1 | P a g e
2017
Implementing the CCSESA Cybersecurity Framework
Implementing the CCSESA Cybersecurity Framework (CCSF) – Version 1.0
CCSESA Cybersecurity Guidebook
Proud to collaborate in support of responsible technology protecting our children and employees.
CCSESA's mission is to strengthen the service and leadership capabilities of California's 58 County Superintendents in support of students, schools, districts and communities.
Empowering education through assessment and security.
Both groups working to support the thoughtful, responsible and effective integration of education, security and technology to increase student effectiveness and achievement.
Special thanks to an advisory group that provided quality control throughout the development of this project:
• Raj Sra - Administrator, Information Systems & Technology at Fresno COE
• Justin Norcross - Chief Technology Officer at Inyo COE
• Greg Lindner - Chief Technology Officer at Los Angeles COE
• Dane Lancaster - Senior Director, Information Technology at Marin COE
• Nanette Waggoner - Director, Information Technology Services at Merced COE
• Carl Fong - Executive Director IT at Orange COE
• Karen Connaghan - Assistant Superintendent/CTO at San Diego COE
• Lorrie Owens - Administrator, Information Technology Services at San Mateo COE
• David Wu - Chief Technology Officer/Asst. Superintendent at Santa Clara COE
• Sally Savona - Division Director, Technology & Learning Resources at Stanislaus COE
• Stephen Carr - Chief Technology Officer at Ventura COE
• Mark Archon - Director, Instructional Technology Services at Fresno COE
• Vern Alvarado - Infrastructure Manager at Merced COE
• Peter Skibitzki - Director of Information Technology and Communications at Placer COE
• Richard D'Souza - Information Security Officer, Information Technology Services at Riverside COE
• David Evans - Systems Security and Research Officer at San Bernardino COE
• Mitch Hsu - Director of Technology Services at Ventura COE
• Luis Wong - CEO, K12 High Speed Network
Executive Summary

Information is a key resource for all educational institutions. Instructional technology and information technology that support information are increasingly all-encompassing, advanced, and connected. Because of this, information systems are constantly being attacked. Destructive assaults against schools, school districts and other educational institutions point toward a renewed dedication to managing risk at an acceptable level. Many schools are stepping up to this challenge, but there is a need for help in developing roadmaps to protect educational assets. One solution is an industry-standard approach that looks toward other institutions that have been successful through a combination of manageable processes and quantitative improvements. This guidebook was developed to describe just such practices, allowing schools and school districts to better understand risk and to manage that risk. The text enables the reader to apply industry-proven methods to implement the provided CCSESA Cybersecurity Framework, which is built upon the legislation and presidential orders described below. Application of this framework facilitates communication about priorities and activities in simple, easy-to-understand terms, mitigating district risk. In addition to the text, accompanying e-Learning modules will guide the reader through this process.

As early as 2013, President Barack Obama issued Executive Order (EO) 13636, Improving Critical Infrastructure Cybersecurity. Recall that prior to this executive order there had been several security breaches targeting financial institutions and retail establishments, resulting in significant losses to the districts. This Executive Order called for the development of a "voluntary" risk-based framework centered on managing security that could provide several characteristics:

• The framework would be prioritized.
• The framework would be flexible.
• Implementation of the framework would be repeatable.
• The framework itself is performance-based.
• The framework would be cost-effective.

Various partners developed the framework through partnerships, including international partnerships of both Fortune 100 and smaller organizations, which included many of the owners and operators of critical infrastructure throughout the nation. Leadership for the development of the framework was provided by the National Institute of Standards and Technology (NIST). The framework provides a risk-based approach to enable rapid success in steps to improve the overall security maturity within districts. CCSESA recognizes that the values closely held throughout the district mirror the governance and management practices fostered for many years. Building on a known industry standard, Control Objectives for Information and related Technology (COBIT) 5, and on the key principles of the two frameworks allowed each to meld into a single security framework that can be implemented by a variety of audiences, from small schools to large schools to County Offices of Education.

This document maps each of the NIST steps and activities developed because of the Executive Order, thus extending CCSESA's guidance with practical and measurable activities. Achieving the objectives prescribed in this framework will allow school districts to address operational risk while understanding that risk in a more business-like context, thus enabling districts to be very proactive in managing risk.
This approach provides proactive value to the stakeholders of the district, translating high-level strategic or enterprise goals into more manageable, specific objectives rather than a simple, disconnected checklist model.

While the intention of the CCSESA Security Framework is to support educational services, it is applicable to any organization that wishes to better manage and reduce cybersecurity risk. Schools are not immune to cybersecurity attacks. Districts are connected to critical functions through various telecommunication services that can render them vulnerable to hacking and other malicious attacks. Improving the overall risk management capabilities of each member of the school district will ultimately reduce cybersecurity risk.

CCSESA's Framework provides districts with a unique and valuable understanding of how to implement the NIST Framework and correlate the indicators provided in the framework to COBIT 5 standards as well as ISO 27001 specifications. The ISO 27001 standard defines an information security management program. This level of understanding is presented throughout the guidebook, with templates provided in the form of a toolkit as part of this effort. While the NIST Framework provides references to important security controls, the CCSESA Framework helps to apply those security controls through concepts such as the COBIT goals cascade. This cascade supports the identification of needs and enterprise goals that are achieved by outcomes supporting the successful use of the COBIT enabling processes and governance structures. By following the guidelines specified within this framework, school districts are guided to attain outcomes in a more measurable way than without the underlying processes. The use of this document can result in a district understanding potential risk and being prepared to deal with unforeseen circumstances and potential disasters, allowing it to minimize its losses in the event of a security breach or disaster.
Table of Contents

Executive Summary ... 3
Table of Contents ... 5
Section 1. Framework Implementation ... 7
  Relationship of the COBIT 5 Goals Cascade to the CCSF ... 7
  Steps of Implementation ... 10
  CSF Step 1: Prioritize and Scope ... 13
  CSF Step 2: Orient ... 17
  CSF Step 3: Create a Current Profile ... 18
  CSF Step 4: Conduct a Risk Assessment ... 22
  CSF Step 5: Create a Target Profile ... 23
  CSF Step 6: Determine, Analyze, and Prioritize Gaps ... 26
  CSF Step 7: Implement Action Plan ... 30
  CSF Action Plan Review ... 36
  CSF Lifecycle Management ... 38
Appendix A. Introduction ... 43
  Background ... 43
  Governance and Management of Enterprise Information Technology ... 45
  Introduction to the Framework for Improving Critical Infrastructure Cybersecurity ... 46
  Introduction to COBIT 5 ... 48
  COBIT 5 Governance and Management ... 49
  COBIT 5 Goals Cascade ... 49
  COBIT 5 Enablers ... 49
  COBIT 5 Process Reference Model ... 50
  COBIT 5 Implementation Guidance ... 53
  Scope and Approach ... 53
Appendix B. Introduction to NIST Cybersecurity Framework 1.0 ... 55
  Framework Background ... 55
  Coordination of Framework Implementation ... 62
  Framework Core ... 63
  Framework Implementation Tiers ... 67
  Framework Profiles ... 70
  Risk Considerations from COBIT and the CCSF ... 71
  The Risk Function Perspective (COBIT 5) ... 72
  The Risk Management Perspective ... 73
Appendix C. Communicating Cybersecurity Requirements with Stakeholders ... 75
Appendix D: Framework Core ... 76
Appendix E: CCSESA CCSF Toolkit ... 91
  Profile Metadata ... 91
  Current State Profile ... 93
  Target State Profile ... 94
  Gap Analysis ... 95
Appendix F: Considerations for Critical Infrastructure Sectors ... 97
  Role Identification ... 97
  Implementation Scope ... 97
  Risk Considerations ... 97
  Quality Management ... 97
  Threat and Vulnerability Information ... 98
  Automated Indicator Sharing ... 98
  Supply Chain Risk Management ... 99
  Current and Target Profiles ... 99
  Framework Next Steps ... 99
Section 1. Framework Implementation

The following section describes the use of CCSESA-supplied methodologies to accomplish the implementation guidance in the CCSF "How to Use" section. CCSF and COBIT each provide seven high-level steps, or phases. These generally align, although COBIT provides a post-execution assessment (Phase 6—Did We Get There?) and ongoing lifecycle maintenance activities (Phase 7—How Do We Keep the Momentum Going?) that are implicit, but not fully described, in the CCSF. It is important to note that implementation is not an "all or nothing" endeavor. Those adopting the processes described may select whichever ones will assist in accomplishing enterprise goals. In this sense, the processes are available to select from, not a checklist to implement.

The following text describes the use of the CCSF to accomplish the seven COBIT implementation phases, providing the following information about each phase:

• The purpose of the phase
• Key activities in the phase
• COBIT 5 practice(s) and process(es) that support application of that phase (i.e., realization of the applicable CCSF Core Category/Subcategory Outcome)

The activities and processes described are informative and may help the implementation team to determine what to do for each phase, but they are not prescriptive and should be tailored to achieve individual district goals and approach. Keep in mind available budget, resource expertise and implementation costs.
Relationship of the COBIT 5 Goals Cascade to the CCSF

The CCSF recognizes that, because every school district faces unique challenges and opportunities, including having numerous internal and external stakeholders, each has unique requirements for governance and management activities. These stakeholders drive requirements for the enterprise, and thus the cybersecurity risk. As those requirements are set, the district can use the COBIT 5 framework goals cascade to further refine those requirements.

The COBIT 5 framework describes the goals cascade as

"the mechanism to translate stakeholder needs into specific, actionable and customized enterprise goals, IT-related goals and enabler goals. This translation allows setting specific goals at every level and in every area of the enterprise in support of the overall goals and stakeholder requirements, and thus effectively supports alignment between enterprise needs and IT solutions and services."

The COBIT 5 goals cascade is shown in Figure 16.
The goals cascade supports the identification of stakeholder needs and enterprise goals, which themselves contribute to understanding of the overall district drivers such as "compliance with external laws and regulations" or "business service continuity and availability." The achievement of enterprise goals is supported by technical outcomes, which, in turn, require successful application and use of a number of enablers. The enabler concept is detailed within the COBIT 5 framework. Enablers include processes, district structures and information, and for each enabler, a set of specific relevant goals is defined in support of technical goals. In relation to the CCSF, the enablers support activities to attain outcomes in the Core categories and subcategories.

An important note that was highlighted throughout CCSF development exercises was that there may be layers of key stakeholders with varying enterprise goals. In the critical infrastructure community, for example, district goals may include drivers from national priorities, stakeholders from critical sector-specific agencies or officials from sector coordinating councils. These are not unlike existing enterprise goals, such as "Compliance with external laws and regulations."

Examining the district goals in this step should include understanding balanced priorities among what is best for the enterprise and any external commitments, such as provisioning of critical services.
Steps of Implementation

The steps of the CCSF include the following:

1. Prioritize and Scope
2. Orient
3. Create a Current Profile
4. Conduct a Risk Assessment
5. Create a Target Profile
6. Determine, Analyze and Prioritize Gaps
7. Implement Action Plans
The steps of the COBIT 5 Goals Cascade include the following:

Phase 1 - What are the drivers?
Phase 2 - Where are we now?
Phase 3 - Where do we want to be?
Phase 4 - What needs to be done?
Phase 5 - How do we get there?
Phase 6 - Did we get there?
Phase 7 - How do we keep the momentum going?

The following pages represent an attempt at providing some considerations to review in following the 7-step process of implementing the CCSESA Cybersecurity Framework. Each component includes the relevant component of COBIT 5. The COBIT 5 references provided will be coded to allow for easy access using the CCSF database. For example:

EDM01.01 translates to the Evaluate, Direct and Monitor (EDM) portion of the COBIT 5 Process Map for the governance of enterprise IT. A chart of the various correlations is found at the conclusion of this Section.
Figure: COBIT 5 Process Reference Model
CSF Step 1: Prioritize and Scope. COBIT Phase 1—What Are the Drivers?

The IT Governance Institute's governance guidance for Boards of Directors and Executive Management points out that

"Information security governance is the responsibility of the board of directors and senior executives."

It must be an integral and transparent part of district governance and be aligned with the IT governance framework. To exercise effective enterprise and information security governance, Boards and Senior Executives must have a clear understanding of what to expect from their district's information security program. Reviewers pointed out that effective alignment of business drivers with IT Governance and Management resulted in improved security and better understanding of enterprise security requirements. IT Governance and Management's basis in mission supports the use of language and terminology that are familiar to the executive level, rather than the use of technical jargon and buzzwords that are misaligned with common business terms. Understanding of the governance issues and benefits, in business terms, supports buy-in and commitment from senior management.

Through these methods, accomplishment of the Core outcomes through selected district goals and processes directly supports stakeholder goals and drivers, moving IT Governance and Management from merely a compliance exercise to a method to provide value to the district.
Implementation Considerations for CCSF Step 1

Purpose
• To obtain an understanding of the district governance approach (including risk architecture, business drivers and compliance requirements) to inform risk assessment activities and to prioritize security activity.

Inputs
• Enterprise policies, strategies, governance and business plans
• Risk architecture strategy
• Current enterprise environment and business processes
• Enterprise vision and mission statements

High-level Activities
• Identify the key executive board-level stakeholders that authoritatively speak to mission drivers and risk appetite.
• Determine the scope to be addressed through application of the CCSF. This level could be district-wide or any subsection of the district.
• Identify district mission and/or services addressed through use of the CCSF.
• Identify the applicable risk architecture for the district and available methods for risk identification, measurement, assessment, reporting and monitoring.
• Define roles and responsibilities for conveying prioritization and resource availability, and for implementing actions to achieve IT value.
• Determine the systems (people, processes and technology) required to attain mission goals.
• Use the COBIT 5 goals cascade to translate stakeholder needs into specific, actionable and customized enterprise goals. This effectively supports alignment among enterprise needs and the CCSF outcomes from subsequent phases, and aids in reporting progress toward goals.
• Document the prioritization decisions and resources available for managing risk to the appropriate level. Documentation should include accountability, deadlines and reporting method.

Outcomes
• Enterprise architecture vision
• Organizational mission and drivers
• Organizational direction regarding funding and other resources
• Quality management system (QMS)
• Understanding of the district's present and future attitude toward risk and IT risk position
COBIT 5 Correlation to CCSESA Cybersecurity Framework Implementation Step 1

| COBIT 5 Practice | CCSF Description |
|---|---|
| EDM01.01 | Evaluate the governance system. Continually identify and engage with the district's stakeholders, document an understanding of all requirements, and make a judgment on the current and future design of governance of the district's IT environment. |
| APO01 (ALL) | Provide a consistent management approach to enable the district governance requirements to be met, covering management processes, district structures, roles and responsibilities, reliable and repeatable activities, and skills and competencies. |
| APO02.01 | Understand enterprise direction. Consider the current enterprise environment and business processes, as well as the enterprise strategy and future objectives. Consider also the external environment of the district (drivers, regulations and basis for competition). |
| APO03.01 | Develop the district architectural vision. The architectural vision provides a first-cut, high-level description of the baseline and target architectures, covering the district, information, data, applications and technology domains, giving IT directors the key tool to sell the benefits of the proposed capability to stakeholders within the district. The architecture vision describes how the new capability will meet enterprise goals and strategic objectives and address stakeholder concerns when implemented. |
| APO04.02 | Maintain an understanding of the enterprise environment. Work with relevant stakeholders to understand the challenges. Maintain an adequate understanding of district strategy in the competitive environment or other constraints so that opportunities enabled by new technologies can be identified. |
| APO05.01 | Establish the target investment mix. Review and ensure clarity of the enterprise and IT strategies and current services. Define an appropriate investment mix based on cost, alignment with strategy and financial measures such as cost and expected ROI over the full economic life cycle, degree of risk and type of benefit for the programs in the portfolio. Adjust the enterprise and IT strategies where necessary. |
| APO05.02 | Determine the availability of sources of funds. Determine potential sources of funds, different funding options and the implications of the funding source on the investment return expectations. |
| APO05.03 | Evaluate and select programs to be funded. Based on the overall investment portfolio mix requirements, evaluate and prioritize program business cases, and decide on investment proposals. Allocate funds and initiate programs. |
| APO06.01 | Manage finance and accounting. Establish and maintain a method to account for all IT-related costs, investments and depreciation as an integral part of the enterprise financial systems and chart of accounts to manage investments and the cost of IT. Capture and allocate actual costs, analyze variances between forecast and actual cost, and report using the enterprise's financial measurement systems. |
| APO06.02 | Prioritize resource allocation. Implement a decision-making process to prioritize the allocation of resources and rules for discretionary investments by individual business units. Include the potential use of external service providers and consider the buy, develop and rent options. |
| APO06.03 | Create and maintain budgets. Prepare a budget reflecting the investment priorities supporting strategic objectives based on the portfolio of IT-enabled programs and IT services. |
| APO06.04 | Model and allocate costs. Establish and use an IT costing model based on the service definition, ensuring that the allocation of costs for services is identifiable, measurable and predictable, to encourage the responsible use of resources including those provided by service providers. Regularly review and benchmark the appropriateness of the cost/chargeback model to maintain its relevance and appropriateness to the evolving business and IT activities. |
| APO06.05 | Manage costs. Implement a cost management process comparing actual costs to budgets. Costs should be monitored and reported and, in the case of deviations, identified in a timely manner and their impact on enterprise processes and services assessed. |
| APO07.01 | Maintain adequate and appropriate staffing. Evaluate staffing requirements on a regular basis or on major changes to the enterprise or operational or IT environments to ensure that the enterprise has sufficient human resources to support enterprise goals and objectives. Staffing includes both internal and external resources. |
| APO08.01 | Understand business expectations. Understand current business issues and objectives and business expectations for IT. Ensure that requirements are understood, managed and communicated, and their status agreed on and approved. |
| APO08.03 | Manage the business relationship. Manage the relationship with customers (business representatives). Ensure that relationship roles and responsibilities are defined and assigned, and communication is facilitated. |
| APO10.01 | Identify and evaluate supplier relationships and contracts. Identify suppliers and associated contracts, then categorize them into type, significance and criticality. Establish supplier and contract evaluation criteria and evaluate the overall portfolio of existing and alternative suppliers and contracts. |
CSF Step 2: Orient. COBIT Phase 2—Where Are We Now?

Having identified the district mission and drivers that support stakeholder objectives, the district identifies related systems and assets that enable achieving those stakeholder needs. It is important to note that the CCSF does not limit these systems and assets to purely IT, which is a subset of the overall list of assets to be considered. Examples of assets to consider in the Orient step include:

• facilities in which technology resides,
• operators that ensure equipment functions safely, and
• infrastructure that delivers products to customers.

Having gained an understanding of the cascading goals, and how the business and IT function need to deliver value from IT in support of the enterprise goals, the district then identifies threats to, and vulnerabilities of, those systems and assets. This must be conducted with an understanding of the district's present and future attitude toward risk and IT risk position.

Before creating the Current Profile, the implementer should review the Framework Implementation Tiers as described in Figure 13, p. 68. Selection of the appropriate Tier that will attain stakeholder needs in an optimal way will establish the scale for answering the question, "Where are we now?" The goal of the process is to establish the appropriate levels of governance and management to accomplish the risk objectives defined in COBIT Phase 1 and CCSF Step 1. Selection of a Tier that is less than suitable may result in the lack of sufficient processes to address risk or to coordinate with other entities. Improper selection of the highest Tier, however, may impose costly district-wide programs and processes whose benefits are not commensurate with the Phase 1 goals defined. The dialogue to determine appropriate goals, Tiers and activities, in consideration of the unique organizational context, is one of the key benefits of applying this framework.
CSF Step 3: Create a Current Profile. COBIT Phase 2—Where Are We Now? (Continuation from CCSF Step 2)

The CCSESA CCSF Core contains approximately 100 subcategories of outcomes (don't get overwhelmed), many of which are supported by one or more COBIT processes. For the CCSF, the user should create the Current Profile for all the subcategories. Viewed through the lens of the district tier, which helps inform how to accomplish an outcome, the implementer reviews each subcategory and determines the level to which that outcome has been attained to fulfill stakeholder goals. For each row in the template, determine and record the current level of achievement, as guided by the principles in the COBIT PAM (Process Assessment Model, see p. 67) and in COBIT Assessor's Guide: Using COBIT 5. The assessor's guide provides detailed criteria for determining appropriate activities to achieve the outcomes. In consideration of that guidance, select the appropriate level of achievement for each subcategory according to the scale detailed in Figure 17.

Figure 17 - Achievement Rating Scale

| Abbreviation | Description | % Achieved |
|---|---|---|
| N | Not Achieved | 0-15 |
| P | Partially Achieved | >15-50 |
| L | Largely Achieved | >50-85 |
| F | Fully Achieved | >85-100 |

Source: This table is adapted from ISO 15504-2:2003, Section 5.7.2 and is used extensively for quantifying achievement during assessment.

Appendix B provides a full COBIT Current Profile template based on the CCSESA CCSF Core, including a detailed description of the Current Profile elements in Figure B.2.
Implementation Considerations for CCSESA CCSF Steps 2 and 3

Purpose
1. To gain an understanding of the district systems and assets that enable the mission described in Phase 1, determining specific IT goals for protecting those systems (in accordance with business impact requirements).
2. To understand overarching threats to, and vulnerabilities of, those systems and assets, and use the Current Profile template to record current outcome achievement levels.

Inputs
• Organizational mission and drivers
• Understanding of the cascading goals
• Statement of how business and IT function deliver value from IT
• Understanding of the district's present and future attitude toward risk and IT risk position
• Framework Implementation Tiers

High-level Activities
• Determine business and operational systems on which stakeholder drivers (as described in Phase 1) depend. Determination should include any downstream dependencies for identified systems and assets.
• Ascertain availability goals and/or recovery goals for identified systems and assets in order to provide stakeholder value and fulfill district obligations (such as contractual availability requirements, critical infrastructure service requirements, and service level agreements).
• Review the Framework Implementation Tiers and record the Tier selected for the district (within the scope determined in Phase 1).
• Considering the characteristics of the desired Tier, and using the COBIT 5 assessment methodology (based on ISO 15504), complete the Current Profile template, reviewing each subcategory and recording current status ranging from Not Achieved to Fully Achieved. Ensure that appropriate rationale/evidence is included for each component.

Outputs
• Threats to, and vulnerabilities of, important systems and assets
• Organizational risk assessment
• Current profile
• IT-enabled service catalog
• Service agreements
• Availability, performance and capacity baselines for future comparison
COBIT 5 Practice
CCSFDescriptionCO
BIT5CO
RRELLATIONTOCCSESACYB
ERSECU
RITYFRA
MEW
ORK
IMPLEM
ENTA
TIONSTEP2
APO02.01 Understand enterprise direction. Consider the current enterprise environment and business processes, as well as the enterprise strategy and future objectives. Consider also the external environment of the enterprise (industry drivers, relevant regulations, basis for competition).
APO02.02 Assess the current environment, capabilities and performance. Assess the performance of current internal business and IT capabilities and external IT services, and develop an understanding of the enterprise architecture in relation to IT. Identify issues currently being experienced and develop recommendations and areas that could benefit from improvement. Consider service provider differentiators and options and the financial impact and potential cost and benefits of using external services.
APO03.02 Define reference architecture. The reference architecture describes the current and target architectures for the business, information, data, application and technology domains.
APO04.01 Create an environment conducive to innovation. Create an environment that is conducive to innovation, considering issues such as culture, reward, collaboration, technology forums, and mechanisms to promote and capture employee ideas.
APO07.02 Identify key IT personnel. Identify key IT personnel while minimizing reliance on a single individual performing a critical job function through knowledge capture (documentation), knowledge sharing, succession planning and staff backup.
APO07.03 Maintain the skills and competencies of personnel. Define and manage the skills and competencies required of personnel. Regularly verify that personnel have the competencies to fulfill their roles based on their education, training, and/or experience, and verify that these competencies are being maintained, using qualification and certification programs where appropriate. Provide employees with ongoing learning and opportunities to maintain their knowledge, skills and competencies at a level required to achieve enterprise goals.
APO07.05 Plan and track the usage of IT and business human resources. Understand and track the current and future demand for business and IT human resources with responsibilities for enterprise IT. Identify shortfalls and provide input into sourcing plans, enterprise and IT recruitment processes sourcing plans, and business and IT recruitment processes.
APO09.01 Identify IT services. Analyze business requirements and the way in which IT-enabled services and service levels support business processes. Discuss and agree on potential services and service levels with the business, and compare them with the current service portfolio to identify new or changed services or service level options.
APO09.02 Catalog IT-enabled services. Define and maintain one or more service catalogs for relevant target groups. Publish and maintain live IT-enabled services in the service catalog.
APO09.03 Define and prepare service agreements. Define and prepare service agreements based on the options in the service catalog. Include internal operational agreements.
APO11.02 Define and manage quality standards, practices and procedures. Identify and maintain requirements, standards, procedures and practices for key processes to guide the enterprise in meeting the intent of the agreed-on QMS. This should be in line with the IT control framework requirements. Consider certification for key processes, district units, products or services.
APO12.01 Collect data. Identify and collect relevant data to enable effective IT-related risk identification, analysis and reporting.
BAI03.11 Define IT services and maintain the service portfolio. Define and agree on new or changed IT services and service level options. Document new or changed service definitions and service level options to be updated in the services portfolio.
BAI04.01 Assess current availability, performance and capacity and create a baseline. Assess availability, performance and capacity of services and resources to ensure that cost-justifiable capacity and performance are available to support business needs and deliver against service level agreements. Create availability, performance and capacity baselines for future comparison.
BAI04.03 Plan for new or changed service requirements. Plan and prioritize availability, performance and capacity implications of changing business needs and service requirements.
BAI09.01 Identify and record current assets. Maintain an up-to-date and accurate record of all IT assets required to deliver services and ensure alignment with configuration management and financial management.
BAI09.02 Manage critical assets. Identify assets that are critical in providing service capability and take steps to maximize their reliability and availability to support business needs.
BAI10.01 Establish and maintain a configuration model. Establish and maintain a logical model of the services, assets and infrastructure and how to record configuration items (CIs) and the relationships among them. Include the CIs considered necessary to maintain services effectively and to provide a single reliable description of the assets in a service.
BAI10.02 Establish and maintain a configuration repository and baseline. Establish and maintain a configuration management repository and create controlled configuration baselines.
BAI10.03 Maintain and control configuration items. Maintain an up-to-date repository of configuration items by populating it with changes.
MEA03.01 Identify external compliance requirements. On a continuous basis, identify and monitor for changes in local and international laws, regulations and other external requirements that must be complied with from an IT perspective.
MEA03.02 Optimize response to external requirements. Review and adjust policies, principles, standards, procedures and methodologies to ensure that legal, regulatory and contractual requirements are addressed and communicated. Consider industry standards, codes of good practice and good practice guidance for adoption and adaptation.
CSF Step 4: Conduct a Risk Assessment
COBIT Phase 3 - Where Do We Want to Be
Based on the assessed Current Profile process capability levels, an appropriate target capability level should be determined for each process. The chosen level should consider any relevant external and internal benchmarks (for example, government-provided templates or guidance). With the understanding of vulnerabilities and threats to valuable assets, as determined in phase 2, perform a comprehensive risk assessment to determine how best to protect those assets, detect and respond to attacks on them, and recover from any degradation or interruption. Managed Security Risk Assessments should be conducted by an outside agency skilled in the development of service benchmarks for security.
In addition to the two COBIT 5 processes that deal specifically with risk, EDM03 Ensure Risk Optimization and APO12 Manage Risk, there is an additional COBIT 5 guide for Risk which deals with two perspectives:
1. the risk function and
2. the risk management process.
The risk function perspective describes how to use COBIT 5 enablers to implement effective and efficient risk governance and management.
The COBIT 5 generic enablers are Stakeholders, Goals, Life-cycle and Good Practices. They provide a general perspective of what the Risk function should consider when fulfilling its responsibilities. More specific guidance can be found in the enablers themselves:
• Principles, Policies and Frameworks
• Processes
• Organizational Structures
• Culture, Ethics and Behavior
• Information
• Services, Infrastructure and Applications
• People, Skills and Competencies.
The use of COBIT 5 for Risk combines this knowledge into an approach to risk management that is both effective and efficient. As with all processes, the risk management function and its processes are designed to achieve specific outcomes that align with the business goals and the district’s strategic objectives. This approach combines the best practices of COSO and ISO 31000 with the COBIT 5 risk management knowledge pool to build capability in managing risk in accordance with the ISO 15504 standard for capability improvement.
CSF Step 5: Create a Target Profile
COBIT Phase 3 - Where Do We Want to Be (Continued)
With the district’s Tier in mind (which helps inform how an outcome should be accomplished), review each of the subcategories and determine the level to which that outcome should be attained in a manner that fulfills district goals.
Using the information in Appendix B and the COBIT Target Profile template provided in the toolkit, the implementer should develop the Target Profile based on the CCSF Core, including a detailed description of the Target Profile elements.
Implementation Considerations for CCSESA CCSF Steps 4 and 5
Purpose
1. To gain an understanding of the security-specific goals for district systems and assets that enable the mission described in phase 1, in order to attain stakeholder risk management goals.
2. To assess those systems and assets in order to discern the likelihood of cybersecurity events and the potential district impact.
Inputs
• Current Profile
• Process capability levels / Framework Implementation Tiers
• Results of goals analysis / process identification
• Security-related goals for applicable systems and assets
High-level Activities
• Based on recorded security-related goals for applicable systems and assets, conduct risk analysis activities to catalog potential security risk events to those systems and assets.
• For each potential event recorded above, determine the likelihood of that potential being realized and the potential impact on the district. The CCSF notes that it is important that districts seek to incorporate emerging risk, threat and vulnerability data to facilitate a robust understanding of the likelihood and impact of cybersecurity events.
• Determine whether any Framework Core subcategories are Not Applicable to the systems and assets identified as the scope (an output from phase 1).
• Determine whether additional categories/subcategories (as security-specific goals) should be added to the Target Profile to account for unique district risk.
• Considering the characteristics of the desired Tier, complete the Target Profile description. Ensure that appropriate rationale/evidence is included for each component.
Outputs
• Catalog of potential security risk events to critical systems and assets
• Target capability level
• Comprehensive risk assessment
• Target Profile
• Business impact assessment results
• Reference architecture
COBIT 5 Correlation to CCSESA Cybersecurity Framework Implementation Steps 4 and 5
COBIT 5 Practice | CCSF Description
APO02.01 Understand enterprise direction. Consider the current enterprise environment and business processes, as well as the enterprise strategy and future objectives. Consider also the external environment of the enterprise (industry drivers, relevant regulations, basis for competition).
APO02.02 Assess the current environment, capabilities and performance. Assess the performance of current internal business and IT capabilities and external IT services, and develop an understanding of the enterprise architecture in relation to IT. Identify issues currently being experienced and develop recommendations and areas that could benefit from improvement. Consider service provider differentiators and options and the financial impact and potential cost and benefits of using external services.
APO03.02 Define reference architecture. The reference architecture describes the current and target architectures for the business, information, data, application and technology domains.
APO04.01 Create an environment conducive to innovation. Create an environment that is conducive to innovation, considering issues such as culture, reward, collaboration, technology forums, and mechanisms to promote and capture employee ideas.
APO07.02 Identify key IT personnel. Identify key IT personnel while minimizing reliance on a single individual performing a critical job function through knowledge capture (documentation), knowledge sharing, succession planning and staff backup.
APO07.03 Maintain the skills and competencies of personnel. Define and manage the skills and competencies required of personnel. Regularly verify that personnel have the competencies to fulfill their roles based on their education, training, and/or experience, and verify that these competencies are being maintained, using qualification and certification programs where appropriate. Provide employees with ongoing learning and opportunities to maintain their knowledge, skills and competencies at a level required to achieve enterprise goals.
APO07.05 Plan and track the usage of IT and business human resources. Understand and track the current and future demand for business and IT human resources with responsibilities for enterprise IT. Identify shortfalls and provide input into sourcing plans, enterprise and IT recruitment processes sourcing plans, and business and IT recruitment processes.
APO09.01 Identify IT services. Analyze business requirements and the way in which IT-enabled services and service levels support business processes. Discuss and agree on potential services and service levels with the business, and compare them with the current service portfolio to identify new or changed services or service level options.
APO09.02 Catalog IT-enabled services. Define and maintain one or more service catalogs for relevant target groups. Publish and maintain live IT-enabled services in the service catalog.
APO09.03 Define and prepare service agreements. Define and prepare service agreements based on the options in the service catalog. Include internal operational agreements.
APO11.02 Define and manage quality standards, practices and procedures. Identify and maintain requirements, standards, procedures and practices for key processes to guide the enterprise in meeting the intent of the agreed-on QMS. This should be in line with the IT control framework requirements. Consider certification for key processes, district units, products or services.
APO12.01 Collect data. Identify and collect relevant data to enable effective IT-related risk identification, analysis and reporting.
BAI03.11 Define IT services and maintain the service portfolio. Define and agree on new or changed IT services and service level options. Document new or changed service definitions and service level options to be updated in the services portfolio.
BAI04.01 Assess current availability, performance and capacity and create a baseline. Assess availability, performance and capacity of services and resources to ensure that cost-justifiable capacity and performance are available to support business needs and deliver against service level agreements. Create availability, performance and capacity baselines for future comparison.
BAI04.03 Plan for new or changed service requirements. Plan and prioritize availability, performance and capacity implications of changing business needs and service requirements.
BAI09.01 Identify and record current assets. Maintain an up-to-date and accurate record of all IT assets required to deliver services and ensure alignment with configuration management and financial management.
BAI09.02 Manage critical assets. Identify assets that are critical in providing service capability and take steps to maximize their reliability and availability to support business needs.
BAI10.01 Establish and maintain a configuration model. Establish and maintain a logical model of the services, assets and infrastructure and how to record configuration items (CIs) and the relationships among them. Include the CIs considered necessary to maintain services effectively and to provide a single reliable description of the assets in a service.
BAI10.02 Establish and maintain a configuration repository and baseline. Establish and maintain a configuration management repository and create controlled configuration baselines.
BAI10.03 Maintain and control configuration items. Maintain an up-to-date repository of configuration items by populating it with changes.
MEA03.01 Identify external compliance requirements. On a continuous basis, identify and monitor for changes in local and international laws, regulations and other external requirements that must be complied with from an IT perspective.
MEA03.02 Optimize response to external requirements. Review and adjust policies, principles, standards, procedures and methodologies to ensure that legal, regulatory and contractual requirements are addressed and communicated. Consider industry standards, codes of good practice and good practice guidance for adoption and adaptation.
CSF Step 6: Determine, Analyze, and Prioritize Gaps
COBIT 5 Phase 4 - What Needs to Be Done
For each of the subcategories in the Target Profile, consider the difference between the target level of achievement and the current level. The result of this gap assessment will help identify district strengths and weaknesses. COBIT 5 highlights several important considerations for this phase:
• This phase may identify some relatively easy-to-achieve improvements such as improved training, the sharing of good practices and standardizing procedures; however, the gap analysis is likely to require considerable expertise in business and IT management techniques to develop practical solutions. Experience in undertaking behavioral and district change will also be needed.
• Understanding of process techniques, advanced business and technical expertise, and knowledge of business and system management software applications and services may be needed. To ensure that this phase is executed effectively, it is important for the team to engage the business and IT process owners and other required stakeholders, drawing on internal expertise. If necessary, external advice should also be obtained. Risk that will not be mitigated after closing the gaps should be identified and, if acceptable, formally accepted by management.
The opportunities for improvement should be documented in a prioritized action plan to address gaps. The plan should draw on mission drivers, cost/benefit analysis, and an understanding of the impact and likelihood of risk to achieve the outcomes described in the Target Profile. The plan should also include consideration of the resources necessary to address the gaps. Using Profiles in this manner enables the district to make informed decisions about cybersecurity activities, supports risk management, and enables the district to perform cost-effective, targeted improvements.
Implementation Considerations for CCSF Step 6: Determine, Analyze, and Prioritize Gaps
Purpose
To understand what actions are required to attain stakeholder goals through identification of gaps between the current and target environments and alignment with district priorities and resources.
Inputs
• Target Profile
• Process, business and technical expertise
• Resource requirements
High-level Activities
• For each subcategory listed in the Target Profile, record the difference, if any, between the desired capability level and the current state as recorded in the Current Profile.
• For each subcategory where a difference between Current and Target state was recorded, utilizing COBIT 5: Enabling Processes (as included in the Framework Core), determine required activities and detailed activities. These are described in COBIT 5: Enabling Processes as the how, why and what to implement for each governance or management practice to improve IT performance and/or address IT solution and service delivery risk. Additional informative references from the Framework Core may assist with determining appropriate controls or activities.
• Reviewing the potential activities defined, determine the appropriate priority of those activities to enable optimal value realization while providing reasonable assurance that risk management practices are appropriate to ensure that the actual IT risk does not exceed the agreed-upon risk appetite.
• Determine the resources necessary to accomplish the activities described, in consideration of stakeholder guidance from phase 1 regarding available resources such as budget, personnel and expertise.
• Create and record an action plan of activities with milestones, ensuring appropriate responsibility and accountability, to achieve the desired outcomes according to the determined priorities.
Outputs
• Profile gap assessment
• Prioritized action plan
• Risk acceptance documentation
• Performance and conformance targets
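To make the Step 6 procedure concrete (gap per subcategory between Current and Target Profile, prioritization by risk and cost, and the risk acceptance record for gaps left open), here is an added Python example that is not code from the guidebook or its toolkit. The subcategory ids, N/P/L/F ratings, likelihood/impact scores, costs and the budget are constructed sample values, and the priority formula (risk times gap per unit cost) is an assumption of this example, not the CCSF's method.

```python
"""Gap assessment and prioritized action plan for CCSF Steps 4 to 6.

Added example, not code from the CCSESA guidebook or its toolkit. All ids,
ratings, scores, costs and the budget are constructed sample values. The
N/P/L/F scale follows the ISO 15504 process attribute rating the guidebook
cites for completing the Current Profile.
"""
from dataclasses import dataclass
from typing import Optional

# ISO 15504 ratings, ordered from Not Achieved to Fully Achieved.
RATING_ORDER = {"N": 0, "P": 1, "L": 2, "F": 3}


@dataclass(frozen=True)
class GapRecord:
    subcategory: str          # Framework Core subcategory id
    current: str              # rating recorded in the Current Profile
    target: Optional[str]     # Target Profile rating; None means Not Applicable
    likelihood: int           # 1-5, from the step 4 risk assessment
    impact: int               # 1-5, potential district impact
    cost: int                 # estimated effort units to close the gap

    @property
    def gap(self) -> int:
        """Rating steps between current and target; 0 when met or Not Applicable."""
        if self.target is None:
            return 0
        return max(0, RATING_ORDER[self.target] - RATING_ORDER[self.current])

    @property
    def risk(self) -> int:
        """Likelihood x impact: the risk an open gap leaves on the district."""
        return self.likelihood * self.impact

    @property
    def priority(self) -> float:
        """Risk retired per unit of cost (assumed formula); higher acts first."""
        return 0.0 if self.gap == 0 else self.risk * self.gap / self.cost


def assess_gaps(current_profile, target_profile, risk_scores, costs):
    """Step 6 gap assessment: one record per Target Profile subcategory.

    A subcategory with a target but no Current Profile entry is treated as
    Not Achieved, the conservative reading of a missing assessment.
    """
    records = []
    for sub, target in target_profile.items():
        likelihood, impact = risk_scores.get(sub, (1, 1))
        records.append(GapRecord(sub, current_profile.get(sub, "N"), target,
                                 likelihood, impact, costs.get(sub, 1)))
    return records


def prioritized_action_plan(records, budget):
    """Select open gaps in priority order until the budget is spent.

    Returns (plan, to_accept): `plan` is the ordered list of subcategories to
    work; `to_accept` lists open gaps that do not fit the budget and therefore
    need formal acceptance by management (the risk acceptance documentation).
    """
    open_gaps = sorted((r for r in records if r.gap > 0),
                       key=lambda r: (-r.priority, -r.risk, r.subcategory))
    plan, to_accept, remaining = [], [], budget
    for rec in open_gaps:
        if rec.cost <= remaining:
            plan.append(rec.subcategory)
            remaining -= rec.cost
        else:
            to_accept.append(rec.subcategory)
    return plan, to_accept


# Constructed sample profiles (ids follow the CSF "Function.Category-N" shape).
CURRENT_PROFILE = {"ID.AM-1": "P", "PR.AC-1": "L", "DE.CM-1": "N", "RS.RP-1": "F"}
TARGET_PROFILE = {"ID.AM-1": "F", "PR.AC-1": "F", "DE.CM-1": "L",
                  "RS.RP-1": "F", "RC.RP-1": "L", "PR.DS-5": None}
RISK_SCORES = {"ID.AM-1": (4, 3), "PR.AC-1": (3, 5), "DE.CM-1": (5, 4),
               "RC.RP-1": (2, 4)}
COSTS = {"ID.AM-1": 4, "PR.AC-1": 2, "DE.CM-1": 6, "RC.RP-1": 5}

if __name__ == "__main__":
    records = assess_gaps(CURRENT_PROFILE, TARGET_PROFILE, RISK_SCORES, COSTS)
    for r in records:
        print(f"{r.subcategory:9} gap={r.gap} risk={r.risk:2} priority={r.priority:.2f}")
    plan, accept = prioritized_action_plan(records, budget=10)
    print("prioritized action plan:", plan)
    print("requires formal risk acceptance:", accept)
```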
Relevant COBIT 5 Practices: CCSF Step 6
COBIT 5 Practice | CCSF Description
EDM01.02 Direct the governance system. Inform leaders and obtain their support, buy-in and commitment. Guide the structures, processes and practices for the governance of IT in line with agreed-upon governance design principles, decision-making models and authority levels. Define the information required for informed decision making.
EDM02.02 Direct value optimization. Direct value management principles and practices to enable optimal value realization from IT-enabled investments throughout their full economic life cycle.
EDM03.02 Direct risk management. Direct the establishment of risk management practices to provide reasonable assurance that IT risk management practices are appropriate to ensure that the actual IT risk does not exceed the board's risk appetite.
EDM04.02 Direct resource management. Ensure the adoption of resource management principles to enable optimal use of IT resources throughout their full economic life cycle.
EDM05.02 Direct stakeholder communication and reporting. Ensure the establishment of effective stakeholder communication and reporting, including mechanisms for ensuring the quality and completeness of information, oversight of mandatory reporting, and creating a communication strategy for stakeholders.
APO02.05 Define the strategic plan and roadmap. Create a strategic plan that defines, in cooperation with relevant stakeholders, how IT-related goals will contribute to the enterprise's strategic goals. Include how IT will support IT-enabled investment programs, business processes, IT services and IT assets. Direct IT to define the initiatives that will be required to close the gaps, the sourcing strategy and the measurements to be used to monitor achievement of goals, then prioritize the initiatives and combine them in a high-level roadmap.
APO02.06 Communicate the IT strategy and direction. Create awareness and understanding of the business and IT objectives and direction, as captured in the IT strategy, through communication to appropriate stakeholders and users throughout the enterprise.
APO08.04 Coordinate and communicate. Work with stakeholders and coordinate the end-to-end delivery of IT services and solutions provided to the business.
APO11.05 Integrate quality management into solutions for development and service delivery. Incorporate relevant quality management practices into the definition, monitoring, reporting and ongoing management of solutions development and service offerings.
BAI02.04 Obtain approval of requirements and solutions. Coordinate feedback from affected stakeholders and, at predetermined key stages, obtain business sponsor or product owner approval and sign-off on functional and technical requirements, feasibility studies, risk analyses and recommended solutions.
BAI03.01 Design high-level solutions. Develop and document high-level designs using agreed-upon and appropriately phased or rapid agile development techniques. Ensure alignment with the IT strategy and enterprise architecture. Reassess and update the designs when significant issues occur during detailed design or building phases or as a solution evolves. Ensure that stakeholders actively participate in the design and approve each version.
BAI03.02 Design detailed solution components. Develop, document and elaborate detailed designs progressively using agreed-on and appropriate phased or rapid agile development techniques, addressing all components (business processes and related automated and manual controls, supporting IT applications, infrastructure services and technology products, and partners/suppliers). Ensure that the detailed design includes internal and external service level agreements (SLAs) and operating level agreements (OLAs).
BAI03.03 Develop solution components. Develop solution components progressively in accordance with detailed designs following development methods and documentation standards, quality assurance (QA) requirements, and approval standards. Ensure that all control requirements in the business processes, supporting IT applications and infrastructure services, services and technology products, and partners/suppliers are addressed.
BAI03.04 Procure solution components. Procure solution components based on the acquisition plan in accordance with requirements and detailed designs, architecture principles and standards, and the enterprise’s overall procurement and contract procedures, QA requirements, and approval standards. Ensure that all legal and contractual requirements are identified and addressed by the supplier.
BAI03.05 Build solutions. Install and configure solutions and integrate with business process activities. Implement control, security and auditability measures during configuration, and during integration of hardware and infrastructural software, to protect resources and ensure availability and data integrity. Update the services catalogue to reflect the new solutions.
BAI03.06 Perform QA. Develop, resource and execute a QA plan aligned with the QMS to obtain the quality specified in the requirements definition and the enterprise’s quality policies and procedures.
BAI03.07 Prepare for solution testing. Establish a test plan and required environments to test the individual and integrated solution components, including the business processes and supporting services, applications and infrastructure.
BAI03.08 Execute solution testing. Execute testing continually during development, including control testing, in accordance with the defined test plan and development practices in the appropriate environment. Engage business process owners and end users in the test team. Identify, log and prioritize errors and issues identified during testing.
BAI05.01 Establish the desire to change. Understand the scope and impact of the envisioned change and stakeholder readiness/willingness to change. Identify actions to motivate stakeholders to accept and want to make the change work successfully.
BAI05.02 Form an effective implementation team. Establish an effective implementation team by assembling appropriate members, creating trust, and establishing common goals and effectiveness measures.
BAI05.03 Communicate desired vision. Communicate the desired vision for the change in the language of those affected by it. The communication should be made by senior management and include the rationale for, and benefits of, the change; the impacts of not making the change; and the vision, the roadmap and the involvement required of the various stakeholders.
BAI05.04 Empower role players and identify short-term wins. Empower those with implementation roles by ensuring that accountabilities are assigned, providing training, and aligning district structures and human resources (HR) processes. Identify and communicate short-term wins that can be realized and are important from a change enablement perspective.
BAI05.05 Enable operation and use. Plan and implement all technical, operational and usage aspects such that all those who are involved in the future state environment can exercise their responsibility.
BAI05.06 Embed new approaches. Embed the new approaches by tracking implemented changes, assessing the effectiveness of the operation and use plan, and sustaining ongoing awareness through regular communication. Take corrective measures as appropriate, which may include enforcing compliance.
MEA01.01 Establish a monitoring approach. Engage with stakeholders to establish and maintain a monitoring approach to define the objectives, scope and method for measuring business solution service delivery and contribution to enterprise objectives. Integrate this approach with the corporate performance management system.
MEA01.02 Set performance and conformance targets. Work with stakeholders to define, periodically review, update and approve performance and conformance targets within the performance measurement system.
CSF Step 7: Implement Action Plan
COBIT Phase 5 - How Do We Get There
Phase 5 includes the actual execution of the prioritized action plan, as defined in phase 4. Action plan execution provides an opportunity for frequent stakeholder communications, which should use language and terminology appropriate for each audience. For example, IT management discussions may consider specific facilities and processes, while board and executive discussions may be more related to annualized loss expectancy or market opportunities.
Action plan execution may be gradually implemented, building on the momentum of project success, building further credibility and improving success. The execution of the action plan provides an opportunity to foster an effective risk management culture throughout the district. Performance measures and incremental metrics will help document success and support any adjustments required. Many such measures are described in the COBIT 5 processes, especially those in the Build, Acquire and Implement (BAI) and Deliver, Service and Support (DSS) domains.
Implementation Considerations for CCSF Step 7: Implement Action Plan
Purpose
To execute the plan, as defined in phase 4, to address gaps and improve security to achieve stakeholder goals in a prioritized and cost-effective manner.
Inputs
• Prioritized action plan
• Organizational mission and drivers
• Performance and conformance targets
High-level Activities
• Execute the action plan as defined in phase 4. Consider root causes and success factors from the challenges listed in the COBIT 5 implementation guide, including:
  o Make small improvements to test the approach and make sure it works.
  o Involve the process owners and other stakeholders in development of the improvement.
  o Apply adequate training where required.
  o Develop processes before attempting to automate.
  o Reorganize, if required, to enable better ownership of processes.
  o Match roles (specifically those that are key for successful adoption) to individual capabilities and characteristics.
  o Set clear, measurable and realistic goals (outcome expected from the improvement).
  o Set practical performance metrics (to monitor whether the improvement is driving achievement of goals).
  o Produce scorecards showing how performance is being measured.
  o Communicate in business impact terms the results and benefits being gained.
  o Implement quick wins and deliver solutions in short timescales.
  o Assess performance in meeting the original objectives and confirm realization of desired outcomes.
• Consider the need to redirect future activities and take corrective action.
• Assist in the resolution of significant issues, if required.
• If necessary, return to phase 3 and adjust the Target Profile, Gap Assessment and Action Plan.
Outputs
• Operating procedures for implemented action items
• Performance communications reports
• Performance metrics results
Relevant COBIT 5 Practices: CCSF Step 7: Implement Action Plan
COBIT 5 Practice | CCSF Description
EDM01.02 Direct the governance system. Inform leaders and obtain their support, buy-in and commitment. Guide the structures, processes and practices for the governance of IT in line with agreed-on governance design principles, decision-making models and authority levels. Define the information required for informed decision making.
EDM02.02 Direct value optimization. Direct value management principles and practices to enable optimal value realization from IT-enabled investments throughout their full economic life cycle.
EDM03.02 Direct risk management. Direct the establishment of risk management practices to provide reasonable assurance that IT risk management practices are appropriate to ensure that the actual IT risk does not exceed the board’s risk appetite.
EDM04.02 Direct resource management. Ensure the adoption of resource management principles to enable optimal use of IT resources throughout their full economic life cycle.
EDM05.02 Direct stakeholder communication and reporting. Ensure the establishment of effective stakeholder communication and reporting, including mechanisms for ensuring the quality and completeness of information, oversight of mandatory reporting, and creating a communication strategy for stakeholders.
APO02.05 Define the strategic plan and roadmap. Create a strategic plan that defines, in co-operation with relevant stakeholders, how IT-related goals will contribute to the enterprise’s strategic goals. Include how IT will support IT-enabled investment programs, business processes, IT services and IT assets. Direct IT to define the initiatives that will be required to close the gaps, the sourcing strategy and the measurements to be used to monitor achievement of goals, then prioritize the initiatives and combine them in a high-level roadmap.
APO02.06 Communicate the IT strategy and direction. Create awareness and understanding of the business and IT objectives and direction, as captured in the IT strategy, through communication to appropriate stakeholders and users throughout the enterprise.
APO08.04 Co-ordinate and communicate. Work with stakeholders and co-ordinate the end-to-end delivery of IT services and solutions provided to the business.
APO11.05 Integrate quality management into solutions for development and service delivery. Incorporate relevant quality management practices into the definition, monitoring, reporting and ongoing management of solutions development and service offerings.
BAI02.04 Obtain approval of requirements and solutions. Co-ordinate feedback from affected stakeholders and, at predetermined key stages, obtain business sponsor or product owner approval and sign-off on functional and technical requirements, feasibility studies, risk analyses and recommended solutions.
BAI03.01 Design high-level solutions. Develop and document high-level designs using agreed-on and appropriate phased or rapid agile development techniques. Ensure alignment with the IT strategy and enterprise architecture. Reassess and update the designs when significant issues occur during detailed design or building phases or as the solution evolves. Ensure that stakeholders actively participate in the design and approve each version.
BAI03.02 Design detailed solution components. Develop, document and elaborate detailed designs progressively using agreed-on and appropriate phased or rapid agile development techniques, addressing all components (business processes and related automated and manual controls, supporting IT applications, infrastructure services and technology products, and partners/suppliers). Ensure that the detailed design includes internal and external SLAs and OLAs.
BAI03.03 Develop solution components. Develop solution components progressively in accordance with detailed designs following development methods and documentation standards, QA requirements, and approval standards. Ensure that all control requirements in the business processes, supporting IT applications and infrastructure services, services and technology products, and partners/suppliers are addressed.
BAI03.04 Procure solution components. Procure solution components based on the acquisition plan in accordance with requirements and detailed designs, architecture principles and standards, and the enterprise's overall procurement and contract procedures, QA requirements, and approval standards. Ensure that all legal and contractual requirements are identified and addressed by the supplier.
BAI03.05 Build solutions. Install and configure solutions and integrate with business process activities. Implement control, security and auditability measures during configuration, and during integration of hardware and infrastructural software, to protect resources and ensure availability and data integrity. Update the services catalogue to reflect the new solutions.
BAI03.06 Perform QA. Develop, resource and execute a QA plan aligned with the QMS (see p. 96) to obtain the quality specified in the requirements definition and the enterprise’s quality policies and procedures.
BAI03.07 Prepare for solution testing. Establish a test plan and required environments to test the individual and integrated solution components, including the business processes and supporting services, applications and infrastructure.
BAI03.08 Execute solution testing. Execute testing continually during development, including control testing, in accordance with the defined test plan and development practices in the appropriate environment. Engage business process owners and end users in the test team. Identify, log and prioritize errors and issues identified during testing.
BAI05.01 Establish the desire to change. Understand the scope and impact of the envisioned change and stakeholder readiness/willingness to change. Identify actions to motivate stakeholders to accept and want to make the change work successfully.
BAI05.02 Form an effective implementation team. Establish an effective implementation team by assembling appropriate members, creating trust, and establishing common goals and effectiveness measures.
BAI05.03 Communicate desired vision. Communicate the desired vision for the change in the language of those affected by it. The communication should be made by senior management and include the rationale for, and benefits of, the change; the impacts of not making the change; and the vision, the roadmap and the involvement required of the various stakeholders.
BAI05.04 Empower role players and identify short-term wins. Empower those with implementation roles by ensuring that accountabilities are assigned, providing training, and aligning district structures and HR processes. Identify and communicate short-term wins that can be realized and are important from a change enablement perspective.
BAI05.05 Enable operation and use. Plan and implement all technical, operational and usage aspects such that all those who are involved in the future state environment can exercise their responsibility.
BAI05.06 Embed new approaches. Embed the new approaches by tracking implemented changes, assessing the effectiveness of the operation and use plan, and sustaining ongoing awareness through regular communication. Take corrective measures as appropriate, which may include enforcing compliance.
MEA01.01 Establish a monitoring approach. Engage with stakeholders to establish and maintain a monitoring approach to define the objectives, scope and method for measuring business solution and service delivery and contribution to enterprise objectives. Integrate this approach with the corporate performance management system.
MEA01.02 Set performance and conformance targets. Work with stakeholders to define, periodically review, update and approve performance and conformance targets within the performance measurement system.
MEA01.03 Collect and process performance and conformance data. Collect and process timely and accurate data aligned with enterprise approaches.
DSS01.01 Perform operational procedures. Maintain and perform operational procedures and operational tasks reliably and consistently.
DSS01.02 Manage outsourced IT services. Manage the operation of outsourced IT services to maintain the protection of enterprise information and reliability of service delivery.
DSS01.04 Manage the environment. Maintain measures for protection against environmental factors. Install specialized equipment and devices to monitor and control the environment.
DSS01.05 Manage facilities. Manage facilities, including power and communications equipment, in line with laws and regulations, technical and business requirements, vendor specifications, and health and safety guidelines.
DSS02.02 Record, classify and prioritize requests and incidents. Identify, record and classify service requests and incidents, and assign a priority according to business criticality and service agreements.
DSS02.03 Verify, approve and fulfill service requests. Select the appropriate request procedures and verify that the service requests fulfill defined request criteria. Obtain approval, if required, and fulfill the requests.
DSS02.04 Investigate, diagnose and allocate incidents. Identify and record incident symptoms, determine possible causes, and allocate for resolution.
DSS02.05 Resolve and recover from incidents. Document, apply and test the identified solutions or workarounds and perform recovery actions to restore the IT-related service.
DSS02.06 Close service requests and incidents. Verify satisfactory incident resolution and/or request fulfillment, and close.
DSS02.07 Track status and produce reports. Regularly track, analyze and report incident and request fulfillment trends to provide information for continual improvement.
DSS03.01 Identify and classify problems. Define and implement criteria and procedures to report problems identified, including problem classification, categorization and prioritization.
DSS03.02 Investigate and diagnose problems. Investigate and diagnose problems using relevant subject matter experts to assess and analyze root causes.
DSS03.03 Raise known errors. As soon as the root causes of problems are identified, create known-error records and an appropriate workaround, and identify potential solutions.
DSS03.04 Resolve and close problems. Identify and initiate sustainable solutions addressing the root cause, raising change requests via the established change management process if required to resolve errors. Ensure that the personnel affected are aware of the actions taken and the plans developed to prevent future incidents from occurring.
DSS03.05 Perform proactive problem management. Collect and analyze operational data (especially incident and change records) to identify emerging trends that may indicate problems. Log problem records to enable assessment.
DSS04.02 Maintain a continuity strategy. Evaluate business continuity management options and choose a cost-effective and viable continuity strategy that will ensure enterprise recovery and continuity in the face of a disaster or other major incident or disruption.
DSS04.03 Develop and implement a business continuity response. Develop a business continuity plan (BCP) based on the strategy that documents the procedures and information in readiness for use in an incident to enable the enterprise to continue its critical activities.
DSS04.04 Exercise, test and review the BCP. Test the continuity arrangements on a regular basis to exercise the recovery plans against predetermined outcomes and to allow innovative solutions to be developed and help to verify over time that the plan will work as anticipated.
DSS04.05 Review, maintain and improve the continuity plan. Conduct a management review of the continuity capability at regular intervals to ensure its continued suitability, adequacy and effectiveness. Manage changes to the plan in accordance with the change control process to ensure that the continuity plan is kept up to date and continually reflects actual business requirements.
DSS04.06 Conduct continuity plan training. Provide all concerned internal and external parties with regular training sessions regarding the procedures and their roles and responsibilities in case of disruption.
DSS04.07 Manage backup arrangements. Maintain availability of business-critical information.
DSS04.08 Conduct post-resumption review. Assess the adequacy of the BCP following the successful resumption of business processes and services after a disruption.
DSS05.01 Protect against malware. Implement and maintain preventive, detective and corrective measures in place (especially up-to-date security patches and virus control) across the enterprise to protect information systems and technology from malware (e.g., viruses, worms, spyware, spam).
DSS05.02 Manage network and connectivity security. Use security measures and related management procedures to protect information over all methods of connectivity.
DSS05.03 Manage endpoint security. Ensure that endpoints (e.g., laptop, desktop, server, and other mobile and network devices or software) are secured at a level that is equal to or greater than the defined security requirements of the information processed, stored or transmitted.
DSS05.04 Manage user identity and logical access. Ensure that all users have information access rights in accordance with their business requirements and co-ordinate with business units that manage their own access rights within business processes.
DSS05.05 Manage physical access to IT assets. Define and implement procedures to grant, limit and revoke access to premises, buildings and areas according to business needs, including emergencies. Access to premises, buildings and areas should be justified, authorized, logged and monitored. This should apply to all persons entering the premises, including staff, temporary staff, clients, vendors, visitors or any other third party.
DSS05.06 Manage sensitive documents and output devices. Establish appropriate physical safeguards, accounting practices and inventory management over sensitive IT assets, such as special forms, negotiable instruments, special-purpose printers or security tokens.
DSS05.07 Monitor the infrastructure for security-related events. Using intrusion detection tools, monitor the infrastructure for unauthorized access and ensure that any events are integrated with general event monitoring and incident management.
DSS06.02 Control the processing of information. Operate the execution of the business process activities and related controls, based on enterprise risk, to ensure that information processing is valid, complete, accurate, timely, and secure (i.e., reflects legitimate and authorized business use).
DSS06.03 Manage roles, responsibilities, access privileges and levels of authority. Manage the business roles, responsibilities, levels of authority and segregation of duties needed to support the business process objectives. Authorize access to any information assets related to business information processes, including those under the custody of the business, IT and third parties. This ensures that the business knows where the data are and who is handling data on its behalf.
DSS06.04 Manage errors and exceptions. Manage business process exceptions and errors and facilitate their correction. Include escalation of business process errors and exceptions and the execution of defined corrective actions. This provides assurance of the accuracy and integrity of the business information process.
DSS06.05 Ensure traceability of information events and accountabilities. Ensure that business information can be traced to the originating business event and accountable parties. This enables traceability of the information through its lifecycle and related processes. This provides assurance that information that drives the business is reliable and has been processed in accordance with defined objectives.
DSS06.06 Secure information assets. Secure information assets accessible by the business through approved methods, including information in electronic form (such as methods that create new assets in any form, portable media devices, user applications and storage devices), information in physical form (such as source documents or output reports) and information during transit. This benefits the business by providing end-to-end safeguarding of information.
MEA01.05 Ensure the implementation of corrective actions. Assist stakeholders in identifying, initiating and tracking corrective actions to address anomalies.
MEA02.02 Review business process controls effectiveness. Review the operation of controls, including a review of monitoring and test evidence, to ensure that controls within business processes operate effectively. Include activities to maintain evidence of the effective operation of controls through mechanisms such as periodic testing of controls, continuous controls monitoring, independent assessments, command and control centers, and network operations centers. This provides the business with the assurance of control effectiveness to meet requirements related to business, regulatory and social responsibilities.
MEA02.03 Perform control self-assessments. Encourage management and process owners to take positive ownership of control improvement through a continuing program of self-assessment to evaluate the completeness and effectiveness of management's control over processes, policies and contracts.
MEA02.04 Identify and report control deficiencies. Identify control deficiencies and analyze and identify their underlying root causes. Escalate control deficiencies and report to stakeholders.
MEA02.05 Ensure that assurance providers are independent and qualified. Ensure that the entities performing assurance are independent from the function, groups or districts in scope. The entities performing assurance should demonstrate an appropriate attitude and appearance, competence in the skills and knowledge necessary to perform assurance, and adherence to codes of ethics and professional standards.
MEA02.06 Plan assurance initiatives. Plan assurance initiatives based on enterprise objectives and strategic priorities, inherent risk, resource constraints, and sufficient knowledge of the enterprise.
MEA02.08 Execute assurance initiatives. Execute the planned assurance initiative. Report on identified findings. Provide positive assurance opinions, where appropriate, and recommendations for improvement relating to identified operational performance, external compliance and internal control system residual risk.
MEA03.03 Confirm external compliance. Confirm compliance of policies, principles, standards, procedures and methodologies with legal, regulatory and contractual requirements.
MEA03.04 Obtain assurance of external compliance. Obtain and report assurance of compliance and adherence with policies, principles, standards, procedures and methodologies. Confirm that corrective actions to address compliance gaps are closed in a timely manner.
CSF Action Plan Review

COBIT Phase 6—Did We Get There?

Phase 6 provides the mechanisms to review the execution of the action plan and consider performance regarding the monitoring approach previously established (e.g., MEA01 processes from phases 4 and 5). Those implementing should consider how well the district achieved performance and conformance targets, updating ongoing improvement and communication activities in accordance with established change management processes. This review phase provides the opportunity to share both positive and negative results with stakeholders, fostering confidence in planned solutions and ensuring alignment with district drivers and goals.
Performance and conformance data may be shared with internal teams to improve subsequent processes. Appropriately sanitized risk, activity and performance results may be shared with external partners, consistent with the district's document classification policy for public documents, to help improve general understanding of IT risk management.

Implementation Consideration – CCSF Action Plan Review
Purpose
To review application of the improved governance and management practices and confirm that the action plan delivers the expected benefits.
Inputs
• Operating procedures for implemented action items
• Communication artifacts
• Performance metrics
• Action plan status reports
High-level Activities
• Assess the activities for phase 5 to assure that improvements and additions achieve the anticipated goals and attain risk management objectives.
• Document lessons learned from implementation activities to improve future cycles and assist other districts and similar exercises.
• Identify any specific ongoing monitoring needs in support of phase 7.
Outputs
• Organizational assessment
• Corrective action reports
• Performance results to stakeholders
• Lessons learned reports
• Results information sharing
Relevant COBIT 5 Practices – CCSF Action Plan Review
COBIT 5 Practice / CCSF Description
APO02.02 Assess the current environment, capabilities and performance. Assess the performance of current internal business and IT capabilities and external IT services, and develop an understanding of the enterprise architecture in relation to IT. Identify issues currently being experienced and develop recommendations in areas that could benefit from improvement. Consider service provider differentiators and options and the financial impact of potential costs and benefits of using external services.
MEA01.05 Ensure the implementation of corrective actions. Assist stakeholders in identifying, initiating and tracking corrective actions to address anomalies.
MEA02.02 Review business process controls effectiveness. Review the operation of controls, including a review of monitoring and test evidence, to ensure that controls within the business processes operate effectively. Include activities to maintain evidence of the effective operation of controls through mechanisms such as periodic testing of controls, continuous control monitoring, independent assessments, command-and-control centers, and network operations centers. This provides the business with the assurance of control effectiveness to meet requirements related to business, regulatory and social responsibilities.
MEA02.03 Perform control self-assessments. Encourage management and process owners to take positive ownership of control improvement through a continuing program of self-assessment to evaluate the completeness and effectiveness of management's control over processes, policies and contracts.
MEA02.04 Identify and report control deficiencies. Identify control deficiencies and analyze and identify their underlying root causes. Escalate control deficiencies and report to stakeholders.
MEA02.05 Ensure that assurance providers are independent and qualified. Ensure that the entities performing assurance are independent from the function, groups or districts in scope. The entities performing assurance should demonstrate an appropriate attitude and appearance, competence in the skills and knowledge necessary to perform assurance, and adherence to codes of ethics and professional standards.
MEA02.08 Execute assurance initiatives. Execute the planned assurance initiative. Report on identified findings. Provide positive assurance opinions, where appropriate, and recommendations for improvement relating to identified operational performance, external compliance and internal control system residual risk.
MEA03.04 Obtain assurance of external compliance. Obtain and report assurance of compliance and adherence with policies, principles, standards, procedures and methodologies. Confirm that corrective actions to address compliance gaps are closed in a timely manner.
CSF Lifecycle Management

COBIT Phase 7 - How Do We Keep the Momentum Going?

An effective framework for governance and management of IT addresses the complete lifecycle of IT investment, ensuring that it creates value in alignment with enterprise objectives. Combining the CCSF principles and COBIT 5 practices helps ensure value, managing risk and supporting mission drivers in accordance with the direction and support of the executive board and district business managers.
Phase 7 provides the opportunity to close the loop for the communication workflow introduced in Section 1 - Implementation. As technical assessment results (such as performance metrics like those established by the MEA01 processes) are reported to business process owners, they, in turn, report progress toward enterprise goals and mission priorities, using language, approaches and communications that are meaningful to executive management. Momentum, gained by progress in effective communication, drives subsequent iterations of the lifecycle. Updated challenges and opportunities lead to updated risk assessments and priorities, fostering district commitment and ownership of all accountabilities and responsibilities. In this way, successful governance and management processes become institutionalized in the culture.
Implementation Consideration – CCSF Life Cycle Management
Purpose
To provide ongoing review/assessment of the overall success of the initiative, identify further governance or management requirements, and support continual improvement.
Inputs
• Operating procedures
• Monitoring plan
• Performance metrics
High-level Activities
• Continually monitor the activities for phase 5 to assure that improvements and additions achieve the anticipated goals and attain risk management objectives.
• Review effectiveness of improved governance and management practices and document benefits provided.
• Document lessons learned from implementation activities to further improve future cycles and assist other districts and similar exercises.
Outputs
• Assurance of external compliance
• Lessons learned reports
• Performance results to stakeholders
• Investment portfolio performance reports
• Service level reports
• Supplier performance and compliance reports
• Customer satisfaction/QMS reports
• Information security management system
• Project performance reports against key project performance criteria
• Change control plans and results
• Ongoing status and configuration reports
Relevant COBIT 5 Practices – CCSF Life Cycle Management
COBIT 5 Practice / CCSF Description
EDM01.03 Monitor the governance system. Monitor the effectiveness and performance of the enterprise's governance of IT. Assess whether the governance system and implemented mechanisms (including structures, principles and processes) are operating effectively and provide appropriate oversight of IT.
EDM02.01 Evaluate value optimization. Continually evaluate the portfolio of IT-enabled investments, services and assets to determine the likelihood of achieving enterprise objectives and delivering value at a reasonable cost. Identify and make judgment on any changes in direction that need to be given to management to optimize value creation.
EDM02.03 Monitor value optimization. Monitor the key goals and metrics to determine the extent to which the business is generating the expected value and benefits to the enterprise from IT-enabled investments and services. Identify significant issues and consider corrective actions.
EDM03.03 Monitor risk management. Monitor the key goals and metrics of the risk management processes and establish how deviations or problems will be identified, tracked and reported for remediation.
EDM04.03 Monitor resource management. Monitor the key goals and metrics of the resource management processes and establish how deviations or problems will be identified, tracked and reported for remediation.
EDM05.03 Monitor stakeholder communication. Monitor the effectiveness of stakeholder communication. Assess mechanisms for ensuring accuracy, reliability and effectiveness, and ascertain whether the requirements of different stakeholders are met.
APO04.03 Monitor and scan the technology environment. Perform systematic monitoring and scanning of the enterprise's external environment to identify emerging technologies that have the potential to create value (e.g., by realizing the enterprise strategy, optimizing costs, avoiding obsolescence, and better enabling enterprise and IT processes). Monitor the marketplace, competitive landscape, industry sectors, and legal and regulatory trends to be able to analyze emerging technologies or innovation ideas in the enterprise context.
APO04.04 Assess the potential of emerging technologies and innovation ideas. Analyze identified emerging technologies and/or other IT innovation suggestions. Work with stakeholders to validate assumptions on the potential of new technologies and innovation.
APO04.05 Recommend appropriate further initiatives. Evaluate and monitor the results of proof-of-concept initiatives and, if favorable, generate recommendations for further initiatives and gain stakeholder support.
APO04.06 Monitor the implementation and use of innovation. Monitor the implementation and use of emerging technologies and innovations during integration, adoption and for the full economic lifecycle to ensure that the promised benefits are realized and to identify lessons learned.
APO05.04 Monitor, optimize and report on investment portfolio performance. On a regular basis, monitor and optimize the performance of the investment portfolio and individual programs throughout the entire investment lifecycle.
APO05.05 Maintain portfolios. Maintain portfolios of investment programs and projects, IT services and IT assets.
APO05.06 Manage benefits achievement. Monitor the benefits of providing and maintaining appropriate IT services and capabilities, based on the agreed-on and current business case.
APO07.05 Track the usage of IT and business human resources. Track the current and future demand for business and IT human resources with responsibilities for enterprise IT. Identify shortfalls and provide input into sourcing plans and enterprise and IT recruitment processes.
APO07.06 Manage contract staff. Ensure that consultants and contract personnel who support the enterprise with IT skills know and comply with the district's policies and meet agreed-on contractual requirements.
APO08.05 Provide input to the continual improvement of services. Continually improve and evolve IT-enabled services and service delivery to the enterprise to align with changing enterprise and technology requirements.
APO09.04 Monitor and report service levels. Monitor service levels, report on achievements and identify trends. Provide the appropriate management information to aid performance management.
APO09.05 Review service agreements and contracts. Conduct periodic reviews of the service agreements and revise when needed.
APO10.03 Manage supplier relationships and contracts. Formalize and manage the supplier relationship for each supplier. Manage, maintain and monitor contracts and service delivery. Ensure that new or changed contracts conform to enterprise standards and legal and regulatory requirements. Deal with contractual disputes.
APO10.04 Manage supplier risk. Identify and manage risk relating to suppliers' ability to continually provide secure, efficient and effective service delivery.
APO10.05 Monitor supplier performance and compliance. Periodically review the overall performance of suppliers, compliance to contract requirements, and value for money, and address identified issues.
APO11.04 Perform quality monitoring, control and reviews. Monitor the quality of processes and services on an ongoing basis as defined by the QMS. Define, plan and implement measurements to monitor customer satisfaction with quality as well as the value the QMS provides. The information gathered should be used by the process owner to improve quality.
APO11.06 Maintain continuous improvement. Maintain and regularly communicate an overall quality plan that promotes continuous improvement. This should include the need for, and benefits of, continuous improvement. Collect and analyze data about the QMS, and improve its effectiveness. Correct non-conformities to prevent recurrence. Promote a culture of quality and continual improvement.
APO13.01 Establish and maintain an information security management system (ISMS). Establish and maintain an ISMS that provides a standard, formal and continuous approach to security management for information, enabling secure technology and business processes that are aligned with business requirements and enterprise security management.
APO13.02 Maintain an information security plan that describes how information security risk is to be managed and aligned with the enterprise strategy and enterprise architecture. Ensure that recommendations for implementing security improvements are based on approved business cases and implemented as an integral part of services and solutions development, then operated as an integral part of business operation.
APO13.03 Monitor and review the ISMS. Maintain and regularly communicate the need for, and benefits of, continuous information security improvement. Collect and analyze data about the ISMS, and improve the effectiveness of the ISMS. Correct non-conformities to prevent recurrence. Promote a culture of security and continual improvement.
BAI01.06 Monitor, control and report on the program outcomes. Monitor and control program (solution delivery) and enterprise (value/outcome) performance against plan throughout the full economic lifecycle of the investment. Report this performance to the program steering committee and the sponsors.
BAI01.10 Manage program and project risk. Eliminate or minimize specific risk associated with programs and projects through a systematic process of planning, identifying, analyzing, responding to, and monitoring and controlling the areas or events that have the potential to cause unwanted change. Risk faced by program and project management should be established and centrally recorded.
BAI01.11 Monitor and control projects. Measure project performance against key project performance criteria such as schedule, quality, cost and risk. Identify any deviations from the expected. Assess the impact of deviations on the project and overall program, and report results to key stakeholders.
BAI01.12 Manage project resources and work packages. Manage project work packages by placing formal requirements on authorizing and accepting work packages, and assigning and co-ordinating appropriate business and IT resources.
BAI03.09 Manage changes to requirements. Track the status of individual requirements (including all rejected requirements) throughout the project lifecycle and manage the approval of changes to requirements.
BAI03.10 Maintain solutions. Develop and execute a plan for the maintenance of solution and infrastructure components. Include periodic reviews against business needs and operational requirements.
BAI04.04 Monitor and review availability and capacity. Monitor, measure, analyze, report and review availability, performance and capacity. Identify deviations from established baselines. Review trend analysis reports identifying any significant issues and variances, initiating actions where necessary, and ensuring that all outstanding issues are followed up.
BAI05.07 Sustain changes. Sustain changes through effective training of new staff, ongoing communication campaigns, continued top management commitment, adoption monitoring and sharing of lessons learned across the enterprise.
BAI06 (ALL) Manage all changes in a controlled manner, including standard changes and emergency maintenance relating to business processes, applications and infrastructure. This includes change standards and procedures, impact assessment, prioritization and authorization, emergency changes, tracking, reporting, closure and documentation.
BAI07 (ALL) Formally accept and make operational new solutions, including implementation planning, system and data conversion, acceptance testing, communication, release preparation, promotion to production of new or changed business processes and IT services, early production support, and a post-implementation review.
BAI08 (ALL) Maintain the availability of relevant, current, validated and reliable knowledge to support all process activities and to facilitate decision making. Plan for the identification, gathering, organizing, maintaining, use and retirement of knowledge.
BAI10.03 Maintain and control configuration items. Maintain an up-to-date repository of configuration items by populating it with changes.
BAI10.04 Produce status and configuration reports. Define and produce configuration reports on status changes of configuration items.
BAI10.05 Verify and review integrity of the configuration repository. Periodically review the configuration repository and verify completeness and correctness against the desired target.
DSS01 (ALL) Coordinate and execute the activities and operational procedures required to deliver internal and outsourced IT services, including the execution of pre-defined standard operating procedures and the required monitoring activities.
DSS02 (ALL) Provide timely and effective response to user requests and resolution of all types of incidents. Restore normal service; record and fulfill user requests; and record, investigate, diagnose, escalate and resolve incidents.
DSS03 (ALL) Identify and classify problems and their root causes and provide timely resolution to prevent recurring incidents. Provide recommendations for improvements.
DSS04 (ALL) Establish and maintain a plan to enable the business and IT to respond to incidents and disruptions in order to continue operation of critical business processes and required IT services and maintain availability of information at a level acceptable to the enterprise.
MEA01.04 Analyze and report performance. Periodically review and report performance against targets, using a method that provides a succinct all-around view of IT performance and fits within the enterprise monitoring system.
MEA01.05 Ensure the implementation of corrective actions. Assist stakeholders in identifying, initiating and tracking corrective actions to address anomalies.
MEA02 (ALL) Continuously monitor and evaluate the control environment, including self-assessments and independent assurance reviews. Enable management to identify control deficiencies and inefficiencies and to initiate improvement actions. Plan, organize and maintain standards for internal control assessment and assurance activities.
Appendix A. Introduction

Background

Security threats to educational systems are not new. County offices of education and individual school districts have been managing operational and information technology security systems and vulnerability for a number of years. The problem is that the opposition, that is, those who wish to exploit school district information, are advancing at such a rapid rate that the management of security risk and vulnerability can be, and is, overwhelming. Attacks on educational systems and the increasing rate of those attacks point towards a difficult future managing risk. This is evidenced by the increasing denial of service attacks against school districts in the past five years, which in some instances have brought the district to a standstill and affected the overall educational process. These attackers are well-organized, financially stable and can implement some very sophisticated techniques that render attempts at prevention extremely difficult. Yet schools and districts are becoming increasingly more dependent upon technology, telecommunications and overall connectivity. This trend of technology dependency does not appear to be slowing as new technology innovations such as mobile device management, Bring Your Own Device (BYOD) and the Internet of Things (IoT) become commonplace. This necessitates the need to protect educational systems against cybersecurity attacks.
To help address potential risk, mitigate security and vulnerability issues and provide overall direction, CCSESA has developed this guidebook to assist schools, districts and County Offices of Education in the implementation of the NIST Framework for Improving Critical Infrastructure, better known as the Cybersecurity Framework or CSF.
While the CCSF was originally created to support infrastructure providers, the concepts, practices and procedures are very applicable to educational institutions desiring some formality in managing and reducing overall security risk. The connected nature of our school systems and the support of district-wide critical infrastructure can better be addressed through a formalized process to allow some level of structure, services and compliance. Any effort to manage overall security risk will ultimately help reduce cybersecurity attacks.
This guidebook addresses some of the technical requirements needed to apply the NIST Cybersecurity Framework, utilizing selected documents from industry standards, principles and practices such as many of those practices developed by the IT Governance Institute. The anticipated audiences utilizing this guidebook to establish standards will range from Boards of Education to district/campus management, IT service personnel and district faculty. The following Figure 1 identifies several of the principal roles or functions and the potential benefits they can expect from utilizing the CCSF.
Figure 1 - CSF Implementation - Target Audience and Benefits (Role / Function / Potential Benefit)

Executive / Board of Education and Executive Management:
• Understanding responsibilities and roles in cybersecurity within the district.
• Better understanding of the current cybersecurity posture.
• Better understanding of cybersecurity risk to the district.
• Better understanding of the cybersecurity target state to be developed.
• Understanding of the actions required to close gaps between the current cybersecurity posture and the target state.

Educational/Processes / IT Management:
• Awareness of educational impacts.
• Understanding the relationship of educational systems and their associated risk appetite.

Educational/Processes / IT Process Management:
• Understanding of educational requirements and mission objectives and their priorities.

Educational/Processes / Risk Management:
• Enhanced view of the operational environment to discern the likelihood of a cybersecurity event.

Educational/Processes / Legal Experts:
• Understanding of cyber threats to educational units and their mission objectives.
• Understanding of all compliance requirements for each educational unit.

Implementation/Operator / Implementation Teams:
• Understanding of security controls and their importance in managing operational security risk.
• Detailed understanding of the required actions to close gaps in cybersecurity requirements.

Implementation/Operator / Employees:
• Understanding of cybersecurity requirements for their associated educational systems.
Governance and Management of Enterprise Information Technology

CCSESA is dedicated to supporting the knowledge and skills that help educators determine and achieve strategic goals and realize potential educational benefits through the effective and innovative use of technology. Throughout this guidebook, standard vocabulary is used to describe the various processes, activities and planning:

• Enterprise - A group of individuals working together for a common purpose, typically within the context of an educational institution such as a school, district or County Office of Education.
• Organization - The structure of related or connected components of an enterprise defined by a particular scope.
• Governance - Ensures that educational needs, conditions and options are evaluated to determine balanced, agreed-on enterprise objectives to be achieved; setting direction through prioritization and decision making; and monitoring performance and compliance against agreed-upon direction and objectives.
• Management - Planning, building, operating and monitoring activities in alignment with the direction set by the governance body to achieve the enterprise objectives.

The documents included within this guidebook routinely reference Information Technology, or IT. When used in this context, IT refers to the technical processes and solutions involving hardware and software that enable educational functions to achieve strategic or enterprise objectives. The reader should realize that technology includes three components:

• Instructional Technology - specific technologies used in the educational processes of instructing students.
• Operational Technology - automated machinery or control systems such as environmental controls.
• Information Technology - hardware and software.

Some of the planning and management processes described in this guidebook will be helpful in organizing, evaluating and supporting the convergence of operational technology, instructional technology and information technology. It is important that those who utilize the processes in this guidebook adopt an overall comprehensive view of technology and not isolate a technology based upon scope or process. A very broad view of enterprise technology supports effective cybersecurity management in all phases of the educational process.
Introduction to the Framework for Improving Critical Infrastructure Cybersecurity

Based upon highly visible incidents affecting the security of our government, retail establishments and financial institutions, it was recognized that broad safeguards would be required to prevent compromise of critical infrastructure. President Barack Obama issued Executive Order (EO) 13636 (see footnote 1). This directed the executive branch of the US government to collaborate with industry and international partners on the following initiatives:

1. Develop a technology-neutral voluntary cybersecurity framework.
2. Promote and incentivize the adoption of cybersecurity practices.
3. Increase the volume, timeliness and quality of cyber threat information sharing.
4. Incorporate strong privacy and civil liberties protections into every initiative to secure our critical infrastructure.
5. Explore the use of existing regulation to promote cybersecurity.

In addition to EO 13636, President Obama also issued Presidential Policy Directive (PPD) 21: Critical Infrastructure Security and Resilience, which replaced Homeland Security Presidential Directive 7. This important change directed the Executive Branch of the US Government to take the following actions for the US critical infrastructure sectors listed in Figure 2:

• Develop a situational awareness capability that addresses both the physical and cyber aspects of how our infrastructure is functioning, in near real time.
• Understand the cascading consequences of infrastructure failures.
• Evaluate and mature the public-private partnership.
• Update the National Infrastructure Protection Plan.
• Develop a comprehensive research and development plan.

Figure 2 - Sector-Specific Agencies as described in PPD-21 (Sector: Sector-Specific Agency or Agencies)

• Chemical: Department of Homeland Security
• Commercial Facilities: Department of Homeland Security
• Communications: Department of Homeland Security
• Critical Manufacturing: Department of Homeland Security
• Dams: Department of Homeland Security
• Defense Industrial Base: Department of Defense
• Emergency Services: Department of Homeland Security
• Energy: Department of Energy
• Financial Services: Department of the Treasury
• Food and Agriculture: Departments of Agriculture and Health and Human Services
• Government Facilities: Department of Homeland Security and General Services Administration
• Healthcare and Public Health: Department of Health and Human Services
• Information Technology: Department of Homeland Security
• Nuclear Reactors, Materials and Waste: Department of Homeland Security
• Transportation Systems: Departments of Homeland Security and Transportation
• Water and Wastewater Systems: Environmental Protection Agency
1 Executive Order (EO) 13636 is available from the US Government Printing Office at www.gpo.gov/fdsys/pkg/FR-2013-02-19/pdf/2013-03915.pdf
Section 7 of EO 13636 directed the Secretary of Commerce to ask NIST to lead development of a framework (the NIST CSF, on which the CCSF is built) to reduce cyber risk to critical infrastructure. This framework was to include a set of standards, methodologies, procedures and processes that align policy, business and technological approaches to address cyber risk. The EO directs NIST to incorporate voluntary consensus standards and industry best practices, and to be consistent with voluntary international standards when such international standards will advance the objectives of the EO. Section 7 also sets out the critical success factors of the framework. It requires that the framework:

• Provide a prioritized, flexible, repeatable, performance-based and cost-effective approach, including information security measures and controls, to help owners and operators of critical infrastructure identify, assess and manage cyber risk.
• Focus on identifying cross-sector security standards and guidelines applicable to critical infrastructure.
• Identify areas for improvement that should be addressed through future collaboration with particular sectors and standards-developing organizations.
• Provide guidance that is technology neutral and that enables critical infrastructure sectors to benefit from a competitive market for products and services that meet the standards, methodologies, procedures and processes developed to address cyber risk.
• Include guidance for measuring the performance of an entity in implementing the Cybersecurity Framework.
To answer these governmental directives, the National Institute of Standards and Technology (NIST) released a Request for Information (RFI) in February 2013 asking a broad array of questions to gather relevant input from cross-sector industry partners, academia and other stakeholders. NIST requested information on how organizations were currently assessing risks and threats to their organization; how cybersecurity factored into that risk assessment; the current usage of existing cybersecurity frameworks, standards and guidelines; and other management practices related to cybersecurity. In addition, NIST requested information about the legal and regulatory aspects of particular frameworks, standards, guidelines and/or best practices, and the challenges organizations perceived in meeting those requirements. Thousands of data points were assembled and analyzed by NIST and the key stakeholders participating in the Framework's development.

In order to clarify many of the data points received, NIST conducted several workshops to refine the feedback and prepare the reporting needed for further development. Based on the responses to the RFI, the results of the workshops and interviews, and additional commissioned research, NIST developed a Cybersecurity Framework that identified existing practices to help an organization's risk management practices as they relate to the prevention and detection of, response to, and recovery from identified cybersecurity issues.
The first version of the Framework, Version 1.0, was released in February 2014 and identifies three primary components:

• Framework Core
• Framework Implementation Tiers
• Framework Profiles

These components are described in Appendix B. Initial responses from organizations attempting to implement the Framework were mixed: there was a lot of information but not a lot of detail on how to implement the various Implementation Tiers and Profiles. The concepts were new and not fully understood by the implementation teams tasked with the responsibility of implementing a standardized security framework. What appeared to be missing was a practical approach toward implementation. Several groups opted to integrate the NIST Framework with an existing, standardized practice designed to assist enterprises in achieving governance objectives and IT management. That standardized practice is COBIT 5.
Introduction to COBIT 5

COBIT has been recognized for a number of years by most enterprises as a comprehensive framework designed to help organizations achieve their governance and management objectives for IT. The current iteration of COBIT is version 5.0. The standard is generic in nature and useful for any vertical market, including education, and for organizations of all sizes, from small school districts and charter schools to the largest of our school districts. The COBIT 5 product family is shown in Figure 3.
Figure 3 - COBIT 5 Product Family

• COBIT 5 (the framework)
• COBIT 5 Enabler Guides: COBIT 5: Enabling Processes; COBIT 5: Enabling Information; Other Enabler Guides
• COBIT 5 Professional Guides: COBIT 5 Implementation; COBIT 5 for Information Security; COBIT 5 for Assurance; COBIT 5 for Risk; Other Professional Guides

COBIT 5 provides a comprehensive framework that assists school districts in achieving their objectives for the governance and management of their technology program. Several models for implementation are available: the framework may be implemented in a gradual approach, starting small and building on initial successes, or managed in a holistic manner for the entire school district, taking in the full end-to-end business and IT functional areas of responsibility. Regardless of which approach a district takes, COBIT helps enterprises create optimal value from IT by maintaining a balance between realizing benefits and optimizing risk levels and resource use. In itself, COBIT 5 is very generic and useful for enterprises of all sizes, whether school districts, County Offices of Education or even Higher Education.
The basis for the COBIT 5 framework is five key principles for the governance and management of educational IT environments:

1. Principle 1: Meeting Stakeholder Needs (students, staff, administration and even parents)
2. Principle 2: Covering the Enterprise Technology Environment (Information/Operational/Educational)
3. Principle 3: Applying a Single, Integrated Framework for all Audiences and Stakeholders
4. Principle 4: Enabling a Holistic Approach
5. Principle 5: Separating Governance from Management

Together, these five principles enable the enterprise to build an effective governance and management framework that optimizes information and technology investment and use for the benefit of educational stakeholders.

School districts exist to create value for their students. Consequently, any district has value creation as a governance objective. Value creation means realizing benefits at an optimal resource cost while optimizing risk. Benefits can take many forms, such as financial benefits for commercial enterprises, or taxpayer benefits and improved public service for government entities.
COBIT 5 Governance and Management

The COBIT 5 framework makes a clear distinction between governance and management. These two disciplines encompass different types of activities, require different organizational structures and serve different purposes. The COBIT 5 view on the key distinction between governance and management is:

Governance - Governance ensures that stakeholder needs, conditions and options are evaluated to determine balanced, agreed-on enterprise objectives to be achieved; setting direction through prioritization and decision making; and monitoring performance and compliance against agreed-on direction and objectives.

Management - Management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives.

COBIT 5 Goals Cascade

Stakeholder needs have to be transformed into a district's actionable strategy. The COBIT 5 goals cascade is the mechanism to translate stakeholder needs into specific, actionable and customized enterprise goals, IT-related goals and enabler goals. This translation allows setting specific goals at every level and in every area of the enterprise in support of the overall goals and stakeholder requirements, and thus effectively supports alignment between enterprise needs and IT solutions and services.

COBIT 5 Enablers

COBIT 5 provides a holistic and systemic view on governance and management, based on a number of enablers. Enablers are factors that, individually and collectively, influence whether something will work, in this case governance and management over enterprise IT. Enablers are driven by the goals cascade, i.e., higher-level IT-related goals define what the different enablers should achieve.
The COBIT 5 framework describes seven categories of enablers:

1. Principles, policies and frameworks
2. Processes
3. Organizational structures
4. Culture, ethics and behavior
5. Information
6. Services, infrastructure and applications
7. People, skills and competencies

Any enterprise must always consider an interconnected set of enablers. Each enabler:

• needs the input of other enablers to be fully effective, e.g., processes need information, organizational structures need skills and behavior; and
• delivers output to the benefit of other enablers, e.g., processes deliver information, skills and behavior make processes efficient.

COBIT 5 Process Reference Model

Processes are one of the seven enabler categories for governance and management. COBIT 5 includes a process reference model, defining and describing in detail a number of governance and management processes. The model provides a process reference tool that represents all of the processes that relate to IT activities normally found in a district, offering a common reference model understandable to operational IT and business managers. The proposed process model is a complete, comprehensive model, but it is not the only possible process model. Each enterprise must define its own process set, taking into account its specific situation.

Incorporating an operational model and a common language for all parts of the district involved in IT activities is one of the most important and critical steps toward good governance. It also provides a framework for measuring and monitoring IT performance, communicating with service providers, and integrating best management practices.

COBIT 5 advocates that the district implement governance and management processes such that the key areas shown in Figure 4 are covered.
Figure 5 shows the complete set of 37 governance and management processes within COBIT 5.
COBIT 5 Implementation Guidance

Optimal value can be realized from leveraging COBIT only if it is effectively adopted and adapted to suit each school or district's unique environment. Each implementation approach will also need to address specific challenges, including managing changes to culture and behavior.

CCSESA provides practical and extensive implementation guidance through its implementation of this framework and COBIT 5, which is based on a continual improvement life cycle. It is not intended to be a prescriptive approach nor a complete solution, but rather a guide to avoid commonly encountered pitfalls, leverage good practices and assist in the creation of successful outcomes. The guide is also supported by an implementation toolkit containing a variety of resources that will be continually enhanced. Its content includes:

• Self-assessment, measurement and diagnostic tools
• The NIST Framework in database format with implementation references
• E-Learning modules

The following are important topics covered in COBIT 5 Implementation:

1. Making a business case for the implementation and improvement of the governance and management of IT
2. Recognizing typical pain points and trigger events
3. Creating the appropriate environment for implementation
4. Leveraging COBIT to identify gaps and guide the development of enablers such as policies, processes, principles, organizational structures, and roles and responsibilities.
Scope and Approach

The guidance in this framework is intended to assist schools or districts with understanding the steps for Framework implementation using CCSESA and COBIT methods and approaches. The guide provides processes, example templates and guidance for using the Framework to identify and achieve enterprise and district objectives for the governance and management of IT.

The information is organized as follows:

• Section 1. Framework Implementation - Describes the approach to implementation, with supporting templates
• Appendix A. Introduction - Provides the background of the development of the NIST, COBIT and other frameworks and standards
• Appendix B. Introduction to NIST Cybersecurity Framework 1.0 - Provides a detailed introduction to the NIST Cybersecurity Framework 1.0 and its three components: Framework Core, Implementation Tiers and Profiles
• Appendix C. Communicating Cybersecurity Requirements with Stakeholders - Provides samples of communication strategies
• Appendix D. Framework Core - A printed copy of the CCSESA Framework Core for reference
• Appendix E. CCSESA CCSF Toolkit - Provides samples of the spreadsheets and databases used in the implementation of the CCSESA Cybersecurity Framework
• Appendix F. Considerations for Critical Infrastructure Sectors
Figure 6 provides an overview of this document and the location of information to answer some common questions regarding the implementation of the Framework.
Appendix B. Introduction to NIST Cybersecurity Framework 1.0

Framework Background

The NIST Cybersecurity Framework (adapted in this guidebook as the CCSF) was developed in response to US Presidential Executive Order 13636, which states:

"Repeated cyber intrusions into critical infrastructure demonstrate the need for improved cybersecurity. The cyber threat to critical infrastructure continues to grow and represents one of the most serious national security challenges we must confront."

Keep in mind the environment surrounding the release of the EO in 2013. In the months and years that followed, some very high profile organizations such as Target, Home Depot and Michaels encountered highly visible security breaches resulting in the compromise of large amounts of customer data, including credit card information. The affected organizations reacted, but without a lot of direction or standardization.
The goals of the Executive Order align well with the COBIT 5 framework, which recognizes that "information is a key resource for all enterprises," and "information technology is increasingly advanced and has become pervasive in enterprises and in social, public and business environments." COBIT 5 helps enterprises to create optimal value from IT by maintaining a balance between realizing benefits and optimizing risk levels and resource use. The framework enables IT to be governed and managed in a holistic manner for the entire enterprise, taking into account the full end-to-end business and IT functional areas of responsibility and considering the IT-related interests of internal and external stakeholders.

Over the following months, staff from NIST (National Institute of Standards and Technology) met with industry partners, including the SMB and Higher Ed community, to consider responses to the February 2013 RFI, and further refined guidance to create a risk-based framework for reducing cybersecurity risk. Participation and comment submissions included significant contributions from small and medium-sized businesses (SMBs) and from education (primarily Higher Ed). This input greatly improved the understanding of the challenges and root causes underlying risk, and the support from SMBs and Higher Ed contributed to a broad and flexible framework. Each RFI response and each subsequent workshop comment was reviewed and analyzed by NIST. Through analysis of response coverage across critical infrastructure sectors and organization types, and consideration of the terms and phrases that identified key response points, NIST identified commonalities and recurring themes. These themes were leveraged and incorporated throughout the Framework during its development; Figure 7 summarizes them.
Figure 7 - NIST Initial Framework Considerations (Categories: Framework Principles, Common Points, Initial Groups; Themes listed under each)

Framework Principles:
• Flexibility
• Impact on global operations
• Risk approaches
• Leverage approaches, standards and best practices

Common Points:
• Senior management engagement
• Understanding threat environment
• Business risk/risk assessment
• Separation of business and operational systems
• Models/levels of maturity
• Incident response
• Cybersecurity workforce
• Metrics
• Privacy/civil liberties

Initial Groups:
• Tools
• Dependencies
• Industry best practices
• Resiliency
• Critical infrastructure cybersecurity nomenclature

Source: NIST, 2013, Initial Analysis of Cybersecurity Framework RFI Responses, USA, Figure 1
The CCSF is a risk-based (versus compliance-based) approach to managing cybersecurity risk and is comprised of three parts:

1. the Framework Core,
2. the Framework Implementation Tiers and
3. the Framework Profiles.

Each CCSF component reinforces the connection between business drivers and cybersecurity activities.

The Framework Core (detailed later in this guidebook) is a set of cybersecurity activities, desired outcomes and applicable references that are common across critical infrastructure sectors, including education.

The Framework Implementation Tiers provide context on how a district views cybersecurity risk and the processes in place to manage that risk. Tiers describe the degree to which a district's cybersecurity risk management practices exhibit the characteristics defined in the Framework (e.g., risk- and threat-aware, repeatable, and adaptive). The Tiers characterize a district's practices over a range from Partial (Tier 1) to Adaptive (Tier 4).

A Framework Profile represents the outcomes, based on business needs, that a district has selected from the Framework Categories and Subcategories. The Profile can be characterized as the alignment of standards, guidelines and practices to the Framework Core in a particular implementation scenario. Profiles can be used to identify opportunities for improving cybersecurity posture by comparing a Current Profile (the "as is" state) with a Target Profile (the "to be" state).
In addition to providing a cybersecurity framework, the Framework for Improving Critical Infrastructure Cybersecurity also provides basic implementation guidance through a seven-step process:
Step 1: Prioritize and Scope - Requests that districts scope and prioritize business/mission objectives and high-level district priorities. This information allows districts to make strategic decisions regarding the scope of systems and assets that support the selected business lines or processes within the district.

Step 2: Orient - Provides districts an opportunity to identify threats to, and vulnerabilities of, the systems identified in the Prioritize and Scope step.

Step 3: Create a Current Profile - Identifies the requirement to define the current state of the district's cybersecurity program by establishing a current state profile.

Step 4: Conduct a Risk Assessment - Allows districts to conduct a risk assessment using their currently accepted methodology. The information from this step is used in Step 5.

Step 5: Create a Target Profile - Allows districts to develop a risk-informed target state profile. The target state profile focuses on the assessment of the Framework Categories and Subcategories describing the district's desired cybersecurity outcomes.

Step 6: Determine, Analyze, and Prioritize Gaps - Districts conduct a gap analysis to determine opportunities for improving the current state. The gaps are identified by overlaying the current state profile with the target state profile.

Step 7: Implement Action Plan - After the gaps are identified and prioritized, the required actions are taken to close the gaps and work toward obtaining the target state.
While hundreds of organizations provided input into the design of the Cybersecurity Framework, ISACA, the publisher of COBIT, was deeply engaged in the CSF development at each stage. Many COBIT principles are visible in the CCSF implementation steps. Figure 8 illustrates some parallels between the CCSF implementation steps and the COBIT 5 framework principles.
Figure 8 - Comparison of the CCSF Implementation Steps with COBIT 5 Principles (CSF Steps 1-7 paired with COBIT Principles 1-5)

CSF Step 1: Prioritize and Scope - Requests that districts scope and prioritize business/mission objectives and high-level district priorities. This information allows districts to make strategic decisions regarding the scope of systems and assets that support the selected business lines or processes within the district.

COBIT Principle 1: Meeting Stakeholder Needs - Enterprises exist to create value for their stakeholders by maintaining a balance between the realization of benefits and the optimization of risk and use of resources. An enterprise can customize COBIT 5 to suit its own context through the goals cascade, translating high-level enterprise goals into manageable, specific goals and mapping these to specific processes and practices.

CSF Step 2: Orient - Provides districts an opportunity to identify threats to, and vulnerabilities of, the systems identified in the Prioritize and Scope step.
CSF Step 3: Create a Current Profile - Identifies the requirement to define the current state of the district's cybersecurity program by establishing a current state profile.

COBIT Principle 2: Covering the Enterprise End-to-end - COBIT 5 integrates governance of enterprise IT into enterprise governance:
• It covers all functions and processes within the enterprise; COBIT 5 does not focus only on the "IT function," but treats information and related technologies as assets that need to be dealt with just like any other asset by everyone in the enterprise.
• It considers all IT-related governance and management enablers to be enterprise-wide and end-to-end, i.e., inclusive of everything and everyone, internal and external, that is relevant to governance and management of enterprise information and related IT.

CSF Step 4: Conduct a Risk Assessment - Allows districts to conduct a risk assessment using their currently accepted methodology. The information from this step is used in Step 5.

COBIT Principle 3: Applying a Single, Integrated Framework - There are many IT-related standards and good practices, each providing guidance on a subset of IT activities. COBIT 5 aligns with other relevant standards and frameworks at a high level, and thus can serve as the overarching framework for governance and management of enterprise IT.

CSF Step 5: Create a Target Profile - Allows districts to develop a risk-informed target state profile. The target state profile focuses on the assessment of the Framework Categories and Subcategories describing the district's desired cybersecurity outcomes.

COBIT Principle 4: Enabling a Holistic Approach - Efficient and effective governance and management of enterprise IT require a holistic approach, taking into account several interacting components. COBIT 5 defines a set of enablers to support the implementation of a comprehensive governance and management system for enterprise IT. Enablers are broadly defined as anything that can help to achieve the objectives of the enterprise. The COBIT 5 framework defines seven categories of enablers:
1. Principles, Policies and Frameworks
2. Processes
3. Organizational Structures
4. Culture, Ethics and Behavior
5. Information
6. Services, Infrastructure and Applications
7. People, Skills and Competencies

CSF Step 6: Determine, Analyze, and Prioritize Gaps - Districts conduct a gap analysis to determine opportunities for improving the current state. The gaps are identified by overlaying the current state profile with the target state profile.

COBIT Principle 5: Separating Governance from Management - The COBIT 5 framework makes a clear distinction between governance and management. These two disciplines encompass different types of activities, require different organizational structures and serve different purposes.

CSF Step 7: Implement Action Plan - After the gaps are identified and prioritized, the required actions are taken to close the gaps and work toward obtaining the target state. (No single COBIT principle is paired with this step.)
Coordination of Framework Implementation

Another important aspect of the CCSF is its guidance regarding stakeholder communications. NIST's analysis of industry feedback during the development period indicated that risk decisions, in many organizations, had alignment problems with enterprise drivers and goals. As COBIT 5 for Risk points out, when the board and executive management at the enterprise level (see COBIT 5 process EDM03 - Ensure Risk Optimization) define risk capacity and risk appetite, the prioritization and approval process for risk response actions is improved.

The CCSF's common flow of information and decisions at the following levels within a district is similar to the stakeholder roles described in COBIT 5, as shown in Figure 9.

Figure 9 - Comparison of CCSF and COBIT Roles (CSF Role: COBIT 5 Roles)

• Executive Level: Board of Directors and Executive Management
• Business/Process: Business management and business process owners
• Implementation/Operations: IT management and IT process owners (e.g., head of operations, chief architect, IT security manager, business continuity management specialist) and other implementation team members

The Executive Level communicates information about district goals and mission priorities, using language, approaches and communications that are meaningful to executive management. This activity is comparable to the COBIT implementation phase "Phase 1 - What Are the Drivers?" Dialogue with business management and business process owners includes definition of appropriate risk tolerances and available resources. The Business/Process level, in turn, uses the information as inputs into the risk management process, and then collaborates with the IT management and IT process owners to communicate business needs.

These two levels of management determine the current cybersecurity state using a Framework Profile template (described later in this document). The Current Profile and Target Profile provide considerations comparable to COBIT's next two implementation phases, "Phase 2 - Where Are We Now?" and "Phase 3 - Where Do We Want to Be?" Through comparison of the target with the current state, the implementation team is able to recommend specific and prioritized actions to achieve stakeholder goals, aligned with the Phase 1 business drivers, resource requirements and district risk appetite. This action plan, comparable to COBIT implementation phases 4 and 5, "Phase 4 - What Needs to Be Done?" and "Phase 5 - How Do We Get There?", provides a cost-effective, agile approach to governance of enterprise IT that is scalable to any size district.

As Figure 10 illustrates, the information flow is cyclical, with ongoing monitoring as a critical step. The COBIT implementation phases "Phase 6 - Did We Get There?" and "Phase 7 - How Do We Keep the Momentum Going?" provide important considerations to ensure ongoing, cost-effective governance and management. For example, as technical changes occur (e.g., changes to physical, process and technical assets; updated threats; discovered or remediated vulnerabilities), the implementation/operations level communicates the Profile implementation progress to the business/process level.
The business/process level uses this information to perform an impact assessment in consideration of the business drivers. Business/process level management reports the outcomes of that impact assessment to the executive level, using language and methods appropriate for board of directors/executive management communications, to inform the district's overall risk management process.

Framework Core

The Framework Core is a set of cybersecurity activities, desired outcomes and applicable references that are common across critical infrastructure sectors and suitable for educational practice (the references are drawn not only from education but also from other sectors, including SMBs). The Core presents industry standards, guidelines and practices in a manner that allows for communication of cybersecurity activities and outcomes across the district, from the executive level (including school boards) to the implementation/operations level within the IT Department. The Framework Core consists of five concurrent and continuous Functions:
• Identify,
• Protect,
• Detect,
• Respond,
• Recover.
When considered together, these Functions provide a high-level, strategic view of the lifecycle of a school district's management of cybersecurity risk. The Framework Core then identifies underlying key Categories and Subcategories for each Function, and matches them with example Informative References such as existing standards, guidelines and practices for each Subcategory, as depicted in Figure 11.
Notice the hierarchical fashion of the Framework. This is best depicted in a variety of dbase tools, many of which are available from various locations on the web (https://www.nist.gov/cyberframework/csf-reference-tool). What is missing is a detailed breakdown of critical references, including state-specific references. The dbase tool provided in this toolkit contains a number of these local references. The dbase has been developed in a Microsoft Access format to allow for easy editing and augmenting with additional resources. In addition to the dbase tool, an Excel version of the Core components is provided in more detail in the toolkit.
The outcomes in the Core help the reader to answer the following questions:
• What people, processes and technologies are essential to provide the right services to the right stakeholders?
• What do we need to do to protect those assets from the risk discovered in the Identify function?
• What detection capability can we implement to recognize potential or realized risk to district assets from identified risk?
• What response and recovery activities are appropriate and necessary to continue operations (albeit diminished) or restore the services described above?
The CCSF describes the five Core Functions as:
• Identify—develop the district understanding to manage cybersecurity risk to systems, assets, data and capabilities. The activities in the Identify Function are foundational for effective use of the Framework. Understanding the business context, the resources that support critical functions and the related cybersecurity risk enables a district to focus and prioritize its efforts, consistent with its risk management strategy and business needs. Examples of outcome Categories within this Function include: Asset Management; Business Environment; Governance; Risk Assessment; and Risk Management Strategy.
• Protect—develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services. The Protect Function supports the ability to limit or contain the impact of a potential cybersecurity event. Examples of outcome Categories within this Function include: Access Control; Awareness and Training; Data Security; Information Protection Processes and Procedures; Maintenance; and Protective Technology.
• Detect—develop and implement the appropriate activities to identify the occurrence of a cybersecurity event. The Detect Function enables timely discovery of cybersecurity events. Examples of outcome Categories within this Function include: Anomalies and Events; Security Continuous Monitoring; and Detection Processes.
• Respond—develop and implement the appropriate activities to take action regarding a detected cybersecurity event. The Respond Function supports the ability to contain the impact of a potential cybersecurity event. Examples of outcome Categories within this Function include: Response Planning; Communications; Analysis; Mitigation; and Improvements.
• Recover—develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event. The Recover Function supports timely recovery to normal operations to reduce the impact from a cybersecurity event. Examples of outcome Categories within this Function include Recovery Planning, Improvements, and Communications.
Each Function comprises one or more Categories, process-specific outcomes that support cybersecurity management. These Categories, in turn, comprise numerous specific Subcategories that provide process assessment to determine current state and target goals. Figure 12 below provides an overview of the Framework Categories. Please note: most depictions of the NIST Framework are "heavily" coded using two-character codes. While this will generate some issues, it is probably the best way to depict something of this nature. Figure 12 also provides the normal coding scheme for your review. Before launching into the CCSESA Framework tool, familiarize yourself with this scheme for ease of operation.
While many districts maintain internal processes and procedures to achieve the outcomes instantiated by the Framework Core, others requested specific guidance as to how to gain that achievement. As illustrative examples of practices which some districts use to achieve the outcomes, NIST provided informative references to cross-sector, internationally recognized guidance (including COBIT 5) that assist in accomplishing each Subcategory.
Framework Implementation Tiers

The CCSF includes several levels of Implementation Tiers (Partial / Risk Informed / Repeatable / Adaptive) that assist in conducting assessment and planning of cybersecurity activities. The Tiers describe attributes to consider when creating a Target Profile (TO-BE) or completing a Current Profile (AS-IS). A description of the Tiers is provided in detail in Figure 13. While not considered a maturity model, the Tier characteristics describe a progression from ad hoc to adaptive in three categories:
• Risk Management Process—Considers the level to which the district cybersecurity risk management practices are formalized and institutionalized. The attributes consider the extent to which prioritization of cybersecurity activities is informed by district risk objectives, the threat environment and stakeholder requirements.
• Integrated Risk Management Program—Reviews the cybersecurity risk awareness at the district level. Levels increase as risk-informed, management-approved processes and procedures are defined and implemented and as they are adapted based on information sharing and lessons learned from previous activities.
• External Participation—Considers the level to which the district actively shares information with external partners to improve security before a security event occurs and informs those partners about indicators, observations or events.
Figure 13 - Framework Implementation Tiers
(Columns: Tier | Risk Management Process | Integrated Risk Management Program | External Participation)

Tier 1: Partial
Risk Management Process: Organizational cybersecurity risk management practices are not formalized, and risk is managed in an ad hoc and sometimes reactive manner. Prioritization of cybersecurity activities may not be directly informed by district risk objectives, the threat environment or business/mission requirements.
Integrated Risk Management Program: There is limited awareness of cybersecurity risk at the district level and a district-wide approach to managing cybersecurity risk has not been established. The district implements cybersecurity risk management on an irregular, case-by-case basis due to varied experience or information gained from outside sources. The district may not have processes that enable cybersecurity information to be shared within the district.
External Participation: A district may not have the processes in place to participate in coordination or collaboration with other entities.

Tier 2: Risk Informed
Risk Management Process: Risk management practices are approved by management but may not be established as district-wide policy. Prioritization of cybersecurity activities is directly informed by district risk objectives, the threat environment or business/mission requirements.
Integrated Risk Management Program: There is an awareness of cybersecurity risk at the district level but a district-wide approach to managing cybersecurity risk has not been established. Risk-informed, management-approved processes and procedures are defined and implemented, and staff has adequate resources to perform their cybersecurity duties. Cybersecurity information is shared within the district on an informal basis.
External Participation: The district understands its role in the larger ecosystem, but has not formalized its capabilities to interact and share information externally.

Tier 3: Repeatable
Risk Management Process: The district's risk management practices are formally approved and expressed as policy. Organizational cybersecurity practices are regularly updated based on the application of risk management processes to changes in business/mission requirements and a changing threat and technology landscape.
Integrated Risk Management Program: There is a district-wide approach to manage cybersecurity risk. Risk-informed policies, processes and procedures are defined, implemented as intended and reviewed. Consistent methods are in place to respond effectively to changes in risk. Personnel possess the knowledge and skills to perform their appointed roles and responsibilities.
External Participation: The district understands its dependencies and partners and receives information from these partners that enables collaboration and risk-based management decisions within the district in response to events.

Tier 4: Adaptive
Risk Management Process: The district adapts its cybersecurity practices based on lessons learned and predictive indicators derived from previous and current cybersecurity activities. Through a process of continuous improvement incorporating advanced cybersecurity technologies and practices, the district actively adapts to a changing cybersecurity landscape and responds to evolving and sophisticated threats in a timely manner.
Integrated Risk Management Program: There is a district-wide approach to managing cybersecurity risk that uses risk-informed policies, processes and procedures to address potential cybersecurity events. Cybersecurity risk management is part of the district culture and evolves from an awareness of previous activities, information shared by other sources and continuous awareness of activities on their systems and networks.
External Participation: The district manages risk and actively shares information with partners to ensure that accurate, current information is being distributed and consumed to improve cybersecurity before a cybersecurity event occurs.
The CCSF provides neither descriptive guidance regarding how to measure these attributes, nor a quantitative method to determine the applicable Tier. NIST received numerous comments during the development process, many supporting a maturity model similar to that used in the Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2) or the Carnegie-Mellon Maturity Matrix Index. Strict criteria are difficult, however, across a broad array of users, and NIST is not authoritative for deciding mandatory thresholds... you are! For that reason, the Tiers are subjective, but are designed to help a district consider current risk management practices, threat environment, legal and regulatory requirements, business/mission objectives, and district constraints. The lack of a concrete measurement standard in CCSF version 1.0 is not intended to prevent such measurement; districts (and organized groups, such as critical infrastructure sectors) may develop criteria to aid in comparison and communication of Tier selection. To address this gap, CCSESA recommends that districts participate in a Security Risk Assessment from a reputable security company. Using this Framework and other standards prescribed by the assessment group, an adequate profile can be developed.
The Framework Implementation Tiers are similar to COBIT's Process Capability Levels (PCLs). While PCLs are assessed (in accordance with the COBIT Process Assessment Model [PAM] publication) at the individual process, the Tiers apply to the district itself, or a sub-component of the district, depending on the scope of the implementation. Consideration of the PCLs may assist with determining the appropriate Framework Tier.
Rating the outcomes described in Figure 13 will require professional judgment by the implementer. The reasons for selecting a Tier, and for agreeing/disagreeing with an outcome statement in the Profiles, should be clearly documented so that advice can be given on areas in which the processes can be improved.
Specifically, the Tiers compare in the following ways:
Figure 13 - Comparison of CCSF Tiers to COBIT 5 Process Capability Levels (PCLs)
(Columns: CSF Tier | Descriptor | Description | COBIT 5 PCL)

Tier 1 (Partial): The risk management and information sharing processes are either not implemented or are not yet formal enough to provide consistent district benefit. COBIT 5 PCL: PCL 0 - Incomplete; PCL 1 - Performed.
Tier 2 (Risk Informed): The outcomes are implemented in a managed fashion, informed by district risk processes and providing significant district awareness of cybersecurity risk management. COBIT 5 PCL: PCL 2 - Managed.
Tier 3 (Repeatable): The managed process is implemented using a defined method that is capable of achieving intended outcomes. COBIT 5 PCL: PCL 3 - Established.
Tier 4 (Adaptive): The outcomes are achieved proactively, learning from the experience of internal and external stakeholders, perhaps informed through external information sources. COBIT 5 PCL: PCL 4 - Predictable; PCL 5 - Optimizing.
The role of the Tiers in determining risk approach is closely related to COBIT's EDM03 Ensure Risk Optimization. As the district adapts its cybersecurity practices based on lessons learned and predictive indicators, and as the district or school builds an enterprise approach to risk management, the district is better able to ensure identification and management of risk to enterprise value. This, in turn, enables the EDM03 goals of ensuring that technology-related enterprise risk does not exceed risk appetite and risk tolerance, that the impact of technology risk to enterprise value is identified and managed, and that the potential for compliance failures is minimized.
Framework Profiles

A Framework Profile ("Profile") represents the outcomes, based on business needs, that a district has selected from the Framework Categories and Subcategories. The Profile can be characterized as the alignment of standards, guidelines and practices to the Framework Core in a particular implementation scenario. Profiles can be used to identify opportunities for improving cybersecurity posture by comparing a Current Profile (the "as is" state) with a Target Profile (the "to be" state). This is referred to as the AS-IS/TO-BE Transformation.
To develop a Profile, a district can review each of the Core Categories and Subcategories and, based on business drivers and a risk assessment (usually conducted through a third party), determine which are most important; the district adds Categories and Subcategories as needed to address its risk. The Current Profile can then be used to support prioritization and measurement of progress toward the Target Profile, factoring in business needs including cost-effectiveness and innovation. A business case to support additional investment in security technology (hardware/processes/people) can then be made. The use of Profiles to conduct self-assessments and to communicate within a district or between districts is common.
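The two-character coding scheme described with Figure 12 and the AS-IS/TO-BE comparison described above can both be made concrete in a few lines of code. The following is an added example, not part of the CCSESA toolkit or its Access/Excel database: it validates Subcategory codes of the form Function.Category-Number (the codes used in Appendix D, such as ID.AM-1), records a Current Profile and a Target Profile as Tier assessments per Subcategory, and lists the gaps in priority order, rolled up to the Function level for executive-level reporting. The profile contents and priorities are constructed for illustration.

```python
"""Model the Framework Core coding scheme and compute the AS-IS/TO-BE gap between a
Current Profile and a Target Profile. Added example; the profile contents are constructed."""
import re
from collections import Counter

# The two-character coding scheme: Function.Category-Number, e.g. ID.AM-1 is
# Function ID (Identify), Category AM (Asset Management), Subcategory 1.
SUBCATEGORY_RE = re.compile(
    r"^(?P<function>[A-Z]{2})\.(?P<category>[A-Z]{2})-(?P<number>[1-9]\d*)$"
)

FUNCTIONS = {"ID": "Identify", "PR": "Protect", "DE": "Detect", "RS": "Respond", "RC": "Recover"}
TIERS = {1: "Partial", 2: "Risk Informed", 3: "Repeatable", 4: "Adaptive"}


def parse_subcategory(code):
    """Split a Subcategory code into (function, category, number); reject malformed codes."""
    match = SUBCATEGORY_RE.match(code)
    if match is None:
        raise ValueError(f"not a Core Subcategory code: {code!r}")
    function = match.group("function")
    if function not in FUNCTIONS:
        raise ValueError(f"unknown Function {function!r} in {code!r}")
    return function, match.group("category"), int(match.group("number"))


# Constructed Current Profile (AS-IS): Subcategory -> Tier assessed today.
CURRENT_PROFILE = {"ID.AM-1": 2, "ID.AM-2": 1, "PR.AC-4": 2, "PR.DS-1": 3, "ID.RA-1": 1}

# Constructed Target Profile (TO-BE): Subcategory -> (Tier wanted, priority derived from
# the business drivers and the risk assessment; 1 = highest).
TARGET_PROFILE = {
    "ID.AM-1": (3, 1), "ID.AM-2": (3, 1), "PR.AC-4": (3, 2),
    "PR.DS-1": (3, 2), "ID.RA-1": (3, 1), "PR.IP-1": (2, 3),
}


def profile_gap(current, target):
    """List the Subcategories where the Current Profile falls short of the Target,
    ordered by priority, then by size of the gap. A Subcategory missing from the
    Current Profile has not been assessed and is treated as Tier 1 (ad hoc)."""
    gaps = []
    for code, (target_tier, priority) in target.items():
        parse_subcategory(code)  # validate the code before using it
        current_tier = current.get(code, 1)
        if current_tier < target_tier:
            gaps.append({
                "code": code,
                "current": TIERS[current_tier],
                "target": TIERS[target_tier],
                "gap": target_tier - current_tier,
                "priority": priority,
            })
    gaps.sort(key=lambda g: (g["priority"], -g["gap"], g["code"]))
    return gaps


def gap_by_function(gaps):
    """Roll the gap list up to the Function level for executive-level reporting."""
    counts = Counter(FUNCTIONS[parse_subcategory(g["code"])[0]] for g in gaps)
    return dict(counts)


if __name__ == "__main__":
    gaps = profile_gap(CURRENT_PROFILE, TARGET_PROFILE)
    for g in gaps:
        print(f"P{g['priority']} {g['code']}: {g['current']} -> {g['target']} (gap {g['gap']})")
    print(gap_by_function(gaps))
```

The sort key puts the highest-priority, widest gaps first, which is the order in which the implementation team would recommend actions; the Function roll-up is the view that suits board-level communication, where the individual codes are less meaningful.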
To assist districts in adopting and implementing the CCSF, the next section of this guidebook lays out a recommended seven-step implementation process. Each step is a precursor to the following step, although some districts may conduct some steps in a different order. For example, a district may adopt a Target Profile before performing a Current Profile, or might perform a risk assessment before developing a Current Profile. These steps, summarized and with detailed implementation recommendations described later in this guide, should be repeated as necessary to continuously improve a district's cybersecurity and risk avoidance.

Risk Considerations from COBIT and the CCSF

Maintaining an understanding of enterprise security risk is a key component of the CCSF. Step four of the CCSF implementation process includes the requirement for performing a risk assessment. Risk assessments provide stakeholders and managers an opportunity to weigh security vulnerabilities, threats to the enterprise and technologies against operational requirements. Risk assessments assist in defining the Subcategories required to adequately mitigate the risk to the district and identify the rigor with which the mitigation should be applied. The rigor for implementing cybersecurity controls is attained through Implementation Tiers as described in this guidebook.
The Institute of Risk Management (IRM) defines risk as "the combination of the probability of an event and its consequence. Consequences can range from positive to negative." The International Organization for Standardization defines risk in the internationally recognized ISO Guide 73 as the "effect of uncertainty on objectives," noting that an effect may be positive, negative or a deviation from the expected. In the context of applying the CCSF, then, the primary consequence to be considered is the likelihood of achieving stakeholder goals. Similarly, COBIT 5 for Risk defines IT risk as business risk, specifically the business risk associated with the use, ownership, operation, involvement, influence and adoption of IT within an enterprise. IT risk consists of IT-related events that could potentially impact the business. IT risk can occur with both uncertain frequency and impact, and creates challenges in meeting strategic goals and objectives. IT risk always exists, whether or not it is recognized by an enterprise.
As described in COBIT 5 for Risk and illustrated in Figure 14, managed risk enables business drivers, enhances opportunities, and provides executives and managers with an understanding of the security strengths and weaknesses within the district. When risk is poorly managed, business value is reduced, IT is misused, and executives and managers are unaware of potential security threats and vulnerabilities that could lead to lost revenue or reputation.
The Risk Function Perspective (COBIT 5)

COBIT 5 is an end-to-end framework that considers optimization of risk as a key value objective. COBIT 5 considers governance and management of risk as part of the overall governance and management for IT. For each enabler, the risk function perspective describes how the enabler contributes to the overall risk governance and management function. For example, which:
• Processes are required to define and sustain the risk function, govern and manage risk—EDM01, APO01, etc.
• Information flows are required to govern and manage risk—risk universe, risk profile, etc.
• Organizational structures are required to govern and manage risk—ERM committee, risk function, etc.
Sections 2 through 8 of COBIT 5 for Risk contain examples for each enabler. These examples are further elaborated in Appendix B of COBIT 5 for Risk. The details of the full scope of COBIT 5 for Risk are provided in Figure 15.
COBIT 5 for Risk provides specific guidance related to all enablers:
1. Risk principles, policies and frameworks
2. Processes, including risk-function-specific details and activities
3. Risk-specific district structures
4. In terms of culture, ethics and behavior, factors determining the success of risk governance
5. Risk-specific information types for enabling risk governance and management within the enterprise
6. With regard to services, infrastructure and applications, service capabilities required to provide risk and related functions to an enterprise
7. For the people, skills and competencies enabler, skills and competencies specific for risk
The Risk Management Perspective

The risk management perspective addresses governance and management, i.e., how to identify, analyze and respond to risk and how to use the COBIT 5 framework for that purpose. This perspective requires core risk processes (COBIT 5 processes EDM03 Ensure risk optimization and APO12 Manage risk) to be implemented.
The CCSF leverages the risk assessment process to define how districts will implement each Core Subcategory. Completing a risk assessment provides an understanding of the likelihood that a risk event will occur and what the resulting impact will be. For each potential event recorded above, determine the likelihood of that event occurring and the impact if it occurred. Districts may choose to complete several risk assessments, one for each business area, and aggregate the information to form an enterprise risk assessment.
For some districts, a separate risk assessment may be conducted for each business area (e.g., human resources, accounting, customer support) as defined by the Prioritize and Scope step. Separate risk assessments allow separate Target Profiles to ensure that the risk for the business area is addressed without overcompensating. The enterprise risk assessment provides a baseline to ensure that a minimum threshold is defined. This ensures that less sensitive business areas are not neglected and thus do not provide an avenue of attack for malicious users.
After the risk assessment is complete, districts can determine the acceptable level of risk for IT assets and systems, expressed as their risk tolerance, budget and resources. The risk tolerance is used to define the controls required for each Subcategory and the rigor required for implementing the control by defining the target state profile.
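The procedure described in the preceding paragraphs (score each potential event by likelihood and impact, assess each business area separately, aggregate into an enterprise assessment that sets a minimum threshold, then let the risk tolerance decide the rigor of each Subcategory in the area's Target Profile) is worked through below. This is an added example and not the CCSF toolkit's method: the two 1-to-5 scales, the event register, the tolerance value and the three rigor labels ("full", "baseline", "accept") are all constructed, and how those labels map onto Implementation Tiers is left to the district.

```python
"""Risk assessment per business area, aggregated into an enterprise view and compared
with the district's risk tolerance to set the control rigor in each area's Target Profile.
Added example (not the CCSF toolkit); scales, events and the rigor labels are constructed."""

# Constructed ordinal scales; a district sets its own when it expresses its risk tolerance.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


def risk_score(likelihood, impact):
    """Risk = likelihood x impact on the two 1..5 scales (range 1..25)."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]


# Constructed sample register: each potential event is recorded by the business area
# that identified it, against the Core Subcategory whose outcome would mitigate it.
EVENTS = [
    # (business area, potential event, subcategory, likelihood, impact)
    ("human resources", "HR server missing critical patches", "ID.RA-1", "likely", "major"),
    ("human resources", "departed employee account still enabled", "PR.AC-1", "possible", "major"),
    ("accounting", "laptop holding unencrypted records lost", "PR.DS-1", "possible", "severe"),
    ("accounting", "finance server missing patches", "ID.RA-1", "unlikely", "moderate"),
    ("accounting", "print server outage delays payroll", "PR.DS-4", "possible", "minor"),
    ("student services", "shared administrator password", "PR.AC-4", "likely", "moderate"),
    ("student services", "kiosk missing patches", "ID.RA-1", "rare", "minor"),
]


def assess_area(events, area):
    """Separate assessment for one business area: the highest score per Subcategory."""
    scores = {}
    for ev_area, _event, subcategory, likelihood, impact in events:
        if ev_area != area:
            continue
        score = risk_score(likelihood, impact)
        scores[subcategory] = max(scores.get(subcategory, 0), score)
    return scores


def enterprise_assessment(events):
    """Aggregate the area assessments: the worst score any area found per Subcategory."""
    enterprise = {}
    for area in sorted({ev[0] for ev in events}):
        for subcategory, score in assess_area(events, area).items():
            enterprise[subcategory] = max(enterprise.get(subcategory, 0), score)
    return enterprise


def target_profile_for_area(events, area, tolerance):
    """Control rigor per Subcategory for one area's Target Profile.

    "full":     this area's own score exceeds the risk tolerance, so the control is
                implemented with full rigor here.
    "baseline": this area is within tolerance, but another area found the same risk
                unacceptable; the enterprise assessment imposes a minimum threshold so
                the less sensitive area is not left as an avenue of attack.
    "accept":   within tolerance everywhere; the residual risk is accepted.
    """
    area_scores = assess_area(events, area)
    profile = {}
    for subcategory, enterprise_score in enterprise_assessment(events).items():
        own = area_scores.get(subcategory, 0)
        if own > tolerance:
            profile[subcategory] = "full"
        elif enterprise_score > tolerance:
            profile[subcategory] = "baseline"
        else:
            profile[subcategory] = "accept"
    return profile


if __name__ == "__main__":
    tolerance = 9  # constructed: scores above 9 exceed the district's risk tolerance
    for area in sorted({ev[0] for ev in EVENTS}):
        print(area, target_profile_for_area(EVENTS, area, tolerance))
```

Taking the worst score across areas for the enterprise view is what makes the baseline work: accounting's own patching risk scores 6, inside tolerance, yet it still receives at least baseline rigor for ID.RA-1 because human resources scored the same weakness at 16. Only PR.DS-4, which no area rated above tolerance, is accepted outright.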
Appendix C. Communicating Cybersecurity Requirements with Stakeholders

An important component of both the CCSF and the COBIT 5 framework involves the governance and management of suppliers and business partners. A single district may entail dozens of external stakeholders and supply chain/service providers. Each of these stakeholders brings opportunities to fulfill enterprise and IT-related goals; they also add additional vulnerability and potential risk to be considered. Implementation of the CCSF using COBIT principles and processes provides a common language to communicate stakeholder needs and requirements.
The resulting process enables IT to be governed and managed in a holistic manner for the entire enterprise, supporting the primary district as well as its supply chain partners, in applying an integrated framework. Many COBIT 5 practices include supplier components, guided by many elements of APO10 Manage suppliers. Specific examples of using the CCSF through COBIT 5 with external business partners include:
• Document supplier management aspects. Cooperative agreements provide an opportunity to document the drivers, risk agreements and goals, using a subset of the processes in phase 1 (Section 3).
• Record the result of supplier/partner assessments using the Current Profile template. Alignment around this CCSF/COBIT model supports COBIT's principle of a single integrated framework model to record and communicate goals and performance.
• Record expectations and requirements through use of the Target Profile template described in Section 3, phase 3. This model is helpful for conveying specific Governance and Management obligations, for example to a cloud provider to which the district is exporting data.
Harmonization of processes and communications for both internal and external stakeholders improves consistency and simplifies tracking/reporting. Through use of common templates and communication practices, achievement of a holistic approach to governance and management of IT will ensure that goals are aligned and effective.
Appendix D: Framework Core

As described in Appendix B, the Framework Core provides a set of activities to achieve specific cybersecurity outcomes and references examples of guidance to achieve those outcomes. The Core is not a checklist of actions to perform. It presents key cybersecurity outcomes identified by industry as helpful in managing cybersecurity risk. The Core comprises four elements: Functions, Categories, Subcategories and Informative References.
The following table represents the Framework Core as provided in Appendix A of the NIST Framework for Improving Critical Infrastructure Cybersecurity. This table is provided for reference only. Actual functionality is from the Toolkit CCSF dbase. You can click on the links to locate the information quickly.
A large poster is included as part of the toolkit.
(Columns: Function | Category | Subcategory | Informative References)

Function: Identify (ID)

Category: Asset Management (ID.AM): The data, personnel, devices, systems, and facilities that enable the district to achieve business purposes are identified and managed consistent with the relative importance to business objectives in the district's risk strategy.

ID.AM-1: Physical devices and systems within the district are inventoried.
• CCS CSC 1
• COBIT 5 BAI09.01, BAI09.02
• ISA 62443-2-1:2009 4.2.3.4
• ISA 62443-3-3:2013 SR 7.8
• ISO/IEC 27001:2013 A.8.1.1, A.8.1.2
• NIST SP 800-53 Rev. 4 CM-8

ID.AM-2: Software platforms and applications within the district are inventoried.
• CCS CSC 2
• COBIT 5 BAI09.01, BAI09.02, BAI09.05
• ISA 62443-2-1:2009 4.2.3.4
• ISA 62443-3-3:2013 SR 7.8
• ISO/IEC 27001:2013 A.8.1.1, A.8.1.2
• NIST SP 800-53 Rev. 4 CM-8

ID.AM-3: Organizational communication and data flows are mapped.
• CCS CSC 1
• COBIT 5 DSS05.02
• ISA 62443-2-1:2009 4.2.3.4
• ISO/IEC 27001:2013 A.13.2.1
• NIST SP 800-53 Rev. 4 AC-4, CA-3, CA-9, PL-8

ID.AM-4: External information systems are catalogued.
• CCS CSC 1
• COBIT 5 DSS05.02
• ISA 62443-2-1:2009 4.2.3.4
• ISO/IEC 27001:2013 A.13.2.1
• NIST SP 800-53 Rev. 4 AC-4, CA-3, CA-9, PL-8

ID.AM-5: Resources (such as hardware, devices, data and software) are prioritized based on their classification, criticality, and business value.
• COBIT 5 APO02.02
• ISO/IEC 27001:2013 A.11.2.6
• NIST SP 800-53 Rev. 4 AC-20, SA-9

ID.AM-6: Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders such as suppliers, customers, and partners are established.
• COBIT 5 APO01.02, DSS06.03
• ISA 62443-2-1:2009 4.3.2.3.3
• ISO/IEC 27001:2013 A.6.1.1

Category: Business Environment (ID.BE): The district's mission, objectives, stakeholders, and activities are understood and prioritized; this information is used to inform cybersecurity roles, responsibilities, and risk management decisions.

ID.BE-1: The district's role in the supply chain is identified and communicated.
• COBIT 5 APO08.04, APO08.05, APO10.03, APO10.04, APO10.05
• ISO/IEC 27001:2013 A.15.1.3, A.15.2.1, A.15.2.2
• NIST SP 800-53 Rev. 4 CP-2, SA-12

ID.BE-2: The district's place in critical infrastructure and its industry sector is identified and communicated.
• COBIT 5 APO02.06, APO03.01
• NIST SP 800-53 Rev. 4 PM-8

ID.BE-3: Priorities for district mission, objectives, and activities are established and communicated.
• COBIT 5 APO02.01, APO02.06, APO03.01
• ISA 62443-2-1:2009 4.2.2.1, 4.2.3.6
• NIST SP 800-53 Rev. 4 PM-11, SA-14

ID.BE-4: Dependencies and critical functions for delivery of critical services are established.
• ISO/IEC 27001:2013 A.11.2.2, A.11.2.3, A.12.1.3
• NIST SP 800-53 Rev. 4 CP-8, PE-9, PE-11, PM-8, SA-14

ID.BE-5: Resilience requirements to support delivery of critical services are established.
• COBIT 5 DSS04.02
• ISO/IEC 27001:2013 A.11.1.4, A.17.1.1, A.17.1.2, A.17.2.1
• NIST SP 800-53 Rev. 4 CP-2, CP-11, SA-14

Category: Governance (ID.GV): The policies, procedures, and processes to manage and monitor the district's regulatory, legal, risk, environmental, and operational requirements are understood and inform the management of cybersecurity risk.

ID.GV-1: Organizational information security policy is established.
• COBIT 5 APO01.03, EDM01.01, EDM01.02
• ISA 62443-2-1:2009 4.3.2.6
• ISO/IEC 27001:2013 A.5.1.1
• NIST SP 800-53 Rev. 4 -1 controls from all families

ID.GV-2: Information security roles and responsibilities are coordinated and aligned with internal roles and external partners.
• COBIT 5 APO13.12
• ISA 62443-2-1:2009 4.3.2.3.3
• ISO/IEC 27001:2013 A.6.1.1, A.7.2.1
• NIST SP 800-53 Rev. 4 PM-1, PS-7

ID.GV-3: Legal and regulatory requirements regarding cybersecurity, including privacy and civil liberty obligations, are understood and managed.
• COBIT 5 MEA03.01, MEA03.04
• ISA 62443-2-1:2009 4.4.3.7
• ISO/IEC 27001:2013 A.18.1
• NIST SP 800-53 Rev. 4 -1 controls from all families (except PM-1)

ID.GV-4: Governance and risk management processes address cybersecurity risks.
• COBIT 5 DSS04.02
• ISA 62443-2-1:2009 4.2.3.1, 4.2.3.3, 4.2.3.8, 4.2.3.9, 4.2.3.11, 4.3.2.4.3, 4.3.2.6.3
• NIST SP 800-53 Rev. 4 PM-9, PM-11

Category: Risk Assessment (ID.RA): The district understands the cybersecurity risk to district operations (including mission, functions, image, or reputation), district assets and individuals.

ID.RA-1: Asset vulnerabilities are identified and documented.
• CCS CSC 4
• COBIT 5 APO12.01, APO12.02, APO12.03, APO12.04
• ISA 62443-2-1:2009 4.2.3, 4.2.3.7, 4.2.3.9, 4.2.3.12
• ISO/IEC 27001:2013 A.12.6.1, A.18.2.3
• NIST SP 800-53 Rev. 4 CA-2, CA-7, CA-8, RA-3, RA-5, SA-5, SA-11, SI-2, SI-4, SI-5

ID.RA-2: Threat and vulnerability information is received from information sharing forums and sources.
• ISA 62443-2-1:2009 4.2.3, 4.2.3.9, 4.2.3.12
• ISO/IEC 27001:2013 A.6.1.4
• NIST SP 800-53 Rev. 4 PM-15, PM-16, SI-5

ID.RA-3: Threats, both internal and external, are identified and documented.
• COBIT 5 APO12.01, APO12.02, APO12.03, APO12.04
• ISA 62443-2-1:2009 4.2.3, 4.2.3.9, 4.2.3.12
• NIST SP 800-53 Rev. 4 RA-3, SI-5, PM-12, PM-16

ID.RA-4: Potential business impacts and likelihoods are identified.
• COBIT 5 DSS04.02
• ISA 62443-2-1:2009 4.2.3, 4.2.3.9, 4.2.3.12
• NIST SP 800-53 Rev. 4 RA-2, RA-3, PM-9, PM-11, SA-14

ID.RA-5: Threats, vulnerabilities, likelihoods, and impacts are used to determine risk.
• COBIT 5 APO12.02
• ISO/IEC 27001:2013 A.12.6.1
• NIST SP 800-53 Rev. 4 RA-2, RA-3, PM-16

ID.RA-6: Risk responses are identified and prioritized.
• COBIT 5 APO12.05, APO13.02
• NIST SP 800-53 Rev. 4 PM-4, PM-9

Category: Risk Management (ID.RM): The district's priorities, constraints, risk tolerances, and assumptions are established and used to support operational risk decisions.

ID.RM-1: Risk management processes are established, managed, and agreed to by district stakeholders.
• COBIT 5 APO12.04, APO12.05, APO13.02, BAI02.03, BAI04.02
• ISA 62443-2-1:2009 4.3.4.2
• NIST SP 800-53 Rev. 4 PM-9

ID.RM-2: Organizational risk tolerance is determined and clearly expressed.
• COBIT 5 APO12.06
• ISA 62443-2-1:2009 4.3.2.6.5
• NIST SP 800-53 Rev. 4 PM-9

ID.RM-3: The district's determination of risk tolerance is informed by its role in critical infrastructure and sector-specific risk analysis.
• NIST SP 800-53 Rev. 4 PM-8, PM-9, PM-11, SA-14

Function: Protect (PR)

Category: Access Control (PR.AC): Access to assets and associated facilities is limited to authorized users, processes, or devices, and to authorized activities and transactions.

PR.AC-1: Identities and credentials are managed for authorized devices and users.
• CCS CSC 16
• COBIT 5 DSS05.04, DSS06.03
• ISA 62443-2-1:2009 4.3.3.5.1
• ISA 62443-3-3:2013 SR 1.1, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9
• ISO/IEC 27001:2013 A.9.2.1, A.9.2.2, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3
• NIST SP 800-53 Rev. 4 AC-2, IA Family

PR.AC-2: Physical access to assets is managed and protected.
• COBIT 5 DSS01.04, DSS05.05
• ISA 62443-2-1:2009 4.3.3.3.2, 4.3.3.3.8
• ISO/IEC 27001:2013 A.11.1.1, A.11.1.2, A.11.1.4, A.11.1.6, A.11.2.3
• NIST SP 800-53 Rev. 4 PE-2, PE-3, PE-4, PE-5, PE-6, PE-9

PR.AC-3: Remote access is managed.
• COBIT 5 APO13.01, DSS01.04, DSS05.03
• ISA 62443-2-1:2009 4.3.3.6.6
• ISA 62443-3-3:2013 SR 1.13, SR 2.6
• ISO/IEC 27001:2013 A.6.2.2, A.13.1.1, A.13.2.1
• NIST SP 800-53 Rev. 4 AC-17, AC-19, AC-20

PR.AC-4: Access permissions are managed, incorporating the principles of least privilege and separation of duties.
• CCS CSC 12, 15
• ISA 62443-2-1:2009 4.3.3.7.3
• ISA 62443-3-3:2013 SR 2.1
• ISO/IEC 27001:2013 A.6.1.2, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4
• NIST SP 800-53 Rev. 4 AC-2, AC-3, AC-5, AC-6, AC-16

PR.AC-5: Network integrity is protected, incorporating network segregation where appropriate.
• ISA 62443-2-1:2009 4.3.3.4
• ISA 62443-3-3:2013 SR 3.1, SR 3.8
• ISO/IEC 27001:2013 A.13.1.1, A.13.1.3, A.13.2.1
• NIST SP 800-53 Rev. 4 AC-4, SC-7

Category: Awareness and Training (PR.AT): The district's personnel and partners are provided cybersecurity awareness education and are adequately trained to perform their information security-related duties and responsibilities consistent with related policies, procedures, and agreements.

PR.AT-1: All users are informed and trained.
• CCS CSC 9
• COBIT 5 APO07.03, BAI05.07
• ISA 62443-2-1:2009 4.3.2.4.2
• ISO/IEC 27001:2013 A.7.2.2
• NIST SP 800-53 Rev. 4 AT-2, PM-13

PR.AT-2: Privileged users understand roles and responsibilities.
• CCS CSC 9
• COBIT 5 APO07.02, DSS06.03
• ISA 62443-2-1:2009 4.3.2.4.2, 4.3.2.4.3
• ISO/IEC 27001:2013 A.6.1.1, A.7.2.2
• NIST SP 800-53 Rev. 4 AT-3, PM-13

PR.AT-3: Third-party stakeholders such as suppliers, customers, and partners understand roles and responsibilities.
• CCS CSC 9
• COBIT 5 APO07.03, APO10.04, APO10.05
• ISA 62443-2-1:2009 4.3.2.4.2
• ISO/IEC 27001:2013 A.6.1.1, A.7.2.2
• NIST SP 800-53 Rev. 4 PS-7, SA-9

PR.AT-4: Senior executives understand roles and responsibilities.
• CCS CSC 9
• COBIT 5 APO07.03
• ISA 62443-2-1:2009 4.3.2.4.2
• ISO/IEC 27001:2013 A.6.1.1, A.7.2.2
• NIST SP 800-53 Rev. 4 AT-3, PM-13

PR.AT-5: Physical and information security personnel understand roles and responsibilities.
• CCS CSC 9
• COBIT 5 APO07.03
• ISA 62443-2-1:2009 4.3.2.4.2
• ISO/IEC 27001:2013 A.6.1.1, A.7.2.2
• NIST SP 800-53 Rev. 4 AT-3, PM-13

Category: Data Security (PR.DS): Information and records (data) are managed consistent with the district's risk strategy to protect the confidentiality, integrity, and availability of information.

PR.DS-1: Data-at-rest is protected.
• CCS CSC 17
• COBIT 5 APO01.06, BAI02.01, BAI06.01, DSS06.06
• ISA 62443-3-3:2013 SR 3.4, SR 4.1
• ISO/IEC 27001:2013 A.8.2.3
• NIST SP 800-53 Rev. 4 SC-28

PR.DS-2: Data-in-transit is protected.
• CCS CSC 17
• COBIT 5 APO01.06, DSS06.06
• ISA 62443-3-3:2013 SR 3.1, SR 3.8, SR 4.1, SR 4.2
• ISO/IEC 27001:2013 A.8.2.3, A.13.1.1, A.13.2.1, A.13.2.3, A.14.1.2, A.14.1.3
• NIST SP 800-53 Rev. 4 SC-8

PR.DS-3: Assets are formally managed throughout removal, transfers, and disposition.
• COBIT 5 BAI09.03
• ISA 62443-2-1:2009 4.3.3.3.9, 4.3.4.4.1
• ISA 62443-3-3:2013 SR 4.2
• ISO/IEC 27001:2013 A.8.2.3, A.8.3.1, A.8.3.2, A.8.3.3, A.11.2.7
• NIST SP 800-53 Rev. 4 CM-8, MP-6, PE-16

PR.DS-4: Adequate capacity to ensure availability is maintained.
• COBIT 5 APO13.01
• ISA 62443-3-3:2013 SR 7.1, SR 7.2
• ISO/IEC 27001:2013 A.12.3.1
• NIST SP 800-53 Rev. 4 AU-4, CP-2, SC-5

PR.DS-5: Protections against data leaks are implemented.
• CCS CSC 17
• COBIT 5 APO01.06
• ISA 62443-3-3:2013 SR 5.2
• ISO/IEC 27001:2013 A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3
• NIST SP 800-53 Rev. 4 AC-4, AC-5, AC-6, PE-19, PS-3, PS-6, SC-7, SC-8, SC-13, SC-31, SI-4

PR.DS-6: Integrity checking mechanisms are used to verify software, firmware, and information integrity.
• ISA 62443-3-3:2013 SR 3.1, SR 3.3, SR 3.4, SR 3.8
• ISO/IEC 27001:2013 A.12.2.1, A.12.5.1, A.14.1.2, A.14.1.3
• NIST SP 800-53 Rev. 4 SI-7

PR.DS-7: The development and testing environments are separate from the production environment.
• COBIT 5 BAI07.04
• ISO/IEC 27001:2013 A.12.1.4
• NIST SP 800-53 Rev. 4 CM-2

Category: Information Protection Processes and Procedures (PR.IP): Security policies (that address purpose, scope, roles, responsibilities, management commitment, and coordination among district entities), processes, and procedures are maintained and used to manage protection of information systems and assets.

PR.IP-1: A baseline configuration of information technology/industrial control systems is created and maintained.
• CCS CSC 3, 10
• COBIT 5 BAI10.01, BAI10.02, BAI10.03, BAI10.05
• ISA 62443-2-1:2009 4.3.4.3.2, 4.3.4.3.3
• ISA 62443-3-3:2013 SR 7.6
• ISO/IEC 27001:2013 A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4
• NIST SP 800-53 Rev. 4 CM-2, CM-3, CM-4, CM-5, CM-6, CM-7, CM-9, SA-10

PR.IP-2: A System Development Life Cycle (SDLC) to manage systems is implemented.
• COBIT 5 APO13.01
• ISA 62443-2-1:2009 4.3.4.3.3
• ISO/IEC 27001:2013 A.6.1.5, A.14.1.1, A.14.2.1, A.14.2.5
• NIST SP 800-53 Rev. 4 SA-3, SA-4, SA-8, SA-10, SA-11,
SA-12, SA-15, SA-17, PL-8 PR.IP-3:Configurationchangecontrolprocessesareinplace.
• COBIT 5 BAI06.01, BAI01.06 • ISA 62443-2-1:2009 4.3.4.3.2, 4.3.4.3.3 • ISA 62443-3-3:2013 SR 7.6 • ISO/IEC 27001:2013 A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2,
A.14.2.3, A.14.2.4 • NIST SP 800-53 Rev. 4 CM-3, CM-4, SA-10
PR.IP-4:Backupsofinformationare
conducted,maintainedandtested
periodically.
• COBIT 5 APO13.01 • ISA 62443-2-1:2009 4.3.4.3.9 • ISA 62443-3-3:2013 SR 7.3, SR 7.4 • ISO/IEC 27001:2013 A.12.3.1, A.17.1.2A.17.1.3, A.18.1.3 • NIST SP 800-53 Rev. 4 CP-4, CP-6, CP-9
PR.IP-5:Policyandregulationsregardingthephysicaloperating
environmentfordistrictassetsare
met.
• COBIT 5 DSS01.04, DSS05.05 • ISA 62443-2-1:2009 4.3.3.3.1 4.3.3.3.2, 4.3.3.3.3, 4.3.3.3.5,
4.3.3.3.6 • ISO/IEC 27001:2013 A.11.1.4, A.11.2.1, A.11.2.2, A.11.2.3 • NIST SP 800-53 Rev. 4 PE-10, PE-12, PE-13, PE-14, PE-15,
PE-18 PR.IP-6:Dataisdestroyedaccordingto
policy.• COBIT 5 BAI09.03 • ISA 62443-2-1:2009 4.3.4.4.4 • ISA 62443-3-3:2013 SR 4.2 • ISO/IEC 27001:2013 A.8.2.3, A.8.3.1, A.8.3.2, A.11.2.7 • NIST SP 800-53 Rev. 4 MP-6
PR.IP-7:Protectionprocessesarecontinuouslyimproved.
• COBIT 5 APO11.06, DSS04.05
ImplementingtheCCSESACybersecurityFramework(CCSF)–Version1.0
84|P a g e
Function Category Subcategory InformationReferences
• ISA 62443-2-1:2009 4.4.3.1, 4.4.3.2, 4.4.3.3, 4.4.3.4, 4.4.3.5, 4.4.3.6, 4.4.3.7, 4.4.3.8
• NIST SP 800-53 Rev. 4 CA-2, CA-7, CP-2, IR-8, PL-2, PM-6 PR.IP-8:Effectivenessofprotectiontechnologiesissharedwith
appropriateparties.
• ISO/IEC 27001:2013 A.16.1.6 • NIST SP 800-53 Rev. 4 AC-21, CA-7, SI-4
PR.IP-9:Responseplans(IncidentResponseandBusinessContinuity)
andrecoveryplans(IncidentRecovery
andDisasterRecovery)areinplace
andmanaged.
• COBIT 5 DSS04.03 • ISA 62443-2-1:2009 4.3.2.5.3, 4.3.4.5.1 • ISO/IEC 27001:2013 A.16.1.1, A.17.1.1, A.17.1.2 • NIST SP 800-53 Rev. 4 CP-2, IR-8
PR.IP-10:Responseandrecoveryplansaretested.
• ISA 62443-2-1:2009 4.3.2.5.7, 4.3.4.5.11 • ISA 62443-3-3:2013 SR 3.3 • ISO/IEC 27001:2013 A.17.1.3 • NIST SP 800-53 Rev.4 CP-4, IR-3, PM-14
PR.IP-11:Cybersecurityisincludedinhumanresourcespracticesuchasde-
provisioningandpersonnelscreening.
• COBIT 5 APO07.01, APO07.02, APO07.03, APO07.04, APO07.05
• ISA 62443-2-1:2009 4.3.3.2.1, 4.3.3.2.2, 4.3.3.2.3 • ISO/IEC 27001:2013 A.7.1.1, A.7.3.1, A.8.1.4 • NIST SP 800-53 Rev. 4 PS Family
PR.IP-12:Avulnerabilitymanagement
planisdevelopedandimplemented• ISO/IEC27001:2013A.12.6.1,A.18.2.2
• NISTSP800-53Rev.4RA-3,RA-5,SI-2
Maintenance(PR.MA):Maintenanceandrepairsof
industrialcontrolsandinformation
systemcomponentsareperformed
consistentwithpoliciesand
procedures.
PR.MA-1:Maintenanceandrepairof
districtassetsisperformedandlogged
inatimelymanner,withapprovedand
controlledtools.
• COBIT 5 BAI09.03 • ISA 62443-2-1:2009 4.3.3.3.7 • ISO/IEC 27001:2013 A.11.1.2, A.11.2.4, A.11.2.5 • NIST SP 800-53 Rev. 4 MA-2, MA-3, MA-5
PR.MA-2:Remotemaintenanceof
districtassetsisapproved,loggedand
performedinamannerthatprevents
unauthorizedaccess.
• COBIT 5 DSS05.04 • ISA 62443-2-1:2009 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.4.4.6.8 • ISO/IEC 27001:2013 A.11.2.4, A.15.1.1, A.15.2.1 • NIST SP 800-53 Rev. 4 MA-4
ImplementingtheCCSESACybersecurityFramework(CCSF)–Version1.0
85|P a g e
Function Category Subcategory InformationReferences
ProtectiveTechnology(PR.PT):Technicalsecuritysolutionsare
managedtoensurethesecurity
andresilienceofsystemsand
assets,consistentwithrelated
policies,proceduresand
agreements.
PR.PT-1:Audit/logrecordsaredetermined,documented,
implementedandreviewedin
accordancewithpolicy.
• CCS CSC 14 • COBIT 5 APO11.04 • ISA 62443-2-1:2009 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1,
4.4.2.2, 4.4.2.4 • ISA 62443-3-3:2013 SR 2.8, SR 2.9, SR 2.10, SR 2.11, SR
2.12 • ISO/IEC 27001:2013 A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4,
A.12.7.1 • NIST SP 800-53 Rev. 4 AU Family
PR.PT-2:Removablemediais
protectedanditsuserestricted
accordingtopolicy.
• COBIT 5 DSS05.02, APO13.01 • ISA 62443-3-3:2013 SR 2.3 • ISO/IEC 27001:2013 A.8.2.2, A.8.2.3, A.8.3.1, A.8.3.3,
A.11.2.9 • NIST SP 800-53 Rev. 4 MP-2, MP-4, MP-5, MP-7
PR.PT-3:Accesstosystemsandassets
iscontrolled,incorporatingthe
principleofleastfunctionality.
• COBIT 5 DSS05.02 • ISA 62443-2-1:2009 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4,
4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4
• ISA 62443-3-3:2013 SR 1.1, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7
• ISO/IEC 27001:2013 A.9.1.2 • NIST SP 800-53 Rev. 4 AC-3, CM-7
PR.PT-4:Communicationsandcontrol
networksareprotected.• CCS CSC 7 • COBIT 5 DSS05.02, APO13.01 • ISA 62443-3-3:2013 SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3,
SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6 • ISO/IEC 27001:2013 A.13.1.1, A.13.2.1 • NIST SP 800-53 Rev. 4 AC-4, AC-17, AC-18, CP-8, SC-7
Detect (DE)
Anomalies and Events (DE.AE): Anomalous activity is detected in a timely manner and the potential impact of events is understood.
DE.AE-1: A baseline of network operations and expected data flows for users and systems is established and managed.
• COBIT 5 DSS03.01 • ISA 62443-2-1:2009 4.4.3.3 • NIST SP 800-53 Rev. 4 AC-4, CA-3, CM-2, SI-4
DE.AE-2: Detected events are analyzed to understand attack targets and methods.
• ISA 62443-2-1:2009 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8 • ISA 62443-3-3:2013 SR 2.8, SR 2.9, SR 2.10, SR 2.11, SR 2.12, SR 3.9, SR 6.1, SR 6.2 • ISO/IEC 27001:2013 A.16.1.1, A.16.1.4 • NIST SP 800-53 Rev. 4 AU-6, CA-7, IR-4, SI-4
DE.AE-3: Event data are aggregated and correlated from multiple sources and sensors.
• ISA 62443-3-3:2013 SR 6.1 • NIST SP 800-53 Rev. 4 AU-6, CA-7, IR-4, IR-5, IR-8, SI-4
DE.AE-4: Impact of events is determined.
• COBIT 5 APO12.06 • NIST SP 800-53 Rev. 4 CP-2, IR-4, RA-3, SI-4
DE.AE-5: Incident alert thresholds are established.
• COBIT 5 APO12.06 • ISA 62443-2-1:2009 4.2.3.10 • NIST SP 800-53 Rev. 4 IR-4, IR-5, IR-8
Security Continuous Monitoring (DE.CM): The information system and assets are monitored at discrete intervals to identify cybersecurity events and verify the effectiveness of proactive measures.
DE.CM-1: The network is monitored to detect potential cybersecurity offense.
• CCS CSC 14, 16 • COBIT 5 DSS05.07 • ISA 62443-3-3:2013 SR 6.2 • NIST SP 800-53 Rev. 4 AC-2, AU-12, CA-7, CM-3, SC-5, SC-7, SI-4
DE.CM-2: The physical environment is monitored to detect potential cybersecurity events.
• ISA 62443-2-1:2009 4.3.3.3.8 • NIST SP 800-53 Rev. 4 CA-7, PE-3, PE-6, PE-20
DE.CM-3: Personnel activity is monitored to detect potential cybersecurity events.
• ISA 62443-3-3:2013 SR 6.2 • ISO/IEC 27001:2013 A.12.4.1 • NIST SP 800-53 Rev. 4 AC-2, AU-12, AU-13, CA-7, CM-10, CM-11
DE.CM-4: Malicious code is detected.
• CCS CSC 5 • COBIT 5 DSS05.01 • ISA 62443-2-1:2009 4.3.4.3.8 • ISA 62443-3-3:2013 SR 3.2 • ISO/IEC 27001:2013 A.12.2.1 • NIST SP 800-53 Rev. 4 SI-3
DE.CM-5: Unauthorized mobile code is detected.
• ISA 62443-3-3:2013 SR 2.4 • ISO/IEC 27001:2013 A.12.5.1 • NIST SP 800-53 Rev. 4 SC-18, SI-4, SC-44
DE.CM-6: External service provider activity is monitored to detect potential cybersecurity events.
• COBIT 5 APO07.06 • ISO/IEC 27001:2013 A.14.2.7, A.15.2.1 • NIST SP 800-53 Rev. 4 CA-7, PS-7, SA-4, SA-9, SI-4
DE.CM-7: Monitoring for unauthorized personnel, connections, devices, and software is performed.
• NIST SP 800-53 Rev. 4 AU-12, CA-7, CM-3, CM-8, PE-3, PE-6, PE-20, SI-4
DE.CM-8: Vulnerability scans are performed.
• COBIT 5 BAI03.10 • ISA 62443-2-1:2009 4.2.3.1, 4.2.3.7 • ISO/IEC 27001:2013 A.12.6.1 • NIST SP 800-53 Rev. 4 RA-5
Detection Processes (DE.DP): Detection processes and procedures are maintained and tested to ensure timely and adequate awareness of anomalous events.
DE.DP-1: Roles and responsibilities for detection are well defined to ensure accountability.
• CCS CSC 5 • COBIT 5 DSS05.01 • ISA 62443-2-1:2009 4.4.3.1 • ISO/IEC 27001:2013 A.6.1.1 • NIST SP 800-53 Rev. 4 CA-2, CA-7, PM-14
DE.DP-2: Detection activities comply with all applicable requirements.
• ISA 62443-2-1:2009 4.4.3.2 • ISO/IEC 27001:2013 A.18.1.4 • NIST SP 800-53 Rev. 4 CA-2, CA-7, PM-14, SI-4
DE.DP-3: Detection processes are tested.
• COBIT 5 APO13.02 • ISA 62443-2-1:2009 4.4.3.2 • ISA 62443-3-3:2013 SR 3.3 • ISO/IEC 27001:2013 A.14.2.8 • NIST SP 800-53 Rev. 4 CA-2, CA-7, PE-3, PM-14, SI-3, SI-4
DE.DP-4: Event detection information is communicated to appropriate parties.
• COBIT 5 APO12.06 • ISA 62443-2-1:2009 4.3.4.5.9 • ISA 62443-3-3:2013 SR 6.1 • ISO/IEC 27001:2013 A.16.1.2 • NIST SP 800-53 Rev. 4 AU-6, CA-2, CA-7, RA-5, SI-4
DE.DP-5: Detection processes are continuously improved.
• COBIT 5 APO11.06, DSS04.05 • ISA 62443-2-1:2009 4.4.3.4 • ISO/IEC 27001:2013 A.16.1.6 • NIST SP 800-53 Rev. 4 CA-2, CA-7, PL-2, RA-5, SI-4, PM-14
Respond (RS)
Response Planning (RS.RP): Response processes and procedures are executed and maintained, to ensure timely response to detected cybersecurity events.
RS.RP-1: Response plan is executed during or after an event.
• COBIT 5 BAI01.10 • CCS CSC 18 • ISA 62443-2-1:2009 4.3.4.5.1 • ISO/IEC 27001:2013 A.16.1.5 • NIST SP 800-53 Rev. 4 CP-2, CP-10, IR-4, IR-8
Communications (RS.CO): Response activities are coordinated with internal and external stakeholders, as appropriate, to include external support from law enforcement agencies.
RS.CO-1: Personnel know their roles in order of operations when a response is needed.
• ISA 62443-2-1:2009 4.3.4.5.2, 4.3.4.5.3, 4.3.4.5.4 • ISO/IEC 27001:2013 A.6.1.1, A.16.1.1 • NIST SP 800-53 Rev. 4 CP-2, CP-3, IR-3, IR-8
RS.CO-2: Events are reported consistent with established criteria.
• ISA 62443-2-1:2009 4.3.4.5.5 • ISO/IEC 27001:2013 A.6.1.3, A.16.1.2 • NIST SP 800-53 Rev. 4 AU-6, IR-6, IR-8
RS.CO-3: Information is shared consistent with response plans.
• ISA 62443-2-1:2009 4.3.4.5.2 • ISO/IEC 27001:2013 A.16.1.2 • NIST SP 800-53 Rev. 4 CA-2, CA-7, CP-2, IR-4, IR-8, PE-6, RA-5, SI-4
RS.CO-4: Coordination with stakeholders occurs consistent with response plans.
• ISA 62443-2-1:2009 4.3.4.5.5 • NIST SP 800-53 Rev. 4 CP-2, IR-4, IR-8
RS.CO-5: Voluntary information sharing occurs with external stakeholders to achieve broader cybersecurity situational awareness.
• NIST SP 800-53 Rev. 4 PM-15, SI-5
Analysis (RS.AN): Analysis is conducted to ensure adequate response and support recovery activities.
RS.AN-1: Notifications from detection systems are investigated.
• COBIT 5 DSS02.07 • ISA 62443-2-1:2009 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8 • ISA 62443-3-3:2013 SR 6.1 • ISO/IEC 27001:2013 A.12.4.1, A.12.4.3, A.16.1.5 • NIST SP 800-53 Rev. 4 AU-6, CA-7, IR-4, IR-5, PE-6, SI-4
RS.AN-2: The impact of the incident is understood.
• ISA 62443-2-1:2009 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8 • ISO/IEC 27001:2013 A.16.1.6 • NIST SP 800-53 Rev. 4 CP-2, IR-4
RS.AN-3: Forensics are performed.
• ISA 62443-3-3:2013 SR 2.8, SR 2.9, SR 2.10, SR 2.11, SR 2.12, SR 3.9, SR 6.1 • ISO/IEC 27001:2013 A.16.1.7 • NIST SP 800-53 Rev. 4 AU-7, IR-4
RS.AN-4: Incidents are categorized consistent with response plans.
• ISA 62443-2-1:2009 4.3.4.5.6 • ISO/IEC 27001:2013 A.16.1.4 • NIST SP 800-53 Rev. 4 CP-2, IR-4, IR-5, IR-8
Mitigation (RS.MI): Activities are performed to prevent expansion of an event, mitigate its effects, and eradicate the incident.
RS.MI-1: Incidents are contained.
• ISA 62443-2-1:2009 4.3.4.5.6 • ISA 62443-3-3:2013 SR 5.1, SR 5.2, SR 5.4 • ISO/IEC 27001:2013 A.16.1.5 • NIST SP 800-53 Rev. 4 IR-4
RS.MI-2: Incidents are mitigated.
• ISA 62443-2-1:2009 4.3.4.5.6, 4.3.4.5.10 • ISO/IEC 27001:2013 A.12.2.1, A.16.1.5 • NIST SP 800-53 Rev. 4 IR-4
RS.MI-3: Newly identified vulnerabilities are mitigated or documented as accepted risks.
• ISO/IEC 27001:2013 A.12.6.1 • NIST SP 800-53 Rev. 4 CA-7, RA-3, RA-5
Improvements (RS.IM): Organizational response activities are improved by incorporating lessons learned from current and previous detection/response activities.
RS.IM-1: Response plans incorporate lessons learned.
• COBIT 5 BAI01.13 • ISA 62443-2-1:2009 4.3.4.5.10, 4.4.3.4 • ISO/IEC 27001:2013 A.16.1.6 • NIST SP 800-53 Rev. 4 CP-2, IR-4, IR-8
RS.IM-2: Response strategies are updated.
• NIST SP 800-53 Rev. 4 CP-2, IR-4, IR-8
Recover (RC)
Recovery Planning (RC.RP): Recovery processes and procedures are executed and maintained to ensure timely restoration of systems or assets affected by cybersecurity events.
RC.RP-1: Recovery plan is executed during or after an event.
• CCS CSC 8 • COBIT 5 DSS02.05, DSS03.04 • ISO/IEC 27001:2013 A.16.1.5 • NIST SP 800-53 Rev. 4 CP-10, IR-4, IR-8
Improvements (RC.IM): Recovery planning and processes are improved by incorporating lessons learned into future activities.
RC.IM-1: Recovery plans incorporate lessons learned.
• COBIT 5 BAI05.07 • ISA 62443-2-1 4.4.3.4 • NIST SP 800-53 Rev. 4 CP-2, IR-4, IR-8
RC.IM-2: Recovery strategies are updated.
• COBIT 5 BAI07.08 • NIST SP 800-53 Rev. 4 CP-2, IR-4, IR-8
Communication (RC.CO): Restoration activities are coordinated with internal and external parties, such as coordinating centers, Internet Service Providers, owners of attacking systems, victims, other districts and vendors.
RC.CO-1: Public relations are managed.
• COBIT 5 EDM03.02
RC.CO-2: Reputation after an event is repaired.
• COBIT 5 MEA03.02
RC.CO-3: Recovery activities are communicated to internal stakeholders and executive and management teams.
• NIST SP 800-53 Rev. 4 CP-2, IR-4
Source: NIST, Framework for Improving Critical Infrastructure Cybersecurity, USA, 2014, Appendix A
Appendix E: CCSESA CCSF Toolkit
As discussed in Section 1, the CCSESA CCSF Toolkit is an Excel workbook that is broken down into the following worksheets:
• Profile Metadata
• Current Profile
• Target Profile
• Action Plan
The Toolkit is designed to provide you a pathway to implement the indicators contained within the CCSF.
Profile Metadata
The profile metadata table, shown in Figure B.1, is used to capture information regarding the district and the business unit or system(s) that are represented by the profile. This information is typically collected in phases 1 and 2 of the CCSF implementation process.
The following is provided as an example:
Figure B.1 – Profile Meta Template – Eastern High School District
Eastern Consolidated School District
District Infrastructure Sector: See Figure 2 for examples
District Business Unit/Sector/Campus: South Campus
District Current Profile Scope:
• Policies and standards relating to overall data security at the network, host, database and application levels have been established.
• Policies, standards and procedures have been established regarding the handling and protection of PII (Personally Identifiable Information) data.
• Data Loss Prevention (DLP) measures have been deployed.
• Effective Network Access Controls have been implemented.
• Intrusion Prevention/Detection (IPS/IDS) systems have been deployed.
• Privacy training has been conducted.
• Physical and logical security controls have been established at all sites containing PII data.
• An effective incident response program has been implemented.
• Customer PII data has been properly separated from corporate data.
Business Requirements:
• Personnel security
• Physical security
• Account and password management
• Confidentiality of Sensitive data
• Disaster/Recovery
• Security Awareness and education
• Compliance and audit
Risk Considerations:
• Enterprise security architecture
• Are we protecting what really matters?
• Is governance aligned with security?
• What threats are we up against?
• Are we planning for continuity?
• Do we have enough information to plan for risk?
• Is our data secure?
Risk Appetite Decisions:
• Ethical leadership has low risk.
• Academic reputation has low risk.
• Faculty risk is high.
• Student selection and retention has a high risk.
• Community risk is low.
• Financial resources are low.
Current State Profile
The current state profile is used to track the goals of the current cybersecurity program. The template includes a capability to identify how each subcategory within the framework is being obtained and the current implementation status of that capability. In many cases, districts update their current security policy and implement the new policy in a phased approach. The current state profile template allows districts to accurately represent their status in implementing current policies and procedures. Figure B.2 identifies the data points or topics recorded in the current state profile.
Topic | Required Information from CCSF | Examples
Function | Applicable Framework Function | Figure 11 – Components of the Framework Core
Category | Applicable Framework Category | Figure 12 – Framework Core Identifiers and Categories
Subcategory | Applicable Framework Sub-category | From Appendix A: Framework Core
Relevant COBIT Process | The COBIT 5 informative reference used to identify the district practices required to meet the goals of the CCSF subcategory. | From Appendix A: Framework Core
Implementation Status | The current achievement rating | Figure 17 – Achievement Rating Scale
Organizational Practices | The district practice, policy or procedure that is required to meet the intended goal of the subcategory. | Section 3: Relevant COBIT 5 Practices
Comments/Evidence | Narrative describing how the achievement rating was determined and any established ongoing actions toward the goal of the subcategory.
Target State Profile
The target state profile provides an opportunity to capture the desired state of the cybersecurity program. The target state profile should be completed in a manner that identifies the protections and capabilities required to mitigate threats to the district. This risk-based approach ensures that all areas of the CCSF are addressed, with a focus being applied to those areas most likely to be attacked.
Topic | Required Information from CCSF | Examples
Function | Applicable Framework Function | Figure 11 – Components of the Framework Core
Category | Applicable Framework Category | Figure 12 – Framework Core Identifiers and Categories
Subcategory | Applicable Framework Sub-category | From Appendix A: Framework Core
Relevant COBIT Process | The COBIT 5 informative reference used to identify the district practices required to meet the goals of the CCSF subcategory. | From Appendix A: Framework Core
Implementation Status | The current achievement rating | Figure 17 – Achievement Rating Scale
Organizational Practices | The district practice, policy or procedure that is required to meet the intended goal of the subcategory. | Section 3: Relevant COBIT 5 Practices
Comments/Evidence | Narrative describing how the achievement rating was determined and any established ongoing actions toward the goal of the subcategory.
Recommended Actions | The actions required to achieve the target state goals. | High level action items (leave the tactical planning to a project manager)
Resources Required | Organizational resources required to complete the recommended actions. | Infrastructure and human resources
Gap Analysis
For each of the subcategories in the Target Profile, consider the difference between the target level of achievement and the current level. Understanding the gaps between the current and target district policies and practices will highlight opportunities for improvement; understanding the relative impact on risk will help establish priority, schedule, and resource allocation. Using the information from the gap analysis, conduct the Activity Planning.
To achieve the desired outcomes as described in the CCSF and to attain the stakeholder goals identified in implementation Step 1, a comprehensive action plan is necessary. As part of the planning process, implementers should determine the appropriate authorities who will review, approve and track the activities and actions described. It is important that business/mission drivers inform and support these actions.
By linking the actions listed to the enterprise and technical goals (as described in the COBIT 5 goals cascade and as documented as part of implementation Step 1), actions will be assessable and prioritized to achieve the necessary value for the district. These priorities and the associated actions may be reviewed and adjusted through periodic checkpoint meetings such as quarterly briefings, program management reviews and security training exercises. A list of action plan data points is shown in Figure D.1.
Specific considerations for action planning may include the following:
• Are there educational-specific action plan processes?
• Who is responsible for defining actions within the plan?
• How often will action plans be reviewed and updated? By whom?
• What specific governance and management processes apply to education to help stay on track?
• What are the advantages to achieving a higher/lower tier?
• What are the disadvantages to achieving a higher/lower tier?
• What regulatory guidance is available to help select the appropriate tier for my district, if any?
• What agencies, groups, or consortia exist to support district compliance and security programs?
• How is feedback captured and disseminated throughout the district?
Figure D.1 – Action Plan Data Points
Action Plan Detail | Description
Action Identifier | Unique identifier assigned to a specific action for reference
Priority | District-defined priority for completing the action (H/M/L or 1-6)
Assumption/Constraints | District-defined factors that may impact the ability to complete the action. (Strategies should be planned to overcome each constraint)
Rationale | Identifies the rationale used to define the action. Links to Profile(s), or regulatory requirements, should be included when available.
Specific Action | The discrete, outcome-based action to be completed.
Resources Required | The district resources needed to complete the action. (Infrastructure or people)
Schedule/Milestones | Key milestones or schedules assigned to the specific action.
Status | Use Red/Amber/Green stoplights to signify the status of the action and identification of issues that may cause a scheduled milestone to be missed.
Prerequisites/dependencies | Identifies other actions or district factors that must be completed prior to this action being complete. Keep in mind that dependencies can be internal or external.
Action Assignee | Point of contact assigned the responsibility for tracking and ensuring that the action is completed.
Stakeholder roles | Internal and external district stakeholders of the action.
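The gap analysis and action-plan steps described above, as an added Python example that is not part of the guidebook or of the CCSESA toolkit: it models the profile worksheets as plain records, computes the gap per subcategory, weights it by relative risk impact, and emits action-plan rows carrying the Figure D.1 data points (identifier, H/M/L priority, rationale, Red/Amber/Green status). The 0-5 rating range standing in for the Figure 17 scale, the risk-impact weights and the sample profile rows are all assumptions of this example.

```python
# Added example (not the CCSESA toolkit's own code): gap analysis over CCSF
# Current/Target Profiles and generation of action-plan rows (Figure D.1).
# Assumed: the Figure 17 rating scale is modelled as integers 0-5, the
# risk-impact weights are invented here, and the sample rows are constructed.
from dataclasses import dataclass
from typing import Dict, List

RATING_MIN, RATING_MAX = 0, 5                     # assumed rating scale
RISK_WEIGHT = {"high": 3, "medium": 2, "low": 1}  # assumed impact weights


@dataclass(frozen=True)
class ProfileEntry:
    """One subcategory row as it appears in the Current and Target Profiles."""
    subcategory: str  # CCSF subcategory identifier, e.g. "PR.DS-1"
    current: int      # Implementation Status recorded in the Current Profile
    target: int       # Implementation Status wanted in the Target Profile
    risk_impact: str  # relative impact on risk if the gap stays open
    practice: str     # Organizational Practice that would close the gap


def validate(entry: ProfileEntry) -> None:
    """Reject ratings outside the scale or unknown risk levels before analysis."""
    for name, value in (("current", entry.current), ("target", entry.target)):
        if not RATING_MIN <= value <= RATING_MAX:
            raise ValueError(f"{entry.subcategory}: {name} rating {value} is "
                             f"outside {RATING_MIN}-{RATING_MAX}")
    if entry.risk_impact not in RISK_WEIGHT:
        raise ValueError(f"{entry.subcategory}: unknown risk impact "
                         f"{entry.risk_impact!r}")


def gap(entry: ProfileEntry) -> int:
    """Target minus current achievement; a target below current is no gap."""
    return max(0, entry.target - entry.current)


def priority_score(entry: ProfileEntry) -> int:
    """Gap size scaled by the relative risk impact of leaving it open."""
    return gap(entry) * RISK_WEIGHT[entry.risk_impact]


def priority_label(score: int) -> str:
    """Map a score onto the H/M/L priority used in the action plan."""
    if score >= 6:
        return "H"
    if score >= 3:
        return "M"
    return "L"


def rag_status(done: int, total: int, overdue: bool, at_risk: bool = False) -> str:
    """Red/Amber/Green stoplight for the Status data point."""
    if total <= 0 or not 0 <= done <= total:
        raise ValueError("milestone counts must satisfy 0 <= done <= total")
    if done == total:
        return "Green"                      # every milestone met
    if overdue:
        return "Red"                        # a scheduled milestone was missed
    return "Amber" if at_risk else "Green"  # Amber: an issue threatens a milestone


def gap_analysis(entries: List[ProfileEntry]) -> List[ProfileEntry]:
    """Return only the subcategories with an open gap, highest priority first."""
    for entry in entries:
        validate(entry)
    open_gaps = [e for e in entries if gap(e) > 0]
    return sorted(open_gaps, key=lambda e: (-priority_score(e), e.subcategory))


def build_action_plan(entries: List[ProfileEntry]) -> List[Dict[str, str]]:
    """Turn the gap analysis into action-plan rows carrying Figure D.1 data points."""
    plan = []
    for n, entry in enumerate(gap_analysis(entries), start=1):
        plan.append({
            "Action Identifier": f"A-{n:03d}",
            "Priority": priority_label(priority_score(entry)),
            "Rationale": (f"{entry.subcategory}: current {entry.current}, target "
                          f"{entry.target}, risk impact {entry.risk_impact}"),
            "Specific Action": entry.practice,
            "Status": rag_status(done=0, total=1, overdue=False),  # not yet started
            "Action Assignee": "TBD",  # point of contact, assigned by the district
        })
    return plan


# Constructed sample rows, not a real district's data.
SAMPLE_PROFILE = [
    ProfileEntry("PR.DS-1", 1, 4, "high", "Encrypt data at rest on servers and laptops"),
    ProfileEntry("PR.IP-4", 2, 4, "medium", "Test backup restores quarterly"),
    ProfileEntry("DE.CM-8", 3, 3, "medium", "Monthly authenticated vulnerability scans"),
    ProfileEntry("PR.AT-1", 3, 4, "low", "Annual user awareness training"),
    ProfileEntry("RS.RP-1", 0, 3, "high", "Adopt and exercise an incident response plan"),
]

if __name__ == "__main__":
    for row in build_action_plan(SAMPLE_PROFILE):
        print(row["Action Identifier"], row["Priority"], row["Rationale"])
```

Subcategories whose current rating already meets the target (DE.CM-8 in the sample) produce no action row; the remaining rows are ordered by weighted gap, so an identical gap on a high-impact subcategory outranks one on a low-impact subcategory.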
Appendix F: Considerations for Critical Infrastructure Sectors
The CCSF was developed as directed by EO 13636, in direct support of the critical infrastructure community. For enterprises that are identified with one of the sixteen critical infrastructure sectors listed in Figure 2, or enterprises that support entities in those sectors, the following considerations may be helpful for implementing the CCSF in that context.
Role Identification
From the President of the School Board to the IT System Administrator, roles vary widely among critical infrastructure providers. The CCSF generally classifies these roles into three categories as described in Appendix B. The reader is encouraged to determine the applicable titles of each role and refer specifically to those titles in planning/operations/monitoring documents. Doing so will aid in the education and implementation of cybersecurity activities without confusion about disparate role identification.
Implementation Scope
The applicable scope for CCSF implementation will vary with each enterprise. Some entities may take an exploratory approach and apply CCSF to a sub-entity to gain experience, while others may apply it to the entire enterprise at once. Such decisions are typically based on district business needs and budgets.
The reader should determine whether any legal and/or regulatory drivers will affect that scope. For example, the Health Insurance Portability and Accountability Act (HIPAA) describes specific objectives for “Meaningful Use” of certified electronic health record technology. Jurisdictional considerations may also impact the scope decisions—legal considerations in one country may be quite different from those in another portion of the world. These external drivers may influence the goals considered and the actions taken to improve cybersecurity.
Risk Considerations
Determination of the enterprise risk architecture is an important element of implementation Step 1 because many of the subsequent activities support maintaining a balance between realizing benefits and optimizing risk levels and resource use.
Many critical information sectors are subject to external drivers that impact those risk decisions. The financial sector, for example, has many factors that influence acceptable risk considerations. Documentation of these considerations and factors during Step 1 will support subsequent steps and will ensure that these important stakeholder goals are attained and tracked in accordance with regulatory management and reporting requirements.
Quality Management
Quality management overlays closely with effective cybersecurity practices. COBIT 5 process APO11 Manage quality describes the use and maintenance of a Quality Management System (QMS). Management practice APO11.01 states, “Establish and maintain a QMS that provides a standard, formal and continuous approach to quality management for information, enabling technology and business processes that are aligned with business requirements and enterprise quality management.”
Applying the APO11 management practices helps the district define and manage quality standards, practices, and procedures in accord with the prioritization and risk decisions agreed on in the CCSF Implementation steps described earlier in this document. Focusing quality management on customers and the stakeholder goals (as established in Phases 1 and 2), and integrating those quality management processes as part of the action plan, will help ensure alignment with mission needs. Performing quality monitoring, control and reviews helps ensure that district processes and technology are delivering value to the business, continuous improvement and transparency for stakeholders.
Critical infrastructure providers may have additional QMS requirements for enterprise systems. The relevant goals for management of such a QMS should be considered when developing Profiles and determining actions. Such readers may be guided by standards in the ISO 9000 family, including:
• ISO 9001:2008 — Sets out the requirements of a QMS
• ISO 9000:2005 — Covers the basic concepts and language
• ISO 9004:2009 — Focuses on how to make a QMS more efficient and effective
• ISO 19011:2011 — Sets out guidance on internal and external audits of QMS
Threat and Vulnerability Information
Members of the critical infrastructure community are particular targets of cybersecurity threats, often through innovative attack vectors. US users are especially encouraged to work with applicable groups such as Information Sharing and Analysis Centers (ISACs) and the Department of Homeland Security, including the US Computer Emergency Readiness Team (CERT). InfraGard, a partnership between the Federal Bureau of Investigation (FBI) and the private sector, is also helpful. It is an association of people who represent businesses, academic institutions, state and local law enforcement agencies, and other participants dedicated to sharing information and intelligence to prevent hostile acts.
The National Council of ISACs (NCI) may be helpful in identifying ways to assist in enterprise threat and vulnerability understanding. NCI exists to advance the physical and cybersecurity of the critical infrastructures of North America by establishing and maintaining a framework for valuable interaction between and among the ISACs and with government.
The Industrial Control System ISAC (ICS-ISAC) established a project known as the Situational Awareness Reference Architecture (SARA). SARA’s objective is to compile and publish an applied guide to the processes, practices, standards and technologies which facilities and others can use to establish situational awareness.
Enterprises should determine the conditions under which a vulnerability may be addressed. For example, some critical systems may not be able to be shut down to support an important patch, so mitigating controls should be identified to ensure appropriate means to achieve enterprise goals for both availability and security. These considerations apply to all people, processes and technology (as described in Section 1) that enable business functions.
Automated Indicator Sharing
The NIST Roadmap for Improving Critical Infrastructure Cybersecurity recommends the use of automated sharing of indicator information to provide districts with timely, actionable information that they can use to detect and respond to cybersecurity events as they are occurring. Recent intrusions have indicated that adversaries attack multiple sector participants at once, such as recent denial-of-service attacks against many members of the financial sector.
NIST recommends that districts “use a combination of standard and proprietary mechanisms to exchange indicators that can be used to bolster defenses and to support early detection of future attack attempts. These mechanisms have differing strengths and weaknesses and often require districts to maintain specific process, personnel, and technical capabilities.” CCSF implementers are encouraged to work with NIST and sector leadership to adopt and improve practical approaches to achieve automated indicator sharing.
Supply Chain Risk Management
Similarly, NIST promotes increased adoption of standards for supply chain risk management. NIST says that the “adoption of supply chain risk management standards, practices and guidelines requires greater awareness and understanding of the risk associated with the time-sensitive interdependencies throughout the supply chain, including in and between critical infrastructure sectors/subsectors. This understanding is vital to enable districts to assess their risk, prioritize, and allow for timely mitigation.”
CSF implementers are encouraged to include supply chain risk as a subset of the broad risk assessment and risk management activities. More information about supply chain risk management is available from NIST’s Computer Security Division.
Current and Target Profiles
During the initial development of the NIST guideline, it was pointed out that leadership of individual sectors (e.g., sector supporting agencies, sector councils, participating companies) could potentially provide specific guidance on creation and maintenance of Current and Target Profiles. Such guidance might include: mapping from the CCSF Core to compliance frameworks, criteria for determining the thresholds described in Figure 17, or recommendations regarding Core Subcategories.
Framework Next Steps
In announcing the launch of the CCSF, the Special Assistant to the US President and the US Cybersecurity Coordinator, Michael Daniel, made three requests that are especially significant for the US critical infrastructure community:
• “We need you to kick the tires. We need districts to begin using the Framework and see how well it can work for different sizes and types of districts.”
• “We need your feedback to make the Framework better. We need you to share your experience with us on how using the Framework worked—or didn’t work—for your district. Feedback is essential to improving the Framework and making it better in future versions.”
• “In short, we need your continued engagement. The Framework is intended to be a living document. We need your collective experience and knowledge to make it better over time.”
CCSESA encourages all who implement this initial version of the Cybersecurity Framework to help improve its value, to provide feedback to the CCSF community and help this framework achieve its goal of improving cybersecurity risk management. Through CCSESA’s leadership and the new Cybersecurity Nexus (CSX), California districts can be particularly helpful to achieve that goal and safeguard enterprises around the globe.