Cybersecurity Framework – Cutting Through the Complexity
by Brian Berger, EVP of Commercial Cybersecurity
Hopefully you spent the holidays with family and friends instead of reading the latest publication, “Framework for Improving Critical Infrastructure Cybersecurity” Version 1.1 Draft 2, published by the National Institute of Standards and Technology (NIST) on December 5, 2017. If you read it, like I did, kudos! I am not saying it was riveting or deserves to become a series on Amazon or Netflix, but there are a few areas that should have every business paying attention.
I am a standards fanboy, as they are public and fair for all. Typically they are measurable and help keep the playing field for enforcement fair. This framework lets the business take some liberties in aligning processes and technologies to meet conformance and compliance. As industries continue to adopt the cybersecurity framework for compliance, reporting and awareness, businesses benefit by implementing it to mitigate risk. Why? As an example, if your business knows its cyber posture today, it can plan to improve using defined objectives, and implement security policies and controls based upon business objectives, risks, budgets and needs. The benefit to the business is both reduced cyber risk and improved employee productivity. A single breach, malware infection, ransomware event, or patching lapse can cause significant business impacts, including loss of revenue, increased expenses and countless hours of productivity that can never be recovered. Using the framework model of “Identify, Protect, Detect, Respond and Recover” helps your organization build a comprehensive, unbiased cyber program. Again, as a fan, this is a vendor-neutral framework that does not prescribe which technology may or will be required.
Let’s take a short journey through the framework and its applicability.
Identify
Perform a Cybersecurity Assessment to understand assets, roles and responsibilities, policies, procedures, risk management, monitoring, gaps and people.
Protect
Implement and manage access to assets and infrastructure. Verify that security and integrity can be measured across networks, identities, devices, data and systems, based upon user profiles and permissions. Deploy training and awareness internally and externally. Align and test all security policies and procedures against actual practice.
Detect
Enable continuous monitoring and management of cyber events: detection of events, third-party connections, unauthorized connections, vulnerability scanning, awareness of cyber events and their ownership, and incident response plans and procedures.
Respond
Develop a communication and response plan for a cyber event. Understand the cyber event’s impact and develop recovery plans based on severity.
Recover
Recovery implementations and improvement plans are maintained and updated using lessons learned. Make sure all needed stakeholders are available to engage in recovery efforts and that they are in constant communication.
Within the framework, an organization will develop both the knowledge and the skills to become cyber aware, prepared and proactive toward cyber events. Preparing for the framework involves the specific tactical steps outlined below.
Cybersecurity Assessment
Assessments vary by type and provider, and can be either outsourced or completed internally. The main objective of the assessment is a true, unbiased view of the actual state of cyber controls within an organization. Many of the controls cannot be assessed by subject matter expertise alone, but require tools and technology to identify vulnerabilities, cyber gaps and process concerns. The assessment should cover all aspects of physical, logical and digital security.
Gap Analysis and System Security Plans
Every assessment should include both a written summary and a detailed analysis, including identification of high, medium and low priority vulnerabilities. Also included in the assessment is a network diagram of the current configuration of the organization’s infrastructure; it is important to understand and isolate vulnerabilities in the infrastructure. In addition, vulnerabilities collected by scanning tools need to be identified and classified by their importance for remediation.
Plan of Action and Milestones (POAM)
Once the assessment is completed, a task-oriented plan is needed. Each gap identified in the assessment needs a logical identifier, an owner, a solution and alignment with any compliance reference. In addition, adding completion dates, third-party technology and dependencies will help drive a budget and/or resource conversation. A high quality POAM identifies internal or external resources, timeframes and project owners, making progress through the cyber framework systematic.
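The two sections above describe the POAM as a record per gap (identifier, severity from the gap analysis, owner, solution, compliance reference, completion date, third-party technology and dependencies) that drives a prioritized work queue and a resourcing conversation. The following is an added example of a minimal tracker built on exactly those fields; it is not code from the original post or from NIST. The sample gaps, owners, dates and the `SEVERITY_RANK` ordering are constructed for illustration, and the compliance references are shown as plain strings that an organization would map to whatever framework subcategory or control applies.

```python
"""Minimal POAM tracker: one record per assessment gap, turned into a prioritized,
owner-by-owner work queue with overdue tracking. Constructed example, not NIST code."""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import date

# Rank used to order the queue; severities come from the gap analysis (high/medium/low).
SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}


@dataclass
class PoamItem:
    gap_id: str              # logical identifier for the gap
    description: str
    severity: str            # "high" | "medium" | "low" from the gap analysis
    owner: str               # named person or team accountable for closure
    solution: str            # planned remediation
    compliance_ref: str      # framework subcategory / control this gap maps to
    due: date                # agreed completion date
    third_party: str = ""    # vendor or technology needed, if any
    depends_on: list = field(default_factory=list)   # gap_ids that must close first
    completed: bool = False


def validate(items):
    """Return human-readable problems: empty required fields, bad severity, dangling deps."""
    known = {i.gap_id for i in items}
    problems = []
    for i in items:
        for name in ("gap_id", "owner", "solution", "compliance_ref"):
            if not getattr(i, name).strip():
                problems.append(f"{i.gap_id or '<no id>'}: missing {name}")
        if i.severity.lower() not in SEVERITY_RANK:
            problems.append(f"{i.gap_id}: unknown severity {i.severity!r}")
        for dep in i.depends_on:
            if dep not in known:
                problems.append(f"{i.gap_id}: depends on unknown gap {dep!r}")
    return problems


def prioritized(items):
    """Open gaps ordered by severity, then earliest due date; returns gap_ids."""
    open_items = [i for i in items if not i.completed]
    open_items.sort(key=lambda i: (SEVERITY_RANK.get(i.severity.lower(), 99), i.due))
    return [i.gap_id for i in open_items]


def overdue(items, today):
    """Open gaps whose due date has passed, as (gap_id, days_late) pairs."""
    return [(i.gap_id, (today - i.due).days)
            for i in items if not i.completed and i.due < today]


def workload_by_owner(items):
    """Count of open gaps per owner: the input to the resourcing conversation."""
    counts = defaultdict(int)
    for i in items:
        if not i.completed:
            counts[i.owner] += 1
    return dict(counts)


# Constructed sample plan; identifiers, owners, dates and references are illustrative only.
AS_OF = date(2018, 2, 1)
SAMPLE = [
    PoamItem("G-001", "No MFA on VPN", "high", "IT Ops", "Enable MFA on VPN gateway",
             "PR.AC-1", date(2018, 2, 15), third_party="Example MFA vendor"),
    PoamItem("G-002", "Vulnerability scans not scheduled", "medium", "Security",
             "Schedule monthly authenticated scans", "DE.CM-8", date(2018, 1, 31)),
    PoamItem("G-003", "No incident response plan", "high", "Security",
             "Write and exercise IR plan", "RS.RP-1", date(2018, 1, 20)),
    PoamItem("G-004", "Backups untested", "low", "IT Ops", "Run restore test",
             "RC.RP-1", date(2018, 3, 1), depends_on=["G-003"], completed=True),
]
# A deliberately incomplete record, to show what validate() catches.
INCOMPLETE = [PoamItem("", "Unowned finding", "critical", "", "", "", date(2018, 1, 1))]

if __name__ == "__main__":
    print("problems:", validate(SAMPLE))          # []
    print("queue:", prioritized(SAMPLE))          # ['G-003', 'G-001', 'G-002']
    print("overdue:", overdue(SAMPLE, AS_OF))     # [('G-002', 1), ('G-003', 12)]
    print("workload:", workload_by_owner(SAMPLE)) # {'IT Ops': 1, 'Security': 2}
    print("incomplete:", validate(INCOMPLETE))
```

The queue puts the two high findings first, ordered by due date, so the overdue incident-response gap (G-003) surfaces ahead of a later-dated one; the completed backup test drops out of both the queue and the owner workload, which is what lets the same list serve as a progress report at the next review.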
Vulnerability Scanning and Continuous Monitoring
There are specialty tools used to capture and maintain a continuous improvement model for cyber preparedness. A cyber assessment, completion of the POAM and progression through the cyber framework are all continuous efforts. Cyber preparedness is NOT a one-and-done event; awareness and understanding of cyber events must be continuous. Vulnerability scanning should be periodic and scheduled; monthly and quarterly works well for most organizations. Cyber monitoring differs from firewall settings, network monitoring and endpoint technology services. The difference is in knowledge and awareness of changes in networks, devices and connections. All digital assets, known and unknown, need to be monitored in real time, with alerts on changes surfaced as they happen so they can be acted upon before they grow into significant cyber events.
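The paragraph above draws the line between ordinary network monitoring and cyber monitoring: awareness of changes in networks, devices and connections, including assets the organization did not know it had. The following is an added example of that change-awareness step, not code from the original post or from any vendor tool: it compares a trusted asset baseline (what the assessment said the organization owns) with a later discovery snapshot and raises alerts on new devices, changed hardware identity, new listening services, devices that have vanished and connections to networks outside an approved list. Both inventories, the `APPROVED_PEERS` list and the severity mapping are constructed for illustration; a real deployment would feed the snapshot from its scanner or agent data.

```python
"""Asset-drift detector: baseline inventory vs. fresh discovery snapshot.
Constructed example; the inventories below are made up for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    host: str            # hostname or IP as discovered
    mac: str             # hardware address seen for that host
    ports: frozenset     # listening TCP ports
    peers: frozenset     # remote networks (CIDR strings) this host has talked to


# Constructed baseline: what the organization believes it owns after the assessment.
BASELINE = {
    "10.0.1.10": Asset("10.0.1.10", "aa:bb:cc:00:00:01", frozenset({22, 443}), frozenset({"10.0.0.0/8"})),
    "10.0.1.11": Asset("10.0.1.11", "aa:bb:cc:00:00:02", frozenset({3389}), frozenset({"10.0.0.0/8"})),
    "10.0.1.12": Asset("10.0.1.12", "aa:bb:cc:00:00:03", frozenset({80, 443}), frozenset({"10.0.0.0/8"})),
}

# Constructed discovery snapshot taken later: one host grew a service, one changed MAC and
# started talking to an outside network, one unknown device appeared, one disappeared.
CURRENT = {
    "10.0.1.10": Asset("10.0.1.10", "aa:bb:cc:00:00:01", frozenset({22, 443, 8080}), frozenset({"10.0.0.0/8"})),
    "10.0.1.11": Asset("10.0.1.11", "aa:bb:cc:00:00:99", frozenset({3389}), frozenset({"10.0.0.0/8", "203.0.113.0/24"})),
    "10.0.1.50": Asset("10.0.1.50", "de:ad:be:ef:00:01", frozenset({445}), frozenset({"10.0.0.0/8"})),
}

# Networks the organization has sanctioned as third-party or internal peers (constructed).
APPROVED_PEERS = {"10.0.0.0/8"}

# Triage mapping for the alert types below (constructed; tune to the organization's risk view).
ALERT_SEVERITY = {
    "unknown_device": "high",     # an asset nobody inventoried; ownership must be established
    "unapproved_peer": "high",    # new connection outside the sanctioned list
    "mac_changed": "high",        # replaced hardware or something impersonating the host
    "new_service": "medium",      # new listening port; was it a sanctioned change?
    "missing_device": "low",      # decommissioned, offline, or evading discovery
}


def diff_inventory(baseline, current, approved_peers=APPROVED_PEERS):
    """Return (alert_type, host, detail) tuples describing every change from the baseline."""
    alerts = []
    for host, asset in current.items():
        base = baseline.get(host)
        if base is None:
            alerts.append(("unknown_device", host,
                           f"mac={asset.mac} ports={sorted(asset.ports)}"))
            continue
        if asset.mac != base.mac:
            alerts.append(("mac_changed", host, f"{base.mac} -> {asset.mac}"))
        for port in sorted(asset.ports - base.ports):
            alerts.append(("new_service", host, f"port {port}"))
        for peer in sorted(asset.peers - base.peers):
            kind = "new_peer" if peer in approved_peers else "unapproved_peer"
            alerts.append((kind, host, peer))
    for host in sorted(baseline.keys() - current.keys()):
        alerts.append(("missing_device", host, "present in baseline, not seen now"))
    return alerts


def triage(alerts):
    """Group alerts by severity so the highest-risk changes are looked at first."""
    grouped = {"high": [], "medium": [], "low": []}
    for alert in alerts:
        grouped[ALERT_SEVERITY.get(alert[0], "medium")].append(alert)
    return grouped


if __name__ == "__main__":
    found = diff_inventory(BASELINE, CURRENT)
    for level, items in triage(found).items():
        for kind, host, detail in items:
            print(f"[{level:6}] {kind:16} {host:12} {detail}")
```

Run against the constructed inventories, the detector reports five changes: the unknown 10.0.1.50, the MAC change and outside-network connection on 10.0.1.11, the new port 8080 on 10.0.1.10, and the missing 10.0.1.12. The point of the triage step is that a new service on a known host and an entirely unknown host are different conversations; the baseline only stays useful if every accepted change is written back into it, which is the continuous part the paragraph insists on.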
The framework model does define the stages needed to improve an organization’s cyber posture. Without awareness and a plan, including proactive knowledge of cyber events, it’s a roll of the dice, and my money is with the house: it’s a losing roll!