BRKSEC-1021 - Introduction To NIST Cybersecurity Framework
Cybersecurity Framework
for Your Security
Architecture & Plan
Michael Lin, Systems Engineering Manager
BRKSEC-1021
Agenda
• Risk Management
• NIST Cybersecurity Framework
• Using the NIST CSF
• Baldrige Cybersecurity Excellence Builder (CEB)
• Cisco’s Alignment to NIST CSF
Cisco Spark
Questions?
Use Cisco Spark to chat with the speaker after the session
How
1. Find this session in the Cisco Live Mobile App
2. Click “Join the Discussion”
3. Install Spark or go directly to the space
4. Enter messages/questions in the space
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public
Achieving Cybersecurity Excellence
Risk Management
What Plan Would You Choose?
Your Car: 2006 Acura TL, Book Value: $6500
Plan 1: Liability, $200/Year
Plan 2: Comprehensive, $300/Year
Plan 3: Collision, $600/Year
The Cyber Question
Risk Management 101
Potential Loss vs. Protection Costs
Risk Management Basics - F-A-R-M
Impossible to eliminate all risks
Frame: Establish a risk context...
Assess: Threats, Vulnerabilities, Harm, and Likelihood
Respond: Accept, Avoid, Mitigate, Transfer, or Share
Monitor: The threat landscape changes constantly!
Source: NIST SP 800-39, “Managing Information Security Risk”
Key Things About Cybersecurity
• Business operations
• Resources your business uses
• Where information resides
• Access to info/systems
• What to protect
NIST CSF
Improving Critical Infrastructure Cybersecurity
Executive Order 13636
February 2013
Who Is NIST???
Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure
Executive Order, May 2017
Leverages existing best practices
NIST CSF Gaining Momentum
“The NIST Cybersecurity Framework is now used by 30% of U.S. organizations, and is projected to reach 50% by 2020.”
Framework Basics
NIST CSF Components
• Framework Core
• Framework Profiles
• Framework Tiers
Core
NIST CSF Core
1. Functions: High-level cybersecurity goals (Identify, Protect, Detect, Respond, Recover)
2. Categories: Subdivide Functions into specific activities
3. Subcategories: Subdivide Categories into desired outcomes
4. Informative Resources: Standards references to achieve the outcomes
High Level Core View
Restore operations
Importance of People and Process
Only half of the Framework’s Categories are addressed by technology
Highlights the importance of both people and process in cybersecurity
Core
Informative Resources
Function: Identify (ID)
Category: Asset Management (ID.AM)
Subcategory: Physical device inventories (ID.AM-1)
Informative Resources:
• CIS Control 1
• COBIT 5 BAI09.01, BAI09.02
• ISA 62443-2-1:2009 4.2.3.4
• ISA 62443-3-3:2013 SR 7.8
• ISO/IEC 27001:2013 A.8.1.1, A.8.1.2
• NIST SP 800-53 Rev. 4 CM-8
CIS Control 1: Inventory of Authorized and Unauthorized Devices
Tiers
Reflect how an organization views cybersecurity risk and the processes in place to manage that risk
Tier 2 Risk Informed: Practices approved but not completely established by policy
Profiles
The alignment of the Framework Core with an organization’s business requirements, risk tolerance, and resources
Using the Framework
NIST CSF Use Cases
The seven-step cycle includes Step 3: Create Current Profile and Step 5: Create Target Profile
Step 2: Orient
Identify related systems, regulatory requirements, and overall risk approach
Step 3: Current Profile (example)
Step 4: Risk Assessment
Function ID, Category ID.AM:
ID.AM-1 Tier 1 and ID.AM-2 Tier 1: Unacceptably high risks
ID.AM-3 Tier 2, ID.AM-4 Unused, ID.AM-5 Tier 4, ID.AM-6 Tier 3: Acceptable risks at this time
Step 5: Target Profile
Function ID, Category ID.AM:
ID.AM-1 Tier 4
ID.AM-2 Tier 4
ID.AM-3 Tier 2
ID.AM-4 Unused
ID.AM-5 Tier 4
ID.AM-6 Tier 3
This is where we want to be
• Physical device and software inventories at Tier 4, “Adaptive”
• Practices fully established, continuously improved, and built into our overall risk management program
Step 6: Gap Analysis
Compare side by side: Fxn. / Cat. / Sub. / Current Profile against Fxn. / Cat. / Sub. / Target Profile
Step 7: Action Plan
Function ID, Category ID.AM:
ID.AM-1 Informative Resources:
• CIS Control 1
• COBIT 5 BAI09.01, BAI09.02
• ISA 62443-2-1:2009 4.2.3.4
• ISA 62443-3-3:2013 SR 7.8
• ISO/IEC 27001:2013 A.8.1.1, A.8.1.2
• NIST SP 800-53 Rev. 4 CM-8
ID.AM-2 Informative Resources:
• CIS Control 2
• COBIT 5 BAI09.01, BAI09.02, BAI09.05
• ISA 62443-2-1:2009 4.2.3.4
• ISA 62443-3-3:2013 SR 7.8
• ISO/IEC 27001:2013 A.8.1.1, A.8.1.2
• NIST SP 800-53 Rev. 4 CM-8
NIST SP 800-53 Revision 4, CM-8 / Information System Component Inventory
Control: The organization:
a. Develops and documents an inventory of information system components that:
1. Accurately reflects the current information system;
2. Includes all components within the authorization boundary of the information system;
3. Is at the level of granularity deemed necessary for tracking and reporting; and
4. Includes [Assignment: organization-defined information deemed necessary to achieve effective information system component accountability]
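Steps 3 through 7 above are one procedure: compare the Current and Target Profiles per subcategory, rank the gaps, and attach the informative resources. The following is an added example (not from the session slides) that runs that procedure over the deck's ID.AM sample; the Tier names Partial and Repeatable come from the NIST CSF, and the resource lists are trimmed to two entries per subcategory as an assumption.

```python
# Added example, not from the slides: gap analysis over the deck's ID.AM sample.
# Tier ordering follows NIST CSF: 1 Partial < 2 Risk Informed < 3 Repeatable < 4 Adaptive.
# "Unused" means the subcategory is out of scope and produces no gap.
TIER_ORDER = {"Unused": 0, "Tier 1": 1, "Tier 2": 2, "Tier 3": 3, "Tier 4": 4}

# Constructed sample data, copied from the Current Profile, Risk Assessment
# and Target Profile slides.
CURRENT = {"ID.AM-1": "Tier 1", "ID.AM-2": "Tier 1", "ID.AM-3": "Tier 2",
           "ID.AM-4": "Unused", "ID.AM-5": "Tier 4", "ID.AM-6": "Tier 3"}
TARGET = {"ID.AM-1": "Tier 4", "ID.AM-2": "Tier 4", "ID.AM-3": "Tier 2",
          "ID.AM-4": "Unused", "ID.AM-5": "Tier 4", "ID.AM-6": "Tier 3"}
UNACCEPTABLE = {"ID.AM-1", "ID.AM-2"}   # Step 4 outcome: unacceptably high risks

# Informative resources from the Action Plan slide (trimmed; assumption for brevity).
INFORMATIVE = {
    "ID.AM-1": ["CIS Control 1", "NIST SP 800-53 Rev. 4 CM-8"],
    "ID.AM-2": ["CIS Control 2", "NIST SP 800-53 Rev. 4 CM-8"],
}


def gap_analysis(current, target, unacceptable):
    """Step 6: one record per subcategory whose target tier exceeds its current tier."""
    gaps = []
    for sub in sorted(target):
        cur, tgt = current.get(sub, "Unused"), target[sub]
        if tgt == "Unused":            # out of scope at this time: no gap to close
            continue
        delta = TIER_ORDER[tgt] - TIER_ORDER[cur]
        if delta > 0:                  # already at or above target: nothing to do
            gaps.append({"subcategory": sub, "current": cur, "target": tgt,
                         "delta": delta, "unacceptable": sub in unacceptable})
    # Unacceptable risks first, then the largest tier jumps, then by name.
    gaps.sort(key=lambda g: (not g["unacceptable"], -g["delta"], g["subcategory"]))
    return gaps


def action_plan(gaps, informative):
    """Step 7: attach the informative resources a team would consult per gap."""
    return [dict(g, resources=informative.get(g["subcategory"], [])) for g in gaps]


if __name__ == "__main__":
    for item in action_plan(gap_analysis(CURRENT, TARGET, UNACCEPTABLE), INFORMATIVE):
        print(item)
```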
Continuous Improvement - Not Once & Done
The cycle repeats: Step 3 Create Current Profile, Step 5 Create Target Profile, and the steps around them
Levels: Senior Executive, Business/Process, Operations (Implementation)
Flows between levels: Framework Profiles; Implementation Progress, Changes in Assets, Vulnerabilities, and Threats
How Do You Discuss This?
Levels: Senior Executive, Business/Process, Operations
Flows between levels: Framework Profiles; Implementation Progress, Changes in Assets, Vulnerabilities, and Threats
NIST CSF
1 Determine the cyber activities that are essential to your strategy and service delivery
2 Prioritize your investments in managing cybersecurity risk
3 Determine how best to enable people to be risk conscious and security aware
4 Assess the efficiency and effectiveness of your use of cyber standards and practices
5 Assess the cybersecurity results you achieve
6 Identify strengths to leverage and priorities for improvement
Baldrige Cybersecurity
Excellence Builder
About Baldrige- Quality & Performance Excellence
Baldrige Cybersecurity Excellence Builder “CEB”
Baldrige CEB & NIST CSF Relationship
Self-Assessment Tool
Baldrige CEB
Categories: Organizational Context; Leadership; Strategy; Customers; Measurement, Analysis, and Knowledge Management; Workforce; Operations; Results; Integration; Core Values and Concepts
The Baldrige Cybersecurity Excellence Builder helps you understand and improve what is critical to your organization’s cybersecurity risk management
Baldrige CEB- Improve Your Cyber Performance
Start
Step 1: Decide on the scope
Step 7: Measure and evaluate your progress
Baldrige CEB- Sample Process & Results Questions
Process Questions
Results Questions
Baldrige CEB- Assessment Rubric
1 Reactive
2 Early
3 Developing
4 Mature
5 Leading
6 Exemplary
Baldrige CEB- Self Analysis Worksheet
Sample worksheet scores on the rubric: 6 Exemplary, 5 Leading, 3 Developing, 4 Mature; 3 Developing, 2 Early, 2 Early, 1 Reactive
Baldrige CEB- Benefits by Organizational Roles
Baldrige CEB- Crosswalk of CSF & CEB
Cisco Supports NIST CSF
Cybersecurity Excellence = Effective Security
Technology
Identify (ID):
• Asset Management
• Business Environment (Non-technical control area)
• Governance (Non-technical control area)
• Risk Assessment
• Risk Mgmt. Strategy (Non-technical control area)
Protect (PR):
• Access Control
• Awareness/Training (Non-technical control area)
• Data Security
• Info Protection Process (Non-technical control area)
• Maintenance
• Protective Technology
Cisco IT Aligns to NIST
“To me the most important thing is not which, but to pick one,
and align it to your own needs, threats and risk tolerance.”
Steve Martino
Cisco IT- VP CISO
Successful Adoption
• Know the NIST CSF & Baldrige CEB
• Leadership buy-in: sell it
• Form a team/committee
• Follow the 7 steps
• Adopt elements and make it your own
• Contact Cisco
Pitfalls to Avoid
• Don’t do it alone
• Never think it’s done
• Don’t adopt controls just to have
• Don’t think just “Critical Infrastructure”
• Not one size fits all
Summary
The Problem
Cybersecurity Risk Management
The Solution
NIST Cybersecurity Framework (CSF) + Baldrige CEB
Next Steps
CSF Reference Tool
References
Thank you
Appendix
Technology coverage by CSF Function and Category
Identify (ID):
• Asset Management
• Business Environment (Non-technical control area)
• Governance (Non-technical control area)
• Risk Assessment
• Risk Mgmt. Strategy (Non-technical control area)
Protect (PR):
• Access Control
• Awareness/Training (Non-technical control area)
• Data Security
• Info Protection Process (Non-technical control area)
• Maintenance
• Protective Technology
Detect (DE):
• Anomalies and Events
• Continuous Monitoring
• Detection Processes (Non-technical control area)
Respond (RS):
• Response Planning (Non-technical control area)
• Communications (Non-technical control area)
• Analysis
• Mitigation
• Improvements (Non-technical control area)
Recover (RC):
• Recovery Planning (Non-technical control area)
• Improvements (Non-technical control area)
• Communications (Non-technical control area)