Jump to content

Kristen LeClere

  • Content Count

  • Joined

  • Last visited

About Kristen LeClere

  • Rank

Profile Information

  • Gender
    Not Telling
  1. Kristen LeClere

    Understanding the Implementation Tiers

    One of the most challenging components of the Cybersecurity Framework to grasp is that of the Framework Implementation Tiers (“Tiers”). Last week, you heard about the Framework Core – “a set of activities to achieve specific cybersecurity outcomes, and references examples of guidance to achieve those outcomes” [from the Cybersecurity Framework, Section 2.1]. If the Core indicates what to do, the Tiers influence how to do activities. In recording the current activities to achieve the outcomes described in the Core, and in planning how one will achieve those outcomes in the future, the tiers help organizations define how well they are/want to achieve those outcomes. It goes without saying that each organization has differing priorities and resources. Those resources need to support achievement of the risk management goals of the organization, and they need to do so in a cost-effective manner. Consider an illustrative example outcome of “local fires in data centers are extinguished quickly.” To protect a critical information system for a large corporation, a reasonable proactive approach might be to install Halon fire suppression equipment at a cost of tens of thousands of dollars. A smaller organization, however, might choose to take a reactive stance and provide a $20 fire extinguisher. Each solution is suitable depending upon the value of the resources being protected and depending upon the organization’s risk management criteria. While the example above may be somewhat extreme, it illustrates how the Framework Implementation Tiers (“Tiers”) “provide context on how an organization views cybersecurity risk and the processes in place to manage that risk.” As part of the implementation process, an organization selects the Tier level that is applicable, ranging from Partial (Tier 1) to Adaptive (Tier 4). Understanding the selected Tier, in turn, will help the implementer determine: · the current level of achievement to be recorded in Current Profile(s); · how target outcomes will be achieved, thereby informing the planned activities; and, · factors in the gap analysis between what’s currently happening and what should be happening to achieve Core outcomes. The following provides a general summary of the tiers. Next week we’ll discuss an approach for selecting the appropriate tier for your organization and each tier in more detail. Tier 1 - Partial: Organizations operating at Tier 1 typically swarm to cybersecurity incidents in an ad hoc manner. They address each incident as it occurs leveraging the experiences and lessons learned of the staff swarming to the challenge. Tier 2 - Risk Informed: Management within the organization approves risk management decisions. The organization understands the priorities for cybersecurity protections and reactions within the organization, but they may not be codified in organizational policies or procedures. Tier 3 - Repeatable: Management within the organizations has formally approved cybersecurity policy and procedures. The organization receives threat information for their sector from partners and others in their sector to make informed decisions. They typically work as an organization to address cybersecurity incidents ensuring the right staff and management are identified to correctly address an incident or attack. Tier 4 - Adaptive: Organizations update their formalized cybersecurity policy and procedures on an ongoing basis based on lessons learned and predictive threat indicators. Adaptive organizations are an active member in their sector collaborating with partners on best practices and potential threats to their industry. *This generalizes the tiers as defined in Section 2.2 of the Framework. More, specific, information is available in section 2.2.
  2. Kristen LeClere

    Understanding the Framework Core

    The Framework Core is the first of three parts identified within the Framework. The Framework Core provides a set of cybersecurity activities, desired outcomes, and applicable references. The Framework Core provides this information through a hierarchy that establishes a standard format for describing and implementing a cybersecurity program. The hierarchy starts by defining five (5) basic Functions of a cybersecurity program, the Functions are then broken into Categories that describe the outcomes for each function; the Categories are further broken into subcategories that provide specific outcomes of technical and/or management activities; Informative References complete the hierarchy. Where subcategories provide specific information on what needs to be done, the Informative References provide information on how it can be done relying on proven practices. Using ID.AM.1 as an example the Framework Core provides a breakdown of the Identify Function to the Asset Management (ID.AM) category. The Asset Management category describes the activities required to perform Asset Management (e.g. Identify and manage business purposes). The Asset Management Category is subdivided into six (6) unique subcategories. Each subcategory describes a specific outcome that can be achieved to address the activities identified in the Category. For ID.AM-1, the outcome states “Physical devices and systems within the organization are inventoried.” The subcategory does not describe how an organization should conduct a physical inventory (e.g. manual or automated), nor does it describe who should perform the inventory and how often. Organization can determine how to implement this outcome based on their business requirements, and risk tolerance. It is this flexibility within the core that enables organization the ability to implement the core based on their unique requirements. The Framework Core also provides Informative References to assist organizations in meeting the outcomes described in the subcategory. The Informative references were selected based on feedback received throughout the workshops and based on their adoption throughout industry. For example, ID.AM-1 lists CM-8 as a NIST SP800-53Rev4 Informative Reference. CM-8 provides two control objectives, supplemental guidance, and nine control enhancements that can determine how organizations obtain the outcome described in the subcategory. It is important to keep in mind the Informative References are simply that…References. They are not meant to provide additional rigor. Organizations should determine which, if any, informative references they want to use to help them determine how they should obtain the outcome described in the subcategory. While the Framework Core provides functions for addressing the breadth of concerns within a cybersecurity program, it is not all inclusive. Organizations may need to add new categories, and subcategories to ensure unique requirements, standards, audit controls, and/or applicable laws are addressed. Additionally, organization may choose to remove categories or subcategories that are not relevant based on their business drivers, requirements, or to achieve their risk threshold. How has your organization used the core to help improve, develop, or maintain your cybersecurity program? Next week’s post will discuss the Implementation Tiers.
  3. Kristen LeClere

    Why The Cybersecurity Framework was Created

    It is widely known that the risks of cybersecurity threats are ever increasing. When it comes to critical infrastructure, the effects of cybersecurity threats can be far reaching, impacting the fundamental lifeline of our nation such as water, power, energy. On February 12, 2013, the President of the United States issued Executive Order 13636, “Improving Critical Infrastructure Cybersecurity,” calling for the development of a voluntary, risk-based Cybersecurity Framework to improve the cybersecurity of the national critical infrastructure. In response to the President’s Executive Order, on February 12, 2014, the National Institute of Standards and Technology (NIST) issued the Framework for Improving Critical Infrastructure Cybersecurity (“the Framework”) based on extensive public input through a series of NIST-hosted workshops. The Framework provides a comprehensive while flexible approach that can be easily integrated with other recognized risk management frameworks. It is not intended as a “one-size-fits-all” framework but rather provides flexible components that an organization can adapt to their own existing cyber risk management program. Organizations with robust cybersecurity programs can easily fold in the use of the Framework while those organizations with inconsistent risk management practices or limited resources can take a step in the right direction. The issuance of the Cybersecurity Framework is truly groundbreaking; it is the first time guidance exists for leveraging industry and government recognized cybersecurity standards and best practices for improved cybersecurity posture. For the first time, the Framework: - Provides a common vocabulary for communicating cybersecurity risk management at all levels in an organizations - Provides cybersecurity guidance that can apply to organizations of every size (small, medium, and large) as well as international organizations - Is adaptable to organizational resource constraints since not all cybersecurity initiatives can be done at once - Can fold into existing risk managements practices and regulations, not creating the additional burden of complying to a new process Next week’s post will discuss the Framework Core