In the United States, the National Institute of Standards and Technology (NIST) has a number of responsibilities, but for our purposes the area of interest is information technology and security. And the part I want to look at here is the NIST Cybersecurity Framework. This sets standards for best practices that private companies are urged to adopt, and Federal government agencies are also directed to follow these guidelines, though actual compliance is spotty in all cases. As we have discussed previously in looking at security, there is always a conflict at the individual level between security and ease of use. When you get to the organizational level, you can add in cost and other resources (staff resources, for instance) as reasons why compliance might be less than desired. This is not necessarily a bad thing, since resources are not infinite and you need to choose priorities. I simply note that the full list of recommendations in the Cybersecurity Framework is not likely to be met by many (any?) organizations. Still, they are a useful look at one group’s take on what the best practices are. And in a period where most critical infrastructure is controlled by computers, security of those devices becomes pretty important.
If you want to read the document for yourself, it is at https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
The key term in understanding this approach is risk management. This does not always mean adopting strict measures. Conceptually, the responses to risk are 1. Mitigation; 2. Insurance; or 3. Accepting. Mitigation is what we normally think of as a response to risk, but insuring against the outcome or simply accepting that something may happen are valid as well. And deciding which way to approach the risk usually starts with a calculation involving both the probability of an occurrence and the cost if it happens. If a risk has a low probability of occurring and a low cost if it does occur, it is entirely rational to just accept the risk.
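To make that probability-times-cost calculation concrete, here is an added example (mine, not from the Framework or from this post) that prices each of the three responses for a few constructed risks and picks the one with the lowest expected annual cost. Everything in it is an assumption for illustration: the dollar figures, the idea that a control only lowers the probability to a residual level rather than removing the risk, and the insurance model (an annual premium plus a deductible the organization still bears on each event).

```python
"""Pick a response to each risk: mitigate, insure or accept.

Added example; the figures below are constructed, not from NIST.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    probability: float            # annual probability that the event occurs
    cost: float                   # loss if it does occur
    mitigation_cost: float        # annual cost of the control (assumption: a control
    mitigated_probability: float  # only lowers probability to this residual level)
    premium: float                # annual insurance premium (assumption: the insurer
    deductible: float             # pays all but this deductible on each event)


RESPONSES = ("accept", "mitigate", "insure")


def annual_cost(risk: Risk, response: str) -> float:
    """Expected annual cost of handling `risk` with the given response."""
    if response == "accept":
        # Nothing is spent up front; the expected loss is probability x cost.
        return risk.probability * risk.cost
    if response == "mitigate":
        # Pay for the control, plus the residual expected loss it leaves behind.
        return risk.mitigation_cost + risk.mitigated_probability * risk.cost
    if response == "insure":
        # Pay the premium, plus the expected share of losses the insurer does not cover.
        return risk.premium + risk.probability * risk.deductible
    raise ValueError(f"unknown response: {response}")


def choose_response(risk: Risk) -> tuple[str, float]:
    """Return the response with the lowest expected annual cost, and that cost."""
    costs = {r: annual_cost(risk, r) for r in RESPONSES}
    best = min(RESPONSES, key=costs.get)
    return best, costs[best]


# Constructed sample register: three risks that each end up with a different answer.
SAMPLE_RISKS = [
    Risk("ransomware on file server", 0.10, 500_000, 20_000, 0.02, 30_000, 50_000),
    Risk("laptop theft", 0.30, 2_000, 5_000, 0.05, 1_500, 500),
    Risk("data center fire", 0.01, 3_000_000, 200_000, 0.001, 25_000, 100_000),
]


def build_plan(risks=SAMPLE_RISKS) -> dict[str, tuple[str, float]]:
    """Map each risk name to its chosen response and expected annual cost."""
    return {risk.name: choose_response(risk) for risk in risks}


if __name__ == "__main__":
    for name, (response, cost) in build_plan().items():
        print(f"{name:28s} -> {response:8s} (expected annual cost {cost:,.0f})")
```

With these numbers the ransomware risk is cheapest to mitigate, the laptop theft is cheap enough to simply accept, and the rare but very expensive fire is best insured. The point is the shape of the comparison, not the figures: an organization that never writes down probability and cost cannot tell which of the three answers is the rational one.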
The organizations that are the target here are “critical infrastructure,” which can be both public and private in the U.S. Private organizations are encouraged to follow these recommendations, but a Presidential Order in 2017 directed all Federal agencies to follow them.
The Framework has three major components:
- The Framework Core, which defines a common set of practices and outcomes for security.
- Framework Implementation Tiers, which focus on risk management practices.
- A Framework Profile, which lets organizations assess their current state, compare it to a desired future state, and identify opportunities for improvement.
The Framework Core
“The Framework provides a common language for understanding, managing, and expressing cybersecurity risk to internal and external stakeholders. It can be used to help identify and prioritize actions for reducing cybersecurity risk, and it is a tool for aligning policy, business, and technological approaches to managing that risk. It can be used to manage cybersecurity risk across entire organizations or it can be focused on the delivery of critical services within an organization. Different types of entities – including sector coordinating structures, associations, and organizations – can use the Framework for different purposes, including the creation of common Profiles” – Framework, p.13
The Framework Core has 5 core functions:
- Identify – This covers both the identification of risks and the identification of the resources available to deal with them.
- Protect – This means to put safeguards in place to limit or contain the impact of a cybersecurity event.
- Detect – These activities involve security monitoring, detecting anomalies, and so on.
- Respond – Take appropriate action to contain the impact of a potential cybersecurity incident.
- Recover – This is the resilience part. You need to be able to restore normal operations and capabilities as quickly as possible.
Framework Implementation Tiers
These are all about the degree of sophistication in cybersecurity risk management practices. The document states that these tiers do not represent maturity levels, but I have to admit I am not sure where the distinction lies, since it sure sounds to me like they are maturity levels.
Tier 1 – Partial
At this level, risk management practices are not formalized, and risks are managed in an ad hoc or reactive manner. Cybersecurity practices are not guided by risk objectives, the threat environment, or business requirements. There is limited awareness of cybersecurity risk at the organization level, and events are handled on a case-by-case basis. Information may not be shared within the organization. The organization views its risks in isolation, and does not share information or collaborate with other entities. It does not see itself as part of an ecosystem.
Tier 2 – Risk Informed
There are formal risk management policies that are approved by management, and prioritization of cybersecurity activities is informed by organizational risk objectives and the threat environment. There is an awareness of cybersecurity risk but no organization-wide program. Cybersecurity information is shared within the organization, but informally. There is some level of awareness of other organizations in the ecosystem, and some information sharing going on, but not in any formal way.
Tier 3 – Repeatable
Risk management is expressed as formal policies. Cybersecurity practices are regularly updated in response to changing business needs, a changing threat environment, and changing technology. There is an organization-wide approach to manage cybersecurity risk, and policies are regularly reviewed and consistently applied. The organization collaborates with other organizations in the ecosystem, upstream, downstream, and horizontally. Information is shared with all of these entities.
Tier 4 – Adaptive
Cybersecurity practices undergo continuous improvement in response to lessons learned and predictive indicators. There is a formal, organization-wide approach to managing cybersecurity risk, and senior management monitors this just as they monitor financial risks and other organizational risks. The organization is part of a larger community, and contributes to that community to help everyone understand the risks.
The Framework Profile
The Framework Profile aligns the Functions (Identify, Protect, Detect, Respond, Recover) with the business requirements, risk tolerance, and resources of the organization. By analyzing the present state in comparison to the desired future state, a roadmap can be developed for making improvements to achieve that desired state. A comparison of the Current Profile with the Target Profile will reveal gaps that suggest a way to move forward. Again, the overall approach is based on risk management, so it is expected that some degree of prioritization will occur, and some risks may be simply accepted or insured rather than mitigated. The point is to have a formal, evidence-based approach to building the roadmap.
Using the Framework
The Framework can be employed in a number of ways.
- Basic review of cybersecurity practices: Comparing an organization’s practices with those in the Framework Core can identify areas for improvement.
- Establish or improve a cybersecurity program:
  - Prioritize and Scope – Assess business objectives and organizational priorities.
  - Orient – Identify related systems and assets, regulatory requirements, and the overall risk approach.
  - Create a Current Profile – This is the beginning: where are we starting from?
  - Conduct a risk assessment – Analyze both the probability and the cost of possible cybersecurity events.
  - Create a Target Profile – Where do we want to be in the future?
  - Determine, Analyze, and Prioritize Gaps – Create a plan to move from where we are now to where we want to be in the future.
  - Implement Action Plan – So get on with it!
  - Repeat for continuous improvement!
- Communicating Cybersecurity Requirements with Stakeholders:
  - Current Profiles are useful for reporting to management, for example.
  - Target Profiles can function as requirements documents for dealing with business partners, suppliers, etc. Supply Chain Risk Management (SCRM) has become a critical organizational function.
  - Target Profiles can also help align activities within an organization.
- Buying Decisions – Your Target Profile can help you make the right purchasing decisions.
- Identifying Opportunities for New or Revised Informative References – If an organization has identified a priority for action but finds few or inadequate Informative References, it can collaborate with other organizations in the ecosystem to develop better reference materials.
- Methodology to Protect Privacy and Civil Liberties – Cybersecurity can sometimes involve the collection of information from individuals, and that can mean privacy and civil liberty concerns. Since these can turn into liabilities for the organization, a formal approach to guarding privacy is important.
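The Current-versus-Target comparison described under the Framework Profile, and the Create Current Profile / Create Target Profile / Determine, Analyze, and Prioritize Gaps steps of the program-building process above, are easy to sketch in code. What follows is an added example of mine, not tooling from NIST or from this post. The subcategory identifiers (ID.AM-1, PR.AC-1, DE.CM-1, RS.RP-1, RC.RP-1) are real CSF 1.1 identifiers with loosely paraphrased summaries; the 0-to-4 implementation scores, the business priorities standing in for the risk assessment step, and the ordering rule are all constructed assumptions for illustration.

```python
"""Current-vs-Target Profile gap analysis and a prioritized roadmap.

Added example. Subcategory identifiers are from CSF 1.1; the 0-4
implementation scores and the business priorities are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Outcome:
    subcategory: str  # CSF 1.1 subcategory identifier
    function: str     # the Function (Identify, Protect, ...) it belongs to
    summary: str      # short paraphrase of the outcome


OUTCOMES = [
    Outcome("ID.AM-1", "Identify", "physical devices and systems are inventoried"),
    Outcome("PR.AC-1", "Protect", "identities and credentials are managed"),
    Outcome("DE.CM-1", "Detect", "the network is monitored for potential events"),
    Outcome("RS.RP-1", "Respond", "the response plan is executed during or after an incident"),
    Outcome("RC.RP-1", "Recover", "the recovery plan is executed during or after an incident"),
]

# Implementation score per outcome on a constructed scale:
# 0 = not implemented ... 4 = implemented and regularly reviewed.
CURRENT_PROFILE = {"ID.AM-1": 2, "PR.AC-1": 1, "DE.CM-1": 0, "RS.RP-1": 1, "RC.RP-1": 3}
TARGET_PROFILE = {"ID.AM-1": 3, "PR.AC-1": 4, "DE.CM-1": 3, "RS.RP-1": 3, "RC.RP-1": 3}

# Output of the risk assessment step (constructed): business priority 1 (low) .. 3 (high).
PRIORITY = {"ID.AM-1": 2, "PR.AC-1": 3, "DE.CM-1": 3, "RS.RP-1": 2, "RC.RP-1": 1}


def gap_analysis(current: dict, target: dict) -> dict:
    """Subcategories where the Target Profile exceeds the Current Profile, with the gap size."""
    gaps = {}
    for subcategory, wanted in target.items():
        have = current.get(subcategory, 0)  # an unassessed outcome counts as not implemented
        if wanted > have:                   # already at or above target is not a gap
            gaps[subcategory] = wanted - have
    return gaps


def roadmap(current: dict, target: dict, priority: dict) -> list:
    """Order the gaps: highest business priority first, then largest gap, then by id."""
    gaps = gap_analysis(current, target)
    return sorted(gaps, key=lambda s: (-priority.get(s, 1), -gaps[s], s))


def function_summary(current: dict, target: dict, outcomes=OUTCOMES) -> dict:
    """Per-Function (current, target) score totals, the kind of view reported to management."""
    totals = {}
    for outcome in outcomes:
        have, want = totals.get(outcome.function, (0, 0))
        totals[outcome.function] = (
            have + current.get(outcome.subcategory, 0),
            want + target.get(outcome.subcategory, 0),
        )
    return totals


if __name__ == "__main__":
    summaries = {o.subcategory: o.summary for o in OUTCOMES}
    print("Roadmap (highest priority first):")
    for subcategory in roadmap(CURRENT_PROFILE, TARGET_PROFILE, PRIORITY):
        gap = TARGET_PROFILE[subcategory] - CURRENT_PROFILE.get(subcategory, 0)
        print(f"  {subcategory}: close gap of {gap} ({summaries[subcategory]})")
    print("Per-Function score (current/target):")
    for function, (have, want) in function_summary(CURRENT_PROFILE, TARGET_PROFILE).items():
        print(f"  {function:9s} {have}/{want}")
```

Two details are deliberate. An outcome missing from the Current Profile is scored as not implemented rather than skipped, so an incomplete assessment surfaces as a gap instead of disappearing. And an outcome already at or above its target produces no action, which is how the roadmap stays a list of real gaps rather than a restatement of the whole Target Profile.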
Self-Assessing Cybersecurity Risk with the Framework
The idea of this Framework is not to be prescriptive, but rather to provide a way for organizations to self-improve in whatever ways are most appropriate for them. The specific constellation of threats and risks faced by each organization can be different. So the idea is to use the Framework to move towards a desired future state that you determine.
Listen to the audio version of this post on Hacker Public Radio!