Copyright © 2018 Deloitte Development LLC. All rights reserved. Physical Security Services 2
Today’s Agenda
• Baselining terminology
• Development of NIST’s CSF
• CSF components
− Framework core
− Framework implementation tiers
− Framework profile
• How to use the repeatable assessment framework
• Questions / answers
Baselining terminology
For today's discussion, we will refer to the diagram below, which visualizes risk as a function of threat, vulnerability and consequence.
[Diagram: Risk as a function of Threat, Vulnerability and Consequence. Threat is shown as the likelihood of the adversary's capability and the likelihood of the adversary's intent; Vulnerability and Consequence are shown with the likelihood of impact.]
Development of NIST’s CSF
The CSF development process began with Executive Order 13636, released on February 12, 2013. The Executive Order introduced efforts on the sharing of cybersecurity threat information and on building a set of current and successful approaches (a framework) for reducing risks to critical infrastructure. Through this Executive Order, NIST was tasked with the development of a "Cybersecurity Framework". Executive Order 13800, released on May 11, 2017, requires all Federal agencies to use the CSF to manage the agency's cybersecurity risk.
The National Institute of Standards & Technology (NIST) was selected for the task of developing the Framework because it is a non-regulatory Federal agency that acts as an unbiased source of scientific data and practices, including cybersecurity practices.
NIST published the Cybersecurity Framework (CSF) version 1.0 on February 12, 2014, after a year-long collaborative effort with stakeholders in the critical infrastructure¹ sector. The latest version (version 1.1) was released on April 16, 2018.
¹ Critical infrastructure is defined in the U.S. Patriot Act of 2001 as, "Systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters."
CSF components
The CSF is a risk-based approach to managing cybersecurity risk, and is
composed of three parts as shown below. The components reinforce the
connection between business/mission drivers and cybersecurity activities.
Framework core
The core provides a set of activities to achieve specific cybersecurity outcomes, and
references examples of guidance to achieve those outcomes. It comprises four
elements: Functions, Categories, Subcategories, and Informative References.
[Figure: the Functions of the core with their guiding questions. Recoverable labels: 1 – What processes and assets need protection? 3 – What techniques can identify security incidents?]
Framework core
Functions are to be performed concurrently and continuously to form an
operational culture that addresses the dynamic cybersecurity risk.
(Table columns on the slide: Function | Category | The Challenge | Physical Controls | Cyber Controls. The two Controls columns are left blank for the audience to fill in.)

Function: Identify
  Categories: Asset Management; Business Environment; Governance; Risk Assessment; Risk Management Strategy
  The Challenge: What processes and assets need protection?

Function: Protect
  Categories: Access Control; Awareness and Training; Data Security; Info Protection Process & Procedure; Maintenance; Protective Technology
  The Challenge: What safeguards or countermeasures are available?

Function: Detect
  Categories: Anomalies and Events; Security Continuous Monitoring; Detection Processes
  The Challenge: What techniques can identify cybersecurity incidents?

Function: Respond
  Categories: Response Planning; Communications; Analysis; Mitigation; Improvements
  The Challenge: What activities can contain impacts of incidents?

Function: Recover
  Categories: Recovery Planning; Improvements; Communications
  The Challenge: What activities are required to restore capabilities?
Framework implementation tiers
Implementation Tiers provide context on how an organization views cybersecurity risk and the processes in place to manage that risk. An organization's current risk management practices, threat environment, legal and regulatory requirements, information sharing practices, business/mission objectives, and supply chain cybersecurity requirements are considered while determining the tiers.
• Tier 1: Partial
• Tier 2: Risk Informed
• Tier 3: Repeatable
• Tier 4: Adaptable
Framework profile
1. Current Profile indicates the cybersecurity outcomes from the framework categories and sub-categories that are currently being achieved.
2. Target Profile indicates the outcomes needed to achieve the desired cybersecurity risk management goals.
3. Gaps are identified by comparing Profiles (e.g., the Current Profile and Target Profile).
4. A roadmap is established for reducing cybersecurity risk aligned with organizational and sector goals, legal/regulatory requirements and industry best practices, and reflects risk management priorities.
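The four Profile steps above are the repeatable part of the assessment: score each outcome in the Current Profile, set the Target Profile, compare the two to find gaps, and order the gaps into a roadmap by risk-management priority. The following is an added example written for this page; it is not code from the deck or from Deloitte. It uses the Function and Category names from the Framework core table, but the 0-4 maturity scale, the priority values and every score in the sample profiles are constructed assumptions.

```python
"""Current vs Target Profile gap analysis and roadmap (added example, not from the deck).

Assumptions: outcomes are scored on a 0-4 maturity scale (loosely mirroring Tiers 1-4),
and each outcome carries a risk-management priority where 1 is the most urgent.
All sample scores below are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass

# Functions in the order the Framework core lists them.
FUNCTIONS = ("Identify", "Protect", "Detect", "Respond", "Recover")
SCALE_MAX = 4  # assumed 0-4 maturity scale


@dataclass(frozen=True)
class Outcome:
    function: str
    category: str
    current: int   # level currently being achieved (Current Profile)
    target: int    # level needed to meet risk-management goals (Target Profile)
    priority: int  # 1 = highest risk-management priority (constructed)

    def __post_init__(self):
        # Reject malformed assessment rows early so a typo cannot hide a gap.
        if self.function not in FUNCTIONS:
            raise ValueError(f"unknown Function: {self.function}")
        for name in ("current", "target"):
            value = getattr(self, name)
            if not 0 <= value <= SCALE_MAX:
                raise ValueError(f"{name} must be 0..{SCALE_MAX}, got {value}")
        if self.priority < 1:
            raise ValueError("priority must be 1 or greater")

    @property
    def gap(self) -> int:
        """Levels still missing to reach the Target Profile (never negative)."""
        return max(self.target - self.current, 0)


def find_gaps(outcomes):
    """Step 3: compare Current and Target Profile; keep only unmet outcomes."""
    return [o for o in outcomes if o.gap > 0]


def build_roadmap(outcomes):
    """Step 4: order gaps by priority, then by largest gap, then by Function order."""
    return sorted(
        find_gaps(outcomes),
        key=lambda o: (o.priority, -o.gap, FUNCTIONS.index(o.function), o.category),
    )


def coverage_by_function(outcomes):
    """Share of outcomes per Function already at or above target (0.0-1.0)."""
    met, total = defaultdict(int), defaultdict(int)
    for o in outcomes:
        total[o.function] += 1
        if o.gap == 0:
            met[o.function] += 1
    return {f: round(met[f] / total[f], 2) for f in FUNCTIONS if total[f]}


def progress(previous, current):
    """Repeatable assessment: change in Current Profile score between two rounds."""
    before = {(o.function, o.category): o.current for o in previous}
    return {(o.function, o.category): o.current - before.get((o.function, o.category), 0)
            for o in current}


def make_profile(rows):
    return [Outcome(*row) for row in rows]


# Constructed sample: first assessment round.
SAMPLE_Q1 = make_profile([
    ("Identify", "Asset Management", 2, 3, 1),
    ("Identify", "Risk Assessment", 1, 3, 1),
    ("Protect", "Access Control", 3, 3, 1),
    ("Protect", "Awareness and Training", 2, 3, 2),
    ("Detect", "Security Continuous Monitoring", 1, 3, 1),
    ("Detect", "Anomalies and Events", 2, 3, 2),
    ("Respond", "Response Planning", 2, 2, 3),
    ("Recover", "Recovery Planning", 1, 2, 2),
])

# Constructed sample: second round, after work on two roadmap items.
SAMPLE_Q2 = make_profile([
    (o.function, o.category,
     {"Risk Assessment": 2, "Security Continuous Monitoring": 3}.get(o.category, o.current),
     o.target, o.priority)
    for o in SAMPLE_Q1
])

if __name__ == "__main__":
    for item in build_roadmap(SAMPLE_Q1):
        print(f"P{item.priority} {item.function:8} {item.category:32} gap={item.gap}")
    print(coverage_by_function(SAMPLE_Q1))
    print(progress(SAMPLE_Q1, SAMPLE_Q2))
```

The roadmap key puts priority ahead of gap size on purpose: a one-level gap in a priority-1 category outranks a two-level gap in a priority-2 category, which is what "reflects risk management priorities" in step 4 implies. Re-running `progress` on each assessment round is what makes the exercise repeatable rather than a one-off snapshot.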
David Feeney
Manager, Risk & Financial Advisory, Deloitte
484.535.2543
dafeeney@deloitte.com

Andrea LeStarge
Senior Manager, Risk & Financial Advisory, Deloitte
414.530.1834
alestarge@deloitte.com
As used in this document, “Deloitte Advisory” means Deloitte & Touche LLP, which provides audit and enterprise risk services; Deloitte Financial Advisory Services LLP, which provides
forensic, dispute, and other consulting services; and its affiliate, Deloitte Transactions and Business Analytics LLP, which provides a wide range of advisory and analytics services. Deloitte
Transactions and Business Analytics LLP is not a certified public accounting firm. These entities are separate subsidiaries of Deloitte LLP. Please see www.deloitte.com/us/about for a
detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting.
This presentation contains general information only and Deloitte is not, by means of this presentation, rendering accounting, business, financial, investment, legal, tax, or other
professional advice or services. This presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect
your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor.
Deloitte shall not be responsible for any loss sustained by any person who relies on this presentation.
About Deloitte
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee (“DTTL”), its network of member firms, and
their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as “Deloitte Global”) does not
provide services to clients. Please see www.deloitte.com/about for a detailed description of DTTL and its member firms. Please see
www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest
clients under the rules and regulations of public accounting.
www.pecb.com/en/education-and-certification-for-
individuals/iso-31000
www.pecb.com/events
Questions / answers
THANK YOU
https://www.linkedin.com/in/davidfeeney/ www.deloitte.com
https://www.linkedin.com/in/andrea-lestarge-1b64a7a9/