Doug Lowe

Networking All-in-One For Dummies


Скачать книгу

href="https://www.isaca.org/resources/cobit">www.isaca.org/resources/cobit.

      In 2014, NIST issued the first version of its cybersecurity framework, officially known as the Framework for Improving Critical Infrastructure Cybersecurity, but commonly referred to as the NIST Framework (and often when speaking in the context of cybersecurity simply NIST). I refer to it simply as the Framework throughout the rest of this chapter.

      The Framework was originally intended to apply to critical infrastructure such as the power grid, transportation systems, dams, government agencies, and so on. But the Framework quickly became popular in the private sector as well and is now considered one of the best overall tools for planning cybersecurity for large and small organizations, public and private.

      In 2018, NIST issued a new version of the Framework, known as Version 1.1. The new version includes a section on self assessment and greatly expanded its coverage of the cybersecurity risk associated with business supply chains.

      You can find the complete documentation for the Cybersecurity Framework Version at https://nist.gov/cyberframework/framework. I strongly suggest you download the Framework document, print it out, and read it. It’s only about 50 pages.

      The Framework consists of three basic components:

       Framework Core: This section identifies five basic functions of cybersecurity:Identify: You must know, in detail, exactly what parts of your organization are vulnerable to cyberattack.Protect: You should take specific steps to protect those parts of your organization that you’ve identified as being vulnerable.Detect: This function involves monitoring your systems and environment so that you know as soon as possible when a cyberattack occurs.Respond: This function helps you plan in advance how you’ll respond when a cybersecurity incident occurs.Recover: According to the Framework, you must “Develop and implement appropriate activities to maintain plans for resilience and to restore any capabilities or servers that were impaired due to a cybersecurity incident.” For example, if data was lost, you may need to restore the lost data from backup copies.Within each of these five basic functions, best practices, guidelines, and standards are presented focusing on specific cybersecurity outcomes, such as “Remote access is managed” or “Removable media is protected and its use restricted according to policy.”I offer more detail on the Framework Core later in this section.

       Framework Implementation Tiers: This section describes four distinct tiers that represent an increasing level of sophistication in cybersecurity practices. As an organization invests more in cybersecurity, it moves up through the tier levels.

       Framework Profile: This section discusses the use of profiles to indicate which specific outcomes in the Framework Core are implemented. You can create a current profile, which documents the current cybersecurity practices at your organization, and then create a target profile to represent where you’d like to be. Then you can devise a plan to move from the current profile to the target profile.

      Each of the five functions of the Framework Core (listed earlier) is divided into several categories, which are in turn divided into subcategories. A simple numbering scheme is used to track the functions, categories, and subcategories. For example, the Identify function is designated by the identifier ID. Its first category is Asset Management, which is designated by ID.AM. The first subcategory under Asset Management is “Physical devices and systems within the organization are inventoried,” and it’s designated ID.AM-1.

Function Category Identifier
Identify Asset Management ID.AM
Business Environment ID.BE
Governance ID.GV
Risk Assessment ID.RA
Risk Management Strategy ID.RM
Supply Chain Risk Management ID.SC
Protect Identity Management and Access Control PR.AC
Awareness and Training PR.AT
Data Security PR.DS
Information Protection Processes and Procedures PR.IP
Maintenance PR.MA
Protective Technology PR.PT
Detect Anomalies and Events DE.AE
Security Continuous Monitoring DE.CM
Detection Processes DE.DP
Respond Response Planning RS.RP
Communications RS.CO
Analysis RS.AN
Mitigation RS.MI
Improvements RS.IM
Recover Recovery Planning RC.RP
Improvements RC.IM
Communications RC.CO

      The Framework doesn’t prescribe specific solutions for each of the 106 subcategories; it merely states the outcome to be achieved by each subcategory and invites you to design a solution that produces the desired outcome.

      For