Doug Lowe - Networking All-in-One For Dummies

NIST: The NIST Cybersecurity Framework is probably the most commonly used framework in the United States. It’s governed by the National Institute of Standards and Technology (NIST). (For more information about this popular framework, refer to “ The NIST Cybersecurity Framework,” later in this chapter.)

ISO/IEC 270: This is the most popular international cybersecurity framework. For more information, browse to https://iso.org/isoiec-27001-information-security.html .

ISA 62443: The International Society of Automation ( https://isa.org ) sponsors a series of standards known as ISA 62443, which comprise a flexible framework for managing security. For more information, see www.isa.org/technical-topics/cybersecurity/cybersecurity-resources .

CIS-20: The Center for Internet Security (CIS) is an organization that provides a list of 20 cybersecurity controls that can be used as a framework for organizing your cybersecurity measures. For more information, see www.cisecurity.org/controls/cis-controls-list .

COBIT: Sponsored by the Information Systems Audit and Control Association (ISACA), COBIT (which stands for Control Objectives for Information and Related Technologies) is one of the more popular cybersecurity frameworks. For more information, head to www.isaca.org/resources/cobit .

In 2014, NIST issued the first version of its cybersecurity framework, officially known as the Framework for Improving Critical Infrastructure Cybersecurity, but commonly referred to as the NIST Framework (and often when speaking in the context of cybersecurity simply NIST). I refer to it simply as the Framework throughout the rest of this chapter.

The Framework was originally intended to apply to critical infrastructure such as the power grid, transportation systems, dams, government agencies, and so on. But the Framework quickly became popular in the private sector as well and is now considered one of the best overall tools for planning cybersecurity for large and small organizations, public and private.

The Framework is useful for any organization large enough to have a dedicated IT staff, even if that staff consists of just one person. No organization can or should implement every detail that is spelled out in the Framework. Instead, the Framework invites you to develop a solid understanding of the cybersecurity risks your organization faces and to implement a risk management strategy based on informed decisions about which security practices make sense for your organization.

In 2018, NIST issued a new version of the Framework, known as Version 1.1. The new version includes a section on self assessment and greatly expanded its coverage of the cybersecurity risk associated with business supply chains.

You can find the complete documentation for the Cybersecurity Framework Version at https://nist.gov/cyberframework/framework . I strongly suggest you download the Framework document, print it out, and read it. It’s only about 50 pages.

The Framework consists of three basic components:

Framework Core: This section identifies five basic functions of cybersecurity:Identify: You must know, in detail, exactly what parts of your organization are vulnerable to cyberattack.Protect: You should take specific steps to protect those parts of your organization that you’ve identified as being vulnerable.Detect: This function involves monitoring your systems and environment so that you know as soon as possible when a cyberattack occurs.Respond: This function helps you plan in advance how you’ll respond when a cybersecurity incident occurs.Recover: According to the Framework, you must “Develop and implement appropriate activities to maintain plans for resilience and to restore any capabilities or servers that were impaired due to a cybersecurity incident.” For example, if data was lost, you may need to restore the lost data from backup copies.Within each of these five basic functions, best practices, guidelines, and standards are presented focusing on specific cybersecurity outcomes, such as “Remote access is managed” or “Removable media is protected and its use restricted according to policy.”I offer more detail on the Framework Core later in this section.

Framework Implementation Tiers: This section describes four distinct tiers that represent an increasing level of sophistication in cybersecurity practices. As an organization invests more in cybersecurity, it moves up through the tier levels.

Framework Profile: This section discusses the use of profiles to indicate which specific outcomes in the Framework Core are implemented. You can create a current profile, which documents the current cybersecurity practices at your organization, and then create a target profile to represent where you’d like to be. Then you can devise a plan to move from the current profile to the target profile.

Each of the five functions of the Framework Core (listed earlier) is divided into several categories, which are in turn divided into subcategories. A simple numbering scheme is used to track the functions, categories, and subcategories. For example, the Identify function is designated by the identifier ID. Its first category is Asset Management, which is designated by ID.AM. The first subcategory under Asset Management is “Physical devices and systems within the organization are inventoried,” and it’s designated ID.AM-1.

Table 4-1lists the five functions along with each function’s categories and the identifier for each category.

TABLE 4-1The Functions and Categories of the NIST Framework Core

In all, there are 23 categories across the five functions. Each of these categories is broken down into from 2 to 12 subcategories, for a total of 106 subcategories altogether.

The Framework doesn’t prescribe specific solutions for each of the 106 subcategories; it merely states the outcome to be achieved by each subcategory and invites you to design a solution that produces the desired outcome.

For example, the first subcategory of Asset Management (ID.AM-1) is as follows:

Physical devices and systems within the organization are inventoried.

There are many ways to accomplish this goal. If your organization is small, you may just keep track of all your computer and network devices in a simple Microsoft Excel spreadsheet. If your organization is larger, you may utilize software that automatically scans your network to create a catalog of all attached devices, and you may want to use inventory tags with barcodes so you can track hardware assets. But one way or another, keeping an inventory of all your physical devices and systems is a vital element of cybersecurity.