In-depth Analysis of NIST's Cybersecurity Framework

In this blog, I opted to look deeper into the Cybersecurity Framework and provide input on the underlying message not visible to the naked eye: the key details of the framework that clearly denote the importance of an Enterprise Level Risk Management Framework.

As someone who has been analyzing data for years, especially NIST guidance since 2006, and an avid proponent of Enterprise Risk Management (ERM), I felt it was necessary to perform an in-depth analysis of the NIST references attached to the framework under each sub-category to extract the underlying message. This is key because the underlying message cannot be fully understood without grasping the items associated with the requirements. Let's start by saying that the framework incorporates requirements from 18 control families. The number of controls required per family is noted in the graphic below:

[Image: NIST-Controls.png (number of controls required per family)]

Within the analysis, the following controls were predominant across the board and are meant to be applied at the Enterprise Level in order for the framework to function properly.

Control Requirement
PM-01 INFORMATION SECURITY PROGRAM PLAN

The organization:

  • Develops and disseminates an organization-wide information security program plan.
  • Reviews the organization-wide information security program plan [Assignment: organization-defined frequency];
  • Updates the plan to address organizational changes and problems identified during plan implementation or security control assessments; and
  • Protects the information security program plan from unauthorized disclosure and modification.

PM-02 SENIOR INFORMATION SECURITY OFFICER

The organization appoints a senior information security officer with the mission and resources to coordinate, develop, implement, and maintain an organization-wide information security program.

PM-03 INFORMATION SECURITY RESOURCES

The Organization:

  • Ensures that all capital planning and investment requests include the resources needed to implement the information security program and documents all exceptions to this requirement;
  • Employs a business case/Exhibit 300/Exhibit 53 to record the resources required; and
  • Ensures that information security resources are available for expenditure as planned.

PM-04 PLAN OF ACTION AND MILESTONES PROCESS

The organization:

  • Implements a process for ensuring that plans of action and milestones for the security program and associated organizational information systems; and
  • Reviews plans of action and milestones for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions.

PM-05 INFORMATION SYSTEM INVENTORY

The organization develops and maintains an inventory of its information systems.

PM-06 INFORMATION SECURITY MEASURES OF PERFORMANCE

The organization develops, monitors, and reports on the results of information security measures of performance.

PM-07 ENTERPRISE ARCHITECTURE

The organization develops an enterprise architecture with consideration for information security and the resulting risk to organizational operations, organizational assets, individuals, other organizations, and the Nation.

PM-08 CRITICAL INFRASTRUCTURE PLAN

The organization addresses information security issues in the development, documentation, and updating of a critical infrastructure and key resources protection plan.

PM-09 RISK MANAGEMENT STRATEGY

The organization:

  • Develops a comprehensive strategy to manage risk to organizational operations and assets, individuals, other organizations, and the Nation associated with the operation and use of information systems;
  • Implements the risk management strategy consistently across the organization; and
  • Reviews and updates the risk management strategy [Assignment: organization-defined frequency] or as required, to address organizational changes.

PM-10 SECURITY AUTHORIZATION PROCESS

The organization:

  • Manages (i.e., documents, tracks, and reports) the security state of organizational information systems and the environments in which those systems operate through security authorization processes;
  • Designates individuals to fulfill specific roles and responsibilities within the organizational risk management process; and
  • Fully integrates the security authorization processes into an organization-wide risk management program.

PM-11 MISSION/BUSINESS PROCESS DEFINITION

The organization:

  • Defines mission/business processes with consideration for information security and the resulting risk to organizational operations, organizational assets, individuals, other organizations, and the Nation; and
  • Determines information protection needs arising from the defined mission/business processes and revises the processes as necessary, until achievable protection needs are obtained.

PM-12 INSIDER THREAT PROGRAM

The organization implements an insider threat program that includes a cross-discipline insider threat incident handling team.

PM-13 INFORMATION SECURITY WORKFORCE

The organization establishes an information security workforce development and improvement program.

PM-14 TESTING, TRAINING, AND MONITORING

The organization:

  • Implements a process for ensuring that organizational plans for conducting security testing, training, and monitoring activities associated with organizational information systems; and
  • Reviews testing, training, and monitoring plans for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions.

PM-15 CONTACTS WITH SECURITY GROUPS AND ASSOCIATIONS

The organization establishes and institutionalizes contact with selected groups and associations within the security community:

  • To facilitate ongoing security education and training for organizational personnel;
  • To maintain currency with recommended security practices, techniques, and technologies; and
  • To share current security-related information including threats, vulnerabilities, and incidents.

PM-16 THREAT AWARENESS PROGRAM

The organization implements a threat awareness program that includes a cross-organization information-sharing capability.

Other Controls

In addition to the key controls above, the following controls are best applied at the Enterprise Level. The majority of the controls noted in this section are NOT SELECTED for any of the FIPS 199 Security Levels (i.e., LOW, MOD, HIGH), but they are now required as part of the Cybersecurity Framework.

Control Requirement
AC-24 Access Control Decisions

The organization establishes procedures to ensure [Assignment: organization-defined access control decisions] are applied to each access request prior to access enforcement.

AU-13 Monitoring for Information Disclosure

The organization monitors [Assignment: organization-defined open source information and/or information sites] [Assignment: organization-defined frequency] for evidence of unauthorized disclosure of organizational information.

AU-16 Cross-Organizational Auditing

The organization employs [Assignment: organization-defined methods] for coordinating [Assignment: organization-defined audit information] among external organizations when audit information is transmitted across organizational boundaries.

IR-09 INFORMATION SPILLAGE RESPONSE

The organization responds to information spills by:

  • Identifying the specific information involved in the information system contamination;
  • Alerting [Assignment: organization-defined personnel or roles] of the information spill using a method of communication not associated with the spill;
  • Isolating the contaminated information system or system component;
  • Eradicating the information from the contaminated information system or component;
  • Identifying other information systems or system components that may have been subsequently contaminated; and
  • Performing other [Assignment: organization-defined actions].

MP-08 MEDIA DOWNGRADING

The organization:

  • Establishes [Assignment: organization-defined information system media downgrading process] that includes employing downgrading mechanisms with [Assignment: organization-defined strength and integrity];
  • Ensures that the information system media downgrading process is commensurate with the security category and/or classification level of the information to be removed and the access authorizations of the potential recipients of the downgraded information;
  • Identifies [Assignment: organization-defined information system media requiring downgrading]; and
  • Downgrades the identified information system media using the established process.

PE-19 INFORMATION LEAKAGE

The organization protects the information system from information leakage due to electromagnetic signals emanations.

CA-09 INTERNAL SYSTEM CONNECTIONS

The organization:

  • Authorizes internal connections of [Assignment: organization-defined information system components or classes of components] to the information system; and
  • Documents, for each internal connection, the interface characteristics, security requirements, and the nature of the information communicated.

Are there other controls impacting the Enterprise Level?

Yes. Outside of the controls noted in this blog, there are a number of other controls that must be implemented at the Enterprise Level; however, I only addressed those controls that clarify the need for an Enterprise Risk Management Framework and those controls that were not previously required but are now required as part of the Cybersecurity Framework.

List of NIST Controls File

A breakdown of the NIST 800-53 controls applicable under the CyberSecurity Framework can be downloaded below:

File type: Excel (download link)

Interested in learning more? Contact us via our site form at https://www.cyberadeptness.com

NOTE: Due to security concerns, we limit our web content to bare bones. Please note that you will receive a response within forty-eight (48) hours or less.

By Karen Baez | on Saturday, September 1 2018 17:29
