Difference between revisions of "User:Shawndouglas/sandbox/sublevel3"

From LIMSWiki
Previous revision:

The NIST Cybersecurity Framework is the resulting cybersecurity guidance that came out of 2013's U.S. ''Executive Order 13636: Improving Critical Infrastructure Cybersecurity''.<ref name="HSFactSheet13">{{cite web |url=https://www.dhs.gov/publication/eo-13636-ppd-21-fact-sheet |title=Fact Sheet: Executive Order (EO) 13636 Improving Critical Infrastructure Cybersecurity and Presidential Policy Directive (PPD) 21 Critical Infrastructure Security and Resilience |publisher=U.S. Department of Homeland Security |date=March 2013 |accessdate=23 July 2020}}</ref> Building off the frameworks of NIST Special Publication 800-53 (Revision 4), COBIT 5, and the ISO 27000 series of standards, the NIST Cybersecurity Framework attempts to be a more high-level, concise, and voluntary framework for those without a rich technical background to better implement cybersecurity measures within their organization.<ref name="Chang-GuNIST15">{{cite web |url=https://www.praetorian.com/blog/nist-cybersecurity-framework-vs-nist-special-publication-800-53 |title=NIST Cybersecurity Framework vs. NIST Special Publication 800-53 |author=Chang-Gu, A. |work=Praetorian Security Blog |publisher=Praetorian Security, Inc |date=02 March 2015 |accessdate=23 July 2020}}</ref><ref name="MorganHowToUse18">{{cite web |url=https://www.securitymagazine.com/blogs/14-security-blog/post/88890-how-to-use-the-nist-cybersecurity-framework |title=How to Use the NIST Cybersecurity Framework: A Conversation with NIST’s Matthew Barrett |author=Morgan, J. |work=Security |publisher=BNP Media |date=04 April 2018 |accessdate=23 July 2020}}</ref>

Version 1.0 of the framework was introduced in 2014, and by 2016<ref name="DarkNIST16">{{cite web |url=https://www.darkreading.com/attacks-breaches/nist-cybersecurity-framework-adoption-hampered-by-costs-survey-finds/d/d-id/1324901 |title=NIST Cybersecurity Framework Adoption Hampered By Costs, Survey Finds |author=Dark Reading Staff |work=Dark Reading - Attacks/Breaches |publisher=Informa PLC Informa UK Limited |date=30 March 2016 |accessdate=23 July 2020}}</ref>:

* Seventy percent of organizations viewed the framework as "a security best practice," though fifty percent noted its required high level of investment as problematic to adoption.
* Sixty-four percent of organizations chose to use only part of the framework "due to cost and lack of regulatory pressures."
* Eighty-three percent of organizations that said they would be adopting the framework in 2017 also indicated they would only use part of the framework.

However, organizations are slowly changing their view from more moment-in-time approaches to cybersecurity, to more long-term and continual conformance and improvement approaches.<ref name="DarkNIST16" /><ref name="BizTechWhyARisk17">{{cite web |url=https://biztechmagazine.com/article/2017/12/why-risk-based-approach-leads-effective-cybersecurity |title=Why a Risk-Based Approach Leads to Effective Cybersecurity |author=BizTech Staff |work=BizTech |publisher=CDW LLC |date=20 December 2017 |accessdate=23 July 2020}}</ref><ref name="DanielSmarter18">{{cite web |url=https://www.cyberthreatalliance.org/smarter-way-think-cybersecurity-change-mindset-even-odds/ |title=Smarter Cybersecurity Thinking: Change Your Mindset to Even the Odds |author=Daniel, M. |work=Cyber Threat Alliance Blog |date=25 January 2018 |accessdate=23 July 2020}}</ref> Version 1.1 of the NIST Cybersecurity Framework was introduced in April 2018, updating guidance on authentication and identity procedures, self-assessment of cybersecurity risk, and vulnerability disclosure.<ref name="NISTReleases18">{{cite web |url=https://www.nist.gov/news-events/news/2018/04/nist-releases-version-11-its-popular-cybersecurity-framework |title=NIST Releases Version 1.1 of its Popular Cybersecurity Framework |publisher=National Institute of Standards and Technology |date=16 April 2018 |accessdate=23 July 2020}}</ref> Since the framework is already based upon NIST SP 800-53 and other solid frameworks, and it's developed "to foster risk and cybersecurity management communications amongst both internal and external organizational stakeholders,"<ref name="NISTNewTo19">{{cite web |url=https://www.nist.gov/cyberframework/new-framework |title=New to Framework |work=Cybersecurity Framework |publisher=National Institute of Standards and Technology |date=18 November 2019 |accessdate=23 July 2020}}</ref> the framework is likely to be further embraced in some form worldwide.

It should be noted, however, that the framework isn't strictly intended to be a standalone framework; rather it's meant to be customized and used in conjunction with the control, program, and risk frameworks it's based upon.<ref name="MorganHowToUse18" /> At its core, the NIST Cybersecurity Framework promotes the functions of identification, protection, detection, response, and recovery. Aligned with those functions are nearly 300 controls pulled from the referenced frameworks, reinforcing the related concepts of security control development, project management, and risk management being rooted into the framework.<ref name="MorganHowToUse18" />

==References==
{{Reflist|colwidth=30em}}

Revision as of 23:21, 11 February 2022

What follows is a template to help guide you in developing your own cybersecurity plan. Remember that this is a template and strategy for developing the cybersecurity plan for your organization, not a regulatory guidance document. This template has at its core a modified version of the template structure suggested in the late 2018 Cybersecurity Strategy Development Guide created for the National Association of Regulatory Utility Commissioners (NARUC).[1] While their document focuses on cybersecurity for utility cooperatives and commissions, much of what NARUC suggests can still be more broadly applied to all but the tiniest of businesses. Additional resources such as the American Health Information Management Association's AHIMA Guidelines: The Cybersecurity Plan[2]; National Rural Electric Cooperative Association (NRECA), Cooperative Research Network's Guide to Developing a Cyber Security and Risk Mitigation Plan[3]; and various cybersecurity experts' articles[4][5][6][7][8][9] have been reviewed to further supplement the template. This template covers 10 main cybersecurity planning steps, each with multiple sub-steps. Additional commentary, guidance, and citations are included with those sub-steps.

Note that before development begins, you'll want to consider the knowledge resources available and key stakeholders involved. Do you have the expertise available in-house to address all 10 planning steps, or will you need to acquire help from one or more third parties? Who are the key individuals providing critical support to the business and its operations? Having the critical expertise and stakeholders involved with the plan's development process early on can enhance the overall plan and provide for more effective strategic outcomes.[1]

Also remind yourself that completing this plan will likely not require a straightforward, by-the-numbers approach. The most feasible outcome will have you jumping around a few steps and filling in blanks or revising statements in previous portions of the plan. While the ordering of these steps is deliberate, completing them in order may not make the best sense for your organization. Don't be afraid to jump around or go back and update sections you've worked on previously using new-found knowledge. For example, some organizations with limited professional expertise in cybersecurity may find value in jumping to the end of section 5.3 and reviewing the wording of some of the cybersecurity controls early in the process in order to become more familiar with the related vocabulary.

Finally, the various steps of this plan will recommend the development of a variety of other policies, procedures, and documents, e.g., a communications plan and a response and continuity plan. As NIST notes in its SP 800-53 framework, effective security plans make reference to other policy and procedure documents and don't necessarily fully contain those actual policies and procedures themselves. Rather, the plan should "provide explicitly or by reference, sufficient information to define what needs to be accomplished" by those policies and procedures. All of that is to say that when going through the steps below, be cognizant of that advice. Recommendations to make a communications plan or response plan don't necessarily mean those plans should be an actual portion of your overall cybersecurity plan, but rather a component external to the plan yet referenced and detailed sufficiently within the plan.

An Example Cybersecurity Plan

The following instructional template for developing a cybersecurity plan is admittedly a lot of information to take in at once. Some people are much better at understanding a concept through examples. As such, what is modestly called An Example Cybersecurity Plan has been developed to accompany this guide. That example plan includes an introduction to provide more context concerning its creation, as well as a simple outline of the following steps 5.1 through 5.10. The example plan itself comes afterwards, presented from the perspective of the fictional environmental laboratory company ABC123 Co. This example is slightly unorthodox in that it presents a cybersecurity plan in an iterative state of development, emphasizing the "living document" aspect of a cybersecurity plan. The document demonstrates the concepts emphasized in this guide, including the concept of referencing other relevant policies and documents without duplicating them within the cybersecurity plan. Note that while a separate document, An Example Cybersecurity Plan is released under the same Creative Commons license as this guide, and those license requirements should still be followed.

Link to file: An Example Cybersecurity Plan (File:An Example Cybersecurity Plan - Shawn Douglas - v1.0.pdf)

Instructions: After clicking the above link, click the link (underneath the PDF icon) at the top of the resulting page to view in browser, or right-click and "save as" to save a copy.

References

  1. Cadmus Group, LLC (30 October 2018). "Cybersecurity Strategy Development Guide" (PDF). National Association of Regulatory Utility Commissioners. https://pubs.naruc.org/pub/8C1D5CDD-A2C8-DA11-6DF8-FCC89B5A3204. Retrieved 23 July 2020.
  2. Downing, K. (December 2017). "AHIMA Guidelines: The Cybersecurity Plan" (PDF). American Health Information Management Association. https://journal.ahima.org/wp-content/uploads/2017/12/AHIMA-Guidelines-Cybersecurity-Plan.pdf. Retrieved 23 July 2020. 
  3. Lebanidze, E. (2011). "Guide to Developing a Cyber Security and Risk Mitigation Plan" (PDF). National Rural Electric Cooperative Association, Cooperative Research Network. https://www.cooperative.com/programs-services/bts/documents/guide-cybersecurity-mitigation-plan.pdf. Retrieved 23 July 2020. 
  4. Lago, C. (10 July 2019). "How to implement a successful cybersecurity plan". CIO. IDG Communications, Inc. https://www.cio.com/article/3295578/how-to-implement-a-successful-security-plan.html. Retrieved 23 July 2020. 
  5. Norton, K. (21 June 2018). "Similar but Different: Gap Assessment vs Risk Analysis". HIPAA One. https://www.hipaaone.com/2018/06/21/gap-assessment-vs-risk-analysis/. Retrieved 23 July 2020. 
  6. Ewing, S. (12 July 2017). "4 Ways to Integrate Your Cyber Security Incident Response and Business Continuity Plans". Delta Risk. https://deltarisk.com/blog/4-ways-to-integrate-your-cyber-security-incident-response-and-business-continuity-plans/. Retrieved 23 July 2020. 
  7. Krasnow, M.J. (February 2017). "Cyber-Security Event Recovery Plans". International Risk Management Institute, Inc. https://www.irmi.com/articles/expert-commentary/cyber-security-event-recovery-plans. Retrieved 23 July 2020. 
  8. "How to Develop A Cybersecurity Plan For Your Company (checklist included)". Copeland Technology Solutions. 17 July 2018. https://www.copelanddata.com/blog/how-to-develop-a-cybersecurity-plan/. Retrieved 23 July 2020. 
  9. Talamantes, J. (6 September 2017). "Does Your Cybersecurity Plan Need an Update?". RedTeam Knowledge Base. RedTeam Security Corporation. https://www.redteamsecure.com/blog/does-your-cybersecurity-plan-need-an-update/. Retrieved 23 July 2020.