nist NIST CSF: Translated into Plain English

[cwade12c]

I am actively using the NIST Cybersecurity Framework and 800 series special publications to define policies and establish security systems within my place of work. While I do recommend actually reading the 800 series, it is extremely dry. Here is a quick guide that "translates" the NIST policy families.

Source: https://www.praxiom.com/nist-cybersecurity-framework.htm

ID. Identify your context

Spoiler

ID.AM Identify all relevant assets.

• Identify the assets that enable you to achieve your business purposes.

• Manage your assets in a way that is consistent with their relative importance.

ID.AM-1 Identify your physical devices and systems.

• Inventory the devices that enable you to achieve your business purposes.

• Inventory the systems that enable you to achieve your business purposes.

ID.AM-2 Identify your software platforms and apps.

• Identify the software platforms that enable you to achieve your business purposes.

• Identify the software applications that enable you to achieve your business purposes.

ID.AM-3 Identify your communication and data flows.

• Identify the communications that enable you to achieve your business purposes.

• Identify the data flows that enable you to achieve your business purposes.

ID.AM-4 Identify your external information systems.

• Identify the external systems that enable you to achieve business purposes.

ID.AM-5 Identify your high priority security resources.

• Identify high priority security facilities that support your organization’s purpose.

• Identify high priority security hardware that supports your organization’s purpose.

• Identify high priority security software that supports your organization’s purpose.

• Identify high priority security devices that support your organization’s purpose.

• Identify high priority security data that support your organization’s purpose.

• Identify high priority security personnel that support your organization’s purpose.

ID.AM-6 Identify your security roles and responsibilities.

• Identify the cybersecurity jobs that enable you to achieve your business purposes.

• Establish the cybersecurity jobs that enable you to achieve business purposes.

• Manage the cybersecurity jobs that enable you to achieve business purposes.

ID.BE Identify business environment.

• Identify and understand your mission, objectives, activities, and stakeholders.

• Use your cybersecurity priorities to help define your approach to cybersecurity.

ID.BE-1 Clarify your organization’s role in overall supply chain.

• Identify your organization’s role in the supply chain.

• Understand your organization’s role in the supply chain.

ID.BE-2 Clarify how you fit into your infrastructure environment.

• Identify how your organization’s infrastructure fits into your area’s infrastructure.

• Understand the role that your infrastructure plays in your area’s infrastructure.

ID.BE-3 Clarify your organization’s general cybersecurity priorities.

• Communicate your organization’s infrastructure cybersecurity priorities.

ID.BE-4 Clarify your critical functions, services, and dependencies.

• Identify your organization’s critical functions, services, and dependencies.

• Communicate your organization’s critical functions, services, and dependencies.

ID.BE-5 Clarify your organization’s general resilience requirements.

• Identify your organization’s critical service delivery resilience requirements.

• Prioritize your organization’s critical service delivery resilience requirements.

• Communicate your organization’s critical service delivery resilience requirements.

ID.GV Identify governance framework.

• Identify and understand your organization’s approach to governance.

• Use your approach to governance to guide cybersecurity risk management.

ID.GV-1 Formulate your organization’s cybersecurity policy.

• Establish a cybersecurity policy for your organization.

• Communicate your organization’s cybersecurity policy.

ID.GV-2 Align your cybersecurity roles and responsibilities.

• Align internal cybersecurity roles and responsibilities with other functions.

• Coordinate internal cybersecurity roles and responsibilities with other functions.

ID.GV-3 Understand your legal and regulatory requirements.

• Understand your organization’s legal and regulatory cybersecurity requirements.

• Manage your organization’s legal and regulatory cybersecurity requirements.

ID.GV-4 Define processes to address your cybersecurity risks.

• Define a governance process to address your organization’s cybersecurity risks.

• Define a management process to address your organization’s cybersecurity risks.

ID.RA Identify threats and vulnerabilities.

• Identify and understand your organization’s cybersecurity risks.

ID.RA-1 Identify and document your asset vulnerabilities.

• Establish a corporate asset vulnerability assessment process.

• Assign asset vulnerability assessment roles and responsibilities.

• Evaluate how vulnerable your organization’s assets actually are.

• Identify and document your organization’s asset vulnerabilities.

ID.RA-2 Gather threat intelligence from external sources.

• Join information sharing forums that discuss cyber security risks and threats.

• Gather cyber threat intelligence from information sharing forums and sources.

• Generate and disseminate internal security alerts, advisories, and directives.

ID.RA-3 Define and document your cybersecurity threats.

• Identify and document your organization’s cybersecurity threats.

• Consider establishing an insider cybersecurity threat program.

ID.RA-4 Clarify potential business impacts and likelihoods.

• Consider potential security threats and identify potential business impacts.

• Assess the likelihood that infrastructure security incidents will actually occur.

ID.RA-5 Use threats and vulnerabilities to determine risk.

• Consider your organization’s security threats and vulnerabilities.

• Consider information about likelihoods and potential impacts.

ID.RA-6 Specify and prioritize treatments and responses.

• Specify your organization’s risk treatment options and responses.

• Prioritize your organization’s risk treatment options and responses.

ID.RM Identify risk management strategy.

• Establish your organization’s risk management strategy.

• Implement your organization’s risk management strategy.

ID.RM-1 Establish your risk management processes.

• Develop your organization’s risk management processes.

• Establish your organization’s risk management processes.

• Manage your organization’s risk management processes.

ID.RM-2 Determine your organization’s risk tolerances.

• Determine how much risk your organization is willing to take.

• Document your organization’s risk tolerance for each type of risk.

• Implement and apply risk tolerance levels for each type of risk.

ID.RM-3 Use your infrastructure’s role to guide decisions.

• Consider how your infrastructure fits into your region’s critical infrastructure.

• Consider how your infrastructure fits into your organization’s industrial sector.

ID.SC Identify strategy for supply chains.

• Use your risk management strategy to help manage your supply chains.

ID.SC-1 Develop supply chain risk management processes.

• Develop your organization’s cyber supply chain risk management processes.

• Establish your organization’s cyber supply chain risk management processes.

• Manage your organization’s cyber supply chain risk management processes.

ID.SC-2 Identify suppliers and assess your supply chain risks.

• Identify providers of information systems, services, and components.

• Prioritize providers of information systems, services, and components.

• Assess providers of information systems, services, and components.

ID.SC-3 Use security contracts to control supply chain risks.

• Establish cybersecurity contracts with suppliers and third-party partners.

• Use contracts to implement measures to control your cybersecurity risks.

ID.SC-4 Evaluate the performance of suppliers and partners.

• Confirm that your suppliers are meeting their contractual obligations.

• Confirm that third-party partners are meeting their contractual obligations.

ID.SC-5 Conduct response and recovery planning and testing.

• Carry out suitable incident response and recovery planning activities.

• Carry out suitable incident response and recovery testing activities.

 

PR. Protect your assets

Spoiler

PR.AC Protect assets by managing access.

• Limit access to your assets and facilities.

• Manage access to your assets and facilities.

PR.AC-1 Control identity of users, devices, and processes.

• Control identities and credentials for authorized users.

• Control identities and credentials for authorized devices.

• Control identities and credentials for authorized processes.

PR.AC-2 Control physical access to organization’s assets.

• Control physical access to your organization’s assets and associated facilities.

• Protect physical assets that contain either sensitive or critical information.

PR.AC-3 Control remote access to organization’s assets.

• Control remote access to your organization’s assets and associated facilities.

• Establish remote access control policies and procedures for your organization.

PR.AC-4 Control access permissions and authorizations.

• Control how access permissions and authorizations are managed.

• Incorporate "separation of duties" and "least privilege" principles.

PR.AC-5 Control access to networks by separating them.

• Protect and control the integrity of your organization's networks.

• Consider using network segregation to control network access and integrity.

• Consider using network segmentation to control network access and integrity.

PR.AC-6 Control how identities are proofed and asserted.

• Control the unique identities of your users, devices, and processes.

PR.AC-7 Control authentication commensurate with risk.

• Control authentication of users that have access to physical and logical assets.

• Control authentication of devices that have access to physical and logical assets.

• Control authentication of processes that have access to physical and logical assets.

PR.AT Protect assets by managing awareness.

• Provide cybersecurity awareness services to personnel and partners.

• Provide cybersecurity training services to personnel and partners.

PR.AT-1 Make users aware of their security duties.

• Provide cybersecurity awareness services to your organization’s users.

• Provide cybersecurity training services to your organization’s users.

PR.AT-2 Make privileged users aware of their duties.

• Provide cybersecurity awareness services to all privileged users.

• Provide cybersecurity training services to all privileged users.

PR.AT-3 Make your stakeholders aware of their duties.

• Make sure that third-party stakeholders understand their cybersecurity obligations.

PR.AT-4 Make senior executives aware of their duties.

• Make sure that your senior executives understand their cybersecurity functions.

PR.AT-5 Make security people aware of their duties.

• Make sure that physical security personnel understand their roles and responsibilities.

•Make sure that cybersecurity personnel understand their roles and responsibilities.

PR.DS Protect assets by managing data security.

• Protect the confidentiality, integrity, and availability of your organization’s data.

PR.DS-1 Protect and preserve data-at-rest.

• Protect the confidentiality, integrity, and availability of your data-at-rest.

PR.DS-2 Secure and preserve data-in-transit.

• Protect the confidentiality, integrity, and availability of your data-in-transit.

PR.DS-3 Manage asset transfers and disposals.

• Manage assets throughout transfer, removal, and disposition.

PR.DS-4 Ensure data is available when needed.

• Protect the availability of your data by maintaining adequate capacity.

PR.DS-5 Prevent data leaks, spills, and breaches.

• Protect the availability of data by preventing data leaks.

PR.DS-6 Verify the integrity of data and software.

• Use integrity checking mechanisms to verify the integrity of software.

• Use integrity checking mechanisms to verify the integrity of firmware.

• Use integrity checking mechanisms to verify the integrity of information.

PR.DS-7 Compartmentalize development activities.

• Keep development environments separate from production environments.

• Control access to development, testing, and production environments.

PR.DS-8 Check the integrity of all hardware systems.

• Establish hardware maintenance and repair policies and guidelines.

• Control and restrict access to hardware and integrity verification tools.

PR.IP Protect assets by managing information.

• Establish security policies to protect information systems and assets.

• Implement information security policies, processes, and procedures.

PR.IP-1 Adopt security principles and create baselines.

• Incorporate generally accepted security principles into your systems.

• Establish baseline configurations of industrial control systems and technologies.

PR.IP-2 Use life cycle models to manage your systems.

• Use System Development Life Cycle Models to manage your systems.

PR.IP-3 Create configuration change control processes.

• Establish configuration change control processes and procedures.

• Use these processes and procedures to control systemic change.

PR.IP-4 Conduct regular backups of your information.

• Establish a policy to control how backups are handled.

• Make regular backup copies in accordance with your policy.

• Maintain your organization’s backups in a secure location.

PR.IP-5 Control your physical operating environment.

• Comply with policies that affect your physical operating environment.

• Comply with regulations that affect your physical operating environment.

PR.IP-6 Develop an appropriate data destruction policy.

• Establish a policy to manage and control data destruction.

• Comply with your organization’s data destruction policy.

• Verify that all data has been destroyed before you reuse media.

PR.IP-7 Improve your information protection processes.

• Improve your organization's information protection processes.

PR.IP-8 Share information about protection technologies.

• Share information about the effectiveness of your protection technologies.

PR.IP-9 Establish incident response and recovery plans.

• Establish incident response and business continuity plan.

• Establish incident recovery and business restoration plan.

PR.IP-10 Evaluate incident response and recovery plans.

• Test your incident response and business continuity plans.

• Test your incident recovery and business restoration plans.

PR.IP-11 Build security into human resource practices.

• Build cybersecurity duties into personnel recruitment practices.

• Build cybersecurity duties into personnel management practices.

• Build cybersecurity duties into personnel termination practices.

PR.IP-12 Formulate vulnerability management plan.

• Develop a cybersecurity vulnerability management plan.

• Implement cybersecurity vulnerability management plan.

PR.MA Protect assets by managing maintenance.

• Maintain and repair your organization’s industrial control systems.

• Maintain and repair your organization’s information system components.

PR.MA-1 Control repair and maintenance of your assets.

• Control the maintenance and repair of your organizational assets.

• Control your repair and maintenance tools and technologies.

PR.MA-2 Control remote repair and maintenance activities.

• Establish remote maintenance and repair policies, plans, and procedures.

PR.PT Protect assets by managing technologies.

• Use technologies to protect the security and resilience of your systems and assets.

PR.PT-1 Establish audit logs to record user events and faults.

• Formulate a policy to control the use of audit logs and records.

• Establish controls to protect audit log information and facilities.

• Review your organization’s system of audit logs and records.

PR.PT-2 Protect removable media and restrict how it is used.

• Prevent the unauthorized and uncontrolled use of removable media.

PR.PT-3 Configure systems to provide only essential capabilities.

• Configure your systems so that only essential capabilities are provided.

PR.PT-4 Safeguard your communications and control networks.

• Protect your organization’s communications and control networks.

PR.PT-5 Implement measures to meet resilience requirements.

• Implement measures to meet resilience requirements in normal situations.

• Implement measures to meet resilience requirements in adverse situations.

 

DE. Detect your anomalies

Spoiler

DE.AE Detect anomalies by analyzing events.

• Use detection technologies to identify anomalies and events.

• Understand the impact that anomalies and events could have.

DE.AE-1 Establish baselines for network users and systems.

• Establish baselines of network operations and expected data flows.

• Manage baselines of network operations and expected data flows.

DE.AE-2 Analyze events to understand targets and methods.

• Allocate responsibility for analyzing malicious cybersecurity events.

DE.AE-3 Collect and correlate event data from many sources.

• Allocate responsibility for collecting and correlating event data.

DE.AE-4 Determine the impact malicious events could have.

• Allocate responsibility for determining the impact malicious events could have.

DE.AE-5 Configure cybersecurity incident alert thresholds.

• Establish incident alert thresholds for all relevant sources and sensors.

DE.CM Detect anomalies by monitoring systems.

• Establish ways of monitoring your assets and information systems.

• Continuously monitor your organization’s assets and information systems.

DE.CM-1 Detect events and anomalies by monitoring networks.

• Establish your organization’s network monitoring strategy and program.

• Implement your organization’s network monitoring strategy and program.

DE.CM-2 Detect events and anomalies by monitoring environment.

• Detect cybersecurity events and anomalies by monitoring your physical environment.

DE.CM-3 Detect events and anomalies by monitoring all personnel.

• Detect internal cybersecurity events by monitoring personnel activity.

• Detect external cybersecurity events by monitoring personnel activity.

DE.CM-4 Detect and contain malicious code by monitoring systems.

• Detect malicious code by continuously monitoring your information systems and assets.

• Update malicious code protection software when new releases and updates are available.

DE.CM-5 Detect unauthorized mobile code by monitoring activities.

• Define acceptable and unacceptable mobile code and related technologies.

• Detect unauthorized mobile code by continuously monitoring your systems.

DE.CM-6 Detect cybersecurity events by monitoring your suppliers.

• Develop a continuous monitoring strategy and program for external service providers.

• Establish cybersecurity responsibilities and requirements for external service providers.

• Detect potential cybersecurity events by monitoring external service provider activity.

DE.CM-7 Detect unauthorized devices, software, and connections.

• Develop a continuous monitoring strategy and program to detect unauthorized activity.

• Detect potential cybersecurity events and anomalies by monitoring internal activity.

DE.CM-8 Detect weaknesses by performing vulnerability scans.

• Develop a continuous monitoring strategy and programs to detect vulnerabilities.

• Detect cybersecurity vulnerabilities and weaknesses by monitoring your systems.

DE.DP Detect anomalies by maintaining processes.

• Establish anomalous event detection and awareness processes.

• Maintain anomalous event detection and awareness processes.

DE.DP-1 Define clear detection roles and responsibilities.

• Establish accountability for detecting anomalous cybersecurity events.

DE.DP-2 Establish detection activities that meet requirements.

• Establish anomalous event detection activities that comply with requirements.

DE.DP-3 Test your anomaly detection processes and procedures.

• Establish and maintain processes to detect anomalies and events.

• Establish and maintain procedures to detect anomalous events.

DE.DP-4 Communicate anomalous event detection information.

• Communicate information about your anomaly detection activities and events.

DE.DP-5 Improve your detection processes and procedures.

• Evaluate your organization’s anomaly detection processes and procedures.

• Use what you learn to improve anomaly detection methods and activities.

 

RS. Respond to incidents

Spoiler

RS.RP Respond to incidents by controlling steps.

• Establish your organization’s incident response processes and procedures.

• Establish your organization’s business continuity processes and procedures.

RS.RP-1 Execute your organization’s incident response plans.

• Execute your organization’s response plans while incidents are happening.

• Execute your organization’s continuity plans after incidents have occurred.

RS.CO Respond to incidents by coordinating action.

• Respond to incidents by communicating with your stakeholders.

RS.CO-1 Confirm that incident responders know their roles.

• Confirm that responders know what to do when a timely response is needed.

RS.CO-2 Report incidents in accordance with reporting criteria.

• Establish criteria to control how cybersecurity incidents are reported.

• Follow established criteria when you report cybersecurity incidents.

RS.CO-3 Comply with response plans when sharing information.

• Follow established incident response plans when sharing information internally.

• Follow established incident response plans when sharing information externally.

RS.CO-4 Coordinate all response activities with your stakeholders.

• Follow incident response plans when coordinating response with internal stakeholders.

• Follow incident response plans when coordinating response with external stakeholders.

RS.CO-5 Raise awareness by sharing information with stakeholders.

• Raise cybersecurity awareness by voluntarily sharing information about incidents.

RS.AN Respond to incidents by analyzing the situation.

• Assign responsibility for analyzing cybersecurity events and incidents.

• Analyze the cybersecurity events and incidents that are being detected.

• Use your analytical results to facilitate incident management activities.

RS.AN-1 Investigate notifications received from detection systems.

• Assign responsibility for investigating notifications received from all detection systems.

• Investigate and analyze incidents and events that have an impact on your organization.

RS.AN-2 Review and understand the impact of cybersecurity incidents.

• Assign responsibility for reviewing the impact that cybersecurity incidents could have.

• Review and understand the potential impact that cybersecurity incidents could have.

RS.AN-3 Examine cybersecurity incidents and gather forensic evidence.

• Assign responsibility for examining incidents and gathering related forensic evidence.

• Examine cybersecurity incidents and events and carry out forensic investigations.

RS.AN-4 Classify cybersecurity incidents consistent with response plan.

• Assign responsibility for using incident response plans to categorize incidents.

• Create a scheme for recognizing, differentiating, and categorizing your incidents.

• Use categorization scheme and incident response plans to classify your incidents.

RS.AN-5 Set up processes to handle information about vulnerabilities.

• Assign responsibility for managing information about cybersecurity vulnerabilities.

• Establish processes to manage information about cybersecurity vulnerabilities.

RS.MI Respond to incidents by mitigating the damage.

• Assign responsibility for containing, mitigating, and resolving cybersecurity incidents.

• Prevent the expansion of cybersecurity events and contain cybersecurity incidents.

• Mitigate the harm cybersecurity events cause and resolve cybersecurity incidents.

RS.MI-1 Carry out activities to contain your cybersecurity incidents.

• Assign responsibility for containing the harm that cybersecurity incidents can cause.

• Carry out activities to contain cybersecurity incidents and limit the harm they cause.

RS.MI-2 Mitigate the damage that cybersecurity incidents can cause.

• Assign responsibility for mitigating the damage that incidents can cause.

• Carry out activities to mitigate incidents and limit the damage they cause.

RS.MI-3 Assess new vulnerabilities and decide how to handle them.

• Assign responsibility for investigating and mitigating new vulnerabilities.

• Take steps to investigate new vulnerabilities and mitigate your security risk.

RS.IM Respond to incidents by making improvements.

• Respond to cybersecurity incidents by improving response activities.

• Respond to cybersecurity incidents by improving business continuity activities.

RS.IM-1 Use lessons to improve response and continuity plans.

• Use lessons learned to improve your organization’s incident response plans.

• Use lessons learned to improve your organization’s business continuity plans.

RS.IM-2 Use lessons to update response and continuity strategies.

• Use lessons learned to improve your organization’s incident response strategies.

• Use lessons learned to improve your organization’s business continuity strategies.

 

RC. Recover from incidents

Spoiler

RC.RP Recover from incidents by controlling steps.

• Establish your organization’s incident recovery processes and procedures.

• Establish your organization’s business restoration processes and procedures.

RC.RP-1 Execute recovery plans whenever incidents occur.

• Execute your organization’s recovery plan while incidents are happening.

• Execute your organization’s restoration plan after incidents have occurred.

RC.IM Recover from incidents by making improvements.

• Recover from cybersecurity incidents by improving recovery activities.

• Recover from cybersecurity incidents by improving restoration activities.

RC.IM-1 Use lessons to improve recovery and restoration plans.

• Use lessons learned to improve your organization’s incident recovery plans.

• Use lessons learned to improve your organization’s business restoration plans.

RC.IM-2 Use lessons to update recovery and restoration strategies.

• Use lessons learned to improve your organization’s incident recovery strategies.

• Use lessons learned to improve your organization’s business restoration strategies.

RC.CO Recover from incidents by coordinating activities.

• Coordinate your organization’s recovery activities with interested parties.

• Coordinate your organization’s restoration activities with interested parties.

RC.CO-1 Manage public relations and communicate externally.

• Assign responsibility for managing your organization’s cybersecurity public relations.

• Manage and control your organization’s cybersecurity public relations program.

RC.CO-2 Repair your organization’s reputation after incidents.

• Repair your organization’s reputation after incidents have occurred.

RC.CO-3 Share information about your recovery activities.

• Share information about recovery activities with your stakeholders.

 

Edited August 24, 2021 by cwade12c

[WarFox]

We covered some of this in my Secure Software Engineering class. Lots of great info and lots of great tools out there. NIST is pretty awesome. SEI is also pretty amazing for looking up things dealing with code. For those unfamiliar, SEI has documentation for each language on common unsecure code snippets, why it is unsecure and better ways to write the code while achieving the same result.

 

SEI for C as an example: https://wiki.sei.cmu.edu/confluence/display/c

[cwade12c]

Thanks, I will definitely check that out! Securing coding is so important, and I am surprised it is not emphasized more frequently or highlighted along the way when teaching new programmers the building blocks. (At least from what I've seen, anyways). That SEI reference looks great.

[WarFox]

They also cover a lot of industry standard languages. I just pulled the C one because it’s the easiest to find, but they cover Java and a bunch of others commonly seen on job postings.

[killab]

Examples of IT security frameworks

COBIT

Control Objectives for Information and Related Technology (COBIT) is a framework developed in the mid-90s by ISACA, an independent organization of IT governance professionals. ISACA currently offers the well-known Certified Information Systems Auditor (CISA) and Certified Information Security Manager (CISM) certifications. This framework started out primarily focused on reducing technical risks in organizations, but has evolved recently with COBIT 5 to also include alignment of IT with business-strategic goals. It is the most commonly used framework to achieve compliance with Sarbanes-Oxley rules.

ISO 27000 series

The ISO 27000 series was developed by the International Standards Organization. It provides a very broad information security framework that can be applied to all types and sizes of organizations. It can be thought of as the information security equivalent of ISO 9000 quality standards for manufacturing, and even includes a similar certification process. It is broken up into different substandards based on the content. For example, ISO 27000 consists of an overview and vocabulary, while ISO 27001 defines the requirements for the program. ISO 27002, which was evolved from the British standard BS 7799, defines the operational steps necessary in an information security program.

Many more standards and best practices are documented in the ISO 27000 series. ISO 27799, for example, defines information security in healthcare, which could be useful for those companies requiring HIPAA compliance. New ISO 27000 standards are in the works to offer specific advice on cloud computing, storage security and digital evidence collection. ISO 27000 is broad and can be used for any industry, but the certification lends itself to cloud providers looking to demonstrate an active security program.

NIST Special Publication 800-53

The U.S. National Institute of Standards and Technology (NIST) has been building an extensive collection of information security standards and best practices documentation. The NIST Special Publication 800 series was first published in 1990 and has grown to provide advice on just about every aspect of information security. Although not specifically an information security framework, other frameworks have evolved from the NIST SP 800-53 model. U.S. government agencies utilize NIST SP 800-53 to comply with the Federal Information Processing Standards' (FIPS) 200 requirements. Even though it is specific to government agencies, the NIST framework could be applied in any other industry and should not be overlooked by companies looking to build an information security program.

NIST Special Publication 800-171

NIST SP 800-171 has gained in popularity in recent years due to the requirements set by the U.S. Department of Defense that mandated contractor compliance with the security framework by December 2017. Cyberattacks are occurring throughout the supply chain, and government contractors will find their systems and intellectual property a frequent target used to gain access into federal information systems. For the first time, manufacturers and their subcontractors now have to implement an IT security framework in order to bid on new business opportunities.

NIST SP 800-171 was a good choice for this requirement as the framework applies to smaller organizations as well. It is focused on the protection of Controlled Unclassified Information (CUI) resident in nonfederal systems and organizations, which aligns well with manufacturing or other industries not dealing with information systems or bound by other types of compliance. It may not be a good fit by itself for industries dealing with more sensitive information such as credit cards or Social Security data, but it is freely available and allows for the organization to self-certify using readily available documentation from NIST.

The controls included in the NIST SP 800-171 framework are directly related to NIST SP 800-53, but they are less detailed and more generalized. It is still possible to build a crosswalk between the two standards if an organization has to show compliance with NIST SP 800-53 using NIST SP 800-171 as the base. This allows a level of flexibility for smaller organizations that may grow over time as they need to show compliance with the additional controls included in NIST SP 800-53.  

NIST Cybersecurity Framework for Improving Critical Infrastructure Cybersecurity

The NIST Cybersecurity Framework for Improving Critical Infrastructure Cybersecurity is yet another framework option from NIST. It was recently developed under Executive Order (EO) 13636, "Improving Critical Infrastructure Cybersecurity" that was released in February 2013. This standard is different in that it was specifically developed to address U.S. critical infrastructure, including energy production, water supplies, food supplies, communications, healthcare delivery and transportation. These industries have all found themselves targeted by nation-state actors due to their strategic importance to the U.S. and must maintain a higher level of preparedness.

The NIST Cybersecurity Framework differs from the other NIST frameworks in that it focuses on risk analysis and risk management. The security controls included in this framework are based on the defined phases of risk management: identify, protect, detect, respond and recovery. These phases include the involvement of management, which is key to the success of any information security program. This structured process allows the NIST Cybersecurity Framework to be useful to a wider set of organizations with varying types of security requirements.

CIS Controls (formerly the SANS Top 20)

The CIS Controls exist on the opposite spectrum from the NIST Cybersecurity Framework. This framework is a long listing of technical controls and best practice configurations that can be applied to any environment. It does not address risk analysis or risk management like the NIST Cybersecurity Framework, and is solely focused on hardening technical infrastructure to reduce risk and increase resiliency.

The CIS Controls are a welcome addition to the growing list of security frameworks because they provide direct operational advice. Information security frameworks can sometimes get caught up on the risk analysis treadmill but don't reduce overall organizational risk. The CIS Controls pair well with these existing risk management frameworks to help remediate identified risks. They are also a highly useful resource in IT departments that lack technical information security experience.

HITRUST CSF

It is well known that the HITECH/HIPAA Security Rule has not been successful in preventing data breaches in healthcare. The original HIPAA compliance requirements were written in 1996 and set to apply to a broad set of technologies and organizations. More than 230 million people in the U.S. have had their data breached by a healthcare organization, according to the Department of Health and Human Services. The overly general requirements included HIPAA and the lack of operational direction as partly to blame for this situation. HITRUST CSF is attempting to pick up where HIPAA left off and improve security for healthcare providers and technology vendors. It combines requirements from almost every compliance regulation in existence, including the EU's GDPR. It includes both risk analysis and risk management frameworks, along with operational requirements to create a massive homogenous framework that could apply to almost any organization and not just those in healthcare.

    The only bad choice among these frameworks is not choosing any of them.

HITRUST is a massive undertaking for any organization due to the heavy weighting given to documentation and processes. Many organizations end up scoping smaller areas of focus for HITRUST compliance as a result. The costs of obtaining and maintaining HITRUST certification adds to the level of effort required to adopt this framework as well. However, the fact that the certification is audited by a third party adds a level of validity similar to an ISO 27000 certification. Organizations that require this level of validation may be interested in the HITRUST CSF.

The beauty of any of these frameworks is that there is overlap between them so "crosswalks" can be built to show compliance with different regulatory standards. For example, ISO 27002 defines information security policy in section 5; COBIT defines it in the section "Plan and Organize;" Sarbanes-Oxley defines it as "Internal Environment;" HIPAA defines it as "Assigned Security Responsibility;" and PCI DSS defines it as "Maintain an Information Security Policy." By using a common framework like ISO 27000, a company can then use this crosswalk process to show compliance with multiple regulations such as HIPAA, Sarbanes-Oxley, PCI DSS and GLBA, to name a few.
IT security framework advice

The choice to use a particular IT security framework can be driven by multiple factors. The type of industry or compliance requirements could be deciding factors. Publicly traded companies will probably want to stick with COBIT in order to more readily comply with Sarbanes-Oxley. The ISO 27000 series is the magnum opus of information security frameworks with applicability in any industry, although the implementation process is long and involved. It is best used, however, where the company needs to market information security capabilities through the ISO 27000 certification. NIST SP 800-53 is the standard required by U.S. federal agencies but could also be used by any company to build a technology-specific information security plan. The HITRUST CSF integrates well with healthcare software or hardware vendors looking to provide validation of the security of their products. Any of them will help a security professional organize and manage an information security program. The only bad choice among these frameworks is not choosing any of them.

 

Source