Showing results for tags 'Webseries'.
Found 10 results

  1. The Framework Profiles, described in an earlier post, can be used to help communicate cyber requirements both internally and externally. The profiles can be used within an organization to communicate requirements to an implementation team. Because the Framework provides a common language for addressing cybersecurity concerns, any profile should be understood by any implementation team. Additionally, these profiles should be able to communicate to directors how business goals are being incorporated into the cybersecurity program. Outside of the organization, the Framework Profiles can be used to better understand the security of an organization’s supply chain. An organization may request a Framework Profile from an organization providing them with IT products or services. This allows an organization to determine if a supplier has proper security protections in place. Alternatively, the organization can create a Framework Profile with minimum security requirements that suppliers must meet in order to work with the organization. The Framework Profiles provide a number of opportunities for increased cybersecurity communication within the organization and among partner organizations.
  2. In creating a Target Profile and an Action Plan, prioritizing the Functions is important to an effective Framework implementation. Depending on the organization, it may make sense to define a Target State that is very thorough in one Function, but modest in another. Similarly, an organization may prioritize one Function over another when it comes to implementing an Action Plan. To help determine this priority, an organization should review the previously determined scope of the project, focusing on mission drivers and critical business functions. For organizations with a more developed cybersecurity program, prioritizing Functions should be based on risk. The organization should focus on developing the processes of governance and compliance, measuring implementation progress, and tracking. This helps ensure the appropriate infrastructure is in place to achieve continued security. For organizations with a less developed cybersecurity program, prioritizing Functions should be focused on quick ways to improve security, like implementing patching and password policies. This will allow the security program to grow and establish baselines to aid in a later implementation of more advanced concepts.
  3. Guest

    Implementation Steps (6&7)

    This article will complete the discussion of the seven Framework Implementation Steps, focusing on Steps 6 and 7: Determine, Analyze, and Prioritize Gaps & Implement Action Plan.

    Step 6: Determine, Analyze, and Prioritize Gaps – This step is performed by overlaying the Current Profile developed in Step 3 with the Target Profile created in Step 5 to identify gaps. Once an organization determines the gaps in its cybersecurity program based on review of a Current and Target Profile, the next step is to develop and issue an Action Plan. The Framework is not prescriptive on how organizations should close gaps, the priority that should be assigned to any gap, or how resources should be identified to close the gap. The organization is required to determine these factors, including milestones, and determine how they want to close the gaps. The Action Plan considers those subcategories in the Target Profile that have been determined by the Risk Assessment to represent the highest risk, and also actions that can achieve results within available cost and resources. Prioritizing which gaps to address first will likely be driven by factors such as ease of mitigation and available resources. Organizations may choose to implement an action plan in a phased approach. This enables resources to be aligned to gap-closing activities as they become available. It is important to remember the target state is the goal of the organization. Many organizations may not attain their target state in a given fiscal cycle due to resource constraints. The action plan helps an organization track milestones that can be accomplished with existing resources while maintaining an awareness of the intended target state.

    Step 7: Implement Action Plan – This one really is that straightforward. Organizations can use their existing processes for developing a road map, if necessary, and required status reporting metrics that help them track gap-closing activities. An action plan can be addressed in phases, such as near-term “quick fix” remediation and longer-term remediation projects that may have to be phased in based on risk criticality, funding, and resources. The plan should be updated regularly to track and close gaps, address new gaps and risks, and support implementing a maintenance process to update profiles, risk assessments, asset lists, and other key cybersecurity artifacts.

    The seven steps identified in the Framework are not a ‘once and done’ process. Rather, organizations should repeat the steps as required. When the steps need to be repeated, whether time driven or event driven, is a factor for the organization to decide; however, with today’s changing threats and new attacks being developed daily, organizations may choose to repeat a select few steps, such as Step 4 (Conduct a Risk Assessment), more regularly than the other steps. As a reminder, this webseries identifies one interpretation for using the Cybersecurity Framework. Organizations may choose to tailor their implementation to meet their organizational needs. The overall goal for using the Cybersecurity Framework remains unchanged: improve and implement a risk-based cybersecurity program.
  4. Guest

    Implementation Steps (3-5)

    Continuing the discussion on the Cybersecurity Framework Steps, this article discusses Steps 3, 4 and 5: Create a Current Profile, Conduct a Risk Assessment, and Create a Target Profile, respectively. As mentioned in previous articles, an organization can reorder these steps to best fit their organization. The most common of these changes is to transpose Step 3, Create a Current Profile, and Step 5, Create a Target Profile. The remainder of this post provides a summary of implementation steps 3 through 5 “in plain language” in the order identified in the Framework v1.0 as released by NIST.

    Step 3: Create a Current Profile – This step is completed by walking through each of the subcategories and recording how the organization is currently achieving the outcome defined by the Framework Core. In some cases, organizations are differentiating their current state profile to record the organization’s current policy for meeting the Core’s objective and the actual current implementation. Using PR.AT-1 as an example, an organization may state their policy is that “100% of all employees within the business unit receive quarterly security awareness training”. However, the actual state is that only 90% of the employees have received the training. Identifying both the current policy and actual implementation can assist organizations in better identifying gap-closing activities in the later implementation steps.

    Step 4: Conduct a Risk Assessment – This step is as straightforward as the title. The Framework does not identify a preferred or required risk assessment process. Organizations can conduct a Risk Assessment using their current process, or if a recent risk assessment is available it may be used for this step.

    Step 5: Create a Target Profile – During this step, organizations are encouraged to define the target, or desired, state for their cybersecurity program based on the risk assessment previously conducted. It is not feasible to expect all organizations to implement the highest level of security against all subcategories in the Framework Core on all systems and business units within an organization. For example, an organization that has a database that is used to schedule the organization’s holiday party does not have the same risks and security concerns as a database used to store customers’ private data. Additionally, the Framework states that categories and subcategories may be added or removed from the profile to align with organizational goals and risk thresholds. (Categories and Subcategories can also be added and removed in Step 3 if appropriate.) It is also important to note that this step identifies the organization’s target state goal based on the risk assessment and implementation tier previously selected. Understanding the desired implementation tier can assist organizations completing a target state profile in identifying how (e.g. automated or manual) the organization intends to implement the outcome of the subcategories. In many cases, organizations may not have the staff, time, or funding to obtain this target, but the end goal should still be defined to ensure all activities working towards improving the organization’s cybersecurity program are working towards that goal. How the organization develops the action plan (Step 6) for getting to the target state will identify what can be done with available resources.
  5. Guest

    Implementation Steps (1&2)

    The Cybersecurity Framework identifies seven (7) steps for establishing or improving a cybersecurity program. These seven steps help organizations receive full value from using the Framework. It is important to note that the seven steps are provided as guidance for organizations. Organizations can determine the best way to implement each step based on their current organizational practices. Additionally, the Framework acknowledges that some organizations may choose to implement the steps in a different order than listed in the Framework. This post focuses on Steps 1 & 2 of the Framework: Prioritize and Scope & Orient. Subsequent postings to the web series will provide additional information regarding the remaining steps over the next two weeks.

    Step 1: Prioritize and Scope – This step is used to help organizations identify how they want to scope their cybersecurity programs. To determine the scope, an organization must consider business objectives and priorities, risk architecture, and compliance requirements. By gathering and discussing this information, an organization can begin to determine how to implement effective cybersecurity governance that focuses on achieving business goals and managing risk. Several common methods exist. The first is at the Enterprise level, where guidance is provided to the organization’s entire enterprise and is applicable to all types of information systems and mission objectives, and a standard risk threshold exists. The second most common type is for a Business Unit. Business Units are lower levels within an organization. Each business unit may have different business drivers and mission requirements, and therefore different risk tolerance thresholds. For example, an organization that conducts online banking may determine that the business unit that provides the web platform has different business objectives, mission goals, and risk tolerances from its human resources department. The third most common way to scope an organization’s cybersecurity program is at the system level. System level cybersecurity programs typically only encompass the assets, mission, and risk threshold for a single system within a Business Unit. Once the organization scopes their cybersecurity program and understands how many separate programs are needed, the organization prioritizes the order in which they want to develop the programs. The priority can be selected by any method the organization feels is appropriate to meet their mission goals and business objectives.

    Step 2: Orient – Framework implementation teams use Step 2 to define the cybersecurity program as scoped in Step 1. The Framework profile is used to capture the metadata about the cybersecurity program by identifying the People, Processes, and Technologies (PPTs), as well as any regulatory restrictions and compliance requirements allocated to the cybersecurity program scoped in Step 1. During Step 2, threats to the cybersecurity program being oriented are defined, as well as any applicable vulnerability information. This information is used to inform the overall risk approach defined for the cybersecurity program being oriented. Once the orient step is complete, anyone reviewing the metadata about the profile would understand the ‘box’ drawn around, or the organizational context of, the cybersecurity program. Additionally, after completing Step 2, the Framework profile for the cybersecurity program would define acceptable risk tolerance levels and the approach for addressing risk within the cybersecurity program being defined.
  6. Guest

    What is a Framework Profile

    A framework profile helps illustrate the cybersecurity program of an organization. A profile can be created by selecting the outcomes from the Framework Categories and Subcategories that are most important to the organization based on business drivers and risk. For those selected, information about organizational policy and practices can be captured, providing more details on how the organization manages their cybersecurity program. This method allows an organization to clearly present their cybersecurity program through a Profile. Organizations can create both Target and Current Profiles. The Current Profile captures the cybersecurity program as it exists today, while the Target Profile captures the organizational goals for the cybersecurity program. These two can be compared to determine steps for meeting the Target Profile goals. Additionally, the Profiles serve as a way to communicate cybersecurity both internally and externally. Internally they can be used to articulate the cybersecurity practices to executives and directors, while externally they can be used to communicate cybersecurity to partner organizations. In this way, creating profiles aids in meeting and communicating cybersecurity goals.
  7. Guest

    Selecting a Tier

    While Tier selection is based upon organizational goals as part of CSF Step 1 (The implementation steps will be discussed in the upcoming weeks), it should be informed by threat environment, legal and regulatory requirements, business/mission objectives, and organizational constraints. This is an area where the DHS Critical Infrastructure Cyber Community Voluntary Program can assist, as can other Federal government departments and agencies, Information Sharing and Analysis Centers (ISACs), and relevant business associations. Organizations should neither choose a higher tier nor a lower tier than will achieve the stakeholder goals defined in the first step for implementing the Framework. The table below describes the four Tiers as introduced in the Cybersecurity Framework 1.0. This table is a summary of Section 2.2 of the Framework v1.0. The table focuses on helping an organization consider three factors, and the level of proactivity/predictability desired. Those factors include: the organization’s risk management process, its integrated risk management program, and the extent to which the organization participates with external parties to manage risk. In general, the more formal the risk management processes are/should be, the higher the Tier level selected will be. Similarly, the more an organization receives and/or shares security information (e.g. threat warnings, vulnerability understanding, intelligence about how vendors/suppliers are managing risk) from outside sources, the higher the Tier level selected will be. This enables those applying the Framework to identify realistic and cost-effective approaches to achieving the Core outcomes in the way that best fulfills organizational goals.
  8. Kristen LeClere

    Understanding the Implementation Tiers

    One of the most challenging components of the Cybersecurity Framework to grasp is that of the Framework Implementation Tiers (“Tiers”). Last week, you heard about the Framework Core – “a set of activities to achieve specific cybersecurity outcomes, and references examples of guidance to achieve those outcomes” [from the Cybersecurity Framework, Section 2.1]. If the Core indicates what to do, the Tiers influence how to do activities. In recording the current activities to achieve the outcomes described in the Core, and in planning how one will achieve those outcomes in the future, the tiers help organizations define how well they are/want to achieve those outcomes. It goes without saying that each organization has differing priorities and resources. Those resources need to support achievement of the risk management goals of the organization, and they need to do so in a cost-effective manner.

    Consider an illustrative example outcome of “local fires in data centers are extinguished quickly.” To protect a critical information system for a large corporation, a reasonable proactive approach might be to install Halon fire suppression equipment at a cost of tens of thousands of dollars. A smaller organization, however, might choose to take a reactive stance and provide a $20 fire extinguisher. Each solution is suitable depending upon the value of the resources being protected and depending upon the organization’s risk management criteria. While the example above may be somewhat extreme, it illustrates how the Framework Implementation Tiers (“Tiers”) “provide context on how an organization views cybersecurity risk and the processes in place to manage that risk.” As part of the implementation process, an organization selects the Tier level that is applicable, ranging from Partial (Tier 1) to Adaptive (Tier 4). Understanding the selected Tier, in turn, will help the implementer determine:

    • the current level of achievement to be recorded in Current Profile(s);
    • how target outcomes will be achieved, thereby informing the planned activities; and,
    • factors in the gap analysis between what’s currently happening and what should be happening to achieve Core outcomes.

    The following provides a general summary of the tiers. Next week we’ll discuss an approach for selecting the appropriate tier for your organization and each tier in more detail.

    Tier 1 - Partial: Organizations operating at Tier 1 typically swarm to cybersecurity incidents in an ad hoc manner. They address each incident as it occurs, leveraging the experiences and lessons learned of the staff swarming to the challenge.

    Tier 2 - Risk Informed: Management within the organization approves risk management decisions. The organization understands the priorities for cybersecurity protections and reactions within the organization, but they may not be codified in organizational policies or procedures.

    Tier 3 - Repeatable: Management within the organization has formally approved cybersecurity policy and procedures. The organization receives threat information for their sector from partners and others in their sector to make informed decisions. They typically work as an organization to address cybersecurity incidents, ensuring the right staff and management are identified to correctly address an incident or attack.

    Tier 4 - Adaptive: Organizations update their formalized cybersecurity policy and procedures on an ongoing basis based on lessons learned and predictive threat indicators. Adaptive organizations are active members in their sector, collaborating with partners on best practices and potential threats to their industry.

    * This generalizes the tiers as defined in Section 2.2 of the Framework. More specific information is available in Section 2.2.
  9. Kristen LeClere

    Understanding the Framework Core

    The Framework Core is the first of three parts identified within the Framework. The Framework Core provides a set of cybersecurity activities, desired outcomes, and applicable references. The Framework Core provides this information through a hierarchy that establishes a standard format for describing and implementing a cybersecurity program. The hierarchy starts by defining five (5) basic Functions of a cybersecurity program; the Functions are then broken into Categories that describe the outcomes for each Function; the Categories are further broken into subcategories that provide specific outcomes of technical and/or management activities; Informative References complete the hierarchy. Where subcategories provide specific information on what needs to be done, the Informative References provide information on how it can be done, relying on proven practices.

    Using ID.AM-1 as an example, the Framework Core provides a breakdown of the Identify Function to the Asset Management (ID.AM) Category. The Asset Management Category describes the activities required to perform Asset Management (e.g. identify and manage business purposes). The Asset Management Category is subdivided into six (6) unique subcategories. Each subcategory describes a specific outcome that can be achieved to address the activities identified in the Category. For ID.AM-1, the outcome states “Physical devices and systems within the organization are inventoried.” The subcategory does not describe how an organization should conduct a physical inventory (e.g. manual or automated), nor does it describe who should perform the inventory and how often. Organizations can determine how to implement this outcome based on their business requirements and risk tolerance. It is this flexibility within the Core that enables organizations to implement the Core based on their unique requirements.

    The Framework Core also provides Informative References to assist organizations in meeting the outcomes described in the subcategory. The Informative References were selected based on feedback received throughout the workshops and based on their adoption throughout industry. For example, ID.AM-1 lists CM-8 as a NIST SP 800-53 Rev. 4 Informative Reference. CM-8 provides two control objectives, supplemental guidance, and nine control enhancements that can determine how organizations obtain the outcome described in the subcategory. It is important to keep in mind the Informative References are simply that… references. They are not meant to provide additional rigor. Organizations should determine which, if any, Informative References they want to use to help them determine how they should obtain the outcome described in the subcategory.

    While the Framework Core provides Functions for addressing the breadth of concerns within a cybersecurity program, it is not all-inclusive. Organizations may need to add new Categories and Subcategories to ensure unique requirements, standards, audit controls, and/or applicable laws are addressed. Additionally, organizations may choose to remove Categories or Subcategories that are not relevant based on their business drivers or requirements, or to achieve their risk threshold. How has your organization used the Core to help improve, develop, or maintain your cybersecurity program? Next week’s post will discuss the Implementation Tiers.
  10. Kristen LeClere

    Why The Cybersecurity Framework was Created

    It is widely known that the risks of cybersecurity threats are ever increasing. When it comes to critical infrastructure, the effects of cybersecurity threats can be far reaching, impacting the fundamental lifelines of our nation such as water, power, and energy. On February 12, 2013, the President of the United States issued Executive Order 13636, “Improving Critical Infrastructure Cybersecurity,” calling for the development of a voluntary, risk-based Cybersecurity Framework to improve the cybersecurity of the national critical infrastructure. In response to the President’s Executive Order, on February 12, 2014, the National Institute of Standards and Technology (NIST) issued the Framework for Improving Critical Infrastructure Cybersecurity (“the Framework”) based on extensive public input through a series of NIST-hosted workshops.

    The Framework provides a comprehensive while flexible approach that can be easily integrated with other recognized risk management frameworks. It is not intended as a “one-size-fits-all” framework but rather provides flexible components that an organization can adapt to their own existing cyber risk management program. Organizations with robust cybersecurity programs can easily fold in the use of the Framework while those organizations with inconsistent risk management practices or limited resources can take a step in the right direction. The issuance of the Cybersecurity Framework is truly groundbreaking; it is the first time guidance exists for leveraging industry and government recognized cybersecurity standards and best practices for improved cybersecurity posture. For the first time, the Framework:

    • Provides a common vocabulary for communicating cybersecurity risk management at all levels in an organization
    • Provides cybersecurity guidance that can apply to organizations of every size (small, medium, and large) as well as international organizations
    • Is adaptable to organizational resource constraints, since not all cybersecurity initiatives can be done at once
    • Can fold into existing risk management practices and regulations, not creating the additional burden of complying with a new process

    Next week’s post will discuss the Framework Core.
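The gap analysis that the Step 3, Step 5 and Step 6 posts above describe, as an added example that is not part of the webseries or of the NIST Framework text: the Current Profile records policy and actual achievement separately (the PR.AT-1 point), the Target Profile carries the Step 4 risk ranking, and the gaps are ordered by risk and then by mitigation cost to pick a near-term phase of the Action Plan. The four-level achievement scale, the cost figures and the sample profile entries are constructed for illustration; the subcategory ids are Framework Core identifiers.

```python
"""Overlay a Current Profile on a Target Profile and prioritize the gaps.

Added example, not part of the CForum webseries or the NIST Framework text.
The achievement scale, risk ranks, costs and sample entries are constructed.
"""
from dataclasses import dataclass

# Ordinal scale for how fully an outcome is achieved (constructed; the Framework does not prescribe one).
LEVELS = {"none": 0, "partial": 1, "substantial": 2, "full": 3}


@dataclass
class CurrentEntry:  # Step 3: what policy states vs. what is actually in place
    policy: str
    actual: str


@dataclass
class TargetEntry:  # Step 5: desired level plus the Step 4 risk rank (1 = highest)
    level: str
    risk_rank: int
    cost: int = 1  # relative mitigation cost, 1 = cheapest


@dataclass
class Gap:
    subcategory: str
    actual: str
    target: str
    practice_only: bool  # policy already states the target; only practice lags
    risk_rank: int
    cost: int


def find_gaps(current, target):
    """Step 6: a gap exists where actual achievement is below the target level.

    Only subcategories in the Target Profile are assessed: one removed from the
    target is ignored even if it has a current entry, and one added to the
    target without a current entry counts as not achieved at all.
    """
    gaps = []
    for sub, tgt in target.items():
        cur = current.get(sub, CurrentEntry(policy="none", actual="none"))
        if LEVELS[cur.actual] >= LEVELS[tgt.level]:
            continue  # outcome already achieved in practice
        practice_only = LEVELS[cur.policy] >= LEVELS[tgt.level]
        gaps.append(Gap(sub, cur.actual, tgt.level, practice_only,
                        tgt.risk_rank, tgt.cost))
    return gaps


def prioritize(gaps):
    """Action Plan order: highest risk first, cheapest first on ties."""
    return sorted(gaps, key=lambda g: (g.risk_rank, g.cost))


def near_term_phase(gaps, budget):
    """First phase of the Action Plan: top-priority gaps that fit the budget."""
    chosen, spent = [], 0
    for g in prioritize(gaps):
        if spent + g.cost <= budget:
            chosen.append(g.subcategory)
            spent += g.cost
    return chosen


# Constructed sample profiles; the subcategory ids are Framework Core identifiers.
CURRENT = {
    "ID.AM-1": CurrentEntry(policy="full", actual="partial"),
    "PR.AT-1": CurrentEntry(policy="full", actual="substantial"),  # 100% vs 90%
    "DE.CM-1": CurrentEntry(policy="partial", actual="partial"),
    "RS.CO-2": CurrentEntry(policy="full", actual="full"),
}
TARGET = {  # RS.CO-2 was removed from the target scope, so it is not assessed
    "ID.AM-1": TargetEntry(level="full", risk_rank=1, cost=3),
    "PR.AT-1": TargetEntry(level="full", risk_rank=3, cost=1),
    "DE.CM-1": TargetEntry(level="substantial", risk_rank=2, cost=2),
}

if __name__ == "__main__":
    for g in prioritize(find_gaps(CURRENT, TARGET)):
        kind = "practice lags policy" if g.practice_only else "policy and practice short"
        print(f"{g.subcategory}: {g.actual} -> {g.target} (risk {g.risk_rank}, {kind})")
    print("near-term phase:", near_term_phase(find_gaps(CURRENT, TARGET), budget=4))
```

With the sample data the highest-risk gap (ID.AM-1) consumes most of a budget of 4 and the cheap PR.AT-1 "quick fix" fills the remainder, while DE.CM-1 waits for a later phase.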