Reference Industry Security Frameworks
There are many industry frameworks addressing security controls and practices at the operational and technology level. We did not cover these frameworks in detail in the book, as plenty of detail is available in the public domain. Check out the summary and links below.
NIST Cybersecurity Framework
The National Institute of Standards and Technology (NIST) Cybersecurity Framework is positioned as a framework for “Improving Critical Infrastructure Cybersecurity.” As stated in this framework, the national and economic security of the United States depends on the reliable functioning of critical infrastructure. President Obama issued an Executive Order on February 12, 2013 to strengthen the resilience of this infrastructure. For further details, refer to this EO[1].
The focus of this framework is to use business drivers to guide cybersecurity activities and to consider cybersecurity risks as part of an organization’s risk management processes. The framework is technology neutral and leverages global standards, guidelines, and practices so that critical infrastructure providers can achieve the desired resilience. It provides a common taxonomy and mechanism for organizations to:
- Describe their current cybersecurity posture;
- Describe their target state for cybersecurity;
- Identify and prioritize opportunities for improvement within the context of a continuous and repeatable process;
- Assess progress toward the target state;
- Communicate among internal and external stakeholders about cybersecurity risk.
This framework complements an organization’s existing risk management processes and cybersecurity program. It provides the “how” for an organization to achieve resilience against cybersecurity risks. The framework addresses the practices for managing risk by identifying, protecting against, detecting, responding to, and recovering from security vulnerabilities. For further details on the Framework Core, refer to the NIST Cybersecurity Framework[2].
[1]http://www.gpo.gov/fdsys/pkg/FR-2013-02-19/pdf/2013-03915.pdf
[2]https://www.nist.gov/sites/default/files/documents/cyberframework/cybersecurity-framework-021214.pdf
Cybersecurity Capability Maturity Model (C2M2)
The Department of Energy (DOE), in partnership with the Department of Homeland Security (DHS), developed the Cybersecurity Capability Maturity Model (C2M2) from the Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2)[1] Version 1.0 by removing sector-specific references and terminology. To cover the rest of the energy sector, a model was also created for the Oil & Natural Gas subsector, called ONG-C2M2[2]. These models were developed in support of a White House initiative on addressing cyber threats.
The C2M2 focuses on the management and implementation of the cybersecurity practices associated with information technology (IT) and operations technology (OT) assets and the environments in which they operate. The C2M2 provides descriptive rather than prescriptive guidance. This model can be used to:
- Strengthen organizations’ cybersecurity capabilities
- Enable organizations to effectively and consistently evaluate and benchmark cybersecurity capabilities
- Share knowledge, best practices, and relevant references across organizations as a means to improve cybersecurity capabilities
- Enable organizations to prioritize actions and investments to improve cybersecurity
For an organization to measure and improve its cybersecurity program, C2M2 includes a toolkit[3] for self-evaluation. It includes a maturity model for evaluating the current level of practices, processes and methods. There are 16 United States critical infrastructure sectors defined in Presidential Policy Directive 21, “Critical Infrastructure Security and Resilience.” These are found in the sector-specific infrastructure plans[4]. Organizations that support the nation’s critical infrastructure should reference these objectives when defining their cybersecurity objectives. For organizations that do not support the nation’s critical infrastructure, these objectives can be interpreted as industry objectives, community objectives, or any other objectives derived from business or operational objectives.
The C2M2 model uses the phrase “commensurate with risk to critical infrastructure and organizational objectives.” This phrase reminds the organization to tailor its implementation of the model content to address its unique risk profile. Organizations have used C2M2 to evaluate a specific system or technology, such as email, Internet connectivity, and Voice over Internet Protocol (VoIP) telecommunication, across ten domains. The following table lists the ten domains addressed by C2M2.
| C2M2 Domain |
|---|
| Risk Management |
| Asset, Change, Configuration Management |
| Identity and Access Management |
| Threat and Vulnerability Management |
| Situational Awareness |
| Information Sharing and Communications |
| Event and Incident Response, Continuity of Operations |
| Supply Chain and External Dependencies |
| Workforce Management |
| Cybersecurity Program Management |
For further details of this model, refer to the U.S. Department of Energy Cybersecurity Capability Maturity Model[5].
[1]http://energy.gov/oe/downloads/electricity-subsector-cybersecurity-capability-maturity-model-v-11-february-2014
[2]http://energy.gov/oe/downloads/oil-and-natural-gas-subsector-cybersecurity-capability-maturity-model-february-2014
[3]The C2M2 Toolkit may be obtained by sending a request to C2M2@doe.gov
[4]http://www.dhs.gov/sector-specific-plans
[5]http://energy.gov/sites/prod/files/2014/03/f13/C2M2-v1-1_cor.pdf
Information Security Management System
An Information Security Management System (ISMS) consists of the policies and procedures for managing an organization’s information risk management processes. It includes all legal, physical, and technical controls involved. The table below lists the ISO 2700x series of standards and guidelines:
| ISMS | Description |
|---|---|
| ISO 27001 | Provides a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an information security management system |
| ISO 27002 | Describes a comprehensive set of information security control objectives and a set of generally accepted good practice security controls |
| ISO 27003 | Implementation guidance |
| ISO 27004 | An information security management measurement standard suggesting metrics to help improve the effectiveness of an ISMS |
| ISO 27005 | An information security risk standard |
| ISO 27006 | A guide to the certification or registration process for accredited ISMS certification or registration bodies |
| ISO 27007 | ISMS auditing guideline |
Refer to additional information available on ISMS[1] and ISO[2] standards.
[1]https://en.wikipedia.org/wiki/Information_security_management_system
Center for Internet Security (CIS)
CIS is a non-profit organization whose purpose is to enhance cybersecurity readiness and response. The Center for Internet Security has defined 20 cybersecurity controls[1] using the Pareto 80/20 principle. These controls are provided in priority order, and the Center for Internet Security claims that organizations can reduce their risk of cyber attacks by 85% by adopting the first 5 controls and by 94% by adopting all 20 controls.
A crosswalk[2] document, produced by the Department of Health and Human Services, maps the NIST Cybersecurity Framework to the HIPAA Security Rule, which in turn maps to the Center for Internet Security 20 controls.
The Verizon 2015 Data Breach Investigation Report (DBIR)[3] analyzed 63,000 confirmed attacks across various industries. These threats are organized into attack patterns, which are mapped to the Center for Internet Security 20 controls.
The table below lists these 20 controls:
| Group | CIS Control |
|---|---|
| Top 5 Controls | 1. Inventory of Authorized and Unauthorized Devices |
| Top 5 Controls | 2. Inventory of Authorized and Unauthorized Software |
| Top 5 Controls | 3. Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers |
| Top 5 Controls | 4. Continuous Vulnerability Assessment and Remediation |
| Top 5 Controls | 5. Controlled Use of Administrative Privileges |
| Remaining 15 Controls | 6. Maintenance, Monitoring, and Analysis of Audit Logs |
| Remaining 15 Controls | 7. Email and Web Browser Protection |
| Remaining 15 Controls | 8. Malware Defenses |
| Remaining 15 Controls | 9. Limitation and Control of Network Ports, Protocols, and Services |
| Remaining 15 Controls | 10. Data Recovery Capability |
| Remaining 15 Controls | 11. Secure Configurations for Network Devices such as Firewalls, Routers, and Switches |
| Remaining 15 Controls | 12. Boundary Defense |
| Remaining 15 Controls | 13. Data Protection |
| Remaining 15 Controls | 14. Controlled Access Based on the Need to Know |
| Remaining 15 Controls | 15. Wireless Access Control |
| Remaining 15 Controls | 16. Account Monitoring and Control |
| Remaining 15 Controls | 17. Security Skills Assessment and Appropriate Training to Fill Gaps |
| Remaining 15 Controls | 18. Application Software Security |
| Remaining 15 Controls | 19. Incident Response and Management |
| Remaining 15 Controls | 20. Penetration Tests and Red Team Exercises |
[1] http://www.cisecurity.org/critical-controls
[2] http://www.hhs.gov/sites/default/files/nist-csf-to-hipaa-security-rule-crosswalk-02-22-2016-final.pdf
[3] https://msisac.cisecurity.org/whitepaper/documents/1.pdf