| reviewdate |
|---|
| 2024-09-09 |
See also:
Journey To CSF 2.0 NIST CSWP 29 (Initial Public Draft)
The CSF 2.0 draft reflects a number of major changes, including (source):
- The framework’s scope has expanded — explicitly — from protecting critical infrastructure, such as hospitals and power plants, to providing cybersecurity for all organizations regardless of type or size. This difference is reflected in the CSF’s official title, which has changed to “The Cybersecurity Framework,” its colloquial name, from the more limiting “Framework for Improving Critical Infrastructure Cybersecurity.”
- Until now, the CSF has described the main pillars of a successful and holistic cybersecurity program using five main functions: identify, protect, detect, respond and recover. To these, NIST now has added a sixth, the govern function, which covers how an organization can make and execute its own internal decisions to support its cybersecurity strategy. It emphasizes that cybersecurity is a major source of enterprise risk, ranking alongside legal, financial and other risks as considerations for senior leadership.
- The draft provides improved and expanded guidance on implementing the CSF, especially for creating profiles, which tailor the CSF for particular situations. The cybersecurity community has requested assistance in using it for specific economic sectors and use cases, where profiles can help. Importantly, the draft now includes implementation examples for each function’s subcategories to help organizations, especially smaller firms, to use the framework effectively.
Discussion Draft of the NIST Cybersecurity Framework 2.0 Core
April 24, 2023 (source)
The table and text below show the proposed CSF 2.0 Core Functions, Categories, and Subcategories. Where a subcategory carries over from CSF 1.1, its former identifier is noted in parentheses; subcategories marked "Dropped" have been merged into the identifiers listed.
Govern (GV)
Organizational Context (GV.OC)
The organization's risk context, including mission, mission priorities, stakeholders, objectives, and direction, is understood (formerly ID.BE)
- GV.OC-01: ==Organizational mission== is understood in order to prioritize cybersecurity risk management (formerly ID.BE-2 and ID.BE-3)
- GV.OC-02: ==Internal and external stakeholders==, and their expectations regarding cybersecurity risk management, are determined
- GV.OC-03: ==Legal, regulatory, and contractual requirements== regarding cybersecurity, including privacy and civil liberties obligations, are understood and managed (formerly ID.GV-3)
- GV.OC-04: ==Critical objectives, capabilities, and services that stakeholders expect== are determined and communicated (formerly ID.BE-4 and ID.BE-5)
- GV.OC-05: ==Critical outcomes, capabilities, and services that the organization relies on== are determined and communicated (formerly ID.BE-1 and ID.BE-4)
Risk Management Strategy (GV.RM)
The organization’s priorities, constraints, risk tolerance and appetite statements, and assumptions are established and used to support operational risk decisions (formerly ID.RM)
- GV.RM-01: Cybersecurity risk management ==objectives== are established and agreed to by organizational stakeholders (formerly ID.RM-1)
- GV.RM-02: Cybersecurity ==supply chain risk management== strategy is established, agreed to by organizational stakeholders, and managed (formerly ID.SC-1)
- GV.RM-03: ==Risk appetite and risk tolerance statements== are determined and communicated based on the organization’s business environment (formerly ID.RM-2 and ID.RM-3)
- GV.RM-04: ==Cybersecurity risk management is considered part of enterprise risk management== (formerly ID.GV-4)
- GV.RM-05: Strategic direction describing ==appropriate risk response options==, including cybersecurity risk transfer mechanisms (e.g., insurance, outsourcing), investment in mitigations, and risk acceptance is established and communicated
- GV.RM-06: ==Responsibility and accountability== are determined and communicated for ensuring that the risk management strategy and program are resourced, implemented, assessed, and maintained
- GV.RM-07: Risk management ==strategy is reviewed and adjusted== to ensure coverage of organizational requirements and risks
- GV.RM-08: ==Effectiveness and adequacy== of cybersecurity risk management strategy and results are assessed and reviewed by organizational leaders
Roles and Responsibilities (GV.RR)
Cybersecurity roles and responsibilities are coordinated and aligned with all internal and external stakeholders to enable accountability, performance assessment, and continuous improvement (formerly ID.GV-2)
- GV.RR-01: ==Organizational leadership takes responsibility for decisions associated with cybersecurity risks and establishes a culture that is risk-aware, behaves in an ethical manner, and promotes continuous improvement==
- GV.RR-02: ==Roles and responsibilities related to cybersecurity risk management== are established and communicated (formerly ID.GV-2, ID.AM-6, and DE.DP-1)
- GV.RR-03: ==Roles and responsibilities for customers, partners, and other third-party stakeholders== are established and communicated (formerly ID.AM-6)
- GV.RR-04: ==Roles and responsibilities for suppliers== are established, documented in contractual language, and communicated (formerly ID.AM-6)
- GV.RR-05: ==Lines of communication across the organization== are established for cybersecurity risks, including supply chain risks
- GV.RR-06: ==Resourcing and authorities for cybersecurity== are decided commensurate with risk strategy, roles, and policies
- GV.RR-07: ==Cybersecurity is included in human resources practices== (e.g., training, deprovisioning, personnel screening) (formerly PR.IP-11)
Policies and Procedures (GV.PO)
Organizational cybersecurity policies, processes, and procedures are established and communicated (formerly ID.GV-1)
- GV.PO-01: Policies, processes, and procedures for managing cybersecurity risks are established based on organizational context, risk management strategy, and priorities and are communicated (formerly ID.GV-1)
- GV.PO-02: The same policies used internally are applied to suppliers
- GV.PO-03: Policies and procedures are reviewed, updated, and communicated to reflect changes in requirements, threats, technology, and organizational mission
Identify (ID)
Asset Management (ID.AM)
Assets (e.g., data, devices, software, systems, facilities, people) that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to organizational objectives and the organization’s risk strategy.
- ID.AM-01: ==Inventories of physical devices== managed by the organization are maintained
- ID.AM-02: ==Inventories of software and services== managed by the organization are maintained
- ID.AM-03: ==Representations of the organization’s authorized network communication and network data flows== are maintained (formerly ID.AM-3 and DE.AE-1)
- ID.AM-04: ==Inventories of external assets and suppliers== are maintained
- ID.AM-05: ==Assets are prioritized== based on classification, criticality, resources, and organizational value
- ID.AM-06: Dropped (moved to GV.RR-02, GV.RR-03, and GV.RR-04)
- ID.AM-07: ==Sensitive data and corresponding metadata== are inventoried and tracked
- ID.AM-08: Systems, devices, and software are ==managed throughout their life cycle==, including pre-deployment checks, preventive maintenance, transfers, end-of-life, and disposition (formerly PR.DS-3, PR.IP-2, PR.MA-1, and PR.MA-2)
Risk Assessment (ID.RA)
The organization understands the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals.
- ID.RA-01: Vulnerabilities in first-party and third-party assets are identified, validated, and recorded (formerly ID.RA-1 and DE.CM-8)
- ID.RA-02: Cyber threat intelligence is received from information sharing forums and sources
- ID.RA-03: Threats, both internal and external, are identified and recorded
- ID.RA-04: Potential business impacts and likelihoods are identified and recorded
- ID.RA-05: Threats, vulnerabilities, likelihoods, and impacts are used to determine exposure and inform risk prioritization
- ID.RA-06: Risk responses are chosen, prioritized, planned, tracked, and communicated (formerly ID.RA-6 and RS.MI-3)
- ID.RA-07: Changes are managed, assessed for risk impact, and recorded (formerly part of PR.IP-3)
- ID.RA-08: Risks associated with technology suppliers and their supplied products and services are identified, recorded, prioritized, and monitored (formerly ID.SC-2 and PR.DS-8)
- ID.RA-09: Processes for receiving, analyzing, and responding to vulnerability disclosures are established (formerly RS.AN-5)
- ID.RA-10: Exceptions to security measures are reviewed, tracked, and compensated for
Supply Chain Risk Management (ID.SC)
The organization’s supply chain risks are identified, assessed, and managed consistent with the organization’s priorities, constraints, risk tolerances, and assumptions.
- ID.SC-01: Dropped (moved to GV.RM-02)
- ID.SC-02: Dropped (moved to ID.RA-08)
- ID.SC-03: Cybersecurity requirements are integrated into contracts with suppliers and third-party partners
- ID.SC-04: Suppliers and third-party partners are routinely assessed using audits, test results, or other forms of evaluations to confirm they are meeting their contractual obligations
- ID.SC-05: Dropped (moved to ID.IM-02)
- ID.SC-06: Supplier termination and transition processes include security considerations
Improvement (ID.IM)
Improvements to organizational cybersecurity risk management processes and activities are identified.
- ID.IM-01: Continuous evaluation, including through reviews, audits, and assessments (including self-assessments), is applied to identify opportunities for improvement across all Framework Functions
- ID.IM-02: Security tests and exercises, including in coordination with suppliers and third-party providers, are carried out to identify improvements (formerly ID.SC-5, PR.IP-10, and DE.DP-3)
- ID.IM-03: Improvements for processes and activities across all Framework Functions are identified based on lessons learned (formerly PR.IP-7, PR.IP-8, DE.DP-5, RS.IM-1, RS.IM-2, and RC.IM-2)