How to use the NIST Cybersecurity Framework
NIST Cybersecurity Framework
Version 1.0 of the NIST Framework for Improving Critical Infrastructure Cybersecurity (CSF) celebrated its fourth birthday in February. The CSF is a “risk-based approach to managing cybersecurity risk… designed to complement existing business and cybersecurity operations.” I recently spoke with Matthew Barrett, NIST program manager for the CSF, and he provided me with a great deal of insight into using the framework.
NIST (National Institute of Standards and Technology) is a division of the U.S. Department of Commerce, and they have been involved in information security since the 1970s. On May 11, 2017, President Trump signed Executive Order 13800 requiring all federal agencies to use the CSF, so if you conduct business with these entities, you are likely to hear a great deal more about it in the near future.
Current State of Cybersecurity
To begin the conversation, I asked Matthew what he thought about the current state of cybersecurity in business and government.
“I think there is a bit of an awakening going on to the true importance of just how foundational cybersecurity is,” he says. “It used to be that businesses were based on trust, and it is still the case. Increasingly, we’ve built out our technological infrastructure and more and more important over time is digital trust. I’m not sure whether all parties understood when they were implementing those technologies just how much that pendulum was going to swing from traditional trust models to the digital representations of those trust models. It’s not an overnight thing. There’s a cascade. I see a ripple that has started that hasn’t completed its way across the pond.”
The CSF in a Nutshell
If you have worked with other security standards or frameworks based on best practices or compliance approaches, the CSF provides a different viewpoint. It is not intended to be used as a standalone framework for developing an information security program. Rather, the CSF is designed to be paired with other frameworks or standards such as ISO/IEC 27000, COBIT 5, ANSI/ISA 62443, and NIST SP 800-53. It is also meant to be customized rather than being used as a process or activity checklist. The CSF has three components – the core, tiers and profiles.
The core of the framework has five functions – identify, protect, detect, respond and recover. These functions can be thought of as outcomes and aligned with them are 22 categories, 98 subcategories, 125 outcomes and 287 informative references (controls). The core, with all the informative references, is also available in Excel format which can make a handy template to add to your cybersecurity policy and control toolkit. According to Matthew, becoming comfortable with these five functions and the associated concepts at the leadership level tends to be the first stage of the adoption curve.
Determining the organization’s tier is often the second step in adoption. The tiers are a useful tool and they “provide context on how an organization views cybersecurity risk and the processes in place to manage that risk.” There are four tiers: partial, risk-informed, repeatable and adaptive. Although the tiers don’t officially function as a maturity model, it is difficult for me not to see them as such.
However, Matthew explained the CSF’s position on maturity models: “We take exception to the way maturity models are applied where everyone has to get the highest mark on the maturity scale. That’s a great ambition. Rooted in the real world of things, we know that people have budgets, and those budgets are finite. More so than the way people tend to implement maturity models, we’re trying to highlight that you can pick and choose.”
“In my mind’s eye,” Matthew continued, “I picture a tier that isn’t even on the map. A tier zero. There’s a group of people who have managed to short-list high-impact items, and that’s about all they do relative to cybersecurity. For most people, that’s a temporary stopping point. Some people stop there and never get to dynamic, iterative cybersecurity risk management.”
Based on my own personal observations in the field, most SMBs, local governments and even many larger entities probably fall into Tier 1, and the only way to realistically get to Tier 2 is for management to become risk informed. However, getting executives and boards interested in information and cybersecurity is a formidable hurdle.
If an organization is truly a part of national critical infrastructure, remaining at Tier 2 would be troubling. Tier 3 is the first tier that defines organization-wide policy as a requirement, and I would personally see Tier 3 as the minimally acceptable target for most organizations, but this is my opinion rather than NIST’s or Matthew’s.
The tiers do provide a solid tool for organizational management to realistically evaluate their cybersecurity program and make rational, pragmatic, informed business decisions for program improvements going forward. Taking the leap from Tier 1 to Tier 2 is probably the most difficult step for most organizations. Once an organization gets to Tier 2, management has accountability and consequently more motivation to move forward.
NIST recommends that the framework be “customized in a way that maximizes business value,” and that customization is referred to as a “Profile.”
Matthew believes that all cybersecurity programs have three things to do and three things only:
- Support mission/business objectives;
- Fulfill cybersecurity requirements; and
- Manage the vulnerability and threat associated with the technical environment.
The CSF provides a seven-step process for creating or improving a cybersecurity program using a continuous improvement loop:
- Prioritize and scope
- Create a current profile
- Conduct a risk assessment
- Create a target profile
- Determine, analyze, and prioritize gaps
- Implement action plan
Profiles can be used as a tool to provide a basis for prioritization, budgeting and gap analysis.
One of my personal rants is on the disinterest so many executives show toward information security. I am always irritated when I see IT and security managers unilaterally commit an organization to cyber risk without obtaining informed consent from senior management. Often, these staff members make decisions that are far outside the scope of their roles and authority, and I think some executives prefer their own blissful state of ignorance. This leaves too much room for managers to claim “I never knew. Mistakes were made.” Like both ISO 27001 and COBIT 5, the CSF clearly defines management’s role in information security processes, so the CSF can be used as a powerful tool to engage boards and managers and hold them accountable for risk and budgeting decisions.
Matthew’s response to my rant was diplomatic. “I wonder whether the very nature of cybersecurity professionals makes us hold on to risk decisions rather than distribute them portfolio style. Smaller, less impactful risk decisions that are distributed. Distribute decisions, empower folks, and there is accountability around that empowerment, as well.” The CSF provides tools to distribute this risk.
Adoption and Implementation Trends
Results from a 2015 Gartner poll claim that about 30% of organizations have adopted the CSF and by 2020, 50% of organizations will have adopted it. I am skeptical of this assessment. Based on personal observation of the SMB and local government sectors, I would be astonished to find that even 25% of them have formal information security programs based on any framework or standard, let alone the CSF.
However, CSF has been used and customized by a diverse group of organizations such as the Italian government, the American Water Works Association, Intel, the Texas Department of Information Resources, and many others. Case studies can be found on the NIST CSF website.
It’s always good to look at information security programs from multiple viewpoints and the NIST CSF provides many excellent tools to do just that. NIST provides many additional materials on using the framework and they can be found on the CSF Homepage. The site also has an excellent 30-minute video presentation of Matthew providing an overview of the framework.
This article first appeared in Security Magazine.
© Copyright Jeffrey Morgan, 2018
Health care providers are 12,000 times more dangerous than school shooters
Health care providers are 12,000 times more dangerous than school shooters
Every well-run business relies on some form of risk assessment as part of its decision making process. Threats are assessed and prioritized according to their relative impact and probability and the business takes appropriate action based on that information. Or so one hopes.
In public policy, this isn’t the way it works. Two perfect examples of public policy overreach not based on credible risk and threat data are school shootings and climate change.
School shootings are horrific events that should never happen and I can’t even imagine the pain this causes for the families of the victims. However, school shootings are low-risk, high-impact events. In the big picture, the probability that someone will be killed in a school shooting is about the same as getting struck by lightning or being killed by a cow. I used 2015 data, where available, to build the chart above.
School shootings vs. medical malpractice
In 2015, 21 people were killed in school shootings while medical malpractice killed an estimated 251,000 according to a Johns Hopkins University study. Other studies put the number as high as 330,000. In 2015, you were 11,952.38 times more likely to be killed in a hospital than in a school shooting.
Medical error is the third leading cause of death in the United States and it kills nearly 700 people every single day or about 29 people every hour. More people die from medical malpractice every hour than are killed by school shootings in a year. Today, more Americans will be killed by medical malpractice than have died in all the school shootings in the entire history of the United States.
Where are all the posturing politicians on medical errors? Why aren’t news trucks lined up outside of hospitals profiling the doctors and nurses who may have just killed a patient? Why aren’t policy makers proposing trillions of dollars in spending and draconian regulations to address this travesty?
You are about 4 times more likely to be killed by an insect than you are to be killed in a school shooting. Yet, school shootings bring out calls for billions of dollars in spending, new regulations, and limitations on constitutional rights. There is no evidence that any of these proposals will prevent another school shooting. There is a great deal of evidence, though, that political cronies will become wealthy from policies that won’t work. Why won’t these work?
A cascade failure
The Marjory Stoneman Douglas High School tragedy was clearly a systemic cascade failure where those entrusted with the safety of students failed to do their jobs at every level. The school board, school administration, FBI, SROs, deputies, and many more all failed to fulfill their responsibilities over a long period of time. Nikolas Cruz was a known threat actor and no one did anything about him.
In the private sector, Robert Runcie, the incompetent superintendent, would already be ancient history as would Broward County sheriff, Scott Israel. They would both have been handed walking papers immediately and they should be facing criminal charges and civil litigation for their negligence. This event wasn’t caused by lack of laws or resources; it was caused by incompetent management and governance.
We don’t need to throw fantastic sums of federal money and new federal laws at the issue of school safety. What we do need are public sector employees who will actually do their jobs. Moreover, these issues should be addressed at local levels where citizens can make their own risk assessments based on unique requirements, cultural factors, and risk appetite. Heavy-handed, one-size-fits-all solutions from distant Washington bureaucrats aren’t the answer.
Risk and climate change
Climate change is another issue where proposals for risk mitigation are completely out of proportion to the actual risk. If meteorologists could accurately predict tomorrow’s weather, I might find dire predictions of the climate 100 years from now to be more credible. If a single climate model actually accounted for the climate over the last 20 years, I might be inclined to take it seriously.
Predicting the future is risky business – just ask any investor or financial manager. For some reason though, policy makers take apocalyptic, Nostradamus-like predictions of our future weather seriously. And, why not? Billions of dollars for ineffective school security programs are small change compared to the sums of money involved in “fixing” the climate. Fixing the planet could make someone his or her first trillion and all of their political cronies will be richly rewarded.
Bureaucrats at the United Nations, the most incompetent and expensive bureaucracy the world has ever known, actually believe they can fix the climate. Or maybe they just know they can become wealthy and powerful on a journey to nowhere. No one today will actually be around to see whether or not the predictions are right, so what difference does it make?
Emotional reactions never create good policy and we really need politicians at all levels of government who are capable of cool-headed, objective risk assessment.
© Copyright Jeffrey Morgan, 2018
Risk assessments for local governments and SMBs
Next week, I am scheduled for a semi-annual risk assessment with my dentist. He performs a very specific, highly focused type of risk assessment that is totally worth the $125 it will cost. In addition to performing specialized maintenance (hypersonic cleaning), he will provide a threat assessment (for oral cancer, cavities, periodontal disease and other anomalies). I’ll leave his office confident that my mouth is in a low-risk situation for the next six months as long as I continue to follow best practices and perform daily maintenance procedures. I am only vulnerable to these threats if I fail to follow a daily program of brushing and flossing.
I could always choose to save the small fee for these risk assessments and wait for a major dental disaster to occur. The problem with this approach is that a single incident may cost thousands of dollars if I need a root canal or some other type of procedure. Ten years of checkups are less costly than even a single disaster.
Enterprise IT risk assessments
Unfortunately, in the world of local government and SMBs, the most common approach to risk management is to allow a major catastrophe to occur before realizing the value of an enterprise risk management program.
I am at a loss to explain it. Incidents or problems involving your information and IT infrastructure are far more costly than risk management programs. Data loss, breaches, major downtime, malware, lawsuits and fines for compliance violations may cost hundreds of thousands or millions of dollars. They can permanently shut down your small business or really irritate your board of directors in a corporate environment. In the public sector, constituents pay for major screw-ups through increased taxes while the events are often covered up and the culprits skirt the blame and keep their jobs.
When was your organization’s last risk assessment? Can you put your hands on the report? If you haven’t had a risk assessment recently, it’s a safe bet that your policies are sorely lacking. Defining an organizational policy for risk assessment is an essential component of any comprehensive suite of security policies. Both HIPAA and GLBA require periodic risk assessments, but it is a sound practice for all types and sizes of organizations.
Where to start?
If you haven’t previously conducted an enterprise IT risk assessment you should carefully consider your starting point. For example, if you have few or no security policies, it may be wise to form an IG (information governance) committee and begin by developing of a comprehensive set of policies, procedures, standards and guidelines. On the other hand, your management team may benefit from the kind of wake-up call that a devastatingly thorough risk assessment can produce. A 100-page report that says you suck at security and risk management on every page may be just what you need to get everyone’s attention.
The results of a risk assessment should be used to reduce your organization’s risk exposure, improve CIA (confidentiality, integrity and availability), initiate positive change, and begin building a security culture. While using risk assessments as a punitive device isn’t the best approach, such reports often expose malfeasance and incompetence of proportions so vast that appropriate consequences are in order. In other words, if you have been paying a CIO $200,000 and the assessment uncovers gaping policy, security and privacy holes, you should certainly replace the CIO with one who has the required skill set.
Scope the project carefully
Risk assessments come in a lot of flavors and the specific purpose and scope must be worked out with the auditors in advance. A few years ago, a client of mine released an RFP for a risk assessment after we worked extensively on the development of their information security policies. The proposals ranged from $15,000 to well over $150,000. This can happen even with a pretty clear scope. Big 4 firms, for instance, have hourly rates that may be several times what a local, independent practitioners may charge. NIST SP 800-30 provides valuable information on how to perform risk assessments, including some information on scoping.
Risk assessments may be qualitative or quantitative. You may be able to do some of the quantitative work in-house by gathering cost data for all your assets in advance of the assessment. Regardless of the scope and approach, the auditors will ask to see lots of documentation.
One positive outcome of a risk assessment is that it may force your management team to rethink EVERYTHING – in-house application development, infrastructure support, IT staffing & responsibilities, LOB (line of business) staffing & responsibilities, budgets, and just about everything else related to the manner in which your organization is run.
Risk assessments are way cheaper than disasters, so go schedule your checkup.
© Copyright Jeffrey Morgan, 2017by
Information governance for counties and municipalities
What’s your municipal organization’s most valuable asset?
The correct answer is information, but you wouldn’t know it by observing the casual, haphazard manner in which information is managed in many county and municipal operations. Information is often the least valued and least understood asset in local government organizations.
Tangible assets such as buildings and equipment are insured and can be replaced with relative ease. If your data vanishes, you may never be able to replace it. A breach of confidential information can never be made right and your organization’s reputation will be tarnished for years to come. Litigation that results from poor information management can cripple your organization, and the cost of discovery alone often forces organizations to settle.
The core problem
Does your municipal organization have a formal information governance (IG) program?
Most municipal entities don’t have IG programs and consequently lack institutional, enterprisewide understanding of their information assets. The root of the problem is a dearth of leadership in information management that starts with senior executives and elected officials. In many cases, there are departmental managers who do understand their own information universes, but those individuals rarely carry enough clout to influence the decision-making processes at the enterprise level.
“Jeff, hold the phone! We already have a records management program and a CIO. We’re on top of this.”
Information governance isn’t records management, although records management is a subset of IG. Robert Smallwood provides an excellent definition of information governance: “Security, control and optimization of information.”[i] He takes it a step further and writes “Information governance is policy-based control of information to meet all legal, regulatory, risk, and business demands.”[ii] These two statements sound simple, but if you ponder their meanings a bit, they have enormous implications not only for information management in your organization, but for the way in which your entire organization is managed.
The role of the municipal CIO
In my experience, municipal IT operations are often poorly aligned with the business divisions they support and silos are an endemic problem in such organizations. I don’t want to paint with too broad a brush because there are plenty of CIOs who do understand their organizations’ business and information requirements. However, in municipal government, such people are rare.
While the title chief information officer implies a deep understanding of information, many municipal CIOs function more as technology directors and sometimes they more closely resemble purchasing managers or other roles. Since there is no universal definition of a CIO’s role, it is not reasonable to expect that they all come to their job with a clear understanding of information governance. Moreover, municipalities can have several dozen lines of business, each with its own set of complex regulatory requirements, so asking your CIO to be a Master of the Universe may be asking too much.
The solution: What IG can do for your organization
If you don’t have an IG program, I encourage you to start one. I am talking about creating an ecumenical view of your organization’s information assets and aligning that view with your business requirements at every level of your organization. Establishing such a program will allow you to build a superstructure that includes the following:
- Enterprise information management and strategic planning: auditing, risk management, records retention, metadata standardization, storage, FOIA, defensible deletion, eradication of silos and more.
- Enterprise information security (infosec) and cybersecurity: Develop policies, processes and procedures for security that are aligned with your organization’s risks and requirements. Create a culture of security in your organization. Vastly decrease security risks.
- IT service management (ITSM): Improve IT services by aligning them with the organization’s business requirements as determined by the IG committee. IT governance is often treated in county and municipal government as if it is somehow separate, but IT may be more productive if it is treated as a component of an overarching information governance program.
The IG committee
I am not a proponent of management by committee, but in a county or municipal setting with many lines of business, an information governance committee is appropriate not only to oversee information policies and procedures, but to provide guidance and oversight for IT operations as well. The makeup of your municipal IG committee will resemble the following:
- An executive sponsor: Preferably the county executive, city manager or similar role.
- An elected official: A county commissioner, city council member, etc. The primary governing board must be key part of IG team.
- The municipal attorney.
- A human resources official.
- An IT professional.
- A risk management specialist.
- A records management staffer.
- Representatives from other key departments, potentially including law enforcement, corrections, nursing home services, public health, mental health, social services the county recorder, etc.
References and resources
Following are links to some resources for more information about developing an IG program.
ARMA International, a not-for-profit association for professionals specializing in governing information as a strategic asset.
Information Governance Initiative, a forum for information governance professionals.
AIIM, a nonprofit membership organization for information professionals.
Institute for Information Governance, a provider of training in the fields of information governance and electronic records management.
EDRM, a provider of resources related to e-discovery and information governance. Part of the Duke Law Center for Judicial Studies.
“Defining the Differences Between Information Governance, IT Governance and Data Governance,” by Robert Smallwood, Aug. 18, 2014. Retrieved April 17, 2017, from the AIIM website.
Information Governance for Executives, by Robert Smallwood. Bacchus Business Books, 2016.
[i] Smallwood, Robert. Information Governance for Executives, 2016
[ii] Smallwood, Robert. “Defining the Differences Between Information Governance, IT Governance and Data Governance,” 2014
This article first appeared on CIO.com at http://www.cio.com/article/3192530/security/information-governance-for-counties-and-municipalities.html
© Copyright Jeffrey Morgan, 2017by