Program Management

Designing & Building a Cybersecurity Program
Based on the NIST Cybersecurity Framework (CSF)
Larry Wilson
Lesson 2
June, 2015 1
Lesson 2: Controls Factory Components
Part 1: The Controls Factory
Part 2: The Threat Office Deliverables
Part 3: The Controls Office Deliverables
Part 4: The Technology Center Deliverables
Part 5: The Operations Center Deliverables
Part 6: The Testing Center Deliverables
Part 7: The Program Office Deliverables
Part 8: The GRC Office Deliverables
2
Part 1: The Controls Factory Components
3
The Factory Components
The Current Profile

The Target Profile
(Before the Factory)
(After the Factory)
Design Area Build & Run Area Management Area
Threats, Cybersecurity
Controls Technology Threat Organizational
Vulnerabilities, Operations The WISP
Definition Architecture Modeling Model
IOCs Center
Input Output
Security Controls & Program
Threat Controls Technology Assurance &
Administration Technology Deliverables
Intelligence Framework Design Audit
Center Testing Managed
Unmanaged
Assets Assets
Resilience, Operations &

The Cyber Controls Technology Program Compliance
Response, Incident
Attack Chain Standards Build & Run Roadmap Initiatives
Forensics Testing
F1 F2 F3 F4 F5 F6 F7
Threat Control Technology Operations Testing Program GRC

Office Office Center Center Center Office Office
4
Part 2: The Threat Office Deliverables
5
Cyber Threats
6
Cyber Threats
7
Software Vulnerabilities
Secunia Presentation
8
9
10
Indicators of Compromise (IOCs)
RSA Security Presentation
11
Indicators of Compromise (IOCs)
RSA Security Presentation
(Cyber Observable eXpression)

(Incident Object Description Exchange Format)
12
Threat Intelligence – Industry Sector
13
Threat Intelligence – Cross Sector
14
The Cyber Attack Chain
Pre-exploit Exploit Data exfiltration

(Before the Attack) (During the Attack) (After the Attack)
Delivery of Exploitation Malware Malware Execution and malicious Establish communication Data
weaponized content of app vulnerability delivery persistency access to content channels exfiltration
00111
00101
11010
00010
11110
00110
00110
01101
Endless Endless Endless
Many Many
Weaponized Malicious Destinations
content Unpatched files Malicious (C&C traffic
(IPS, sandbox) and zero-day (antivirus, behavior detection)
vulnerabilities (patching) whitelisting) activities
(HIPs)
Vulnerability
No. of Types
Credential Strategic File

assessment Strategic Strategic
protection Chokepoint inspection
& reporting Chokepoint Chokepoint
Ways to infect: Java Ways to communicate

deliver  persist execution out
Attack Progression
15
Stages of the Attack Chain
Understanding the cyber attack kill chain STAGE 01: RECON
 Advanced threats occur in “kill chains” of up to seven  In the RECON stage, cybercriminals research their
stages. intended victims using personal, professional and social
media websites.
 Not all threats need to use every stage, giving
cybercriminals hundreds or even thousands of ways  They’re looking for information to help them create
to create and execute data-stealing attacks. seemingly trustworthy “lures” that contain links to
compromised websites under their control.
 The term “kill chain” refers to the ability to stop an
attack at any of these discrete stages — if the right  Some lures use recent disasters, social drama or
defenses are deployed. celebrity deaths to draw on human curiosity.
STAGE 02: LURE STAGE 03: REDIRECT
 Using information collected in the RECON stage,

cybercriminals create innocuous-looking “lures” that  In their lures, cybercriminals may use links that point
can fool users into clicking links to compromised users to safe-looking or hidden web pages that then
websites. “redirect” users to sites containing exploit kits, exploit
code, obfuscated scripts or other malicious content.
 The lures are dangled via email, social media posts or
other content that appear to come from trustworthy
sources.
16
Stages of the Attack Chain
STAGE 04: EXPLOIT KIT STAGE 05: DROPPER FILE
 Once a user has clicked on a link to a compromised  Once the exploit kit has found a path for delivering malware, the
website, software known as an exploit kit scans the cybercriminal delivers a “dropper file,” typically from another
victim’s system to find open vulnerabilities or zero day compromised server, to infect the victim’s system.
threats.  The dropper file may contain software that executes on the
victim’s system to begin the process of finding and extracting
 These weaknesses can become open doors for valuable data.
delivering malware, key loggers or other advanced
tools that enable cybercriminals to further infiltrate  Some dropper files remain dormant for a predetermined period
networks. of time to avoid detection, and may include additional
executables to deliver malware in the future.
STAGE 06: CALL HOME STAGE 07: DATA THEFT
 Once the dropper file infects the target system, it “calls  The end-game of most modern cyber attacks, the data
home” to a command-and-control server to download theft stage completes the threat kill chain.
additional programs, tools or instructions.
 Cybercriminals steal intellectual property, personally
 This is the first point at which a direct connection is identifiable information or other valuable data for
made between the attacker and the infected system. financial gain or for use in other attacks.
17
Part 3: The Cybersecurity Controls Office
18
Security Controls
Control Objectives
Controls Definition (COBIT)
The policies, procedures, practices and organizational

structures designed to provide reasonable assurance
that business objectives will be achieved and that
undesired events will be prevented or detected and
corrected.
Control Types Controls Lifecycle
19
Controls Implementation
20
Controls Framework
NIST Framework Components NIST Framework Core
NIST Framework Profile & Tiers Cyber Resilience Approach
21
NIST Framework Overview
Framework Controls Checklist
Subcategory Function
Function Category Subcategory
Requirements Requirements
Asset Management (AM) ID.AM-1 to ID.AM-6 6
Business Environment (BE) ID.BE-1 to ID.BE-5 5
Identify Governance (GV) ID.GV-1 to ID.GV-4 4 24
Risk Assessment (RA) ID.RA-1 to ID.RA-6 6
Risk Management (RM) ID.RM-1 to ID.RM-3 3
Protect Access Control (AC) PR.AC-1 to PR.AC-5 5
Awareness and Training (AT) PR.AT-1 to PR.AT-5 5
Data Security (DS) PR.DS-1 to PR.DS-9 9
37
Information Protection Procedures (IP) PR.IP-1 to PR.IP-11 11
Maintenance (MA) PR.MA-1 to PR.MA-2 2
Protective Technology (PT) PR.PT-1 to PR.PT-5 5
Detect Anomalies and Events (AE) DE.AE-1 to DE.AE-5 5
Security Continuous Monitoring (CM) DE.CM-1 to DE.CM-8 8 18
Detection Processes (DP) DE.DP-1 to DE.DP-5 5
Respond Response Planning (RP) RS.RP-1 1
Communications (CO) RS.CO-1 to RS.CO-5 5
Analysis (AN) RS.AN-1 to RS.AN-4 4 14
Mitigation (MI) RS.MI-1 to RS.MI-3 2
Improvements (IM) RS.IM-1 to RS.IM-2 2
Recover Recovery Planning (RP) RC.RP-1 1
Improvements (IM) RC.IM-1 to RC.IM-2 2 5
Communications (CO) RC.CO-1 to RC.CO-2 2
Total = 98
22
NIST Framework Function: Identify
Function Category Subcategory Informative References
ISA 99.02.01 4.2.3.4
COBIT BAI03.04, BAI09.01, BAI09, BAI09.05
ID.AM-1: Physical devices and systems ISO/IEC 27001 A.7.1.1, A.7.1.2
within the organization are inventoried. NIST SP 800-53 Rev. 4 CM-8
CCS CSC1
ISA 99.02.01 4.2.3.4

COBIT BAI03.04, BAI09.01, BAI09, BAI09.05
ID.AM-2: Software platforms and ISO/IEC 27001 A.7.1.1, A.7.1.2
applications within the organization are NIST SP 800-53 Rev. 4 CM-8
inventoried. CCS CSC 2
Asset Management (AM): The personnel, ISA 99.02.01 4.2.3.4

devices, systems, and facilities that COBIT DSS05.02
enable the organization to achieve ID.AM-3: The organizational communication and ISO/IEC 27001 A.7.1.1
business purposes are identified and data flow is mapped. NIST SP 800-53 Rev. 4 CA-3, CM-8, CA-9
ID.AM Asset
managed consistent with their relative CCS CSC 1
Management
importance to business objectives and
the organization’s risk strategy. NIST SP 500-291 3, 4
ID.AM-4: External information systems are
NIST SP 800-53 Rev. 4 AC-20, SA-9
mapped and cataloged.
ISA 99.02.01 4.2.3.6
COBIT APO03.03, APO03.04, BAI09.02
ID.AM-5: Resources are prioritized based on the
NIST SP 800-53 Rev. 4 RA-2, CP-2
classification/criticality/business value of hardware, NIST SP 800-34 Rev 1
devices, data and software. ISO/IEC 27001 A.7.2.1
ISA 99.02.01 4.3.2.3.3

ID.AM-6: Workforce roles and responsibilities for COBIT APO01.02, BAI01.12, DSS06.03
ISO/IEC 27001 A.8.1.1
business functions, including cyber security, are
NIST SP 800-53 Rev. 4 CP-2, PM-11
established. NIST SP 800-34 Rev 1
23
COBIT APO08.01, APO08.02, APO08.03, APO08.04,

ID.BE-1: The organization’s role in the supply chain is APO08.05, APO10.03, DSS01.02
identified and communicated. ISO/IEC 27001 A.10.2
NIST SP 800-53 Rev. 4 CP-2
ID.BE-2: The organization’s place in critical

COBIT APO02.06, APO03.01
infrastructure and their industry ecosystem is
Business Environment (BE): NIST SP 800-53 Rev. 4 PM-8
The organization’s mission, identified and communicated.
objectives, stakeholders, and
activities are understood and
ID.BE Business prioritized, and inform ISA 99.02.01 4.2.2.1, 4.2.3.6
ID.BE-3: Priorities for organizational mission,
Environment cybersecurity roles, COBIT APO02.01, APO02.06, APO03.01
objectives and activities are established. NIST SP 800-53 Rev. 4 PM-11
responsibilities, and risk
decisions.
COBIT DSS01.03
ID.BE-4: Dependencies and critical functions for delivery of ISO/IEC 27001 9.2.2
critical services are established. NIST SP 800-53 Rev 4 CP-8, PE-9, PE-10, PE-11, PE-
12, PE-14, PM-8
ID.BE-5: Resilience requirements to support delivery of

NIST SP 800-53 Rev. 4 CP-2, SA-14
critical services are established.
24
ISA 99.02.01 4.3.2.6

ID.GV-1: Organizational information COBIT APO01.03, EA01.01
security policy is established. ISO/IEC 27001 A.6.1.1
NIST SP 800-53 Rev. 4 -1 controls from all families (except PM-1)
Governance (GV): The policies,

procedures, and processes to ID.GV-2: Information security roles and ISA 99.02.01 4.3.2.3.3
manage and monitor the responsibility are coordinated and ISO/IEC 27001 A.6.1.3
organization’s regulatory, legal, aligned. NIST SP 800-53 Rev. 4 AC-21, PM-1, PS-7
risk, environmental, and
ID.GV Governance operational requirements are ID.GV-3: Legal and regulatory
understood and inform the requirements regarding cyber security, ISA 99.02.01 4.4.3.7
management of cybersecurity COBIT MEA03.01, MEA03.04
including privacy and civil liberties
risk. ISO/IEC 27001 A.15.1.1
obligations, are understood and NIST SP 800-53 Rev. 4 -1 controls from all families (except PM-1)
managed.
ID.GV-4: Governance and risk

management processes address cyber- NIST SP 800-53 Rev. 4 PM-9, PM-11
security risks.
25
ISA 99.02.01 4.2.3, 4.2.3.7, 4.2.3.9, 4.2.3.12

COBIT APO12.01, APO12.02, APO12.03, APO12.04
ID.RA-1: Asset vulnerabilities are
ISO/IEC 27001 A.6.2.1, A.6.2.2, A.6.2.3
identified and documented. CCS CSC 4
NIST SP 800-53 Rev. 4 CA-2, RA-3, RA-5, SI-5
ID.RA-2: Threat and vulnerability information ISA 99.02.01 4.2.3, 4.2.3.9, 4.2.3.12
Risk Assessment (RA): The is received from information-sharing forums ISO/IEC 27001 A.13.1.2
organization understands the and sources. NIST SP 800-53 Rev. 4 PM-15, PM-16, SI-5
cybersecurity risk to
organizational operations
ID.RA Risk Assessment (including mission, functions, ISA 99.02.01 4.2.3, 4.2.3.9, 4.2.3.12
ID.RA-3: Threats to organizational assets are
image, or reputation), COBIT APO12.01, APO12.02, APO12.03, APO12.04
identified and documented. NIST SP 800-53 Rev. 4 RA-3, SI-5, PM-16
organizational assets, and
individuals.
ISA 99.02.01 4.2.3, 4.2.3.9, 4.2.3.12

ID.RA-4: Potential impacts are analyzed.
NIST SP 800-53 Rev. 4 RA-3
ID.RA-5: Risk responses are identified. NIST SP 800-53 Rev. 4 PM-9
ID.RA‐6: Risk responses are identified and

NIST SP 800-53 Rev. 4 PM-9
Prioritized
26
ID.RM-1: Risk management ISA 99.02.01 4.3.4.2

COBIT APO12.04, APO12.05, APO13.02, BAI02.03, BAI04.02
processes are managed and agreed
NIST SP 800-53 Rev. 4 PM-9
to NIST SP 800-39
Risk Management Strategy
(RM): The organization’s
priorities, constraints, risk
ID.RM Risk Management tolerances, and assumptions
are established and used to ISA 99.02.01 4.3.2.6.5
Strategy
support operational risk ID.RM-2: Organizational risk tolerance is COBIT APO10.04, APO10.05, APO12.06
decisions. determined and clearly expressed NIST SP 800-53 Rev. 4 PM-9
NIST SP 800-39
ID.RM-3: The organization’s determination of

risk tolerance is informed by their role in critical
NIST SP 800-53 Rev. 4 PM-8, PM-9, PM-11
infrastructure and sector specific risk analysis
27
NIST Framework Function: Protect
ISA 99.02.01 4.3.3.5.1

PR.AC-1: Identities and credentials are managed for COBIT DSS05.04, DSS06.03
authorized devices and users ISO/IEC 27001 A.11
NIST SP 800-53 Rev. 4 AC-2, AC-5, AC-6, IA Family
CCS CSC 16
Access Control (AC): ISA 99.02.01 4.3.3.3.2, 4.3.3.3.8

Access to information PR.AC-2: Physical access to resources is managed and COBIT DSS01.04, DSS05.05
resources and secured
ISO/IEC 27001 A.9.1, A.9.2, A.11.4, A.11.6
associated facilities are NIST SP 800-53 Rev 4 PE-2, PE-3, PE-4, PE-6, PE-9
limited to authorized
users, processes or ISA 99.02.01 4.3.3.6.6
PR.AC Access Control devices (including other PR.AC-3: Remote access is managed COBIT APO13.01, DSS01.04, DSS05.03
information systems), ISO/IEC 27001 A.11.4, A.11.7
and to authorized NIST SP 800-53 Rev. 4 AC-17, AC-19, AC-20
activities and
transactions. ISA 99.02.01 4.3.3.7.3
PR.AC-4: Access permissions are managed ISO/IEC 27001 A.11.1.1
NIST SP 800-53 Rev. 4 AC-3, AC-4, AC-6, AC-16
CCS CSC 12, 15
ISA 99.02.01 4.3.3.4

PR.AC-5: Network integrity is protected
ISO/IEC 27001 A.10.1.4, A.11.4.5
NIST SP 800-53 Rev 4 AC-4
28
ISA 99.02.01 4.3.2.4.2

COBIT APO07.03, BAI05.07
PR.AT-1: General users are informed and
ISO/IEC 27001 A.8.2.2
trained.
NIST SP 800-53 Rev. 4 AT-2
CCS CSC 9
ISA 99.02.01 4.3.2.4.2, 4.3.2.4.3

PR.AT-2: Privileged users COBIT APO07.02
understand roles and ISO/IEC 27001 A.8.2.2
Awareness and Training (AT): responsibilities. NIST SP 800-53 Rev. 4 AT-3
The organization’s personnel CCS CSC 9
and partners are adequately
trained to perform their ISA 99.02.01 4.3.2.4.2
PR.AT-3: Third-party stakeholders COBIT APO07.03, APO10.04, APO10.05
information security-related
PR.AT Awareness and Training duties and responsibilities (suppliers, customers, partners) ISO/IEC 27001 A.8.2.2
consistent with related understand roles and responsibilities. NIST SP 800-53 Rev. 4 AT-3
policies, procedures, and CCS CSC 9
agreements. ISA 99.02.01 4.3.2.4.2
PR.AT-4: Senior executives COBIT APO07.03
understand roles and ISO/IEC 27001 A.8.2.2
responsibilities. NIST SP 800-53 Rev. 4 AT-3
CCS CSC 9
ISA 99.02.01 4.3.2.4.2

PR.AT-5: Physical and information COBIT APO07.03
security personnel understand roles ISO/IEC 27001 A.8.2.2
and responsibilities. NIST SP 800-53 Rev. 4 AT-3
CCS CSC 9
29
COBIT APO01.06, BAI02.01, BAI06.01, DSS06.06

ISO/IEC 27001 A.15.1.3, A.15.1.4
PR.DS-1: Data at rest is protected.
CCS CSC 17
NIST SP 800-53 Rev 4 SC-28
COBIT APO01.06, BAI02.01, BAI06.01, DSS06.06
ISO/IEC 27001 A.10.8.3
PR.DS-2: Data in motion is secured.
NIST SP 800-53 Rev. 4 SC-8
CCS CSC 17
COBIT BAI09.03
PR.DS-3: Assets are formally managed throughout
ISO/IEC 27001 A.9.2.7, A.10.7.2
removal, transfers and disposition. NIST SP 800-53 Rev 4 PE-16, MP-6, DM-2
Data Security (DS): COBIT APO13.01
Information and records PR.DS-4: Adequate capacity to ensure availability is
ISO/IEC 27001 A.10.3.1
(data) are managed maintained. NIST SP 800-53 Rev 4 CP-2, SC-5
consistent with the
organization’s risk strategy to COBIT APO01.06
PR.DS Data Security protect the confidentiality, ISO/IEC 27001 A.12.5.4
integrity, and availability of PR.DS-5: There is protection against data leaks. CCS CSC 17
information and assets. NIST SP 800-53 Rev 4 AC-4, PE-19, SC-13, SI-4, SC-7, SC-8, SC-31,
AC-5, AC-6, PS-6
PR.DS-6: Intellectual property is protected. COBIT APO01.03, APO10.02, APO10.04, MEA03.01
COBIT BAI06.01, BAI01.10

PR.DS-7: Unnecessary assets are eliminated. ISO/IEC 27001 A.10.1.3
NIST SP 800-53 Rev. 4 AC-5, AC-6
COBIT BAI07.04
PR.DS-8: Separate testing environments are used in
ISO/IEC 27001 A.10.1.4
system development. NIST SP 800-53 Rev. 4 CM-2
COBIT BAI07.04, DSS06.03, MEA03.01
PR.DS-9: Privacy of individuals and personally
ISO/IEC 27001 A.15.1.3
identifiable information (PII) is protected. NIST SP 800-53 Rev 4, Appendix J
30
PR.IP-1: A baseline configuration of information ISA 99.02.01 4.3.4.3.2, 4.3.4.3.3

COBIT BAI10.01, BAI10.02, BAI10.03, BAI10.05
technology/operational technology systems is
NIST SP 800-53 Rev. 4 CM-2, CM-3, CM-4, CM-5, CM-7, CM-9, SA-10
created. CCS CSC 3, 10
ISA 99.02.01 4.3.4.3.3
COBIT APO13.01
PR.IP-2: A system development lifecycle to
ISO/IEC 27001 A.12.5.5
manage systems is implemented. NIST SP 800-53 Rev 4 SA-3, SA-4, SA-8, SA-10, SA-11, SA-15, SA-17, PL-8
CCS CSC 6
ISA 99.02.01 4.3.4.3.2, 4.3.4.3.3
PR.IP-3: Configuration change control processes COBIT BAI06.01, BAI01.06
Information Protection
are in place. ISO/IEC 27001 A.10.1.2
Processes and
NIST SP 800-53 Rev. 4 CM-3, CM-4, SA-10
Procedures (IP): Security
policy (that addresses ISA 99.02.01 4.3.4.3.9
purpose, scope, roles, COBIT APO13.01
PR.IP-4: Backups of information are managed.
responsibilities, ISO/IEC 27001 A.10.5.1
management NIST SP 800-53 Rev. 4 CP-4, CP-6, CP-9
commitment, and PR.IP-5: Policy and regulations regarding the physical COBIT DSS01.04, DSS05.05
PR.IP Information coordination among
operating environment for organizational assets are ISO/IEC 27001 9.1.4
Protection organizational entities), met. NIST SP 800-53 Rev. 4 PE-10, PE-12, PE-13, PE-14, PE-15, PE-18
processes, and
COBIT BAI09.03
procedures are PR.IP-6: Information is destroyed according to
ISO/IEC 27001 9.2.6
maintained and used to policy and requirements. NIST SP 800-53 Rev 4 MP-6
manage protection of
information systems COBIT APO11.06, DSS04.05
PR.IP-7: Protection processes are continuously improved.
NIST SP 800-53 Rev 4 PM-6, CA-2, CA-7, CP-2, IR-8, PL-2
PR.IP-8: Information sharing occurs ISO/IEC 27001 A.10
with appropriate parties. NIST SP 800-53 Rev. 4 AC-21
PR.IP-9: Response plans (business continuity COBIT DSS04.03
plan(s), disaster recovery plan(s), incident ISO/IEC 27001 A.14.1
handling plan(s) are in place and managed. NIST SP 800-53 Rev. 4 CP-2, IR-8
PR.IP-10: Response plans are exercised. NIST SP 800-53 Rev.4 IR-3
PR.IP-11: Cyber security is included in human COBIT APO07.01, APO07.02, APO07.03, APO07.04, APO07.05
resources practices (including de-provisioning, ISO/IEC 27001 8.2.3, 8.3.1
personnel screening and others). NIST SP 800-53 Rev 4 PS Family 31
PR.MA-1: Maintenance and repair of organizational

Maintenance (MA): ISO/IEC 27001 A.9.1.1, A.9.2.4, A.10.4.1
assets is performed and logged in a timely manner,
Maintenance and repairs of NIST SP 800-53 Rev 4 MA-2, MA-3, MA-5
with approved and controlled tools.
operational and information
system components is
PR.MA Maintenance performed consistent with
policies and procedures. PR.MA-2: Remote maintenance of organizational
assets is approved, logged and performed in a COBIT 5
manner that prevents unauthorized access and ISO/IEC 27001 A.9.2.4, A.11.4.4
supports availability requirements for important NIST SP 800-53 Rev 4 MA-4
operational and information systems.
ISA 99.02.01 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2,

4.4.2.4
COBIT APO11.04
PR.PT-1: Audit and log records are stored in
ISO/IEC 27001 A.10.10.1, A.10.10.3, A.10.10.4, A.10.10.5,
accordance with audit policy. A.15.3.1
NIST SP 800-53 Rev. 4 AU Family
CCS CSC 14
Protective Technology (PT): COBIT DSS05.02, APO13.01
Technical security solutions are PR.PT-2: Removable media are protected ISO/IEC 27001 A.10.7
managed to ensure the according to a specified policy. NIST SP 800-53 Rev. 4 AC-19, MP-2, MP-4, MP-5, MP-7
security and resilience of
PR.PT Protective Technology systems and assets, consistent
with related policies, CCS CSC 6
PR.PT-3: Access to systems and assets is
procedures, and agreements. COBIT DSS05.02
appropriately controlled. NIST SP 800-53 Rev 4 CM-7
COBIT DSS05.02, APO13.01

ISO/IEC 27001 10.10.2
PR.PT-4: Communications networks are secured.
NIST SP 800-53 Rev 4 AC-18
CCS CSC 7
COBIT APO13.01,
PR.PT-5: Specialized systems are protected
NIST SP 800-53 Rev 4
according to the risk analysis (SCADA, ICS, DLS).
32
NIST Framework Function: Detect
ISA 99.02.01 4.4.3.3

DE.AE-1: A baseline of normal operations and
COBIT DSS03.01
procedures is identified and managed. NIST SP 800-53 Rev. 4 AC-2, SI-3, SI-4, AT-3, CM-2
DE.AE-2: Detected events are analyzed to

Anomalies and Events (AE): NIST SP 800-53 Rev. 4 SI-4, IR-4
understand attack targets and methods.
Anomalous activity is detected
in a timely manner and the
DE.AE Anomalies and Events potential impact of events is DE.AE-3: Cyber-security data is correlated
understood. NIST SP 800-53 Rev. 4 SI-4
from diverse information sources.
DE.AE-4: Impact of potential cyber-security

NIST SP 800-53 Rev. 4 IR-4, SI -4
events is determined.
ISA 99.02.01 4.2.3.10

DE.AE-05: Incident alert thresholds are created. NIST SP 800-53 Rev. 4 IR-4, IR-5, IR-9
NIST SP 800-61 Rev 2
33
COBIT DSS05.07
DE.CM-1: The network is monitored to ISO/IEC 27001 A.10.10.2, A.10.10.4, A.10.10.5
detect potential cyber-security events. NIST SP 800-53 Rev. 4 CM-3, CA-7, AC-2, IR-5, SC-5, SI-4
CCS CSC 14, 16
DE.CM-2: The physical environment

is monitored to detect potential NIST SP 800-53 Rev. 4 CM-3, CA-7, IR-5, PE-3, PE-6, PE-20
cyber-security events.
Security Continuous DE.CM-3: Personnel activity is

Monitoring (CM): The monitored to detect potential NIST SP 800-53 Rev. 4 AC-2, CM-3, CA-7
information system and
assets are monitored to
DE.CM Security identify cybersecurity COBIT DSS05.01
Continuous Monitoring events and verify the ISO/IEC 27001 A.10.4.1
effectiveness of DE.CM-4: Malicious code is detected.
NIST SP 800-53 Rev 4 SI-3
protective measures. CCS CSC 5
DE.CM-5: Unauthorized mobile code is ISO/IEC 27001 A.10.4.2

detected. NIST SP 800-53 Rev 4 SC-18
DE.CM-6: External service providers are ISO/IEC 27001 A.10.2.2

monitored. NIST SP 800-53 Rev 4 CA-7, PS-7, SI-4, SA-4, SA-9
DE.CM-7: Unauthorized resources are

NIST SP 800-53 Rev. 4 CM-3, CA-7, PE-3, PE-6, PE-20, SI-4
monitored.
DE.CM-8: Vulnerability assessments are
NIST SP 800-53 Rev. 4 CM-3, CA-7, CA-8, RA-5, SA-11, SA-12
performed.
34
DE.DP-1: Roles and responsibilities for ISA 99.02.01 4.4.3.1

COBIT DSS05.01
detection are well defined to ensure
NIST SP 800-53 Rev 4 IR-2, IR-4, IR-8
accountability. CCS CSC 5
DE.DP-2: Detection activities comply with

Detection Processes (DP):
Detection processes and all applicable requirements, including ISA 99.02.01 4.4.3.2
procedures are maintained and those related to privacy and civil NIST SP 800-53 Rev 4 CA-2, CA-7
tested to ensure timely and liberties.
DE.DP Detection Processes adequate awareness of
anomalous events.
DE.DP-3: Detection processes are ISA 99.02.01 4.4.3.2
exercised to ensure readiness. NIST SP 800-53 Rev 4 PM-14
DE.DP-4: Event detection information is

NIST SP 800-53 Rev. 4 CP-2, IR-8
communicated to appropriate parties.
COBIT APO11.06, DSS04.05

DE.DP-5: Detection processes are
NIST SP 800-53 Rev 4 PM-6, CA-2, CA-7, CP-2, IR-8,
continuously improved. PL-2
35
NIST Framework Function: Respond
Response Planning (RP):

Response processes and ISA 99.02.01 4.3.4.5.1
RS.PL Response RS.PL-1: Response plan is implemented during or after
procedures are maintained and NIST SP 800-53 Rev. 4 CP-10, IR-4
Planning
tested to ensure timely response an event. CCS CSC 18
of detected cybersecurity events.
ISO/IEC 27001 A.13.2.1

RS.CO-1: Personnel know their roles and order of ISA 99.02.01 4.3.4.5.2, 4.3.4.5.3, 4.3.4.5.4
operations when a response is needed. NIST SP 800-53 Rev 4 CP-2, IR-8
ISO/IEC 27001 A.13.1.1, A.13.1.2

Communications (CO): Response RS.CO-2: Events are reported consistent with ISA 99.02.01 4.3.4.5.5
activities are coordinated with established criteria. NIST SP 800-53 Rev 4 IR-6, IR-8
internal and external
stakeholders, as appropriate, to
RS.CO include external support from
Communications RS.CO-3: Detection/response information, such as breach
federal, state, and local law ISO/IEC 27001 A.10
enforcement agencies. reporting requirements, is shared consistent with response
plans, including those related to privacy and civil liberties.
RS.CO-4: Coordination with stakeholders occurs ISO/IEC 27001 A.8.1.1, A.6.1.2, A.6.1.6, A.10.8.2
consistent with response plans, including those related NIST SP 800-53 Rev. 4 CP-2, IR-8
to privacy and civil liberties.
RS.CO-5: Voluntary coordination occurs with external

NIST SP 800-53 Rev. 4 PM-15, SI-5
stakeholders (for example: business partners,
information sharing and analysis centers or customers).
36
RS.AN-1: Notifications from the detection system ISO/IEC 27001 A.6.2.1

are investigated. NIST SP 800-53 Rev. 4 IR-4, IR-5, PE-6, SI-4, AU-13
Analysis (AN): Analysis is ISO/IEC 27001 A.6.2.1

RS.AN-2: Understand the impact of the incident.
conducted to ensure NIST SP 800-53 Rev. 4 CP-10, IR-4
adequate response and
RS.AN Analysis support recovery
activities. ISO/IEC 27001 A.13.2.2, A.13.2.3
RS.AN-3: Forensics are performed.
NIST SP 800-53 Rev. 4 IR-4
ISO/IEC 27001 A.13.2.2

RS.AN-4: Incidents are classified consistent with
ISA 99.02.01 4.3.4.5.6
response plans. NIST SP 800-53 Rev. 4 IR-4
Mitigation (MI): Activities ISO/IEC 27001 A.3.6, A.13.2.3

are performed to prevent RS.MI-1: Incidents are contained. ISA 99.02.01 4.3.4.5.6
expansion of an event, NIST SP 800-53 Rev. 4 IR-4
RS.MI Mitigation mitigate its effects, and
eradicate the incident.
ISA 99.02.01 4.3.4.5.6, 4.3.4.5.10
RS.MI-2: Incidents are eradicated.
NIST SP 800-53 Rev. 4 IR-4
Improvements (IM):
Organizational response ISO/IEC 27001 A.13.2.2
activities are improved by RS.IM-1: Response plans incorporate lessons learned. ISA 99.02.01 4.3.4.5.10, 4.4.3.4
incorporating lessons NIST SP 800-53 Rev. 4 CP-2, IR-8
RS.IM Improvements learned from current and
previous
detection/response
activities. RS.IM-2: Response strategies are updated. NIST SP 800-53 Rev. 4 CP-2, IR-8
37
NIST Framework Function: Recover
Recovery Planning (RP): Recovery COBIT DSS02.05, DSS03.04

processes and procedures are ISO/IEC 27001 A.14.1.3, A.14.1.4, A.14.1.5
RC.RP Recovery Planning RC.RP-1: Recovery plan is executed. NIST SP 800-53 Rev. 4 CP-10, CP-2
maintained and tested to ensure
timely restoration of systems or assets CCS CSC 8
affected by cybersecurity events.
RC.IM-1: Plans are updated with lessons ISA 99.02.01 4.4.3.4

learned. COBIT BAI05.07
RC.IM Improvements ISO/IEC 27001 13.2.2
Improvements (IM): Recovery planning
and processes are improved by NIST SP 800-53 Rev. 4 CP-2
incorporating lessons learned into
future activities
RC.IM-2: Recovery strategy is updated. COBIT APO05.04, BAI07.08
NIST SP 800-53 Rev. 4 CP-2
Communications (CO): Restoration

COBIT MEA03.02
activities are coordinated with internal RC.CO-1: Public relations are managed.
NIST SP 800-53 Rev. 4 IR-4, IR-8
and external parties, such as
RC.CO Communications
coordinating centers, Internet Service
Providers, owners of attacking
systems, victims, other CSIRTs, and
vendors. RC.CO-2: Reputation after an event is
COBIT MEA03.02
repaired.
38
Cybersecurity Risk Management / Best Practices
WORKING GROUP 4: Final Report, March 2015
39
Part 4: The Technology Center
40
Category Subcategory Technical Requirements
Operations staff assigned to inventory critical infrastructure network devices
ID.AM-1: Physical devices and and systems may need easy to operate database software and technologies
systems within the organization that can automate, scale and report on the adding and removing of networked
are inventoried. resources that are inventoried. This automated system should detect the presence of
unauthorized hardware.
Operations staff assigned to inventory network critical software may use easy
ID.AM-2: Software platforms and to operate database software and technologies that can automate, scale and
applications within the organization report on the adding and removing of network software resources that are
are inventoried. inventoried. This automated system can detect the presence of unauthorized
software, databases and applications.
Computing systems, information storage systems, databases, VPNs, LANs,
VLANs,WANs, VPNs, Text/SMS, Email systems can all have the scheduling, credentials
ID.AM-3: The organizational
of access, business process rules, and security controls built into them, such that
communication and data flow is
personnel and authorized external entities can access the correct information in
mapped.
timely manner according to the documented
ID.AM Asset communications flow.
Management Organizational staff assigned to catalog externally facing critical
infrastructure information systems, servers, virtual machines, software, networks and
ID.AM-4: External information resources can use easy to operate database software and technologies that can scale
systems are mapped and and report on the externally facing resources that are inventoried. This externally
cataloged. facing catalog system can be made secure to prevent corruption of critical network
functions, to prevent theft of services/software and to prevent fraudulent actions. It is
highly
Once the highest priority functions and their corresponding supporting
ID.AM-5: Resources are prioritized based technical resources are prioritized, it is imperative that spare equipment, circuit
on the classification/criticality/business boards, parts, fuel, circuits, servers, and anything physical and technical that can
value of hardware, devices, data and minimize outages and downtime of critical systems, be procured. These critical spares
software. should be stored where operational staff can quickly access and install in order to
minimize any outages or downtime of critical systems.
ID.AM-6: Workforce roles and
Documented roles and responsibilities can be stored and accessible, where
responsibilities for business functions,
all of the organization's staff can read, download and print.
including cyber security, are established. 41
Once the supply chain roles and responsibilities are identified, conveyed and in place, the key
information that can transfer between various sub‐ organizations, organizations, and its
ID.BE-1: The organization’s external sources can be developed, enhanced, improved or updated to meet the critical
role in the supply chain is business communications requirements within a supply chain ecosystem.
identified and
communicated. The critical networks, protocols, web services, forms, emails, VPNs, VLANs, WANs, databases,
web portals that can transfer critical information between various sub‐organizations,
organizations, and it's external sources can be developed, enhanced, improved or updated to
meet the critical business requirements within a supply chain ecosystem.
Once the Critical Infrastructure roles and responsibilities are identified, conveyed and in place,
ID.BE-2: The the key information that can transfer between various sub‐organizations, organizations, and its
organization’s place in external sources can be developed, enhanced, improved or updated to meet the critical
critical infrastructure business communications requirements within a supply chain ecosystem.
and their industry
ecosystem is identified The critical networks, protocols, web services, forms, emails, VPNs, VLANs, WANs, databases,
and communicated. web portals that can transfer critical information between various sub‐organizations,
ID.BE Business
organizations, and it's external sources can be developed, enhanced, improved or updated to
Environment
meet the critical business requirements within a Critical Infrastructure ecosystem.
ID.BE-3: Priorities for
organizational mission,
None
objectives and activities
are established.
Primary, secondary and tertiary communications systems and techniques can
ID.BE-4: Dependencies and critical be implemented, so that the organization can reach its critically dependent 3rd party entities
functions for delivery of critical in an emergency and/or crisis situation. These modes of communication include but limited to
services are established. telephony, VoIP, IM, Video conference, Internet/Email, Text/SMS and possibly Social media as
modes of critical communications.
Primary, secondary and tertiary communications systems and techniques can
ID.BE-5: Resilience be implemented, so that the organization can reach its critically dependent 3rd party entities
requirements to support in an emergency and/or crisis situation. These modes of communication include but limited to
delivery of critical services are telephony, VoIP, IM, Video conference, Internet/Email, Text/SMS, and possibly Social media as
established. a last resort of critical communications. All of these modes of communications can be made as
secure as practically possible and include authentication functions. 42
Documented Security policy, along with roles and responsibilities can
ID.GV-1: Organizational information security
be stored and accessible , where all of the organization's staff can
policy is established.
read, download and print.
ID.GV-2: Information security roles and

None
responsibility are coordinated and aligned.
ID.GV Governance ID.GV-3: Legal and regulatory requirements

regarding cyber security, including privacy and
None
civil liberties obligations, are understood and
managed.
Documented Security policy along with roles and responsibilities

ID.GV-4: Governance and risk management
may be stored and accessible, where all of the organization's staff
processes address cyber-security risks.
can read, download and print.
43

When organizations perform penetration testing using a reliable set of
penetration test technologies testing along with pretest analysis on the target
ID.RA-1: Asset system, in order to identify vulnerabilities based upon this analysis, and design
vulnerabilities are testing to try and exploit vulnerability. An organization may employ vulnerability
identified and scanning tools that include the capability to readily detect new vulnerabilities. An
documented. organization may look to external expertise to perform independent testing of
critical infrastructure under the appropriate and relevant service level and security
agreements.
The organization can implement automated information feeds from external
ID.RA-2: Threat and sources, like RSS, Message Boards, Twitter, Google "Search" filters etc., and any
vulnerability information is other means of receiving electronic updates on new cyber threats and attacks.
received from information- These automated information feeds may include new information on equipment,
sharing forums and sources. software, databases, web applications and open‐source software that the
ID.RA Risk Assessment organization has in in place.
The organization may implement automated information feeds from external
sources, like RSS, Message Boards, Twitter, Google "Search" filters etc., and any
ID.RA-3: Threats to
other means of receiving electronic updates on new cyber threats and attacks.
organizational assets are
These automated information feeds may include new information on equipment,
identified and documented.
software, databases, web applications and open‐source software that the
organization has in in place.
ID.RA-4: Potential impacts are

None
analyzed.
ID.RA-5: Risk responses are

None
identified.
44

ID.RM Risk ID.RM-1: Risk management None
Management processes are managed and
agreed to
ID.RM-2: Organizational risk tolerance is None
determined and clearly expressed
Once the Critical Infrastructure roles and responsibilities are identified,

conveyed and in place, the key information that should transfer between various
sub‐organizations, organizations, and its external sources can be developed,
ID.RM-3: The organization’s enhanced, improved or updated to meet the critical business communications
determination of risk tolerance is requirements within a supply chain ecosystem.
informed by their role in critical
infrastructure and sector specific risk The critical networks, protocols, web services, forms, emails, VPNs, VLANs, WANs,
analysis databases, web portals that can transfer critical information between various
sub‐organizations, organizations, and it's external sources can be developed,
enhanced, improved or updated to meet the critical business requirements within a
Critical Infrastructure ecosystem.
45

PR.AC Access Computing systems, information storage systems, databases, VPNs, LANs,
Control VLANs,WANs, VPNs, Text/SMS, Email systems should all have the authorized
PR.AC-1: Identities and credentials are
identities, authorized credentials of access, business process rules, and security
managed for authorized devices and users
controls built into them, such that personnel and authorized external entities can
access the correct information in a timely manner according to the documented
communications flow.
The entire physical protection environment should be monitored and managed by
an automated, easy to use system that can see and detect entry by authorized and
unauthorized persons. This automated physical protection management system
PR.AC-2: Physical access to resources is
should also have the integrated ability to allow authorized operations personnel
managed and secured
(i.e.; a NOC) to visibly see critical/protected assets, collect/store/playback video of
protected assets, lock and unlock physical assets, doors, entry ways, vehicles etc.,
remotely.
The entire remote protection environment should be monitored and managed by
an automated, easy to use REMOTE ACCESS system that can see and detect entry
by authorized and unauthorized persons and activity. This automated REMOTE
ACCESS protection management system, should also have the integrated ability to
PR.AC-3: Remote access is managed allow authorized operations personnel (i.e.; a NOC) to visibly see who is doing what
from outside the physical confines of the organization and at a virtual level.
Authorized operations personnel can also be able to see what 'virtual' activity is
taking place, like login attempts, remote port scans, database injections, software
and file modificatio s, storage system accesses, unauthorized remote
communications etc.
The organization may implement automated access control to systems,
PR.AC-4: Access permissions are managed servers, access doors etc. to limited unauthorized access and only allow those who
can successfully show their valid and up‐to‐date credentials.
The overall network design may be designed to maintain the fullest, maximum
PR.AC-5: Network integrity is protected
practical operational integrity. The network design should employ maximum
practical diversity, redundancy, and segmentation where it is practical.
46
PR.AT Awareness PR.AT-1: General users are informed None
and Training and trained.
Organizations, sub‐organizations and all data owners who manage and maintain information
PR.AT-2: Privileged users technology assets may receive comprehensive training on implementing cybersecurity best
understand roles and practices.
responsibilities.
Computing systems, information storage systems, databases, VPNs, LANs, VLANs, WANs,
PR.AT-3: Third-party VPNs, Text/SMS, Email systems should all have the authorized identities, authorized
stakeholders (suppliers, credentials of access, business process rules, and security controls built into them, such that
customers, partners) personnel and authorized external entities can access the correct information in a timely
understand roles and manner according to the documented communications flow. Security policy filters should be
responsibilities. in place that monitors file structure, metadata, or data type, thus, determining where this
data may flow through the information system based upon specified attributes.
VPNs, Text/SMS, Email systems can all have the authorized identities, authorized credentials
PR.AT-4: Senior executives of access, business process rules, and security controls built into them, such that personnel
understand roles and and authorized external entities can access the correct information in a timely manner
responsibilities. according to the documented communications flow. Security policy filters should be in place
that monitors file structure, metadata, or data type, thus, determining where this data may
flow through the information system based upon specified attributes.
VPNs, Text/SMS, Email systems can all have the authorized identities, authorized credentials
PR.AT-5: Physical and of access, business process rules, and security controls built into them, such that personnel
information security and authorized external entities can access the correct information in a timely manner
personnel understand roles according to the documented communications flow. Security policy filters should be in place
and responsibilities. that monitors file structure, metadata, or data type, thus, determining where this data may
flow through the information system based upon specified attributes.
47
PR.DS Data Security Tools and technologies may include, but not limited to: Network port
scanning / packet capture‐inspection / Intrusion Detection‐ Protection(IPS/IDS) /
Endpoint monitoring‐security / Threat correlation functions / Digital forensics /
PR.DS-1: Data at rest is protected. Data‐File flow and anomaly detection / Access control / SSL Decryption / Log analysis
/ File‐content filtering‐blocking / Outbound botnet communication disruption /
Secure Email gateways / Big‐ data security analytics / and Next Gen Firewalls. *
Computing systems,
Tools and technologies may include, but not limited to: Network port
scanning / packet capture‐inspection / Intrusion Detection‐ Protection(IPS/IDS) /
Endpoint monitoring‐security / Threat correlation functions / Digital forensics /
PR.DS-2: Data in motion is secured. Data‐File flow and anomaly detection / Access control / SSL Decryption / Log analysis
/ File‐content filtering‐blocking / Outbound botnet communication disruption /
Secure Email gateways / Big‐ data security analytics / and Next Gen Firewalls. *
Computing systems,
PR.DS-3: Assets are formally

The previously required hardware and software asset invent ry systems, may
managed throughout removal,
have functionality to track and document disposal of assets.
transfers and disposition.
PR.DS-4: Adequate capacity to Organizations should implement maximum practical diversity, redundancy,
ensure availability is maintained. sparing for all of their critical systems, networks and data storage.
Computing systems, information storage systems, databases, VPNs, LANs, VLANs,

WANs, VPNs, Text/SMS, Email systems may all have the scheduling, credentials of
PR.DS-5: There is protection against data
access, business process rules, and security controls built into them, such that
leaks.
personnel and authorized external entities can access the correct information in a
timely manner according to the documented communications flow.
48

PR.DS Data Security
Computing systems, information storage systems, databases, VPNs, LANs,
VLANs,WANs, VPNs, Text/SMS, Email systems should all have the scheduling,
credentials of access, business process rules, and security controls built into
PR.DS-6: Intellectual property is protected.
them, such that personnel and authorized external entities can access the
correct information in a timely manner according to the documented
communications flow.
Separate development and testing systems, servers, storage and networking

PR.DS-7: Unnecessary assets are assets should be designed and built to allow new services, applications and
eliminated. products to be developed without being attacked, breached or stolen from
unauthorized entities via the Internet.
PR.DS-8: Separate testing
environments are used in system None
development.
PR.DS-9: Privacy of individuals and

personally identifiable information (PII) None
is protected.
49
PR.IP Information PR.IP-1: A baseline configuration of The organization can implement a set of continuous monitoring systems and the
Protection information technology/operational database processing and storage assets required to handle large volumes of
technology systems is created. collected data from critical assets.
PR.IP-2: A system development

SDLC and project management tools may be implemented, based on an
lifecycle to manage systems is
organization's decisions to use specific methodologies.
implemented.
PR.IP-3: Configuration change control The previously required hardware and software asset inventory systems, may
processes are in place. have functionality to track and document disposal of assets.
PR.IP-4: Backups of information are There should be more than adequate storage capacity, database capacity, and
managed. network bandwidth to allow frequent backups of critical information and data.
PR.IP-5: Policy and regulations regarding

the physical operating environment for None
organizational assets are met.
PR.IP-6: Information is destroyed The previously required hardware and software infrastructure asset inventory
according to policy and requirements. systems, may have functionality to track and document disposal of assets.
50
PR.IP Information
Protection Computing systems, information storage systems, databases, VPNs, LANs,
VLANs,WANs, VPNs, Text/SMS, Email systems may all have the authorized identities,
PR.IP-7: Protection processes are
authorized credentials of access, business process rules, and security controls built into
continuously improved.
them, such that personnel and authorized external entities can access the correct
information in a timely manner according to the documented communications flow.
PR.IP-8: Information
The utilization of secure communication and encryption is vital to the sharing of cyber
sharing occurs with
protection technologies, methods and procedures.
appropriate parties.
PR.IP-9: Response plans
The organization may consider DR technologies, systems, protocols,
(business continuity plan(s),
networks, off‐site data storage facilities, and services. There may be more than
disaster recovery plan(s),
adequate storage capacity, database capacity, and network bandwidth to allow frequent
incident handling plan(s) are in
backups of critical information and data .
place and managed.
PR.IP-10: Response plans are networks, off‐site data storage facilities, and services. There may be more than
exercised. adequate storage capacity, database capacity, and network bandwidth
to allow frequent backups of critical information and data.
PR.IP-11: Cyber security is
included in human resources An organization's IT department, may have to procure mobile and Endpoint
practices (including de- device management technologies that will also disable / decommission / wipe / destroy
provisioning, personnel screening all account privileges for employees that have departed the organization.
and others).
PR.IP‐12: A vulnerability
management plan is developed and
implemented None
51

PR.MA
Maintenance Access control / logging / disabling
PR.MA-1: Maintenance and repair of organizational assets is performed
technologies and systems may have to be
and logged in a timely manner, with approved and controlled tools.
deployed to protect critical assets.
PR.MA-2: Remote maintenance of organizational assets is approved,

Access control / logging / disabling
logged and performed in a manner that prevents unauthorized access
technologies and systems may have to be
and supports availability requirements for important operational and
deployed to protect critical assets.
information systems.
52
PR.PT-1: Audit and log records are stored in Access control / logging / disabling technologies and systems may have
accordance with audit policy. to be deployed to protect critical assets.
USB drives, Bluetooth devices and any wireless device that can store
PR.PT-2: Removable media are protected
information, should be tracked / inventoried / disposed of properly if
according to a specified policy.
they are allowed in an organization's operational environment.
PR.PT Protective
Technology PR.PT-3: Access to systems and assets is Access control / logging / disabling technologies and systems may have
appropriately controlled. to be deployed to protect critical assets.
Organizations may have to procure and deploy Next‐Gen Firewalls,

PR.PT-4: Communications networks are
Session border controller(SBC), software‐application firewalls and
secured.
encryption technologies in order to protect critical communications.
PR.PT-5: Specialized systems are protected
according to the risk analysis (SCADA, ICS,
DLS). None
53

The organization may employ automated mechanisms to maintain an
up‐to‐date, complete, accurate, and readily available baseline
DE.AE-1: A baseline of normal operations configuration. Mechanisms can include hardware and software inventory
and procedures is identified and managed. tools, configuration management tools, and network management tools.
These tools, for example, can be used to track version numbers of
software.
Organizations may consider automated mechanisms for centralized and

DE.AE-2: Detected events are analyzed to
analysis includes, for example, Security Information Management(SIEM)
understand attack targets and methods.
technologies.
DE.AE Automated mechanisms for tracking security incidents and
Anomalies and collecting/analyzing incident information include, for example, the
Events DE.AE-3: Cyber-security data is correlated
Einstein network monitoring device and monitoring online Computer
from diverse information sources.
Incident Response Centers or other electronic databases of incident
handling.
Automatic tools include, for example, host‐based, network‐based,

transport‐ based, or storage‐based event monitoring tools or Security
DE.AE-4: Impact of potential cyber-
Information and Event Management (SIEM) technologies that provide real
security events is determined.
time analysis of alerts and/or notifications generated by organizational
information systems.
DE.AE-05: Incident alert thresholds are Systems for monitoring, scanning and collection will need their
created. parameters adjusted as thresholds are established and changed.
54
DE.CM-1: The network is
The organization may employ different monitoring tools, e.g., host
monitored to detect potential
monitoring, network monitoring, and anti‐virus software.
DE.CM-2: The physical

Physical segmentation is a key security countermeasure designed to
environment is monitored to
compartmentalize devices into security zones where identified security
detect potential cyber-
practices are employed to achieve the desired target security level.
security events.
DE.CM Security
Continuous DE.CM-3: Personnel activity
Monitoring is monitored to detect Access control / logging / disabling technologies and systems may have to be
potential cyber-security deployed to protect critical infrastructure assets.
events.
The organization may implement nonsignature‐based malicious code

detection mechanisms, which include the use of heuristics to detect, analyze, and
DE.CM-4: Malicious code is
describe the characteristics or behavior of malicious code and to provide safeguards
detected.
against malicious code for which sig atures do not yet exist or for
which existing signatures may not be effective.
55
The organization may implement non signature‐based malicious code detection
mechanisms, which include the use of heuristics to detect, analyze, and describe the
DE.CM-5: Unauthorized
characteristics or behavior of malicious code and to provide safeguards against
mobile code is detected.
malicious code for which signatures do not yet exist or for which existing signatures
may not be effective.
DE.CM-6: External service Access control / logging / disabling technologies and systems may have to be
providers are monitored. deployed to protect critical infrastructure assets.
DE.CM Security
Continuous The organization may deploy automated monitoring tools to help in its monitoring
Monitoring efforts for critical infrastructure. Automated tools include, for example, host‐based,
DE.CM-7: Unauthorized network‐based, network‐based, transport‐based, or storage‐based event monitoring
resources are monitored. tools or Security Information and Event Management (SIEM) technologies that provide
real time analysis of alerts and/or notifications generated by organizations information
systems.
The organization may implement vulnerability scanning tools that include the
DE.CM-8: Vulnerability capability to readily update the information systems vulnerabilities to be scanned.
assessments are performed. Also, automated mechanisms to compare the results of vulnerability scans over time
may be implemented to determine trends.
56
Organizations may consider deploying various tools and technologies to PREVENT /
MITIGATE / RESPOND and RECOVER from cyber‐attack incidents. These tools and
technologies may include, but not limited to: Network port scanning / packet
DE.DP-1: Roles and responsibilities for capture‐inspection / Intrusion Detection‐ Protection(IPS/IDS) / Endpoint
detection are well defined to ensure monitoring‐security / Threat correlation functions / Digital forensics / Data‐File flow
accountability. and anomaly detection / Accesscontrol / SSL Decryption / Log analysis / File‐content
filtering‐blocking / Outbound botnet communication disruption / Secure Email
gateways / Big‐ data security analytics / and Next Gen Firewalls.
DE.DP-2: Detection activities comply

with all applicable requirements,
None
including those related to privacy and
civil liberties.
DE.DP-3: Detection processes are Organizations can procure Cyber Incident Detection tools and technologies that can
DE.DP Detection exercised to ensure readiness. be adequately tested without disabling live‐operational systems and networks.
Processes For critical infrastructure the organization may deploy an information system that
alerts appropriate personnel when there is an indication that a compromise has or
DE.DP-4: Event detection information is may occur. Alerts may be generated from a variety of sources, including, for example,
communicated to appropriate parties. audit records or input from malicious code protection mechanisms, intrusion
detection or prevention mechanisms, or boundary protection devices such as
firewalls, gateways, and routers.
MITIGATE / RESPOND and RECOVER from cyber‐attack incidents. These tools and
technologies may include, but not limited to: Network port scanning / packet
capture‐inspection / Intrusion Detection‐ Protection(IPS/IDS) / Endpoint
DE.DP-5: Detection processes are
monitoring‐security / Threat correlation functions / Digital forensics / Data‐File flow
and anomaly detection / Access control / SSL Decryption / Log analysis / File‐content
filtering‐blocking /Outbound botnet communication disruption / Secure Email
gateways / Big‐ data security analytics / and Next Gen Firewalls.
57
Before and during execution of the response plan, the

RS.PL-1: Response plan is implemented during or organization can use fall back technologies that allows
RS.PL Response Planning
after an event. information systems to operate in a reserved mode while
being reconfigured.
58

The organizations can ensure that secure, reliable electronic
RS.CO-1: Personnel know their roles and order of communications (email, text, voice comms., etc.) are in place, so
operations when a response is needed. that appropriate personnel are alerted into action when an
incident response is required.
RS.CO-2: Events are reported consistent with communications (email, text, voice comms., etc.) are in place, so
established criteria. that appropriate personnel are alerted into action when an
RS.CO RS.CO-3: Detection/response information, such as breach
communications (email, text, voice comms., etc.) are in place, so
Communications reporting requirements, is shared consistent with response
that appropriate personnel are alerted into action when an
plans, including those related to privacy and civil liberties.
RS.CO-4: Coordination with stakeholders occurs EXTERNAL communications (email, text, voice comms., etc.) are in
consistent with response plans, including those place, so that appropriate 3rd parties/Stakeholders/ 1st
related to privacy and civil liberties. Responder personnel are alerted into action when an incident
response is required.
RS.CO-5: Voluntary coordination occurs with external The organization can employ automated mechanisms to make
stakeholders (for example: business partners, security alert and advisory information available throughout the
information sharing and analysis centers or customers). organization.
59
Organizations may consider deploying various tools and technologies to

PREVENT / MITIGATE / RESPOND and RECOVER from cyber‐attack incidents. These
tools and technologies may include, but not limited to: Network port scanning /
RS.AN-1: Notifications from
packet capture‐inspection / Intrusion Detection‐ Protection(IPS/IDS) / Endpoint
the detection system are
monitoring‐security / Threat correlation functions / Digital forensics / Data‐File flow
investigated.
and anomaly detection / Access control / SSL Decryption / Log analysis /
File‐content filtering‐blocking / Outbound botnet communication disruption /
Secure Email gateways / Big‐ data security analytics / and Next Gen Firewalls.
The organization implements a configurable capability to automatically

RS.AN Analysis RS.AN-2: Understand the impact of the
disable critical information systems and/or accounts if security incidents are
incident.
detected.
Audit reduction capability can include, for example, modern data mining
techniques with advanced data filters to identify anomalous behavior in audit
RS.AN-3: Forensics are performed.
records.. The report generation capability may be able to generate customizable
reports.
Automated mechanisms for tracking security incidents and collecting/analyzing
RS.AN-4: Incidents are
incident information include, for example, the Einstein network monitoring device
classified consistent with
and monitoring online Computer Incident Response Centers or other electronic
response plans.
databases of incidents.
60

Incident‐related information may be obtained from a variety of sources,
RS.MI-1: Incidents are contained. including, for example, audit monitoring, network monitoring, physical access
monitoring, user/administrator reports, and reported supply chain events.
The organization adopts automatic mechanisms to support the incident
handling process, for example, online incident management systems. The
RS.MI-2: Incidents are eradicated.
organization may also deploy dynamic reconfiguration of information systems to
stop attacks, to misdirect attacks, and to isolate components of system.
RS.MI Mitigation
The organization should employ vulnerability scanning tools and techniques.
RS.MI‐3: Newly identified Organizations can employ these analysis approaches in a variety of tools, e.g.
vulnerabilities are mitigated or web‐based applications scanners, static analysis tools, and binary analyzers.
documented as accepted risks Vulnerability scanning includes, for example: (1) scanning for patch levels; (2)
scanning for functions, ports, and protocols; (3) scanning for improperly configured
or improperly operation information flow control mechanisms.
RS.IM-1: Response plans incorporate The Lessons learned may be documented and stored/placed in an area or
lessons learned. directory where the organization's security staff can access.
RS.IM Improvements
RS.IM-2: Response strategies are
None
updated.
61
Category Subcategory IBM offerings

RC.RP Recovery Planning RC.RP-1: Recovery plan is executed.
networks, off‐site data storage facilities, and services. There may be more than
adequate storage capacity, database capacity, and network bandwidth to allow
frequent backups of critical information and data.
RC.IM-1: Plans are updated with
lessons learned. BC/DR Lessons learned may be documented and stored/placed in an area or directory
RC.IM Improvements where the organization's security staff can access.
Automated technology can be implemented to support the incident handling

RC.IM-2: Recovery strategy is process. For example, online incident management systems. The organization may
updated. also employ dynamic reconfiguration tools that are able to
reconfigure information systems if and when an attack occurs.
RC.CO-1: Public relations are None

managed.
RC.CO-2: Reputation after an event

RC.CO Communications is repaired. None
RC.CO‐3: Recovery activities are The organizations can ensure that secure, reliable electronic communications
communicated to internal (email, text, voice comms..........................................................., etc.) are in
stakeholders and executive and place, so that appropriate personnel are alerted into action when an incident
management teams response is required.
62
Part 5: The Operations Center
63
Operations Center Capabilities
Incident Response Center

Reported Security Issues Input Output
Cybersecurity Operations Center (CSOC)
Help Desk, Assessment Findings CSIRT
Technologies & Services
Security Administration Center
Cyber-Intelligence Services
Identify Protect Detect Respond Recover
Zero-day threats & vulnerabilities
64
65
Category Subcategory Operational Requirements
Appropriate and adequate Operations staff may be assigned to locate, track,

count, and document all critical infrastructure network hardware, computing systems,
ID.AM-1: Physical devices and
physical machines, virtual machines, virtual and physical network circuits, staff
systems within the organization
devices, mobile devices, receivers, transmitters, antennas, optical systems,
are inventoried.
transportation systems and any system or device that has computing, storage and
network connectivity functions.
Appropriate and adequate Operations staff should be assigned to locate, track, count,
ID.AM-2: Software platforms and and document all network critical infrastructure software, critical applications, OSS
ID.AM Asset
applications within the organization software, (i.e.; Billing & Customer Account DBs), network/customer databases, mobile
Management
are inventoried. employee supporting systems, and stored information that is critical to the operations
of the organization.
The organization can determine "who‐internally" needs to know "what“ information,

"when" and "how" will that information be delivered. The organization can take into
ID.AM-3: The organizational
account "all" internal communications with: Tiers I,II,III of operations, network ops
communication and data flow is
centers, engineering, technical management, program/project management,
mapped.
customer service, IT, sales, C‐ suite officials, billing, accounting, human resources,
security offices etc.
66
Organizational staff can identify, inventory, track and update the catalog of externally
facing critical infrastructure systems, databases, web servers, virtual machines,
virtual/physical circuits, networks, VPNs, VLANs, WANs, communications channels,
email systems, phone/UC systems, calendars, applications, web portals, eCommerce
ID.AM-4: External information
interfaces, mobile/remote employee devices, cloud‐data center resources and any
systems are mapped and
other hardware and software that is used to communicate with "outside" entities.
cataloged.
Outside entities include but not limited to: vendors/suppliers, emergency responders,
government officials, peers, customers, public facing websites, customer portals,
contact centers, legal entities, executive communications, billing interfaces,
eCommerce interfaces, mobile employee support, cloud‐data centers etc. *
Organizational leadership, operations and engineering staff may determine the

ID.AM-5: Resources are prioritized based
ID.AM Asset primary‐critical infrastructure functions and services that make the organization
on the classification/criticality/business
Management operate as an ongoing concern. They consider questions: "If we lost <function>, can
value of hardware, devices, data and
we continue to operate our business and business plan(s)?" An example of this xercise
software.
may be similar to: "If we lost our <website>, services to our customers
Organizational leadership, operations and engineering staff can determine who (by
job function) needs to know what information within the entire organization.
Following this exercise, various levels of cybersecurity responsibilities and leadership
ID.AM-6: Workforce roles and can be assigned. These levels of cybersecurity responsibilities will include but not
responsibilities for business functions, limited to: Security of entire infrastructure, security of groups of systems /
including cyber security, are established. applications / databases / SW /devices, security of individual systems / applications /
databases / SW / devices, as well as security of internal and external communications
channels. The cybersecurity leadership can then develop cybersecurity policies and
procedures, then train the appropriate staff of these cybersecurity procedures.
67
Category Subcategory Operqational Requirements
Organizational leadership, operations and engineering staff can determine
how the organization fits into a supply chain ecosystem. The following questions can be
ID.BE-1: The organization’s
answered: Is the organization a producer, a consumer, both, or something that has yet to be
role in the supply chain is
defined? Does the organization turn raw materials into a product? Does the organization
identified and
provide a service where human resources and expertise is the main ingredient for business
communicated.
operations? Is the organization in the middle of a larger supply chain ecosystem? How does the
organization earn revenue from it's customers? How does the sales function get what it needs
to sell a product or service to customers?
ID.BE-2: The
organization’s place in Organizational leadership, operations and engineering staff may determine how the
critical infrastructure organization fits into a Critical Infrastructure ecosystem. The following questions can be
and their industry answered: Does this organization supply a product or service to critical infrastructure that
ecosystem is identified supports the functioning of our society or economy? Does this organization supply a product or
ID.BE Business and communicated. service to the government to support the security of our society or economy?
Environment
ID.BE-3: Priorities for Organizational leadership, operations and engineering staff can determine the organization's
organizational mission, mission and its primary business objectives as an ongoing concern. The sub‐organizations that
objectives and activities are deemed critical to operating the business can be prioritized such that key decision makers
are established. are very aware of their responsibilities and available human and physical resources.
ID.BE-4: Dependencies and critical
Organizational leadership, operations and engineering staff can determine critical functions for
functions for delivery of critical
delivery of critical services.
services are established.
Once the organizational leadership, operations and engineering staff has determined critical
ID.BE-5: Resilience functions for delivery of critical services. Then they can determine redundant, sometimes
requirements to support duplicative methods for delivery of critical components, supplies and materials. This may
delivery of critical services are include but not limited to redundant circuits for communications, alternate secondary
established. suppliers of fuel, secondary suppliers of critical components, secondary shipping and delivery
providers, alternate means of communicating with government officials and first responders.
68
An organization's executive and technical leadership can determine which information
ID.GV-1: Organizational and data types that can be protected from threats. Critical financial and technical data
information security policy may be protected and secured from unauthorized access and can address privacy
is established. considerations. Other types of information may be allowed to reach certain people on
a need‐to‐know basis, in order to perform their jobs.
Once the information security policies are established within an organization, these
policies can be conveyed to the appropriate levels of executives, management, and
ID.GV-2: Information security staffing, such that everyone knows their responsibilities in protecting various types of
roles and responsibility are information. External policies and procedures for protecting information can also be
coordinated and aligned. developed. These externally facing information security policies and procedures can
also be strongly conveyed to external suppliers, partners, peers and 3rd party entities
that support the organization.
An organization's executive and technical leadership can include the
organization's legal counsel and/or legal staff in the development of cybersecurity and
ID.GV-3: Legal and regulatory
ID.GV Governance information protection policies. They can ensure that these new cybersecurity and
requirements regarding
information protection policies conform to and do not violate privacy laws and civil
cyber security, including
liberties obligations. Once the legal details of the cybersecurity and information
privacy and civil liberties
protection policies are established, they can be conveyed to the entire organization's
obligations, are understood
staff. Staff confirmation and possibly acceptance of these cybersecurity and
and managed.
information protection policies may need to be obtained. Non‐acceptance by certain
individuals, may dictate what responsibilities are assigned to them.
Once an organization creates an ongoing Threats/Risk catalog, they may progress to
developing the appropriate cyber risk management responses by all of the
sub‐organizations that play a role of managing and responding to these risks. These
ID.GV-4: Governance and risk
appropriate responses, may include, but not be limited to the 5 phases of emergency
management processes
management; Prevention, Mitigation, Preparedness, Response, and Recovery. The
address cyber-security risks.
appropriate responses may describe "Who does What, and When" for every identified
risk in the risk catalog. These responses can include every sub‐organization from the
top executives all the way through to the most remote member of an organization.
69
Technical staff may research publicly available information and vendor proprietary
information to learn of all of the publicly‐known vulnerabilities of the critical hardware,
ID.RA-1: Asset software, database and network resources of an organization. The technical staff may also
vulnerabilities are research cyber‐criminal elements for vulnerabilities that are not public or known by the
identified and vendors. Once documented and key organizational decision makers can be alerted. Technical
documented. staff may subscribe to websites and news boards that exist for the sole purpose of spreading
details of found technical vulnerabilities over the Internet. An organization may outline what
systems should be monitored,
ID.RA-2: Threat and
Technical staff may research publicly available information and vendor proprietary
vulnerability information is
information to learn of all of the publicly‐known vulnerabilities of the critical hardware,
received from information-
software, database and network resources of an organization.
sharing forums and sources.
ID.RA-3: Threats to Technical staff may research publicly available information and vendor proprietary
organizational assets are information to learn of all of the publicly‐known vulnerabilities of the critical hardware,
identified and documented. software, database and network resources of an organization
ID.RA Risk Assessment
Organizational leadership, operations and engineering staff may determine the
primary‐critical functions and services that make the organization operate as an ongoing
ID.RA-4: Potential impacts are
concern. They can ask the questions: "If we lost <function>, can we continue to operate our
analyzed.
business and business plan(s)?" An example of this exercise may be similar to: "If e lost our
<website>, could we still deliver services to our customers?"
ID.RA-5: Risk responses are The organization may build a list, chart or table to identify threats and vulnerabilities to the
identified. critical business functions, their systems, their networks and their software.
Once an organization creates an ongoing Threats/Risk catalog, they may progress to
developing the appropriate cyber risk management responses by all of the sub‐organizations
ID.RA‐6: Risk responses are that play a role of managing and responding to these risks. These appropriate responses, may
identified and prioritized include, but not be limited to the 5 phases of emergency management; PREVENTION,
MITIGATION, PREPAREDNESS, RESPONSE, and RECOVERY. The appropriate responses may
describe "Who does What, and When" for every identified risk in the risk catalog. These
responses may include every sub‐organization from the top executives all the way through to
the most remote member of an organization.
70

ID.RM Risk The appropriate cyber risk management responses, may include, but not be
Management limited to the 5 phases of emergency management; PREVENTION, MITIGATION,
PREPAREDNESS, RESPONSE, and RECOVERY. The appropriate responses should
ID.RM-1: Risk management
describe "Who does What, and When" for every identified risk in the risk catalog.
processes are managed and
These responses should include every sub‐ organization from the top executives all
agreed to
the way through to the most remote and junior member of an organization. These
responses can also include the timeliness of each response, to include, but not
limited to immediate responses through, timelines needed based on dependencies.
The appropriate cyber risk management responses, may include, but not be
limited to the 5 phases of emergency management; PREVENTION, MITIGATION,
PREPAREDNESS, RESPONSE, and RECOVERY. The appropriate responses may describe
ID.RM-2: Organizational risk tolerance is
"Who does What, and When" for every identified risk in the risk catalog. These
determined and clearly expressed
responses can include every sub‐organization from the top executives all the way
through to the most remote member of an organization. These responses may also
include the timeliness of each response, to include, but not limited to immediate
response through, timelines needed based on dependencies. ‐
Organizational leadership, operations and engineering staff may determine how the
organization fits into a Critical Infrastructure ecosystem. The following questions
should be answered: Does this organization supply a product or service to critical
infrastructure that supports the functioning of our society or economy? Does this
ID.RM-3: The organization’s
organization supply a product or service to the government to support the security of
determination of risk tolerance is
our society or economy? The organization may understand and communicate its role,
informed by their role in critical
responsibilities and criticality within a Critical Infrastructure ecosystem to its entire
infrastructure and sector specific risk
staff. The sub‐organizations that are deemed critical to operating the business can be
analysis
prioritized such that key decision makers are very aware of their responsibilities and
available human and physical resources. This sub‐ organization prioritization must
also be conveyed to the entire staff in such a way that every person know whom
(internally and externally) to take direction from
71
The organization can determine "who‐internally" needs to know "what“ information, "when" and "how"
will that information be delivered. The organization can take into account "all" internal communications
with: Tiers I, II, III of critical infrastructure related operations, network ops centers, engineering, technical
management, program/project management, customer service, IT, sales, C‐suite officials, billing,
accounting, human resources, security offices etc. Once these communication paths and flows have been
PR.AC-1: Identities and determined the organization can set access controls‐ business process rules within various systems to
credentials are managed allow authorized personnel to reach their required information, when they need it to perform their job
for authorized devices and function. The entire flow of information that describes who‐what‐when‐how must be documented and
users conveyed through ongoing training, to the effected personnel. The organization can determine
"who‐externally" needs to know "what" information, "when" and "how" will that information be
delivered. The organization must take into account "all" external communications with: vendors /
suppliers, emergency responders, government officials, peers, customers, public facing websites,
customer portals, contact centers, legal entities, executive communications, billing interfaces,
eCommerce interfaces, mobile/remote employees etc.
PR.AC Access
Control The organization should determine whom within, internal and external to the entire organization, can be
allowed "PHYSICAL" access to critical infrastructure networks systems, computing systems, storage
PR.AC-2: Physical access systems, databases, email systems, technical spaces, data centers, wiring closets, servers rooms, devices,
to resources is managed tools, vehicles etc. that allow the organization to be an on‐going concern. These critical systems should
and secured be protected from unauthorized 'physical' access by locked doors, locked equipment cabinets, locked file
and software cabinets, locked fencing, biometric locks to shared technical areas, locked vehicles, locked
property and even building/landscaping designs to prevent brute‐force entries to critical areas.
The organization should determine whom within, internal and external to the entire organization, can be
allowed "REMOTE" access to critical infrastructure networks systems, computing systems, storage
systems, databases, email systems, technical spaces, data centers, wiring closets, servers rooms, devices,
PR.AC-3: Remote access is
tools, vehicles etc. that allow the organization to be an on‐going concern. These critical systems should
managed
be protected from unauthorized 'REMOTE' access by mechanisms including, but not limited to: firewalls,
USERNAME/PASSWORDs, mult‐factor identification, access control lists, scheduling limits, VPN access,
LAN/WAN access, biometrics, encryption keys etc.
72
Organization may implement an Access‐Permission policy based on

Separation of duties and Least Privilege. Separation of duties requires dividing all
organizational functions among multiple people to limit the possibility that one employee
could harm an organization without the cooperation of others. In general, employees are less
PR.AC-4: Access permissions
likely to engage in malicious acts if they should collaborate with other employees. Ideally,
are managed
organizations may include separation of duties in the design of their business processes and
enforce these processes through technical and nontechnical means. The separation of duties
policy also requires implementation of least privilege, which means authorizing people to use
PR.AC Access only the resources needed to do their job
Control
The organization's technical and operations staff may design their critical
infrastructure networks, such that they can withstand attacks, nodal failures and resources
outages. A suggested approach is to segment the network design into smaller segments, so if
PR.AC-5: Network integrity is an anomaly occurs at one location or node, it can be isolated and not take down the entire
protected network. It is understood that segmentation may not be applicable to all network scenarios,
but it should be considered by the organization and evaluated for its ability to maintain
network integrity. Alternatives to network segmentation may be explored in order to achieve
comparable levels of resiliency.
73
Organizational leadership, operations and engineering staff should determine

who (by job function) needs to know what information within the entire organization. Following
this exercise, various levels of cybersecurity responsibilities and leadership can be assigned.
PR.AT-1: General users are These levels of cybersecurity responsibilities will include but not limited to: Security of entire
informed and trained. infrastructure, security of groups of systems / applications / databases / SW / devices, security
of individual systems / applications / database / SW / devices, as well as security of internal and
external communications channels. The cybersecurity leadership can then develop cybersecurity
policies and procedures, then train the appropriate staff of these cybersecurity procedures.
The organization may determine "who‐internally" needs to know "what“ information, "when"
and "how" will that information be delivered. The organization can take into account "all"
internal communications with: Tiers I,II,III of critical infrastructure related operations, network
PR.AT-2: Privileged ops centers, engineering, technical management, program/project management, customer
PR.AT Awareness users understand service, IT, sales, C‐suite officials, billing, accounting, human resources, security offices etc. Once
and Training roles and these communication paths and flows have been determined the organization can set access
responsibilities. controls‐ business process rules within various systems to allow authorized personnel to reach
their required information, when they need it to perform their job function. The entire flow of
information that describes who‐what‐ when‐how can be documented and conveyed through
ongoing training, to the effected personnel.
and "how" will that information be delivered. The organization may take into account "all"
PR.AT-3: Third-party
stakeholders (suppliers,
ops centers, engineering, technical management, program/project management, customer
customers, partners)
service, IT, sales, C‐suite officials, billing, accounting, human resources, security offices etc. Once
understand roles and
these communication paths and flows have been determined the organization can set access
responsibilities.
controls‐ business process rules within various systems to allow authorized personnel to reach
their required information, when they need it to perform their job function.
74
PR.AT-4: Senior ops centers, engineering, technical management, program/project management, customer
executives understand service, IT, sales, C‐suite officials, billing, accounting, human resources, security offices etc.
roles and Once these communication paths and flows have been determined the organization should set
responsibilities. access controls‐ business process rules within various systems to allow authorized personnel to
reach their required information, when they need it to perform their job function. The entire
flow of information that describes who‐what‐ when‐how may be documented and conveyed
through ongoing training, to the effected personnel
PR.AT Awareness
and Training
PR.AT-5: Physical and ops centers, engineering, technical management, program/project management, customer
information security service, IT, sales, C‐suite officials, billing, accounting, human resources, security offices etc.
personnel understand Once these communication paths and flows have been determined the organization must set
roles and responsibilities. access controls‐ business process rules within various systems to allow authorized personnel to
reach their required information, when they need it to perform their job function. The entire
flow of information that describes who‐what‐ when‐how can be documented and conveyed
through ongoing training, to the effected personnel.
75

MITIGATE / RESPOND and RECOVER from cyber‐attack incidents for critical infrastructure.
* Organizations with Data centers or connect with (Cloud) Data Centers should establish
a benchmark of what applications reside in the datacenter. This benchmark may include,
but not limited to: File activity / Authorized Access Accounts / Data flow activity /
PR.DS-1: Data at rest is protected. Software version control / Database snapshots / Communications ports / Protocols in use
/ VM quantities and activity. Organizations should classify, compartmentalize and
segment their critical assets and data. Establish “Zones” of various levels of trust,
including a “Zero‐Trust” Zone for the most critical data and network assets. Zero‐Trust
Zones mean no default trust is allowed for any entity, user, device, application, or packet
regardless of what it is and its location in the network.

MITIGATE / RESPOND and RECOVER from cyber‐attack incidents for critical infrastructure.
PR.DS Data Security * Organizations with Data centers or connect with (Cloud) Data Centers should establish
a benchmark of what applications reside in the datacenter. This benchmark may include,
but not limited to: File activity / Authorized Access Accounts / Data flow activity /
PR.DS-2: Data in motion is secured. Software version control / Database snapshots / Communications ports / Protocols in use
/ VM quantities and activity. Organizations may classify, compartmentalize and segment
their critical assets and data. Establish “Zones” of various levels of trust, including a
“Zero‐Trust” Zone for the most critical data and network assets. Zero‐Trust Zones mean
no default trust is allowed for any entity, user, device, application, or packet regardless of
what it is and its location in the network.
PR.DS-3: Assets are formally Organizations can monitor and control critical infrastructure asset configuration and
managed throughout installation changes. Only authorized staff and departments may be allowed to change
removal, transfers and the physical and virtual configurations of critical assets, software, applications, databases
disposition. and stored data.
76
Organizations should ensure that bandwidth, physical circuits, virtual circuits,

PR.DS-4: Adequate
available frequencies, computing capacity, data storage, virtual machines, and asset capacities
capacity to ensure
are kept at levels that exceed the minimum required levels by 30‐100%, such that failed critical
availability is
infrastructure assets can have their functions shifted to working assets in order to maintain
maintained.
maximum desired availability.
Organizations may consider deploying various tools and technologies to PREVENT / MITIGATE /
RESPOND and RECOVER from cyber‐attack incidents on critical infrastructure. Organizations
with Data centers or connect with (Cloud) Data Centers should establish a benchmark of what
applications reside in the datacenter. This benchmark may include, but not limited to: File
activity / Authorized Access Accounts / Data flow activity / Software version control / Database
snapshots / Communications ports / Protocols in use / VM quantities and activity.
PR.DS-5: There is protection
Organizations can classify, compartmentalize and segment their critical assets and data.
against data leaks.
Establish “Zones” of various levels of trust, including a “Zero‐Trust” Zone for the most critical
PR.DS Data Security data and network assets. Zero‐Trust Zones mean no default trust is allowed for any entity, user,
device, application, or packet regardless of what it is and its location in the network.
Organizations may only allow granular control of devices, data, content, network access and
applications to only authorized users and authorized sub‐organizations.
.
Organizations may consider deploying various tools and technologies to PREVENT / MITIGATE /
RESPOND and RECOVER from cyber‐attack incidents on critical infrastructure. Organizations
PR.DS-6: Integrity checking with Data centers or connect with (Cloud) Data Centers should establish a benchmark of what
mechanisms are applications reside in the datacenter. This benchmark may include, but not limited to: File
used to verify activity / Authorized Access Accounts / Data flow activity / Software version control / Database
software, firmware, snapshots / Communications ports / Protocols in use / VM quantities and activity.
and information Organizations can classify, compartmentalize and segment their critical assets and data.
integrity Establish “Zones” of various levels of trust, including a “Zero‐Trust” Zone for the most critical
data and network assets. Zero‐Trust Zones mean no default trust is allowed for any entity, user,
device, application, or packet regardless of what it is and its location in the network.
77
Organizations should ensure that all critical infrastructure development and

PR.DS‐7: The development and testing
testing systems, servers, storage and networking assets are completely
environment(s) are separate from the
disconnected from the public Internet and completely disconnected from "Live"
production environment
production‐customer serving networks and systems.
PR.DS-8: Separate testing
PR.DS Data Security environments are used in system None
development.
PR.DS-9: Privacy of individuals and

personally identifiable information (PII) None
is protected.
78
Organizations may monitor and establish BASELINE critical infrastructure
network traffic, file access, database activity, software modifications, stored data
access, and overall asset behavior, in order to better detect anomalies, unauthorized
PR.IP-1: A baseline configuration of access, breaches and attacks. Organizations can scan and certify all new network
information connected and mobile devices before they can be placed into service. Organizations
technology/operational technology with Data centers or connect with (Cloud) Data Centers should establish a benchmark
systems is created. of what applications reside in the datacenter. This benchmark may include, but not
limited to: File activity / Authorized Access Accounts / Data flow activity / Software
version control / Database snapshots / Communications ports / Protocols in use / VM
quantities and activity.
PR.IP-2: A system development Organizations using a systems‐software development lifecycle (SDLC) approach, may
lifecycle to manage systems is incorporate security into every phase of planning, analysis, design, and
implemented. implementation of all of their critical infrastructure systems.
PR.IP Information
Protection Organizations can monitor and control critical infrastructure asset configuration and
PR.IP-3: Configuration change installation changes. Only authorized staff and departments may be allowed to change
control processes are in place. the physical and virtual configurations of critical assets, software, applications,
databases and stored data.
Organizations may establish a critical infrastructure data and systems backup
PR.IP-4: Backups of information are
policy, and required procedures. Once the procedures are established they can be
managed.
tested, updated and then conveyed to the authorized data owners and staff.
PR.IP-5: Policy and regulations Organizations can consider building a Security Team of staff or use external security
regarding the physical operating resources with the following roles included, but not limited to: Incident Responders /
environment for organizational assets Digital Forensics / Investigators / Security Leadership / Compliance Auditor / Legal
are met. Professional / Security Operations
Organizations can monitor and control critical infrastructure asset
PR.IP-6: Information is destroyed
configuration and installation changes. Only authorized staff and departments may be
according to policy and
allowed to change the physical and virtual configurations of critical assets, software,
requirements.
applications, databases and stored data.
79
Organizations can strive to identify a cyber incident as rapidly as possible and

PR.IP-7: Protection processes are
reach incident containment within 1 to 4 hours. Organizations can track and
measure performance times and seeks ways to reduce time to containment.
PR.IP-8: Information Organizations may share what they learn about Threats, Attacks, Signatures,
sharing occurs with and remediation/recovery information with trusted organizations,
appropriate parties. government entities and trusted industry peers.
PR.IP-9: Response plans Organizations may develop/document a formalized Incident Response Plan. This Incident
(business continuity plan(s), Response Plan should contain, but not limited to the following areas: Preparation / Incident
disaster recovery plan(s), Identification / Incident Containment / Incident‐Threat Eradication / Recovery / and Lessons
incident handling plan(s) are in Learned. This Incident Response Plan may be approved by the highest levels of
place and managed. organizational leadership and by all data/system/network owning business units.
PR.IP Information Organizations may TEST formalized Incident Response Plans on a regular and frequent
Protection basis. This Incident Response TESTING can contain, but not limited to the following areas:
PR.IP-10: Response plans are Preparation / Incident Identification / Incident Containment / Incident‐Threat Eradication /
exercised. Recovery / and Lessons Learned. This Incident Response TESTING may be coordinated with
all levels of organizational leadership and by all data/system/network owning business
units.
PR.IP-11: Cyber security is
included in human resources Organizations, sub‐organizations and all data owners who manage and maintain
practices (including de- information technology assets may receive comprehensive training on implementing
provisioning, personnel screening cybersecurity best practices.
and others).
PR.IP‐12: A vulnerability
management plan is developed and Organizations may establish and document a Threats/Vulnerabilities management plan as it
implemented relates to critical infrastructure
80

PR.MA
Maintenance Organizations may monitor and control critical infrastructure
PR.MA-1: Maintenance and repair of organizational assets asset configuration and installation changes. Only authorized
is performed and logged in a timely manner, with approved staff and departments may be allowed to change the physical
and controlled tools. and virtual configurations of critical assets, software,
applications, databases and stored data.
PR.MA-2: Remote maintenance of organizational assets Organizations may monitor and control critical infrastructure
is approved, logged and performed in a manner that asset configuration and installation changes. Only authorized
prevents unauthorized access and supports availability staff and departments may be allowed to change the physical
requirements for important operational and information and virtual configurations of critical assets, software,
systems. applications, databases and stored data.
81
Organizations may collect data and track all activities with critical
infrastructure assets. This may include, but not limited to logging of all logins,
PR.PT-1: Audit and log records are
applications used, files accessed/copied/downloaded, all doors opened,
stored in accordance with audit policy.
Internet connections/URLs / times these events occurred and who conducted
these activities.
Organizations may identify all possible threats and vulnerabilities to their
PR.PT-2: Removable media are
infrastructure assets, including, but not limited to: Unauthorized Access / Data
protected according to a specified
Breaches / Malware / DDoS / Advanced Persistent Threats / Zero‐day
policy.
Attacks / Phishing / SQL Injections / USB injected bots / and False alarms.
The organization can determine "who‐internally" needs to know "what"
information, "when" and "how" will that information be delivered. The
PR.PT Protective organization may take into account "all" internal communications with: Tiers
PR.PT-3: Access to systems and assets is
Technology I,II,III of critical infrastructure related operations, network ops centers,
appropriately controlled.
engineering, technical management, program/project management, customer
service, IT, sales, C‐suite officials, billing, accounting, human resources,
security offices etc
Organizations may protect critical infrastructure related physical and virtual
PR.PT-4: Communications networks are circuits, networks and communications systems from attack and DDoS by
secured. employing Next‐Gen firewalls, session border controllers (SBC), IPv6,
encryption technologies and the latest cyber/network security best practices.
PR.PT-5: Specialized systems are
protected according to the risk analysis
(SCADA, ICS, DLS). None
82
The organization and appropriate staff can develop, document, and maintain under
configuration control, a current baseline configuration of the critical infrastructure
DE.AE-1: A baseline of normal information system. Baseline configurations include information about information system
operations and procedures is components (e.g. standard software packages installed on workstastions, notebook
identified and managed. computers, servers, network components, or mobile devices) along with the network
topology. The organization may maintain baseline configurations by creating new baselines
as organizational informational systems change over time.
The organization and appropriate staff can correlate incident information and individual
incident responses to achieve an organization‐wide perspective on incident awareness and
DE.AE-2: Detected events are response for critical infrastructure. The organization may also employ automated
analyzed to understand attack mechanisms to integrate audit review, analysis, and reporting processes to support
targets and methods. organization processes for investigation and response to suspicious activities. The
organization then may analyze and correlate audit records across different repositories to
gain organization‐wide situational awareness.
DE.AE Anomalies The organization and appropriate staff can properly track and document information system
and Events security incidents for critical infrastructure. This can include an automated mechanism to
DE.AE-3: Cyber-security data is
assist in the tracking of security incidents and the collection and analysis of incident
correlated from diverse
information. Also, the organization and appropriate staff may develop an incident response
information sources.
plan that defines the resources and management support needed to effectively maintain
and mature your incident response capabilities.
DE.AE-4: Impact of potential The organization and appropriate staff can coordinate with external organizations to
cyber-security events is correlate and share incident information to achieve a cross‐ organization perspective of the
determined. security event as it relates to critical infrastructure.
When organizations employ monitoring, scanning and collection functions, and baselines
have been set for 'normal' behavior, the organization may establish thresholds of incident
DE.AE-05: Incident alert thresholds
alerts, where valid problems are alerted upon, and keeps false alarms to a minimum. This
are created.
can be an iterative process and the thresholds should be adjusted as the organization learns
more details of 'normal' behavior as it relates to critical infrastructure.
83
The organization and appropriate staff monitors the information system to detect attacks
and indicators of potential attacks in accordance with defined monitoring objectives for
DE.CM-1: The network is critical infrastructure. The organization may be looking for unauthorized local, network,
monitored to detect potential and remote connections. To accomplish this organization may deploy monitoring devices
cyber-security events. strategically within the information system to collect organization‐determined essential
information, and at ad hoc locations within the system to track specific types of
transactions of interests to the organization.
DE.CM-2: The physical

environment is monitored to For critical infrastructure, the organization and appropriate staff may establish procedures
detect potential cyber- for monitoring and alarming when physical or environmental security is compromised.
DE.CM Security security events.
Continuous
Monitoring The organization and appropriate staff may identify and select the proper types of critical
DE.CM-3: Personnel activity
infrastructure information, system accounts to support, i.e. administrator, user, etc. The
is monitored to detect
organization can then assign account managers for the system information accounts,
potential cyber-security
establish account privileges, and monitor the use of information system accounts, including
events.
deleting accounts promptly and when necessary.
For critical infrastructure, the organization and appropriate staff employs malicious code
DE.CM-4: Malicious code is
protection mechanisms at information system entry and exit points to detect and eradicate
detected.
malicious code.
84
DE.CM-5: Unauthorized For critical infrastructure, the organization and appropriate staff may define
mobile code is detected. acceptable and unacceptable mobile code and mobile code technologies.
For critical infrastructure, organizations may require that service providers of

DE.CM-6: External service external information system services comply with organizational information security
providers are monitored. requirements and employ mechanisms to monitor compliance by external providers
on an ongoing basis.
DE.CM Security
Continuous For critical infrastructure, the organization and appropriate staff may develop
Monitoring a monitoring strategy and implement a continuous monitoring program, which
DE.CM-7: Unauthorized
includes organization metrics to be monitored and the frequency at which to monitor
resources are monitored.
these metrics. The organization can analyze and assess the information that is
generated by this monitoring program for any anomalies or security concerns.
For critical infrastructure, the organization and appropriate staff can scan for
vulnerabilities in the information system and hosted applications at a defined
DE.CM-8: Vulnerability
frequency and when new vulnerabilities potentially affecting the system/applications
assessments are performed.
are identified and reported. The process may include analyzing the scans and
correcting legitimate vulnerabilities.
85
The organization and appropriate staff develops a security assessment plan that describes
the scope of the assessment, including employing assessors or assessment teams with a
level of independence to conduct security control assessments of critical infrastructure
DE.DP-1: Roles and
assets. Independent assessors or assessment teams are individuals or groups who conduct
responsibilities for detection are
impartial assessments of organizational information systems. To achieve impartiality,
well defined to ensure
assessors should not: (i) create a mutual or conflicting interests with the organizations
accountability.
where the assessments are being conducted; (ii) assess their own work; (iii) act as
management or employees of the organization they are serving; or (iv) place themselves in
positions of advocacy for the organizations acquiring their services.
DE.DP-2: Detection activities
comply with all applicable
requirements, including those None
related to privacy and civil
liberties.
The organization and appropriate staff may test critical infrastructure intrusion‐monitoring
DE.DP Detection DE.DP-3: Detection processes
tools at a defined frequency. Testing intrusion‐ monitoring is necessary to ensure that the
Processes are exercised to ensure
tools are operating correctly and continue to meet the monitoring objectives of the
readiness.
organization.
The organization and appropriate staff may share information obtained from the
DE.DP-4: Event detection vulnerability scanning process and security control assessments with appropriate staff to
information is communicated to help eliminate similar vulnerabilities in other critical infrastructure information systems.
appropriate parties. This could include automatic alerts from the information system itself that conveys the
information to the appropriate staff.
The organization and appropriate staff may analyze communication
traffic/event patterns for the critical infrastructure information system; develop profiles
representing common traffic patterns and/or events; and use the traffic/event profiles for
DE.DP-5: Detection processes tuning system‐monitoring devices to reduce the number of false positives and the number
are continuously improved. of false negatives. In addition, the organization may use trend analysis to determine if
security control implementations, the frequency of continuous monitoring activities,
and/or the types of activities used in continuous monitoring process need to be modified
based on empirical data.
86

The organization and appropriate staff may provide the capability to
restore critical infrastructure information system components within a
RS.PL-1: Response plan is implemented specified time to a known operational state of the system. The
RS.PL Response Planning
during or after an event. organization and appropriate staff may also identify classes of
incidents and the appropriate responses to these incidents to ensure
a response plan can be carefully carried out.
87
The organization and supporting staff may develop an incident
response plan that provides a roadmap for implementing its incident
response capability; provides a high‐level approach for how the
RS.CO-1: Personnel know their roles and order
incident response capability fits into the overall organization; and
of operations when a response is needed.
defines reportable incidents etc. This plan may be provided to
organization‐defined incident response personnel as it relates to critical
infrastructure.
The organization and appropriate staff require the reporting of suspect

security incidents within a specified time to the appropriate personnel.
RS.CO-2: Events are reported consistent
The organization then may provide security incident information to
with established criteria.
other organizations involved in the supply chain for information
RS.CO systems or information system components related to the incident.
Communications RS.CO-3: Detection/response information, such as The organization and appropriate staff may incorporate into their
breach reporting requirements, is shared consistent critical infrastructure information system monitoring mechanism,
with response plans, including those related to automatic means to alert security personnel of inappropriate or
privacy and civil liberties. unusual activities with security implications.
RS.CO-4: Coordination with stakeholders occurs The organization and appropriate staff may coordinate its contingency
consistent with response plans, including those plan with the contingency plans of external service providers to ensure
related to privacy and civil liberties. that contingency requirements can be satisfied.
The organization and appropriate staff establish and institutionalize
RS.CO-5: Voluntary coordination occurs with
contact with selected groups and associations within the security
external stakeholders (for example: business
community. The organization may then develop a channel to receive
partners, information sharing and analysis centers
information system security alerts, advisories, and directives from
or customers).
these organizations on an ongoing basis.
88
RS.AN-1: Notifications from The organization and appropriate staff may review and analyzes critical
the detection system are infrastructure information system audit records at specified intervals for indications
investigated. of unauthorized activities. The anomalies can be reported to the appropriate staff.
Organization can determine the consequences of various cyber incidents as it

RS.AN-2: Understand the impact of the relates to critical infrastructure. These consequences may include, but not limited
incident. to impact to supply chain / degradation of public trust / financial and market losses
RS.AN Analysis / degradation of brand reputation / impact to critical infrastructure.
The organization and appropriate staff may deploy a critical infrastructure
information system which provides an audit reduction and report generation
RS.AN-3: Forensics are performed. capability. Audit reduction is a process that manipulates collected audit information
and organizes such information in a summary format that is more meaningful to
analysts.
RS.AN-4: Incidents are The organization and appropriate staff can track and document critical
classified consistent with infrastructure information system security incidents. This may include maintaining
response plans. records about the incidents, the status of the incidents, and how it was handling.
89

An organization and appropriate staff can coordinate incident handling activities with
contingency planning activities. This may include coordinating with mission/business
RS.MI-1: Incidents are contained.
owners, information system owners, authorizing officials human resources officials,
and physical and personnel security offices.
For critical infrastructure, appropriate and adequate Operations staff can implement
incident handling measures for security incidents that includes preparation,
RS.MI-2: Incidents are eradicated. detection and analysis, containment, eradication, and recovery. The measures
implemented may include lessons learned from ongoing incident handling activities.
RS.MI Mitigation These measures should also be incorporated into training and testing exercises.
RS.MI‐3: Newly identified For critical infrastructure, the organization and appropriate staff may develop
vulnerabilities are mitigated or a continuous monitoring strategy and implements a continuous monitoring program.
documented as accepted risks The program may include a list of organization units to be monitored, the metrics in
which to monitor them, and the frequency in which to employ such monitoring.
The organization and appropriate staff should not only incorporate lessons learned
RS.IM-1: Response plans incorporate from within the organization and particular organization groups, but should
lessons learned. continually coordinate with external service providers to ensure that their
capabilities are aligned with the organization.
RS.IM Improvements
The organization and appropriate staff may revisit the developed response
RS.IM-2: Response strategies are
strategies on a scheduled basis and re‐evaluate ongoing needs. This strategy
updated.
may be constantly reviewed and approved by appropriate staff leaders.
90

The organization provides for the recover and reconstitution of the critical
RC.RP Recovery Planning RC.RP-1: Recovery plan is executed.
infrastructure information system to a known state after a disruption, compromise, or
failure. Reconstitution takes place following recovery and includes activities for
returning organizational information systems to fully operational states.
RC.IM-1: Plans are updated with The organization and appropriate staff should not only incorporate lessons learned
lessons learned. from within the organization and particular organization groups, but should
RC.IM Improvements
continually coordinate with external service providers to ensure that their capabilities
are aligned with the organization.
For critical infrastructure, appropriate and adequate Operations staff may implement
RC.IM-2: Recovery strategy is
incident handling measures for security incidents that includes preparation, detection
updated.
and analysis, containment, eradication, and recovery. The measures implemented
should include lessons learned from ongoing incident handling activities. These
measures may also be incorporated into training and testing exercises.
For critical infrastructure, the organization and supporting staff can identify external
RC.CO-1: Public relations are
compliance requirements and review, and adjust policies, principles, standards,
managed.
procedures and methodologies to ensure that legal regulatory, privacy and contractual
requirements are addressed and communicated.
For critical infrastructure, the organization and supporting staff may identify external
RC.CO-2: Reputation after an event
RC.CO Communications compliance requirements and review, and adjust policies, principles, standards,
is repaired.
procedures and methodologies to ensure that legal regulatory and contractual
requirements are addressed and communicated.
RC.CO‐3: Recovery activities are The appropriate staff and organization leaders may identify essential missions and
communicated to internal business functions and their associated contingency requirements. The organization
stakeholders and executive and then can provide contingency roles and responsibilities to the appropriate individuals.
management teams Once finalized, the organization may distribute copies of this plan, update the plan as
need be, and protect the plan from unauthorized disclosure or modification.
91
Part 6: The Testing Center
92
The Testing Center
Test Plans Threat Modeling
Controls Testing Operations Testing
93
Threat Modeling
94
Controls Testing
Program Engine The C3 Test Analyzer Controls Engine
Identify
COBIT 5.0
Crown Jewels
ISO 27001
Protect CSC CSC
Identities
IEC 62443
Information
NIST 800-53
Detect
Applications
BSIMM V5
Infrastructure PCI DSS
Respond HIPAA
201 CMR 17
………………
Recover Enterprise Network
95
Penetration Testing Methodology
96
Penetration Testing Methodology
97
Part 7: The Program Office
98
The Written Information Security Program (WISP)
99
100
101
102
Part 8: The GRC Office
103
Governance Models
104
Communications Sector Risk Assessment
105
Risk Assessment Approach
106
Risk Assessment Approach
107
The Risk Assessment – Identify Function
Relevant Categories: Relevant Categories:
Asset Management (ID.AM): The data, personnel, devices, Financial: Barriers are dependent on the size of an organization, and
systems, and facilities that enable the organization to achieve costs are not linear. Marginal cost for improving Tier position is
business purposes are identified and managed consistent with often exponential. Nonetheless, enterprises should use the NIST
their relative importance to business objectives and the framework’s Tier definitions to determine their current posture, and
organization’s risk strategy. where they want to be.
Business Environment (ID.BE): The organization’s mission, Technology: There is no specific set of technologies for
objectives, stakeholders, and activities are understood and implementing the framework, as they are evolving and changing.
prioritized; this information is used to inform cybersecurity roles, Barrier is the complexity of the problem. Nonetheless, full
responsibilities, and risk management decisions. assessment of the Business Environment should be undertaken as a
starting point for risk management calculations.
Governance (ID.GV): The policies, procedures, and processes to Legal/Policy: Difficulties in differentiating between what is classified
manage and monitor the organization’s regulatory, legal, risk, and what is nonclassified information. For segments like Satellite,
environmental, and operational requirements are understood and differentiation between the federal government (classified) and
inform the management of cybersecurity risk. consumer/enterprise markets (unclassified) makes governance
determinations more complex
Risk Assessment (ID.RA): The organization understands the Operational: Challenge in obtaining and being able to discern what
cybersecurity risk to organizational operations (including mission, information is reliable and what is not in a complex threat
functions, image, or reputation), organizational assets, and environment. Nonetheless, undertaking a Risk Assessment on a
individuals. best-available basis is a necessary starting point for risk
management calculations.
Risk Management Strategy (ID.RM): The organization’s priorities, Financial: There is little cyber empirical data to support ROI
constraints, risk tolerances, and assumptions are established and calculations, as it is very difficult to determine risk exposure.
used to support operational risk decisions. Barriers can be mitigated, however, through the use of informed risk
management resources, such as the National Association of
Corporate Director’s Cyber Risk Oversight Handbook, published in
collaboration with the Internet Security Alliance.
108
The Risk Assessment – Protect Function
Access Control (PR.AC): Access to assets and associated facilities Financial: Legacy systems require significant investments to
is limited to authorized users, processes, or devices, and to implement framework, and there would be a lower ROI. Companies
authorized activities and transactions. should use the NIST Tier position analysis to determine where they
currently are, and where they want to be.
Awareness and Training (PR.AT): The organization’s personnel Operational: Difficult to implement and gauge effectiveness of
and partners are provided cybersecurity awareness education training in a complex threat environment.
and are adequately trained to perform their information
security-related duties and responsibilities consistent with
related policies, procedures, and agreements.
Data Security (PR.DS): Information and records (data) are Financial: Money spent on security controls cannot be accurately
managed consistent with the organization’s risk strategy to analyzed to determine their value. Companies should use the NIST
protect the confidentiality, integrity, and availability of framework’s Tiers to determine where they currently are, and
information. where they want to be.
Information Protection Processes and Procedures (PR.IP): Technology: Wide diversity of technologies and available solutions is
Security policies (that address purpose, scope, roles, a complexity barrier. Although unique systems, enterprises should
responsibilities, management commitment, and coordination analyze for common vulnerabilities/modes of exploitation that can be
among organizational entities), processes, and procedures are leveraged to overcome barriers.
maintained and used to manage protection of information
systems and assets.
Maintenance (PR.MA): Maintenance and repairs of industrial Operational: Implementing the Framework does not ensure that it is
control and information system components is performed being followed through as part of the business model. Enterprises
consistent with policies and procedures. should seek to align the Framework with on-going operations
wherever possible.
Protective Technology (PR.PT): Technical security solutions are Operational: Usage can be monitored, but it can be very difficult to
managed to ensure the security and resilience of systems and understand the effect. Using the NIST Framework Tier position
assets, consistent with related policies, procedures, and analysis, organizations can prioritize security measures.
agreements.
109
The Risk Assessment – Detect Function
Anomalies and Events (DE.AE): Anomalous activity is detected Operational: Difficult to determine the impact in real‐time.
in a timely manner and the potential impact of events is Enterprises should seek to align the Framework with on‐going
understood. operations wherever possible.
Security Continuous Monitoring (DE.CM): The information Operational: Companies are not actively monitoring all employee
system and assets are monitored at discrete intervals to identify activity. Implementing would require additional investments. Using
cybersecurity events and verify the effectiveness of protective the NIST Tier position analysis, organizations can prioritize
measures. security measures.
Detection Processes (DE.DP): Detection processes and Financial: There will be an additional CAPEX cost to procuring SIEM /
procedures are maintained and tested to ensure timely and IPS / IDS technologies and systems. There will be an additional OPEX
adequate awareness of anomalous events. cost to allocate, hire, train staff to be responsible for SIEM /
IPS / IDS technologies and systems.
110
The Risk Assessment – Respond Function
Planning (RS.RP): Response process and procedures are Financial: Additional CAPEX and OPEX cost to procuring BC and DR
executed and maintained, to ensure timely response to detected technologies and systems and training staff to recover systems and
cybersecurity events. data, in order to return the organization back to normal business
operations.
Communications (RS.CO): Response activities are coordinated Legal/Policy: Liability concerns could limit voluntary information
with internal and external stakeholders, as appropriate, to sharing. Liability Protection via CISPA and other Bills, as well as
include external support from law enforcement agencies. liability protection from self‐audit, should mitigate this barrier.
Analysis (RS.AN): Analysis is conducted to ensure adequate Operational: Lack of internal cyber security expertise in the areas of
response and support recovery activities investigation / security analysis / forensics / incident response / and
specialized technologies will hinder an effective response to an
attack, breach or loss of data.
Mitigation (RS.MI): Activities are performed to prevent Financial: The hacker/attacker community has an endless capacity to
expansion of an event, mitigate its effects, and eradicate the advance their missions, methods and attack technologies.
incident. Organizations are left to often times guess a hacker’s/attacker’s next
action and point of attack costing them time and money.
Improvements (RS.IM): Organizational response activities are Financial: Numerous False alarms, lack of dedicated security staff,
improved by incorporating lessons learned from current and lack of staff availability, lack of budget all could affect the
previous detection/response activities. organizations ability to keep their response strategies up to date.
111
The Risk Assessment – Recover Function
Recovery Planning (RC.RP): Recovery processes and procedures Financial: There will be an additional CAPEX cost to procuring DR
are executed and maintained to ensure timely restoration of technologies and offsite services like storage and data recovery.
systems or assets affected by cybersecurity events. There will be an additional OPEX cost to allocate, hire, train staff to
be responsible for Business Continuity and Disaster Recovery
Improvements (RC.IM): Recovery planning and processes are Operational: Lack of BC/DR Plans will hinder an effective recovery
improved by incorporating lessons learned into future activities. from an attack, breach or loss of data.
Communications (RC.CO): Restoration activities are coordinated Operational: Some staff, executives, shareholders and board
with internal and external parties, such as coordinating centers, members may disagree with the content and delivery time of press
Internet Service Providers, owners of attacking systems, victims, releases and official notifications.
other CSIRTs, and vendors.
112
Conclusions and Recommendations
There is currently a large and growing set of independent research, which has consistently shown that the primary problem
with respect to securing critical infrastructure is economic. Sources as varied as PWC, McAfee/Intel, CIO Magazine, and the
Center for Strategic and International Studies (CSIS).
As a general matter, mitigating some of the costs involved with voluntary adoption of the Framework will increase
awareness and overall implementation, particularly for small‐to‐ medium enterprises. Therefore, the barriers feeder group
recommends that the federal government resume the work on incentives that was initiated by four government agencies–
U.S. Departments of the Treasury, Commerce, and Homeland Security, and a General Services Administration
(GSA)/Department of Defense (DOD) joint effort– that was called‐for in EO 13636.
Even relatively homogenous critical infrastructure sectors, such as the Communications Sector, often have substantial
differences at the individual enterprise level. Incentives may need to be applied at the corporate level to be effective, and
only each individual corporate entity would be in a position to evaluate what policies and incentives work best for them.
Therefore, a menu of market incentives available for corporations that elect voluntary adoption of effective standards and
practices would best drive further adoption of the Framework.
The barriers feeder group suggests the FCC consider, and advocate for the federal government at‐large to develop a set of
economic incentives that will further Framework adoption.
113
Questions?
114

Program Management

Încărcat de

Informații document

Titlu original

Drepturi de autor

Formate disponibile

Partajați acest document

Partajați sau inserați document

Opțiuni de partajare

Vi se pare util acest document?

Este necorespunzător acest conținut?

Drepturi de autor:

Formate disponibile

Program Management

Încărcat de

Drepturi de autor:

Formate disponibile

Designing & Building a Cybersecurity Program

Based on the NIST Cybersecurity Framework (CSF)

Part 1: The Controls Factory

Part 2: The Threat Office Deliverables

Part 3: The Controls Office Deliverables

Part 4: The Technology Center Deliverables

Part 5: The Operations Center Deliverables

Part 6: The Testing Center Deliverables

Part 7: The Program Office Deliverables

Part 8: The GRC Office Deliverables

The Current Profile

Design Area Build & Run Area Management Area

Resilience, Operations &

Threat Control Technology Operations Testing Program GRC

(Cyber Observable eXpression)

Pre-exploit Exploit Data exfiltration

Credential Strategic File

Ways to infect: Java Ways to communicate

Understanding the cyber attack kill chain STAGE 01: RECON

STAGE 02: LURE STAGE 03: REDIRECT

 Using information collected in the RECON stage,

STAGE 04: EXPLOIT KIT STAGE 05: DROPPER FILE

STAGE 06: CALL HOME STAGE 07: DATA THEFT

The policies, procedures, practices and organizational

Control Types Controls Lifecycle

NIST Framework Components NIST Framework Core

NIST Framework Profile & Tiers Cyber Resilience Approach

Framework Controls Checklist

ISA 99.02.01 4.2.3.4

Asset Management (AM): The personnel, ISA 99.02.01 4.2.3.4

ISA 99.02.01 4.3.2.3.3

COBIT APO08.01, APO08.02, APO08.03, APO08.04,

ID.BE-2: The organization’s place in critical

ID.BE-5: Resilience requirements to support delivery of

Function Category Subcategory Informative References

ISA 99.02.01 4.3.2.6

Governance (GV): The policies,

ID.GV-4: Governance and risk

Function Category Subcategory Informative References

ISA 99.02.01 4.2.3, 4.2.3.7, 4.2.3.9, 4.2.3.12

ISA 99.02.01 4.2.3, 4.2.3.9, 4.2.3.12

ID.RA-5: Risk responses are identified. NIST SP 800-53 Rev. 4 PM-9

ID.RA‐6: Risk responses are identified and

Function Category Subcategory Informative References

ID.RM-1: Risk management ISA 99.02.01 4.3.4.2

ID.RM-3: The organization’s determination of

ISA 99.02.01 4.3.3.5.1

Access Control (AC): ISA 99.02.01 4.3.3.3.2, 4.3.3.3.8

ISA 99.02.01 4.3.3.4

Function Category Subcategory Informative References

ISA 99.02.01 4.3.2.4.2

ISA 99.02.01 4.3.2.4.2, 4.3.2.4.3

ISA 99.02.01 4.3.2.4.2

COBIT APO01.06, BAI02.01, BAI06.01, DSS06.06

PR.DS-6: Intellectual property is protected. COBIT APO01.03, APO10.02, APO10.04, MEA03.01

COBIT BAI06.01, BAI01.10

PR.IP-1: A baseline configuration of information ISA 99.02.01 4.3.4.3.2, 4.3.4.3.3

PR.IP-10: Response plans are exercised. NIST SP 800-53 Rev.4 IR-3

PR.MA-1: Maintenance and repair of organizational

ISA 99.02.01 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2,

COBIT DSS05.02, APO13.01

Function Category Subcategory Informative References

ISA 99.02.01 4.4.3.3