NIST Cybersecurity Framework

National Institute of Standards and Technology (NIST) Cybersecurity Framework is positioned as a framework for “Improving Critical Infrastructure Cybersecurity.”  As stated in this framework, the national and economic security of the United States depends on the reliable functioning of critical infrastructure.  President Obama, issued an Executive Order on February 12, 2013 to strengthen the resilience of this Infrastructure^.  For further details, refers to this EO[1]. 

This focus of this framework is to use business drivers to guide cybersecurity activities and to consider cybersecurity risks as part of an Organization risk management processes.  This framework is technological neutral and leverages global standards, guidelines, and practices such that critical infrastructure providers can achieve the desired resilience.  This framework provides a common taxonomy and mechanism for organizations to:

• Describe their current cybersecurity posture;
• Describe their target state for cybersecurity;
• Identify and prioritize opportunities for improvement within the context of a continuous and repeatable process;
• Assess progress toward the target state;
• Communicate among internal and external stakeholders about cybersecurity risk.

This framework complements the organization’s existing risk management processes and cybersecurity program.  It provides the “how” response to achieve resilience against cybersecurity risks by an organization.  The framework addresses the practices for managing risk by identifying, protecting, detecting, responding and recovering from security vulnerabilities. For further details on the Framework Core, refer to NIST Cybersecurity Framework[2]. 

 

[1]http://www.gpo.gov/fdsys/pkg/FR-2013-02-19/pdf/2013-03915.pdf

 

[2]https://www.nist.gov/sites/default/files/documents/cyberframework/cybersecurity-framework-021214.pdf

 

 

Cybersecurity Capability Maturity Model (C2M2)

The Department of Energy (DOE) in partnership with the Department of Homeland Security (DHS) developed the Cybersecurity Capability Maturity Model (C2M2) from the Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2)[1]

Version 1.0 by removing sector-specific references and terminology.  To cover the energy sector, there is a model created for Oli & Natural Gas sector as well called as (ONG-C2M2)[2].  These models were developed in support of a White House initiative on addressing cyber threats. 

The C2M2 focuses on the management and implementation of the cybersecurity practices associated with the information technology (IT) and operations technology (OT) assets and the environments in which they operate.  The C2M2 provides descriptive rather than prescriptive guidance. This model can be used to:

• Strengthen organizations’ cybersecurity capabilities
• Enable organizations to effectively and consistently evaluate and benchmark cybersecurity capabilities
• Share knowledge, best practices, and relevant references across organizations as a means to improve cybersecurity capabilities
• Enable organizations to prioritize actions and investments to improve cybersecurity

For an organization to measure and improve its cybersecurity program, C2M2 included a toolkit[3]for self-evaluation. It includes a maturity model for evaluating current level of practices, processes and methods. There are 16 United States critical infrastructure sectors defined in Presidential Policy Directive 21, called as “Critical Infrastructure Security and Resilience.”  These are found in the sector-specific infrastructure plans[4].  The organizations that support nation’s critical infrastructure should reference these objectives for their cybersecurity objectives. For organizations that does not support nation’s critical infrastructure, these objectives can be interpreted for industry objectives, community objectives, or any other objectives that transform business or operational objectives. 

The C2M2 model uses the phrase “commensurate with risk to critical infrastructure and organizational objectives.”  This phrase reminds the organization to tailor its implementation of the model content to address its unique risk profile. Organizations have used C2M2 to evaluate a specific system or technology, such as, email, Internet connectivity, and Voice over Internet Protocol (VoIP) telecommunication, across ten domains.  The following table lists the ten domains addressed by C2M2.

C2M2 Domain
Risk Management
Asset, Change, Configuration Management
Identity and Access Management
Threat and Vulnerability Management
Situational Awareness
Information Sharing and Communications
Event and Incident Response, Continuity of Operations
Supply Chain and External Dependencies
Workforce Management
Cybersecurity Program Management

For further details of this model, refer to U.S. Department of Energy Cybersecurity Capability Maturity Model[5]. 

 

[1]http://energy.gov/oe/downloads/electricity-subsector-cybersecurity-capability-maturity-model-v-11-february-2014

 

[2]http://energy.gov/oe/downloads/oil-and-natural-gas-subsector-cybersecurity-capability-maturity-model-february-2014

 

[3]The C2M2 Toolkit may be obtained by sending a request to C2M2@doe.gov 

 

[4]http://www.dhs.gov/sector-specific-plans

 

[5]http://energy.gov/sites/prod/files/2014/03/f13/C2M2-v1-1_cor.pdf

 

 

Information Security Management System

Information Security Management System consists of policies and procedures for managing an organization’s information risk management processes. It includes all legal, physical, and technical controls involved.  The table below provides the list of ISO 2700x series of standards and guidelines:

ISMS	Description
ISO 27001	Provides a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an information security management system
ISO 27002	Describes a comprehensive set of information security control objectives and a set of generally accepted good practice security controls
ISO 27003	Implementation guidance
ISO 27004	An information security management measurement standard suggesting metrics to help improve the effectiveness of an ISMS
ISO 27005	An information security risk standard
ISO 27006	A guide to the certification or registration process for accredited ISMS certification or registration bodies
ISO 27007	ISMS auditing guideline

Refer to additional information available on ISMS[1]and ISO[2]standards.  

 

[1]https://en.wikipedia.org/wiki/Information_security_management_system

 

[2]www.iso.org