Posted on 10-Apr-2017
NIST Cybersecurity Framework Cross Referenced
April 2016
Prepared by: Jim Bothe & Jim Meyer
© Copyright 2016 J2 Coordinated Response, LLC All rights Reserved.
NIST Cybersecurity Framework Cross Reference
Objective:
– To produce a meaningful cybersecurity assessment; and
– In a reasonable amount of time.
But the NIST subcategories need to be cross referenced:
– Many are related, and
– Many are interdependent.
Logical groupings should make the assessment easier.
LinkedIn 4/16/2016 © 2016 J2 Coordinated Response, LLC. All Rights Reserved. Page: 2
Functions / Categories / Subcategories

Function    Categories    Subcategories
Identify        5              24
Protect         6              35
Detect          3              18
Respond         5              15
Recover         3               6

© 2016 J2 Coordinated Response, LLC. All Rights Reserved.
ISACA CMC April 13, 2016 Page: 3
NIST Cybersecurity Framework
Dependencies / Other Relationships
Identify relationships between Groups:
– One Group provides input to another.
– The second Group is possibly constrained by the first,
– or the other Group is dependent on the first.
– In either case, weakness in the first limits strength in the second.
A subcategory in one Group:
– May have interdependencies with another subcategory in the same Group.
– May have interdependencies with a subcategory in another Group.
– These details are left to the assessor to recognize (at least for now).
Establish Risk Tolerance / Prioritize Assets
NOTE: Operational drivers inform risk tolerance and the identification of CRITICAL IT assets.
Risk – Assess, Address, Manage
Roles and Responsibilities
Access Control & Data Protection
Configuration Management
An Observation
The groups identified thus far form the foundation of an effective cybersecurity architecture:
– Establish Risk Tolerance, Prioritize Assets.
– Risk – Address, Assess, Manage.
– Roles and Responsibilities – well defined or not.
– Configuration Management – defines what you are protecting.
Recognize what is important and protect it – 53 subcategories.
The remaining groups are Detect, Respond, Recover, Improve – 45 subcategories. NOTE: key dependencies are identified in these groups.
Monitor & Detect Events
Risk – Assess, Address, Manage