Читать книгу Networking All-in-One For Dummies - Lowe Doug, Doug Lowe - Страница 70

The NIST Cybersecurity Framework

Оглавление

In 2014, NIST issued the first version of its cybersecurity framework, officially known as the Framework for Improving Critical Infrastructure Cybersecurity, but commonly referred to as the NIST Framework (and often when speaking in the context of cybersecurity simply NIST). I refer to it simply as the Framework throughout the rest of this chapter.

The Framework was originally intended to apply to critical infrastructure such as the power grid, transportation systems, dams, government agencies, and so on. But the Framework quickly became popular in the private sector as well and is now considered one of the best overall tools for planning cybersecurity for large and small organizations, public and private.

The Framework is useful for any organization large enough to have a dedicated IT staff, even if that staff consists of just one person. No organization can or should implement every detail that is spelled out in the Framework. Instead, the Framework invites you to develop a solid understanding of the cybersecurity risks your organization faces and to implement a risk management strategy based on informed decisions about which security practices make sense for your organization.

In 2018, NIST issued a new version of the Framework, known as Version 1.1. The new version includes a section on self assessment and greatly expanded its coverage of the cybersecurity risk associated with business supply chains.

You can find the complete documentation for the Cybersecurity Framework Version at https://nist.gov/cyberframework/framework. I strongly suggest you download the Framework document, print it out, and read it. It’s only about 50 pages.

The Framework consists of three basic components:

 Framework Core: This section identifies five basic functions of cybersecurity:Identify: You must know, in detail, exactly what parts of your organization are vulnerable to cyberattack.Protect: You should take specific steps to protect those parts of your organization that you’ve identified as being vulnerable.Detect: This function involves monitoring your systems and environment so that you know as soon as possible when a cyberattack occurs.Respond: This function helps you plan in advance how you’ll respond when a cybersecurity incident occurs.Recover: According to the Framework, you must “Develop and implement appropriate activities to maintain plans for resilience and to restore any capabilities or servers that were impaired due to a cybersecurity incident.” For example, if data was lost, you may need to restore the lost data from backup copies.Within each of these five basic functions, best practices, guidelines, and standards are presented focusing on specific cybersecurity outcomes, such as “Remote access is managed” or “Removable media is protected and its use restricted according to policy.”I offer more detail on the Framework Core later in this section.

 Framework Implementation Tiers: This section describes four distinct tiers that represent an increasing level of sophistication in cybersecurity practices. As an organization invests more in cybersecurity, it moves up through the tier levels.

 Framework Profile: This section discusses the use of profiles to indicate which specific outcomes in the Framework Core are implemented. You can create a current profile, which documents the current cybersecurity practices at your organization, and then create a target profile to represent where you’d like to be. Then you can devise a plan to move from the current profile to the target profile.

Each of the five functions of the Framework Core (listed earlier) is divided into several categories, which are in turn divided into subcategories. A simple numbering scheme is used to track the functions, categories, and subcategories. For example, the Identify function is designated by the identifier ID. Its first category is Asset Management, which is designated by ID.AM. The first subcategory under Asset Management is “Physical devices and systems within the organization are inventoried,” and it’s designated ID.AM-1.

Table 4-1 lists the five functions along with each function’s categories and the identifier for each category.

TABLE 4-1 The Functions and Categories of the NIST Framework Core

Function Category Identifier
Identify Asset Management ID.AM
Business Environment ID.BE
Governance ID.GV
Risk Assessment ID.RA
Risk Management Strategy ID.RM
Supply Chain Risk Management ID.SC
Protect Identity Management and Access Control PR.AC
Awareness and Training PR.AT
Data Security PR.DS
Information Protection Processes and Procedures PR.IP
Maintenance PR.MA
Protective Technology PR.PT
Detect Anomalies and Events DE.AE
Security Continuous Monitoring DE.CM
Detection Processes DE.DP
Respond Response Planning RS.RP
Communications RS.CO
Analysis RS.AN
Mitigation RS.MI
Improvements RS.IM
Recover Recovery Planning RC.RP
Improvements RC.IM
Communications RC.CO

In all, there are 23 categories across the five functions. Each of these categories is broken down into from 2 to 12 subcategories, for a total of 106 subcategories altogether.

The Framework doesn’t prescribe specific solutions for each of the 106 subcategories; it merely states the outcome to be achieved by each subcategory and invites you to design a solution that produces the desired outcome.

For example, the first subcategory of Asset Management (ID.AM-1) is as follows:

Physical devices and systems within the organization are inventoried.

There are many ways to accomplish this goal. If your organization is small, you may just keep track of all your computer and network devices in a simple Microsoft Excel spreadsheet. If your organization is larger, you may utilize software that automatically scans your network to create a catalog of all attached devices, and you may want to use inventory tags with barcodes so you can track hardware assets. But one way or another, keeping an inventory of all your physical devices and systems is a vital element of cybersecurity.

Although the Framework doesn’t prescribe specific solutions, it does offer a set of links to other cybersecurity frameworks which it calls Informative References. For example, ID.AM-1 includes references to related information found in the CIS Controls, COBIT controls, ISA/IEC standards, and other NIST standards. You can cross-reference these Information References to gain additional insight into each of the subcategories.

Networking All-in-One For Dummies

Подняться наверх