references that are common across critical infrastructure sectors.

The Framework Implementation Tiers provide context on how an organization views cybersecurity risk and the processes in place to manage that risk. Tiers describe the degree to which an organization’s cybersecurity risk management practices exhibit the characteristics defined in the Framework. The Tiers characterize an organization’s practices over a range, from Partial (Tier 1) to Adaptive (Tier 4).

A Framework Profile represents the outcomes based on business needs that an organization has selected from the Framework Categories and Subcategories. The Profile can be characterized as the alignment of standards, guidelines and practices to the Framework Core in a particular implementation scenario. Profiles can be used to identify opportunities for improving cybersecurity posture by comparing a Current Profile (the “as is” state) with a Target Profile (the “to be” state).

In addition to providing a Cybersecurity Framework, the Framework for Improving Critical Infrastructure Cybersecurity also provides basic implementation guidance through a seven-step process.

Framework for Improving Critical Infrastructure Cybersecurity, gov/cyberframework/upload/cybersecurityframework-021214


• Step 1: Prioritize and Scope—Requests that organizations scope and prioritize business/mission objectives and high-level organizational priorities. This information allows organizations to make strategic decisions regarding the scope of systems and assets that support the selected business lines or processes within the organization.
• Step 2: Orient—Provides organizations an opportunity to identify threats to systems identified in the Prioritize and Scope step.
• Step 3: Create a Current Profile—Identifies the requirement to define the current state of the organization’s cybersecurity program by establishing a current state profile.
• Step 4: Conduct a Risk Assessment—Allows organizations to conduct a risk assessment using their currently accepted methodology. The information from this step is used in Step 5.
• Step 5: Create a Target Profile—Allows organizations to develop a risk-informed target state profile. The target state profile focuses on the assessment of the Framework Categories and Subcategories describing the organization’s desired cybersecurity outcomes.
• Step 6: Determine, Analyze, and Prioritize Gaps—Organizations conduct a gap analysis to determine opportunities for improving the current state. The gaps are identified by overlaying the current state profile with the target state profile.
• Step 7: Implement Action Plan—After the gaps are identified and prioritized, the required actions are taken to close the gaps and work toward obtaining the target state.
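The overlay of the Current and Target Profiles in Steps 3 through 7 is where practitioners most often go wrong: outcomes that were never assessed in the current state are silently skipped, targets that the organization already exceeds are treated as gaps, and the action plan is ordered without reference to the Step 4 risk assessment. As an added example, not taken from the ISACA publication or from NIST, the Python script below models each Profile as a mapping from Subcategory to Implementation Tier, performs the Step 6 overlay and orders the resulting gaps for the Step 7 action plan. The Subcategory identifiers follow CSF 1.0 naming, the names of Tiers 2 and 3 come from CSF 1.0 rather than from this chapter, and the tier values, risk scores and the priority rule (tier shortfall multiplied by the Step 4 risk score) are constructed assumptions for the illustration.

```python
"""Current-vs-Target Profile gap analysis for CSF Steps 3 through 7.

Assumptions (not from the ISACA text): a Profile is modelled as a mapping
from a CSF Subcategory identifier to the Implementation Tier (1-4) at which
that outcome is achieved, and the Step 4 risk assessment is summarised as a
per-Subcategory risk score (likelihood x impact).
"""
from dataclasses import dataclass

# Tier names from CSF 1.0; the chapter above names only the two endpoints.
TIER_NAMES = {0: "Not assessed", 1: "Partial", 2: "Risk Informed",
              3: "Repeatable", 4: "Adaptive"}


@dataclass(frozen=True)
class Gap:
    """One Subcategory whose current tier falls short of its target tier."""
    subcategory: str
    current_tier: int      # 0 means the outcome was never assessed in Step 3
    target_tier: int
    risk_score: float      # Step 4 output for this Subcategory

    @property
    def delta(self) -> int:
        return self.target_tier - self.current_tier

    @property
    def priority(self) -> float:
        # Constructed prioritisation rule: a larger tier shortfall on a
        # higher-risk outcome ranks first in the Step 7 action plan.
        return self.delta * self.risk_score


def validate_profile(profile: dict) -> None:
    """Reject tiers outside the Partial (1) to Adaptive (4) range."""
    for sub, tier in profile.items():
        if isinstance(tier, bool) or not isinstance(tier, int) or not 1 <= tier <= 4:
            raise ValueError(f"{sub}: tier must be an int in 1..4, got {tier!r}")


def gap_analysis(current: dict, target: dict, risk_scores: dict):
    """Overlay the Current Profile on the Target Profile (Step 6).

    Returns (gaps, above_target, unassessed):
      gaps         - Gap records sorted by priority, highest first
      above_target - Subcategories already beyond their target tier
      unassessed   - Target Subcategories with no Current Profile entry
    Subcategories present only in the Current Profile are out of scope.
    """
    validate_profile(current)
    validate_profile(target)
    gaps, above_target, unassessed = [], [], []
    for sub, tgt in target.items():
        cur = current.get(sub)
        if cur is None:
            unassessed.append(sub)
            cur = 0                      # never assessed: the whole target is a gap
        if tgt > cur:
            gaps.append(Gap(sub, cur, tgt, risk_scores.get(sub, 1.0)))
        elif tgt < cur:
            above_target.append(sub)
    gaps.sort(key=lambda g: (-g.priority, g.subcategory))
    return gaps, above_target, unassessed


def action_plan(gaps) -> list:
    """Render the prioritised gaps as Step 7 action-plan lines."""
    return [
        f"{g.subcategory}: raise from Tier {g.current_tier} ({TIER_NAMES[g.current_tier]}) "
        f"to Tier {g.target_tier} ({TIER_NAMES[g.target_tier]}); priority {g.priority:.1f}"
        for g in gaps
    ]


# Constructed sample profiles; identifiers follow CSF 1.0 Subcategory naming.
CURRENT_PROFILE = {"ID.AM-1": 2, "PR.AC-1": 1, "DE.CM-1": 1, "RS.RP-1": 3, "RC.RP-1": 2}
TARGET_PROFILE = {"ID.AM-1": 3, "PR.AC-1": 3, "DE.CM-1": 3, "RS.RP-1": 2,
                  "RC.RP-1": 2, "PR.DS-1": 3}
RISK_SCORES = {"ID.AM-1": 2.0, "PR.AC-1": 4.5, "DE.CM-1": 3.0, "PR.DS-1": 1.5}

if __name__ == "__main__":
    gaps, above, missing = gap_analysis(CURRENT_PROFILE, TARGET_PROFILE, RISK_SCORES)
    for line in action_plan(gaps):
        print(line)
    print("Above target:", above)
    print("Not assessed in Current Profile:", missing)
```

Run as a script, it prints the prioritised plan for the sample data. A Subcategory that appears only in the Current Profile is ignored because the Target Profile defines the scope; a target tier below the current tier is reported separately rather than as a gap, since it usually signals a scoping question for Step 1 (or an over-investment) rather than an action to take.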

While hundreds of organizations provided input into the design of the Cybersecurity Framework, ISACA was deeply engaged in the CSF development at each stage. Many ISACA principles are visible in the CSF implementation steps. Figure 8 illustrates some parallels between CSF implementation steps and COBIT 5 framework principles.

Figure 8—Comparison of CSF Implementation Steps With COBIT 5 Principles

CSF Implementation Steps

Step 1: Prioritize and Scope—Directs implementers to identify business/mission objectives and high-level organizational priorities. This mission understanding is critical to ensure that resulting risk decisions are prioritized and aligned with stakeholder goals, ensuring effective risk management and optimizing investment.

COBIT 5 Principles

Principle 1: Meeting Stakeholder Needs—Enterprises exist to create value for their stakeholders by maintaining a balance between the realization of benefits and the optimization of risk and use of resources. An enterprise can customize COBIT 5 to suit its own context through the goals cascade, translating high-level enterprise goals into manageable, specific goals and mapping these to specific processes and practices.


Figure 8—Comparison of CSF Implementation Steps With COBIT 5 Principles (cont.)

CSF Implementation Steps

Step 2: Orient—The organization identifies an overall risk approach, considering enterprise people, processes and technology along with external drivers such as regulatory requirements. It identifies threats to,

Step 3: Create a Current Profile—Through use of a Profile template (example provided later in this publication) the organization determines the current state of Category and Subcategory outcomes from the Framework Core (analogous to COBIT 5 governance and management enablers) and how each is currently being achieved.

Step 4: Conduct a Risk Assessment—The organization, guided by its risk management process, analyzes the operational environment to discern the likelihood of a cybersecurity event and the impact that the event could have. It incorporates emerging risk and vulnerability data to facilitate a robust understanding of the likelihood and impact of cybersecurity events.

Step 5: Create a Target Profile—The organization creates a Target Profile that focuses on the assessment of the Framework Categories and Subcategories describing the organization’s desired cybersecurity outcomes. The organization may develop additional Categories and Subcategories to account for unique organizational risk. It may also consider influences and requirements of external stakeholders such as sector entities, customers and business partners when creating a Target Profile.

Step 6: Determine, Analyze, and Prioritize Gaps—The organization compares Current and Target Profiles to determine gaps. It creates a prioritized action plan to address those gaps, and risk understanding to achieve the target outcomes. The organization determines the resources necessary to address the gaps.

COBIT 5 Principles

Principle 2: Covering the Enterprise End-to-end—COBIT 5 integrates governance of enterprise IT into enterprise governance:
• It covers all functions and processes within the enterprise. COBIT 5 does not focus only on the “IT function,” but treats information and related technologies as assets that need to be dealt with just like any other asset by everyone in the enterprise.
• It considers all IT-related governance and management enablers to be enterprisewide and end-to-end, inclusive of everything and everyone—internal and external—that is relevant to governance and management of enterprise information and related IT.

Principle 3: Applying a Single, Integrated Framework—There are many IT-related standards and good practices, each providing guidance on a subset of IT activities. COBIT 5 aligns with other relevant standards and frameworks at a high level, and thus can serve as the overarching framework for governance and management of enterprise IT.

Figure 8—Comparison of CSF Implementation Steps With COBIT 5 Principles (cont.)

CSF Implementation Steps

Step 7: Implement Action Plan—The organization determines which actions to take in regard to the gaps identified in the previous step. It then monitors its current cybersecurity practices against the Target Profile. For further guidance, the CSF identifies example Informative References regarding the Categories and Subcategories, but organizations should determine which standards, including those that are sector-specific,

An organization may repeat the steps as needed to continuously assess and improve its cybersecurity. For instance, organizations may find that more frequent repetition of the Orient step improves the quality of risk assessments. Furthermore, organizations may monitor progress through iterative updates to the current profile, subsequently comparing the Current Profile to the Target Profile. Organizations may utilize this process to align their cybersecurity program with their desired Implementation Tier.

COBIT 5 Principle 5 is not directly embedded and may represent an opportunity for improvement for the CSF.

COBIT 5 Principles

Principle 4: Enabling a Holistic Approach—Efficient and effective governance and management of enterprise IT require a holistic approach, taking into account several interacting components. COBIT 5 defines a set of enablers to support the implementation of a comprehensive governance and management system for enterprise IT. Enablers are broadly defined as anything that can help to achieve the objectives of the enterprise. The COBIT 5 framework defines seven categories of enablers:
1. Principles, Policies and Frameworks
2. Processes
3. Organizational Structures
4. Culture, Ethics and Behavior
5. Information
6. Services, Infrastructure and Applications
7. People, Skills and Competencies

Principle 5: Separating Governance From Management—The COBIT 5 framework makes a clear distinction between governance and management. These two disciplines encompass different types of activities, require different organizational structures and serve different purposes.

Coordination of Framework Implementation

Another important aspect of the CSF is its guidance regarding stakeholder communications. NIST’s analysis of industry feedback during the development period indicated that risk decisions were not well aligned with enterprise drivers and goals. As COBIT 5 for Risk points out, when risk capacity and risk appetite are defined by board and executive management at the enterprise level (see COBIT 5 process EDM03 Ensure risk optimization), the prioritization and approval process for risk response actions is improved.


The CSF’s common flows of information and decisions at the following levels within an organization are similar to those described in COBIT 5’s stakeholder roles:

Figure 9—Comparison of CSF and COBIT Roles

CSF Role: Executive Level
COBIT 5 Role: Board of directors and executive management

CSF Role: Business/Process
COBIT 5 Role: Business management and business process owners

CSF Role: Implementation/Operations
COBIT 5 Role: IT management and IT process owners (e.g., IT security manager, business continuity management specialist) and other implementation team members

The executive level communicates information about enterprise goals and mission priorities, approaches and communications that are meaningful to executive management. This activity is comparable to the COBIT implementation phase “Phase 1—What Are the Drivers?” Dialogue with business management and business process owners includes definition of appropriate risk tolerances and available resources. The business/process level uses the information as inputs into the risk management process, and then collaborates with the IT management and IT process owners to communicate business needs.

These two levels of management determine the current cybersecurity state using a Framework Profile template (described later in this document). The Current Profile and Target Profile provide considerations comparable to COBIT’s next two implementation phases, ?” and “Phase 3—Where Do We Want To Be?” Through comparison of the target with the current state, the implementation team is able to recommend specific and prioritized actions to achieve stakeholder goals, aligned with the phase 1 business drivers, resource requirements and organizational risk appetite. This action plan, comparable to COBIT implementation phases 4 and 5, “Phase 4—What Needs To Be Done?” and “Phase 5—How Do We Get There?” agile governance of enterprise IT approach that is scalable to any size organization.

As figure 10 illustrates, the information flow is cyclical, with ongoing monitoring as a critical step. The COBIT implementation phases “Phase 6—Did We Get There?” and “Phase 7—How Do We Keep the Momentum Going?” provide important considerations to ensure ongoing, cost-effective governance and management. For example, discovered or remediated vulnerabilities), the implementation/operations level communicates the Profile implementation progress to the business/process level.


The business/process level uses this information to perform an impact assessment in consideration of the business drivers. Business/process level management reports the outcomes of that impact assessment to the executive level, using language and methods appropriate for board of directors/executive management communications, to inform the organization’s overall risk management process.

Figure 10—CSF Information and Decision Flows Within an Organization
Figure labels (image not reproduced):
Senior Executive Level. Focus: Organizational Risk. Actions: Risk Decision and Priorities.
Business/Process Level. Focus: Critical Infrastructure Risk Management. Actions: Selects Profile, Allocates Budget.
Implementation/Operations Level. Focus: Securing Critical Infrastructure. Actions: Implements Profile.
Flows between levels: Risk Management; Mission Priority and Risk Appetite and Budget; Framework Profile; Implementation Progress; Changes in Assets, Vulnerability and Threat; Changes in Current and Future Risk; Implementation.

Source: Framework for Improving Critical Infrastructure Cybersecurity

Framework Core

The Framework Core is a set of cybersecurity activities, desired outcomes and applicable references that are common across critical infrastructure sectors. The Core presents industry standards, guidelines and practices in a manner that allows for communication of cybersecurity activities and outcomes across the organization from the executive level to the implementation/operations level. The Framework Core consists of five concurrent and continuous Functions—Identify, Protect, Detect, Respond, Recover. When considered together, these Functions provide a high-level, strategic view of the life cycle of an organization’s management of cybersecurity risk. The Framework Core then identifies underlying key Categories and Subcategories for each Function, and matches them with example Informative References such as existing standards, guidelines and practices for each Subcategory.


The outcomes in the Core help the reader to answer the following questions:
• What people, processes and technologies are essential to provide the right services to the right stakeholders?
• What do we need to do to protect those assets from the risk discovered in the Identify function?
• What detection capability can we implement to recognize potential or realized risk to organizational assets from identified risk?
• What response and recovery activities are appropriate and necessary to continue operations (albeit diminished) or restore services described above?

Figure 11—Components of the Framework Core
Figure labels (image not reproduced): columns Functions, Categories, Subcategories, Informative References; Function rows IDENTIFY, PROTECT, RESPOND, RECOVER

Source: Framework for Improving Critical Infrastructure Cybersecurity