NIST Cyber Security Framework Part - 1

NIST Cyber Security Framework Part - 1

Cross post - https://kantikalyan.medium.com/nist-cyber-security-framework-part-1-b9bd659ab094

As mentioned in a previous blog post - Moved to India and Cyber Security, I have started studying the Cybersecurity Risk Management Framework Specialization on Coursera. This specialization has 3 courses:

1) NIST CSF - 4 Hours

2) NIST DoD RMF - 4 Hours

3) NIST 800-171 - 6 Hours

I am I.T business owner, I have worked as lead full stack .Net web developer in the past and have aspirations of software architect. Security awareness and expertise is very helpful in my journey towards software architect or even software security architect (fighting the bad guys - hackers). And in general cyber security awareness is a good thing, so I thought I would briefly summarize what I have learnt, this is in a certain way Tier-4 of NIST Cyber Security Framework i.e actively communicating with stake holders (here I am communicating with general public), proactively learning and benefitting the community (raising cyber security awareness for the general public can be considered as benefitting the community). I would say ALight Technology And Services Limited is at Tier-2 and transitioning towards Tier-3, by the end of Q3 2023, ALight Technology And Services Limited would be at Tier-4. I know I am very ambitious, I have been like that since childhood. One ambitious man's company - ALight Technology And Services Limited.

This is a series of blog posts, when I post more blog articles in this series, I would be updating the links in this blog.

"Cybersecurity" is defined as: 

- the protection of information assets by addressing threats to information processed, stored and transported by inter-networked information systems 

- measures taken to protect the integrity of networks, programs and data against "unauthorized" access, damage or attack 

- the state of being protected against the criminal or unauthorized use of electronic data, or the measures taken to achieve this 

Computer security entails: 

- Cybersecurity 

- Physical security 

Cybersecurity vs. information security 

- Information security deals with information 

○ Paper documents 

○ Digital and intellectual property 

○ Verbal or visual files 

○ Communications (regardless of media) 

- Cybersecurity is concerned with protecting the confidentiality, integrity and availability of digital assets 

○ Networks, hardware or software 

○ Information that is processed, stored or transported by networked information systems 

Cybersecurity consists of the triad known as CIA - Confidentiality, Integrity, Availability

Confidentiality: Different information requires different levels of confidentiality. Personal, financial, and medical information requires higher confidentiality.

Integrity: Integrity is about preventing unauthorized modifications / deletion. Preventing authorized subjects from making unauthorized modifications.

Availability: The assurance that authorized subjects can interact with resources.

Terms & Concepts:

Confidentiality: Prevention of unintentional disclosure 

Integrity: Preventing unauthorized modification 

Availability: Accessible to authorized users 

Auditability: Ability to track and reconstruct events from logs 

Identification: Verification of authorized person or process 

Authentication: Proof Of identification 

Authorization: What can you do 

Nonrepudiation: Cannot deny 

Layered security: Defense in depth 

Access control: Limiting access to authorized users or processes 

Security metrics, monitoring: Measuring security activities 

Governance: Providing control and direction 

Strategy: Method of achieving objectives 

Architecture: Used to define the information security strategy. Some examples are:

- Zachman 

- TOGAF (The Open Group Architecture Framework) 

- DODAF (U.S. Department Of Defense architecture framework) 

- MODAF (The British Ministry Of Defense Architecture Framework) 

- SABSA (Sherwood Applied Business Security Architecture)

Management: Overseeing activities 

Risk: The likelihood that a threat source will exploit one or more vulnerabilities 

             - Acceptable level of risk (aka risk appetite) 

Exposure: Being susceptible to asset loss because of a threat exploiting a vulnerability or 

flaw 

Vulnerabilities: NIST Special Publication 800-30 defines vulnerability as "an inherent weakness 

in an information system, security procedures, internal controls, or implementation that could 

be exploited by a threat source." 

Threats: A threat is any person, event or environmental factor that could affect or harm a protected asset.

Residual risk: The risk remaining after controls are put in place 

Impact: The results and consequences of a risk materializing 

Criticality: The higher the value, the more protection it needs. 

Sensitivity: Based on the classification and categorization  

Business impact analysis (BIA): Evaluating the results and consequences of compromise 

Business dependency analysis: An analysis of business resource dependencies, like a supply 

chain review 

Gap analysis: The difference between "what is" and the stated objective 

Controls: Actions to mitigate or reduce risk 

Countermeasures: Actions or process (controls) used to reduce vulnerabilities 

Policies: Management's interpretation of requirements 

Standards: Supports a policy by setting the boundaries 

Attacks: Types of compromises 

Data classification: Determining the sensitivity and criticality of information 

Technologies used in cyber security:

- Firewalls 

- User account administration 

- Intrusion detection and intrusion prevention 

- Antivirus 

- Public key infrastructure (PKI) 

- Secure Sockets Layer (SSL) 

- Single sign-on (SSO) 

- Biometrics 

- Encryption 

- Privacy compliance 

- Remote access 

- Digital signature 

- Electronic data Interchange (EDI) and electronic funds transfer (EFT) 

- Virtual private networks (VPNs) 

- Forensics 

- Monitoring technologies

Key CSF (Cyber Security Framework) attributes: 

It's a framework, NOT a prescriptive standard! 

- Provides a common language and systematic methodology for managing cyber-risk 

- Is meant to be adapted 

- Does not tell an organization how much cyber-risk is tolerable 

- Enable best practices 

- It's voluntary, except for federal agencies (it's mandatory for them) 

- It's a living document 

- It is intended to be updated as technology and risks change  

The Framework consists of 3 main components:

      - The framework core

      - The framework implementation tiers

      - The framework profiles

The framework consists of 5 functions, 23 categories and 98 sub categories.

Functions (IPDRR):

1) Identify - Develop an organizational understanding to manage cybersecurity risk to

systems, people, assets, data, and capabilities.

2) Protect - Develop and implement appropriate safeguards to ensure delivery of critical

services.

3) Detect - Develop and implement appropriate activities to identify the occurrence of a

cybersecurity event.

4) Respond - Develop and implement appropriate activities to take action regarding a

detected cybersecurity incident

5) Recover - Develop and implement appropriate activities to maintain plans for resilience

and to restore any capabilities or services that were impaired due to a cybersecurity

incident.

Framework Implementation Tiers:

Framework implementation tiers are divided into 4 tiers. Companies adopting Cyber security framework would progress from Tier 1 to Tier 4.

Tier 1: Partial

Risk Management Process – Organizational cybersecurity risk management practices are

not formalized, and risk is managed in an ad hoc and sometimes reactive manner.

Prioritization of cybersecurity activities may not be directly informed by organizational

risk objectives, the threat environment, or business/mission requirements.

Integrated Risk Management Program – There is limited awareness of cybersecurity risk

at the organizational level. The organization implements cybersecurity risk management

on an irregular, case-by-case basis due to varied experience or information gained from

outside sources. The organization may not have processes that enable cybersecurity

information to be shared within the organization.

External Participation – The organization does not understand its role in the larger

ecosystem with respect to either its dependencies or dependents. The organization does

not collaborate with or receive information (e.g., threat intelligence, best practices,

technologies) from other entities (e.g., buyers, suppliers, dependencies, dependents,

ISAOs, researchers, governments), nor does it share information. The organization is

generally unaware of the cyber supply chain risks of the products and services it provides

and that it uses.

Tier 2: Risk Informed

Risk Management Process – Risk management practices are approved by management

but may not be established as organizational-wide policy. Prioritization of cybersecurity

activities and protection needs is directly informed by organizational risk objectives, the

threat environment, or business/mission requirements.

Integrated Risk Management Program – There is an awareness of cybersecurity risk at

the organizational level, but an organization-wide approach to managing cybersecurity

risk has not been established. Cybersecurity information is shared within the organization

on an informal basis. Consideration of cybersecurity in organizational objectives and

programs may occur at some but not all levels of the organization. Cyber risk assessment

of organizational and external assets occurs, but is not typically repeatable or reoccurring.

External Participation – Generally, the organization understands its role in the larger

ecosystem with respect to either its own dependencies or dependents, but not both. The

organization collaborates with and receives some information from other entities and

generates some of its own information, but may not share information with others.

Additionally, the organization is aware of the cyber supply chain risks associated with

the products and services it provides and uses, but does not act consistently or formally

upon those risks. 

Tier 3: Repeatable

Risk Management Process – The organization’s risk management practices are formally

approved and expressed as policy. Organizational cybersecurity practices are regularly

updated based on the application of risk management processes to changes in

business/mission requirements and a changing threat and technology landscape.

Integrated Risk Management Program – There is an organization-wide approach to

manage cybersecurity risk. Risk-informed policies, processes, and procedures are

defined, implemented as intended, and reviewed. Consistent methods are in place to

respond effectively to changes in risk. Personnel possess the knowledge and skills to

perform their appointed roles and responsibilities. The organization consistently and

accurately monitors cybersecurity risk of organizational assets. Senior cybersecurity and

non-cybersecurity executives communicate regularly regarding cybersecurity risk.

Senior executives ensure consideration of cybersecurity through all lines of operation in

the organization.

External Participation - The organization understands its role, dependencies, and

dependents in the larger ecosystem and may contribute to the community’s broader

understanding of risks. It collaborates with and receives information from other entities

regularly that complements internally generated information, and shares information

with other entities. The organization is aware of the cyber supply chain risks associated

with the products and services it provides and that it uses. Additionally, it usually acts

formally upon those risks, including mechanisms such as written agreements to

communicate baseline requirements, governance structures (e.g., risk councils), and

policy implementation and monitoring.

Tier 4: Adaptive

Risk Management Process – The organization adapts its cybersecurity practices based on

previous and current cybersecurity activities, including lessons learned and predictive

indicators. Through a process of continuous improvement incorporating advanced

cybersecurity technologies and practices, the organization actively adapts to a changing

threat and technology landscape and responds in a timely and effective manner to

evolving, sophisticated threats.

Integrated Risk Management Program – There is an organization-wide approach to

managing cybersecurity risk that uses risk-informed policies, processes, and procedures

to address potential cybersecurity events. The relationship between cybersecurity risk and

organizational objectives is clearly understood and considered when making decisions.

Senior executives monitor cybersecurity risk in the same context as financial risk and

other organizational risks. The organizational budget is based on an understanding of the

current and predicted risk environment and risk tolerance. Business units implement

executive vision and analyze system-level risks in the context of the organizational risk

tolerances. Cybersecurity risk management is part of the organizational culture and

evolves from an awareness of previous activities and continuous awareness of activities

on their systems and networks. The organization can quickly and efficiently account for

changes to business/mission objectives in how risk is approached and communicated.

External Participation - The organization understands its role, dependencies, and

dependents in the larger ecosystem and contributes to the community’s broader

understanding of risks. It receives, generates, and reviews prioritized information that

informs continuous analysis of its risks as the threat and technology landscapes evolve.

The organization shares that information internally and externally with other

collaborators. The organization uses real-time or near real-time information to understand

and consistently act upon cyber supply chain risks associated with the products and

services it provides and that it uses. Additionally, it communicates proactively, using

formal (e.g. agreements) and informal mechanisms to develop and maintain strong supply

chain relationships.

NIST Cyber Security Framework Part - 1