NIST Cybersecurity Framework: what it is
Cybersecurity Framework v1.1 has been revised in light of feedback from practitioners on earlier drafts of the document.
The U.S. National Institute of Standards and Technology (NIST) has released a new edition of its guidance on strengthening the cybersecurity of critical infrastructure, Cybersecurity Framework v1.1.
According to NIST, version 1.1 focuses on sectors vital to national and economic security, including the energy, banking, telecommunications and defense sectors. The new version of the framework incorporates feedback from practitioners on earlier drafts. In particular, the recommendations on authentication and identity, on cybersecurity in supply chains, and on vulnerability disclosure have been updated. A new section explains how organizations can use the framework to assess their own cybersecurity risk.
Later this year NIST intends to release an updated companion "roadmap" for improving critical infrastructure cybersecurity, describing the key areas of development, alignment and collaboration.
In March of this year NIST published the second volume of its cybersecurity guidance for enterprises and organizations, NIST Special Publication 800-160 Volume 2, Systems Security Engineering: Cyber Resiliency Considerations for the Engineering of Trustworthy Secure Systems. The document contains recommendations for withstanding various types of cyber threats.
The National Institute of Standards and Technology is a non-regulatory agency of the U.S. Department of Commerce. Together with the American National Standards Institute (ANSI) it takes part in developing standards and specifications for software used both in the U.S. public sector and in commercial products.
The NIST Cybersecurity Framework provides comprehensive guidance and best practices that private sector organizations can follow to improve information security and cybersecurity risk management.
NIST Cybersecurity Framework core structure
NIST Cybersecurity Framework includes functions, categories, subcategories, and informative references.
Functions give the highest-level view of an organization's cybersecurity activities. They are not intended to be procedural steps but are to be performed "concurrently and continuously to form an operational culture that addresses the dynamic cybersecurity risk." Categories and subcategories break each function into more concrete outcomes that can be assigned to specific departments or processes within an organization.
The five functions and their categories are the following:
- Identify: To protect against cyberattacks, the cybersecurity team needs a thorough understanding of which assets and resources matter most to the organization. The identify function includes the categories asset management, business environment, governance, risk assessment, risk management strategy, and supply chain risk management.
- Protect: The protect function covers most of the technical and physical security controls for developing and implementing appropriate safeguards and protecting critical services. Its categories are identity management and access control, awareness and training, data security, information protection processes and procedures, maintenance, and protective technology.
- Detect: The detect function covers the activities that identify a cybersecurity event in a timely manner and alert the organization to it. Its categories are anomalies and events, security continuous monitoring, and detection processes.
- Respond: The respond function covers the activities that ensure an appropriate response to a detected cybersecurity event. Its categories are response planning, communications, analysis, mitigation, and improvements.
- Recover: The recover function covers the activities that maintain cyber resilience and restore services and business continuity after a cyberattack, security breach, or other cybersecurity event. Its categories are recovery planning, improvements, and communications.
The NIST CSF's informative references map the functions, categories, and subcategories to specific security controls in other frameworks and standards. These include the Center for Internet Security (CIS) Controls®, COBIT 5, International Society of Automation (ISA) 62443-2-1:2009, ISA 62443-3-3:2013, ISO/IEC 27001:2013 (from the International Organization for Standardization and the International Electrotechnical Commission), and NIST SP 800-53 Rev. 4.
The NIST CSF does not say how to inventory physical devices and systems or how to inventory software platforms and applications; it only states the outcome to be achieved, in effect a checklist of tasks to be completed. An organization can choose its own method of performing the inventory. If it needs further guidance, it can follow the informative references to the related controls in complementary standards. The CSF leaves a lot of freedom to pick the tools that best suit an organization's cybersecurity risk management needs.
Establishing a NIST Framework cybersecurity risk management program
The NIST Cybersecurity Framework provides a step-by-step guide for an organization to establish or improve its information security risk management program:
- Prioritize and scope: Create a clear idea of the scope of the project and identify the priorities. Establish the high-level business or mission objectives, business needs, and determine the risk tolerance of the organization.
- Orient: Take stock of the organization’s assets and systems and identify applicable regulations, risk approach, and threats to which the organization might be exposed.
- Create a current profile: A current profile is a snapshot of how the organization is managing risk at present, as defined by the categories and subcategories of the CSF.
- Conduct a risk assessment: Evaluate the operational environment, emerging risks, and cybersecurity threat information to determine the probability and severity of a cybersecurity event that can impact the organization.
- Create a target profile: A target profile represents the risk management goal of the information security team.
- Determine, analyze, and prioritize gaps: By identifying the gaps between the current and target profile, the information security team can create an action plan, including measurable milestones and resources (people, budget, time) required to fill these gaps.
- Implement action plan: Implement the action plan defined in the previous step, then repeat the cycle as the current profile changes.
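The Core structure described earlier and the seven-step procedure above lend themselves to a small model. The following Python is an example added here, not NIST's own tooling: it encodes a handful of CSF v1.1 subcategories (the identifiers and outcome statements are NIST's; the informative references shown are a subset of the official ones), builds a Current Profile and a Target Profile, scores the gaps by business priority, and turns them into a budget-constrained action plan. The 0-4 scores, the category priorities, the effort estimates and the 20-week budget are constructed assumptions.

```python
"""Added example (not NIST's code): a slice of the CSF v1.1 Core and the
Current Profile -> Target Profile -> gap -> action plan steps described above.
Subcategory identifiers and outcome statements are from CSF v1.1; the listed
informative references are a subset of the official ones. All scores,
priorities, effort figures and the budget are constructed for illustration."""
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Subcategory:
    sid: str        # CSF identifier, e.g. "ID.AM-1"
    outcome: str    # outcome statement from CSF v1.1
    refs: tuple     # subset of the CSF v1.1 informative references

    @property
    def function(self) -> str:   # "ID.AM-1" -> "ID"
        return self.sid.split(".", 1)[0]

    @property
    def category(self) -> str:   # "ID.AM-1" -> "ID.AM"
        return self.sid.split("-", 1)[0]


FUNCTION_NAMES = {"ID": "Identify", "PR": "Protect", "DE": "Detect",
                  "RS": "Respond", "RC": "Recover"}

CORE = (
    Subcategory("ID.AM-1", "Physical devices and systems within the organization are inventoried",
                ("CIS CSC 1", "ISO/IEC 27001:2013 A.8.1.1", "NIST SP 800-53 Rev. 4 CM-8")),
    Subcategory("ID.AM-2", "Software platforms and applications within the organization are inventoried",
                ("CIS CSC 2", "ISO/IEC 27001:2013 A.8.1.1", "NIST SP 800-53 Rev. 4 CM-8")),
    Subcategory("PR.AC-1", "Identities and credentials are issued, managed, verified, revoked, and "
                "audited for authorized devices, users and processes",
                ("CIS CSC 1, 5, 15, 16", "ISO/IEC 27001:2013 A.9.2.1", "NIST SP 800-53 Rev. 4 AC-2, IA-2")),
    Subcategory("DE.CM-1", "The network is monitored to detect potential cybersecurity events",
                ("CIS CSC 1, 7, 8, 12, 13, 15, 16", "NIST SP 800-53 Rev. 4 SI-4")),
    Subcategory("RS.RP-1", "Response plan is executed during or after an incident",
                ("CIS CSC 19", "ISO/IEC 27001:2013 A.16.1.5", "NIST SP 800-53 Rev. 4 IR-4, IR-8")),
    Subcategory("RC.RP-1", "Recovery plan is executed during or after a cybersecurity incident",
                ("CIS CSC 10", "ISO/IEC 27001:2013 A.16.1.5", "NIST SP 800-53 Rev. 4 CP-10")),
)

# Constructed profiles. Score per subcategory: 0 = not implemented ... 4 = implemented and measured.
CURRENT_PROFILE = {"ID.AM-1": 2, "ID.AM-2": 1, "PR.AC-1": 3, "DE.CM-1": 1, "RS.RP-1": 2, "RC.RP-1": 1}
TARGET_PROFILE = {"ID.AM-1": 4, "ID.AM-2": 4, "PR.AC-1": 3, "DE.CM-1": 3, "RS.RP-1": 3, "RC.RP-1": 3}
# Constructed output of "prioritize and scope": business priority per category, 1 (low) .. 3 (high).
PRIORITY = {"ID.AM": 3, "PR.AC": 3, "DE.CM": 2, "RS.RP": 2, "RC.RP": 3}
# Constructed effort estimate: person-weeks needed to raise a subcategory by one score step.
EFFORT = {"ID.AM-1": 2, "ID.AM-2": 3, "PR.AC-1": 2, "DE.CM-1": 4, "RS.RP-1": 2, "RC.RP-1": 3}


def function_rollup(core, profile):
    """Average score per Function: the one-line-per-function view of a profile."""
    by_fn = {}
    for sc in core:
        by_fn.setdefault(sc.function, []).append(profile.get(sc.sid, 0))
    return {fn: round(mean(scores), 2) for fn, scores in by_fn.items()}


def gap_analysis(core, current, target, priority=PRIORITY):
    """Step 6: every subcategory below its target, ordered by business priority x gap size.
    A subcategory absent from the current profile counts as not implemented (0);
    one absent from the target profile is out of scope for this cycle (target = current)."""
    gaps = []
    for sc in core:
        cur = current.get(sc.sid, 0)
        tgt = target.get(sc.sid, cur)
        gap = tgt - cur
        if gap <= 0:          # at or above target: nothing to plan
            continue
        pri = priority.get(sc.category, 1)
        gaps.append({"sid": sc.sid, "function": FUNCTION_NAMES[sc.function],
                     "current": cur, "target": tgt, "gap": gap,
                     "priority": pri, "score": pri * gap, "consult": sc.refs})
    gaps.sort(key=lambda g: (-g["score"], g["sid"]))
    return gaps


def action_plan(gaps, effort, budget_weeks):
    """Step 7 input: fund whole score steps in gap order until the budget runs out.
    Greedy on purpose: a cheap low-priority item can be left unfunded behind an
    expensive high-priority one, which is the trade-off the exercise should surface."""
    plan, remaining = [], budget_weeks
    for g in gaps:
        per_step = effort[g["sid"]]
        steps = min(g["gap"], remaining // per_step)
        if steps == 0:
            continue
        plan.append({"sid": g["sid"], "from": g["current"], "to": g["current"] + steps,
                     "weeks": steps * per_step, "consult": g["consult"]})
        remaining -= steps * per_step
    return plan, remaining


if __name__ == "__main__":
    print("current:", function_rollup(CORE, CURRENT_PROFILE))
    print("target: ", function_rollup(CORE, TARGET_PROFILE))
    gaps = gap_analysis(CORE, CURRENT_PROFILE, TARGET_PROFILE)
    for g in gaps:
        print(f"{g['sid']} ({g['function']}): {g['current']} -> {g['target']}, score {g['score']}")
    plan, left = action_plan(gaps, EFFORT, budget_weeks=20)
    for p in plan:
        print(f"milestone {p['sid']}: {p['from']} -> {p['to']} in {p['weeks']} weeks; consult {p['consult']}")
    print(f"unallocated budget: {left} weeks")
```

Run as a script, it prints the per-function rollup of both profiles, the ordered gap list, and the funded milestones. With the constructed numbers the software inventory (ID.AM-2) comes first because it combines the largest gap with the highest priority, and network monitoring (DE.CM-1) is left unfunded because the higher-priority inventory and recovery work exhausts the budget; that is the kind of trade-off the gap analysis is meant to make visible. Treat the 0-4 score as an attribute of the profile, not as an Implementation Tier: NIST states that the Tiers are not maturity levels.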
Background
Recognizing that the national and economic security of the United States depends on the reliable functioning of critical infrastructure, the President issued Executive Order (EO) 13636, Improving Critical Infrastructure Cybersecurity, in February 2013. The Order directed NIST to work with stakeholders to develop a voluntary framework, based on existing standards, guidelines, and practices, for reducing cyber risks to critical infrastructure. The Cybersecurity Enhancement Act of 2014 reinforced NIST's EO 13636 role.
Created through collaboration between industry and government, the voluntary Framework consists of standards, guidelines, and practices to promote the protection of critical infrastructure. The prioritized, flexible, repeatable, and cost-effective approach of the Framework helps owners and operators of critical infrastructure to manage cybersecurity-related risk.
The Framework Core and Informative References are available as separate downloads in two formats: spreadsheet (Excel) and alternate view (PDF). A companion Roadmap discusses future steps and identifies key areas of cybersecurity development, alignment, and collaboration.
The National Online Informative References (OLIR) Program is a NIST effort to facilitate subject matter experts (SMEs) in defining standardized online informative references (OLIRs) between elements of their documents, products, and services and elements of NIST documents like the Cybersecurity Framework Version 1.1, Privacy Framework Version 1.0, NISTIR 8259A, or NIST SP 800-53 Revision 5. The NIST Interagency or Internal Report (IR) 8278 - National Online Informative References (OLIR) Program: Program Overview and OLIR Uses focuses on explaining what OLIRs are, what benefits they provide, how anyone can search and access OLIRs, and how subject matter experts can contribute OLIRs.
To increase awareness, understanding, and use of the Cybersecurity Framework, NIST is highlighting brief "Success Stories" explaining how diverse organizations use the Framework to improve their cybersecurity risk management.
NIST maintains a listing of publicly available Framework resources. Resources include, but are not limited to: approaches, methodologies, implementation guides, mappings to the Framework, case studies, educational materials, internet resource centers (e.g., blogs, document stores), example profiles, and other Framework document templates.
NIST continues to welcome informal feedback about the Framework and Roadmap. Organizations and individuals may contribute observations, suggestions, examples of use, and lessons learned to cyberframework [at] nist.gov.
What is the NIST Cybersecurity Framework?
The National Institute of Standards and Technology (NIST) is a non-regulatory agency that promotes innovation by advancing measurement science, standards, and technology. The NIST Cybersecurity Framework (NIST CSF) consists of standards, guidelines, and best practices that help organizations improve their management of cybersecurity risk.
The NIST CSF is designed to be flexible enough to integrate with the existing security processes within any organization, in any industry. It provides an excellent starting point for implementing information security and cybersecurity risk management in virtually any private sector organization in the United States.
History of the NIST Cybersecurity Framework
On February 12, 2013, Executive Order (EO) 13636—"Improving Critical Infrastructure Cybersecurity"—was issued. This began NIST’s work with the U.S. private sector to "identify existing voluntary consensus standards and industry best practices to build them into a Cybersecurity Framework." The result of this collaboration was the NIST Cybersecurity Framework Version 1.0.
The Cybersecurity Enhancement Act (CEA) of 2014 broadened NIST's efforts in developing the Cybersecurity Framework. Today, the NIST CSF is still one of the most widely adopted security frameworks across all U.S. industries.
Cybersecurity domains
A strong cybersecurity strategy has layers of protection to defend against cyber crime, including cyber attacks that attempt to access, change, or destroy data; extort money from users or the organization; or aim to disrupt normal business operations. Countermeasures should address:
- Critical infrastructure security - Practices for protecting the computer systems, networks, and other assets that society relies upon for national security, economic health, and/or public safety. The National Institute of Standards and Technology (NIST) has created a cybersecurity framework to help organizations in this area, while the U.S. Department of Homeland Security (DHS) provides additional guidance.
- Cloud security - Encryption of cloud data at rest (in storage), in motion (as it travels to, from and within the cloud) and, with confidential computing, in use (during processing), to support customer privacy, business requirements and regulatory compliance standards.
- Information security - Data protection measures, including those required by regulations such as the General Data Protection Regulation (GDPR), that secure your most sensitive data from unauthorized access, exposure, or theft.
This Quick Start Guide is intended to provide direction and guidance to organizations, in any sector or community, seeking to improve cybersecurity risk management by using the NIST Cybersecurity Framework. Though the Cybersecurity Framework is not a one-size-fits-all approach to managing cybersecurity risk, it is ultimately aimed at reducing and better managing these risks. As such, this guide is intended for any and all organizations regardless of sector or size. Organizations will vary in how they customize the practices described in this document: they can determine which activities are important to critical service delivery and prioritize investments to maximize impact.
The Quick Start Guide has been translated into Portuguese and Spanish.
What is the Framework?
The Framework is voluntary guidance, based on existing standards, guidelines, and practices for organizations to better manage and reduce cybersecurity risk. In addition to helping organizations manage and reduce risks, it was designed to foster risk and cybersecurity management communications amongst both internal and external organizational stakeholders.
See the Framework Basics FAQ section for further information.
NIST CSF and the IBM Cloud
IBM has many resources available about how to adopt the NIST Cybersecurity Framework. IBM also provides a variety of security framework and risk assessment services to help assess an organization's security posture.
Businesses can use IBM’s security framework and risk assessment services to help identify vulnerabilities to mitigate risks. These services provide network monitoring and management and enhance privacy, security options, and identification of security risks.
IBM also can help align security standards and practices to the NIST CSF in a cloud environment.
Cybersecurity is the practice of protecting critical systems and sensitive information from digital attacks. Also known as information technology (IT) security, cybersecurity measures are designed to combat threats against networked systems and applications, whether those threats originate from inside or outside of an organization.
In 2020, the average cost of a data breach was USD 3.86 million globally, and USD 8.64 million in the United States. These costs include the expenses of discovering and responding to the breach, the cost of downtime and lost revenue, and the long-term reputational damage to a business and its brand. Cybercriminals target customers’ personally identifiable information (PII) — names, addresses, national identification numbers (e.g., Social Security number in the US, fiscal codes in Italy), and credit card information — and then sell these records in underground digital marketplaces. Compromised PII often leads to a loss of customer trust, the imposition of regulatory fines, and even legal action.
Security system complexity, created by disparate technologies and a lack of in-house expertise, can amplify these costs. But organizations with a comprehensive cybersecurity strategy, governed by best practices and automated using advanced analytics, artificial intelligence (AI) and machine learning, can fight cyberthreats more effectively and reduce the lifecycle and impact of breaches when they occur.
An Introduction to the Components of the Framework
The Cybersecurity Framework consists of three main components: the Core, Implementation Tiers, and Profiles.
The Framework Core provides a set of desired cybersecurity activities and outcomes using common language that is easy to understand. The Core guides organizations in managing and reducing their cybersecurity risks in a way that complements an organization’s existing cybersecurity and risk management processes.
The Framework Implementation Tiers assist organizations by providing context on how an organization views cybersecurity risk management. The Tiers guide organizations to consider the appropriate level of rigor for their cybersecurity program and are often used as a communication tool to discuss risk appetite, mission priority, and budget.
Framework Profiles are an organization’s unique alignment of their organizational requirements and objectives, risk appetite, and resources against the desired outcomes of the Framework Core. Profiles are primarily used to identify and prioritize opportunities for improving cybersecurity at an organization.
To learn more about the Framework's three main components, see the Components of Framework online learning module; to learn more about how organizations are using the Framework and its potential benefits, see the Uses and Benefits of Framework module.
In February 2013 U.S. President Barack Obama signed Executive Order 13636, "Improving Critical Infrastructure Cybersecurity", which among other things directed the U.S. standards institute, NIST, to develop a baseline model for protecting U.S. critical infrastructure (the Cybersecurity Framework). I was sure that I had written about it at some point in the past two and a half years, but it turns out I had not, so I am correcting that now.
- the document itself in PDF and EPUB formats
- a spreadsheet of the safeguards in Excel format
- a database of the safeguards in FileMaker Pro format.
The model is built on a modified triad of availability, integrity and confidentiality, familiar to many from Order No. 31 of FSTEC of Russia, which was adopted at about the same time.
Beyond the points it shares with Order No. 31, however, NIST made its document more practical and concrete. For example, it described the architecture of an industrial network from the point of view of both its construction and its security: the so-called five-level Purdue University model, which has become the de facto standard for designing industrial systems. The same model went into ISA SP99 and later into IEC 62443, the successor to ISA SP99. I have always missed illustrative material in FSTEC documents (the only exception, perhaps, is the KSII documents).
All safeguards are divided into five large blocks (functions): Identify, Protect, Detect, Respond and Recover. In effect this is the life cycle of a protection system for any object, from a corporate network to an industrial one.
Within each of the five blocks, several categories of safeguards are then distinguished. NIST SP 800-53, by comparison, has 18 families of controls; in the new NIST document the number of categories has grown to 22. The growth comes from adding a number of "business" topics (risk management, governance, business environment and so on) and from regrouping topics that already existed.
Finally, NIST has done an enormous amount of work tying the proposed safeguards to existing standards and practices. In particular, it took into account and cross-referenced the safeguards in the following standards:
- NIST SP 800-82 and SP 800-53
- ISA/IEC 62443
- ISO 27001/27002
- ENISA standards
- the Qatar standard
- the API standard
- ICS-CERT recommendations
- COBIT
- Council on CyberSecurity (CCS) Top 20 Critical Security Controls (CSC).
For the new edition of Order No. 31, and for other documents on protecting industrial systems, this NIST Cybersecurity Framework model is more than useful, at the very least for systematizing the information.
NIST Framework implementation tiers
To help organizations characterize how rigorous and how well integrated their cybersecurity risk management practices are, the framework identifies four implementation tiers. NIST notes that the tiers are not maturity levels; progressing to a higher tier is encouraged only when it reduces risk cost-effectively.
- Tier 1 – Partial: Risk management practices are not formalized, and cybersecurity activities are implemented ad hoc and reactively rather than as planned work. The organization has limited awareness of cybersecurity risk and lacks the processes and resources to manage it across the organization.
- Tier 2 – Risk Informed: The organization is more aware of cybersecurity risks and shares information on an informal basis. It lacks a planned, repeatable, and proactive organization-wide cybersecurity risk management process.
- Tier 3 – Repeatable: The organization and its senior executives are aware of cybersecurity risks. They have implemented a repeatable, organization-wide cybersecurity risk management plan. The cybersecurity team has created an action plan to monitor and respond effectively to cyberattacks.
- Tier 4 – Adaptive: The organization is now cyber resilient and uses lessons learned and predictive indicators to prevent cyberattacks. The cybersecurity team continuously improves and advances the organization’s cybersecurity technologies and practices and adapts to changes in threats quickly and efficiently. There is an organization-wide approach to information security risk management with risk informed decision-making, policies, procedures, and processes. Adaptive organizations incorporate cybersecurity risk management into budget decisions and organizational culture.