Showing results for tags 'Implementation'.
Found 7 results

  1. We received the following question during the webinar yesterday - Do you have any thoughts around how culture within organizations affects not only CSF but information security overall? I personally think culture has a significant impact. During the workshops, we used the example of how a culture of safety affects that area of influence. If managers are lax about safety, people can get hurt badly and overall quality of company efforts will suffer. If, on the other hand, safety becomes institutionalized, it can become an enabler that brings the team together and creates an advantage. When a culture of common sense risk management becomes institutionalized, I think that security improves throughout. Social engineering attempts work fewer times, phishing emails work less frequently, and the ISSO is called in at the design phase rather than a week before a project goes live. Lastly, some of the information security awareness activities can be a lot of fun. That in itself can benefit the organization. Other thoughts? (Note: We have about a dozen questions that I'll post here for discussion.) Greg
  2. As G2's engineers help to implement the Cybersecurity Framework around the world, we often find that clients are using (or plan to use) the ISO/IEC 27000 family of standards to help establish, implement, maintain, and continually improve their Information Security Management Systems. These organizations currently receive recognition for their work in implementing ISO; however, their use of the Framework is not acknowledged or readily recognizable by other organizations. If a Framework "certification" was established, would companies use and/or trust the "certification"? The very use of and model for Framework is voluntary, and Framework isn't set up to be a conformance standard, yet it's well-structured and interchangeable. Many Framework users are already working toward formal assessment of their conformance to ISO/IEC 27001 procedures and controls. If an accredited assessor is already assessing the implementation of those ISO procedures and controls (which align with many of the Framework outcomes), would it be valuable to assess the reasonableness of how the organization has implemented the Framework itself? It might be - that's what we're looking to find out. BSI has released an RFI to determine if such a "certification" would provide value to the community and how organizations could leverage the "certification" to help them make business decisions. The RFI is available at BSI via this link - pro or con, we'd welcome your input at http://pages.bsigroup.com/l/73472/2016-08-11/61k6wf.
  3. https://msisac.cisecurity.org/webcast/2016-06/index.cfm This week's featured webcast from the MS-ISAC (Multi-State Information Sharing and Analysis Center) shows how the City of Portland prioritized their NIST CSF implementation using the CIS Critical Security Controls. The recording should be available shortly (the same link).
  4. Greg Witte

    How far is up?

    Yesterday, I watched with interest as several senators asked about the success criteria for the Framework. Some were a little more snarky than others, but it's a valid question. U.S. academic, industrial, and governmental orgs have invested millions of dollars - how do we calculate the return on that investment? It seems like it needs to go beyond the talking phase - one could simply declare that they've selected a Tier to shoot for and say they're using the Framework. To run through the full cycle, while it could be done in days, is more likely to take several years. Certainly we wouldn't measure only those who have completed all the steps in a comprehensive way. So, how will we know if/when the Framework has achieved its goals? Greg
  5. FCW posted a decent article recently that provides a high-level overview of the Framework and suggests that "Regardless of how you adopt the framework (or any other standard), the important thing is to begin now." What is your organization doing to get started with the Framework? Please share your experiences here at CForum to get the dialog flowing and help to improve cyber security across all of our organizations. The full article is found at http://fcw.com/Articles/2014/07/03/The-cybersecurity-framework-and-you.aspx?Page=1
  6. Tom.Conkle

    Profile Design

    There has been a lot of discussion regarding the Cybersecurity Framework Profiles: what they mean and how they should be represented. The Framework[1] document itself defines profiles as the mechanism for representing the outcomes of the selected Framework Core categories/subcategories. Therefore, organizations can use the Framework Core as a template for either recording their current cybersecurity state (e.g., Current-State Profile) or defining their intended cybersecurity posture (e.g., Target-State Profile). But how?

    While there are many thoughts for how a Framework Profile can be recorded, one of the prevailing thoughts is a simple matrix. The matrix should start from the Framework Core, capturing Functions as well as the categories and subcategories selected by the organization. To create a current-state profile, the matrix is extended to include additional columns of information such as:

      • The organization's current policy as it relates to the applicable category/subcategory
      • Technologies used to implement the policy
      • Assignees for implementing and managing the capability

    The level of detail captured for each of these data points is relevant to the 'type' of profile being developed. For larger organizations using the Framework to provide enterprise-level guidance, the 'outcomes' captured in the profile would be high-level, making them applicable to the entire organization. Each sub-organization within the enterprise can then, in turn, use the enterprise profile to develop a profile for their organization that demonstrates how they are meeting the enterprise goals. For example, PR.DS-1 (Protect.Data Security-1) at an enterprise level could state: all customer data will be encrypted at rest. The sales organization would use the guidance provided in the enterprise profile to identify the location within their organization where customer data is stored. The sales team would then update their profile for PR.DS-1 to state that the customer data stored in the Contacts Database is encrypted at rest using AES encryption. This provides enterprises the ability to create a profile with the data required to define their cybersecurity program that can flow through all the sub-organizations. How is your organization developing profiles?

    [1] Framework for Improving Critical Infrastructure Cybersecurity, version 1.0, Feb 12, 2014, http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf
  7. On June 20, 2014, The Energy Department released a public notice for stakeholder participation in the development of the "Energy Sector Framework Implementation Guidance." The DOE is inviting participation in bi-weekly conference calls being held jointly by the Electricity Subsector Coordinating Council (ESCC) and the Oil & Natural Gas (ONG) Subsector Coordinating Council (SCC). The bi-weekly calls provide opportunities for participants to comment on the Draft Framework Implementation Guidance document. Requests for participation and additional information can be directed to Cyber.Framework@hq.doe.gov. The full notice is located at https://www.federalregister.gov/articles/2014/06/20/2014-14453/energy-sector-framework-implementation-guidance. Tom Conkle