Cyber-Security Frameworks and Best Practices

The first thing that that consider was to provide guidelines to improve the cybersecurity if correctly implemenented. So it is not a framework indented to perform risk analysis, but it is an high level framework that tries to remain general to be used by many companies as possible.

It’s scope was to link together all the previous knowledge of the field providing a base common framework.

The initial target audience was mainly the critical infrastructure sector, that has particular challenges to solve. In a second moment they expanded the concepts expressed in the framework by letting it be useful for a wide range of companies that deals with:

• Information Technologies
• Industrial control systems
• Cyber-Physical Systems; especially in the second revision that consider also Connected Networks and IoT devices.
• IoT.

The main feature it that the framework is technology neutral, so it do not consider any hardware platform, or particular technology to be as flexible as possible and effective during time.

The second important feature is that it tries to provide a link between all the existing concepts addressed in previous standards.

At the same time it provides a common taxonomy used to characterize the security posture of other organizations (in case of partnerships and acquisitions).

It can be used also to describe a possible state of the security level that the company wants to achieve, this is possible because the framework provides the instruments to plan a future objective and see how far it is.

Thanks to those instruments it can be also used to prioritize and rank the opportunities that can be used to improve in a replicable way in different iterations of the direct control loop comparing the improvements also between different companies, for example in a federated environment.

At last, but not least, it provides a common language that can be used for the communication between stakeholders.

So in summary the NIST CSF supports both cyber security assessment, and planning and monitoring activities.

It order to manage risks there is the need to identify the likelihood and the impact of the risks, the CSF helps to identify the set of risks to try to estimate the likelihood and impact of it; but the CSF can’t be used to estimate and quantify the risk.

The core part of the framework is composed by a table composed by five security functions divided in categories, sub-categories and list of references to the different standards. The Core is not a checklist, it is a framework that gives a set of possible actions, not all of them may be important for some companies.

The categories are particular elements to be take into account for each category, where the sub-categories are refinement of each category.

The second part of the frameworks regard the implementation tiers. When the core tries to focus on the life cycle of the protection cycle, here the focus is more on the analysis of the implementation of the activities.

The implementation tiers ranges from Tier 1 (Partial) to Tier 4 (Adaptive), describing an increasing degree of rigor and sophistication in cybersecurity risk management practices.

They must be not used to represent maturity level of a company, for example a more flexible implementation can be more secure that a very strict one. Progression to higher tiers is encouraged when a cost-benefit analysis indicates a feasible and cost effective reduction of cybersecurity risks. They give to the management the right instrument used to know how and when increasing the tiers.

The tier is characterized by three elements:

1. Risk Management Process. How you identify, and manage the risk
2. Integrated Risk Management Program. How much the risk is considered in an integrated analysis with all the other elements of the company
3. External Participation.

In the tier 2 there is the minimum amount of structure, with the fact that the management has a basic idea of the risk and how it can affect the company, with a first prioritization of the activities based on the risks.

The main differences between Tier 3 and 4 is the degree in collaboration and in the degree of precision and applicability of the standards and best practices.

They are filters that can be applied on the core part of the frameworks, abstracting the situation to consider, giving the possibility to identify a current state or a future state used to align Functions Categories and Subcategories with the business requirements, risk tolerance and resources. The NIST CSF do not share examples and template of profiles. This is one of the main problems of the NIST CSF, that has been addressed by the Italian Framework.

1. It can be used to identify opportunities for new or revised informative references, it is easy to identify the updates of the framework itself. At the same time it is easy to check for references changes that can lead to an update of the framework by mapping different framework stimulating improvements
2. It can be used to strongly preserve privacy and civil liberty. It is possible to share which area of the core part are covered without revealing how.
3. It also can be used for self assessment purposes by consider the sub-categories.

There are the same five functions of the NIST framework, and the concept of Category and Sub-Category has been maintained, the Priority Levels have been added, preserving the Informative References and Guidelines are been added.

The first contextualization done regarded the Public Administration. The level of priority defined for P.A. are four:

1. High.
2. Medium.
3. Low.
4. Not Selected. It is a not critical element of the domain so it can be not considered.

The level of priority was assigned in accordance with a survey and an approval by the final organization in accordance with the domain. The fact that the level of priority assigned to each sub-categories change in accordance with the context makes time consuming the process of contextualization. So a methodology is needed to perform a self-contextualization.

immagine priorità

For each sub-category the provided at least three levels of maturity, the framework provides different options, each option depends on the specific context. Going from the first level to the three there is an increas on the level of complexity in the management of the process but decrease the time of obtain information.

immagine maturity levels

It can happen that for specific sub-categories there is just the level 1 and the maximum level.

When the NIST framework was updated some things were improved:

• 61 improvements in the descriptions
  • 17 in the core part
• Added one category (supply chain)
  • ten new sub-categories

Also the NCF was improved, including also the new GDPR laws, coming out with the version 2.0 of the NCF that provide a new contextualization based on the GDPR.

For the second version the researchers worked together with the garanante della privacy office to map the law requirements with the pre-existent sub-categories. Four possible cases:

1. Perfect Placement. There was already present a sub-category that can be mapped with one article, more subcategories.
2. Partial Placement. There were requirements of the law that were fitting partially with a sub-category, so the regulation was not full covered.
3. Not possible placement. In this case there was the need for a new sub-category
4. Not needed placement.

So there is not a perfect match between the GDPR and the National Cybersecurity Framework. During the Covid emergence the framework provided a new contextualization for the financial domain, and now they are working on a contextualization for the healthcare domain.

It is composed by many different documents, that have been produced starting in 2002 by NIST under the mandate of the United States government. It is the first concrete act that changed the way of how the US reasoned in terms of security. Federal Information System Management Act requires that:

each federal agency develops, documents and implements an agency-wide program to provide information security to all information and information systems that support assets and agency processes, including those provided or managed by other agencies, contractors or third parties.

Before 2002 the information security was not pervasive as it is today. This law triggered different processes and the production of different documents. It was implemented in two phases:

1. Definition of standards and guidelines. It lasted more than ten years, producing a large set of documents.
2. Implementation and assessments Aids.

There are many other documents along the ISO 27001 and the ISO 27002 ones. There are also guidance for the auditors, documents specific for the financial services, network security, and incident management. It is the most widespread and internationally recognized world wide. For this reason a recognized entity will be considered certified also in US and on eastern countries. The cons of the ISO 27k family are their costs of the certification, of course it is challenging to small companies to be certified. Most of the time it is used as a self assessment system. Another limitation is given by the fact that the documents do not provide priorities (all or nothing if you want to obtain the certificate). It is not enforced by law.

There exists a mapping between the special publications and the ISO documents, but they are at different level of granularity, so to have a complete overview it is needed to combine them. In any case they are both the result of years of effort of thousand of Cybersecurity experts.