Cyber Security 101

Best Practices

Cybersecurity standards are techniques generally set forth in published materials that attempt to protect the cyber environment of a user or organisation. This cyber environment includes users, networks, devices, all software, processes, information in storage or transit, applications, services, and systems that can be connected directly or indirectly to networks. The critical objective of cybersecurity standards is to reduce the risks, including prevention or mitigation of cyber attacks. In order to be of benefit to organisations, these standards need to consist of published materials which embody collections of tools, policies, security concepts, security safeguards, guidelines, risk management approaches, actions, training, best practices, assurance and technologies.

There has been a considerable amount of collaboration between user groups and providers over the last several decades, in both domestic and international forums, to develop cybersecurity best practices and to address standards for cyber capabilities, policies and products. The most widely adopted US cybersecurity framework is the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF). In February 2015, the President issued an Executive Order (EO 13636 – Improving Critical Infrastructure Cybersecurity) directing NIST to develop the NIST CSF as a voluntary framework based on existing standards.

The NIST CSF is a tremendous resource for SMBs in that it presents a policy framework of computer security guidance describing how private sector organisations can assess and improve their ability to prevent, detect, and respond to cyber attacks. Version 1.0 came out in 2014; it was followed in 2017 by a draft version of the framework, version 1.1, which was circulated for public comment.

The NIST CSF organises its “core” material into five “functions”: Identify, Protect, Detect, Respond, and Recover. These functions are subdivided into a total of 22 “categories”, and the categories are in turn broken down into a total of 98 subcategories of cybersecurity outcomes and security controls.

One of the great advantages of the NIST CSF is that it references, and attempts to incorporate, a number of other well-respected information security standards such as ISO 27001, COBIT, NIST SP 800-53, ISA 62443, and the Council on CyberSecurity Critical Security Controls (CCS CSC, now managed by the Center for Internet Security).

Here are the functions and categories, along with their unique identifiers and definitions, quoted straight from the category column of the NIST CSF spreadsheet:

Identify

“Develop the organisational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.”

  • Asset Management (ID.AM): The data, personnel, devices, systems, and facilities that enable the organisation to achieve business purposes are identified and managed consistent with their relative importance to business objectives and the organisation’s risk strategy.
  • Business Environment (ID.BE): The organisation’s mission, objectives, stakeholders, and activities are understood and prioritized; this information is used to inform cybersecurity roles, responsibilities, and risk management decisions.
  • Governance (ID.GV): The policies, procedures, and processes to manage and monitor the organisation’s regulatory, legal, risk, environmental, and operational requirements are understood and inform the management of cybersecurity risk.
  • Risk Assessment (ID.RA): The organisation understands the cybersecurity risk to organisational operations (including mission, functions, image, or reputation), organisational assets, and individuals.
  • Risk Management Strategy (ID.RM): The organisation’s priorities, constraints, risk tolerances, and assumptions are established and used to support operational risk decisions.

Protect

“Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services.”

  • Access Control (PR.AC): Access to assets and associated facilities is limited to authorized users, processes, or devices, and to authorized activities and transactions.
  • Awareness and Training (PR.AT): The organisation’s personnel and partners are provided cybersecurity awareness education and are adequately trained to perform their information security-related duties and responsibilities consistent with related policies, procedures, and agreements.
  • Data Security (PR.DS): Information and records (data) are managed consistent with the organisation’s risk strategy to protect the confidentiality, integrity, and availability of information.
  • Information Protection Processes and Procedures (PR.IP): Security policies (that address purpose, scope, roles, responsibilities, management commitment, and coordination among organisational entities), processes, and procedures are maintained and used to manage protection of information systems and assets.
  • Maintenance (PR.MA): Maintenance and repairs of industrial control and information system components is performed consistent with policies and procedures.
  • Protective Technology (PR.PT): Technical security solutions are managed to ensure the security and resilience of systems and assets, consistent with related policies, procedures, and agreements.

Detect

“Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.”

  • Anomalies and Events (DE.AE): Anomalous activity is detected in a timely manner and the potential impact of events is understood.
  • Security Continuous Monitoring (DE.CM): The information system and assets are monitored at discrete intervals to identify cybersecurity events and verify the effectiveness of protective measures.
  • Detection Processes (DE.DP): Detection processes and procedures are maintained and tested to ensure timely and adequate awareness of anomalous events.

Respond

“Develop and implement the appropriate activities to take action regarding a detected cybersecurity event.”

  • Response Planning (RS.RP): Response processes and procedures are executed and maintained, to ensure timely response to detected cybersecurity events.
  • Communications (RS.CO): Response activities are coordinated with internal and external stakeholders, as appropriate, to include external support from law enforcement agencies.
  • Analysis (RS.AN): Analysis is conducted to ensure adequate response and support recovery activities.
  • Mitigation (RS.MI): Activities are performed to prevent expansion of an event, mitigate its effects, and eradicate the incident.
  • Improvements (RS.IM): Organizational response activities are improved by incorporating lessons learned from current and previous detection/response activities. 

Recover

“Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event.”

  • Recovery Planning (RC.RP): Recovery processes and procedures are executed and maintained to ensure timely restoration of systems or assets affected by cybersecurity events.
  • Improvements (RC.IM): Recovery planning and processes are improved by incorporating lessons learned into future activities.
  • Communications (RC.CO): Restoration activities are coordinated with internal and external parties, such as coordinating centers, Internet Service Providers, owners of attacking systems, victims, other CSIRTs, and vendors.