NIST Cybersecurity Framework (CSF) PDF
Document Details
Uploaded by IngenuousSerpentine8902
Texas A&M University – San Antonio
Summary
This document provides an overview of the NIST Cybersecurity Framework, its components, implementation tiers, and the NIST Privacy Framework. It details the different aspects of cybersecurity and privacy, including governance, protection, detection, response, and recovery.
Full Transcript
**S1 M1 - National Institute of Standards and Technology Framework**

**NIST**
- National Institute of Standards and Technology
- Established in 1901 to promote research capabilities
- Improved in 1995 to include cybersecurity

**Three Standardized Frameworks from NIST**
1) NIST Cybersecurity Framework (CSF)
2) NIST Privacy Framework
3) NIST SP 800-53 - Security and Privacy Controls

**NIST Cybersecurity Framework Components**
a) Framework Core
b) Framework Implementation Tiers
c) Framework Profile

**a) Framework Core**
- GOVERN
- IDENTIFY: keep a record of assets, system users, all systems
- PROTECT: deploy safeguards, regular updates, backups
- DETECT: detect active cybersecurity attacks, monitor the network
- RESPOND: contain the cybersecurity event, react, notify affected parties
- RECOVER: support restoration, restore files

*5 functions, 23 categories, 108 subcategories

**b) Implementation Tiers**
- benchmark identifying the degree to which information security practices are integrated throughout an organization
- Tier 1: partial
- Tier 2: risk-informed
- Tier 3: repeatable
- Tier 4: adaptive

**Based On:**
- RM Process
- RM Program Integration
- External Participation

**Tier 1 - partial**
- ad hoc, no formal process
- inconsistent actions

**Tier 2 - risk informed**
- growing company, management approves cybersecurity efforts
- cybersecurity is isolated from risk management
- awareness, but no consistent response to risk

**Tier 3 - repeatable**
- formal, documented policies
- cybersecurity integrated into planning and regularly communicated

**Tier 4 - adaptive**
- responsive to evolving threats
- organization-wide

**c) Framework Profiles**
- mechanisms by which NIST recommends companies measure cybersecurity risk and how to minimize risk
- current profile: current state of organizational risk management
- target profile: desired future state of organizational risk management

*gap analysis: differences between current and desired state

**2. NIST Privacy Framework**
- framework on data protection
- developed to be industry agnostic
- overlap with NIST Cybersecurity Framework

**Components of NIST Privacy Framework**
- Identify: privacy risks related to data processing
- Govern: governance structure (new)
- Control: management structure (new)
- Communicate: dialogue around privacy risks (new)
- Protect: safeguards
- Detect: discovering privacy risks
- Respond: reacting to a privacy breach
- Recover: continuing business after a privacy breach

**Privacy Framework Tiers**
*identical to NIST CSF Tiers*
- Tier 1: partial
- Tier 2: risk-informed
- Tier 3: repeatable
- Tier 4: adaptive

**Based On:**
- RM Process
- RM Program Integration
- External Participation
- Workforce

**SP 800-53**
- NIST Security and Privacy Controls
- applicable to all information systems but the STANDARD for federal information security systems
- stricter standards and less cost effective
- well-defined security and privacy requirements
- use of trustworthy information system components

**SP 800-53: 20 Control Families (be familiar)**
- AC: access control
- AT: awareness and training
- AU: audit and accountability
- CA: assessment, authorization, monitoring
- CM: configuration management
- CP: contingency planning
- IA: identity and authentication
- IR: incident response
- MA: maintenance
- MP: media protection
- PE: physical and environmental protection
- PL: planning
- PM: program management
- PS: personnel security
- PT: PII processing and transparency
- RA: risk assessment
- SA: system and services acquisition
- SC: systems and communication protection
- SI: systems and information integrity
- SR: supply chain risk management

**SP 800-53: Control Implementation Approaches**
- Common Control: implemented at the organizational level
- System-Specific Control: implemented at the information system level
- Hybrid Control: combination of entity-level and system-level controls

**SP 800-53: Intended Audience**
individuals with:
- security and privacy assessment and monitoring responsibilities (auditors, inspectors general, system evaluators, control assessors, independent verifiers and validators, analysts)
- logistical or disposition-related responsibilities
- system development responsibilities

**SP 800-53 - Purpose and Applicability toward other security and privacy requirements**
- Office of Management and Budget (OMB) Circular A-130: controls over federal information systems
- Federal Information Security Modernization Act (FISMA): minimum controls over federal information and information systems

**S1 M2 - Privacy and Data Security Standards**

**Data Breach Consequences**
- business disruptions
- reputation harm
- financial loss
- data loss
- legal and regulatory implications

**Cost of a Data Breach**
average cost of $4 million
- detection and escalation expenses: forensic and investigative efforts
- notification: cost to notify consumers and regulators
- post-breach response: paying fines, implementing credit monitoring, ongoing communication to consumers
- loss of revenue

**HIPAA**
- Health Insurance Portability and Accountability Act
- adopt national standards promoting health care privacy and security
- PHI: protected health information

**HIPAA Covered Entities**
- health care providers that transmit PHI electronically
- health plans
- health care clearinghouses (submit healthcare info to insurance carriers)
- service providers who need access to PHI

**HIPAA Security Rule**
- confidentiality, integrity, and availability of all PHI
- protect against reasonably anticipated threats
- protect against reasonably anticipated impermissible uses or disclosures
- ensure compliance by the covered entity's workforce

**HIPAA Safeguards**
- administrative safeguards: security management, security training, information access management, contingency plans
- physical safeguards: facility access, workstation security
- technical safeguards: access controls, audit controls, data integrity controls, authentication

**HITECH**
- enacted in 2009 to promote the transition from paper to electronic records
- increased penalties for HIPAA violations
- required that patients receive the option to obtain records in electronic form
- added "business associates" as a covered entity
- most significant change: required covered entities to provide notice of a breach to impacted individuals within 60 days of discovery

**GDPR**
- General Data Protection Regulation
- the European Union's general law regarding privacy of data
- strictest privacy law in the world, imposes steep penalties on violators

**GDPR Scope Extended**
even if not in the EU, GDPR can apply
- data processors based in the EU
- data processors not based in the EU if the processor is offering goods or services to those in the EU or is monitoring them
- data processors not based in the EU, but EU law applies

**GDPR Six Principles**
LPDALC
1) Lawfulness, Fairness, Transparency
2) Purpose Limitation (data is for legitimate purposes)
3) Data Minimization (only store what is needed)
4) Accuracy (accurate data, kept up to date)
5) Storage Limitation (only store data as long as necessary)
6) Integrity and Confidentiality (data is protected against accidental loss, destruction and damage)

**Purpose Limitation versus Data Minimization**
- Purpose Limitation: data must be processed for Specified, Explicit, and Legitimate purposes (SEL)
- Data Minimization: data processing must be Relevant, Adequate, and limited to what is Necessary for the purpose (RAN)

**PCI DSS**
- Payment Card Industry Data Security Standard
- created for data security for cashless transactions
- created by the Payment Card Industry Security Standards Council

**PCI DSS - 6 Goals**
BPVSTP
1) Build and Maintain a Secure Network and Systems
2) Protect Cardholder Data
3) Maintain a Vulnerability Management Program
4) Implement Strong Access Control Measures
5) Regularly Monitor and Test Networks
6) Maintain an Information Security Policy

**Build and Maintain a Secure Network and Systems - PCI DSS Requirements**
1) install and maintain a firewall configuration to protect cardholder data
2) do not use vendor-supplied default passwords

**Protect Cardholder Data - PCI DSS Requirements**
3) protect stored cardholder data
4) encrypt transmission of cardholder data across open, public networks

**Maintain a Vulnerability Management Program - PCI DSS Requirements**
5) protect systems against malware, regularly update anti-virus software
6) develop and maintain secure systems and applications

**Implement Strong Access Control Measures - PCI DSS Requirements**
7) restrict access to cardholder data on a need-to-know basis
8) identify and authenticate access to systems
9) restrict physical access to cardholder data

**Regularly Monitor and Test Networks - PCI DSS Requirements**
10) track and monitor all access to the network and cardholder data
11) regularly test security systems and processes

**Maintain an Information Security Policy - PCI DSS Requirements**
12) maintain a policy that addresses information security for all employees

**Outline of Payment Card Industry**
1) customer: makes a purchase
2) retailer/merchant
3) merchant electronic gateway account: retailer submits the transaction
4) merchant bank: acquiring bank submits the payment request to a 3rd-party network
5) card network: 3rd party processes payment from the issuing bank (customer) to the acquiring bank (retailer)

**S1 M3 - Center for Internet Security (CIS) Part I**

**CIS**
- Center for Internet Security
- recommended set of actions, processes, and best practices that can be adopted and implemented by organizations to strengthen cybersecurity defenses
- supported by the SANS Institute

**CIS Controls Version 8**
- 18 controls and 153 subcategories known as safeguards
- controls used to be organized by who manages a device
- controls are now task-focused and organized by activities

**CIS Controls - Design Principles**
***AMOFF***
- Align: controls should map to other cybersecurity standards (NIST, COBIT, HIPAA, NIST 800-53, SOC2)
- Measurable: controls are simple and measurable
- Offense Informs Defense: controls are drafted based on cybersecurity attacker behavior
- Focus: prioritize the most critical problems
- Feasible: controls are practical

**CIS Implementation Group - IG1**
- limited cybersecurity defense mechanisms in place
- cybersecurity expertise is limited
- data is not sensitive (no PII or PHI)

*similar to NIST Tier 1 (Partial) or NIST Tier 2 (Risk-Informed)

**CIS Implementation Group - IG2**
- IT staff who support multiple departments
- sensitive client data

*similar to NIST Tier 3 (Repeatable)

**CIS Implementation Group - IG3**
- security experts in all domains within cybersecurity
- penetration testing, risk management, application security
- sensitive data and likely subject to regulatory oversight
- an attack on these organizations can cause significant damage

*similar to NIST Tier 4 (Adaptive)

**CIS Control 1: Inventory and Control of Enterprise Assets**
*companies must know the totality of IT assets
- use of an IT inventory list
- understanding which devices contain sensitive information
- potential for external devices to connect to a company's network

**CIS Control 2: Inventory and Control of Software Assets**
*track and actively manage software applications
- ensure only authorized software is installed
- software inventory list
- most current software patches are installed
- software reaching end of life is renewed or transitioned out

**CIS Control 3: Data Protection**
*securely manage the entire life cycle of data
- identify, handle, classify, retain, and dispose of data
- classification categories: "internal," "public," "sensitive," "confidential"
- access control lists, access logging mechanisms, data disposal plans
- encryption

**CIS Control 4: Secure Configuration of Enterprise Assets and Software**
*many applications are sold with default configuration settings that present vulnerabilities
- publicly available security standards (CIS Benchmarks or NIST National Checklist Program Repository) can be used for asset reconfiguration
- remove unnecessary software
- change default passwords
- security tools such as firewalls, intrusion detection, data loss prevention (DLP), mobile device management (MDM)

**CIS Control 5: Account Management**
*use processes and tools to assign and manage authorization
- accounts should be inventoried and tracked
- credentials are treated as highly sensitive information
- single sign-on (SSO): one password to sign into all applications
- multi-factor authentication (MFA)

**CIS Control 6: Access Control Management**
*processes and tools to create, assign, manage, and revoke access credentials/privileges
- expands on control 5
- "least privilege" and "need to know"
- policies for granting access and revoking access based on job duties and responsibilities
- role-based access control, separation of duties
- policies for hiring/firing access

**CIS Control 7: Continuous Vulnerability Management**
*continuously identifying and tracking vulnerabilities within infrastructure
- keep current on threats and vulnerabilities in order to defend against them
- assess based on likelihood of exploitation
- classification schemes such as the Common Vulnerability Scoring System (CVSS) or Common Vulnerabilities and Exposures (CVE)

**CIS Control 8: Audit Log Management**
*establish an enterprise log management process so that organizations can be alerted to and recover from an attack in real time
- system logs: provide a list of events such as start and end times, points of restoration, and system crashes
- audit logs: tied to a specific user, recording when a person logs in or out, accesses a file, or opens an application

**CIS Control 9: Email and Web Browser Protections**
*detect and protect against cybercrime attempted through email and web browsers
- phishing scams and business email compromise
- only updated versions of email software should be used
- URL filtering and blocking done through the domain name system (DNS)

**S1 M4 - Center for Internet Security (CIS) Part II**

**CIS Control 10: Malware Defenses**
*preventing the installation and propagation of malware onto company assets and the network
- malware forms: viruses, worms, spyware, adware, keyloggers, ransomware
- software auto-run and auto-play should be DISABLED
- close all ports to the network
- malware actors use LotL ("living off the land"), which means using our own tools against us

**CIS Control 11: Data Recovery**
*establishes data backup, testing, and restoration
- automated backup process
- off-site storage for backups
- encryption of backup data

**CIS Control 12: Network Infrastructure Management**
*establishes procedures and tools for managing and securing a company's network infrastructure and preventing attackers from exploiting vulnerable access points
- physical and virtual devices: firewalls, gateways, routers, switches, and wireless access points
- network architecture should have documentation and diagrams
- sanity checks to ensure hardware and software work flawlessly

**CIS Control 13: Network Monitoring and Defense**
*processes for monitoring and defending a company's network infrastructure against internal and external security threats
- two common ways networks can be attacked include Denial of Service (DoS) and ransomware
- tools such as security information and event management (SIEM) help centralize and assist in log analysis
- security or network operations center (SOC or NOC)

**CIS Control 14: Security Awareness and Skills Training**
*establishing security awareness and training programs
- regular training on unusual behavior, social engineering tactics, best practices, risks, and organization processes

**CIS Control 15: Service Provider Management**
*develop processes to evaluate third-party service providers that have access to sensitive data or manage a company's IT functions
- standards include the Shared Assessments program for the finance industry and the Higher Education Community Vendor Assessment Toolkit (HECVAT)
- System and Organization Controls (SOC) audit reports

**CIS Control 16: Application Software Security**
*safeguards that manage the entire life cycle of software that is acquired, hosted, or developed in house
- software development life cycles have shortened and become more complex
- introduce security early in the software development lifecycle (SDLC)
- vulnerabilities include: buffer overflows, cross-site scripting, SQL injection, and race conditions

**CIS Control 17: Incident Response Management**
*establish an incident response management program to detect, respond to, and prepare for potential cybersecurity attacks
- the program should include designation of key contacts, establishing an incident response team, and developing communication plans

**CIS Control 18: Penetration Testing**
*test the sophistication of the cybersecurity defense system by simulating actual attacks to find and exploit weaknesses
- goes beyond identifying weaknesses (control 7)
- "red team" exercises focus on tactics, techniques, and procedures (TTPs) to see how an organization fares against certain attackers
- begins with an observation of the environment followed by a scan to locate vulnerabilities

**S1 M5 - COBIT 2019 Framework**

**Control Objectives for Information and Related Technologies (COBIT)**
- developed by the Information Systems Audit and Control Association (ISACA) in 1996
- originally developed as a set of standards for auditors that unified unrelated standards
- NOW USED by organizations to implement best practices for IT governance and management

**COBIT 2019 Overview**
used existing COBIT 5 and added:
1) 6 Governance System Principles (VHDDTE)
2) 3 Governance Framework Principles (CFA)
3) Core Model (1 Governance and 4 Management Objectives)
4) 7 Components of Governance Systems (POPICPS)
5) 11 Design Factors
6) Other Focus Areas

**1) Six Principles for a Governance System**
Very Healthy Dieters Do Try Everything
1) provide shareholder VALUE: balance risk and return
2) HOLISTIC approach: IT can comprise diverse components
3) DYNAMIC governance system: flexible and changing
4) governance DISTINCT from management
5) TAILORED to enterprise needs: no "one size fits all" governance system
6) END-TO-END governance system: considering more than just the IT function

**2) Three Principles for a Governance Framework**
- C: based on a CONCEPTUAL MODEL: identify key components and the relationships between components
- F: open and FLEXIBLE: able to change; add relevant content, remove irrelevant content that violates COBIT
- A: ALIGNED to major standards: the framework aligns with other regulations, frameworks and standards

**3) COBIT Core Model - 1 Governance Objective**
EDM: Evaluate, Direct, and Monitor
- evaluate strategic objectives, direct management, monitor whether objectives are met

**EDM Important Components**
- risk optimization
- stakeholder engagement

**3) COBIT Core Model - 4 Management Objectives**
APO: Align, Plan, and Organize
- align IT's overall strategy, plan how to use technology, organize the resources for most effective use

BAI: Build, Acquire, and Implement
- build, acquire, and implement IT

DSS: Deliver, Service, and Support
- service requests, problems, continuity

MEA: Monitor, Evaluate, Assess
- continuous monitoring, evaluation, and assessment

**APO Important Components**
Align, Plan, Organize
- managed data
- managed security
- managed risk

**BAI Important Components**
Build, Acquire, Implement
- managed knowledge
- managed change
- managed availability and capacity
- managed solutions and build

**DSS Important Components**
Deliver, Service, Support
- managed problems
- managed continuity
- managed service requests and incidents

**MEA Important Components**
Monitor, Evaluate, Assess
- managed assurance
- managed compliance with external requirements
- managed system of internal control (IC)

**COBIT 2019: 7 Components to Satisfy Management and Governance Objectives**
POP ICPS
1) Processes
2) Organizational Structure
3) Principles, Policies, and Frameworks
4) Information
5) Culture, Ethics, and Behavior
6) People, Skills, and Competencies
7) Services, Infrastructure, and Applications

**1) Processes - COBIT Governance System**
- activities that help achieve IT goals

**2) Organizational Structure - COBIT Governance System**
- decision-making entities within the organization

**3) Principles, Policies, and Framework - COBIT Governance System**
- guidance for turning desired behavior into practice

**4) Information - COBIT Governance System**
- information needed for the governance system to function properly

**5) Culture, Ethics, Behavior - COBIT Governance System**
- factors that influence the success of management and governance

**6) People, Skills, Competencies - COBIT Governance System**
- people make sound decisions, take corrective actions, complete critical objectives

**7) Services, Infrastructure, Applications - COBIT Governance System**
- governance system tools needed for IT processing

**COBIT 2019: how to create a tailored enterprise governance system for IT?**
- design factors
- focus areas

**COBIT 2019: 11 Design Factors**
1) Enterprise Strategy
2) Enterprise Goals
3) Risk Profile
4) Information and Technology Issues
5) Threat Landscape
6) Compliance Requirements
7) Role of IT
8) Sourcing Model of IT
9) IT Implementation
10) Technology Adoption Strategy
11) Size of Company

**COBIT Design Factor: Enterprise Strategy**
- generally a primary and a secondary strategy
- ex. growth/acquisition, innovation/differentiation, cost leadership, client service

**COBIT Design Factor: Enterprise Goals**
- structured based on the balanced scorecard
- Financial
- Customer
- Internal (efficiency)
- Growth (growth & innovation)

**COBIT Design Factor: Risk Profile**
- current risk exposure for the organization
- risk appetite

**COBIT Design Factor: Information and Technology**
common issues:
- insufficient IT resources
- problems with data quality
- noncompliance with IT regulations

**COBIT Design Factor: Threat Landscape**
- classified as normal or high
- results from geopolitical threats or issues, industry sector, economic issues (out of a company's control)

**COBIT Design Factor: Compliance Requirements**
- classified as low, normal, high
- low example: mom-and-pop coffee shop
- normal example: advertising agency (some compliance)
- high example: bank (lots of compliance regulations)

**COBIT Design Factor: Role of IT**
IT is categorized as
- support: not critical for operations
- factory: the IT system will have an immediate impact on business operations if it fails
- turnaround: the IT system drives innovation but is not required for critical business operations
- strategic: the IT system is crucial for both innovation and business operations

**COBIT Design Factor: Sourcing Model for IT**
- the IT procurement model the company adopts
- cloud based, built in house, or hybrid

**COBIT Design Factor: IT Implementation Methods**
- Agile development method
- DevOps method
- traditional (waterfall) method
- hybrid of these

**COBIT Design Factor: Technology Adoption Strategy**
- First Mover Strategy: adopt emerging technologies (risk takers)
- Follower Strategy: emerging technologies are adopted after they are proven
- Slow Adopter: late to adopt new technologies

**COBIT Design Factor: Enterprise Size**
- Large: 250+ employees
- Small or Medium: 50-250 full-time employees

**COBIT Focus Areas**
- different types of governance issues, domains, and topics that can be solved by a combination of management and governance objectives

**COBIT Core Publications**
1) COBIT 2019 Framework: Introduction and Methodology
2) COBIT 2019 Framework: Governance and Management Objectives (1 governance, 4 management)
3) COBIT 2019 Design Guide (11 design topics)
4) COBIT 2019 Implementation Guide (continuous improvement)

**Who is responsible for carrying out and settling governance policies?**
- carrying out: middle management
- settling: BOD