|
|
| Line 1: |
Line 1: |
| What are cybersecurity standards? CGI, Inc. calls them "critical means by which the direction described in an enterprise’s cybersecurity strategy and policies are translated into actionable and measurable criteria." They contain a set of statements about what processes must be followed to achieve the security outcomes expected by the organization.<ref name="CGIUnderstand19">{{cite web |url=https://www.cgi.com/sites/default/files/2019-08/cgi-understanding-cybersecurity-standards-white-paper.pdf |format=PDF |title=Understanding Cybersecurity Standards |publisher=CGI, Inc |date=April 2019 |accessdate=23 July 2020}}</ref> Sometimes those standards get placed within a framework, which adds additional policy, procedure, and process to the set of statements laid out in the standards. This resulting cybersecurity standards framework acts as a defined, collective approach to how the information system, data, and services are managed within the organization.
| | [File:Cybersecurity training (37345726182).jpg|right|450px]]In the introductory section, a cybersecurity plan was defined as a developed, distributed, reviewed, updated, and protected collection of policy and other types of components that shapes how an organization protects against and responds to cybersecurity threats. One of the more significant activities of plan development includes applying the security controls, program development, and risk management aspects of one or more cybersecurity standards frameworks for the identification of, protection from, detection of, response to, and recovery from cybersecurity threats and incidents. |
|
| |
|
| Some experts further differentiate between frameworks. Frank Kim, founder of security consulting firm ThinkSec and curriculum director at the SANS Institute, splits frameworks into three categories: control, program, and risk frameworks. Control frameworks provide a baseline set of controls for assessing technical capability, prioritizing implementation, and developing a cybersecurity plan. Program frameworks offer a more program-based approach, allowing organizations to broadly assess the current state of their cybersecurity program and further develop it. Risk frameworks "allow cybersecurity professionals to ensure they are managing their program in a way that is useful to stakeholders throughout the organization, and help determine how to prioritize security activities."<ref name="RayomeHowTo19">{{cite web |url=https://www.techrepublic.com/article/how-to-choose-the-right-cybersecurity-framework/ |title=How to choose the right cybersecurity framework |author=Rayome, A.D. |work=TechRepublic |publisher=CBS Interactive |date=07 March 2019 |accessdate=23 July 2020}}</ref> Data communications and security specialist Robert Slade does something similar using slightly different terminology. Checklist frameworks are the equivalent of Kim's control frameworks, governance frameworks appear to be Kim's program frameworks, and risk management frameworks represent Kim's risk frameworks. Slade adds a fourth category, however: audit and assurance.<ref name="SladeSecurity11">{{cite web |url=http://itm.iit.edu/netsecure11/RobertSlade_SecFrameworks.pdf |format=PDF |title=Security Frameworks |author=Slade, R.M. |publisher=Illinois Institute of Technology |date=2011 |accessdate=23 July 2020}}</ref>
| | The National Institute of Standards and Technology (NIST) defines a security control as "a safeguard or countermeasure prescribed for an information system or an organization designed to protect the confidentiality, integrity, and availability of its information and to meet a set of defined security requirements."<ref name="NISTSecurity19">{{cite web |url=https://csrc.nist.gov/glossary/term/security_control |title=security control |work=Computer Security Resource Center |publisher=National Institute of Standards and Technology |date=2019 |accessdate=23 July 2020}}</ref> Many, but not all, cybersecurity frameworks include a catalog of such controls, which give the implementing organization a concrete set of configurable goals to apply to their overall cybersecurity strategy. However, as mentioned in the previous section, some frameworks exist to provide a more program-based or risk-based approach to plan development. Choosing the best frameworks will likely depend on multiple factors, including the organization's industry type, the amount of technical expertise within the organization, the budget, the organizational goals, the amount of buy-in from key organizational stakeholders, and those stakeholders' preferred approach. |
|
| |
|
| Numerous cybersecurity standards frameworks exist, some based in specific countries, others based on specific industries. According to at least one authority, the top four cybersecurity standards frameworks being leveraged by organizations are the Payment Card Industry Data Security Standards (PCI DSS), ISO/IEC 27001:2013, Center for Internet Security (CIS) Controls, and the NIST Cybersecurity Framework.<ref name="WatsonTopFour19">{{cite web |url=https://www.itgovernanceusa.com/blog/top-4-cybersecurity-frameworks |title=Top 4 cybersecurity frameworks |author=Watson, M. |work=IT Governance USA Blog |publisher=GRC International Group plc |date=17 January 2019 |accessdate=23 July 2020}}</ref> These and a selection of additional cybersecurity standards frameworks and standards are shown in Table 2:
| | Let's take a look at one NIST control in particular, from their SP 800-53 framework, which will be discussed further in the next section. Their "PL-2 System security plan" control recommends the organization develop, distribute, review, update, and protect a cybersecurity plan for its information system. Its supplemental guidance reads as follows: |
|
| |
|
| {|
| | <blockquote>Security plans relate security requirements to a set of security controls and control enhancements. Security plans also describe, at a high level, how the security controls and control enhancements meet those security requirements, but do not provide detailed, technical descriptions of the specific design or implementation of the controls/enhancements. Security plans contain sufficient information (including the specification of parameter values for assignment and selection statements either explicitly or by reference) to enable a design and implementation that is unambiguously compliant with the intent of the plans and subsequent determinations of risk to organizational operations and assets, individuals, other organizations, and the Nation if the plan is implemented as intended.</blockquote> |
| | STYLE="vertical-align:top;"|
| |
| {| class="wikitable" border="1" cellpadding="5" cellspacing="0" width="85%"
| |
| |-
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;" colspan="4"|'''Table 2.''' Examples of cybersecurity standards frameworks and standards
| |
| |-
| |
| |-
| |
| ! style="background-color:#e2e2e2; padding-left:10px; padding-right:10px;"|Name
| |
| ! style="background-color:#e2e2e2; padding-left:10px; padding-right:10px;"|Developer
| |
| ! style="background-color:#e2e2e2; padding-left:10px; padding-right:10px;"|Framework type
| |
| ! style="background-color:#e2e2e2; padding-left:10px; padding-right:10px;"|Industry
| |
| |-
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|ANSI/ISA 62443 Standards<ref name="ISAThe62443_16">{{cite web |url=https://cdn2.hubspot.net/hubfs/3415072/Resources/The%2062443%20Series%20of%20Standards.pdf |format=PDF |title=The 62443 series of standards |publisher=ISA |date=December 2016 |accessdate=23 July 2020}}</ref>
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|ISA
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|Control and Program
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|Industrial automation and control systems
| |
| |-
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|Baseline Cyber Security Controls for Small and Medium Organizations<ref name="CCCSBaseline19">{{cite web |url=https://cyber.gc.ca/en/guidance/baseline-cyber-security-controls-small-and-medium-organizations |title=Baseline Cyber Security Controls for Small and Medium Organizations |publisher=Canadian Centre for Cyber Security |date=20 November 2019 |accessdate=23 July 2020}}</ref>
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|Canadian Centre for Cyber Security
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|Control
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|Industry-neutral; small and medium organizations
| |
| |-
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|Center for Internet Security (CIS) Controls<ref name="CISThe20_19">{{cite web |url=https://www.cisecurity.org/controls/cis-controls-list/ |title=The 20 CIS Controls & Resources |work=CIS Controls |date=2019 |accessdate=23 July 2020}}</ref>
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|Center for Internet Security
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|Control
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|Industry-neutral
| |
| |-
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|Cloud Controls Matrix<ref name="CSA_CSM19">{{cite web |url=https://cloudsecurityalliance.org/research/cloud-controls-matrix/ |title=Cloud Controls Matrix (CCM) |publisher=Cloud Security Alliance |accessdate=23 July 2020}}</ref>
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|Cloud Security Alliance
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|Control
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|Cloud services and implementation
| |
| |-
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|Code Quality Standards<ref name="CISQCode19">{{cite web |url=https://www.it-cisq.org/standards/code-quality-standards/index.htm |title=Code Quality Standards |publisher=Consortium for Information & Software Quality |date=2019 |accessdate=23 July 2020}}</ref>
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|Consortium for Information & Software Quality
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|Control
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|Software development
| |
| |-
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|Control Objectives for Information and Related Technologies (COBIT)<ref name="ISACA_COBIT19">{{cite web |url=http://www.isaca.org/knowledge-center/cobit/Pages/Overview.aspx |archiveurl=https://web.archive.org/web/20200121085305/http://www.isaca.org/knowledge-center/cobit/Pages/Overview.aspx |title=COBIT 4.1: Framework for IT Governance and Control |publisher=Information Systems Audit and Control Association |date=2019 |archivedate=21 January 2020 |accessdate=23 July 2020}}</ref>
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|Information Systems Audit and Control Association
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|Program
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|Industry-neutral
| |
| |-
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|Critical Infrastructure Protection (CIP) Standards<ref name="NERC_CIP17">{{cite web |url=https://www.nerc.com/pa/Stand/Pages/CIPStandards.aspx |title=CIP Standards |publisher=North American Electric Reliability Corporation |date=2017 |accessdate=23 July 2020}}</ref>
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|North American Electric Reliability Corporation
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|Control
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|Utilities
| |
| |-
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|Cybersecurity Assessment Tool<ref name="FFIECCyber17">{{cite web |url=https://www.ffiec.gov/cyberassessmenttool.htm |title=Cybersecurity Assessment Tool |publisher=Federal Financial Institutions Examination Council |date=May 2017 |accessdate=23 July 2020}}</ref>
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|Federal Financial Institutions Examination Council
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|Control
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|Financial services
| |
| |-
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|Essential Cybersecurity Controls (ECC - 1: 2018)<ref name="NCAEssential18">{{cite web |url=https://itig-iraq.iq/wp-content/uploads/2019/08/Essential-Cybersecurity-Controls-2018.pdf |format=PDF |title=Essential Cybersecurity Controls (ECC - 1: 2018) |publisher=National Cybersecurity Authority of Saudi Arabia |date=2018 |accessdate=23 July 2020}}</ref>
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|National Cybersecurity Authority of Saudi Arabia
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|Control
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|Industry-neutral
| |
| |-
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|ETSI TR 103 305 V1.1.1<ref name="ETSICritical15">{{cite web |url=https://www.etsi.org/deliver/etsi_tr/103300_103399/103305/01.01.01_60/tr_103305v010101p.pdf |format=PDF |title=Critical Security Controls for Effective Cyber Defence |publisher=European Telecommunications Standards Institute |date=May 2015 |accessdate=23 July 2020}}</ref>
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|European Telecommunications Standards Institute
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|Control
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|Telecommunications
| |
| |-
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|Federal Information Processing Standards (FIPS)<ref name="NISTCompli19">{{cite web |url=https://www.nist.gov/standardsgov/compliance-faqs-federal-information-processing-standards-fips |title=Compliance FAQs: Federal Information Processing Standards (FIPS) |work=Standards.gov |publisher=National Institute of Standards and Technology |date=15 November 2019 |accessdate=23 July 2020}}</ref>
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|National Institute of Standards and Technology
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|Control
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|Industry-neutral
| |
| |-
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|HISO 10029:2015 Health Information Security Framework<ref name="MoH_HISO19">{{cite web |url=https://www.health.govt.nz/publication/hiso-100292015-health-information-security-framework |title=HISO 10029:2015 Health Information Security Framework |publisher=New Zealand Ministry of Health |date=21 June 2019 |accessdate=23 July 2020}}</ref>
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|New Zealand Ministry of Health
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|Control
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|Healthcare
| |
| |-
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|HITRUST CSF<ref name="HITRUSTCSF19">{{cite web |url=https://hitrustalliance.net/hitrust-csf/ |title=HITRUST CSF |publisher=HITRUST Alliance |date=2019 |accessdate=23 July 2020}}</ref>
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|HITRUST Alliance
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|Risk
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|Industry-neutral
| |
| |-
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|ISO/IEC 15408-1:2009<ref name="ISO15408_14">{{cite web |url=https://www.iso.org/standard/50341.html |title=ISO/IEC 15408-1:2009 Information technology — Security techniques — Evaluation criteria for IT security — Part 1: Introduction and general model |publisher=International Organization for Standardization |date=January 2014 |accessdate=23 July 2020}}</ref>
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|International Organization for Standardization
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|Program
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|Industry-neutral
| |
| |-
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|ISO/IEC 27001:2013<ref name="ISO27001_19">{{cite web |url=https://www.iso.org/standard/54534.html |title=ISO/IEC 27001:2013 Information technology — Security techniques — Information security management systems — Requirements |publisher=International Organization for Standardization |date=03 June 2019 |accessdate=23 July 2020}}</ref>
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|International Organization for Standardization
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|Program
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|Industry-neutral
| |
| |-
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|NIST Cybersecurity Framework<ref name=NISTCyber19">{{cite web |url=https://www.nist.gov/cyberframework |title=Cybersecurity Framework |work=Cybersecurity Framework |publisher=National Institute of Standards and Technology |date=2019 |accessdate=23 July 2020}}</ref>
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|National Institute of Standards and Technology
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|Program
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|Industry-neutral
| |
| |-
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|NIST SP 800-53, Rev. 4 Security and Privacy Controls for Federal Information Systems and Organizations<ref name=NISTSP800-53_18">{{cite web |url=https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final |title=NIST SP 800-53, Rev. 4 Security and Privacy Controls for Federal Information Systems and Organizations |work=Computer Security Resource Center |publisher=National Institute of Standards and Technology |date=22 January 2015 |accessdate=23 July 2020}}</ref>
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|National Institute of Standards and Technology
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|Control
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|Industry-neutral; U.S. federal information systems and organizations
| |
| |-
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|NIST SP 800-171, Rev. 2 Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations<ref name=NISTSP800-171_18">{{cite web |url=https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final |title=NIST SP 800-171, Rev. 2 Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations |work=Computer Security Resource Center |publisher=National Institute of Standards and Technology |date=February 2020 |accessdate=23 July 2020}}</ref>
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|National Institute of Standards and Technology
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|Control
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|Industry-neutral; U.S. non-federal information systems and organizations
| |
| |-
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|OCTAVE Allegro<ref name="CaralliIntro07">{{cite web |url=https://resources.sei.cmu.edu/library/asset-view.cfm?assetid=8419 |title=Introducing OCTAVE Allegro: Improving the Information Security Risk Assessment Process |author=Caralli, R.A.; Stevens, J.F.; Young, L.R. et al. |publisher=Software Engineering Institute |date=2007 |accessdate=23 July 2020}}</ref>
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|Software Engineering Institute
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|Risk
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|Industry-Neutral
| |
| |-
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|Payment Card Industry Data Security Standards (PCI DSS) V3.2.1<ref name="PCIData18">{{cite web |url=https://www.pcisecuritystandards.org/document_library |title=Payment Card Industry Data Security Standard - Requirements and Security Assessment Procedures |publisher=PCI Security Standards Council, LLC |date=May 2018 |accessdate=23 July 2020}}</ref>
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|PCI Security Standards Council, LLC
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|Control
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|"All entities involved in payment card processing"
| |
| |-
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|Protective Security Requirements<ref name="NZProtect19">{{cite web |url=https://www.protectivesecurity.govt.nz/ |title=Protective Security Requirements |publisher=New Zealand Security Intelligence Service |date=August 2019 |accessdate=23 July 2020}}</ref>
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|New Zealand Security Intelligence Service
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|Program
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|Industry-neutral
| |
| |-
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|Secure Controls Framework<ref name="SCFSecure19">{{cite web |url=https://www.securecontrolsframework.com/secure-controls-framework |title=Secure Controls Framework (SCF) |publisher=Secure Controls Framework Council, LLC |date=2019 |accessdate=23 July 2020}}</ref>
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|Secure Controls Framework Council, LLC
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|Control
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|Industry-neutral
| |
| |-
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|Sherwood Applied Business Security Architecture (SABSA)<ref name="SABSAExec18">{{cite web |url=https://sabsa.org/sabsa-executive-summary/ |title=SABSA Executive Summary |publisher=The SABSA Institute C.I.C |date=2018 |accessdate=23 July 2020}}</ref>
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|The SABSA Institute C.I.C.
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|Program and Risk
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|Enterprise-level business
| |
| |-
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|Standard of Good Practice for Information Security 2018<ref name="ISFTheISF18">{{cite web |url=https://www.securityforum.org/tool/the-isf-standard-good-practice-information-security-2018/ |title=The ISF Standard of Good Practice for Information Security 2018 |publisher=Information Security Forum Ltd |date=2018 |accessdate=23 July 2020}}</ref>
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|Information Security Forum Ltd.
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|Control
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|Industry-neutral
| |
| |-
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|System and Organization Controls for Cybersecurity (SOC-C)<ref name="AICPA_SOC19">{{cite web |url=https://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/aicpacybersecurityinitiative.html |title=SOC for Cybersecurity |publisher=Association of International Certified Professional Accountants |date=2019 |accessdate=23 July 2020}}</ref>
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|Association of International Certified Professional Accountants
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|Control
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|Industry-neutral
| |
| |-
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|Water Sector Cybersecurity Risk Management Guidance v3.0<ref name="AWWACyber19">{{cite web |url=https://www.awwa.org/Resources-Tools/Resource-Topics/Risk-Resilience/Cybersecurity-Guidance |title=Water Sector Cybersecurity Risk Management Guidance |author=West Yost Associates |publisher=American Water Works Association |date=04 September 2019 |accessdate=23 July 2020}}</ref>
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|American Water Works Association
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|Risk
| |
| | style="background-color:white; padding-left:10px; padding-right:10px;"|Water and wastewater
| |
| |-
| |
| |}
| |
| |}
| |
|
| |
|
| Choosing the appropriate frameworks requires consideration and research. For the purposes of this guide, NIST SP 800-53, Rev. 4 and, to a lesser degree, the NIST Cybersecurity Framework receive the most focus. That is not meant to dissuade organizations from using other frameworks. For example, the PCI DSS is heavily geared to the financial services industry and is industry-appropriate for those working with credit card transactions. However, additional controls from other frameworks may also be of use. In fact, more than 40 percent of organizations work with more than one set of cybersecurity controls when developing their cybersecurity plan.<ref name="WatsonTopFour19" /> NIST SP 800-53, Rev. 4 and the NIST Cybersecurity Framework are particularly appealing though, having been developed with thousands of stakeholders giving feedback, and in such a way that the controls remain "intuitive and accessible to a wide range of practitioners."<ref name="NISTNIST19">{{cite web |url=https://www.nist.gov/news-events/news/2019/02/nist-marks-fifth-anniversary-popular-cybersecurity-framework |title=NIST Marks Fifth Anniversary of Popular Cybersecurity Framework |publisher=National Institute of Standards and Technology |date=12 February 2019 |accessdate=23 July 2020}}</ref><ref name="PerryExplain19">{{cite web |url=https://www.infosecurity-magazine.com/opinions/breakout-nist-cybersecurity-1-1/ |title=Explaining the Breakout Success of the NIST Cybersecurity Framework |author=Perry, J. |work=Infosecurity Magazine |publisher=Reed Exhibitions Limited |date=16 April 2019 |accessdate=23 July 2020}}</ref>
| | This wording essentially indicates that when you make your plan, there should be a high-level connection between what the organization needs to implement in regards to cybersecurity and how to go about doing it using best practices (e.g., using framework controls and guidance). It also means that, if developed, implemented, and maintained correctly, the plan should empower the organization to have an information system that is clearly compliant with the intent and purpose of the organization's goals, operations, and risk determinations. In other words, the organization first needs a clear picture of what it wants to achieve and the risks associated with operating an information system to meet those goals before it can develop its cybersecurity plan; afterwards, cybersecurity standards frameworks and controls can assist with plan development. |
| | |
| | <blockquote>Security plans need not be single documents; the plans can be a collection of various documents including documents that already exist. Effective security plans make extensive use of references to policies, procedures, and additional documents (e.g., design and implementation specifications) where more detailed information can be obtained. This reduces the documentation requirements associated with security programs and maintains security-related information in other established management/operational areas related to enterprise architecture, system development life cycle, systems engineering, and acquisition. For example, security plans do not contain detailed contingency plan or incident response plan information but instead provide explicitly or by reference, sufficient information to define what needs to be accomplished by those plans.</blockquote> |
| | |
| | The rest of NIST's wording indicates that a plan isn't necessarily a single, comprehensive document that attacks everything. Rather, it will make reference to other important policies and procedures that will further drive the overall success of your cybersecurity plan. You may even choose to have a separate document dedicated to the security controls you select for your organization. (Note that in the actual plan development section of this guide, recommendations for creating the additional "policies, procedures, and additional documents" you'll need will be given. Despite those recommendations, NIST's guidance still holds true: your actual plan document should make reference to them and provide sufficient description of what those external plans intend to accomplish within the scope of the cybersecurity plan. In the end, though, this decision to have one lengthy document or branched documents linked to the overall plan is a matter of organizational choice.) |
| | |
| | The takeaway from this analysis of NIST's language is that the while any standards framework you use can guide the development of a cybersecurity plan, it can't be done in a vacuum that doesn't take into account organizational goals, system and data aspects, and risk assessments. Additionally, while driven by the framework, the cybersecurity plan also doesn't need to contain every detail recommended by the framework; sometimes it's easier to have policy external to but referenced within the plan. |
| | |
| | Some additional considerations and tips concerning the blending of a cybersecurity standards framework with your organization's cybersecurity plan include<ref name="NiliUnderstand14">{{cite web |url=https://corpgov.law.harvard.edu/2014/08/25/understanding-and-implementing-the-nist-cybersecurity-framework/ |title=Understanding and Implementing the NIST Cybersecurity Framework |author=Nili, T. |work=Harvard Law School Forum on Corporate Governance and Financial Regulation |publisher=Harvard |date=25 August 2014 |accessdate=23 July 2020}}</ref><ref name="NISTAnIntro19">{{cite web |url=https://www.nist.gov/cyberframework/online-learning/components-framework |title=An Introduction to the Components of the Framework |publisher=National Institute of Standards and Technology |date=08 October 2019 |accessdate=23 July 2020}}</ref><ref name="MorganHowToUse18">{{cite web |url=https://www.securitymagazine.com/blogs/14-security-blog/post/88890-how-to-use-the-nist-cybersecurity-framework |title=How to Use the NIST Cybersecurity Framework: A Conversation with NIST’s Matthew Barrett |author=Morgan, J. |work=Security |publisher=BNP Media |date=04 April 2018 |accessdate=23 July 2020}}</ref><ref name="CorneliusUnder18">{{cite web |url=https://www.linkedin.com/pulse/understanding-cybersecurity-privacy-best-practices-tom-cornelius/ |title=Understanding Cybersecurity & Privacy Best Practices |author=Cornelius, T. |work=LinkedIn Pulse |date=31 July 2018 |accessdate=23 July 2020}}</ref>: |
| | |
| | * After selecting one or more frameworks, ensure at a minimum that key stakeholders and related personnel are given a chance to become more familiar with the frameworks before continuing with extensive plan development. |
| | * Map cybersecurity requirements, organizational objectives, and planned process and procedure to security controls, and then compare the results to your current operating state to understand what gaps exist, if any. |
| | * Don't be afraid to customize controls and other framework elements in order for your organization to get the maximum benefit out of them. Do keep relevant regulations affecting your organization in mind, however, when customizing. |
| | * Think of the framework as the defining sauce or crust base of a pizza: it allows you to bake security and privacy principles into your overall cybersecurity strategy, with an end result of being more naturally prepared to address regulatory and contractual obligations. |
| | * Don't forget to look for additional implementation resources created by the developer of the framework, e.g., from [https://www.isa.org/technical-topics/cybersecurity/cybersecurity-resources/ ISA], [https://www.sans.org/critical-security-controls/ SANS], and [https://www.cisecurity.org/controls/cis-controls-list/ CIS]. |
| | * If expertise isn't available in-house, you may want to turn to a cybersecurity services provider to assist with integrating a framework into your plan. |
|
| |
|
| ==References== | | ==References== |
| {{Reflist|colwidth=30em}} | | {{Reflist|colwidth=30em}} |
[File:Cybersecurity training (37345726182).jpg|right|450px]]In the introductory section, a cybersecurity plan was defined as a developed, distributed, reviewed, updated, and protected collection of policy and other types of components that shapes how an organization protects against and responds to cybersecurity threats. One of the more significant activities of plan development includes applying the security controls, program development, and risk management aspects of one or more cybersecurity standards frameworks for the identification of, protection from, detection of, response to, and recovery from cybersecurity threats and incidents.
The National Institute of Standards and Technology (NIST) defines a security control as "a safeguard or countermeasure prescribed for an information system or an organization designed to protect the confidentiality, integrity, and availability of its information and to meet a set of defined security requirements."[1] Many, but not all, cybersecurity frameworks include a catalog of such controls, which give the implementing organization a concrete set of configurable goals to apply to their overall cybersecurity strategy. However, as mentioned in the previous section, some frameworks exist to provide a more program-based or risk-based approach to plan development. Choosing the best frameworks will likely depend on multiple factors, including the organization's industry type, the amount of technical expertise within the organization, the budget, the organizational goals, the amount of buy-in from key organizational stakeholders, and those stakeholders' preferred approach.
Let's take a look at one NIST control in particular, from their SP 800-53 framework, which will be discussed further in the next section. Their "PL-2 System security plan" control recommends the organization develop, distribute, review, update, and protect a cybersecurity plan for its information system. Its supplemental guidance reads as follows:
Security plans relate security requirements to a set of security controls and control enhancements. Security plans also describe, at a high level, how the security controls and control enhancements meet those security requirements, but do not provide detailed, technical descriptions of the specific design or implementation of the controls/enhancements. Security plans contain sufficient information (including the specification of parameter values for assignment and selection statements either explicitly or by reference) to enable a design and implementation that is unambiguously compliant with the intent of the plans and subsequent determinations of risk to organizational operations and assets, individuals, other organizations, and the Nation if the plan is implemented as intended.
This wording essentially indicates that when you make your plan, there should be a high-level connection between what the organization needs to implement in regards to cybersecurity and how to go about doing it using best practices (e.g., using framework controls and guidance). It also means that, if developed, implemented, and maintained correctly, the plan should empower the organization to have an information system that is clearly compliant with the intent and purpose of the organization's goals, operations, and risk determinations. In other words, the organization first needs a clear picture of what it wants to achieve and the risks associated with operating an information system to meet those goals before it can develop its cybersecurity plan; afterwards, cybersecurity standards frameworks and controls can assist with plan development.
Security plans need not be single documents; the plans can be a collection of various documents including documents that already exist. Effective security plans make extensive use of references to policies, procedures, and additional documents (e.g., design and implementation specifications) where more detailed information can be obtained. This reduces the documentation requirements associated with security programs and maintains security-related information in other established management/operational areas related to enterprise architecture, system development life cycle, systems engineering, and acquisition. For example, security plans do not contain detailed contingency plan or incident response plan information but instead provide explicitly or by reference, sufficient information to define what needs to be accomplished by those plans.
The rest of NIST's wording indicates that a plan isn't necessarily a single, comprehensive document that attacks everything. Rather, it will make reference to other important policies and procedures that will further drive the overall success of your cybersecurity plan. You may even choose to have a separate document dedicated to the security controls you select for your organization. (Note that in the actual plan development section of this guide, recommendations for creating the additional "policies, procedures, and additional documents" you'll need will be given. Despite those recommendations, NIST's guidance still holds true: your actual plan document should make reference to them and provide sufficient description of what those external plans intend to accomplish within the scope of the cybersecurity plan. In the end, though, this decision to have one lengthy document or branched documents linked to the overall plan is a matter of organizational choice.)
The takeaway from this analysis of NIST's language is that the while any standards framework you use can guide the development of a cybersecurity plan, it can't be done in a vacuum that doesn't take into account organizational goals, system and data aspects, and risk assessments. Additionally, while driven by the framework, the cybersecurity plan also doesn't need to contain every detail recommended by the framework; sometimes it's easier to have policy external to but referenced within the plan.
Some additional considerations and tips concerning the blending of a cybersecurity standards framework with your organization's cybersecurity plan include[2][3][4][5]:
- After selecting one or more frameworks, ensure at a minimum that key stakeholders and related personnel are given a chance to become more familiar with the frameworks before continuing with extensive plan development.
- Map cybersecurity requirements, organizational objectives, and planned process and procedure to security controls, and then compare the results to your current operating state to understand what gaps exist, if any.
- Don't be afraid to customize controls and other framework elements in order for your organization to get the maximum benefit out of them. Do keep relevant regulations affecting your organization in mind, however, when customizing.
- Think of the framework as the defining sauce or crust base of a pizza: it allows you to bake security and privacy principles into your overall cybersecurity strategy, with an end result of being more naturally prepared to address regulatory and contractual obligations.
- Don't forget to look for additional implementation resources created by the developer of the framework, e.g., from ISA, SANS, and CIS.
- If expertise isn't available in-house, you may want to turn to a cybersecurity services provider to assist with integrating a framework into your plan.
References
