29 October 2013

Cybersecurity and NIST Framework

The US National Institute of Standards and Technology (NIST) has released a Preliminary Cybersecurity Framework: a set of best practices to help owners and operators of critical infrastructure reduce cybersecurity risks [PDF].

The NIST framework is voluntary. After finalisation it is expected to provide US private and public-sector organizations with "a common language for understanding and managing cybersecurity risks internally and externally".

The framework reflects President Obama's February 2013 Executive Order (No 13636) on cybersecurity. The Final Framework is due to be released in February 2014, following comment on the Preliminary Framework. Appendix B provides "a methodology to protect privacy and civil liberties for a cybersecurity program".

NIST seeks feedback around the following questions:
Does the Preliminary Framework:
  • adequately define outcomes that strengthen cybersecurity and support business objectives?
  • enable cost-effective implementation?
  • appropriately integrate cybersecurity risk into business risk?
  • provide the tools for senior executives and boards of directors to understand risks and mitigations at the appropriate level of detail?
  • provide sufficient guidance and resources to aid businesses of all sizes while maintaining flexibility?
  • provide the right level of specificity and guidance for mitigating the impact of cybersecurity measures on privacy and civil liberties?
  • express existing practices in a manner that allows for effective use?
Will the Preliminary Framework, as presented:
  • be inclusive of, and not disruptive to, effective cybersecurity practices in use today, including widely-used voluntary consensus standards that are not yet final?
  • enable organizations to incorporate threat information?
Is the Preliminary Framework:
  • presented at the right level of specificity?
  • sufficiently clear on how the privacy and civil liberties methodology is integrated with the Framework Core?
NIST indicates that:
To manage cybersecurity risks, a clear understanding of the security challenges and considerations specific to IT and ICS is required. Because each organization’s risk is unique, along with its use of IT and ICS, the implementation of the Framework will vary.
The Framework, developed in collaboration with industry, provides guidance to an organization on managing cybersecurity risk. A key objective of the Framework is to encourage organizations to consider cybersecurity risk as a priority similar to financial, safety, and operational risk while factoring in larger systemic risks inherent to critical infrastructure.
The Framework relies on existing standards, guidance, and best practices to achieve outcomes that can assist organizations in managing their cybersecurity risk. By relying on those practices developed, managed, and updated by industry, the Framework will evolve with technological advances and business requirements. The use of standards will enable economies of scale to drive innovation and development of effective products and services that meet identified market needs. Market competition also promotes faster diffusion of these technologies and realization of many benefits by the stakeholders in these sectors.
Building off those standards, guidelines, and practices, the Framework provides a common language and mechanism for organizations to: 1) describe their current cybersecurity posture; 2) describe their target state for cybersecurity; 3) identify and prioritize opportunities for improvement within the context of risk management; 4) assess progress toward the target state; 5) foster communications among internal and external stakeholders.
The Framework complements, and does not replace, an organization’s existing business or cybersecurity risk management process and cybersecurity program. Rather, the organization can use its current processes and leverage the Framework to identify opportunities to improve an organization’s management of cybersecurity risk. Alternatively, an organization without an existing cybersecurity program can use the Framework as a reference to establish one.
The goal of the open process in developing the Preliminary Framework was to develop a robust technical basis to allow organizations to align this guidance with their organizational practices. This Preliminary Framework is being issued for public comment for stakeholders to inform the next version of the Framework that will be completed in February 2014, as required in EO 13636. ....
The Framework is a risk-based approach composed of three parts: the Framework Core, the Framework Profile, and the Framework Implementation Tiers. These components are detailed below.
The Framework Core is a set of cybersecurity activities and references that are common across critical infrastructure sectors organized around particular outcomes. The Core presents standards and best practices in a manner that allows for communication of cybersecurity risk across the organization from the senior executive level to the implementation/operations level. The Framework Core consists of five Functions—Identify, Protect, Detect, Respond, Recover—which can provide a high-level, strategic view of an organization’s management of cybersecurity risk. The Framework Core then identifies underlying key Categories and Subcategories for each of these Functions, and matches them with example Informative References such as existing standards, guidelines, and practices for each Subcategory. This structure ties the high level strategic view, outcomes and standards based actions together for a cross-organization view of cybersecurity activities. For instance, for the “Protect” Function, categories include: Data Security; Access Control; Awareness and Training; and Protective Technology. ISO/IEC 27001 Control A.10.8.3 is an informative reference which supports the “Data during transportation/transmission is protected to achieve confidentiality, integrity, and availability goals” Subcategory of the “Data Security” Category in the “Protect” Function.
Appendix B contains a methodology to protect privacy and civil liberties for a cybersecurity program as required under the Executive Order. Organizations may already have processes for addressing privacy risks such as a process for conducting privacy impact assessments. The privacy methodology is designed to complement such processes by highlighting privacy considerations and risks that organizations should be aware of when using cybersecurity measures or controls. As organizations review and select relevant categories from the Framework Core, they should review the corresponding category section in the privacy methodology. These considerations provide organizations with flexibility in determining how to manage privacy risk.
A Framework Profile (“Profile”) represents the outcomes that a particular system or organization has achieved or is expected to achieve as specified in the Framework Categories and Subcategories. The Profile can be characterized as the alignment of industry standards and best practices to the Framework Core in a particular implementation scenario. Profiles are also used to identify opportunities for improving cybersecurity by comparing a “Current” Profile with a “Target” Profile. The Profile can then be used to support prioritization and measurement of progress toward the Target Profile, while factoring in other business needs including cost-effectiveness and innovation. In this sense, Profiles can be used to conduct self-assessments and communicate within an organization or between organizations.
Framework Implementation Tiers (“Tiers”) describe how cybersecurity risk is managed by an organization. The Tier selection process considers an organization’s current risk management practices, threat environment, legal and regulatory requirements, business/mission objectives, and organizational constraints. Tiers describe the degree to which an organization’s cybersecurity risk management practices exhibit the characteristics (e.g., risk and threat aware, repeatable, and adaptive) defined in Section 2.3. The Tiers characterize an organization’s practices over a range, from Partial (Tier 1) to Adaptive (Tier 4), progressing from informal, reactive implementations to approaches that are agile and risk-informed.
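As an added illustration (not text or code from NIST or from this post), the Core-and-Profile mechanism quoted above modelled in Python: a slice of the Framework Core, a constructed Current and Target Profile, the gap analysis that identifies opportunities for improvement, and a measure of progress toward the Target. Only the Function and Category names, the one quoted Subcategory and the ISO/IEC 27001 A.10.8.3 reference come from the Preliminary Framework; the other subcategories and both Profiles are constructed placeholders.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Subcategory:
    """One Framework Core Subcategory: an outcome under a Category and Function,
    with example Informative References (existing standards and practices)."""
    function: str
    category: str
    outcome: str
    references: tuple = ()


# The five Functions in the order the Framework Core lists them.
FUNCTIONS = ("Identify", "Protect", "Detect", "Respond", "Recover")

# A small slice of a Core. Only the first entry and its ISO/IEC 27001 reference
# come from the Preliminary Framework; the other entries are constructed placeholders.
CORE = (
    Subcategory("Protect", "Data Security",
                "Data during transportation/transmission is protected to achieve "
                "confidentiality, integrity, and availability goals",
                ("ISO/IEC 27001 A.10.8.3",)),
    Subcategory("Protect", "Access Control", "constructed: remote access is managed"),
    Subcategory("Protect", "Awareness and Training", "constructed: users are trained"),
    Subcategory("Detect", "constructed: Anomalies and Events", "constructed: events are analysed"),
)


def gap_analysis(core, current, target):
    """Outcomes the Target Profile requires that the Current Profile has not achieved.
    A Profile is a dict mapping an outcome statement to True (achieved, or required).
    Results keep Core order (Function, then Category) as a starting point for the
    risk- and cost-based prioritisation the Framework leaves to the organization."""
    gaps = [s for s in core
            if target.get(s.outcome, False) and not current.get(s.outcome, False)]
    return sorted(gaps, key=lambda s: (FUNCTIONS.index(s.function), s.category))


def progress(core, current, target):
    """Fraction of Target Profile outcomes the Current Profile already achieves."""
    wanted = [s for s in core if target.get(s.outcome, False)]
    if not wanted:
        return 1.0
    return sum(1 for s in wanted if current.get(s.outcome, False)) / len(wanted)


# Constructed Current and Target Profiles for the slice above.
CURRENT = {CORE[1].outcome: True, CORE[2].outcome: True}
TARGET = {s.outcome: True for s in CORE}
```

Each gap carries its Informative References, so the output of gap_analysis points straight at the existing standard (here ISO/IEC 27001 A.10.8.3) an organization would consult to close it.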