
Implementation Steps (1&2)


Guest Alex Calis

The Cybersecurity Framework identifies seven (7) steps for establishing or improving a cybersecurity program. These seven steps help organizations receive full value from using the Framework. It is important to note that the seven steps are provided as guidance for organizations. Organizations can determine the best way to implement each step based on their current organizational practices. Additionally, the Framework acknowledges that some organizations may choose to implement the steps in a different order than listed in the Framework. This post focuses on Steps 1 & 2 of the Framework: Prioritize and Scope & Orient. Subsequent postings to the web series will provide additional information regarding the remaining steps over the next two weeks.


Step 1: Prioritize and Scope – This step is used to help organizations identify how they want to scope their cybersecurity programs. To determine the scope, an organization must consider business objectives and priorities, risk architecture, and compliance requirements. By gathering and discussing this information, an organization can begin to determine how to implement effective cybersecurity governance that focuses on achieving business goals and managing risk. Several common methods exist. The first is at the Enterprise level, where guidance is provided to the organization’s entire enterprise, is applicable to all types of information systems and mission objectives, and a standard risk threshold exists. The second most common type is for a Business Unit. Business Units are lower levels within an organization. Each business unit may have different business drivers and mission requirements, and therefore different risk tolerance thresholds. For example, an organization that conducts online banking may determine that the business unit that provides the web platform has different business objectives, mission goals, and risk tolerances from its human resources department. The third most common way to scope an organization’s cybersecurity program is at the system level. System-level cybersecurity programs typically only encompass the assets, mission, and risk threshold for a single system within a Business Unit. Once the organization scopes its cybersecurity program and understands how many separate programs are needed, the organization prioritizes the order in which it wants to develop the programs. The priority can be selected by any method the organization feels is appropriate to meet its mission goals and business objectives.


Step 2: Orient – Framework implementation teams use step 2 to define the cybersecurity program as scoped in step 1. The Framework profile is used to capture the metadata about the cybersecurity program by identifying the People, Processes, and Technologies (PPTs), as well as any regulatory restrictions and compliance requirements allocated to the cybersecurity program scoped in step 1. During step 2, threats to the cybersecurity program being oriented are defined, as well as any applicable vulnerability information. This information is used to inform the overall risk approach defined for the cybersecurity program being oriented. Once the orient step is complete, anyone reviewing the metadata about the profile would understand the ‘box’ drawn around, or the organizational context of, the cybersecurity program. Additionally, after completing step 2, the Framework profile for the cybersecurity program would define acceptable risk tolerance levels and the approach for addressing risk within the cybersecurity program being defined.


My only concern here is that we need to be "very careful" about the alignment of Business units' goals with the overall objectives of the enterprise. This is not a simple exercise. We can borrow the concepts from the DoD's Distributed Command and Control for coalition partners and non-governmental organizations for events -- e.g., humanitarian and disaster relief efforts -- to address such an issue. Page 48 of "The Strategy Focused Organization, 2001", published by the Harvard Business School Press, gives a nice template that can be adapted to address the governance model for Step 1. Professor Robert S. Kaplan (from Harvard Business School) and Dr. David P. Norton (founder and director of the Palladium Group) are the authors of this book!


Best Regards,


Kofi Nyamekye, Ph.D.   
