SlideShare uma empresa Scribd logo

NIST Cybersecurity Framework Cross Reference

J
Jim Meyer

Consider a logical cross reference or grouping for Cybersecurity Framework subcategories. This could make an assessment easier and more meaningful. The Cybersecurity Framework identifies categories and subcategories of practice, processes, and activities to be used in a cyber security assessment. But, categories often house unrelated subcategories and subcategories are dependent on other subcategories across various categories.

Tecnologia
1 de 16
Baixar para ler offline
NIST Cybersecurity Framework Cross Referenced April, 2016 Prepared by: Jim Bothe & Jim Meyer © Copyright 2016 J2 Coordinated Response, LLC All rights Reserved.
NIST Cybersecurity Framework Cross Reference  Objective – To produce a meaningful cybersecurity assessment; and – In a reasonable amount of time.  But, the NIST subcategories need to be cross referenced – Many are related and – Many are interdependent.  Logical groupings should make the assessment easier. LinkedIn 4/16/2016 © 2016 J2 Coordinated Response, LLC. All Rights Reserved. Page: 2
Functions / Categories / Subcategories 5 6 3 5 3 Categories Identify Protect Detect Respond Recover © 2016 J2 Coordinated Response, LLC. All Rights Reserved. 24 35 18 15 6 Subcategories ISACA CMC April 13, 2016 Page: 3 NIST Cybersecurity Framework
Dependencies / Other Relationships  Identify relationships between Groups – One Group provides input to another. – The second Group is possibly constrained by the first. – Or the other Gambit is dependent on the first – In either case, weakness in the first limits strength in the second  A subcategory in 1 Group – May have interdependencies with another subcategory in the Group. – May have interdependencies with a subcategory in another. – These details are left to the assessor to recognize (at least for now). LinkedIn 4/16/2016 © 2016 J2 Coordinated Response, LLC. All Rights Reserved. Page: 4
Establish Risk Tolerance / Prioritize Assets LinkedIn 4/16/2016 © 2016 J2 Coordinated Response, LLC. All Rights Reserved. Page: 5 NOTE: Operational drivers inform risk tolerance and the identification of CRITICAL IT assets.
Risk – Assess, Address, Manage LinkedIn 4/16/2016 © 2016 J2 Coordinated Response, LLC. All Rights Reserved. Page: 6
Roles and Responsibilities LinkedIn 4/16/2016 © 2016 J2 Coordinated Response, LLC. All Rights Reserved. Page: 7
Access Control & Data Protection LinkedIn 4/16/2016 © 2016 J2 Coordinated Response, LLC. All Rights Reserved. Page: 8
Configuration Management LinkedIn 4/16/2016 © 2016 J2 Coordinated Response, LLC. All Rights Reserved. Page: 9
An Observation The groups identified thus far form the foundation of an effective cybersecurity architecture.  Establish Risk Tolerance, Prioritize Assets.  Risk – Address, Assess, Manage.  Roles and Responsibilities – well defined or not.  Configuration Management – defines what you are protecting. Recognize what is important and protect it – 53 subcategories. The remaining groups are:  Detect, Respond, Recover, Improve – 45 subcategories. NOTE: key dependencies are identified in these groups. © 2016 J2 Coordinated Response, LLC. All Rights Reserved. ISACA CMC April 13, 2016 Page: 10
Monitor & Detect Events LinkedIn 4/16/2016 © 2016 J2 Coordinated Response, LLC. All Rights Reserved. Page: 11
Respond LinkedIn 4/16/2016 © 2016 J2 Coordinated Response, LLC. All Rights Reserved. Page: 12
Recover LinkedIn 4/16/2016 © 2016 J2 Coordinated Response, LLC. All Rights Reserved. Page: 13
Improve LinkedIn 4/16/2016 © 2016 J2 Coordinated Response, LLC. All Rights Reserved. Page: 14
Risk – Assess, Address, Manage LinkedIn 4/16/2016 © 2016 J2 Coordinated Response, LLC. All Rights Reserved. Page: 15
Summary  Logical groups provide improve efficiency and meaning.  Categories often contain activities performed in different ways, by different individuals.  Organizations should create their sense of logical groups. LinkedIn 4/16/2016 © 2016 J2 Coordinated Response, LLC. All Rights Reserved. Page: 16

Recomendados

How to implement NIST cybersecurity standards in my organization
How to implement NIST cybersecurity standards in my organizationHow to implement NIST cybersecurity standards in my organization
How to implement NIST cybersecurity standards in my organizationExigent Technologies LLC
 
Threat Hunting with Cyber Kill Chain
Threat Hunting with Cyber Kill ChainThreat Hunting with Cyber Kill Chain
Threat Hunting with Cyber Kill ChainSuwitcha Musijaral CISSP,CISA,GWAPT,SNORTCP
 
Cyber Threat Intelligence
Cyber Threat IntelligenceCyber Threat Intelligence
Cyber Threat Intelligenceseadeloitte
 
SOC Architecture Workshop - Part 1
SOC Architecture Workshop - Part 1SOC Architecture Workshop - Part 1
SOC Architecture Workshop - Part 1Priyanka Aash
 
Security Awareness Training by Fortinet
Security Awareness Training by FortinetSecurity Awareness Training by Fortinet
Security Awareness Training by FortinetAtlantic Training, LLC.
 
Building the Security Operations and SIEM Use CAse
Building the Security Operations and SIEM Use CAseBuilding the Security Operations and SIEM Use CAse
Building the Security Operations and SIEM Use CAseDon Murdoch GSE CyberGuardian CISSP
 
Vulnerability assessment and penetration testing
Vulnerability assessment and penetration testingVulnerability assessment and penetration testing
Vulnerability assessment and penetration testingAbu Sadat Mohammed Yasin
 
Threat Intelligence 101 - Steve Lodin - Submitted
Threat Intelligence 101 - Steve Lodin - SubmittedThreat Intelligence 101 - Steve Lodin - Submitted
Threat Intelligence 101 - Steve Lodin - SubmittedSteve Lodin
 

Recomendados

How to implement NIST cybersecurity standards in my organization
How to implement NIST cybersecurity standards in my organizationHow to implement NIST cybersecurity standards in my organization
How to implement NIST cybersecurity standards in my organizationExigent Technologies LLC
 
Threat Hunting with Cyber Kill Chain
Threat Hunting with Cyber Kill ChainThreat Hunting with Cyber Kill Chain
Threat Hunting with Cyber Kill ChainSuwitcha Musijaral CISSP,CISA,GWAPT,SNORTCP
 
Cyber Threat Intelligence
Cyber Threat IntelligenceCyber Threat Intelligence
Cyber Threat Intelligenceseadeloitte
 
SOC Architecture Workshop - Part 1
SOC Architecture Workshop - Part 1SOC Architecture Workshop - Part 1
SOC Architecture Workshop - Part 1Priyanka Aash
 
Security Awareness Training by Fortinet
Security Awareness Training by FortinetSecurity Awareness Training by Fortinet
Security Awareness Training by FortinetAtlantic Training, LLC.
 
Building the Security Operations and SIEM Use CAse
Building the Security Operations and SIEM Use CAseBuilding the Security Operations and SIEM Use CAse
Building the Security Operations and SIEM Use CAseDon Murdoch GSE CyberGuardian CISSP
 
Vulnerability assessment and penetration testing
Vulnerability assessment and penetration testingVulnerability assessment and penetration testing
Vulnerability assessment and penetration testingAbu Sadat Mohammed Yasin
 
Threat Intelligence 101 - Steve Lodin - Submitted
Threat Intelligence 101 - Steve Lodin - SubmittedThreat Intelligence 101 - Steve Lodin - Submitted
Threat Intelligence 101 - Steve Lodin - SubmittedSteve Lodin
 
CSSLP & OWASP & WebGoat
CSSLP & OWASP & WebGoatCSSLP & OWASP & WebGoat
CSSLP & OWASP & WebGoatSurachai Chatchalermpun
 
Enterprise Security Architecture
Enterprise Security ArchitectureEnterprise Security Architecture
Enterprise Security ArchitectureKris Kimmerle
 
Optimizing Security Operations: 5 Keys to Success
Optimizing Security Operations: 5 Keys to SuccessOptimizing Security Operations: 5 Keys to Success
Optimizing Security Operations: 5 Keys to SuccessSirius
 
Cybersecurity Framework - Introduction
Cybersecurity Framework - IntroductionCybersecurity Framework - Introduction
Cybersecurity Framework - IntroductionMuhammad Akbar Yasin
 
Security risk management
Security risk managementSecurity risk management
Security risk managementG Prachi
 
Proactive incident response
Proactive incident responseProactive incident response
Proactive incident responseBrian Honan
 
Security operation center (SOC)
Security operation center (SOC)Security operation center (SOC)
Security operation center (SOC)Ahmed Ayman
 
MITRE ATT&CKcon 2.0: Using Threat Intelligence to Focus ATT&CK Activities; Da...
MITRE ATT&CKcon 2.0: Using Threat Intelligence to Focus ATT&CK Activities; Da...MITRE ATT&CKcon 2.0: Using Threat Intelligence to Focus ATT&CK Activities; Da...
MITRE ATT&CKcon 2.0: Using Threat Intelligence to Focus ATT&CK Activities; Da...MITRE - ATT&CKcon
 
Introduction to Risk Management via the NIST Cyber Security Framework
Introduction to Risk Management via the NIST Cyber Security FrameworkIntroduction to Risk Management via the NIST Cyber Security Framework
Introduction to Risk Management via the NIST Cyber Security FrameworkPECB
 
Cyber Threat Intelligence
Cyber Threat IntelligenceCyber Threat Intelligence
Cyber Threat IntelligencePrachi Mishra
 
How to assess and manage cyber risk
How to assess and manage cyber riskHow to assess and manage cyber risk
How to assess and manage cyber riskStephen Cobb
 
Addressing the cyber kill chain
Addressing the cyber kill chainAddressing the cyber kill chain
Addressing the cyber kill chainSymantec Brasil
 
INCIDENT RESPONSE OVERVIEW
INCIDENT RESPONSE OVERVIEWINCIDENT RESPONSE OVERVIEW
INCIDENT RESPONSE OVERVIEWSylvain Martinez
 
Does Anyone Remember Enterprise Security Architecture?
Does Anyone Remember Enterprise Security Architecture?Does Anyone Remember Enterprise Security Architecture?
Does Anyone Remember Enterprise Security Architecture?rbrockway
 
Cyber threat intelligence ppt
Cyber threat intelligence pptCyber threat intelligence ppt
Cyber threat intelligence pptKumar Gaurav
 
Threat Intelligence in Cyber Risk Programs
Threat Intelligence in Cyber Risk ProgramsThreat Intelligence in Cyber Risk Programs
Threat Intelligence in Cyber Risk ProgramsRahul Neel Mani
 
Chapter2 the need to security
Chapter2 the need to securityChapter2 the need to security
Chapter2 the need to securityDhani Ahmad
 
SOC and SIEM.pptx
SOC and SIEM.pptxSOC and SIEM.pptx
SOC and SIEM.pptxSandeshUprety4
 
Cyber Threat Hunting Workshop
Cyber Threat Hunting WorkshopCyber Threat Hunting Workshop
Cyber Threat Hunting WorkshopDigit Oktavianto
 
NIST SP 800 30 Flow Chart
NIST SP 800 30 Flow ChartNIST SP 800 30 Flow Chart
NIST SP 800 30 Flow ChartJames W. De Rienzo
 
Mapping the Enterprise Threat, Risk, and Security Control Landscape with Splunk
Mapping the Enterprise Threat, Risk, and Security Control Landscape with SplunkMapping the Enterprise Threat, Risk, and Security Control Landscape with Splunk
Mapping the Enterprise Threat, Risk, and Security Control Landscape with SplunkAndrew Gerber
 
NYC Workshop: Improving the Business Value of your Service Management Program
NYC Workshop: Improving the Business Value of your Service Management ProgramNYC Workshop: Improving the Business Value of your Service Management Program
NYC Workshop: Improving the Business Value of your Service Management ProgramNavvia
 

Mais conteúdo relacionado

Mais procurados

Enterprise Security Architecture
Enterprise Security ArchitectureEnterprise Security Architecture
Enterprise Security ArchitectureKris Kimmerle
 
Optimizing Security Operations: 5 Keys to Success
Optimizing Security Operations: 5 Keys to SuccessOptimizing Security Operations: 5 Keys to Success
Optimizing Security Operations: 5 Keys to SuccessSirius
 
Cybersecurity Framework - Introduction
Cybersecurity Framework - IntroductionCybersecurity Framework - Introduction
Cybersecurity Framework - IntroductionMuhammad Akbar Yasin
 
Security risk management
Security risk managementSecurity risk management
Security risk managementG Prachi
 
Proactive incident response
Proactive incident responseProactive incident response
Proactive incident responseBrian Honan
 
Security operation center (SOC)
Security operation center (SOC)Security operation center (SOC)
Security operation center (SOC)Ahmed Ayman
 
MITRE ATT&CKcon 2.0: Using Threat Intelligence to Focus ATT&CK Activities; Da...
MITRE ATT&CKcon 2.0: Using Threat Intelligence to Focus ATT&CK Activities; Da...MITRE ATT&CKcon 2.0: Using Threat Intelligence to Focus ATT&CK Activities; Da...
MITRE ATT&CKcon 2.0: Using Threat Intelligence to Focus ATT&CK Activities; Da...MITRE - ATT&CKcon
 
Introduction to Risk Management via the NIST Cyber Security Framework
Introduction to Risk Management via the NIST Cyber Security FrameworkIntroduction to Risk Management via the NIST Cyber Security Framework
Introduction to Risk Management via the NIST Cyber Security FrameworkPECB
 
Cyber Threat Intelligence
Cyber Threat IntelligenceCyber Threat Intelligence
Cyber Threat IntelligencePrachi Mishra
 
How to assess and manage cyber risk
How to assess and manage cyber riskHow to assess and manage cyber risk
How to assess and manage cyber riskStephen Cobb
 
Addressing the cyber kill chain
Addressing the cyber kill chainAddressing the cyber kill chain
Addressing the cyber kill chainSymantec Brasil
 
INCIDENT RESPONSE OVERVIEW
INCIDENT RESPONSE OVERVIEWINCIDENT RESPONSE OVERVIEW
INCIDENT RESPONSE OVERVIEWSylvain Martinez
 
Does Anyone Remember Enterprise Security Architecture?
Does Anyone Remember Enterprise Security Architecture?Does Anyone Remember Enterprise Security Architecture?
Does Anyone Remember Enterprise Security Architecture?rbrockway
 
Cyber threat intelligence ppt
Cyber threat intelligence pptCyber threat intelligence ppt
Cyber threat intelligence pptKumar Gaurav
 
Threat Intelligence in Cyber Risk Programs
Threat Intelligence in Cyber Risk ProgramsThreat Intelligence in Cyber Risk Programs
Threat Intelligence in Cyber Risk ProgramsRahul Neel Mani
 
Chapter2 the need to security
Chapter2 the need to securityChapter2 the need to security
Chapter2 the need to securityDhani Ahmad
 
Cyber Threat Hunting Workshop
Cyber Threat Hunting WorkshopCyber Threat Hunting Workshop
Cyber Threat Hunting WorkshopDigit Oktavianto
 

Mais procurados (20)

CSSLP & OWASP & WebGoat
CSSLP & OWASP & WebGoatCSSLP & OWASP & WebGoat
CSSLP & OWASP & WebGoat
 
Enterprise Security Architecture
Enterprise Security ArchitectureEnterprise Security Architecture
Enterprise Security Architecture
 
Optimizing Security Operations: 5 Keys to Success
Optimizing Security Operations: 5 Keys to SuccessOptimizing Security Operations: 5 Keys to Success
Optimizing Security Operations: 5 Keys to Success
 
Cybersecurity Framework - Introduction
Cybersecurity Framework - IntroductionCybersecurity Framework - Introduction
Cybersecurity Framework - Introduction
 
Security risk management
Security risk managementSecurity risk management
Security risk management
 
Proactive incident response
Proactive incident responseProactive incident response
Proactive incident response
 
Security operation center (SOC)
Security operation center (SOC)Security operation center (SOC)
Security operation center (SOC)
 
MITRE ATT&CKcon 2.0: Using Threat Intelligence to Focus ATT&CK Activities; Da...
MITRE ATT&CKcon 2.0: Using Threat Intelligence to Focus ATT&CK Activities; Da...MITRE ATT&CKcon 2.0: Using Threat Intelligence to Focus ATT&CK Activities; Da...
MITRE ATT&CKcon 2.0: Using Threat Intelligence to Focus ATT&CK Activities; Da...
 
Introduction to Risk Management via the NIST Cyber Security Framework
Introduction to Risk Management via the NIST Cyber Security FrameworkIntroduction to Risk Management via the NIST Cyber Security Framework
Introduction to Risk Management via the NIST Cyber Security Framework
 
Cyber Threat Intelligence
Cyber Threat IntelligenceCyber Threat Intelligence
Cyber Threat Intelligence
 
How to assess and manage cyber risk
How to assess and manage cyber riskHow to assess and manage cyber risk
How to assess and manage cyber risk
 
Addressing the cyber kill chain
Addressing the cyber kill chainAddressing the cyber kill chain
Addressing the cyber kill chain
 
INCIDENT RESPONSE OVERVIEW
INCIDENT RESPONSE OVERVIEWINCIDENT RESPONSE OVERVIEW
INCIDENT RESPONSE OVERVIEW
 
Does Anyone Remember Enterprise Security Architecture?
Does Anyone Remember Enterprise Security Architecture?Does Anyone Remember Enterprise Security Architecture?
Does Anyone Remember Enterprise Security Architecture?
 
Cyber threat intelligence ppt
Cyber threat intelligence pptCyber threat intelligence ppt
Cyber threat intelligence ppt
 
Threat Intelligence in Cyber Risk Programs
Threat Intelligence in Cyber Risk ProgramsThreat Intelligence in Cyber Risk Programs
Threat Intelligence in Cyber Risk Programs
 
Chapter2 the need to security
Chapter2 the need to securityChapter2 the need to security
Chapter2 the need to security
 
SOC and SIEM.pptx
SOC and SIEM.pptxSOC and SIEM.pptx
SOC and SIEM.pptx
 
Cyber Threat Hunting Workshop
Cyber Threat Hunting WorkshopCyber Threat Hunting Workshop
Cyber Threat Hunting Workshop
 
NIST SP 800 30 Flow Chart
NIST SP 800 30 Flow ChartNIST SP 800 30 Flow Chart
NIST SP 800 30 Flow Chart
 

Destaque

Mapping the Enterprise Threat, Risk, and Security Control Landscape with Splunk
Mapping the Enterprise Threat, Risk, and Security Control Landscape with SplunkMapping the Enterprise Threat, Risk, and Security Control Landscape with Splunk
Mapping the Enterprise Threat, Risk, and Security Control Landscape with SplunkAndrew Gerber
 
NYC Workshop: Improving the Business Value of your Service Management Program
NYC Workshop: Improving the Business Value of your Service Management ProgramNYC Workshop: Improving the Business Value of your Service Management Program
NYC Workshop: Improving the Business Value of your Service Management ProgramNavvia
 
Incident Response: Validation, Containment & Forensics
Incident Response: Validation, Containment & Forensics Incident Response: Validation, Containment & Forensics
Incident Response: Validation, Containment & ForensicsPriyanka Aash
 
Black Hat 2014: Don’t be a Target: Everything You Know About Vulnerability Pr...
Black Hat 2014: Don’t be a Target: Everything You Know About Vulnerability Pr...Black Hat 2014: Don’t be a Target: Everything You Know About Vulnerability Pr...
Black Hat 2014: Don’t be a Target: Everything You Know About Vulnerability Pr...Skybox Security
 
Measuring method complexity of the case management modeling and notation (CMMN)
Measuring method complexity of the case management modeling and notation (CMMN)Measuring method complexity of the case management modeling and notation (CMMN)
Measuring method complexity of the case management modeling and notation (CMMN)Mike Marin
 
IT Solutions Provider in Kosovo uses Bandwidth monitoring, NetFlow Analyzer
IT Solutions Provider in Kosovo uses Bandwidth monitoring, NetFlow AnalyzerIT Solutions Provider in Kosovo uses Bandwidth monitoring, NetFlow Analyzer
IT Solutions Provider in Kosovo uses Bandwidth monitoring, NetFlow AnalyzerManageEngine, Zoho Corporation
 
ISACA - China Cybersecurity Law Presentation - Kyle Lai - v3.2
ISACA - China Cybersecurity Law Presentation - Kyle Lai - v3.2ISACA - China Cybersecurity Law Presentation - Kyle Lai - v3.2
ISACA - China Cybersecurity Law Presentation - Kyle Lai - v3.2Kyle Lai
 
Threat Based Risk Assessment
Threat Based Risk AssessmentThreat Based Risk Assessment
Threat Based Risk AssessmentMichael Lines
 
NIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An OverviewNIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An OverviewTandhy Simanjuntak
 
QRadar, ArcSight and Splunk
QRadar, ArcSight and Splunk QRadar, ArcSight and Splunk
QRadar, ArcSight and Splunk M sharifi
 
Visual Design with Data
Visual Design with DataVisual Design with Data
Visual Design with DataSeth Familian
 

Destaque (12)

Mapping the Enterprise Threat, Risk, and Security Control Landscape with Splunk
Mapping the Enterprise Threat, Risk, and Security Control Landscape with SplunkMapping the Enterprise Threat, Risk, and Security Control Landscape with Splunk
Mapping the Enterprise Threat, Risk, and Security Control Landscape with Splunk
 
NYC Workshop: Improving the Business Value of your Service Management Program
NYC Workshop: Improving the Business Value of your Service Management ProgramNYC Workshop: Improving the Business Value of your Service Management Program
NYC Workshop: Improving the Business Value of your Service Management Program
 
ETIS Information Security Benchmark Successful Practices in telco security
ETIS Information Security Benchmark Successful Practices in telco securityETIS Information Security Benchmark Successful Practices in telco security
ETIS Information Security Benchmark Successful Practices in telco security
 
Incident Response: Validation, Containment & Forensics
Incident Response: Validation, Containment & Forensics Incident Response: Validation, Containment & Forensics
Incident Response: Validation, Containment & Forensics
 
Black Hat 2014: Don’t be a Target: Everything You Know About Vulnerability Pr...
Black Hat 2014: Don’t be a Target: Everything You Know About Vulnerability Pr...Black Hat 2014: Don’t be a Target: Everything You Know About Vulnerability Pr...
Black Hat 2014: Don’t be a Target: Everything You Know About Vulnerability Pr...
 
Measuring method complexity of the case management modeling and notation (CMMN)
Measuring method complexity of the case management modeling and notation (CMMN)Measuring method complexity of the case management modeling and notation (CMMN)
Measuring method complexity of the case management modeling and notation (CMMN)
 
IT Solutions Provider in Kosovo uses Bandwidth monitoring, NetFlow Analyzer
IT Solutions Provider in Kosovo uses Bandwidth monitoring, NetFlow AnalyzerIT Solutions Provider in Kosovo uses Bandwidth monitoring, NetFlow Analyzer
IT Solutions Provider in Kosovo uses Bandwidth monitoring, NetFlow Analyzer
 
ISACA - China Cybersecurity Law Presentation - Kyle Lai - v3.2
ISACA - China Cybersecurity Law Presentation - Kyle Lai - v3.2ISACA - China Cybersecurity Law Presentation - Kyle Lai - v3.2
ISACA - China Cybersecurity Law Presentation - Kyle Lai - v3.2
 
Threat Based Risk Assessment
Threat Based Risk AssessmentThreat Based Risk Assessment
Threat Based Risk Assessment
 
NIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An OverviewNIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An Overview
 
QRadar, ArcSight and Splunk
QRadar, ArcSight and Splunk QRadar, ArcSight and Splunk
QRadar, ArcSight and Splunk
 
Visual Design with Data
Visual Design with DataVisual Design with Data
Visual Design with Data
 

Semelhante a NIST Cybersecurity Framework Cross Reference

Cybersecurity Framework - What are Pundits Saying?
Cybersecurity Framework - What are Pundits Saying?Cybersecurity Framework - What are Pundits Saying?
Cybersecurity Framework - What are Pundits Saying?Jim Meyer
 
insert narrationTitleCMIT 421 Section #Student Na
insert narrationTitleCMIT 421 Section #Student Nainsert narrationTitleCMIT 421 Section #Student Na
insert narrationTitleCMIT 421 Section #Student NaTatianaMajor22
 
insert narrationTitleCMIT 421 Section #Student Na
insert narrationTitleCMIT 421 Section #Student Nainsert narrationTitleCMIT 421 Section #Student Na
insert narrationTitleCMIT 421 Section #Student NaLaticiaGrissomzz
 
TEC/W. Capra Cyber Security and Risk Management Roundtable - January 2016 Sum...
TEC/W. Capra Cyber Security and Risk Management Roundtable - January 2016 Sum...TEC/W. Capra Cyber Security and Risk Management Roundtable - January 2016 Sum...
TEC/W. Capra Cyber Security and Risk Management Roundtable - January 2016 Sum...WCapra
 
Building Risk Management into Enterprise Architecture
Building Risk Management into Enterprise ArchitectureBuilding Risk Management into Enterprise Architecture
Building Risk Management into Enterprise Architectureiasaglobal
 
Please don’t give me a two to three sentence replies. It has to lo.docx
Please don’t give me a two to three sentence replies. It has to lo.docxPlease don’t give me a two to three sentence replies. It has to lo.docx
Please don’t give me a two to three sentence replies. It has to lo.docxmattjtoni51554
 
Webinar: Get Ready to Detect, Respond & Recover from a Cyber Attack
Webinar: Get Ready to Detect, Respond & Recover from a Cyber AttackWebinar: Get Ready to Detect, Respond & Recover from a Cyber Attack
Webinar: Get Ready to Detect, Respond & Recover from a Cyber AttackAujas
 
Deliverables Step-12 SLA 3-5 pages
Deliverables Step-12 SLA 3-5 pages Deliverables Step-12 SLA 3-5 pages
Deliverables Step-12 SLA 3-5 pages LinaCovington707
 
Akamai 2018 Spring state of the Internet security report
Akamai 2018 Spring state of the Internet security reportAkamai 2018 Spring state of the Internet security report
Akamai 2018 Spring state of the Internet security reportYuriy Yuzifovich
 
A recommendation for software development responses for future
A recommendation for software development responses for futureA recommendation for software development responses for future
A recommendation for software development responses for futureMax Justice
 
D e c e m b e r 2 0 1 4 J O U R N A L O F I N T E R N E T
D e c e m b e r 2 0 1 4 J O U R N A L O F I N T E R N E T D e c e m b e r 2 0 1 4 J O U R N A L O F I N T E R N E T
D e c e m b e r 2 0 1 4 J O U R N A L O F I N T E R N E T OllieShoresna
 
BOMs Away - Why everyone needs a BOM (AppSec Cali 2019)
BOMs Away - Why everyone needs a BOM (AppSec Cali 2019)BOMs Away - Why everyone needs a BOM (AppSec Cali 2019)
BOMs Away - Why everyone needs a BOM (AppSec Cali 2019)Steve Springett
 
10 Questions for the C-Suite in Assessing Cyber Risk
10 Questions for the C-Suite in Assessing Cyber Risk10 Questions for the C-Suite in Assessing Cyber Risk
10 Questions for the C-Suite in Assessing Cyber RiskMark Gibson
 
McAfee Labs 2017 Threats Predictions
McAfee Labs 2017 Threats PredictionsMcAfee Labs 2017 Threats Predictions
McAfee Labs 2017 Threats PredictionsMatthew Rosenquist
 
Module 2 - Cybersecurity On the Defense.pdf
Module 2 - Cybersecurity On the Defense.pdfModule 2 - Cybersecurity On the Defense.pdf
Module 2 - Cybersecurity On the Defense.pdfHumphrey Humphrey
 
For Public_ Cybersecurity_ Frameworks, Fundamentals, and Foundations 2023.pdf
For Public_ Cybersecurity_ Frameworks, Fundamentals, and Foundations 2023.pdfFor Public_ Cybersecurity_ Frameworks, Fundamentals, and Foundations 2023.pdf
For Public_ Cybersecurity_ Frameworks, Fundamentals, and Foundations 2023.pdfJustinBrown267905
 
Speaker Kiersten E. Todt, President and Managing Partner, Liberty Group Ventu...
Speaker Kiersten E. Todt, President and Managing Partner, Liberty Group Ventu...Speaker Kiersten E. Todt, President and Managing Partner, Liberty Group Ventu...
Speaker Kiersten E. Todt, President and Managing Partner, Liberty Group Ventu...Investorideas.com
 
Risksense: 7 Experts on Threat and Vulnerability Management
Risksense: 7 Experts on Threat and Vulnerability ManagementRisksense: 7 Experts on Threat and Vulnerability Management
Risksense: 7 Experts on Threat and Vulnerability ManagementMighty Guides, Inc.
 

Semelhante a NIST Cybersecurity Framework Cross Reference (20)

Cybersecurity Framework - What are Pundits Saying?
Cybersecurity Framework - What are Pundits Saying?Cybersecurity Framework - What are Pundits Saying?
Cybersecurity Framework - What are Pundits Saying?
 
insert narrationTitleCMIT 421 Section #Student Na
insert narrationTitleCMIT 421 Section #Student Nainsert narrationTitleCMIT 421 Section #Student Na
insert narrationTitleCMIT 421 Section #Student Na
 
insert narrationTitleCMIT 421 Section #Student Na
insert narrationTitleCMIT 421 Section #Student Nainsert narrationTitleCMIT 421 Section #Student Na
insert narrationTitleCMIT 421 Section #Student Na
 
TEC/W. Capra Cyber Security and Risk Management Roundtable - January 2016 Sum...
TEC/W. Capra Cyber Security and Risk Management Roundtable - January 2016 Sum...TEC/W. Capra Cyber Security and Risk Management Roundtable - January 2016 Sum...
TEC/W. Capra Cyber Security and Risk Management Roundtable - January 2016 Sum...
 
Building Risk Management into Enterprise Architecture
Building Risk Management into Enterprise ArchitectureBuilding Risk Management into Enterprise Architecture
Building Risk Management into Enterprise Architecture
 
Please don’t give me a two to three sentence replies. It has to lo.docx
Please don’t give me a two to three sentence replies. It has to lo.docxPlease don’t give me a two to three sentence replies. It has to lo.docx
Please don’t give me a two to three sentence replies. It has to lo.docx
 
Webinar: Get Ready to Detect, Respond & Recover from a Cyber Attack
Webinar: Get Ready to Detect, Respond & Recover from a Cyber AttackWebinar: Get Ready to Detect, Respond & Recover from a Cyber Attack
Webinar: Get Ready to Detect, Respond & Recover from a Cyber Attack
 
Deliverables Step-12 SLA 3-5 pages
Deliverables Step-12 SLA 3-5 pages Deliverables Step-12 SLA 3-5 pages
Deliverables Step-12 SLA 3-5 pages
 
Akamai 2018 Spring state of the Internet security report
Akamai 2018 Spring state of the Internet security reportAkamai 2018 Spring state of the Internet security report
Akamai 2018 Spring state of the Internet security report
 
A recommendation for software development responses for future
A recommendation for software development responses for futureA recommendation for software development responses for future
A recommendation for software development responses for future
 
D e c e m b e r 2 0 1 4 J O U R N A L O F I N T E R N E T
D e c e m b e r 2 0 1 4 J O U R N A L O F I N T E R N E T D e c e m b e r 2 0 1 4 J O U R N A L O F I N T E R N E T
D e c e m b e r 2 0 1 4 J O U R N A L O F I N T E R N E T
 
BOMs Away - Why everyone needs a BOM (AppSec Cali 2019)
BOMs Away - Why everyone needs a BOM (AppSec Cali 2019)BOMs Away - Why everyone needs a BOM (AppSec Cali 2019)
BOMs Away - Why everyone needs a BOM (AppSec Cali 2019)
 
10 Questions for the C-Suite in Assessing Cyber Risk
10 Questions for the C-Suite in Assessing Cyber Risk10 Questions for the C-Suite in Assessing Cyber Risk
10 Questions for the C-Suite in Assessing Cyber Risk
 
McAfee Labs 2017 Threats Predictions
McAfee Labs 2017 Threats PredictionsMcAfee Labs 2017 Threats Predictions
McAfee Labs 2017 Threats Predictions
 
Isaca journal volume-2-2017_AgileAudit
Isaca journal volume-2-2017_AgileAuditIsaca journal volume-2-2017_AgileAudit
Isaca journal volume-2-2017_AgileAudit
 
Module 2 - Cybersecurity On the Defense.pdf
Module 2 - Cybersecurity On the Defense.pdfModule 2 - Cybersecurity On the Defense.pdf
Module 2 - Cybersecurity On the Defense.pdf
 
For Public_ Cybersecurity_ Frameworks, Fundamentals, and Foundations 2023.pdf
For Public_ Cybersecurity_ Frameworks, Fundamentals, and Foundations 2023.pdfFor Public_ Cybersecurity_ Frameworks, Fundamentals, and Foundations 2023.pdf
For Public_ Cybersecurity_ Frameworks, Fundamentals, and Foundations 2023.pdf
 
Speaker Kiersten E. Todt, President and Managing Partner, Liberty Group Ventu...
Speaker Kiersten E. Todt, President and Managing Partner, Liberty Group Ventu...Speaker Kiersten E. Todt, President and Managing Partner, Liberty Group Ventu...
Speaker Kiersten E. Todt, President and Managing Partner, Liberty Group Ventu...
 
Risksense: 7 Experts on Threat and Vulnerability Management
Risksense: 7 Experts on Threat and Vulnerability ManagementRisksense: 7 Experts on Threat and Vulnerability Management
Risksense: 7 Experts on Threat and Vulnerability Management
 
ISACA 2016 Application Security RGJ
ISACA 2016 Application Security RGJISACA 2016 Application Security RGJ
ISACA 2016 Application Security RGJ
 

Último

Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingEdi Saputra
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...apidays
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024The Digital Insurer
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024The Digital Insurer
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWERMadyBayot
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDropbox
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Zilliz
 
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...apidays
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024The Digital Insurer
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...Zilliz
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdflior mazor
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfOverkill Security
 

Último (20)

Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
 
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
 

NIST Cybersecurity Framework Cross Reference

  • 1. NIST Cybersecurity Framework Cross Referenced April, 2016 Prepared by: Jim Bothe & Jim Meyer © Copyright 2016 J2 Coordinated Response, LLC All rights Reserved.
  • 2. NIST Cybersecurity Framework Cross Reference  Objective – To produce a meaningful cybersecurity assessment; and – In a reasonable amount of time.  But, the NIST subcategories need to be cross referenced – Many are related and – Many are interdependent.  Logical groupings should make the assessment easier. LinkedIn 4/16/2016 © 2016 J2 Coordinated Response, LLC. All Rights Reserved. Page: 2
  • 3. Functions / Categories / Subcategories 5 6 3 5 3 Categories Identify Protect Detect Respond Recover © 2016 J2 Coordinated Response, LLC. All Rights Reserved. 24 35 18 15 6 Subcategories ISACA CMC April 13, 2016 Page: 3 NIST Cybersecurity Framework
  • 4. Dependencies / Other Relationships  Identify relationships between Groups – One Group provides input to another. – The second Group is possibly constrained by the first. – Or the other Gambit is dependent on the first – In either case, weakness in the first limits strength in the second  A subcategory in 1 Group – May have interdependencies with another subcategory in the Group. – May have interdependencies with a subcategory in another. – These details are left to the assessor to recognize (at least for now). LinkedIn 4/16/2016 © 2016 J2 Coordinated Response, LLC. All Rights Reserved. Page: 4
  • 5. Establish Risk Tolerance / Prioritize Assets LinkedIn 4/16/2016 © 2016 J2 Coordinated Response, LLC. All Rights Reserved. Page: 5 NOTE: Operational drivers inform risk tolerance and the identification of CRITICAL IT assets.
  • 6. Risk – Assess, Address, Manage LinkedIn 4/16/2016 © 2016 J2 Coordinated Response, LLC. All Rights Reserved. Page: 6
  • 7. Roles and Responsibilities LinkedIn 4/16/2016 © 2016 J2 Coordinated Response, LLC. All Rights Reserved. Page: 7
  • 8. Access Control & Data Protection LinkedIn 4/16/2016 © 2016 J2 Coordinated Response, LLC. All Rights Reserved. Page: 8
  • 9. Configuration Management LinkedIn 4/16/2016 © 2016 J2 Coordinated Response, LLC. All Rights Reserved. Page: 9
  • 10. An Observation The groups identified thus far form the foundation of an effective cybersecurity architecture.  Establish Risk Tolerance, Prioritize Assets.  Risk – Address, Assess, Manage.  Roles and Responsibilities – well defined or not.  Configuration Management – defines what you are protecting. Recognize what is important and protect it – 53 subcategories. The remaining groups are:  Detect, Respond, Recover, Improve – 45 subcategories. NOTE: key dependencies are identified in these groups. © 2016 J2 Coordinated Response, LLC. All Rights Reserved. ISACA CMC April 13, 2016 Page: 10
  • 11. Monitor & Detect Events LinkedIn 4/16/2016 © 2016 J2 Coordinated Response, LLC. All Rights Reserved. Page: 11
  • 12. Respond LinkedIn 4/16/2016 © 2016 J2 Coordinated Response, LLC. All Rights Reserved. Page: 12
  • 13. Recover LinkedIn 4/16/2016 © 2016 J2 Coordinated Response, LLC. All Rights Reserved. Page: 13
  • 14. Improve LinkedIn 4/16/2016 © 2016 J2 Coordinated Response, LLC. All Rights Reserved. Page: 14
  • 15. Risk – Assess, Address, Manage LinkedIn 4/16/2016 © 2016 J2 Coordinated Response, LLC. All Rights Reserved. Page: 15
  • 16. Summary  Logical groups provide improve efficiency and meaning.  Categories often contain activities performed in different ways, by different individuals.  Organizations should create their sense of logical groups. LinkedIn 4/16/2016 © 2016 J2 Coordinated Response, LLC. All Rights Reserved. Page: 16