NIST Cybersecurity Framework - SANS Internet Storm Center

NIST Cybersecurity Framework
The NIST has published a voluntary framework to reduce cyber risk to critical infrastructure as a result of a directive inside the President's execute order for improving critical infrastructure cybersecurity. The core of this framework is composed of a function matrix and a framework implementation level matrix. The function matrix contains the five top-level cybersecurity functions, which are: Know: Gaining the institutional understanding to identify what systems need to be protected, assess priority in light of organizational mission, and manage processes to achieve cost effective risk management goals Prevent: Categories of management, technical, and operational activities that enable the organization to decide on the appropriate outcome-based actions to ensure adequate protection against threats to business systems that support critical infrastructure components. Detect: Activities that identify (through ongoing monitoring or other means of observation) the presence of undesirable cyber risk events, and the processes to assess the potential impact of those events. Respond: Specific risk management decisions and activities enacted based upon previously implemented planning (from the Prevent function) relative to estimated impact. Recover: Categories of management, technical, and operational activities that restore services that have previously been impaired through an undesirable cybersecurity risk event. The function matrix becomes part of the critical operations manual, as it contains detailed functions pertaining to each organization on how to increase security levels, making all of them part of the business day-to-day tasks. The framework implementation level defines three implementation levels from three perspectives: the senior executive role, the business process manager and the operational managers. The goal of this matrix is to reflect the cybersecurity state of the critical infrastructure from the previous role perspectives. While this framework is still in draft state, I consider it a breakthrough in increasing the level of security of critical infrastructure, as critical infrastructure officers of the companies have always been reluctant to implement security measures as in the IT normal world because it goes against the way their operating processes work and because managers of these areas see no value added in these tasks. This framework shows them information security as part of their function and shows a way to integrate seamless to the normal business operation, as they work same process to prevent operation risks to the critical infrastructure, like power disruption, pipe explosion, transformer damage an many others. You can find the framework core at http://www.nist.gov/itl/upload/draft_framework_core.pdf. Manuel Humberto Santander Peláez SANS Internet Storm Center - Handler Twitter:@manuelsantander Web:http://manuel.santander.name e-mail: msantand at isc dot sans dot org	Manuel Humberto Santander Pelaacuteez 195 Posts ISC Handler Jun 30th 2013
Thread locked Subscribe	Jun 30th 2013 9 years ago
Hi, Do you have more information on the 3 Framework Implementation levels ? Each level corresponds to one function, one categorie and one sub-categorie ? It's not crystal clear for me. Thanks in advance !	Anonymous
Quote	Jul 1st 2013 9 years ago
Actually, It may just mean that there are 3 levels of maturity and you write down your comment on the column that seems appropriate.	Anonymous
Quote	Jul 1st 2013 9 years ago
I believe Manuel explained the levels in his posting, "The framework implementation level defines three implementation levels from three perspectives: the senior executive role, the business process manager and the operational managers. The goal of this matrix is to reflect the cybersecurity state of the critical infrastructure from the previous role perspectives." So the levels correspond with organizational roles, 1) Senior Executives 2) Business Process Managers 3) Operational Managers Hope this helps.	Skid 3 Posts
Quote	Jul 2nd 2013 9 years ago

The NIST has published a voluntary framework to reduce cyber risk to critical infrastructure as a result of a directive inside the President's execute order for improving critical infrastructure cybersecurity.

The core of this framework is composed of a function matrix and a framework implementation level matrix. The function matrix contains the five top-level cybersecurity functions, which are:

Know: Gaining the institutional understanding to identify what systems need to be protected, assess priority in light of organizational mission, and manage processes to achieve cost effective risk management goals
Prevent: Categories of management, technical, and operational activities that enable the organization to decide on the appropriate outcome-based actions to ensure adequate protection against threats to business systems that support critical infrastructure components.
Detect: Activities that identify (through ongoing monitoring or other means of observation) the presence of undesirable cyber risk events, and the processes to assess the potential impact of those events.
Respond: Specific risk management decisions and activities enacted based upon previously implemented planning (from the Prevent function) relative to estimated impact.
Recover: Categories of management, technical, and operational activities that restore services that have previously been impaired through an undesirable cybersecurity risk event.

The function matrix becomes part of the critical operations manual, as it contains detailed functions pertaining to each organization on how to increase security levels, making all of them part of the business day-to-day tasks.

The framework implementation level defines three implementation levels from three perspectives: the senior executive role, the business process manager and the operational managers. The goal of this matrix is to reflect the cybersecurity state of the critical infrastructure from the previous role perspectives.

While this framework is still in draft state, I consider it a breakthrough in increasing the level of security of critical infrastructure, as critical infrastructure officers of the companies have always been reluctant to implement security measures as in the IT normal world because it goes against the way their operating processes work and because managers of these areas see no value added in these tasks. This framework shows them information security as part of their function and shows a way to integrate seamless to the normal business operation, as they work same process to prevent operation risks to the critical infrastructure, like power disruption, pipe explosion, transformer damage an many others.

You can find the framework core at http://www.nist.gov/itl/upload/draft_framework_core.pdf.

Manuel Humberto Santander Peláez
SANS Internet Storm Center - Handler
Twitter:@manuelsantander
Web:http://manuel.santander.name
e-mail: msantand at isc dot sans dot org

Manuel Humberto Santander Pelaacuteez

195 Posts
ISC Handler

Jun 30th 2013

Hi,

Do you have more information on the 3 Framework Implementation levels ? Each level corresponds to one function, one categorie and one sub-categorie ? It's not crystal clear for me.
Thanks in advance !

Anonymous

Actually, It may just mean that there are 3 levels of maturity and you write down your comment on the column that seems appropriate.

Anonymous

I believe Manuel explained the levels in his posting, "The framework implementation level defines three implementation levels from three perspectives: the senior executive role, the business process manager and the operational managers. The goal of this matrix is to reflect the cybersecurity state of the critical infrastructure from the previous role perspectives."

So the levels correspond with organizational roles,
1) Senior Executives
2) Business Process Managers
3) Operational Managers

Hope this helps.

Skid

3 Posts