Thursday, August 11, 2022

Principle of Information Security Module 3 Information Security Management part 10

NIST Security Models

Other approaches to security are described in the many documents available from the NIST Computer Security Resource Center. Because the NIST documents are publicly available at no charge and have been for some time, they have been broadly reviewed by government and industry professionals, and were among the references cited by the U.S. government when it decided not to select the ISO/IEC 17799 (now 27000 series) standards. The following NIST documents can assist in the design of a security framework:

  • SP 800-12, Rev. 1: “An Introduction to Information Security”

  • SP 800-18, Rev. 1: “Guide for Developing Security Plans for Federal Information Systems”

  • SP 800-30, Rev. 1: “Guide for Conducting Risk Assessments”

  • SP 800-37, Rev. 2: “Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy”

  • SP 800-39: “Managing Information Security Risk: Organization, Mission, and Information System View”

  • SP 800-50: “Building an Information Technology Security Awareness and Training Program”

  • SP 800-55, Rev. 1: “Performance Measurement Guide for Information Security”

  • SP 800-100: “Information Security Handbook: A Guide for Managers”

Many of these documents have been referenced elsewhere in this book as sources of information for the management of security. The following sections examine select documents in this series as they apply to the blueprint for information security.

NIST SP 800-12

SP 800-12, Rev. 1, “An Introduction to Information Security,” is an excellent reference and guide for the security manager or administrator in the routine management of information security. It provides little guidance, however, for the design and implementation of new security systems, and therefore should be used only as a precursor to understanding an information security blueprint.

NIST SP 800-14

SP 800-14, “Generally Accepted Principles and Practices for Securing Information Technology Systems,” provides best practices and security principles that can direct the security team in the development of a security blueprint. Even though this legacy publication has been “retired,” there is not yet a replacement document in the NIST SP series that provides a better basic grounding in information security. In addition to detailing security best practices across the spectrum of security areas, it provides philosophical principles that the security team should integrate into the entire information security process:

Security supports the mission of the organization—Failure to develop an information security system based on the organization’s mission, vision, and culture guarantees the failure of the information security program.

Security is an integral element of sound management—Effective management includes planning, organizing, leading, and controlling. Security enhances management functions by providing input during the planning process for organizational initiatives. Information security controls support sound management via the enforcement of managerial and security policies.

Security should be cost-effective—The costs of information security should be considered part of the cost of doing business, much like the costs of computers, networks, and voice communications systems. Security is not a profit-generating area of the organization and may not lead to competitive advantages. Information security should justify its own costs. The use of security measures that do not justify their cost must have a strong business justification, such as a legal requirement.

Systems owners have security responsibilities outside their own organizations—Whenever systems store and use information from customers, patients, clients, partners, or others, the security of this information becomes the responsibility of the systems’ owners. These owners are expected to diligently work with each other to assure the confidentiality, integrity, and availability of the entire value chain of their interconnected systems.

Security responsibilities and accountability should be made explicit—Policy documents should clearly identify the security responsibilities of users, administrators, and managers. To be legally binding, the policies must be documented, disseminated, read, understood, and agreed to by all involved members of the organization. As noted in Module 6, ignorance of the law is no excuse, but ignorance of policy is. Organizations should also provide information about relevant laws in issue-specific security policies.

Security requires a comprehensive and integrated approach—Security personnel alone cannot effectively implement security. As emphasized throughout this textbook, security is everyone’s responsibility. The three communities of interest—information technology management and professionals; information security management and professionals; and users, managers, administrators, and other stakeholders—should participate in the process of developing a comprehensive information security program.

Security should be periodically reassessed—Information security that is implemented and then ignored is considered negligent because the organization has not demonstrated due diligence. Security is an ongoing process. To be effective against a constantly shifting set of threats and a changing user base, the security process must be periodically repeated. Continuous analyses of threats, assets, and controls must be conducted and new blueprints developed. Only thorough preparation, design, implementation, vigilance, and ongoing maintenance can secure the organization’s information assets.

Security is constrained by societal factors—Several factors influence the implementation and maintenance of security controls and safeguards, including legal demands, shareholder requirements, and even business practices. For example, security professionals generally prefer to isolate information assets from the Internet, which is the leading avenue of threats to the assets, but the business requirements of the organization may preclude this control measure.

NIST SP 800-18, Rev. 1

SP 800-18, Rev. 1, “Guide for Developing Security Plans for Federal Information Systems,” can be used as the foundation for a comprehensive security blueprint and framework. This publication provides detailed methods for assessing, designing, and implementing controls and plans for applications of varying size. SP 800-18, Rev. 1, can serve as a useful guide to the activities described in this module and as an aid in the planning process. It also includes templates for major application security plans. As with any publication of this scope and magnitude, SP 800-18, Rev. 1, must be customized to fit the particular needs of an organization.

NIST and the Risk Management Framework

NIST’s approach to managing risk in the organization, titled the Risk Management Framework (RMF), emphasizes the following.

  • Building information security capabilities into federal information systems through the application of state-of-the-practice management, operational, and technical security controls.

  • Maintaining awareness of the security state of information systems on an ongoing basis through enhanced monitoring processes.

  • Providing essential information to help senior leaders make decisions about accepting risk to an organization’s operations and assets, individuals, and other organizations arising from the use of information systems.

The RMF has the following characteristics:

  • Promotes the concept of near real-time risk management and ongoing information system authorization through the implementation of robust continuous monitoring.

  • Encourages the use of automation to provide senior leaders with necessary information to make cost-effective, risk-based decisions about information systems that support an organization’s core missions and business functions.

  • Integrates information security into the enterprise architecture and system development life cycle.

  • Emphasizes the selection, implementation, assessment, and monitoring of security controls and the authorization of information systems.

  • Links risk management processes at the information system level to risk management processes at the organization level through a risk executive function.

  • Establishes responsibility and accountability for security controls deployed within an organization’s information systems and inherited by those systems (i.e., common controls).

The NIST Risk Management Framework is discussed in detail in Module 4, “Risk Management.”

The NIST Cybersecurity Framework

In early 2014, NIST published a new Cybersecurity Framework in response to Executive Order 13636 from President Obama. NIST’s mandate was to create a voluntary framework that provides an effective approach to “manage cybersecurity risk for those processes, information, and systems directly involved in the delivery of critical infrastructure services.”* The resulting framework, which is designed specifically to be vendor-neutral, closely resembles the other approaches described in this textbook, but it provides additional structure to the process, if not detail. The NIST framework builds on and works closely with the RMF described in the previous section. The framework document represents the integration of previously discussed special publications from NIST, in a form that makes the framework easier to understand and enables organizations to implement an information security improvement program.

The intent of the framework is to allow organizations to: “1) Describe their current cybersecurity posture; 2) Describe their target state for cybersecurity; 3) Identify and prioritize opportunities for improvement within the context of a continuous and repeatable process; 4) Assess progress toward the target state; and 5) Communicate among internal and external stakeholders about cybersecurity risk.”

The NIST framework consists of three fundamental components:

The framework core—This is a set of information security activities an organization is expected to perform, as well as their desired results. These core activities are as follows:

  • Identify—Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.

  • Protect—Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services.

  • Detect—Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.

  • Respond—Develop and implement the appropriate activities to take action regarding a detected cybersecurity event.

  • Recover—Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event.

The framework tiers—The framework then provides a self-defined set of tiers so organizations can relate the maturity of their security programs and implement corresponding measures and functions. The four tiers include the following:

  • Tier 1: Partial—In this category, an organization does not have formal risk management practices, and security activities are relatively informal and ad hoc.

  • Tier 2: Risk Informed—Organizations in this category have developed but not fully implemented risk management practices, and have just begun their formal security programs, so security is not fully established across the organization.

  • Tier 3: Repeatable—Organizations in this category not only have formally established risk management practices but have also implemented documented policy. The organization has begun a repeatable security program to improve its approach to information protection and proactively manage risk to information assets.

  • Tier 4: Adaptive—The most mature organization falls into this tier. The organization not only has well-established risk management and security programs but can also quickly adapt to new environments and threats. The organization is experienced at managing risk and responding to threats and has integrated security completely into its culture.

The framework profile—Organizations are expected to identify which tier their security programs most closely match and then use corresponding recommendations within the framework to improve their programs. This framework profile is then used to perform a gap analysis—comparing the current state of information security and risk management to a desired state, identifying the difference, and developing a plan to move the organization toward the desired state. This approach is identical to the approaches outlined elsewhere in this text.

Using the materials provided in the NIST framework, organizations are encouraged to follow a seven-step approach to implementing or improving their risk management and information security programs:

Step 1: Prioritize and scope—The organization identifies its business/mission objectives and high-level organizational priorities. With this information, the organization makes strategic decisions regarding cybersecurity implementations and determines the scope of systems and assets that support the selected business line or process.

Step 2: Orient—Once the scope of the cybersecurity program has been determined for the business line or process, the organization identifies related systems and assets, regulatory requirements, and overall risk approach. The organization then identifies threats to, and vulnerabilities of, those systems and assets.

Step 3: Create a current profile—The organization develops a current profile by indicating which category and subcategory outcomes from the framework core are currently being achieved.

Step 4: Conduct a risk assessment—This assessment could be guided by the organization’s overall risk management process or previous risk assessment activities. The organization analyzes the operational environment in order to discern the likelihood of a cybersecurity event and the impact that the event could have on the organization.

Step 5: Create a target profile—The organization creates a target profile that focuses on the assessment of the framework categories and subcategories describing the organization’s desired cybersecurity outcomes.

Step 6: Determine, analyze, and prioritize gaps—The organization compares the current profile and the target profile to determine gaps. Next, it creates a prioritized action plan to address those gaps that draws upon mission drivers, a cost-benefit analysis, and an understanding of risk to achieve the outcomes in the target profile. The organization then determines the resources necessary to address the gaps.

Step 7: Implement action plan—The organization determines which actions to take with regard to the gaps, if any, identified in the previous step. It then monitors its current cybersecurity practices against the target profile.
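The profile comparison in steps 3, 5 and 6 is mechanical enough to script. The following is an added example, not code from the textbook or from NIST: it records a current and a target profile as tier scores per framework-core outcome, computes the gaps, ranks them by a simple risk-weighted, cost-adjusted score, and picks a greedy action plan within a budget. The outcome identifiers, the 1 to 5 risk and cost ratings and the priority formula are constructed assumptions for illustration; the real Framework Core uses its own category and subcategory identifiers.

```python
"""Gap analysis between a current and a target framework profile.

Added example, not code from the textbook or from NIST. Outcome ids, tier
scores, risk and cost ratings and the priority formula are constructed for
illustration only.
"""
from dataclasses import dataclass

# Tier scale as described on the page.
TIERS = {1: "Partial", 2: "Risk Informed", 3: "Repeatable", 4: "Adaptive"}

# Constructed subset of framework-core outcomes, keyed by a made-up id.
OUTCOMES = {
    "ID-1": ("Identify", "Physical devices and systems are inventoried"),
    "PR-1": ("Protect", "Identities and credentials are managed"),
    "DE-1": ("Detect", "Network is monitored for potential events"),
    "RS-1": ("Respond", "Response plan is executed after an event"),
    "RC-1": ("Recover", "Recovery plan is executed after an event"),
}


@dataclass(frozen=True)
class Gap:
    outcome: str
    current: int   # tier currently achieved (step 3)
    target: int    # tier desired (step 5)
    risk: int      # 1..5 rating from the risk assessment (step 4), assumed scale
    cost: int      # 1..5 relative cost to close the gap, assumed scale

    @property
    def size(self) -> int:
        return self.target - self.current

    @property
    def priority(self) -> float:
        # Assumed scoring: bigger gaps on higher-risk outcomes rank first;
        # dividing by cost is the cost-benefit element of step 6.
        return self.size * self.risk / self.cost


def validate_profile(profile: dict) -> None:
    """Reject unknown outcomes and tier scores outside the 1..4 scale."""
    for ident, tier in profile.items():
        if ident not in OUTCOMES:
            raise KeyError(f"unknown outcome {ident}")
        if tier not in TIERS:
            raise ValueError(f"{ident}: tier {tier} outside 1..4")


def gap_analysis(current: dict, target: dict, risk: dict, cost: dict) -> list:
    """Step 6: compare the two profiles and return gaps ordered by priority."""
    validate_profile(current)
    validate_profile(target)
    gaps = []
    for ident, want in target.items():
        # An outcome missing from the current profile is treated as Tier 1.
        have = current.get(ident, 1)
        if want > have:
            gaps.append(Gap(ident, have, want, risk[ident], cost[ident]))
    return sorted(gaps, key=lambda g: (-g.priority, g.outcome))


def action_plan(gaps: list, budget: int) -> tuple:
    """Greedy selection of gaps to close within a cost budget, in priority order."""
    chosen, spent = [], 0
    for g in gaps:
        if spent + g.cost <= budget:
            chosen.append(g.outcome)
            spent += g.cost
    return chosen, spent


def report(gaps: list) -> list:
    """One human-readable line per gap, for the prioritized action plan."""
    lines = []
    for g in gaps:
        func, text = OUTCOMES[g.outcome]
        lines.append(f"{g.outcome} [{func}] {TIERS[g.current]} -> {TIERS[g.target]} "
                     f"risk={g.risk} cost={g.cost} priority={g.priority:.2f}: {text}")
    return lines


# Constructed sample profiles and ratings.
CURRENT = {"ID-1": 2, "PR-1": 3, "DE-1": 1, "RS-1": 1, "RC-1": 2}
TARGET = {"ID-1": 3, "PR-1": 3, "DE-1": 3, "RS-1": 3, "RC-1": 3}
RISK = {"ID-1": 2, "PR-1": 4, "DE-1": 5, "RS-1": 4, "RC-1": 3}
COST = {"ID-1": 1, "PR-1": 2, "DE-1": 3, "RS-1": 2, "RC-1": 2}

if __name__ == "__main__":
    found = gap_analysis(CURRENT, TARGET, RISK, COST)
    print("\n".join(report(found)))
    plan, total = action_plan(found, budget=5)
    print("plan:", plan, "cost:", total)
```

With the sample data, PR-1 already meets its target and produces no gap; the Respond and Detect gaps rank first because they are two tiers wide on high-risk outcomes, and a budget of 5 closes just those two. Re-running the script after each planning cycle is the iteration the text describes, with the target profile raised as the organization moves toward Tier 4.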

As you will learn in Module 11 while studying the SDLC waterfall methodology, the preceding steps are designed to be an iterative process that gradually moves the organization closer to a Tier 4 security level and results in a better approach to risk management and information protection.

NIST also provides a “Roadmap for Improving Critical Infrastructure Cybersecurity,” which provides supplemental guidance for the framework and insights into its future development and refinement as an evolutionary, living document.
