Читать книгу Cybersecurity and Third-Party Risk - Gregory C. Rasner - Страница 27

The information security field has been around long enough for more than a few standards to be written. Security frameworks are a collection of government cybersecurity policies and guidelines, and best practices set in place protect information systems. They often have specific instructions for organizations to handle PII to lower the risk of a breach or damage. Dozens of them exist globally, but you must be aware of a few top useful ones to understand their scope and focus. Cybersecurity frameworks provide defined structures for people, process, and technology that a company uses as a reference to secure their networks, data, and systems from cyber threats. Some are regulatory guidance (e.g., New York Department of Financial Services [NYDFS] or the Health Insurance Portability and Accountability Act [HIPAA]), which provide a framework's structure. Some companies adopt a framework that is aligned with their industry (e.g., Control Objectives for Information and Related Technologies [COBIT] and Finance, or HIPPA and healthcare providers).

National Institute of Standards and Technology Cybersecurity Framework (NIST‐CSF) was created in response to the U.S. Presidential Executive Order 13636, whose purpose was to enhance the security of the country's critical infrastructure. While aimed at critical infrastructure such as power and water delivery, many private companies have adopted it. NIST‐CSF contains the following five functions that manage the risk to data and systems security: Identify, Protect, Detect, Respond, and Recover. This is shown in Figure 2.2.

The Identify function focuses on identifying physical and software assets as a basis for managing assets. It defines what an organization's supply chain risk management strategy is, according to its priorities, constraints, risk tolerance, and assumptions that support the risk‐based decisions managing their supply chain risks.

The Protect function provides security controls to ensure the security and integrity of an organization's infrastructure systems. Through identity and access management (IAM), an organization seeks to limit and contain any possible damage, thus protecting both its physical and logical access. A data protection program must be aligned with the organization's risk strategy and appetite, and its data protection must align with the cybersecurity core principles of Confidentiality, Integrity and Availability. Its goals are to defend the organization's resources with a patch and vulnerability management programs, and to assist the staff in safeguarding its data and assets with awareness and training in best practices on the safe handling of protected information.

FIGURE 2.2 The NIST Cybersecurity Framework

The Detect function is as it sounds—it refers to the activity taken to discover indications of a security incident. This detection must be timely. Monitoring capabilities must be continuously implemented in order to find and identify anomalous events to catch malicious or suspicious behavior. When we think of an organization's cyber operations teams defending against hackers, we typically think of them as being in detection mode. Some of the capabilities used to detect are Security Information and Event Management (SIEM), Data Loss Prevention (DLP), Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), and the other tools, which are focused on this detection activity.

The Respond function ensures that correct actions are taken when a cybersecurity event is detected. Such activity ensures that cyber Incident Response plans are executed according to an organization's previously established processes. All work done to analyze and support recovery work is performed in a timely manner, and corrective activities are carried out to contain the incident and close the issue.

The Recover function acknowledges any impact, then prioritizes the restoration of services or capabilities in a timely manner to further reduce the event's impact. The execution of a recovery plan as it's designed and implemented ensures the restoration of an organization's systems. A “lessons learned” meeting, or what may be known as a post‐mortem on the incident, must occur to determine if any changes are required in the organization's existing plans. Communications—both inbound and outbound—are coordinated during and post recovery from the event.

What is important about this framework is that it prepares a cybersecurity organization for the inevitable: the breach. Risk is never a zero game, and eventually the vulnerability and threat actors align perfectly. The adoption of this cybersecurity framework forces an organization to best prepare to protect its data, but also for when an event does occur. An organization must have recognized plans in order to limit an attack's impact.

The ISO 27001 cybersecurity framework is an international standard that states a risk‐based process requires an adopting organization to incorporate measures for detecting security threats to information systems. ISO 27001 has a total of 114 controls that are categorized into 14 categories (with the number of controls):

 Information Security Policies (2 controls)

 Information Security Organization (7 controls)

 Human Resources Security (6 controls)

 Asset Management (10 controls)

 Access Controls (14 controls)

 Cryptography (2 controls)

 Physical and Environmental Security (15 controls)

 Operations Security (14 controls)

 Communications Security (7 controls)

 Systems Acquisition, Development, and Maintenance (13 controls)

 Supplier Relationships (5 controls)

 Information Security Incident Management (7 controls)

 Business Continuity Management (4 controls)

 Compliance (8 controls)

Organizations are not required to implement all 114 controls listed. The framework provides an outline for the controls that can be referred back to when performing a gap analysis and risk assessment compared to the ISO 27001. The downside is that the controls are not described in depth. To compensate for this lack of detail, organizations turn to the supplementary ISO 27002, which provides a lot of specificity to the cybersecurity controls. In ISO 27002, each control is given a page to explain how it operates and how to carry out the control.

NIST 800‐53 was created to enable government agencies to have effective cybersecurity controls. This framework specifically describes the requirements for federal government agencies to protect data and information systems. It has over 900 security requirements, which makes it very complex for an organization to implement. The number of requirements and the mandates required to enforce the compliance are focused primarily on any company whose systems interact with a federal agency information system. Also because of this complexity, unless the company is required to follow NIST 800‐53, most private companies will adhere to NIST‐CSF.

The New York Department of Financial Services (NYDFS) framework is a cybersecurity framework that covers nearly any entity performing financial services through the state of New York. The framework originates from NYDFS Cybersecurity Regulation (23 NYCRR 500) and “is designed to promote the protection of customer information as well as the information technology systems or regulated entities.” It requires companies to conduct risk assessments and to implement a program with security controls that detects and responds to cyber events.

The covered entity, a financial institution, must implement the following six items:

1 A risk assessment must be conducted periodically to assess the Confidentiality, Integrity and Availability of information systems and protected data.

2 An audit trail must record and respond to security incidents and be maintained for five years.

3 Limits on data retention must be set in place to ensure that data is disposed of properly when no longer needed.

4 Access Privileges must be implemented and limited to protected data, and access records must be periodically reviewed.

5 An Incident Response plan must be published to ensure that cybersecurity events are clearly communicated, roles and responsibilities are clear, and remediation takes place.

6 Notices to the superintendent (the superintendent is the organization that oversees the regulation) must be provided within 72 hours after a “material” cybersecurity event is detected.

NYDFS is similar to the General Data Protection Regulation (GDPR) and the California Privacy Protection, which have outsized power due to their economic size. Much of the world's finance flows through New York, and so many world finance companies are subjected to this framework. More importantly for this book, the NYDFS has a part that requires covered entities (i.e., those subject to the regulation) to perform due diligence on their third parties at regular intervals.

The Federal Information Systems Management Act (FISMA) is a framework for federal agencies. This standard defines a set of security requirements that the agencies use to improve their cybersecurity. The benchmark requires that third parties to an agency conform to their information security requirements. It contains nine steps for securing government data, operations, and assets:

1 Defining the information categories for security levels

2 Understanding the minimum security controls for protecting data

3 Refining controls through risk assessments

4 Documenting controls and developing security plans

5 Implementing the required security controls

6 Evaluating the effectiveness of implemented controls

7 Establishing security risks for federal resources and data

8 Authorizing the use of secure information systems

9 Continuously monitoring the implemented controls

Several other frameworks are worth describing in high‐level detail. The Australian Signals Directorate (ASD) Essential 8 contains controls and strategies that are a part of the ASD Strategies to Mitigate Cyber Security Incidents. Based upon experience of the Australian government, these controls are considered by them to be the cybersecurity baseline in that country. If implemented correctly, the country reports it can mitigate up to 85 percent of most common cyberattacks.

The Control Objectives for Information and Related Technology (COBIT) framework is a high‐level framework for identifying and mitigating risk. COBIT is primarily used in the finance space to adhere to Sarbanes‐Oxley (SOX). SOX is also known as the Public Company Accounting Reform and Investor Protection Act. Developed by information technology (IT) governance professionals to lower risk, it has evolved to align to business goals.

The Ten Steps to Cybersecurity framework is an initiative of the United Kingdom's Department of Business to provide senior leaders with a cybersecurity overview. This framework acknowledges the urgency of giving executives knowledge about information security issues and risks that impact businesses, along with controls to mitigate them. It provides in business English (i.e., non‐technical, non‐jargon) an explanation in wider terms of the numerous cybersecurity risks, defenses, mitigations, and resolutions.

The Technical Committee on Cyber Security (TC CYBER) framework was developed to improve the telecommunication security in the European Union (EU). It contains a series of requirements for improving privacy for companies and individuals. The focus is to confirm that EU residents and citizens have a high level of privacy protection when communicating on all the various mediums in the zone. Although it's focused on the EU, it has been adopted by other countries worldwide.

These cybersecurity frameworks are important in third‐party risk due diligence work. When engaging with vendors about security due diligence, one of the first questions to ask is what cybersecurity framework they adhere to. Their answer will provide valuable information about how their organization performs its own security activities. Many of the frameworks or standards have similar themes and controls because cybersecurity does not vary industry to industry. However, what is often different is its focus or scope. Understanding which industry a vendor is in or the one you are subject to, can establish which framework is best used or a required fit.