BreachExchange mailing list archives

Deciphering the Cybersecurity Framework


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 15 Apr 2014 18:56:37 -0600

http://www.claimsjournal.com/news/national/2014/04/15/247376.htm

Reading the National Institute of Standards and Technology’s “Framework for
Improving Critical Infrastructure Cybersecurity” is like being trapped in a
nonstop risk management meeting. Within the Framework, organizations
“dynamically select” improvements, functions “align with existing
methodologies for incident management,” and “interdependent stakeholders”
are “engaged.”

Published in response to President Obama’s Executive Order 13636, which
called for the development of industry standards and best practices to help
companies manage cyber risk, the Framework provides recommendations for
improving network security and responding to cyber threats.

To read the framework, see:
http://www.nist.gov/itl/upload/preliminary-cybersecurity-framework.pdf

Yet the Framework couches its suggestions in dense risk management speak
that makes concepts appear more complicated than they actually are. The
Framework’s reliance on buzzwords undermines its primary purpose – to
develop a common language that allows all corporate personnel to get more
involved in addressing data security.

Despite the document’s flaws, businesses will use it as a resource. And if
commentary is to be believed, companies can’t ignore the Framework’s
suggestions. Though designed for critical infrastructure sectors, many data
security experts believe that the Framework will be the key factor in
establishing best practices in almost all industries.

This includes insurers. Like all businesses, insurance companies should
have safeguards in place to minimize the risk of data loss. Underwriters
could use the Framework’s concepts when evaluating a company for cyber
insurance policies. For claims professionals, the Framework provides tools
for determining whether an insured took reasonable steps to maintain data
security or to mitigate losses after a data breach.

Because we are going to have to live with the Framework, it pays to get to
know the document a little better. For those not well versed in “cyber” or
“risk management” speak, this process is not easy.

The Basic Framework Principle – Everything is Interrelated and Dynamic

The Framework has three parts: the Core, the Implementation Tiers, and the
Profile. The Framework’s drafters repeatedly emphasize that these
components are interrelated, with each part reinforcing the other. Yet
precisely how the different parts are supposed to interact is not always
clear.

The Framework is supposed to be a “living document” that evolves over time.
Nothing is static – a company’s infrastructure must be flexible enough to
adapt to changed circumstances and threats. A company never reaches a cyber
plateau where it can rest on its laurels, but must “concurrently” and
“continuously” apply a variety of mechanisms to mitigate risk.

The Framework Core

The Core is a process to identify weaknesses in computer systems and
networks and respond to data breaches. Consistent with the theme that the
Framework is a living document, the Core is not a one-size-fits-all
process. Methodologies may vary depending upon the particular industry, a
company’s sophistication, and evolving cyber threats.

The Core consists of five “Functions”: Identify, Protect, Detect, Respond
and Recover. Broadly speaking, the Identify function refers to the process
by which a company develops an understanding of its systems; Protect, the
implementation of safeguards; Detect, mechanisms for recognizing data
breaches; Respond, action plans for responding to data breaches; and
Recover, procedures for restoring systems to normal operations.

The Functions are broken down into different “Categories.” The Categories
vary for each Function – thus, Identify includes such Categories as “Asset
Management” and “Risk Assessment,” while Protect includes “Access Control”
and “Data Security.” Within each Category, there are “Subcategories”
comprising specific tasks, such as “Asset vulnerabilities are identified
and documented” and “Threats, both internal and external, are identified
and documented.”

The Framework provides “Informative References” corresponding to each
subcategory. These references cite specific sections of various industry
guidelines that might help businesses achieve the goals associated with the
subcategory.

The Framework assigns “Category Unique Identifiers” to individual
categories and subcategories. Thus, an astute practitioner of the Framework
would understand that “PR.AT-2” refers to Protect (Function), Awareness and
Training (Category), Subcategory 2: “Privileged users understand roles &
responsibilities.” Expect terms like the “Function Core” and “PR.AT-2” to
find their way into IT and risk management reports.

The Core steps provide a roadmap for identifying weaknesses. But, as
always, the Framework’s recommendations come with caveats about the need
for flexibility. Companies should not apply the Core mechanistically from
Step A to Step Z with the goal of reaching a “static desired end state.”
Certain steps, such as testing a system for vulnerabilities, should always
be taking place. And companies should never get complacent but continuously
review procedures to improve safeguards and address new threats.

The Framework Implementation Tiers

The “Implementation Tiers” represent different sophistication levels with
respect to cyber risks. The Framework identifies four levels: Partial,
Risk Informed, Repeatable, and Adaptive.

Companies in the Partial tier have “limited awareness” of cyber risks and
lack formalized procedures for addressing this risk. Risk Informed
organizations have an awareness of risks but have not established
formalized, organization-wide approaches to address cyber issues. Companies
at the Repeatable level apply organization-wide approaches, regularly
update their practices, and have “consistent methods” for responding to
changes in risk.

As the name suggests, Adaptive companies “actively adapt” through a
“process of continuous improvement incorporating advanced cybersecurity
technologies and practices.” Cybersecurity is part of the organizational
culture. These companies “actively share information” and have “continuous
awareness of activities on their systems.”

Those who have taken multiple-choice tests immediately recognize the right
answer: be Adaptive. But the Framework’s drafters suggest that there are
no correct answers. Achieving any tier is fine. A company may select the
“desired” tier based on that entity’s objectives and constraints.

The Framework should drop the pretence that it would be acceptable for
companies to aspire to Tier 1 or Tier 2. After all, the Framework is
designed for the nation’s “critical infrastructure” sectors. While Tier 3
may be passable, all companies within these important sectors should desire
to be Adaptive.

More importantly, the Framework never explains how the tier selection
process fits into overall strategies for managing cyber risks. There is no
discussion about how this ranking system helps companies implement “Core”
programs or develop cybersecurity “Profiles.”

The Framework Profile

The Implementation Tier ranking reflects a general assessment of
organizational culture with respect to security. By contrast, constructing
a Framework Profile requires detailed study of a company’s systems and
procedures to identify specific weaknesses.

This process involves not one but two profiles: a Current Profile and a
Target Profile. An organization reviews the categories and subcategories in
the “Framework Core” to identify important procedures and safeguards
applicable to that company. The company then studies its systems to assess
its compliance with each category’s and subcategory’s requirements.

After generating a Current Profile, the company creates a “Target Profile”
that addresses gaps and weaknesses in the company’s systems. The company
then develops a plan to close those gaps.

The “Profile” concept is flexible. Companies might devise unique categories
and subcategories. An entity also might use multiple profiles since
different systems could require different protection levels.

The Need for Better Communication

The National Institute of Standards and Technology apparently intends the
Framework to provide a common language for understanding and managing cyber
risks. The document falls short of this goal. Although risk managers and
technology professionals might appreciate the Framework’s terminology,
those outside these narrow spheres probably won’t.

Business surveys show that senior executives don’t understand cyber risks
and rarely make decisions involving data security. As a result, many
companies do not make security a priority. This attitude will continue as
long as proponents talk about data security in terms of “implementation
scenarios.”
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/