A presentation given to the Central Texas chapter of the ISSA. We introduce the Cybersecurity Framework, compare it to an existing standard defining information security controls and management system requirements (ISO/IEC 27001), and provide some thoughts on what's next and where to find accompanying resources.
NIST's Cybersecurity Framework -- Comparison with Best Practice
1. Comparing NIST's Cybersecurity Framework with Best Practice
David Ochel
email: david@secuilibrium.com
Twitter: @lostgravity
2014-03-31
This work is licensed under a Creative Commons Attribution 4.0 International License.
2. Agenda
• Introduction to the Cybersecurity Framework (CSF)
– Motivation
– Organization
– Major elements and core principles
• CSF and Best Practice
– What is Best Practice?
– Comparing CSF with ISO/IEC 27001
– Particularities of critical infrastructure protection
• Some Musings
– Future of the CSF
– Resources
– Texas
– Information Security Management Maturity
Cybersecurity Framework / Best Practice, Page 2
4. Motivation
• Critical Infrastructure
– Vital infrastructure – private and public operators
– Lack of availability would have “debilitating impact” on the nation’s security, economy, public health, safety…
• Executive Order 13636; February 12, 2013
– Threat information sharing
– NIST: Baseline Framework to reduce cyber risk
• “Standards, methodologies, procedures and processes that align policy, business, and technological approaches…”
– Voluntary Critical Infrastructure Cybersecurity Program
– …
8. Framework Profiles
• Describe current or desired state of “cybersecurity activities”
• Align controls with “business requirements, risk tolerance, and resources”
• No templates or format provided
9. Framework Tiers
• Tiers indicate maturity of:
– Risk management process
– Integrated Risk Management Program
– External Participation
• “do not represent maturity levels”!?
• Tiers (defined on 1/3 of a page each)
– 1: Partial
– 2: Risk Informed
– 3: Repeatable
– 4: Adaptive
10. CSF AND BEST PRACTICE
11. Information Security Controls – Attributes of Best Practice?!
• Benchmark
• Requirements catalog
• Comprehensive
• Accepted
• Industry standard
• But not cutting edge / best in class?
• Auditable
• …?
12. IT Security: Control Frameworks
Regulatory (mostly industry-specific?)
• HIPAA
• SOX (arguably)
• NERC CIP
• …
“Pseudo Regulatory” (contractually enforced)
• PCI DSS (etc.)
• SSAE 16
• …
Voluntary
• NIST Cybersecurity Framework
• Texas Cybersecurity Framework*
• NIST SP 800-53*
• ISO/IEC 27001
• ISF Standard of Good Practice
• …
* Mandatory for certain government agencies.
14. CSF and 27001 – Commonalities
• Voluntary
• Catalog of information security controls
– Small differences in emphasis
– Method to document control selection (“profile” vs. “statement of applicability”)
• No built-in risk assessment methodology
• Scope definition expected/required
15. CSF and 27001 – Differences
Cybersecurity Framework
✓ Rudimentary maturity tiers
✓ Even basic requirements are optional
✓ Potential for agility
ISO/IEC 27001
✓ Clear documentation requirements
✓ Mandatory management system requirements
✓ Exclusion of controls requires justification
✓ Established certification schemes
✓ Well-defined terminology
16. Which parts of the CSF are unique to ICS environments?
• Tiers?
– Nope. (Generic description of risk management and information sharing “maturity”.)
• Core?
– Nope. (Introduction acknowledges that IT and ICS environments and considerations differ. But the (sub-)categories do not specifically address this.)
• Profiles?
– Nope. (Just a way to catalog current and desired selection of controls.)
19. The Future of the CSF…
• …might be bright?
– Just another controls framework
– But with potential!
• Incentives
– So far DHS offers managed services to local/state governments
– Private industry… yet to come?
• NIST Roadmap for framework development
– Areas for development, alignment, and collaboration
20. Resources
• Information Sharing
– Information Sharing and Analysis Centers (ISACs)
– InfraGard partnership
• US-CERT’s Critical Infrastructure Cyber Community (C3) Voluntary Program
– Tools and resources
– (self) assessment, (ICS-)CERTs, training/education, …
• Sector-specific resources!
21. Texas… Since We Are Here
• Texas Cybersecurity Framework
– Requirements for security governance and management
– Mandatory for state agencies
– Controls based on 800-53 controls
• DIR Resources
– http://www2.dir.state.tx.us/security/Pages/security.aspx
22. Security Management – Compliance Is a Start, But…
[Diagram: security management maturity ladder]
Negligence? → Controls-Focused (Due Diligence?) → Risk-Informed (Good Practice) → Risk-Governed
– Where compliance with most control frameworks might get you… (Technology / IT)
– Risk is organization-specific; compliance with control frameworks rarely is!
Compare to SSE-CMM (or others)?
• Continuously Improving
• Quantitatively Controlled
• Well Defined
• Planned and Tracked
• Performed Informally
23. Resources
• NIST Cybersecurity Framework
– http://www.nist.gov/cyberframework/
• US-CERT C3 Voluntary Program
– http://www.us-cert.gov/ccubedvp
• Mapping of 27001 to the CSF
– http://www.secuilibrium.com/1/post/2014/02/comparing-isoiec-27001-with-nists-cybersecurity-framework.html
• Contact:
– David Ochel <david@secuilibrium.com>