
Introduction to NIST Cybersecurity Framework for Your Security Architecture & Plan
Michael Lin, Systems Engineering Manager
BRKSEC-1021
Agenda

• Risk Management
• NIST Cybersecurity Framework
• Using the NIST CSF
• Baldrige Cybersecurity Excellence Builder (CEB)
• Cisco’s Alignment to NIST CSF
Cisco Spark
Questions? Use Cisco Spark to chat with the speaker after the session.

How
1. Find this session in the Cisco Live Mobile App
2. Click “Join the Discussion”
3. Install Spark or go directly to the space
4. Enter messages/questions in the space

Cisco Spark spaces will be available until July 3, 2017.
cs.co/ciscolivebot#BRKSEC-1021

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public
Achieving Cybersecurity Excellence

• Planning & risk management
• People, process, & technology
• Restore operations ASAP
• Plan review & improvement
• Security as an architecture

BRKSEC-1021 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 5
Risk Management

What Plan Would You Choose?
Your Car: 2006 Acura TL, Book Value: $6500

Plan 1: Liability, $200/Year
Plan 2: Comprehensive, $300/Year
Plan 3: Collision, $600/Year
The Cyber Question

How can we efficiently and effectively manage our cyber risks?

(Diagram: the gap between an Unacceptable Risk Level and an Acceptable Risk Level.)
Risk Management 101

(Diagram: a balance between Potential Loss and Protection Costs.)
Risk Management Basics - F-A-R-M
Impossible to eliminate all risks

Frame: Establish a risk context...
Assess: Threats, Vulnerabilities, Harm, and Likelihood
Respond: Accept, Avoid, Mitigate, Transfer, or Share
Monitor: The threat landscape changes constantly!

(Diagram: Frame, Assess, Respond, and Monitor as a continuous cycle around the Security Category.)

Source: NIST SP 800-39, “Managing Information Security Risk”
Key Things About Cybersecurity
• Business operations
• Resources your business uses
• Where information resides
• Access to information/systems
• What to protect
NIST CSF

Improving Critical Infrastructure Cybersecurity
Executive Order 13636, February 2013

“It is the policy of the United States to enhance the security and resilience of the Nation’s critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties.”
Who Is NIST???

• Standards & Technology
• Cloud Computing
• Smart Grid
• Cyberspace
• Cybersecurity Framework
STRENGTHENING THE CYBERSECURITY OF FEDERAL NETWORKS AND CRITICAL INFRASTRUCTURE
Executive Order, May 2017

“Effective immediately, each agency head shall use The Framework for Improving Critical Infrastructure Cybersecurity (the Framework) developed by the National Institute of Standards and Technology, or any successor document, to manage the agency's cybersecurity risk.”
NIST CSF Gaining Momentum

1. Common cybersecurity language
2. Risk-based investment decisions
3. Leverages existing best practices
4. Simple, flexible, and global
5. Freely available to everyone
6. Supply chain risk management

(Diagram: the five Framework Functions as a wheel: Identify, Protect, Detect, Respond, Recover.)
NIST CSF Gaining Momentum

“The NIST Cybersecurity Framework is now used by 30% of U.S. organizations, and is projected to reach 50% by 2020.”

(Chart: adoption rising from 0% in 2014 to 30% in 2016 and a projected 50% in 2020.)

Source: Cybersecurity "Rosetta Stone" Celebrates Two Years of Success
https://www.nist.gov/news-events/news/2016/02/cybersecurity-rosetta-stone-celebrates-two-years-success
Promotes Cybersecurity Best Practices

People, Process, Technology: NIST CSF covers all three.
Framework Basics

NIST CSF Components
• Framework Core
• Framework Profiles
• Framework Tiers
Core

NIST CSF Core
1. Functions: High-level cybersecurity goals (Identify, Protect, Detect, Respond, Recover)
2. Categories: Subdivide Functions into specific activities
3. Subcategories: Subdivide Categories into desired outcomes
4. Informative Resources: Standards references to achieve the outcomes
High Level Core View

• Know what you have
• Secure what you have
• Spot threats quickly
• Take action immediately
• Restore operations
Importance of People and Process

Only half of the Framework’s Categories are addressed by technology. This highlights the importance of both people and process in cybersecurity.
Core: Informative Resources

Function | Category | Subcategory | Informative Resources
Identify (ID) | Asset Management (ID.AM) | Physical device inventories (ID.AM-1) | CIS Control 1; COBIT 5 BAI09.01, BAI09.02; ISA 62443-2-1:2009 4.2.3.4; ISA 62443-3-3:2013 SR 7.8; ISO/IEC 27001:2013 A.8.1.1, A.8.1.2; NIST SP 800-53 Rev. 4 CM-8

CIS Control 1: Inventory of Authorized and Unauthorized Devices
Tiers

Reflect how an organization views cybersecurity risk and the processes in place to manage that risk.

Tier 4 Adaptive: Practices fully established and continuously improved
Tier 3 Repeatable: Practices approved and established by organizational policy
Tier 2 Risk Informed: Practices approved but not completely established by policy
Tier 1 Partial: Informal, ad hoc, reactive responses
Profiles

The alignment of the Framework Core with an organization’s business requirements, risk tolerance, and resources.

• Describes the current state and desired future state
• Reveals gaps that can flow into action plan development
• Facilitates a roadmap for reducing cybersecurity risk
Using the Framework

NIST CSF Use Cases

1. Basic Review of Cybersecurity Practices: “How well are we doing today?”
2. Establishing or Improving a Cybersecurity Program: “Can we assess and improve?”
3. Communicating Cybersecurity Requirements with Stakeholders: “Can we speak the same language?”
4. Identifying Opportunities for Updated Informative References: “What else should we consider?”
5. Methodology to Protect Privacy and Civil Liberties: “Can we protect data better?”

Let’s focus here: Establishing or Improving a Cybersecurity Program.
Improving a Program

(Cycle diagram, starting at step 1:)
1. Prioritize and Scope
2. Orient
3. Create Current Profile
4. Conduct Risk Assessment
5. Create Target Profile
6. Analyze Gaps
7. Implement Action Plan
Step 1: Prioritize and Scope

Identify business/mission objectives and high-level organizational priorities.

• Make strategic decisions on cybersecurity
• Determine scope of systems and assets that support the mission
• Assess risk tolerance
Step 2: Orient

Identify related systems, regulatory requirements, and overall risk approach.

• Identify threats to systems and assets
• Identify vulnerabilities associated with systems and assets
Step 3: Current Profile (example)

Function: Identify (ID), Category: Asset Management (ID.AM)

Subcategory | Current Profile | Notes
Physical device inventories (ID.AM-1) | Tier 1 | Manual, spreadsheet-based system is insufficient and lacks network visibility.
Software inventories (ID.AM-2) | Tier 1 | Asset management system cannot detect new software applications being deployed.
Communication/data flow maps (ID.AM-3) | Tier 2 | Flow maps are documented and approved but need to be formalized by policy.
External system catalogs (ID.AM-4) | Unused | Current business model does not require external system catalogs.
Resource prioritization (ID.AM-5) | Tier 4 | Prioritization system is working well for our needs today.
Roles/responsibilities clarification (ID.AM-6) | Tier 3 | New cybersecurity responsibilities need to be formalized by policy.
Step 4: Risk Assessment

Fxn. | Cat. | Sub. | Current Profile | Risk Assessment
ID | ID.AM | ID.AM-1 | Tier 1 | Unacceptably high risks
ID | ID.AM | ID.AM-2 | Tier 1 | Unacceptably high risks
ID | ID.AM | ID.AM-3 | Tier 2 | Acceptable risks at this time
ID | ID.AM | ID.AM-4 | Unused | Acceptable risks at this time
ID | ID.AM | ID.AM-5 | Tier 4 | Acceptable risks at this time
ID | ID.AM | ID.AM-6 | Tier 3 | Acceptable risks at this time
Step 5: Target Profile

Fxn. | Cat. | Sub. | Target Profile
ID | ID.AM | ID.AM-1 | Tier 4
ID | ID.AM | ID.AM-2 | Tier 4
ID | ID.AM | ID.AM-3 | Tier 2
ID | ID.AM | ID.AM-4 | Unused
ID | ID.AM | ID.AM-5 | Tier 4
ID | ID.AM | ID.AM-6 | Tier 3

This is where we want to be:
• Physical device and software inventories at Tier 4, “Adaptive”
• Practices fully established, continuously improved, and built into our overall risk management program
Step 6: Gap Analysis

Fxn. | Cat. | Sub. | Current Profile | Target Profile
ID | ID.AM | ID.AM-1 | Tier 1 | Tier 4
ID | ID.AM | ID.AM-2 | Tier 1 | Tier 4
ID | ID.AM | ID.AM-3 | Tier 2 | Tier 2
ID | ID.AM | ID.AM-4 | Unused | Unused
ID | ID.AM | ID.AM-5 | Tier 4 | Tier 4
ID | ID.AM | ID.AM-6 | Tier 3 | Tier 3

Comparing the two profiles enables a prioritized action plan.
Step 7: Action Plan

Fxn. | Cat. | Sub. | Informative Resources
ID | ID.AM | ID.AM-1 | CIS Control 1; COBIT 5 BAI09.01, BAI09.02; ISA 62443-2-1:2009 4.2.3.4; ISA 62443-3-3:2013 SR 7.8; ISO/IEC 27001:2013 A.8.1.1, A.8.1.2; NIST SP 800-53 Rev. 4 CM-8
ID | ID.AM | ID.AM-2 | CIS Control 2; COBIT 5 BAI09.01, BAI09.02, BAI09.05; ISA 62443-2-1:2009 4.2.3.4; ISA 62443-3-3:2013 SR 7.8; ISO/IEC 27001:2013 A.8.1.1, A.8.1.2; NIST SP 800-53 Rev. 4 CM-8

NIST SP 800-53 Revision 4, CM-8 / Information System Component Inventory
Control: The organization:
a. Develops and documents an inventory of information system components that:
1. Accurately reflects the current information system;
2. Includes all components within the authorization boundary of the information system;
3. Is at the level of granularity deemed necessary for tracking and reporting; and
4. Includes [Assignment: organization-defined information deemed necessary to achieve effective information system component accountability]
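Steps 3 through 7 above are a repeatable comparison of a Current Profile, a Risk Assessment and a Target Profile that ends in a prioritized action plan. The script below is an added example, not code from the deck, from Cisco or from NIST: it encodes the ID.AM rows from the example slides (the notes are shortened), computes the tier gap per subcategory, orders the gaps so that unacceptable risks and the largest tier jumps come first, and attaches the informative references the Action Plan slide lists. The tier numbering, the "Unused" handling and the consistency checks (a target below the current tier, or "Unused" on one side only) are the example's own assumptions; the rest of the values come from the slides.

```python
"""Gap analysis for the deck's ID.AM example (steps 3-7 of "Improving a Program").

Hypothetical helper, not part of the NIST CSF or of the Cisco deck: it turns the
Current Profile, Risk Assessment and Target Profile tables into a prioritized
action plan with the informative references listed on the Action Plan slide.
"""

TIER_LEVEL = {"Tier 1": 1, "Tier 2": 2, "Tier 3": 3, "Tier 4": 4}
TIER_NAME = {1: "Partial", 2: "Risk Informed", 3: "Repeatable", 4: "Adaptive"}
UNUSED = "Unused"  # subcategory not applicable to the business model

# Constructed from the deck's example tables; notes shortened.
CURRENT_PROFILE = {
    "ID.AM-1": ("Tier 1", "Manual, spreadsheet-based inventory lacks network visibility"),
    "ID.AM-2": ("Tier 1", "Asset management cannot detect newly deployed software"),
    "ID.AM-3": ("Tier 2", "Flow maps documented but not formalized by policy"),
    "ID.AM-4": (UNUSED, "Business model does not require external system catalogs"),
    "ID.AM-5": ("Tier 4", "Prioritization system working well"),
    "ID.AM-6": ("Tier 3", "New responsibilities need to be formalized by policy"),
}
RISK_ASSESSMENT = {  # step 4: which current states carry unacceptable risk
    "ID.AM-1": "unacceptable", "ID.AM-2": "unacceptable",
    "ID.AM-3": "acceptable", "ID.AM-4": "acceptable",
    "ID.AM-5": "acceptable", "ID.AM-6": "acceptable",
}
TARGET_PROFILE = {  # step 5
    "ID.AM-1": "Tier 4", "ID.AM-2": "Tier 4", "ID.AM-3": "Tier 2",
    "ID.AM-4": UNUSED, "ID.AM-5": "Tier 4", "ID.AM-6": "Tier 3",
}
INFORMATIVE_REFERENCES = {  # step 7 inputs, as listed on the Action Plan slide
    "ID.AM-1": ["CIS Control 1", "COBIT 5 BAI09.01, BAI09.02", "ISA 62443-2-1:2009 4.2.3.4",
                "ISA 62443-3-3:2013 SR 7.8", "ISO/IEC 27001:2013 A.8.1.1, A.8.1.2",
                "NIST SP 800-53 Rev. 4 CM-8"],
    "ID.AM-2": ["CIS Control 2", "COBIT 5 BAI09.01, BAI09.02, BAI09.05",
                "ISA 62443-2-1:2009 4.2.3.4", "ISA 62443-3-3:2013 SR 7.8",
                "ISO/IEC 27001:2013 A.8.1.1, A.8.1.2", "NIST SP 800-53 Rev. 4 CM-8"],
}


def tier_gap(current, target):
    """Return (gap, status). gap = target level - current level, or None when the
    subcategory is Unused. Profile inconsistencies (a target below the current
    tier, or Unused on one side only) are reported in the status string."""
    if current == UNUSED and target == UNUSED:
        return None, "not applicable"
    if current == UNUSED or target == UNUSED:
        return None, "inconsistent: Unused on one side only, re-check step 1 scoping"
    gap = TIER_LEVEL[target] - TIER_LEVEL[current]
    if gap < 0:
        return gap, "inconsistent: target is below current tier"
    return gap, "ok"


def analyze_gaps(current=CURRENT_PROFILE, target=TARGET_PROFILE, risk=RISK_ASSESSMENT):
    """Step 6: one record per subcategory, ordered for the action plan:
    unacceptable risk first, then largest tier gap, then subcategory id."""
    rows = []
    for sub, (cur_tier, note) in current.items():
        gap, status = tier_gap(cur_tier, target[sub])
        rows.append({"subcategory": sub, "current": cur_tier, "target": target[sub],
                     "gap": gap, "status": status, "risk": risk[sub], "note": note})
    rows.sort(key=lambda r: (r["risk"] != "unacceptable", -(r["gap"] or 0), r["subcategory"]))
    return rows


def action_plan(rows, references=INFORMATIVE_REFERENCES):
    """Step 7: for every subcategory with a positive gap, pair the target tier
    with the informative references that describe how to reach it."""
    plan = []
    for r in rows:
        if r["gap"] and r["gap"] > 0:
            goal = f'{r["target"]} ({TIER_NAME[TIER_LEVEL[r["target"]]]})'
            plan.append({"subcategory": r["subcategory"], "goal": goal,
                         "references": references.get(r["subcategory"], [])})
    return plan


if __name__ == "__main__":
    rows = analyze_gaps()
    for r in rows:
        print(f'{r["subcategory"]}: {r["current"]} -> {r["target"]} '
              f'gap={r["gap"]} risk={r["risk"]} [{r["status"]}]')
    for item in action_plan(rows):
        print(item["subcategory"], "->", item["goal"], "via", "; ".join(item["references"]))
```

On the deck's data only ID.AM-1 and ID.AM-2 produce a gap (Tier 1 to Tier 4), so the action plan contains exactly those two rows, each pointing at CM-8 and the other references from the slide; ID.AM-4 is carried through as not applicable rather than as a gap of zero, which keeps a scoping decision from step 1 distinguishable from a subcategory that is already at target.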
Step 7: Develop Action Plan - Inventory

“We need an accurate device inventory...”
“...but we don’t even know what’s on our network!”
Step 7: Implement Action Plan - Discovery/Profiling

ISE: Cisco Identity Services Engine
Discovers and accurately identifies devices connected to wired, wireless, and VPN.
Continuous Improvement - Not Once & Done

(The same seven-step cycle, repeated continuously:)
1. Prioritize and Scope
2. Orient
3. Create Current Profile
4. Conduct Risk Assessment
5. Create Target Profile
6. Analyze Gaps
7. Implement Action Plan
Implementation Coordination

(Diagram: three organizational levels and the information that flows between them.)

Senior Executive (Risk Management)
  - down to Business/Process: Mission Priority, Risk Appetite, and Budget
  - up from Business/Process: Changes in Current and Future Risk
Business/Process
  - down to Operations: Framework Profiles
  - up from Operations: Implementation Progress, Changes in Assets, Vulnerabilities, and Threats
Operations (Implementation)
How Do You Discuss This?

(Same diagram as the previous slide.)

Senior Executive
  - down to Business/Process: Mission Priority, Risk Appetite, and Budget
  - up from Business/Process: Changes in Current and Future Risk
Business/Process
  - down to Operations: Framework Profiles
  - up from Operations: Implementation Progress, Changes in Assets, Vulnerabilities, and Threats
Operations
NIST CSF

1. Determine the cyber activities that are essential to your strategy and service delivery
2. Prioritize your investments in managing cybersecurity risk
3. Determine how best to enable people to be risk conscious and security aware
4. Assess the efficiency and effectiveness of your use of cyber standards and practices
5. Assess the cybersecurity results you achieve
6. Identify strengths to leverage and priorities for improvement
Baldrige Cybersecurity Excellence Builder

About Baldrige - Quality & Performance Excellence

• Supports Leadership & Performance Excellence
• Public-private partnership dedicated to Performance Excellence
• Provides organization assessment tools: measure & evaluate

Sectors: Government, Education, Healthcare
Baldrige Cybersecurity Excellence Builder “CEB”

• New self-assessment tool to improve your organization’s cybersecurity performance
• Asks the key cybersecurity assessment questions
• Identifies areas for improvement
• Adapts and scales to your organization
Baldrige CEB & NIST CSF Relationship

Baldrige: Leading Edge of Validated Leadership and Performance Practice
NIST CSF: Cybersecurity Standards, Guidelines, Practices, and References
Together: a Self-Assessment Tool
Baldrige CEB

(Diagram: Organizational Context; Leadership, Strategy, Customers, Workforce, Operations, Integration, Results; Measurement, Analysis, and Knowledge Management; Core Values and Concepts.)

The Baldrige Cybersecurity Excellence Builder helps you understand and improve what is critical to your organization’s cybersecurity risk management.
Baldrige CEB - Improve Your Cyber Performance

(Cycle diagram, starting at step 1:)
1. Decide on the scope
2. Complete the organizational context
3. Answer the process questions
4. Answer the results questions
5. Assess your answers using the rubric
6. Prioritize your actions, and develop your action plan
7. Measure and evaluate your progress
Baldrige CEB - Sample Process & Results Questions

(Slide shows sample Process Questions and sample Results Questions.)
Baldrige CEB - Assessment Rubric

1. Reactive
2. Early
3. Developing
4. Mature
5. Leading
6. Exemplary
Baldrige CEB - Assessment Rubric

Step 5: Assess your answers using the assessment rubric.
Baldrige CEB - Self Analysis Worksheet

(Worksheet excerpt: each answer is scored on the rubric, e.g. 6 Exemplary, 5 Leading, 3 Developing, 4 Mature, 3 Developing, 2 Early, 2 Early, 1 Reactive; selected rows are marked “H”.)
Baldrige CEB - Benefits by Organizational Roles

Baldrige CEB - Crosswalk of CSF & CEB
Cisco Supports NIST CSF

Cybersecurity Excellence = Effective Security

Simple + Open + Automated = Effective Security
Technology

Cisco Security & NIST CSF Matrix - Identify (ID)
• Asset Management
• Business Environment: Non-technical control area
• Governance: Non-technical control area
• Risk Assessment
• Risk Mgmt. Strategy: Non-technical control area

Cisco Security & NIST CSF Matrix - Protect (PR)
• Access Control
• Awareness/Training: Non-technical control area
• Data Security
• Info Protection Process: Non-technical control area
• Maintenance
• Protective Technology

Cisco Security & NIST CSF Matrix - Detect (DE)
• Anomalies and Events
• Continuous Monitoring
• Detection Processes: Non-technical control area

Cisco Security & NIST CSF Matrix - Respond (RS)
• Response Planning: Non-technical control area
• Communications: Non-technical control area
• Analysis
• Mitigation
• Improvements: Non-technical control area

Cisco Security & NIST CSF Matrix - Recover (RC)
• Recovery Planning: Non-technical control area
• Improvements: Non-technical control area
• Communications: Non-technical control area
Cisco IT Aligns to NIST

“To me the most important thing is not which, but to pick one, and align it to your own needs, threats and risk tolerance.”

Steve Martino, Cisco IT - VP CISO
Successful Adoption
• Know the NIST CSF & Baldrige CEB
• Leadership buy-in: sell it
• Form a team/committee
• Follow the 7 steps
• Adopt elements and make it your own
• Contact Cisco
Pitfalls to Avoid

• Don’t do it alone
• Never think it’s done
• Don’t adopt controls just to have
• Don’t think just “Critical Infrastructure”
• Not one size fits all

Summary

The Problem: Cybersecurity Risk Management
The Solution: NIST Cybersecurity Framework (CSF) + Baldrige CEB
Alignment with NIST: Our strategy, products, and services enable CSF adoption

Next Steps
CSF Reference Tool

• FileMaker runtime database version of the CSF Core
• Search and customize the CSF Core to your needs
• Export into different file types (CSV, XML, etc.)
References

NIST Cybersecurity Framework (CSF): http://www.nist.gov/cyberframework
Baldrige Cybersecurity Excellence Builder (CEB): http://www.nist.gov/baldrige
Cybersecurity Executive Order: http://cisco.com/go/cyberEO
Cisco Trust and Transparency Center: http://www.cisco.com/go/trust
Cisco Cybersecurity Reports: http://www.cisco.com/go/securityreport
Cisco Security Products and Services: http://www.cisco.com/go/security
Complete Your Online Session Evaluation
• Give us your feedback to be entered into a Daily Survey Drawing. A daily winner will receive a $750 gift card.
• Complete your session surveys through the Cisco Live mobile app or on www.CiscoLive.com/us.

Don’t forget: Cisco Live sessions will be available for viewing on demand after the event at www.CiscoLive.com/Online.

Continue Your Education
• Demos in the Cisco campus
• Walk-in Self-Paced Labs
• Lunch & Learn
• Meet the Engineer 1:1 meetings
• Related sessions
Thank you

Appendix

Technology: Cisco Security & NIST CSF Matrix

Identify (ID)
• Asset Management
• Business Environment: Non-technical control area
• Governance: Non-technical control area
• Risk Assessment
• Risk Mgmt. Strategy: Non-technical control area

Protect (PR)
• Access Control
• Awareness/Training: Non-technical control area
• Data Security
• Info Protection Process: Non-technical control area
• Maintenance
• Protective Technology

Detect (DE)
• Anomalies and Events
• Continuous Monitoring
• Detection Processes: Non-technical control area

Respond (RS)
• Response Planning: Non-technical control area
• Communications: Non-technical control area
• Analysis
• Mitigation
• Improvements: Non-technical control area

Recover (RC)
• Recovery Planning: Non-technical control area
• Improvements: Non-technical control area
• Communications: Non-technical control area