Reference Industry Security Frameworks

There are many industry frameworks addressing security controls and practices at the operational and technology level. We didn’t cover these frameworks in details in the book as there are plenty of details available in the public domain. Check out the summary and links below.

 

 


NIST Cybersecurity Framework

National Institute of Standards and Technology (NIST) Cybersecurity Framework is positioned as a framework for “Improving Critical Infrastructure Cybersecurity.”  As stated in this framework, the national and economic security of the United States depends on the reliable functioning of critical infrastructure.  President Obama, issued an Executive Order on February 12, 2013 to strengthen the resilience of this InfrastructureFor further details, refers to this EO[1]

This focus of this framework is to use business drivers to guide cybersecurity activities and to consider cybersecurity risks as part of an Organization risk management processes.  This framework is technological neutral and leverages global standards, guidelines, and practices such that critical infrastructure providers can achieve the desired resilience.  This framework provides a common taxonomy and mechanism for organizations to:

  • Describe their current cybersecurity posture;
  • Describe their target state for cybersecurity;
  • Identify and prioritize opportunities for improvement within the context of a continuous and repeatable process;
  • Assess progress toward the target state;
  • Communicate among internal and external stakeholders about cybersecurity risk.

This framework complements the organization’s existing risk management processes and cybersecurity program.  It provides the “how” response to achieve resilience against cybersecurity risks by an organization.  The framework addresses the practices for managing risk by identifying, protecting, detecting, responding and recovering from security vulnerabilities. For further details on the Framework Core, refer to NIST Cybersecurity Framework[2]

 

[1]http://www.gpo.gov/fdsys/pkg/FR-2013-02-19/pdf/2013-03915.pdf

 

[2]https://www.nist.gov/sites/default/files/documents/cyberframework/cybersecurity-framework-021214.pdf

 

 

 

 


Cybersecurity Capability Maturity Model (C2M2)

The Department of Energy (DOE) in partnership with the Department of Homeland Security (DHS) developed the Cybersecurity Capability Maturity Model (C2M2) from the Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2)[1]

Version 1.0 by removing sector-specific references and terminology.  To cover the energy sector, there is a model created for Oli & Natural Gas sector as well called as (ONG-C2M2)[2].  These models were developed in support of a White House initiative on addressing cyber threats. 

The C2M2 focuses on the management and implementation of the cybersecurity practices associated with the information technology (IT) and operations technology (OT) assets and the environments in which they operate.  The C2M2 provides descriptive rather than prescriptive guidance. This model can be used to:

  • Strengthen organizations’ cybersecurity capabilities
  • Enable organizations to effectively and consistently evaluate and benchmark cybersecurity capabilities
  • Share knowledge, best practices, and relevant references across organizations as a means to improve cybersecurity capabilities
  • Enable organizations to prioritize actions and investments to improve cybersecurity

For an organization to measure and improve its cybersecurity program, C2M2 included a toolkit[3]for self-evaluation. It includes a maturity model for evaluating current level of practices, processes and methods. There are 16 United States critical infrastructure sectors defined in Presidential Policy Directive 21, called as “Critical Infrastructure Security and Resilience.”  These are found in the sector-specific infrastructure plans[4].  The organizations that support nation’s critical infrastructure should reference these objectives for their cybersecurity objectives. For organizations that does not support nation’s critical infrastructure, these objectives can be interpreted for industry objectives, community objectives, or any other objectives that transform business or operational objectives. 

The C2M2 model uses the phrase “commensurate with risk to critical infrastructure and organizational objectives.”  This phrase reminds the organization to tailor its implementation of the model content to address its unique risk profile. Organizations have used C2M2 to evaluate a specific system or technology, such as, email, Internet connectivity, and Voice over Internet Protocol (VoIP) telecommunication, across ten domains.  The following table lists the ten domains addressed by C2M2.

C2M2 Domain

Risk Management

Asset, Change, Configuration Management

Identity and Access Management

Threat and Vulnerability Management

Situational Awareness

Information Sharing and Communications

Event and Incident Response, Continuity of Operations

Supply Chain and External Dependencies

Workforce Management

Cybersecurity Program Management

For further details of this model, refer to U.S. Department of Energy Cybersecurity Capability Maturity Model[5]

 

[1]http://energy.gov/oe/downloads/electricity-subsector-cybersecurity-capability-maturity-model-v-11-february-2014

 

[2]http://energy.gov/oe/downloads/oil-and-natural-gas-subsector-cybersecurity-capability-maturity-model-february-2014

 

[3]The C2M2 Toolkit may be obtained by sending a request to C2M2@doe.gov 

 

[4]http://www.dhs.gov/sector-specific-plans

 

[5]http://energy.gov/sites/prod/files/2014/03/f13/C2M2-v1-1_cor.pdf

 

 

 

 


Information Security Management System

Information Security Management System consists of policies and procedures for managing an organization’s information risk management processes. It includes all legal, physical, and technical controls involved.  The table below provides the list of ISO 2700x series of standards and guidelines:

ISMS

Description

ISO 27001

Provides a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an information security management system

ISO 27002

Describes a comprehensive set of information security control objectives and a set of generally accepted good practice security controls

ISO 27003

Implementation guidance

ISO 27004

An information security management measurement standard suggesting metrics to help improve the effectiveness of an ISMS

ISO 27005

An information security risk standard

ISO 27006

A guide to the certification or registration process for accredited ISMS certification or registration bodies

ISO 27007

ISMS auditing guideline

Refer to additional information available on ISMS[1]and ISO[2]standards.  

 

[1]https://en.wikipedia.org/wiki/Information_security_management_system

 

[2]www.iso.org

 

 


Center for Internet Security (CIS)

CIS is a non-profit organization with the purpose to enhance the cybersecurity readiness and response.  Center for Internet Security has defined 20 cybersecurity controls[1] using the Pareto 80/20 principle. These controls are provided in the priority list and Center for Internet Security claims that organizations can reduce their risk of cyber attacks by 85% adopting first 5 controls and by 94% by adopting all 20 controls.  

A crosswalk[2] document, produced by the Department of Homeland Security, maps NIST cybersecurity framework with HIPAA Security Rule, and in turn maps to Center for Internet Security 20 controls.

The Verizon 2015 Data Breach Investigation Report (DBIR)[3] analyzed 63,000 confirmed attacks on various industries. These threats are organized into attack patterns which are mapped to the Center of Internet Security 20 controls.

The table below provides the list of these 20 controls:

CIS Control
Top 5 Controls
1.    Inventory of Authorized and Unauthorized Devices
2.    Inventory of Authorized and Unauthorized Software
3.    Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
4.    Continuous Vulnerability Assessment and Remediation
5.    Controlled Use of Administrative Privileges
Remaining 15 Controls
6.    Maintenance, Monitoring, and Analysis of Audit Logs
7.    Email and Web Browser Protection
8.    Malware Defenses
9.    Limitation and Control of Network Ports, Protocols, and Services
10.  Data Recovery Capability
11.  Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
12.  Boundary Defense
13.  Data Protection
14.  Controlled Access Based on the Need to Know
15.  Wireless Access Control
16.  Account Monitoring and Control
17.  Security Skills Assessment and Appropriate Training to Fill Gaps
18.  Application Software Security
19.  Incident Response and Management
20.  Penetration Tests and Red Team Exercises

[1] http://www.cisecurity.org/critical-controls

[2] http://www.hhs.gov/sites/default/files/nist-csf-to-hipaa-security-rule-crosswalk-02-22-2016-final.pdf

[3] https://msisac.cisecurity.org/whitepaper/documents/1.pdf