
Copyright © 2018 Deloitte Development LLC. All rights reserved.

Physical Security Services


Today’s objectives

1. Introduce the components of the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework (CSF):
   • Core
   • Implementation Tiers
   • Profile
2. Highlight specific categories within the core functions that may include assessment activities where physical-cyber convergence occurs.

Today’s Agenda

• Baselining terminology
• Development of NIST’s CSF
• CSF components
− Framework core
− Framework implementation tiers
− Framework profile
• How to use the repeatable assessment framework
• Questions / answers

Baselining terminology

For today’s discussion, we will refer to the below diagram, which visualizes risk as a function of threat, vulnerability and consequence.

[Diagram: Risk as a function of Threat, Vulnerability and Consequence. Threat is broken down into the likelihood of the adversary’s capability and the likelihood of the adversary’s intent; Vulnerability is expressed as the likelihood of impact; Consequence is the resulting harm.]
Development of NIST’s CSF

The CSF development process began with Executive Order 13636, released on February 12, 2013. The Executive Order introduced efforts on the sharing of cybersecurity threat information and on building a set of current and successful approaches, a framework, for reducing risks to critical infrastructure. Executive Order 13800, released on May 11, 2017, requires all Federal agencies to use the CSF to manage the agency’s cybersecurity risk.

Through Executive Order 13636, NIST was tasked with the development of a "Cybersecurity Framework".

The National Institute of Standards and Technology (NIST) was selected for the task of developing the Framework because it is a non-regulatory Federal agency that acts as an unbiased source of scientific data and practices, including cybersecurity practices.

NIST published the Cybersecurity Framework (CSF) version 1.0 on February 12, 2014 after a year-long collaborative effort with stakeholders in the critical infrastructure (1) sector. The latest version (version 1.1) was released on April 16, 2018.

The CSF leverages elements of existing, well-known risk management frameworks, processes, and guidelines (e.g., COBIT, ISA 62443, ISO/IEC 27001 and NIST SP 800-53).

(1) Critical infrastructure is defined in the USA PATRIOT Act of 2001 as “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.”
CSF components

The CSF is a risk-based approach to managing cybersecurity risk and is composed of three parts, shown below. The components reinforce the connection between business/mission drivers and cybersecurity activities.

Core
• Cybersecurity activities and informative references, organized around particular outcomes
• Enables communication of cybersecurity risks across an organization

Implementation Tiers
• Describes the degree to which an organization’s cybersecurity risk management practices exhibit the characteristics defined in the Framework (e.g., risk and threat aware, repeatable, and adaptive)

Profile
• Aligns industry standards and best practices to the Framework Core in a particular implementation scenario
• Supports prioritization and measurement while factoring in business needs
Framework core

The core provides a set of activities to achieve specific cybersecurity outcomes, and references examples of guidance to achieve those outcomes. It comprises four elements: Functions, Categories, Subcategories, and Informative References.

• Functions: aid an organization in expressing its management of cybersecurity risk by organizing information
• Categories: subdivisions of a function into groups of cybersecurity outcomes closely tied to programs and particular activities
• Subcategories: divide a category into specific outcomes of technical and/or management activities
• Informative References: specific sections of standards, guidelines, and practices common among critical infrastructure sectors
Activity

How would you answer each of the five questions below?

1. What processes and assets need protection?
2. What safeguards or countermeasures are available?
3. What techniques can identify security incidents?
4. What activities can help contain the impacts of incidents?
5. What activities are required to restore capabilities?
Framework core

Functions are to be performed concurrently and continuously to form an operational culture that addresses dynamic cybersecurity risk.

The slide lays this out as a table with the columns Function, Category, Physical Controls, Cyber Controls and The Challenge; the Physical Controls and Cyber Controls columns are empty in the slides. The functions, their categories (CSF v1.1 names) and the challenge each function answers:

Identify (What processes and assets need protection?)
• Asset Management
• Business Environment
• Governance
• Risk Assessment
• Risk Management Strategy
• Supply Chain Risk Management

Protect (What safeguards or countermeasures are available?)
• Identity Management, Authentication and Access Control
• Awareness and Training
• Data Security
• Information Protection Processes and Procedures
• Maintenance
• Protective Technology

Detect (What techniques can identify cybersecurity incidents?)
• Anomalies and Events
• Security Continuous Monitoring
• Detection Processes

Respond (What activities can contain the impacts of incidents?)
• Response Planning
• Communications
• Analysis
• Mitigation
• Improvements

Recover (What activities are required to restore capabilities?)
• Recovery Planning
• Improvements
• Communications
Framework core (cont’d)

Functions are to be performed concurrently and continuously to form an operational culture that addresses dynamic cybersecurity risk.

The next five slides repeat the table above one function at a time (Identify, Protect, Detect, Respond, Recover), each with the same categories and challenge question, and with the Physical Controls and Cyber Controls columns left empty.
Framework implementation tiers

Implementation Tiers provide context on how an organization views cybersecurity risk and the processes in place to manage that risk. An organization’s current risk management practices, threat environment, legal and regulatory requirements, information sharing practices, business/mission objectives, and supply chain cybersecurity requirements are considered when determining the tier.

The four tiers are Tier 1: Partial, Tier 2: Risk Informed, Tier 3: Repeatable and Tier 4: Adaptive. Each is characterized along three dimensions:

Risk Management Process: the degree to which risk management processes are applied in alignment with organizational risk objectives, changes in business/mission requirements, and a changing threat and technology landscape.
• Tier 1: Not formalized; ad hoc; prioritization is not informed by organizational risk objectives
• Tier 2: Formalized, but not established as organization-wide policy; prioritization is directly informed by organizational risk objectives
• Tier 3: Formal, organization-wide policy, regularly updated
• Tier 4: Incorporates predictive indicators and lessons learned

Integrated Risk Management Program: definition and implementation of risk-informed policies, processes, and procedures to enable personnel to possess the knowledge and skill to perform their appointed cybersecurity roles and responsibilities.
• Tier 1: Irregular, case-by-case basis
• Tier 2: Regular, but no organization-wide approach
• Tier 3: Consistent, organization-wide approach
• Tier 4: Cybersecurity risk management is part of the organization’s culture

External Participation: understanding of an organization’s role, dependencies, and dependents in the larger ecosystem by collaborating with and regularly receiving information from other entities that complements internally generated information, and sharing information with other entities.
• Tier 1: Lack of ecosystem understanding and of collaboration
• Tier 2: Dependencies or dependents known, but not both; internal, informal sharing
• Tier 3: Both dependencies and dependents are known; internal and external information sharing
• Tier 4: Generates prioritized information; communicates proactively
Framework profile

The Framework Profile is the alignment of the functions, categories, and subcategories with the business requirements, risk tolerance, and resources of the organization. Profiles can be used to describe the current state or the desired target state of specific cybersecurity activities.

1. Current Profile: indicates the cybersecurity outcomes from the framework categories and subcategories that are currently being achieved.
2. Target Profile: indicates the outcomes needed to achieve the desired cybersecurity risk management goals.
3. Gaps are identified by comparing Profiles (e.g., the Current Profile and Target Profile).
4. A roadmap is established for reducing cybersecurity risk, aligned with organizational and sector goals, legal/regulatory requirements and industry best practices, and reflecting risk management priorities.
Contacts

David Feeney, Manager, Risk & Financial Advisory, Deloitte, 484.535.2543, dafeeney@deloitte.com
Andrea LeStarge, Senior Manager, Risk & Financial Advisory, Deloitte, 414.530.1834, alestarge@deloitte.com
As used in this document, “Deloitte Advisory” means Deloitte & Touche LLP, which provides audit and enterprise risk services; Deloitte Financial Advisory Services LLP, which provides
forensic, dispute, and other consulting services; and its affiliate, Deloitte Transactions and Business Analytics LLP, which provides a wide range of advisory and analytics services. Deloitte
Transactions and Business Analytics LLP is not a certified public accounting firm. These entities are separate subsidiaries of Deloitte LLP. Please see www.deloitte.com/us/about for a
detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting.

This presentation contains general information only and Deloitte is not, by means of this presentation, rendering accounting, business, financial, investment, legal, tax, or other
professional advice or services. This presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect
your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor.

Deloitte shall not be responsible for any loss sustained by any person who relies on this presentation.

About Deloitte
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee (“DTTL”), its network of member firms, and
their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as “Deloitte Global”) does not
provide services to clients. Please see www.deloitte.com/about for a detailed description of DTTL and its member firms. Please see
www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest
clients under the rules and regulations of public accounting.

Thank you

https://www.linkedin.com/in/davidfeeney/
https://www.linkedin.com/in/andrea-lestarge-1b64a7a9/
www.deloitte.com