SECOP Unit 0 - Introduction PDF

Summary

This document is an introduction to cybersecurity architecture and operations, and examines the NIST Cybersecurity Framework, frameworks, and risk management. It contains information on the functions of the framework such as govern, identify, protect, detect, respond, and recover.

Full Transcript

CYS645X - Cybersecurity Architecture and Operations Nicos Tsalis Table of contents Unit 0 – Introduction Unit 1 – Govern Unit 2 – Identify Unit 3 – Protect Unit 4 – Detect Unit 5 – Respond Unit 6 – Recover 2 Assessment Assignment(s): 50% Final-term examination: 50% _________ 100% Important note: Any overall grade below 70% will be considered as FAIL. Thus: Attend to all lecture deliveries Attend both examinations Submit your assignments 3 Unit 0 - Introduction Framework components Framework core Implementation tiers Profiles Appendix 4 NIST Framework for Improving Critical Infrastructure Cybersecurity The NIST Cybersecurity Framework (NIST CSF) provides a policy framework of computer security guidance for how private sector organizations in the United States can assess and improve their ability to prevent, detect, and respond to cyber attacks. It "provides a high-level taxonomy of cybersecurity outcomes and a methodology to assess and manage those outcomes." Version 1.0 was published by the US National Institute of Standards and Technology in 2014, originally aimed at operators of critical infrastructure. Is being used by a wide range of businesses and organizations and helps shift organizations to be proactive about risk management. In 2017, a draft version of the framework, version 1.1, was circulated for public comment, and the new draft 2.0 is scheduled to be published within February 2024. A security framework adoption study reported that 70% of the surveyed organizations see NIST's framework as a popular best practice for computer security, but many note that it requires significant investment. It includes guidance on relevant protections for privacy and civil liberties. 5 Framework components The Cybersecurity Framework consists of three main components: Framework Core – The Framework Core is designed to be intuitive and to act as a translation layer to enable communication between multi-disciplinary teams by using simplistic and non-technical language. The Core consists of three parts: Functions, Categories, and Subcategories. The Core includes five high level functions: Govern, Identify, Protect, Detect, Respond, and Recover. These 6 functions are not only applicable to cybersecurity risk management, but also to risk management at large. Implementation Tiers – Tiers describe the degree to which an organization’s cybersecurity risk management practices exhibit the characteristics defined in the Framework. The Tiers range from Partial (Tier 1) to Adaptive (Tier 4) and describe an increasing degree of rigor, and how well integrated cybersecurity risk decisions are into broader risk decisions, and the degree to which the organization shares and receives cybersecurity info from external parties. Profiles – Profiles are an organization's unique alignment of their organizational requirements and objectives, risk appetite, and resources against the desired outcomes of the Framework Core. Profiles can be used to identify opportunities for improving cybersecurity posture by comparing a “Current” Profile with a “Target” Profile. 6 Cybersecurity framework Core framework 7 Available functions They aid an organization in expressing its management of cybersecurity risk by organizing information, enabling risk management decisions, addressing threats, and improving by learning from previous activities. The Functions also align with existing methodologies for incident management and help show the impact of investments in cybersecurity. For example, investments in planning and exercises support timely response and recovery actions, resulting in reduced impact to the delivery of services. – Govern – Identify – Protect – Detect – Respond – Recover 8 The Identify Function The Identify Function assists in developing an organizational understanding of managing cybersecurity risk to systems, people, assets, data, and capabilities. Example Outcomes: Identifying physical and software assets to establish an Asset Management program Identifying cybersecurity policies to define a Governance program Identifying a Risk Management Strategy for the organization 9 The Identify Function Identify critical enterprise processes and assets – What are your enterprise’s activities that absolutely must continue in order to be viable? For example, this could be maintaining a website to retrieve payments, protecting customer/patient information securely, or ensuring that the information your enterprise collects remains accessible and accurate. Document information flows – It’s important to not only understand what type of information your enterprise collects and uses, but also to understand where the data is located and how it is used, especially where contracts and external partners are engaged. Maintain hardware and software inventory – It’s important to have an understanding of the computers and software in your enterprise because these are frequently the entry points of malicious actors. This inventory could be as simple as a spreadsheet. Establish policies for cybersecurity that include roles and responsibilities – These policies and procedures should clearly describe your expectations for how cybersecurity activities will protect your information and systems, and how they support critical enterprise processes. Cybersecurity policies should be integrated with other enterprise risk considerations (e.g., financial, reputational). Identify threats, vulnerabilities, and risk to assets – Ensure risk management processes are established and managed to ensure internal and external threats are identified, assessed, and documented in risk registers. Ensure risk responses are identified and prioritized, executed, and results monitored. 10 The Protect Function The Protect Function supports the ability to limit or contain the impact of potential cybersecurity events and outlines safeguards for delivery of critical services Example Outcomes: Establishing Data Security protection to protect the confidentiality, integrity, and availability Managing Protective Technology to ensure the security and resilience of systems and assists Empowering staff within the organization through Awareness and Training 11 The Protect Function Manage access to assets and information – Create unique accounts for each employee and ensure that users only have access to information, computers, and applications that are needed for their jobs. Authenticate users (e.g., passwords, multi-factor techniques) before they are granted access to information, computers, and applications. Tightly manage and track physical access to devices. Protect sensitive data – If your enterprise stores or transmits sensitive data, make sure that this data is protected by encryption both while it’s stored on computers as well as when it’s transmitted to other parties. Consider utilizing integrity checking to ensure only approved changes to the data have been made. Securely delete and/or destroy data when it’s no longer needed or required for compliance purposes. Conduct regular backups – Many operating systems have built-in backup capabilities; software and cloud solutions are also available that can automate the backup process. A good practice is to keep one frequently backed up set of data offline to protect it against ransomware. Protect your devices – Consider installing host-based firewalls and other protections such as endpoint security products. Apply uniform configurations to devices and control changes to device configurations. Disable device services or features that are not necessary to support mission functions. Ensure that there is a policy and that devices are disposed of securely. 12 The Protect Function Manage device vulnerabilities – Regularly update both the operating system and applications that are installed on your computers and other devices to protect them from attack. If possible, enable automatic updates. Consider using software tools to scan devices for additional vulnerabilities; remediate vulnerabilities with high likelihood and/or impact. Train users – Regularly train and retrain all users to be sure that they are aware of enterprise cybersecurity policies and procedures and their specific roles and responsibilities as a condition of employment. 13 The Detect Function The Detect Function defines the appropriate activities to identify the occurrence of a cybersecurity event in a timely manner. Example Outcomes: Implementing Security Monitoring capabilities cybersecurity events Continuous to monitor Ensuring Anomalies and Events are detected, and their potential impact is understood Verifying the effectiveness of protective measures 14 The Detect Function Test and update detection processes – Develop and test processes and procedures for detecting unauthorized entities and actions on the networks and in the physical environment, including personnel activity. Staff should be aware of their roles and responsibilities for detection and related reporting both within your organization and to external governance and legal authorities. Maintain and monitor logs – Logs are crucial in order to identify anomalies in your enterprise’s computers and applications. These logs record events such as changes to systems or accounts as well as the initiation of communication channels. Consider using software tools that can aggregate these logs and look for patterns or anomalies from expected network behavior Know the expected data flows for your enterprise – If you know what and how data is expected to be used for your enterprise, you are much more likely to notice when the unexpected happens – and unexpected is never a good thing when it comes to cybersecurity. Unexpected data flows might include customer information being exported from an internal database and exiting the network. If you have contracted work to a cloud or managed service provider, discuss with them how they track data flows and report, including unexpected events. Understand the impact of cybersecurity events – If a cybersecurity event is detected, your enterprise should work quickly and thoroughly to understand the breadth and depth of the impact. Seek help. Communicating information on the event with appropriate stakeholders will help keep you in good stead in terms of partners, oversight bodies, and others (potentially including investors) and improve policies and processes. 15 The Respond Function The Respond Function includes appropriate activities to take action regarding a detected cybersecurity incident to minimize impact. Example Outcomes: Ensuring Response Planning processes are executed during and after an incident Managing Communications during and after an event Analyzing activities effectiveness of response 16 The Respond Function Ensure response plans are tested – It’s even more important to test response plans to make sure each person knows their responsibilities in executing the plan. The better prepared your organization is, the more effective the response is likely to be. This includes knowing any legal reporting requirements or required information sharing. Ensure response plans are updated – Testing the plan (and execution during an incident) inevitably will reveal needed improvements. Be sure to update response plans with lessons learned. Coordinate with internal and external stakeholders – It’s important to make sure that your enterprise’s response plans and updates include all key stakeholders and external service providers. They can contribute to improvements in planning and execution. 17 The Recover Function The Recover Function identifies appropriate activities to maintain plans for resilience and to restore services impaired during cybersecurity incidents. Example Outcomes: Ensuring the organization implements Recovery Planning processes and procedures Implementing improvements lessons learned Coordinating communications recovery activities based on during 18 The Recover Function Communicate with internal and external stakeholders – Part of recovery depends upon effective communication. Your recovery plans need to carefully account for what, how, and when information will be shared with various stakeholders so that all interested parties receive the information they need but no inappropriate information is shared. Ensure recovery plans are updated – As with response plans, testing execution will improve employee and partner awareness and highlight areas for improvement. Be sure to update Recovery plans with lessons learned. Manage public relations and company reputation – One of the key aspects of recovery is managing the enterprise’s reputation. When developing a recovery plan, consider how you will manage public relations so that your information sharing is accurate, complete, and timely – and not reactionary. 19 Indicative example Function What processes and assets need protection? What safeguards are available? Identify Protect What techniques can identify incidents? Detect What techniques can contain impacts of incidents? Respond What techniques can restore capabilities? Recover Category Asset Management Business Environment Governance Risk Assessment Risk Management Strategy ID ID.AM ID.BE ID.GV ID.RA ID.RM Supply Chain Risk Management ID.SC Identity Management & Access Control Awareness and Training Data Security PR.AC PR.AT PR.DS Information Protection Processes & Procedures PR.IP Maintenance Protective Technology Anomalies and Events Security Continuous Monitoring Detection Processes Response Planning Communications Analysis Mitigation Improvements Recovery Planning Improvements Communications PR.MA PR.PT DE.AE DE.CM DE.DP RS.RP RS.CO RS.AN RS.MI RS.IM RC.RP RC.IM RC.CO 20 Indicative example 21 Cybersecurity framework Implementation tiers 22 Implementation tiers Tiers describe the degree to which an organization’s cybersecurity risk management practices exhibit the characteristics defined in the Framework. The Tiers range from Partial (Tier 1) to Adaptive (Tier 4) and describe an increasing degree of rigor, and how well integrated cybersecurity risk decisions are into broader risk decisions, and the degree to which the organization shares and receives cybersecurity info from external parties. Tiers do not necessarily represent maturity levels. Organizations should determine the desired Tier, ensuring that the selected level meets organizational goals, reduces cybersecurity risk to levels acceptable to the organization, and is feasible to implement, fiscally and otherwise. 23 Tier 1: Partial Risk Management Process – Organizational cybersecurity risk management practices are not formalized. – Risk is managed in an ad-hoc and sometimes reactive manner. – Prioritization of cybersecurity activities may not be directly informed by risk objectives, the threat environment, or business/mission requirements. Integrated Risk Management Program – Limited awareness of cybersecurity risk. – Approach to managing cybersecurity risk has not been established. – Cybersecurity risk management is implemented on an irregular, case-by-case basis. – The organization may not have processes that enable cybersecurity information to be shared. External Participation – No understanding of the role in the larger ecosystem with respect to either the dependencies or dependents. – No collaboration with external entities (e.g., buyers, suppliers). – No receive of information (e.g., threat intelligence, best practices, technologies). – No sharing of information. – Unaware of the cyber supply chain risks of the products and services provided. 24 Tier 2: Risk Informed Risk Management Process – Approved by management but may not be established as organizational-wide policy. – Prioritization of cybersecurity activities is directly informed by risk objectives, the threat environment, or business/mission requirements. Integrated Risk Management Program – There is an awareness of cybersecurity risk at the organizational level. – An organization-wide approach to managing cybersecurity risk has not been established. – Cybersecurity information is shared within the organization on an informal basis. – Consideration of cybersecurity in organizational objectives and programs may occur at some but not all levels of the organization. – Cyber risk assessment of organizational and external assets occurs but is not typically repeatable or reoccurring. External Participation – Understands its role in the larger ecosystem with respect to either its own dependencies or dependents, but not both. – Collaborates with and receives some information from other entities and generates some of its own information. – May not share information with others. – Is aware of the cyber supply chain risks associated with the products/services it provides and uses but does not act consistently or formally upon those risks. 25 Tier 3: Repeatable Risk Management Process – Formally approved and expressed as policy. – Organizational cybersecurity practices are regularly updated based on the application of risk management processes to changes in business/mission requirements and a changing threat and technology landscape. Integrated Risk Management Program – Organization-wide approach to manage cybersecurity risk. – Risk-informed policies, processes, and procedures are defined, implemented as intended, and reviewed. – Consistent methods are in place to respond effectively to changes in risk. – Personnel possess the knowledge and skills to perform their appointed roles and responsibilities. – The organization consistently and accurately monitors cybersecurity risk of organizational assets. Senior cybersecurity and non-cybersecurity executives communicate regularly regarding cybersecurity risk. – Senior executives ensure consideration of cybersecurity through all lines of operation in the organization. External Participation – Understands its role, dependencies, and dependents in the larger ecosystem and may contribute to the community’s broader understanding of risks. – Collaborates with and receives information from other entities regularly that complements internally generated information, and shares information with other entities. – Is aware of the cyber supply chain risks associated with the products and services it provides and that it uses. Additionally, it usually acts formally upon those risks, including mechanisms such as written agreements to communicate baseline requirements, governance structures (e.g., risk councils), and policy implementation and monitoring. 26 Tier 4: Adaptive Risk Management Process – Adapts its cybersecurity practices based on previous and current cybersecurity activities, including lessons learned and predictive indicators. – Through a process of continuous improvement incorporating advanced cybersecurity technologies and practices, the organization actively adapts to a changing threat and technology landscape and responds in a timely and effective manner to evolving, sophisticated threats. Integrated Risk Management Program – Organization-wide approach to managing cybersecurity risk that uses risk-informed policies, processes, and procedures to address cybersecurity events. – The relationship between cybersecurity risk and organizational objectives is clearly understood and considered when making decisions. – Senior executives monitor cybersecurity risk in the same context as financial risk and other organizational risks. – The organizational budget is based on an understanding of the current and predicted risk environment and risk tolerance. – Business units implement executive vision and analyze system-level risks in the context of the organizational risk tolerances. – Cybersecurity risk management is part of the organizational culture and evolves from an awareness of previous activities and continuous awareness of activities on their systems and networks. – The organization can quickly and efficiently account for changes to business/mission objectives in how risk is approached and communicated. External Participation – Understands its role, dependencies, and dependents in the larger ecosystem and contributes to the community’s broader understanding of risks. – Receives, generates, and reviews prioritized information that informs continuous analysis of its risks as the threat and technology landscapes evolve. – Shares that information internally and externally with other collaborators. – Uses real-time or near real-time information to understand and consistently act upon cyber supply chain risks associated with the products and services it provides and that it uses. – Communicates proactively, using formal (e.g., agreements) and informal mechanisms to develop and maintain strong supply chain relationships. 27 Indicative example 28 Cybersecurity framework Profiles 29 Introduction A Framework Profile (“Profile”) represents the outcomes based on business needs that an organization has selected from the Framework Categories and Subcategories. The Profile can be characterized as the alignment of standards, guidelines, and practices to the Framework Core in a particular implementation scenario. Profiles can be used to identify opportunities for improving cybersecurity posture by comparing a “Current” Profile (the “as is” state) with a “Target” Profile (the “to be” state). To develop a Profile, an organization can review all of the Categories and Subcategories and based on business/mission drivers and a risk assessment, determine which are most important; it can add Categories and Subcategories as needed to address the organization’s risks. The Current Profile can then be used to support prioritization and measurement of progress toward the Target Profile, while factoring in other business needs including cost effectiveness and innovation. Profiles can be used to conduct self-assessments and communicate within an organization or between organizations. 30 Building a profile Profiles are about optimizing the Cybersecurity framework to best serve the organization. It is voluntary, so there is no ‘right’ or ‘wrong’ way to do it. This is just one way of approaching profiles. An organization can map their cybersecurity requirements, mission objectives, and operating methodologies, along with current practices against the subcategories of the Framework Core. These requirements and objectives can be compared against the current operating state of the organization to gain an understanding of the gaps between the two. 31 Cybersecurity framework Appendix 32 IDENTIFY (ID) Function Category Subcategory Category ID.AM-1: Physical devices and systems within the organization are inventoried Asset Management (ID.AM): The ID.AM-2: Software platforms and applications within the Risk Assessment (ID.RA): The data, personnel, devices, systems, and organization are inventoried organization understands the facilities that enable the organization ID.AM-3: Organizational communication and data flows are mapped cybersecurity risk to organizational to achieve business purposes are ID.AM-4: External information systems are catalogued identified and managed consistent ID.AM-5: Resources (e.g., hardware, devices, data, time, personnel, operations (including mission, with their relative importance to and software) are prioritized based on their classification, criticality, functions, image, or reputation), organizational assets, and individuals. organizational objectives and the and business value organization’s risk strategy. ID.AM-6: Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g., suppliers, customers, partners) are established ID.BE-1: The organization’s role in the supply chain is identified and communicated Business Environment (ID.BE): The ID.BE-2: The organization’s place in critical infrastructure and its Risk Management Strategy organization’s mission, objectives, industry sector is identified and communicated (ID.RM): The organization’s stakeholders, and activities are ID.BE-3: Priorities for organizational mission, objectives, and priorities, constraints, risk tolerances, activities are established and communicated understood and prioritized; this and assumptions are established and ID.BE-4: Dependencies and critical functions for delivery of critical information is used to inform used to support operational risk cybersecurity roles, responsibilities, services are established decisions. and risk management decisions. ID.BE-5: Resilience requirements to support delivery of critical services are established for all operating states (e.g. under duress/attack, during recovery, normal operations) Subcategory ID.RA-1: Asset vulnerabilities are identified and documented ID.RA-2: Cyber threat intelligence is received from information sharing forums and sources ID.RA-3: Threats, both internal and external, are identified and documented ID.RA-4: Potential business impacts and likelihoods are identified ID.RA-5: Threats, vulnerabilities, likelihoods, and impacts are used to determine risk ID.RA-6: Risk responses are identified and prioritized ID.RM-1: Risk management processes are established, managed, and agreed to by organizational stakeholders ID.RM-2: Organizational risk tolerance is determined and clearly expressed ID.RM-3: The organization’s determination of risk tolerance is informed by its role in critical infrastructure and sector specific risk analysis ID.SC-1: Cyber supply chain risk management processes are identified, established, assessed, Supply Chain Risk Management ID.GV-1: Organizational cybersecurity policy is established and managed, and agreed to by organizational stakeholders (ID.SC): Governance (ID.GV): The policies, communicated ID.SC-2: Suppliers and third-party partners of information systems, components, and services The organization’s priorities, procedures, and processes to manage ID.GV-2: Cybersecurity roles and responsibilities are coordinated and are identified, prioritized, and assessed using a cyber supply chain risk assessment process constraints, risk tolerances, and and monitor the organization’s aligned with internal roles and external partners ID.SC-3: Contracts with suppliers and third-party partners are used to implement appropriate assumptions are established and used measures designed to meet the objectives of an organization’s cybersecurity program and regulatory, legal, risk, environmental, ID.GV-3: Legal and regulatory requirements regarding cybersecurity, to support risk decisions associated Cyber Supply Chain Risk Management Plan. and operational requirements are including privacy and civil liberties obligations, are understood and with managing supply chain risk. The understood and inform the managed ID.SC-4: Suppliers and third-party partners are routinely assessed using audits, test results, or organization has established and management of cybersecurity risk. ID.GV-4: Governance and risk management processes address other forms of evaluations to confirm they are meeting their contractual obligations. implemented the processes to identify, cybersecurity risks ID.SC-5: Response and recovery planning and testing are conducted with suppliers and thirdassess and manage supply chain risks. party providers 33 Function Category PROTECT (PR) Identity Management, Authentication and Access Control (PR.AC): Access to physical and logical assets and associated facilities is limited to authorized users, processes, and devices, and is managed consistent with the assessed risk of unauthorized access to authorized activities and transactions. Subcategory Category Subcategory PR.IP-1: A baseline configuration of information technology/industrial control systems is created and maintained incorporating security principles (e.g. concept of least functionality) PR.AC-1: Identities and credentials are issued, managed, verified, revoked, PR.IP-2: A System Development Life Cycle to manage systems is and audited for authorized devices, users and processes implemented Information Protection Processes PR.IP-3: Configuration change control processes are in place PR.AC-2: Physical access to assets is managed and protected and Procedures (PR.IP): Security PR.IP-4: Backups of information are conducted, maintained, and tested PR.AC-3: Remote access is managed PR.AC-4: Access permissions and authorizations are managed, incorporating policies (that address purpose, scope, PR.IP-5: Policy and regulations regarding the physical operating the principles of least privilege and separation of duties roles, responsibilities, management environment for organizational assets are met PR.AC-5: Network integrity is protected (e.g., network segregation, network commitment, and coordination among PR.IP-6: Data is destroyed according to policy organizational entities), processes, and PR.IP-7: Protection processes are improved segmentation) procedures are maintained and used to PR.IP-8: Effectiveness of protection technologies is shared PR.AC-6: Identities are proofed and bound to credentials and asserted in manage protection of information PR.IP-9: Response plans (Incident Response and Business Continuity) and interactions PR.AC-7: Users, devices, and other assets are authenticated (e.g., single-factor, systems and assets. recovery plans (Incident Recovery and Disaster Recovery) are in place and multi-factor) commensurate with the risk of the transaction (e.g., individuals’ managed PR.IP-10: Response and recovery plans are tested security and privacy risks and other organizational risks) PR.IP-11: Cybersecurity is included in human resources practices (e.g., deprovisioning, personnel screening) PR.IP-12: A vulnerability management plan is developed and implemented Awareness and Training (PR.AT): PR.AT-1: All users are informed and trained The organization’s personnel and Maintenance (PR.MA): Maintenance PR.AT-2: Privileged users understand their roles and responsibilities PR.MA-1: Maintenance and repair of organizational assets are performed and partners are provided cybersecurity and repairs of industrial control and PR.AT-3: Third-party stakeholders (e.g., suppliers, customers, partners) logged, with approved and controlled tools awareness education and are trained to information system components are understand their roles and responsibilities PR.MA-2: Remote maintenance of organizational assets is approved, logged, perform their cybersecurity-related performed consistent with policies and PR.AT-4: Senior executives understand their roles and responsibilities duties and responsibilities consistent and performed in a manner that prevents unauthorized access PR.AT-5: Physical and cybersecurity personnel understand their roles and procedures. with related policies, procedures, and responsibilities agreements. PR.DS-1: Data-at-rest is protected PR.PT-1: Audit/log records are determined, documented, implemented, and PR.DS-2: Data-in-transit is protected reviewed in accordance with policy PR.DS-3: Assets are formally managed throughout removal, transfers, and Data Security (PR.DS): Information Protective Technology (PR.PT): PR.PT-2: Removable media is protected, and its use restricted according to disposition and records (data) are managed Technical security solutions are policy PR.DS-4: Adequate capacity to ensure availability is maintained consistent with the organization’s risk managed to ensure the security and PR.PT-3: The principle of least functionality is incorporated by configuring PR.DS-5: Protections against data leaks are implemented strategy to protect the confidentiality, resilience of systems and assets, systems to provide only essential capabilities PR.DS-6: Integrity checking mechanisms are used to verify software, PR.PT-4: Communications and control networks are protected integrity, and availability of consistent with related policies, firmware, and information integrity information. procedures, and agreements. PR.PT-5: Mechanisms (e.g., failsafe, load balancing, hot swap) are PR.DS-7: The development and testing environment(s) are separate from the implemented to achieve resilience requirements in normal and adverse production environment situations PR.DS-8: Integrity checking mechanisms are used to verify hardware integrity 34 Function Category DETECT (DE) Anomalies and Events (DE.AE): Anomalous activity is detected, and the potential impact of events is understood. Subcategory DE.AE-1: A baseline of network operations and expected data flows for users and systems is established and managed DE.AE-2: Detected events are analyzed to understand attack targets and methods DE.AE-3: Event data are collected and correlated from multiple sources and sensors DE.AE-4: Impact of events is determined DE.AE-5: Incident alert thresholds are established DE.CM-1: The network is monitored to detect potential cybersecurity events DE.CM-2: The physical environment is monitored to detect potential cybersecurity events DE.CM-3: Personnel activity is monitored to detect Security Continuous Monitoring (DE.CM): The potential cybersecurity events information system and assets are monitored to DE.CM-4: Malicious code is detected identify cybersecurity events and verify the DE.CM-5: Unauthorized mobile code is detected effectiveness of protective measures. DE.CM-6: External service provider activity is monitored to detect potential cybersecurity events DE.CM-7: Monitoring for unauthorized personnel, connections, devices, and software is performed DE.CM-8: Vulnerability scans are performed Category Subcategory DE.DP-1: Roles and responsibilities for detection are well defined to ensure accountability DE.DP-2: Detection activities comply with all Detection Processes (DE.DP): Detection processes applicable requirements and procedures are maintained and tested to ensure DE.DP-3: Detection processes are tested awareness of anomalous events. DE.DP-4: Event detection information is communicated DE.DP-5: Detection processes are continuously improved Anomalies and Events (DE.AE): Anomalous activity is detected and the potential impact of events is understood. DE.AE-1: A baseline of network operations and expected data flows for users and systems is established and managed DE.AE-2: Detected events are analyzed to understand attack targets and methods 35 Function Category Subcategory RESPOND (RS) Response Planning (RS.RP): Response processes RS.RP-1: Response plan is executed during or after and procedures are executed and maintained, to an incident ensure response to detected cybersecurity incidents. RS.CO-1: Personnel know their roles and order of operations when a response is needed RS.CO-2: Incidents are reported consistent with established criteria Communications (RS.CO): Response activities are RS.CO-3: Information is shared consistent with coordinated with internal and external stakeholders response plans (e.g. external support from law enforcement RS.CO-4: Coordination with stakeholders occurs agencies). consistent with response plans RS.CO-5: Voluntary information sharing occurs with external stakeholders to achieve broader cybersecurity situational awareness RS.AN-1: Notifications from detection systems are investigated RS.AN-2: The impact of the incident is understood RS.AN-3: Forensics are performed RS.AN-4: Incidents are categorized consistent with Analysis (RS.AN): Analysis is conducted to ensure response plans effective response and support recovery activities. RS.AN-5: Processes are established to receive, analyze and respond to vulnerabilities disclosed to the organization from internal and external sources (e.g. internal testing, security bulletins, or security researchers) Category Subcategory RS.MI-1: Incidents are contained Mitigation (RS.MI): Activities are performed to RS.MI-2: Incidents are mitigated prevent expansion of an event, mitigate its effects, RS.MI-3: Newly identified vulnerabilities are and resolve the incident. mitigated or documented as accepted risks Improvements (RS.IM): Organizational response RS.IM-1: Response plans incorporate lessons activities are improved by incorporating lessons learned learned from current and previous RS.IM-2: Response strategies are updated detection/response activities. 36 Function Category Subcategory RECOVER (RC) Recovery Planning (RC.RP): Recovery processes and procedures are executed and maintained to ensure restoration of systems or assets affected RC.RP-1: Recovery plan is executed during or after a cybersecurity incident by cybersecurity incidents. Improvements (RC.IM): Recovery planning and processes are improved by RC.IM-1: Recovery plans incorporate lessons learned incorporating lessons learned into future activities. RC.IM-2: Recovery strategies are updated Communications (RC.CO): Restoration activities are coordinated with internal and external parties (e.g. coordinating centers, Internet Service Providers, owners of attacking systems, victims, other CSIRTs, and vendors). RC.CO-1: Public relations are managed RC.CO-2: Reputation is repaired after an incident RC.CO-3: Recovery activities are communicated to internal and external stakeholders as well as executive and management teams 37