Penetration Testing Services Cloud Pentesting Penetration Network Pentesting Application Pentesting Web Application Pentesting Social Engineering October 9, 2019 NIST Cybersecurity Framework Compliance The first version of the NIST Cybersecurity Framework was published in 2014, and it was updated for the first time in April 2018. Although there have not been any substantial changes, however, there are a few new additions and clarifications. Appendix A of this framework is often called the Framework Core, and it is a twenty-page document that lists five functions – Identify, Protect, Detect, Respond, and Recover. They consist of various categories and sub-categories. Here, it must be noted that Appendix A is a knight in shining armor if utilized correctly while implementing this framework. As per NIST, this framework guides the decision-makers to take the lead on cybersecurity activities and consider cybersecurity risks as a part of their organization’s overall risk management process. It is clear that NIST does not expect all the organizations to comply with all the contents of the framework. Instead, it expects that organizations will consider their business requirements and material risks before taking a well-informed and reasonable decision. One of the most significant additions in version 1.1 of the NIST Cybersecurity Framework is a section titled “Self-assessing Cybersecurity Risk with the Framework.” Under this section, the organizations are encouraged to perform either internal or external risk assessments using the framework. To lead this exercise, the individuals responsible must possess sufficient expertise so that they can inform the decision-makers of the organization’s existing risk profile, initiate vital discussions, and agree on a targeted risk profile. These activities must drive an organization’s adoption, implementation, and execution of a remediation plan for addressing the gaps between what an organization has and what it needs to improve its security posture. Cybersecurity Process The process diagram given below illustrates how the NIST Cybersecurity Framework is implemented as a cybersecurity process. Figure 1: Process diagram for the implementation of the NIST Cybersecurity Framework (Source: NIST) Core Controls Apart from the five functions of this framework stated previously, the controls given in this framework are classified into the following categories – Category Explanation Asset Management (ID.AM) Inventory of devices, systems, software, applications, and external information systems Mapping data flows and communications within the organization Resource prioritization Defining cybersecurity roles and responsibilities Business Environment (ID.BE) Role in critical infrastructure and supply chain management Defining mission priorities and resilience requirements Dependencies on other services Understanding and managing legal and regulatory requirements Implementing processes for governance and risk management Risk Assessment (ID.RA) Identifying vulnerabilities and threats Documenting, communicating, and evaluating the impact and likelihood of vulnerabilities Identifying and prioritizing responses Risk Management Strategy (ID.RM) Identifying processes and their risk tolerance Considering critical infrastructure Access Control (PR.AC) Managing identities and credentials for authorized devices and users Controlling physical access Managing remote access Managing permissions and exceptions Protecting network integrity Awareness and Training (PR.AT) Awareness and training Privileged user awareness Third-party awareness Executive awareness Physical and information security roles training and awareness Data Security (PR.DS) Protecting data-at-rest Protecting data-in-transit Formal asset management and disposal Capacity and availability management Protection against data leaks Integrity checking Separating development and testing from production Information Protection Processes and Procedures (PR.IP) Complying with policy and regulations Data destruction Continuous improvement Information sharing Resource planning Response and recovery testing HR processes including deprovisioning and personnel screening Vulnerability management Maintenance (PR.MA) Timely maintenance Control and monitor remote maintenance activities Protective Technology (PR.PT) Log collection and analytics Remove media usage and controls Controlled access to systems and assets Protecting communications and control networks Anomalies and Events (DE.AE) Establishing baselines Analyzing detected events Aggregating and correlating data from multiple sources Impact determination Defining incident alert thresholds Security Continuous Monitoring (DE.CM) Roles and responsibilities Activities, testing, dissemination, and continuous improvement Resource Planning (RS.RP) Response plan maintenance and execution Communications (RS.CO) Personnel roles Event reporting Information sharing Coordinating with stakeholders Voluntary information sharing for situational awareness Analysis (RS.AN) Investigation of notifications Impact analysis Forensics investigations Incident categorization Mitigation (RS.MI) Containment, mitigation, and documentation of acceptable risks Improvements (RS.IM) Incorporating lessons learned into response strategy Updating response strategies Recovery Planning (RC.RP) Execution of the recovery plan Improvements (RC.IM) Incorporating lessons learned into recovery plans and recovery strategies Communications (RC.CO) Public relations management Reputation repair Communication of recovery activities to internal stakeholders, executives, and management teams Why should an organization adopt the NIST Cybersecurity Framework? The first version of the NIST Cybersecurity Framework was published in 2014, and it was updated for the first time in April 2018. Although there have not been any substantial changes, however, there are a few new additions and clarifications. Appendix A of this framework is often called the Framework Core, and it is a twenty-page document that lists five functions – Identify, Protect, Detect, Respond, and Recover. They consist of various categories and sub-categories. Here, it must be noted that Appendix A is a knight in shining armor if utilized correctly while implementing this framework. As per NIST, this framework guides the decision-makers to take the lead on cybersecurity activities and consider cybersecurity risks as a part of their organization’s overall risk management process. It is clear that NIST does not expect all the organizations to comply with all the contents of the framework. Instead, it expects that organizations will consider their business requirements and material risks before taking a well-informed and reasonable decision. One of the most significant additions in version 1.1 of the NIST Cybersecurity Framework is a section titled “Self-assessing Cybersecurity Risk with the Framework.” Under this section, the organizations are encouraged to perform either internal or external risk assessments using the framework. To lead this exercise, the individuals responsible must possess sufficient expertise so that they can inform the decision-makers of the organization’s existing risk profile, initiate vital discussions, and agree on a targeted risk profile. These activities must drive an organization’s adoption, implementation, and execution of a remediation plan for addressing the gaps between what an organization has and what it needs to improve its security posture. Cybersecurity Process The process diagram given below illustrates how the NIST Cybersecurity Framework is implemented as a cybersecurity process. Industry recognitions we have earned Tell us about your requirements and we will respond within 24 hours. Fill out the form below to let us know your requirements. We will contact you to determine if BreachLock is right for your business or organization.