Nov 25 2024

Adding Value with Adding Value with Risk-Based Information Security

The article emphasizes the importance of integrating risk management and information security management systems (ISMS) for effective IT security. It recommends a risk-based approach, leveraging frameworks like ISO/IEC 27001 and NIST Cybersecurity Framework (CSF) 2.0, to guide decisions that counteract risks while aligning with business objectives. Combining these methodologies enhances control accuracy and ensures that organizational assets critical to business goals are appropriately classified and protected.

An enterprise risk management system (ERMS) bridges IT operations and business processes by defining the business value of organizational assets. This alignment enables ISMS to identify and safeguard IT assets vital to achieving organizational objectives. Developing a registry of assets through ERMS avoids redundancies and ensures ISMS efforts are business-driven, not purely technological.

The NIST CSF 2.0 introduces a “govern” function, improving governance, priority-setting, and alignment with security objectives. It integrates with frameworks like ISO 27001 using a maturity model to evaluate controls’ effectiveness and compliance. This approach ensures clarity, reduces redundancies, and provides actionable insights into improving cybersecurity risk profiles and resilience across the supply chain.

Operationally, integrating frameworks involves a centralized tool for managing controls, aligning them with risk treatment plans (RTP), and avoiding overlaps. By sharing metrics across frameworks and using maturity models, organizations can efficiently evaluate security measures and align with business goals. The article underscores the value of combining ISO 27001’s holistic ISMS with NIST CSF’s risk-focused profile to foster continual improvement in an evolving digital ecosystem.

For example, let’s consider an elementary task such as updating the risk policy. This is part of control 5.1 of ISO27001 on information security policies. It is part of the subcategory GV.PO-01 of the NIST CSF on policies for managing cybersecurity risks, but it is also present in the RTP with regard to the generic risk of failure to update company policies. The elementary control tasks are evaluated individually. Then, the results of multiple similar tasks are aggregated to obtain a control of one of the various standards, frameworks or plans that we are considering.

Best method for evaluating the effectiveness of control activities may be to adopt the Capability Maturity Model Integration (CMMI). It is a simple model for finding the level of maturity of implementation of an action with respect to the objectives set for that action. Furthermore, it is sufficiently generic to be adaptable to all evaluation environments and is perfectly linked with gap analysis. The latter is precisely the technique suitable for our evaluations – that is, by measuring the current state of maturity of implementation of the control and comparing it with the pre-established level of effectiveness, we are able to determine how much still needs to be done.

In short, the advantage of evaluating control tasks instead of the controls proposed by the frameworks is twofold.

  • The first advantage is in the very nature of the control task that corresponds to a concrete action, required by some business process, and therefore well identified in terms of role and responsibility. In other words, something is used that the company has built for its own needs and therefore knows well. This is an indicator of quality in the evaluation.
  • The second advantage is in the method of treatment of the various frameworks. Instead of building specific controls with new costs to be sustained for their management, it is preferable to identify each control of the framework for which control tasks are relevant and automatically aggregate the relative evaluations. The only burden is to define the relationship between the companys control tasks and the controls of the chosen framework, but just once.

More details and considerations on pros and cons are described in recent ISACA Journal article, “Adding Value With Risk-Based Information Security.”

Source: National Institute of Standards and Technology, The NIST Cybersecurity Framework (CSF) 2.0, USA, 2024, https://www.nist.gov/informative-references

Information Security Risk Management for ISO 27001/ISO 27002

Information Security Risk Assessment Workshop

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot | Comprehensive vCISO Services | ISMS Services | Security Risk Assessment Services

Tags: Risk-Based Information Security


Sep 08 2023

NIST Gap Assessment Tool

Category: NIST CSF,NIST Privacydisc7 @ 1:23 pm

The NIST Gap Assessment Tool will cost-effectively assess your organization against the NIST SP 800-171 standard. It will help you to:

  • Understand the NIST SP 800-171 requirements for storing, processing, and transmitting CUI (Controlled Unclassified Information)
  • Quickly identify your NIST SP 800-171 compliance gaps
  • Plan and prioritise your NIST SP 800-171 project to ensure data handling meets U.S. DoD (Department of Defense) requirements

Get started with your NIST SP 800-171 compliance project

The DoD requires U.S. contractors and their subcontractors to have an available assessment of their compliance with NIST SP 800-171. As part of a national movement to have a consistent approach to cybersecurity across the U.S., even organizations that store, process, or transmit unclassified and/or sensitive information must complete an assessment.

ITG NIST Gap Assessment Tool provides the assessment template you need to guide you through compliance with the DoD’s requirements for NIST SP 800-171. The tool lays out all 14 categories and 110 security controls from the Standard, in Excel format, so you can complete a full and easy-to-use assessment with concise data reporting.

What does the tool do?

  • Features the following tabs: ‘Instructions’, ‘Summary’, and ‘Assessment and SSP (System Security Plan)’.
  • The ‘Instructions’ tab provides an easy explanation of how to use the tool and assess your compliance project, so you can complete the process without hassle.
  • The ‘Assessment and SSP’ tab shows all control numbers and requires you to complete your assessment of each control.
  • Once you have completed the full assessment, the ‘Summary’ tab provides high-level graphs for each category and overall completion. Analysis includes an overall compliance score and shows the amount of security controls that are completed, ongoing, or not applied in your organization.
  • The ‘Summary’ tab also provides clear direction for areas of development and how you should plan and prioritize your project effectively, so you can start the journey of providing a completed NIST SP 800-171 assessment to the DoD.

This NIST Gap Assessment Tool is designed for conducting a comprehensive compliance assessment.  NIST SP 800-171 Assessment Tool.

The Complete DOD NIST 800-171 Compliance Manual: Comprehensive Controlled Unclassified Information (CUI) Marking & Handling Section

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: NIST Gap Assessment Tool, NIST SP 800-171


Aug 03 2022

NIST Gap Assessment Tool

Category: NIST CSFDISC @ 2:48 pm

NIST 800-171a/CMMC 2.0 Self-Assessment Guide

NIST Cybersecurity Framework – A Pocket Guide

DISC InfoSec

#InfoSecTools and #InfoSectraining

#InfoSecLatestTitles

#InfoSecServices

Ask DISC an InfoSec & compliance related question

Tags: NIST 800-171, NIST Gap Assessment Tool


Feb 21 2022

New Version of the NIST CSF Tool

Category: NIST CSF,NIST PrivacyDISC @ 9:32 am
NIST CSF Tool

By John Masserini

THE NIST CSF TOOL

I am quite thrilled to announce that the long-overdue update to my NIST CSF tool V2.0 is finally done. While this new version generally looks the same as the prior one, there are substantial changes underneath which will make updating it in the future far easier.

Originally released in January of 2019, it has become the most popular page on the site, with almost 20,000 downloads. To get a full understanding of the tool, you can read the original post here which goes into great detail about why it was developed and how to use it.

After numerous requests, I have also added the NIST Privacy Framework to the tool as well. The same logic has been applied here as to the CSF side – it’s just as, or perhaps even more, important to measure what you do (your practices) against what you say you do (your policies) when it comes to Privacy as it is Security.

As always, I welcome suggestions and feedback. The email to reach me is in the worksheet.

You can find the new version on the Downloads page.

NIST Cybersecurity Framework: A pocket guide 

Tags: NIST CSF Tool


Jan 12 2022

NIST Cybersecurity Framework (CSF)

Category: Information Security,NIST CSFDISC @ 10:34 am

NIST Cybersecurity Framework – A Pocket Guide

NIST Cybersecurity Framework - A Pocket Guide

Tags: CSF, NIST Cybersecurity Framework


Mar 11 2021

Get More Value from NIST CSF, MITRE ATT&CK and COSO ERM with RiskLens

Category: Attack Matrix,NIST CSFDISC @ 11:13 pm

MITRE ATT&CK matrices

MITRE ATT&CK is a tool to help cybersecurity teams get inside the minds of threat actors to anticipate their lines of attack and most effectively position defenses. MITRE ATT&CK works synergistically with FAIR to refine a risk scenario (“threat actor uses a method to attack an asset resulting in a loss”).

Enter an asset into the MITRE ATT&CK knowledge base and it returns a list of likely threat actors and their methods to inform a risk scenario statement. It also helps to fill in color and detail for the FAIR factors, such as the relative strength of threat actors likely to go after an asset or the resistance strength of the controls around the asset, as well as the frequency of attack one might expect from these actors, based on internal or industry data (housed in the Data Helpers and Loss Tables on the RiskLens platform). All these are ultimately fed into the Monte Carlo simulation engine to show probable loss exposure for the scenario. The data we collect on our assets and threat actors can be stored in libraries on the platform for repeat use.

MITRE ATT&CK also suggests controls for mitigation efforts specific to attacks. As with the controls suggested by NIST CSF, we can assess those in the platform for cost-effectiveness in risk reduction in financial terms.

Finally, RiskLens + MITRE ATT&CK can help refine tactics for the first line of defense. With a clear sense of top risk scenarios generated by RiskLens, and a clear sense of attack vectors for those scenarios, the SOC can better prioritize among the many incoming alerts based on potential bottom-line impact.

Tags: MITRE ATT&CK


Nov 18 2020

Senate passes bill to secure internet-connected devices against cyber

Category: NIST CSF,NIST PrivacyDISC @ 11:40 pm

The Senate this week unanimously passed bipartisan legislation designed to boost the cybersecurity of internet-connected devices.

The Senate passes a bill that would require all internet-connected devices purchased by the US government to comply with NIST’s minimum security recommendations

The Internet of Things Cybersecurity Improvement Act would require all internet-connected devices purchased by the federal government — such as computers and mobile devices — to comply with minimum security recommendations issued by the National Institute of Standards and Technology.

The bill would require private sector groups providing devices to the federal government to notify agencies if the internet-connected device has a vulnerability that could leave the government open to attacks.

The legislation, which the Senate advanced on Tuesday, was passed unanimously by the House in September. It now heads to President Trump for a signature.

“Most experts expect tens of billions of devices operating on our networks within the next several years as the Internet of Things (IoT) landscape continues to expand,” Gardner noted in a separate statement. “We need to make sure these devices are secure from malicious cyber-attacks as they continue to transform our society and add countless new entry points into our networks. Ensuring that our government has the capabilities and expertise to help navigate the impacts of the latest technology will be important in the coming years and decades.”

Source: Senate passes bill to secure internet-connected devices against cyber











Dec 07 2019

NIST CyberSecurity Framework and ISO 27001

Category: Information Security,ISO 27k,NIST CSFDISC @ 6:54 pm

NIST CyberSecurity Framework and ISO 27001

[pdf-embedder url=”https://blog.deurainfosec.com/wp-content/uploads/2019/12/NIST_ISO_Green_Paper_NEW_V3___Final_Edits.pdf”]

How to get started with the NIST Cybersecurity Framework (CSF) – Includes Preso

Written Information Security Program (WISP) – ISO 27002, NIST Cybersecurity Framework & NIST 800-53
httpv://www.youtube.com/watch?v=B8QjwD6f4rc

What is ISO 27001?
httpv://www.youtube.com/watch?v=AzSJyfjIFMw

Virtual Session: NIST Cybersecurity Framework Explained
httpv://www.youtube.com/watch?v=nFUyCrSnR68





Enter your email address:

Delivered by FeedBurner




Tags: iso 27001, NIST CSF, NIST RMF


Oct 14 2019

The best practice guide for an effective infoSec function

Building ISMS

The best practice guide for an effective infoSec function: iTnews has put together a bit of advice from various controls including ISO 27k and NIST CSF to guide you through what’s needed to build an effective information security management system (ISMS) within your organization.

This comprehensive report is a must-have reference for executives, senior managers and folks interested in the information security management area.

 

Practice Guide

Open a PDF file The best practice guide for an effective infoSec function.

How to Build a Cybersecurity Program based on the NIST Cybersecurity Framework
httpv://www.youtube.com/watch?v=pDra0cy5WZI

Beginners ultimate guide to ISO 27001 Information Security Management Systems
httpv://www.youtube.com/watch?v=LytISQyhQVE

Conducting a cybersecurity risk assessment


Subscribe to DISC InfoSec blog by Email




Tags: isms


Sep 21 2019

How to get started with the NIST Cybersecurity Framework (CSF) – Expel

Category: NIST CSF,Security ComplianceDISC @ 11:02 am

We give you a quick tour of the NIST Cybersecurity framework and describe how you can baseline your efforts in a couple of hours. So check it out.

Source: How to get started with the NIST Cybersecurity Framework (CSF) – Expel

The CyberSecurity Framework Ver 1.1 Preso
[pdf-embedder url=”https://blog.deurainfosec.com/wp-content/uploads/2019/09/NIST-CSF-1.1-preso.pdf” title=”NIST CSF 1.1 preso”]

Virtual Session: NIST Cybersecurity Framework Explained
httpv://www.youtube.com/watch?v=nFUyCrSnR68

CSS2017 Session 14 SANS Training – NIST Cyber Security Framework
httpv://www.youtube.com/watch?v=I-s4bAzH7t0

Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certification | Edureka
httpv://www.youtube.com/watch?v=uk8-jJgu8-I

Free PDF download: NIST Cybersecurity Framework and ISO 27001 | IT Governance USA


Subscribe to DISC InfoSec blog by Email




Tags: NIST CSF