
Finally, on February 12, 2014, NIST issued the Framework for Improving Critical Infrastructure Cybersecurity.2 The Department of Homeland Security (DHS) currently considers 16 sectors to be critical infrastructure sectors, encompassing information technology, financial services, energy, communications, manufacturing, and many other central services.3 However, NIST hopes that the Framework will be helpful to all organizations and anticipates that its application will extend beyond critical infrastructure.

      In developing the Framework, NIST wanted to ensure maximum flexibility of application. The final document is industry- and technology-neutral. It encompasses hundreds of standards. It is also international in scope.

      FRAMEWORK BASED ON RISK MANAGEMENT

      The Framework consists of three parts: the Framework Core, the Framework Implementation Tiers, and the Framework Profile. The purpose of these three parts is to provide a “common language” that all organizations can use to understand, manage, and communicate their cybersecurity initiatives, both internally and externally, and that can scale down or up to various parts of an organization as needed.

      THE FRAMEWORK CORE

      The Framework Core is a set of activities aimed at organizing cybersecurity initiatives to achieve specific outcomes. The Core has five functions: Identify, Protect, Detect, Respond, and Recover (Figure 0.1).

      Figure 0.2 NIST CATEGORIES, SUBCATEGORIES, AND INFORMATIVE REFERENCES.

      Figure 0.3 NIST FUNCTIONS AND CATEGORIES.

      FRAMEWORK IMPLEMENTATION TIERS

      The Framework Implementation Tiers consist of four levels of “how an organization views cybersecurity risk and the processes in place to manage that risk.” Although the levels are progressive in terms of rigor and sophistication from Tier 1 (Partial) to Tier 4 (Adaptive), they are not “maturity” levels in terms of cybersecurity approaches. NIST based successful implementation on the outcomes described in the organization’s Target Profiles (see the next section) rather than a progression from Tier 1 to Tier 4.

       Tier 1: Partial – Risk is managed in an ad hoc and sometimes reactive manner. There is limited awareness of cybersecurity risk at the organizational level with no organization-wide approach to cybersecurity. The organization may not have the processes in place to participate in coordination or collaboration with other entities.

       Tier 2: Risk-Informed – Management approves risk management practices, but they may not be established as organization-wide policy. There is awareness of cybersecurity risk at the organization level, but an organization-wide approach has not been established. The organization understands the broader ecosystem but has not formalized its participation in it.

       Tier 3: Repeatable – The organization’s risk management practices are approved and formally adopted as policy. There is an organization-wide approach to risk management. The organization collaborates with and receives information from partners in the wider ecosystem.

       Tier 4: Adaptive – The organization adapts its cybersecurity practices from lessons learned. Cybersecurity risk management uses risk-informed policies, procedures, and processes and is part of the organizational culture. The organization actively shares information with partners.

      Figure 0.4 NIST IMPLEMENTATION TIERS.

      FRAMEWORK PROFILE

      The Framework Profile is a blueprint or map that considers the Framework’s functions, categories, and subcategories for a specific purpose tailored to the organization’s needs. Organizations should develop profiles for current or desired cybersecurity objectives, and some organizations can create multiple profiles for different segments or aspects of the organization.

      Figure 0.5 NIST FRAMEWORK RISK MANAGEMENT CYCLE.
