2017

Implementing the CCSESA Cybersecurity Framework (CCSF) – Version 1.0

CCSESA Cybersecurity Guidebook

Proud to collaborate in support of responsible technology protecting our children and employees.

CCSESA's mission is to strengthen the service and leadership capabilities of California's 58 County Superintendents in support of students, schools, districts and communities.

Empowering education through assessment and security.

Both groups working to support the thoughtful, responsible and effective integration of education, security and technology to increase student effectiveness and achievement.

Special thanks to an advisory group that provided quality control throughout the development of this project:

• Raj Sra - Administrator, Information Systems & Technology at Fresno COE
• Justin Norcross - Chief Technology Officer at Inyo COE
• Greg Lindner - Chief Technology Officer at Los Angeles COE
• Dane Lancaster - Senior Director, Information Technology at Marin COE
• Nanette Waggoner - Director, Information Technology Services at Merced COE
• Carl Fong - Executive Director IT at Orange COE
• Karen Connaghan - Assistant Superintendent/CTO at San Diego COE
• Lorrie Owens - Administrator, Information Technology Services at San Mateo COE
• David Wu - Chief Technology Officer/Asst. Superintendent at Santa Clara COE
• Sally Savona - Division Director, Technology & Learning Resources at Stanislaus COE
• Stephen Carr - Chief Technology Officer at Ventura COE
• Mark Archon - Director, Instructional Technology Services at Fresno COE
• Vern Alvarado - Infrastructure Manager at Merced COE
• Peter Skibitzki - Director of Information Technology and Communications at Placer COE
• Richard D'Souza - Information Security Officer, Information Technology Services at Riverside COE
• David Evans - Systems Security and Research Officer at San Bernardino COE
• Mitch Hsu - Director of Technology Services at Ventura COE
• Luis Wong - CEO, K12 High Speed Network


Executive Summary

Information is a key resource for all educational institutions. Instructional technology and the information technology that supports information are increasingly all-encompassing, advanced, and connected. Because of this, information systems are constantly being attacked. Destructive assaults against schools, school districts and other educational institutions point toward a renewed dedication to managing risk at an acceptable level. Many schools are stepping up to this challenge, but there is a need for help in developing roadmaps to protect educational assets. One solution is an industry-standard approach that looks toward other institutions that have been successful through a combination of manageable processes and quantitative improvements. This guidebook was developed to describe just such practices, to allow schools and school districts to better understand risk and to manage that risk. The text enables the reader to apply industry-proven methods to implement the CCSESA Cybersecurity Framework, which is built upon the legislation and presidential orders described below. Application of this framework facilitates communication about priorities and activities in simple, easy-to-understand terms, mitigating district risk. In addition to the text, accompanying e-Learning modules will guide the reader through this process.

In February 2013, President Barack Obama issued Executive Order (EO) 13636, Improving Critical Infrastructure Cybersecurity. Prior to this executive order there had been several security breaches targeting financial institutions and retail establishments, resulting in significant losses. The Executive Order called for the development of a "voluntary" risk-based framework centered on managing security that would have several characteristics:

• The framework would be prioritized.
• The framework would be flexible.
• Implementation of the framework would be repeatable.
• The framework itself would be performance-based.
• The framework would be cost-effective.

Various partners developed the framework through partnerships, including international partnerships, of both Fortune 100 and smaller organizations, which included many of the owners and operators of critical infrastructure throughout the nation. Leadership for the development of the framework was provided by the National Institute of Standards and Technology (NIST). The framework provides a risk-based approach that enables rapid success in steps to improve overall security maturity within districts. CCSESA recognizes that the values closely held throughout the district mirror the governance and management practices fostered for many years. Collaborating with a known industry standard, Control Objectives for Information and related Technology (COBIT) 5, provided for the development of the key principles of the two frameworks and allowed each to meld into a single security framework that can be implemented by a variety of audiences, from small schools to large schools to County Offices of Education.

This document maps each of the NIST steps and activities developed as a result of the Executive Order, thus extending CCSESA's guidance with practical and measurable activities. Achieving the objectives prescribed in this framework will allow school districts to manage operational risk while understanding that risk in a more business-like context, thus enabling districts to be proactive in managing risk.


This approach provides proactive value to the stakeholders of the district, translating high-level strategic or enterprise goals into more manageable, specific objectives rather than a simple, disconnected checklist model.

While the intention of the CCSESA Security Framework is to support educational services, it is applicable to any organization that wishes to better manage and reduce cybersecurity risk. Schools are not immune to cybersecurity attacks. Districts are connected to critical functions through various telecommunication services that can render them vulnerable to hacking and other malicious attacks. Improving the overall risk management capabilities of each member of the school district will ultimately reduce cybersecurity risk.

CCSESA's Framework provides districts with a unique and valuable understanding of how to implement the NIST Framework and correlate the indicators provided in the framework to COBIT 5 standards as well as ISO 27001 specifications. ISO 27001 specifies the requirements for an information security management system (ISMS). This level of understanding is presented throughout the guidebook and in the templates provided, in the form of a toolkit, as part of this effort. While the NIST Framework provides references to important security controls, the CCSESA Framework helps to apply those security controls through concepts such as the COBIT goals cascade. This cascade supports the identification of needs and enterprise goals that are achieved by outcomes supporting the successful use of the COBIT enabling processes and governance structures. By following the guidelines specified within this framework, school districts are guided to attain outcomes in a more measurable way than is possible without the underlying processes. The use of this document can result in a district understanding potential risk and being prepared to deal with unforeseen circumstances and potential disasters, allowing them to minimize their losses in the event of a security breach or disaster.


Table of Contents

Executive Summary ... 3
Table of Contents ... 5
Section 1. Framework Implementation ... 7
  Relationship of the COBIT 5 Goals Cascade to the CCSF ... 7
  Steps of Implementation ... 10
  CSF Step 1: Prioritize and Scope ... 13
  CSF Step 2: Orient ... 17
  CSF Step 3: Create a Current Profile ... 18
  CSF Step 4: Conduct a Risk Assessment ... 22
  CSF Step 5: Create a Target Profile ... 23
  CSF Step 6: Determine, Analyze, and Prioritize Gaps ... 26
  CSF Step 7: Implement Action Plan ... 30
  CSF Action Plan Review ... 36
  CSF Lifecycle Management ... 38
Appendix A. Introduction ... 43
  Background ... 43
  Governance and Management of Enterprise Information Technology ... 45
  Introduction to the Framework for Improving Critical Infrastructure Cybersecurity ... 46
  Introduction to COBIT 5 ... 48
  COBIT 5 Governance and Management ... 49
  COBIT 5 Goals Cascade ... 49
  COBIT 5 Enablers ... 49
  COBIT 5 Process Reference Model ... 50
  COBIT 5 Implementation Guidance ... 53
  Scope and Approach ... 53
Appendix B. Introduction to NIST Cybersecurity Framework 1.0 ... 55
  Framework Background ... 55
  Coordination of Framework Implementation ... 62
  Framework Core ... 63
  Framework Implementation Tiers ... 67
  Framework Profiles ... 70
  Risk Considerations from COBIT and the CCSF ... 71
  The Risk Function Perspective (COBIT 5) ... 72
  The Risk Management Perspective ... 73
Appendix C. Communicating Cybersecurity Requirements with Stakeholders ... 75
Appendix D: Framework Core ... 76
Appendix E: CCSESA CCSF Toolkit ... 91
  Profile Metadata ... 91
  Current State Profile ... 93
  Target State Profile ... 94
  Gap Analysis ... 95
Appendix F: Considerations for Critical Infrastructure Sectors ... 97
  Role Identification ... 97
  Implementation Scope ... 97
  Risk Considerations ... 97
  Quality Management ... 97
  Threat and Vulnerability Information ... 98
  Automated Indicator Sharing ... 98
  Supply Chain Risk Management ... 99
  Current and Target Profiles ... 99
  Framework Next Steps ... 99


Section 1. Framework Implementation

The following section describes the use of CCSESA-supplied methodologies to accomplish the implementation guidance in the CCSF "How to Use" section. The CCSF and COBIT each provide seven high-level steps, or phases. These generally align, although COBIT provides a post-execution assessment (Phase 6: Did We Get There?) and ongoing lifecycle maintenance activities (Phase 7: How Do We Keep the Momentum Going?) that are implicit, but not fully described, in the CCSF. It is important to note that implementation is not an "all or nothing" endeavor. Those adopting the processes described may select whichever ones will assist in accomplishing enterprise goals. In this sense, the processes are available to select from, not a checklist to implement.

The following text describes the use of the CCSF to accomplish the seven COBIT implementation phases, providing the following information about each phase:

• The purpose of the phase
• Key activities in the phase
• COBIT 5 practice(s) and process(es) that support application of that phase (i.e., realization of the applicable CCSF Core Category/Subcategory Outcome)

The activities and processes described are informative and may help the implementation team to determine what to do for each phase, but they are not prescriptive and they should be tailored to achieve individual district goals and approach. Keep in mind available budget, resource expertise and implementation costs.

Relationship of the COBIT 5 Goals Cascade to the CCSF

The CCSF recognizes that, because every school district faces unique challenges and opportunities, including having numerous internal and external stakeholders, each has unique requirements for governance and management activities. These stakeholders drive requirements for the enterprise, and thus the cybersecurity risk. As those requirements are set, the district can use the COBIT 5 framework goals cascade to further refine them.

The COBIT 5 framework describes the goals cascade as

"the mechanism to translate stakeholder needs into specific, actionable and customized enterprise goals, IT-related goals and enabler goals. This translation allows setting specific goals at every level and in every area of the enterprise in support of the overall goals and stakeholder requirements, and thus effectively supports alignment between enterprise needs and IT solutions and services."

The COBIT 5 goals cascade is shown in Figure 16.


The goals cascade supports the identification of stakeholder needs and enterprise goals, which themselves contribute to an understanding of the overall district drivers, such as "compliance with external laws and regulations" or "business service continuity and availability." The achievement of enterprise goals is supported by technical outcomes, which, in turn, require successful application and use of a number of enablers. The enabler concept is detailed within the COBIT 5 framework. Enablers include processes, district structures and information, and for each enabler a set of specific, relevant goals is defined in support of technical goals. In relation to the CCSF, the enablers support activities to attain outcomes in the Core categories and subcategories.

An important note that was highlighted throughout CCSF development exercises was that there may be layers of key stakeholders with varying enterprise goals. In the critical infrastructure community, for example, district goals may include drivers from national priorities, stakeholders from critical sector-specific agencies or officials from sector coordinating councils. These are not unlike existing enterprise goals, such as "Compliance with external laws and regulations."

Examining the district goals in this step should include understanding balanced priorities among what is best for the enterprise and any external commitments, such as provisioning of critical services.


Steps of Implementation

The steps of the CCSF include the following:

1. Prioritize and Scope
2. Orient
3. Create a Current Profile
4. Conduct a Risk Assessment
5. Create a Target Profile
6. Determine, Analyze and Prioritize Gaps
7. Implement Action Plans


The phases of the COBIT 5 implementation lifecycle include the following:

Phase 1 - What are the drivers?
Phase 2 - Where are we now?
Phase 3 - Where do we want to be?
Phase 4 - What needs to be done?
Phase 5 - How do we get there?
Phase 6 - Did we get there?
Phase 7 - How do we keep the momentum going?

The following pages provide considerations to review in following the 7-step process of implementing the CCSESA Cybersecurity Framework. Each component includes the relevant component of COBIT 5. The COBIT 5 references provided are coded to allow for easy access using the CCSF database. For example, EDM01.01 is practice 01 of process EDM01 in the Evaluate, Direct and Monitor (EDM) domain of the COBIT 5 Process Reference Model for the governance of enterprise IT. A chart of the various correlations is found at the conclusion of this Section.

COBIT 5 Process Reference Model

CSF Step 1: Prioritize and Scope. COBIT Phase 1: What Are the Drivers?

The IT Governance Institute's governance guidance for Boards of Directors and Executive Management points out that

"Information security governance is the responsibility of the board of directors and senior executives."

It must be an integral and transparent part of district governance and be aligned with the IT governance framework. To exercise effective enterprise and information security governance, boards and senior executives must have a clear understanding of what to expect from their district's information security program. Reviewers pointed out that effective alignment of business drivers with IT governance and management resulted in improved security and a better understanding of enterprise security requirements. Basing IT governance and management on the mission supports the use of language and terminology that are familiar to the executive level, rather than technical jargon and buzzwords that are misaligned with common business terms. Understanding of the governance issues and benefits, in business terms, supports buy-in and commitment from senior management.

Through these methods, accomplishment of the Core outcomes through selected district goals and processes directly supports stakeholder goals and drivers, moving IT governance and management from merely a compliance exercise to a method of providing value to the district.


Implementation Considerations for CCSF Step 1

Purpose

• To obtain an understanding of the district governance approach (including risk architecture, business drivers and compliance requirements) to inform risk assessment activities and to prioritize security activity.

Inputs

• Enterprise policies, strategies, governance and business plans
• Risk architecture strategy
• Current enterprise environment and business processes
• Enterprise vision and mission statements

High-level Activities

• Identify the key executive and board-level stakeholders that authoritatively speak to mission drivers and risk appetite.
• Determine the scope to be addressed through application of the CCSF. This could be district-wide or any subsection of the district.
• Identify district mission and/or services addressed through use of the CCSF.
• Identify the applicable risk architecture for the district and available methods for risk identification, measurement, assessment, reporting and monitoring.
• Define roles and responsibilities for conveying prioritization and resource availability, and for implementing actions to achieve IT value.
• Determine the systems (people, processes and technology) required to attain mission goals.
• Use the COBIT 5 goals cascade to translate stakeholder needs into specific, actionable and customized enterprise goals. This effectively supports alignment between enterprise needs and the CCSF outcomes from subsequent phases, and aids in reporting progress toward goals.
• Document the prioritization decisions and resources available for managing risk to the appropriate level. Documentation should include accountability, deadlines and reporting method.

Outcomes

• Enterprise architecture vision
• Organizational mission and drivers
• Organizational direction regarding funding and other resources
• Quality management system (QMS)
• Understanding of the district's present and future attitude toward risk and IT risk position


COBIT 5 Correlation to CCSESA Cybersecurity Framework Implementation Step 1

COBIT 5 Practice   CCSF Description

EDM01.01   Evaluate the governance system. Continually identify and engage with the district's stakeholders, document an understanding of all requirements, and make a judgment on the current and future design of governance of the district's IT environment.

APO01 (ALL)   Provide a consistent management approach to enable the district's governance requirements to be met, covering management processes, district structures, roles and responsibilities, reliable and repeatable activities, and skills and competencies.

APO02.01   Understand enterprise direction. Consider the current enterprise environment and business processes, as well as the enterprise strategy and future objectives. Consider also the external environment of the district (drivers, regulations and basis for competition).

APO03.01   Develop the district architectural vision. The architectural vision provides a first-cut, high-level description of the baseline and target architectures, covering the district, information, data, application and technology domains, and gives IT directors a key tool to sell the benefits of the proposed capability to stakeholders within the district. The architecture vision describes how the new capability will meet enterprise goals and strategic objectives and address stakeholder concerns when implemented.

APO04.02   Maintain an understanding of the enterprise environment. Work with relevant stakeholders to understand the challenges. Maintain an adequate understanding of district strategy in the competitive environment or other constraints so that opportunities enabled by new technologies can be identified.

APO05.01   Establish the target investment mix. Review and ensure clarity of the enterprise and IT strategies and current services. Define an appropriate investment mix based on cost, alignment with strategy and financial measures such as cost and expected ROI over the full economic lifecycle, degree of risk and type of benefit for the programs in the portfolio. Adjust the enterprise and IT strategies where necessary.

APO05.02   Determine the availability of sources of funds. Determine potential sources of funds, different funding options and the implications of the funding source on the investment return expectations.

APO05.03   Evaluate and select programs to be funded. Based on the overall investment portfolio mix requirements, evaluate and prioritize program business cases, and decide on investment proposals. Allocate funds and initiate programs.

APO06.01   Manage finance and accounting. Establishing and maintaining a method to account for all IT-related costs, investments and depreciation is an integral part of the enterprise financial systems and chart of accounts used to manage IT investments and costs. Capture and allocate actual costs, analyze variances between forecast and actual cost, and report using the enterprise's financial measurement systems.

APO06.02   Prioritize resource allocation. Implement a decision-making process to prioritize the allocation of resources and rules for discretionary investments by individual business units. Include the potential use of external service providers and consider the buy, develop and rent options.

APO06.03   Create and maintain budgets. Prepare a budget reflecting the investment priorities supporting strategic objectives, based on the portfolio of IT-enabled programs and IT services.

APO06.04   Model and allocate costs. Establish and use an IT costing model based on the service definition, ensuring that the allocation of costs for services is identifiable, measurable and predictable, to encourage the responsible use of resources, including those provided by service providers. Regularly review and benchmark the appropriateness of the cost/chargeback model to maintain its relevance and appropriateness to the evolving business and IT activities.

APO06.05   Manage costs. Implement a cost management process comparing actual costs to budgets. Costs should be monitored and reported and, in the case of deviations, identified in a timely manner and their impact on enterprise processes and services assessed.

APO07.01   Maintain adequate and appropriate staffing. Evaluate staffing requirements on a regular basis or on major changes to the enterprise, operational or IT environments to ensure that the enterprise has sufficient human resources to support enterprise goals and objectives. Staffing includes both internal and external resources.

APO08.01   Understand business expectations. Understand current business issues and objectives and business expectations for IT. Ensure that requirements are understood, managed and communicated, and their status agreed on and approved.


APO08.03   Manage the business relationship. Manage the relationship with customers (business representatives). Ensure that relationship roles and responsibilities are defined and assigned, and communication is facilitated.

APO10.01   Identify and evaluate supplier relationships and contracts. Identify suppliers and associated contracts, then categorize them into type, significance and criticality. Establish supplier and contract evaluation criteria and evaluate the overall portfolio of existing and alternative suppliers and contracts.


CSF Step 2: Orient. COBIT Phase 2: Where Are We Now?

Having identified the district mission and drivers that support stakeholder objectives, the district identifies related systems and assets that enable achieving those stakeholder needs. It is important to note that the CCSF does not limit these systems and assets to purely IT, which is only a subset of the overall list of assets to be considered. Examples of assets to consider in the Orient step include:

• facilities in which technology resides,
• operators that ensure equipment functions safely, and
• infrastructure that delivers products to customers.

Having gained an understanding of the cascading goals, and how the business and IT function need to deliver value from IT in support of the enterprise goals, the district then identifies threats to, and vulnerabilities of, those systems and assets. This must be conducted with an understanding of the district's present and future attitude toward risk and IT risk position.

Before creating the Current Profile, the implementer should review the Framework Implementation Tiers as described in Figure 13, p. 68. Selection of the appropriate Tier that will attain stakeholder needs in an optimal way will establish the scale for answering the question, "Where are we now?" The goal of the process is to establish the appropriate levels of governance and management to accomplish the risk objectives defined in COBIT Phase 1 and CCSF Step 1. Selection of a Tier that is less than suitable may result in a lack of sufficient processes to address risk or to coordinate with other entities. Improper selection of the highest Tier, however, may impose costly district-wide programs and processes whose benefits are not commensurate with the Phase 1 goals defined. The dialogue to determine appropriate goals, Tiers and activities, in consideration of the unique organizational context, is one of the key benefits of applying this framework.


CSF Step 3: Create a Current Profile. COBIT Phase 2: Where Are We Now? (Continuation from CCSF Step 2)

The CCSESA CCSF Core contains approximately 100 subcategories of outcomes (don't get overwhelmed), many of which are supported by one or more COBIT processes. For the CCSF, the user should create the Current Profile for all the subcategories. Viewed through the lens of the district Tier, which helps inform how to accomplish an outcome, the implementer reviews each subcategory and determines the level to which that outcome has been attained to fulfill stakeholder goals. For each row in the template, determine and record the current level of achievement, as guided by the principles in the COBIT PAM (Process Assessment Model, see p. 67) and in COBIT Assessor's Guide: Using COBIT 5. The assessor's guide provides detailed criteria for determining appropriate activities to achieve the outcomes. In consideration of that guidance, select the appropriate level of achievement for each subcategory according to the scale detailed in Figure 17.

Figure 17 - Achievement Rating Scale

Abbreviation   Description          % Achieved
N              Not Achieved         0-15
P              Partially Achieved   >15-50
L              Largely Achieved     >50-85
F              Fully Achieved       >85-100

Source: This table is adapted from ISO/IEC 15504-2:2003, Section 5.7.2, and is used extensively for quantifying achievement during assessment.

Appendix B provides a full COBIT Current Profile template based on the CCSESA CCSF Core, including a detailed description of the Current Profile elements in Figure B.2.


Implementation Considerations for CCSESA CCSF Steps 2 and 3

Purpose

1. To gain an understanding of the district systems and assets that enable the mission described in phase 1, determining specific IT goals for protecting those systems (in accordance with business impact requirements).

2. To understand overarching threats to, and vulnerabilities of, those systems and assets, and use the Current Profile template to record current outcome achievement levels.

Inputs

• Organizational mission and drivers
• Understanding of the cascading goals
• Statement of how business and IT function deliver value from IT
• Understanding of the district's present and future attitude toward risk and IT risk position
• Framework Implementation Tiers

High-level Activities

• Determine business and operational systems on which stakeholder drivers (as described in phase 1) depend. Determination should include any downstream dependencies for identified systems and assets.

• Ascertain availability goals and/or recovery goals for identified systems and assets in order to provide stakeholder value and fulfill district obligations (such as contractual availability requirements, critical infrastructure service requirements, and service level agreements).

• Review the Framework Implementation Tiers and record the Tier selected for the district (within the scope determined in phase 1).

• Considering the characteristics of the desired Tier, using the COBIT 5 assessment methodology (based on ISO 15504), complete the Current Profile template, reviewing each subcategory and recording current status ranging from Not Achieved to Fully Achieved. Ensure that appropriate rationale/evidence is included for each component.

Outputs

• Threats to, and vulnerabilities of, important systems and assets
• Organizational risk assessment
• Current Profile
• IT-enabled service catalog
• Service agreements
• Availability, performance and capacity baselines for future comparison


COBIT 5 CORRELATION TO CCSESA CYBERSECURITY FRAMEWORK IMPLEMENTATION STEP 2

COBIT 5 Practice    CCSF Description

APO02.01    Understand enterprise direction. Consider the current enterprise environment and business processes, as well as the enterprise strategy and future objectives. Consider also the external environment of the enterprise (industry drivers, relevant regulations, basis for competition).

APO02.02    Assess the current environment, capabilities and performance. Assess the performance of current internal business and IT capabilities and external IT services, and develop an understanding of the enterprise architecture in relation to IT. Identify issues currently being experienced and develop recommendations and areas that could benefit from improvement. Consider service provider differentiators and options and the financial impact and potential cost and benefits of using external services.

APO03.02    Define reference architecture. The reference architecture describes the current and target architectures for the business, information, data, application and technology domains.

APO04.01    Create an environment conducive to innovation. Create an environment that is conducive to innovation, considering issues such as culture, reward, collaboration, technology forums, and mechanisms to promote and capture employee ideas.

APO07.02    Identify key IT personnel. Identify key IT personnel while minimizing reliance on a single individual performing a critical job function through knowledge capture (documentation), knowledge sharing, succession planning and staff backup.

APO07.03    Maintain the skills and competencies of personnel. Define and manage the skills and competencies required of personnel. Regularly verify that personnel have the competencies to fulfill their roles based on their education, training, and/or experience, and verify that these competencies are being maintained, using qualification and certification programs where appropriate. Provide employees with ongoing learning and opportunities to maintain their knowledge, skills and competencies at a level required to achieve enterprise goals.

APO07.05    Plan and track the usage of IT and business human resources. Understand and track the current and future demand for business and IT human resources with responsibilities for enterprise IT. Identify shortfalls and provide input into sourcing plans, enterprise and IT recruitment processes sourcing plans, and business and IT recruitment processes.

APO09.01    Identify IT services. Analyze business requirements and the way in which IT-enabled services and service levels support business processes. Discuss and agree on potential services and service levels with the business, and compare them with the current service portfolio to identify new or changed services or service level options.

APO09.02    Catalog IT-enabled services. Define and maintain one or more service catalogs for relevant target groups. Publish and maintain live IT-enabled services in the service catalog.

APO09.03    Define and prepare service agreements. Define and prepare service agreements based on the options in the service catalog. Include internal operational agreements.

APO11.02    Define and manage quality standards, practices and procedures. Identify and maintain requirements, standards, procedures and practices for key processes to guide the enterprise in meeting the intent of the agreed-on QMS. This should be in line with the IT control framework requirements. Consider certification for key processes, district units, products or services.

APO12.01    Collect data. Identify and collect relevant data to enable effective IT-related risk identification, analysis and reporting.

BAI03.11    Define IT services and maintain the service portfolio. Define and agree on new or changed IT services and service level options. Document new or changed service definitions and service level options to be updated in the services portfolio.


BAI04.01    Assess current availability, performance and capacity and create a baseline. Assess availability, performance and capacity of services and resources to ensure that cost-justifiable capacity and performance are available to support business needs and deliver against service level agreements. Create availability, performance and capacity baselines for future comparison.

BAI04.03    Plan for new or changed service requirements. Plan and prioritize availability, performance and capacity implications of changing business needs and service requirements.

BAI09.01    Identify and record current assets. Maintain an up-to-date and accurate record of all IT assets required to deliver services and ensure alignment with configuration management and financial management.

BAI09.02    Manage critical assets. Identify assets that are critical in providing service capability and take steps to maximize their reliability and availability to support business needs.

BAI10.01    Establish and maintain a configuration model. Establish and maintain a logical model of the services, assets and infrastructure and how to record configuration items (CIs) and the relationships among them. Include the CIs considered necessary to maintain services effectively and to provide a single reliable description of the assets in a service.

BAI10.02    Establish and maintain a configuration repository and baseline. Establish and maintain a configuration management repository and create controlled configuration baselines.

BAI10.03    Maintain and control configuration items. Maintain an up-to-date repository of configuration items by populating it with changes.

MEA03.01    Identify external compliance requirements. On a continuous basis, identify and monitor for changes in local and international laws, regulations and other external requirements that must be complied with from an IT perspective.

MEA03.02    Optimize response to external requirements. Review and adjust policies, principles, standards, procedures and methodologies to ensure that legal, regulatory and contractual requirements are addressed and communicated. Consider industry standards, codes of good practice and good practice guidance for adoption and adaptation.


CSF Step 4: Conduct a Risk Assessment

COBIT Phase 3 - Where Do We Want to Be

Based on the assessed Current Profile process capability levels, an appropriate target capability level should be determined for each process. The chosen level should consider any relevant external and internal benchmarks (for example, government-provided templates or guidance). With the understanding of vulnerabilities and threats to valuable assets, as determined in phase 2, perform a comprehensive risk assessment to determine how best to protect those assets, detect and respond to attacks on them, and recover from any degradation or interruption. Managed Security Risk Assessments should be conducted by an outside agency skilled in the development of service benchmarks for security.

In addition to the two COBIT 5 processes that deal specifically with risk, EDM03 Ensure Risk Optimization and APO12 Manage Risk, there is an additional COBIT 5 guide for Risk which deals with two perspectives:

1. the risk function and
2. the risk management process.

The risk function perspective describes how to use COBIT 5 enablers to implement effective and efficient risk governance and management.

The COBIT 5 generic enablers are Stakeholders, Goals, Life Cycle and Good Practices. They provide a general perspective of what the Risk function should consider when fulfilling its responsibilities. More specific guidance can be found in the enablers themselves:

• Principles, Policies and Frameworks
• Processes
• Organizational Structures
• Culture, Ethics and Behavior
• Information
• Services, Infrastructure and Applications
• People, Skills and Competencies

The use of COBIT 5 for Risk combines this knowledge into an approach to risk management that is both effective and efficient. As with all processes, the risk management function and its processes are designed to achieve specific outcomes that align with the business's goals and the district's strategic objectives. This approach combines the best practices of COSO and ISO 31000 with the COBIT 5 risk management knowledge pool to build capability in managing risk in accordance with the ISO 15504 standard for capability improvement.


CSF Step 5: Create a Target Profile

COBIT Phase 3 - Where Do We Want to Be (Continued)

In consideration of the district's Tier, which helps inform how an outcome should be accomplished, review each of the subcategories and determine the level to which that outcome should be attained in a manner that fulfills district goals.

Using the information in Appendix B and the COBIT Target Profile template provided in the toolkit, the implementer should develop the Target Profile based on the CCSF Core, including a detailed description of the Target Profile elements.

Implementation Considerations for CCSESA CCSF Steps 4 and 5

Purpose

1. To gain an understanding of the security-specific goals for district systems and assets that enable the mission described in phase 1, to attain stakeholder risk management goals.

2. To assess those systems and assets to discern the likelihood of cybersecurity events and the potential district impact.

Inputs

• Current Profile
• Process capability levels / Framework Implementation Tiers
• Results of goals analysis / process identification
• Security-related goals for applicable systems and assets

High-level Activities

• Based on recorded security-related goals for applicable systems and assets, conduct risk analysis activities to catalog potential security risk events to those systems and assets.

• For each potential event recorded above, determine the likelihood of that potential being realized and the potential impact on the district. The CCSF notes that it is important that districts seek to incorporate emerging risk, threat and vulnerability data to facilitate a robust understanding of the likelihood and impact of cybersecurity events.

• Determine whether any Framework Core subcategories are Not Applicable to the systems and assets identified as the scope as an output from 4 - What Needs to Be Done?

• Determine whether additional categories/subcategories (as security-specific goals) should be added to the Target Profile to account for unique district risk.

• Considering the characteristics of the desired Tier description, ensure that appropriate rationale/evidence is included for each component.

Outputs

• Catalog of potential security risk events to critical systems and assets
• Target capability level
• Comprehensive risk assessment
• Target Profile
• Business impact assessment results
• Reference architecture


COBIT 5 CORRELATION TO CCSESA CYBERSECURITY FRAMEWORK IMPLEMENTATION STEPS 4 AND 5

COBIT 5 Practice    CCSF Description

APO02.01    Understand enterprise direction. Consider the current enterprise environment and business processes, as well as the enterprise strategy and future objectives. Consider also the external environment of the enterprise (industry drivers, relevant regulations, basis for competition).

APO02.02    Assess the current environment, capabilities and performance. Assess the performance of current internal business and IT capabilities and external IT services, and develop an understanding of the enterprise architecture in relation to IT. Identify issues currently being experienced and develop recommendations and areas that could benefit from improvement. Consider service provider differentiators and options and the financial impact and potential cost and benefits of using external services.

APO03.02    Define reference architecture. The reference architecture describes the current and target architectures for the business, information, data, application and technology domains.

APO04.01    Create an environment conducive to innovation. Create an environment that is conducive to innovation, considering issues such as culture, reward, collaboration, technology forums, and mechanisms to promote and capture employee ideas.

APO07.02    Identify key IT personnel. Identify key IT personnel while minimizing reliance on a single individual performing a critical job function through knowledge capture (documentation), knowledge sharing, succession planning and staff backup.

APO07.03    Maintain the skills and competencies of personnel. Define and manage the skills and competencies required of personnel. Regularly verify that personnel have the competencies to fulfill their roles based on their education, training, and/or experience, and verify that these competencies are being maintained, using qualification and certification programs where appropriate. Provide employees with ongoing learning and opportunities to maintain their knowledge, skills and competencies at a level required to achieve enterprise goals.

APO07.05    Plan and track the usage of IT and business human resources. Understand and track the current and future demand for business and IT human resources with responsibilities for enterprise IT. Identify shortfalls and provide input into sourcing plans, enterprise and IT recruitment processes sourcing plans, and business and IT recruitment processes.

APO09.01    Identify IT services. Analyze business requirements and the way in which IT-enabled services and service levels support business processes. Discuss and agree on potential services and service levels with the business, and compare them with the current service portfolio to identify new or changed services or service level options.

APO09.02    Catalog IT-enabled services. Define and maintain one or more service catalogs for relevant target groups. Publish and maintain live IT-enabled services in the service catalog.

APO09.03    Define and prepare service agreements. Define and prepare service agreements based on the options in the service catalog. Include internal operational agreements.

APO11.02    Define and manage quality standards, practices and procedures. Identify and maintain requirements, standards, procedures and practices for key processes to guide the enterprise in meeting the intent of the agreed-on QMS. This should be in line with the IT control framework requirements. Consider certification for key processes, district units, products or services.

APO12.01    Collect data. Identify and collect relevant data to enable effective IT-related risk identification, analysis and reporting.

BAI03.11    Define IT services and maintain the service portfolio. Define and agree on new or changed IT services and service level options. Document new or changed service definitions and service level options to be updated in the services portfolio.

BAI04.01    Assess current availability, performance and capacity and create a baseline. Assess availability, performance and capacity of services and resources to ensure that cost-justifiable capacity and performance are available to support business needs and deliver against service level agreements. Create availability, performance and capacity baselines for future comparison.

BAI04.03    Plan for new or changed service requirements. Plan and prioritize availability, performance and capacity implications of changing business needs and service requirements.

BAI09.01    Identify and record current assets. Maintain an up-to-date and accurate record of all IT assets required to deliver services and ensure alignment with configuration management and financial management.

BAI09.02    Manage critical assets. Identify assets that are critical in providing service capability and take steps to maximize their reliability and availability to support business needs.

BAI10.01    Establish and maintain a configuration model. Establish and maintain a logical model of the services, assets and infrastructure and how to record configuration items (CIs) and the relationships among them. Include the CIs considered necessary to maintain services effectively and to provide a single reliable description of the assets in a service.

BAI10.02    Establish and maintain a configuration repository and baseline. Establish and maintain a configuration management repository and create controlled configuration baselines.

BAI10.03    Maintain and control configuration items. Maintain an up-to-date repository of configuration items by populating it with changes.


MEA03.01    Identify external compliance requirements. On a continuous basis, identify and monitor for changes in local and international laws, regulations and other external requirements that must be complied with from an IT perspective.

MEA03.02    Optimize response to external requirements. Review and adjust policies, principles, standards, procedures and methodologies to ensure that legal, regulatory and contractual requirements are addressed and communicated. Consider industry standards, codes of good practice and good practice guidance for adoption and adaptation.


CSF Step 6: Determine, Analyze, and Prioritize Gaps

COBIT 5 Phase 4 - What Needs to Be Done

For each of the subcategories in the Target Profile, consider the difference between the target level of achievement and the current level. The result of this gap assessment will help identify district strengths and weaknesses. COBIT 5 highlights several important considerations for this phase:

• This phase may identify some relatively easy-to-achieve improvements such as improved training, the sharing of good practices and standardizing procedures; however, the gap analysis is likely to require considerable expertise in business and IT management techniques to develop practical solutions. Experience in undertaking behavioral and district change will also be needed.

• Understanding of process techniques, advanced business and technical expertise, and knowledge of business and system management software applications and services may be needed. To ensure that this phase is executed effectively, it is important for the team to include the business and IT process owners and other required stakeholders, engaging internal expertise. If necessary, external advice should also be obtained. Risk that will not be mitigated after closing the gaps should be identified and, if acceptable, formally accepted by management.

The opportunities for improvement should be documented in a prioritized action plan to address gaps. The plan should draw on mission drivers, cost/benefit analysis, and an understanding of the impact and likelihood of risk to achieve the outcomes as described in the Target Profile. The plan should also include consideration of the resources necessary to address the gaps. Using Profiles in this manner enables the district to make informed decisions about cybersecurity activities, supports risk management, and enables the district to perform cost-effective, targeted improvements.


Implementation Considerations for CCSF Step 6: Determine, Analyze, and Prioritize Gaps

Purpose

To understand what actions are required to attain stakeholder goals through identification of gaps between the current and target environments and alignment with district priorities and resources.

Inputs

• Target Profile
• Process, business and technical expertise
• Resource requirements

High-level Activities

• For each subcategory listed in the Target Profile, record the difference between the desired capability level and the current state as recorded in the Current Profile, if any.

• For each subcategory where a difference between Current and Target state was recorded, utilizing COBIT 5: Enabling Processes (as included in the Framework Core), determine required activities and detailed activities. These are described in COBIT 5: Enabling Processes as the how, why and what to implement for each governance or management practice to improve IT performance and/or address IT solution and service delivery risk. Additional informative references from the Framework Core may assist with determining appropriate controls or activities.

• Reviewing the potential activities defined, determine the appropriate priority of those activities to enable optimal value realization while providing reasonable assurance that risk management practices are appropriate to ensure that the actual IT risk does not exceed the agreed-upon risk appetite.

• Determine the resources necessary to accomplish the activities described, in consideration of stakeholder guidance from phase 1 regarding available resources such as budget, personnel and expertise.

• Create and record an action plan of activities with milestones, ensuring appropriate responsibility and accountability, to achieve the desired outcomes according to the determined priorities.

Outputs

• Profile gap assessment
• Prioritized action plan
• Risk acceptance documentation
• Performance and conformance targets


Relevant COBIT 5 Practices: CCSF Step 6

COBIT 5 Practice    CCSF Description

EDM01.02    Direct the governance system. Inform leaders and obtain their support, buy-in and commitment. Guide the structures, processes and practices for the governance of IT in line with agreed-upon governance design principles, decision-making models and authority levels. Define the information required for informed decision making.

EDM02.02    Direct value optimization. Direct value management principles and practices to enable optimal value realization from IT-enabled investments throughout their full economic life cycle.

EDM03.02    Direct risk management. Direct the establishment of risk management practices to provide reasonable assurance that IT risk management practices are appropriate to ensure that the actual IT risk does not exceed the board's risk appetite.

EDM04.02    Direct resource management. Ensure the adoption of resource management principles to enable optimal use of IT resources throughout their full economic life cycle.

EDM05.02    Direct stakeholder communication and reporting. Ensure the establishment of effective stakeholder communication and reporting, including mechanisms for ensuring the quality and completeness of information, oversight of mandatory reporting, and creating a communication strategy for stakeholders.

APO02.05    Define the strategic plan and road map. Create a strategic plan that defines, in cooperation with relevant stakeholders, how IT-related goals will contribute to the enterprise's strategic goals. Include how IT will support IT-enabled investment programs, business processes, IT services and IT assets. Direct IT to define the initiatives that will be required to close the gaps, the sourcing strategy and the measurements to be used to monitor achievement of goals, then prioritize the initiatives and combine them in a high-level road map.

APO02.06    Communicate the IT strategy and direction. Create awareness and understanding of the business and IT objectives and direction, as captured in the IT strategy, through communication to appropriate stakeholders and users throughout the enterprise.

APO08.04    Coordinate and communicate. Work with stakeholders and coordinate the end-to-end delivery of IT services and solutions provided to the business.

APO11.05    Integrate quality management into solutions for development and service delivery. Incorporate relevant quality management practices into the definition, monitoring, reporting and ongoing management of solutions development and service offerings.

BAI02.04    Obtain approval of requirements and solutions. Coordinate feedback from affected stakeholders and, at predetermined key stages, obtain business sponsor or product owner approval and sign-off on functional and technical requirements, feasibility studies, risk analyses and recommended solutions.

BAI03.01    Design high-level solutions. Develop and document high-level designs using agreed-upon and appropriately phased or rapid agile development techniques. Ensure alignment with the IT strategy and enterprise architecture. Reassess and update the designs when significant issues occur during detailed design or building phases or as a solution evolves. Ensure that stakeholders actively participate in the design and approve each version.

BAI03.02    Design detailed solution components. Develop, document and elaborate detailed designs progressively using agreed-on and appropriate phased or rapid agile development techniques, addressing all components (business processes and related automated and manual controls, supporting IT applications, infrastructure services and technology products, and partners/suppliers). Ensure that the detailed design includes internal and external service level agreements (SLAs) and operating level agreements (OLAs).

BAI03.03    Develop solution components. Develop solution components progressively in accordance with detailed designs following development methods and documentation standards, quality assurance (QA) requirements, and approval standards. Ensure that all control requirements in the business processes, supporting IT applications and infrastructure services, services and technology products, and partners/suppliers are addressed.

BAI03.04    Procure solution components. Procure solution components based on the acquisition plan in accordance with requirements and detailed designs, architecture principles and standards, and the enterprise's overall procurement and contract procedures, QA requirements, and approval standards. Ensure that all legal and contractual requirements are identified and addressed by the supplier.

BAI03.05    Build solutions. Install and configure solutions and integrate with business process activities. Implement control, security and auditability measures during configuration, and during integration of hardware and infrastructural software, to protect resources and ensure availability and data integrity. Update the services catalogue to reflect the new solutions.

BAI03.06    Perform QA. Develop, resource and execute a QA plan aligned with the QMS to obtain the quality specified in the requirements definition and the enterprise's quality policies and procedures.

BAI03.07    Prepare for solution testing. Establish a test plan and required environments to test the individual and integrated solution components, including the business processes and supporting services, applications and infrastructure.

BAI03.08    Execute solution testing. Execute testing continually during development, including control testing, in accordance with the defined test plan and development practices in the appropriate environment. Engage business process owners and end users in the test team. Identify, log and prioritize errors and issues identified during testing.

BAI05.01    Establish the desire to change. Understand the scope and impact of the envisioned change and stakeholder readiness/willingness to change. Identify actions to motivate stakeholders to accept and want to make the change work successfully.


BAI05.02    Form an effective implementation team. Establish an effective implementation team by assembling appropriate members, creating trust, and establishing common goals and effectiveness measures.

BAI05.03    Communicate desired vision. Communicate the desired vision for the change in the language of those affected by it. The communication should be made by senior management and include the rationale for, and benefits of, the change; the impacts of not making the change; and the vision, the road map and the involvement required of the various stakeholders.

BAI05.04    Empower role players and identify short-term wins. Empower those with implementation roles by ensuring that accountabilities are assigned, providing training, and aligning district structures and human resources (HR) processes. Identify and communicate short-term wins that can be realized and are important from a change enablement perspective.

BAI05.05    Enable operation and use. Plan and implement all technical, operational and usage aspects such that all those who are involved in the future state environment can exercise their responsibility.

BAI05.06    Embed new approaches. Embed the new approaches by tracking implemented changes, assessing the effectiveness of the operation and use plan, and sustaining ongoing awareness through regular education. Take corrective measures as appropriate, which may include enforcing compliance.

MEA01.01    Establish a monitoring approach. Engage with stakeholders to establish and maintain a monitoring approach to define the objectives, scope and method for measuring business solution and service delivery and contribution to enterprise objectives. Integrate this approach with the corporate performance management system.

MEA01.02    Set performance and conformance targets. Work with stakeholders to define, periodically review, update and approve performance and conformance targets within the performance measurement system.


CSF Step 7: Implement Action Plan

COBIT Phase 5 — How Do We Get There

Phase 5 includes the actual execution of the prioritized action plan, as defined in phase 4. Action plan execution provides an opportunity for frequent stakeholder communications, which should use language and terminology appropriate for each audience. For example, IT management discussions may consider specific facilities and processes, while board and executive discussions may be more related to annualized loss expectancy or market opportunities.

Action plan execution may be gradually implemented, building on the momentum of project success, building further credibility and improving success. The execution of the action plan provides an opportunity to foster an effective risk management culture throughout the district. Performance measures and incremental metrics will help document success and support any adjustments required. Many such measures are described in the COBIT 5 processes, especially those in the Build, Acquire and Implement (BAI) and Deliver, Service and Support (DSS) domains.


ImplementationConsiderationCCSFStep7:ImplementActionPlanPurpose

Toexecutetheplan,asdefinedinphase4,toaddressgapsandimprovesecuritytoachievestakeholdergoalsinaprioritizedandcost-effectivemanner.

Inputs

• Prioritizedactionplan• Organizationalmissionanddrivers• Performanceandconformancetargets

High-levelActivities

• Execute the action plan as defined in phase 4. Consider root causes and success factors from the challenges listed in the COBIT 5 implementation guide, including:
  o Make small improvements to test the approach and make sure it works.
  o Involve the process owners and other stakeholders in development of the improvement.
  o Apply adequate training where required.
  o Develop processes before attempting to automate.
  o Reorganize, if required, to enable better ownership of processes.
  o Match roles (specifically those that are key for successful adoption) to individual capabilities and characteristics.
  o Set clear, measurable and realistic goals (outcome expected from the improvement).
  o Set practical performance metrics (to monitor whether the improvement is driving achievement of goals).
  o Produce scorecards showing how performance is being measured.
  o Communicate in business impact terms the results and benefits being gained.
  o Implement quick wins and deliver solutions in short timescales.
  o Assess performance in meeting the original objectives and confirm realization of desired outcomes.
• Consider the need to redirect future activities and take corrective action.
• Assist in the resolution of significant issues, if required.
• If necessary, return to phase 3 and adjust the Target Profile, Gap Assessment and Action Plan.

Outputs

• Operating procedures for implemented action items
• Performance communications reports
• Performance metrics results

Relevant COBIT 5 Practices for CCSF Step 7: Implement Action Plan (COBIT 5 practice, followed by CCSF description)

EDM01.02 Direct the governance system. Inform leaders and obtain their support, buy-in and commitment. Guide the structures, processes and practices for the governance of IT in line with agreed-on governance design principles, decision-making models and authority levels. Define the information required for informed decision making.

EDM02.02 Direct value optimization. Direct value management principles and practices to enable optimal value realization from IT-enabled investments throughout their full economic life cycle.

EDM03.02 Direct risk management. Direct the establishment of risk management practices to provide reasonable assurance that IT risk management practices are appropriate to ensure that the actual IT risk does not exceed the board's risk appetite.

EDM04.02 Direct resource management. Ensure the adoption of resource management principles to enable optimal use of IT resources throughout their full economic life cycle.

EDM05.02 Direct stakeholder communication and reporting. Ensure the establishment of effective stakeholder communication and reporting, including mechanisms for ensuring the quality and completeness of information, oversight of mandatory reporting, and creating a communication strategy for stakeholders.

APO02.05 Define the strategic plan and road map. Create a strategic plan that defines, in co-operation with relevant stakeholders, how IT-related goals will contribute to the enterprise's strategic goals. Include how IT will support IT-enabled investment programs, business processes, IT services and IT assets. Direct IT to define the initiatives that will be required to close the gaps, the sourcing strategy and the measurements to be used to monitor achievement of goals, then prioritize the initiatives and combine them in a high-level road map.

APO02.06 Communicate the IT strategy and direction. Create awareness and understanding of the business and IT objectives and direction, as captured in the IT strategy, through communication to appropriate stakeholders and users throughout the enterprise.

APO08.04 Co-ordinate and communicate. Work with stakeholders and co-ordinate the end-to-end delivery of IT services and solutions provided to the business.

APO11.05 Integrate quality management into solutions for development and service delivery. Incorporate relevant quality management practices into the definition, monitoring, reporting and ongoing management of solutions development and service offerings.

BAI02.04 Obtain approval of requirements and solutions. Co-ordinate feedback from affected stakeholders and, at predetermined key stages, obtain business sponsor or product owner approval and sign-off on functional and technical requirements, feasibility studies, risk analyses and recommended solutions.

BAI02.01 Design high-level solutions. Develop and document high-level designs using agreed-on and appropriate phased or rapid agile development techniques. Ensure alignment with the IT strategy and enterprise architecture. Reassess and update the designs when significant issues occur during detailed design or building phases or as the solution evolves. Ensure that stakeholders actively participate in the design and approve each version.

BAI03.02 Design detailed solution components. Develop, document and elaborate detailed designs progressively using agreed-on and appropriate phased or rapid agile development techniques, addressing all components (business processes and related automated and manual controls, supporting IT applications, infrastructure services and technology products, and partners/suppliers). Ensure that the detailed design includes internal and external SLAs and OLAs.

BAI03.03 Develop solution components. Develop solution components progressively in accordance with detailed designs following development methods and documentation standards, QA requirements, and approval standards. Ensure that all control requirements in the business processes, supporting IT applications and infrastructure services, services and technology products, and partners/suppliers are addressed.

BAI03.05 Procure solution components. Procure solution components based on the acquisition plan in accordance with requirements and detailed designs, architecture principles and standards, and the enterprise's overall procurement and contract procedures, QA requirements, and approval standards. Ensure that all legal and contractual requirements are identified and addressed by the supplier.

BAI03.05 Build solutions. Install and configure solutions and integrate with business process activities. Implement control, security and auditability measures during configuration, and during integration of hardware and infrastructural software, to protect resources and ensure availability and data integrity. Update the services catalogue to reflect the new solutions.

BAI03.06 Perform QA. Develop, resource and execute a QA plan aligned with the QMS (see p. 96) to obtain the quality specified in the requirements definition and the enterprise's quality policies and procedures.

BAI03.07 Prepare for solution testing. Establish a test plan and required environments to test the individual and integrated solution components, including the business processes and supporting services, applications and infrastructure.

BAI03.08 Execute solution testing. Execute testing continually during development, including control testing, in accordance with the defined test plan and development practices in the appropriate environment. Engage business process owners and end users in the test team. Identify, log and prioritize errors and issues identified during testing.

BAI05.01 Establish the desire to change. Understand the scope and impact of the envisioned change and stakeholder readiness/willingness to change. Identify actions to motivate stakeholders to accept and want to make the change work successfully.

BAI05.02 Form an effective implementation team. Establish an effective implementation team by assembling appropriate members, creating trust, and establishing common goals and effectiveness measures.

BAI05.03 Communicate desired vision. Communicate the desired vision for the change in the language of those affected by it. The communication should be made by senior management and include the rationale for, and benefits of, the change; the impacts of not making the change; and the vision, the road map and the involvement required of the various stakeholders.

BAI05.04 Empower role players and identify short-term wins. Empower those with implementation roles by ensuring that accountabilities are assigned, providing training, and aligning district structures and HR processes. Identify and communicate short-term wins that can be realized and are important from a change enablement perspective.

BAI05.05 Enable operation and use. Plan and implement all technical, operational and usage aspects such that all those who are involved in the future state environment can exercise their responsibility.

BAI05.06 Embed new approaches. Embed the new approaches by tracking implemented changes, assessing the effectiveness of the operation and use plan, and sustaining ongoing awareness through regular communication. Take corrective measures as appropriate, which may include enforcing compliance.

MEA01.01 Establish a monitoring approach. Engage with stakeholders to establish and maintain a monitoring approach to define the objectives, scope and method for measuring business solution and service delivery and contribution to enterprise objectives. Integrate this approach with the corporate performance management system.

MEA01.02 Set performance and conformance targets. Work with stakeholders to define, periodically review, update and approve performance and conformance targets within the performance measurement system.

MEA01.03 Collect and process performance and conformance data. Collect and process timely and accurate data aligned with enterprise approaches.

DSS01.01 Perform operational procedures. Maintain and perform operational procedures and operational tasks reliably and consistently.

DSS01.02 Manage outsourced IT services. Manage the operation of outsourced IT services to maintain the protection of enterprise information and reliability of service delivery.

DSS01.04 Manage the environment. Maintain measures for protection against environmental factors. Install specialized equipment and devices to monitor and control the environment.

DSS01.05 Manage facilities. Manage facilities, including power and communications equipment, in line with laws and regulations, technical and business requirements, vendor specifications, and health and safety guidelines.

DSS02.02 Record, classify and prioritize requests and incidents. Identify, record and classify service requests and incidents, and assign a priority according to business criticality and service agreements.

DSS02.03 Verify, approve and fulfill service requests. Select the appropriate request procedures and verify that the service requests fulfill defined request criteria. Obtain approval, if required, and fulfill the requests.

DSS02.04 Investigate, diagnose and allocate incidents. Identify and record incident symptoms, determine possible causes, and allocate for resolution.

DSS02.05 Resolve and recover from incidents. Document, apply and test the identified solutions or workarounds and perform recovery actions to restore the IT-related service.

DSS02.06 Close service requests and incidents. Verify satisfactory incident resolution and/or request fulfillment, and close.

DSS02.07 Track status and produce reports. Regularly track, analyze and report incident and request fulfillment trends to provide information for continual improvement.

DSS03.01 Identify and classify problems. Define and implement criteria and procedures to report problems identified, including problem classification, categorization and prioritization.

DSS03.02 Investigate and diagnose problems. Investigate and diagnose problems using relevant subject matter experts to assess and analyze root causes.

DSS03.03 Raise known errors. As soon as the root causes of problems are identified, create known-error records and an appropriate workaround, and identify potential solutions.

DSS03.04 Resolve and close problems. Identify and initiate sustainable solutions addressing the root cause, raising change requests via the established change management process if required to resolve errors. Ensure that the personnel affected are aware of the actions taken and the plans developed to prevent future incidents from occurring.

DSS03.05 Perform proactive problem management. Collect and analyze operational data (especially incident and change records) to identify emerging trends that may indicate problems. Log problem records to enable assessment.

DSS04.02 Maintain a continuity strategy. Evaluate business continuity management options and choose a cost-effective and viable continuity strategy that will ensure enterprise recovery and continuity in the face of a disaster or other major incident or disruption.

DSS04.03 Develop and implement a business continuity response. Develop a business continuity plan (BCP) based on the strategy that documents the procedures and information in readiness for use in an incident to enable the enterprise to continue its critical activities.

DSS04.04 Exercise, test and review the BCP. Test the continuity arrangements on a regular basis to exercise the recovery plans against predetermined outcomes and to allow innovative solutions to be developed and help to verify over time that the plan will work as anticipated.

DSS04.05 Review, maintain and improve the continuity plan. Conduct a management review of the continuity capability at regular intervals to ensure its continued suitability, adequacy and effectiveness. Manage changes to the plan in accordance with the change control process to ensure that the continuity plan is kept up to date and continually reflects actual business requirements.

DSS04.06 Conduct continuity plan training. Provide all concerned internal and external parties with regular training sessions regarding the procedures and their roles and responsibilities in case of disruption.

DSS04.07 Manage backup arrangements. Maintain availability of business-critical information.

DSS04.08 Conduct post-resumption review. Assess the adequacy of the BCP following the successful resumption of business processes and services after a disruption.

DSS05.01 Protect against malware. Implement and maintain preventive, detective and corrective measures in place (especially up-to-date security patches and virus control) across the enterprise to protect information systems and technology from malware (e.g., viruses, worms, spyware, spam).

DSS05.02 Manage network and connectivity security. Use security measures and related management procedures to protect information over all methods of connectivity.

DSS05.03 Manage endpoint security. Ensure that endpoints (e.g., laptop, desktop, server, and other mobile and network devices or software) are secured at a level that is equal to or greater than the defined security requirements of the information processed, stored or transmitted.

DSS05.04 Manage user identity and logical access. Ensure that all users have information access rights in accordance with their business requirements and co-ordinate with business units that manage their own access rights within business processes.

DSS05.05 Manage physical access to IT assets. Define and implement procedures to grant, limit and revoke access to premises, buildings and areas according to business needs, including emergencies. Access to premises, buildings and areas should be justified, authorized, logged and monitored. This should apply to all persons entering the premises, including staff, temporary staff, clients, vendors, visitors or any other third party.

DSS05.06 Manage sensitive documents and output devices. Establish appropriate physical safeguards, accounting practices and inventory management over sensitive IT assets, such as special forms, negotiable instruments, special-purpose printers or security tokens.

DSS05.07 Monitor the infrastructure for security-related events. Using intrusion detection tools, monitor the infrastructure for unauthorized access and ensure that any events are integrated with general event monitoring and incident management.

DSS06.02 Control the processing of information. Operate the execution of the business process activities and related controls, based on enterprise risk, to ensure that information processing is valid, complete, accurate, timely, and secure (i.e., reflects legitimate and authorized business use).

DSS06.03 Manage roles, responsibilities, access privileges and levels of authority. Manage the business roles, responsibilities, levels of authority and segregation of duties needed to support the business process objectives. Authorize access to any information assets related to business information processes, including those under the custody of the business, IT and third parties. This ensures that the business knows where the data are and who is handling data on its behalf.

DSS06.04 Manage errors and exceptions. Manage business process exceptions and errors and facilitate their correction. Include escalation of business process errors and exceptions and the execution of defined corrective actions. This provides assurance of the accuracy and integrity of the business information process.

DSS06.05 Ensure traceability of information events and accountabilities. Ensure that business information can be traced to the originating business event and accountable parties. This enables traceability of the information through its life cycle and related processes. This provides assurance that information that drives the business is reliable and has been processed in accordance with defined objectives.

DSS06.06 Secure information assets. Secure information assets accessible by the business through approved methods, including information in electronic form (such as methods that create new assets in any form, portable media devices, user applications and storage devices), information in physical form (such as source documents or output reports) and information during transit. This benefits the business by providing end-to-end safeguarding of information.

MEA01.05 Ensure the implementation of corrective actions. Assist stakeholders in identifying, initiating and tracking corrective actions to address anomalies.

MEA02.02 Review business process controls effectiveness. Review the operation of controls, including a review of monitoring and test evidence, to ensure that controls within business processes operate effectively. Include activities to maintain evidence of the effective operation of controls through mechanisms such as periodic testing of controls, continuous controls monitoring, independent assessments, command and control centers, and network operations centers. This provides the business with the assurance of control effectiveness to meet requirements related to business, regulatory and social responsibilities.

MEA02.03 Perform control self-assessments. Encourage management and process owners to take positive ownership of control improvement through a continuing program of self-assessment to evaluate the completeness and effectiveness of management's control over processes, policies and contracts.

MEA02.04 Identify and report control deficiencies. Identify control deficiencies and analyze and identify their underlying root causes. Escalate control deficiencies and report to stakeholders.

MEA02.05 Ensure that assurance providers are independent and qualified. Ensure that the entities performing assurance are independent from the function, groups or districts in scope. The entities performing assurance should demonstrate an appropriate attitude and appearance, competence in the skills and knowledge necessary to perform assurance, and adherence to codes of ethics and professional standards.

MEA02.06 Plan assurance initiatives. Plan assurance initiatives based on enterprise objectives and strategic priorities, inherent risk, resource constraints, and sufficient knowledge of the enterprise.

MEA02.08 Execute assurance initiatives. Execute the planned assurance initiative. Report on identified findings. Provide positive assurance opinions, where appropriate, and recommendations for improvement relating to identified operational performance, external compliance and internal control system residual risk.

MEA03.03 Confirm external compliance. Confirm compliance of policies, principles, standards, procedures and methodologies with legal, regulatory and contractual requirements.

MEA03.04 Obtain assurance of external compliance. Obtain and report assurance of compliance and adherence with policies, principles, standards, procedures and methodologies. Confirm that corrective actions to address compliance gaps are closed in a timely manner.

CSF Action Plan Review
COBIT Phase 6—Did We Get There?

Phase 6 provides the mechanisms to review the execution of the action plan and consider performance regarding the monitoring approach previously established (e.g., MEA01 processes from phases 4 and 5). Those implementing should consider how well the district achieved performance and conformance targets, updating ongoing improvement and communication activities in accordance with established change management processes. This review phase provides the opportunity to share both positive and negative results with stakeholders, fostering confidence in planned solutions and ensuring alignment with district drivers and goals.

Performance and conformance data may be shared with internal teams to improve subsequent processes. Appropriately sanitized risk, activity and performance results may be shared with external partners, consistent with the district's document classification policy for public documents, to help improve general understanding of IT risk management.

Implementation Consideration
CCSF Action Plan Review

Purpose

To review application of the improved governance and management practices and confirm that the action plan delivers the expected benefits.

Inputs

• Operating procedures for implemented action items
• Communication artifacts
• Performance metrics
• Action plan status reports

High-level Activities

• Assess the activities for phase 5 to assure that improvements and additions achieve the anticipated goals and attain risk management objectives.

• Document lessons learned from implementation activities to improve future cycles and assist other districts and similar exercises.

• Identify any specific ongoing monitoring needs in support of phase 7.

Outputs

• Organizational assessment
• Corrective action reports
• Performance results to stakeholders
• Lessons learned reports
• Results information sharing

Relevant COBIT 5 Practices for CCSF Action Plan Review (COBIT 5 practice, followed by CCSF description)

APO02.02 Assess the current environment, capabilities and performance. Assess the performance of current internal business and IT capabilities and external IT services, and develop an understanding of the enterprise architecture in relation to IT. Identify issues currently being experienced and develop recommendations and areas that could benefit from improvement. Consider service provider differentiators and options and the financial impact of potential costs and benefits of using external services.

MEA01.05 Ensure the implementation of corrective actions. Assist stakeholders in identifying, initiating and tracking corrective actions to address anomalies.

MEA02.02 Review business process controls effectiveness. Review the operation of controls, including a review of monitoring and test evidence, to ensure that controls within the business processes operate effectively. Include activities to maintain evidence of the effective operation of controls through mechanisms such as periodic testing of controls, continuous controls monitoring, independent assessments, command-and-control centers, and network operations centers. This provides the business with the assurance of control effectiveness to meet requirements related to business, regulatory and social responsibilities.

MEA02.03 Perform control self-assessments. Encourage management and process owners to take positive ownership of control improvement through a continuing program of self-assessment to evaluate the completeness and effectiveness of management's control over processes, policies and contracts.

MEA02.04 Identify and report control deficiencies. Identify control deficiencies and analyze and identify their underlying root causes. Escalate control deficiencies and report to stakeholders.

MEA02.05 Ensure that assurance providers are independent and qualified. Ensure that the entities performing assurance are independent from the function, groups or districts in scope. The entities performing assurance should demonstrate an appropriate attitude and appearance, competence in the skills and knowledge necessary to perform assurance, and adherence to codes of ethics and professional standards.

MEA02.08 Execute assurance initiatives. Execute the planned assurance initiative. Report on identified findings. Provide positive assurance opinions, where appropriate, and recommendations for improvement relating to identified operational performance, external compliance and internal control system residual risk.

MEA03.04 Obtain assurance of external compliance. Obtain and report assurance of compliance and adherence with policies, principles, standards, procedures and methodologies. Confirm that corrective actions to address compliance gaps are closed in a timely manner.

CSF Lifecycle Management
COBIT Phase 7 - How Do We Keep the Momentum Going?

An effective framework for governance and management of IT addresses the complete life cycle of IT investment, ensuring that it creates value in alignment with enterprise objectives. Combining the CCSF principles and COBIT 5 practices helps ensure value, manage risk and support mission drivers in accordance with the direction and support of the executive board and district business managers.

Phase 7 provides the opportunity to close the loop in the communication workflow introduced in Section 1, Implementation. As technical assessments (such as performance metrics like those established by the MEA01 processes) are reported to business process owners, they, in turn, report progress toward enterprise goals and mission priorities, using language, approaches and communications that are meaningful to executive management. Momentum, gained through progress and effective communication, drives subsequent iterations of the life cycle. Updated challenges and opportunities lead to updated risk assessments and priorities, fostering district commitment and ownership of all accountabilities and responsibilities. In this way, successful governance and management processes become institutionalized in the culture.

Implementation Consideration
CCSF Life Cycle Management

Purpose

To provide ongoing review/assessment of the overall success of the initiative, identify further governance or management requirements, and support continual improvement.

Inputs

• Operating procedures
• Monitoring plan
• Performance metrics

High-level Activities

• Continually monitor the activities for phase 5 to assure that improvements and additions achieve the anticipated goals and attain risk management objectives.

• Review effectiveness of improved governance and management practices and document benefits provided.

• Document lessons learned from implementation activities to further improve future cycles and assist other districts and similar exercises.

Outputs

• Assurance of external compliance
• Lessons learned reports
• Performance results to stakeholders
• Investment portfolio performance reports
• Service level reports
• Supplier performance and compliance reports
• Customer satisfaction/QMS reports
• Information security management system
• Project performance reports against key project performance criteria
• Change control plans and results
• Ongoing status and configuration reports

Relevant COBIT 5 Practices for CCSF Life Cycle Management (COBIT 5 practice, followed by CCSF description)

EDM01.03 Monitor the governance system. Monitor the effectiveness and performance of the enterprise's governance of IT. Assess whether the governance system and implemented mechanisms (including structures, principles and processes) are operating effectively and provide appropriate oversight of IT.

EDM02.01 Evaluate value optimization. Continually evaluate the portfolio of IT-enabled investments, services and assets to determine the likelihood of achieving enterprise objectives and delivering value at a reasonable cost. Identify and make judgment on any changes in direction that need to be given to management to optimize value creation.

EDM02.03 Monitor value optimization. Monitor the key goals and metrics to determine the extent to which the business is generating the expected value and benefits to the enterprise from IT-enabled investments and services. Identify significant issues and consider corrective actions.

EDM03.03 Monitor risk management. Monitor the key goals and metrics of the risk management processes and establish how deviations or problems will be identified, tracked and reported for remediation.

EDM04.03 Monitor resource management. Monitor the key goals and metrics of the resource management processes and establish how deviations or problems will be identified, tracked and reported for remediation.

EDM05.03 Monitor stakeholder communication. Monitor the effectiveness of stakeholder communication. Assess mechanisms for ensuring accuracy, reliability and effectiveness, and ascertain whether the requirements of different stakeholders are met.

APO04.03 Monitor and scan the technology environment. Perform systematic monitoring and scanning of the enterprise's external environment to identify emerging technologies that have the potential to create value (e.g., by realizing the enterprise strategy, optimizing costs, avoiding obsolescence, and better enabling enterprise and IT processes). Monitor the marketplace, competitive landscape, industry sectors, and legal and regulatory trends to be able to analyze emerging technologies or innovation ideas in the enterprise context.

APO04.04 Assess the potential of emerging technologies and innovation ideas. Analyze identified emerging technologies and/or other IT innovation suggestions. Work with stakeholders to validate assumptions on the potential of new technologies and innovation.

APO04.05 Recommend appropriate further initiatives. Evaluate and monitor the results of proof-of-concept initiatives and, if favorable, generate recommendations for further initiatives and gain stakeholder support.

APO04.06 Monitor the implementation and use of innovation. Monitor the implementation and use of emerging technologies and innovations during integration, adoption and for the full economic life cycle to ensure that the promised benefits are realized and to identify lessons learned.

APO05.04 Monitor, optimize and report on investment portfolio performance. On a regular basis, monitor and optimize the performance of the investment portfolio and individual programs throughout the entire investment life cycle.

APO05.05 Maintain portfolios. Maintain portfolios of investment programs and projects, IT services and IT assets.

APO05.06 Manage benefits achievement. Monitor the benefits of providing and maintaining appropriate IT services and capabilities, based on the agreed-on and current business case.

APO07.05 Track the usage of IT and business human resources. Track the current and future demand for business and IT human resources with responsibilities for enterprise IT. Identify shortfalls and provide input into sourcing plans, and enterprise and IT recruitment processes.

APO07.06 Manage contract staff. Ensure that consultants and contract personnel who support the enterprise with IT skills know and comply with the district's policies and meet agreed-on contractual requirements.

APO08.05 Provide input to the continual improvement of services. Continually improve and evolve IT-enabled services and service delivery to the enterprise to align with changing enterprise and technology requirements.

APO09.04 Monitor and report service levels. Monitor service levels, report on achievements and identify trends. Provide the appropriate management information to aid performance management.

APO09.05 Review service agreements and contracts. Conduct periodic reviews of the service agreements and revise when needed.

APO10.03 Manage supplier relationships and contracts. Formalize and manage the supplier relationship for each supplier. Manage, maintain and monitor contracts and service delivery. Ensure that new or changed contracts conform to enterprise standards and legal and regulatory requirements. Deal with contractual disputes.

APO10.04 Manage supplier risk. Identify and manage risk relating to suppliers' ability to continually provide secure, efficient and effective service delivery.

APO10.05 Monitor supplier performance and compliance. Periodically review the overall performance of suppliers, compliance to contract requirements, and value for money, and address identified issues.

APO11.04 Perform quality monitoring, control and reviews. Monitor the quality of processes and services on an ongoing basis as defined by the QMS. Define, plan and implement measurements to monitor customer satisfaction with quality as well as the value the QMS provides. The information gathered should be used by the process owner to improve quality.

APO11.06 Maintain continuous improvement. Maintain and regularly communicate an overall quality plan that promotes continuous improvement. This should include the need for, and benefits of, continuous improvement. Collect and analyze data about the QMS, and improve its effectiveness. Correct non-conformities to prevent recurrence. Promote a culture of quality and continual improvement.

APO13.01 Establish and maintain an information security management system (ISMS). Establish and maintain an ISMS that provides a standard, formal and continuous approach to security management for information, enabling secure technology and business processes that are aligned with business requirements and enterprise security management.

APO13.02 Maintain an information security plan that describes how information security risk is to be managed and aligned with the enterprise strategy and enterprise architecture. Ensure that recommendations for implementing security improvements are based on approved business cases and implemented as an integral part of services and solutions development, then operated as an integral part of business operation.

APO13.03 Monitor and review the ISMS. Maintain and regularly communicate the need for, and benefits of, continuous information security improvement. Collect and analyze data about the ISMS, and improve the effectiveness of the ISMS. Correct non-conformities to prevent recurrence. Promote a culture of security and continual improvement.

BAI01.06 Monitor, control and report on the program outcomes. Monitor and control program (solution delivery) and enterprise (value/outcome) performance against plan throughout the full economic life cycle of the investment. Report this performance to the program steering committee and the sponsors.

BAI01.10 Manage program and project risk. Eliminate or minimize specific risk associated with programs and projects through a systematic process of planning, identifying, analyzing, responding to, and monitoring and controlling the areas or events that have the potential to cause unwanted change. Risk faced by program and project management should be established and centrally recorded.

BAI01.11 Monitor and control projects. Measure project performance against key project performance criteria such as schedule, quality, cost and risk. Identify any deviations from the expected. Assess the impact of deviations on the project and overall program, and report results to key stakeholders.

BAI01.12 Manage project resources and work packages. Manage project work packages by placing formal requirements on authorizing and accepting work packages, and assigning and coordinating appropriate business and IT resources.

BAI03.09 Manage changes to requirements. Track the status of individual requirements (including all rejected requirements) throughout the project life cycle and manage the approval of changes to requirements.

BAI03.10 Maintain solutions. Develop and execute a plan for the maintenance of solution and infrastructure components. Include periodic reviews against business needs and operational requirements.

BAI04.04 Monitor and review availability and capacity. Monitor, measure, analyze, report and review availability, performance and capacity. Identify deviations from established baselines. Review trend analysis reports identifying any significant issues and variances, initiating actions where necessary, and ensuring that all outstanding issues are followed up.

BAI05.07 Sustain changes. Sustain changes through effective training of new staff, ongoing communication campaigns, continued top management commitment, adoption monitoring and sharing of lessons learned across the enterprise.

BAI06 (ALL) Manage all changes in a controlled manner, including standard changes and emergency maintenance relating to business processes, applications and infrastructure. This includes change standards and procedures, impact assessment, prioritization and authorization, emergency changes, tracking, reporting, closure and documentation.

BAI07 (ALL) Formally accept and make operational new solutions, including implementation planning, system and data conversion, acceptance testing, communication, release preparation, promotion to production of new or changed business processes and IT services, early production support, and a post-implementation review.

BAI08 (ALL) Maintain the availability of relevant, current, validated and reliable knowledge to support all process activities and to facilitate decision making. Plan for the identification, gathering, organizing, maintaining, use and retirement of knowledge.

BAI10.03 Maintain and control configuration items. Maintain an up-to-date repository of configuration items by populating with changes.

BAI10.04 Produce status and configuration reports. Define and produce configuration reports on status changes of configuration items.

BAI10.05 Verify and review integrity of the configuration repository. Periodically review the configuration repository and verify completeness and correctness against the desired target.

DSS01 (ALL) Coordinate and execute the activities and operational procedures required to deliver internal and outsourced IT services, including the execution of pre-defined standard operating procedures and the required monitoring activities.

DSS02 (ALL) Provide timely and effective response to user requests and resolution of all types of incidents. Restore normal service; record and fulfill user requests; and record, investigate, diagnose, escalate and resolve incidents.


DSS03 (ALL) Identify and classify problems and their root causes and provide timely resolution to prevent recurring incidents. Provide recommendations for improvements.

DSS04 (ALL) Establish and maintain a plan to enable the business and IT to respond to incidents and disruptions in order to continue operation of critical business processes and required IT services and maintain availability of information at a level acceptable to the enterprise.

MEA01.04 Analyze and report performance. Periodically review and report performance against targets, using a method that provides a succinct all-around view of IT performance and fits within the enterprise monitoring system.

MEA01.05 Ensure the implementation of corrective actions. Assist stakeholders in identifying, initiating and tracking corrective actions to address anomalies.

MEA02 (ALL) Continuously monitor and evaluate the control environment, including self-assessments and independent assurance reviews. Enable management to identify control deficiencies and inefficiencies and to initiate improvement actions. Plan, organize and maintain standards for internal control assessment and assurance activities.


Appendix A. Introduction

Background

Security threats to educational systems are not new. County offices of education and individual school districts have been managing operational and information technology security systems and vulnerability for a number of years. The problem is that the opposition, that is, those who wish to exploit school district information, are advancing at such a rapid rate that the management of security risk and vulnerability can be and is overwhelming. Attacks on educational systems and the increasing rate of those attacks point towards a difficult future managing risk. This is evidenced by the increasing denial of service attacks against school districts in the past five years, which in some instances have brought the district to a standstill and affected the overall educational process. These attackers are well-organized, financially stable and can implement some very sophisticated techniques that render attempts at prevention extremely difficult. Yet schools and districts are becoming increasingly more dependent upon technology, telecommunications and overall connectivity. This trend of technology dependency does not appear to be slowing, and new technology innovations such as mobile device management, Bring Your Own Device (BYOD) and the Internet of Things (IoT) are becoming commonplace. This necessitates protecting educational systems against cybersecurity attacks.

To help address potential risk, mitigate security and vulnerability issues and provide overall direction, CCSESA has developed this guidebook to assist schools, districts and County Offices of Education in the implementation of the NIST Framework for Improving Critical Infrastructure Cybersecurity, better known as the Cybersecurity Framework or CSF.

While the CCSF was originally created to support infrastructure providers, the concepts, practices and procedures are very applicable to educational institutions desiring some formality in managing and reducing overall security risk. The connected nature of our school systems and the support of district-wide critical infrastructure can better be addressed through a formalized process to allow some level of structure, services and compliance. Any effort to manage overall security risk will ultimately help reduce cybersecurity attacks.

This guidebook addresses some of the technical requirements needed to apply the NIST Cybersecurity Framework, utilizing selected documents from industry standards, principles and practices, such as many of those practices developed by the IT Governance Institute. The anticipated audiences utilizing this guidebook to establish standards will range from Boards of Education to district/campus management, IT service personnel and district faculty. The following Figure 1 identifies several of the principal roles or functions and the potential benefits they can expect from utilizing the CCSF.


Figure 1 - CSF Implementation - Target Audience and Benefits

Role (Function): Potential Benefit

Executive (Board of Education and Executive Management):
• Understanding responsibilities and roles in cybersecurity within the district.
• Better understanding of current cybersecurity posture.
• Better understanding of cybersecurity risk to the district.
• Better understanding of the cybersecurity target state to be developed.
• Understanding of actions required to close gaps between current cybersecurity posture and the target state.

Educational/Processes (IT Management):
• Awareness of educational impacts.
• Understanding the relationship of educational systems and their associated risk appetite.

Educational/Processes (IT Process Management):
• Understanding of educational requirements and mission objectives and their priorities.

Educational/Processes (Risk Management):
• Enhanced view of the operational environment to discern the likelihood of a cybersecurity event.

Educational/Processes (Legal Experts):
• Understanding of cyber threats to educational units and their mission objectives.
• Understanding of all compliance requirements for each educational unit.

Implementation/Operator (Implementation Teams):
• Understanding of security controls and their importance in managing operational security risk.
• Detailed understanding of required actions to close gaps in cybersecurity requirements.

Implementation/Operator (Employees):
• Understanding of cybersecurity requirements for their associated educational systems.


Governance and Management of Enterprise Information Technology

CCSESA is dedicated to supporting the knowledge and skills to help educators determine and achieve strategic goals and realize potential educational benefits through the effective and innovative use of technology. Throughout this guidebook, standard vocabulary will be used to describe the various processes, activities and planning:

• Enterprise - A group of individuals working together for a common purpose, typically within the context of an educational institution such as a school, district or County office of education.
• Organization - The structure of related or connected components of an enterprise defined by a particular scope.
• Governance - Ensures that educational needs, conditions and options are evaluated to determine balanced, agreed-on enterprise objectives to be achieved; setting direction through prioritization and decision-making; and monitoring performance and compliance against agreed-upon direction and objectives.
• Management - Planning, building, operating and monitoring activities in alignment with the directions set forth by the governance body to achieve the enterprise objectives.

The documents included within this guidebook routinely reference Information Technology or IT. When used in this context, IT is referring to the technical processes and solutions involving hardware and software that enable educational functions to achieve strategic or enterprise objectives. The reader should realize that technology includes 3 components:

• Instructional Technology - specific technologies used in the educational processes of instructing students.
• Operational Technology - automated machinery or control systems such as environmental controls.
• Information Technology - Hardware/Software

Some of the planning and management processes described in this guidebook will be helpful in organizing, evaluating and supporting the convergence of operational technology, instructional technology and information technology. It is important that those who utilize the processes in this guidebook adopt an overall comprehensive view of technology and not isolate the technology based upon scope or process. A very broad view of enterprise technology will help support overall effective cybersecurity management in all phases of the educational process.


Introduction to the Framework for Improving Critical Infrastructure Cybersecurity

Based upon highly visible situations occurring within the security structures of our government, retail establishments and financial districts, it was recognized that broad safeguards to protect these enterprises would be required to prevent compromise of critical infrastructure. President Barack Obama issued Executive Order (EO) 13636 [1]. This directed the executive branch of the US government to collaborate with industrial and international partners to work on the following initiatives:

1. Develop a technology-neutral voluntary cybersecurity framework.
2. Promote and incentivize the adoption of cybersecurity practices.
3. Increase the volume, timeliness and quality of cyber threat information sharing.
4. Incorporate strong privacy and civil liberties protections into every initiative to secure our critical infrastructure.
5. Explore the use of existing regulation to promote cybersecurity.

In addition to EO 13636, President Obama also created Presidential Policy Directive (PPD)-21: Critical Infrastructure Security and Resilience, which replaced Homeland Security Presidential Directive 7. This important change directed the Executive Branch of the US Government to take the following actions for any US critical infrastructure such as that listed in Figure 2.

• Develop a situational awareness capability that addresses both physical and cyber aspects of how our infrastructure is functioning in near real time.
• Understand the cascading consequences of infrastructure failures.
• Evaluate and mature the public-private partnership.
• Update the National Infrastructure Protection Plan.
• Develop a comprehensive research and development plan.

Figure 2 - Sector-Specific Agencies As Described In PPD-21

Sector: Sector-Specific Agency or Agencies
Chemical: Department of Homeland Security
Commercial Facilities: Department of Homeland Security
Communications: Department of Homeland Security
Critical Manufacturing: Department of Homeland Security
Dams: Department of Homeland Security
Defense Industrial Base: Department of Defense
Emergency Services: Department of Homeland Security
Energy: Department of Energy
Financial Services: Department of the Treasury
Food and Agriculture: Departments of Agriculture and Health and Human Services
Government Facilities: Department of Homeland Security and General Services Administration
Healthcare and Public Health: Department of Health and Human Services
Information Technology: Department of Homeland Security
Nuclear Reactors, Materials and Waste: Department of Homeland Security
Transportation Systems: Departments of Homeland Security and Transportation
Water and Wastewater Systems: Environmental Protection Agency

[1] Executive Order (EO) 13636 is available from the US Government Printing Office at www.gpo.gov/fdsys/pkg/FR-2013-02-19/pdf/2013-03915.pdf


Section 7 of EO 13636 directed the Secretary of Commerce to ask NIST to lead development of a framework (the CCSF) to reduce cyber risk to critical infrastructure. This framework included a set of standards, methodologies, procedures and processes that align policy, business and technological approaches to address cyber risk. The EO directs NIST to incorporate voluntary consensus standards and industry best practices, and to be consistent with voluntary international standards when such international standards will advance the objectives of the EO.

Critical success factors of the CCSF are set out in section 7 of EO 13636. It requires that the CCSF:

• Provide a prioritized, flexible, repeatable, performance-based and cost-effective approach, including information security measures and controls, to help owners and operators of critical infrastructure identify, assess and manage cyber risk.
• Focus on identifying cross-sector security standards and guidelines applicable to critical infrastructure.
• Identify areas for improvement to future collaboration with particular sectors and standards-developing organizations.
• Provide guidance that is technology neutral and that enables critical infrastructure sectors to benefit from a competitive market for products and services that meet the standards, methodologies, procedures and processes developed to address cyber risk.
• Include guidance for measuring the performance of an entity in implementing the cybersecurity Framework.

To answer these governmental directives, the National Institute of Standards and Technology (NIST) released various requests for information (RFI) in 2013 asking a broad array of questions to gather relevant input from cross-sector industry partners, academia and other stakeholders. NIST requested information on how districts are currently assessing risk and threats to their district; how cybersecurity factors into that risk assessment; the current usage of existing cybersecurity frameworks, standards and guidelines; and other management practices related to cybersecurity. In addition, NIST requested information about legal/regulatory aspects of particular frameworks, standards, guidelines and/or best practices and the challenges districts perceive in meeting those requirements. Thousands of data points were assembled and analyzed by key stakeholders within the NIST Framework.

In order to clarify many of the data points received, NIST conducted several workshops to refine the feedback and generate required reporting and preparation for RFQ development. Based on the responses to the RFI, results of workshops and interviews, and additional commissioned research, NIST developed a Cybersecurity Framework that identified the existing practices in order to help a district's risk management practices as they relate to the prevention and detection of, response to, and recovery from the various identified cybersecurity issues.

The first draft of the CCSF was released in 2014 identifying three primary components:

• Framework Core
• Framework Implementation Tiers
• Framework Profiles

The guidebook provides descriptions elsewhere. Initial responses from districts attempting to implement the framework were mixed: a lot of information, but not a lot of detail on how to implement the various implementation tiers and profiles. The concepts were new and not fully understood by those implementation teams tasked with the responsibility of implementing a standardized security framework. What was missing appeared to be a practical approach towards implementation. Several groups opted to integrate the NIST Framework with an existing, standardized practice designed to assist various enterprises in achieving governance objectives and IT management. This standardized practice is related to COBIT 5.

Introduction to COBIT 5

The COBIT standards have been recognized for a number of years by most enterprise districts as a comprehensive framework designed to help districts achieve governance and management objectives for IT. Several models for implementation are available, ranging from a gradual approach, starting small and building upon initial successes, to one managed for the entire enterprise taking the full end-to-end approach. Regardless of how a district approaches the implementation of the COBIT standards, optimal value from IT is obtained by maintaining a balance between benefit realization and optimizing risk and resources. The current iteration of COBIT is version 5.0. This standard is generic in nature and useful for any vertical sector market, including education of all sizes, from small school districts and charter schools to the largest of our school districts. The COBIT 5 product family is shown below in Figure 3.

COBIT 5 provides a comprehensive framework assisting school districts in achieving their objectives for the governance and management of their technology program. The framework may be implemented in a gradual approach, starting small and building on initial success, or managed in a holistic manner for the entire school district, taking in the full end-to-end business and IT functional areas of responsibility. In either approach, COBIT helps enterprises create optimal value from IT by maintaining a balance between realizing benefits and optimizing risk levels and resource use. In itself, COBIT 5 is very generic and useful for enterprises of all sizes, whether school districts, County offices of education or even Higher Education.

Figure 3 - COBIT 5 Product Family

• COBIT 5
• COBIT 5 Enabler Guides: COBIT 5: Enabling Processes; COBIT 5: Enabling Information; Other Enabler Guides
• COBIT 5 Professional Guides: COBIT 5 Implementation; COBIT 5 for Information Security; COBIT 5 for Assurance; COBIT 5 for Risk; Other Professional Guides

The basis for the COBIT 5 framework is five key principles of governance and management of educational IT environments:

1. Principle 1: Meeting Stakeholder Needs (student, staff, administration and even parents)
2. Principle 2: Covering the Enterprise Technology environment (Information/Operation/Educational)
3. Principle 3: Applying a Single, Integrated Framework for all Audiences and Stakeholders
4. Principle 4: Enabling a Holistic Approach
5. Principle 5: Separating Governance from Management

Together, these five principles enable the enterprise to build an effective governance and management framework that optimizes information and technology investment and use for the benefit of educational stakeholders.

School districts exist to create value for their students. Consequently, any district will have value creation as a governance objective. Value creation means realizing benefits at an optimal resource cost while optimizing risk. Benefits can take many forms, such as financial for commercial enterprises, or taxpayer benefits and improved public service for government entities.

COBIT 5 Governance and Management

The COBIT 5 framework makes a clear distinction between governance and management. These two disciplines encompass different types of activities, require different district structures and serve different purposes. The COBIT 5 view on the key distinction between governance and management is:

Governance - Governance ensures that stakeholder needs, conditions and options are evaluated to determine balanced, agreed-on enterprise objectives to be achieved; setting direction through prioritization and decision-making; and monitoring.

Management - Management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives.

COBIT 5 Goals Cascade

Stakeholder needs have to be transformed into a district's actionable strategy. The COBIT 5 goals cascade is the mechanism to translate stakeholder needs into specific, actionable and customized enterprise goals, IT-related goals and enabler goals. This translation allows setting specific goals at every level and in every area of the enterprise in support of the overall goals and stakeholder requirements, and thus effectively supports alignment between enterprise needs and IT solutions and services.

COBIT 5 Enablers

COBIT 5 provides a holistic and systemic view on governance and management, based on a number of enablers. Enablers are factors that, individually and collectively, influence whether something will work—in this case, governance and management over enterprise IT. Enablers are driven by the goals cascade, i.e., higher-level IT-related goals define what the different enablers should achieve.


The COBIT 5 framework describes seven categories of enablers:

1. Principles, policies and frameworks
2. Processes
3. Organizational structures
4. Culture, ethics and behavior
5. Information
6. Services, infrastructure and applications
7. People, skills and competencies

Any enterprise must always consider an interconnected set of enablers. Each enabler:

• needs the input of other enablers to be fully effective, e.g., processes need information, district structures need skills and behavior; and
• delivers output to the benefit of other enablers, e.g., processes deliver information, skills and behavior make processes efficient.

COBIT 5 Process Reference Model

Processes are one of the seven enabler categories for Governance and Management. COBIT 5 includes a process reference model, defining and describing in detail a number of governance and management processes. The model provides a process reference tool that represents all of the processes that relate to IT activities normally found in a district, offering a common reference model understandable to operational IT and business managers. The proposed process model is a complete, comprehensive model, but it is not the only possible process model. Each enterprise must define its own process set, taking into account the specific situation.

Incorporating an operational model and a common language for all parts of the district involved in IT activities is one of the most important and critical steps toward good governance. It also provides a framework for measuring and monitoring IT performance, communicating with service providers, and integrating best management practices.

COBIT 5 advocates that the district implements governance and management processes such that the key areas are covered, as shown in Figure 4.


Figure 5 below shows the complete set of 37 governance and management processes within COBIT 5.


COBIT 5 Implementation Guidance

Optimal value can be realized from leveraging COBIT only if it is effectively adopted and adapted to suit each school or district's unique environment. Each implementation approach will also need to address specific challenges, including managing changes to culture and behavior.

CCSESA provides practical and extensive implementation guidance through its implementation of this framework and COBIT 5, which is based on a continual improvement life cycle. It is not intended to be a prescriptive approach nor a complete solution, but rather a guide to avoid commonly encountered pitfalls, leverage good practices and assist in the creation of successful outcomes. The guide is also supported by an implementation toolkit containing a variety of resources that will be continually enhanced. Its content includes:

• Self-assessment, measurement and diagnostic tools
• The NIST Framework in database format with implementation references
• E-Learning modules

The following are important topics covered in COBIT 5 Implementation:

1. Making a business case for the implementation and improvement of the governance and management of IT
2. Recognizing typical pain points and trigger events
3. Creating the appropriate environment for implementation
4. Leveraging COBIT to identify gaps and guide the development of enablers such as policies, processes, principles, district structures, and roles and responsibilities.

Scope and Approach

The guidance in this framework is intended to assist schools or districts with understanding steps for Framework implementation using CCSESA and COBIT methods and approach. The guide provides processes, example templates and guidance for using the Framework to identify and achieve enterprise and district objectives for the governance and management of IT.

The information is organized as follows:

• Section 1. Framework Implementation - Describes the approach to implementation with supporting templates
• Appendix A. Introduction - Provides the background of the development of the NIST, COBIT and other frameworks and standards
• Appendix B. Introduction to NIST Cybersecurity Framework 1.0 - Provides a detailed introduction into the NIST Cybersecurity Framework 1.0 and its three components: Framework Core, Implementation Tiers and Profiles
• Appendix C. Communicating Cybersecurity Requirements with Stakeholders - Provides samples of communication strategies
• Appendix D: Framework Core - A printed copy of the CCSESA Framework Core for reference
• Appendix E: CCSESA CCSF Toolkit - Provides samples of spreadsheets and databases used in the implementation of the CCSESA Cyber Security Framework
• Appendix F: Considerations for Critical Infrastructure Sectors


Figure 6 provides an overview of this document and the location of information to answer some common questions regarding the implementation of the Framework.


Appendix B. Introduction to NIST Cybersecurity Framework 1.0

Framework Background

The NIST Cybersecurity Framework (aka CCSF) was developed in response to US Presidential Executive Order 13636, which states,

"Repeated cyber intrusions into critical infrastructure demonstrate the need for improved cybersecurity. The cyber threat to critical infrastructure continues to grow and represents one of the most serious national security challenges we must confront."

Keep in mind what was occurring just prior to the release of the EO in 2013. Some very high profile organizations such as Target, Home Depot and Michaels encountered some very highly visible security breaches resulting in the compromise of large amounts of customer data including credit card information. The organizations reacted accordingly but without a lot of direction or standardization.

The goals of the Obama Executive Order align well with the COBIT 5 framework, which recognizes that "information is a key resource for all enterprises," and "information technology is increasingly advanced and has become pervasive in enterprises and in social, public and business environments." COBIT 5 helps enterprises to create optimal value from IT by maintaining a balance between realizing benefits and optimizing risk levels and resource use. The framework enables IT to be governed and managed in a holistic manner for the entire enterprise, taking into account the full end-to-end business and IT functional areas of responsibility and considering the IT-related interests of internal and external stakeholders.

Over the next few months, staff from NIST (National Institute of Standards and Technology) met with industry partners within the SMB and Higher Ed community to consider responses to the February 2013 RFI, and further refined guidance to create a risk-based framework for reducing risk.

Participation and comment submissions included significant contribution from small- and medium-sized businesses (SMBs), and from Education (primarily Higher Ed). This input greatly improved the understanding of the challenges and root causes underlying risk. The support from SMBs and Higher Ed contributed to a broad and flexible framework. Each RFI response and each subsequent workshop comment was reviewed and analyzed by NIST. Through analysis of response coverage across critical infrastructure sectors and district types and consideration of terms and phrases that identified key response points, NIST identified commonalities and recurring themes. These themes were leveraged and incorporated through the CCSF during its development.


Figure 7 - NIST Initial Framework Considerations (categories: Framework Principles, Common Points, Initial Groups)

Themes:

• Flexibility

• Impact on global operations

• Risk approaches

• Leverage approaches, standards and best practices

• Senior management engagement

• Understanding threat environment

• Business risk / risk assessment

• Separation of business and operational systems

• Models / levels of maturity

• Incident response

• Cybersecurity workforce

• Metrics

• Privacy / civil liberties

• Tools

• Dependencies

• Industry best practices

• Resiliency

• Critical infrastructure cybersecurity nomenclature

Source: NIST, 2013 Initial Analysis of Cybersecurity Framework RFI Responses, USA, Figure 1

The CCSF is a risk-based (vs. compliance-based) approach to managing cybersecurity risk and is comprised of three parts:

1. The Framework Core,

2. The Framework Implementation Tiers and

3. The Framework Profiles.

Each CCSF component reinforces the connection between business drivers and cybersecurity activities.

The Framework Core (detailed later in this guidebook) is a set of cybersecurity activities, desired outcomes and applicable references that are common across critical infrastructure sectors including Education.

The Framework Implementation Tiers provide context on how a district views cybersecurity risk and the processes in place to manage that risk. Tiers describe the degree to which a district’s cybersecurity risk management practices exhibit the characteristics defined in the Framework (e.g., risk- and threat-aware, repeatable, and adaptive). The Tiers characterize a district’s practices over a range, from Partial (Tier 1) to Adaptive (Tier 4).

A Framework Profile represents the outcomes based on business needs that a district has selected from the Framework Categories and Subcategories. The Profile can be characterized as the alignment of standards, guidelines and practices to the Framework Core in a particular implementation scenario. Profiles can be used to identify opportunities for improving cybersecurity posture by comparing a Current Profile (the “as is” state) with a Target Profile (the “to be” state).


In addition to providing a cybersecurity Framework, the Framework for Improving Critical Infrastructure Cybersecurity also provides basic implementation guidance through a seven-step process.


Step 1: Prioritize and Scope — Requests that districts scope and prioritize business/mission objectives and high-level district priorities. This information allows districts to make strategic decisions regarding the scope of systems and assets that support the selected business lines or processes within the district.

Step 2: Orient — Provides districts an opportunity to identify threats to, and vulnerabilities of, systems identified in the Prioritize and Scope step.

Step 3: Create a Current Profile — Identifies the requirement to define the current state of the district’s cybersecurity program by establishing a current state profile.

Step 4: Conduct a Risk Assessment — Allows districts to conduct a risk assessment using their currently accepted methodology. The information from this step in the process is used in Step 5.

Step 5: Create a Target Profile — Allows districts to develop a risk-informed target state profile. The target state profile focuses on the assessment of the Framework Categories and Subcategories describing the district’s desired cybersecurity outcomes.

Step 6: Determine, Analyze, and Prioritize Gaps — Organizations conduct a gap analysis to determine opportunities for improving the current state. The gaps are identified by overlaying the current state profile with the target state profile.

Step 7: Implement Action Plan — After the gaps are identified and prioritized, the required actions are taken to close the gaps and work toward obtaining the target state.


While hundreds of organizations provided input into the design of the Cybersecurity Framework, COBIT principles were deeply engaged in the CCSF development at each stage. Many COBIT principles are visible in the CCSF implementation steps. Figure 8 illustrates some parallels between CCSF implementation steps and COBIT 5 framework principles.


Figure 8 - Comparison of the CCSF Implementation Steps with COBIT 5 Principles (CSF Steps 1-7 paired with COBIT Principles 1-5)

Step 1: Prioritize and Scope — Requests that districts scope and prioritize business/mission objectives and high-level district priorities. This information allows districts to make strategic decisions regarding the scope of systems and assets that support the selected business lines or processes within the district.

Principle 1: Meeting Stakeholder Needs — Enterprises exist to create value for their stakeholders by maintaining a balance between the realization of benefits and the optimization of risk and use of resources. An enterprise can customize COBIT 5 to suit its own context through the goals cascade, translating high-level enterprise goals into manageable, specific goals and mapping these to specific processes and practices.

Step 2: Orient — Provides districts an opportunity to identify threats to, and vulnerabilities of, systems identified in the Prioritize and Scope step.

Step 3: Create a Current Profile — Identifies the requirement to define the current state of the district’s cybersecurity program by establishing a current state profile.

Principle 2: Covering the Enterprise End-to-end — COBIT 5 integrates governance of enterprise IT into enterprise governance:

• It covers all functions and processes within the enterprise; COBIT 5 does not focus only on the “IT function,” but treats information and related technologies as assets that need to be dealt with just like any other asset by everyone in the enterprise.

• It considers all IT-related governance and management enablers to be enterprise-wide and end-to-end, i.e., inclusive of everything and everyone — internal and external — that is relevant to governance and management of enterprise information and related IT.

Step 4: Conduct a Risk Assessment — Allows districts to conduct a risk assessment using their currently accepted methodology. The information from this step in the process is used in Step 5.

Principle 3: Applying a Single, Integrated Framework — There are many IT-related standards and good practices, each providing guidance on a subset of IT activities. COBIT 5 aligns with other relevant standards and frameworks at a high level, and thus can serve as the overarching framework for governance and management of enterprise IT.

Step 5: Create a Target Profile — Allows districts to develop a risk-informed target state profile. The target state profile focuses on the assessment of the Framework Categories and Subcategories describing the district’s desired cybersecurity outcomes.

Principle 4: Enabling a Holistic Approach — Efficient and effective governance and management of enterprise IT require a holistic approach, taking into account several interacting components. COBIT 5 defines a set of enablers to support the implementation of a comprehensive governance and management system for enterprise IT. Enablers are broadly defined as anything that can help to achieve the objectives of the enterprise. The COBIT 5 framework defines seven categories of enablers:

1. Principles, Policies and Frameworks

2. Processes

3. Organizational Structures

4. Culture, Ethics and Behavior

5. Information

6. Services, Infrastructure and Applications

7. People, Skills and Competencies

Step 6: Determine, Analyze, and Prioritize Gaps — Organizations conduct a gap analysis to determine opportunities for improving the current state. The gaps are identified by overlaying the current state profile with the target state profile.

Principle 5: Separating Governance from Management — The COBIT 5 framework makes a clear distinction between governance and management. These two disciplines encompass different types of activities, require different district structures and serve different purposes.

Step 7: Implement Action Plan — After the gaps are identified and prioritized, the required actions are taken to close the gaps and work toward obtaining the target state.


Coordination of Framework Implementation

Another important aspect of the CCSF is its guidance regarding stakeholder communications. NIST’s analysis of industry feedback during the development period indicated that risk decisions, in many districts, had alignment problems with enterprise drivers and goals. As COBIT 5 for Risk points out, when board and executive management at the enterprise level (see COBIT 5 process EDM03 - Ensure Risk Optimization) define risk capacity and risk appetite, the prioritization and approval process of risk response actions are improved.

The CCSF’s common flow of information and decisions at the following levels within a district is similar to that described in COBIT 5’s stakeholder roles, shown in Figure 9.

Figure 9 - Comparison of CCSF and COBIT Roles (CSF Role: COBIT 5 Roles)

Executive Level: Board of Directors and Executive Management

Business/Process: Business management and business process owners

Implementation/Operations: IT management and IT process owners (e.g., head of operations, chief architect, IT security manager, business continuity management specialist) and other implementation team members

The Executive Level communicates information about district goals and mission priorities, using language, approaches and communications that are meaningful to executive management. This activity is comparable to the COBIT implementation phase “Phase 1 — What Are the Drivers?” Dialogue with business management and business process owners includes definition of appropriate risk tolerances and available resources. The Business/Process level, in turn, uses the information as inputs into the risk management process, and then collaborates with the IT management and IT process owners to communicate business needs.

These two levels of management determine the current cybersecurity state using a Framework Profile template (described later in this document). The Current Profile and Target Profile provide considerations comparable to COBIT’s next two implementation phases, “Phase 2 — Where Are We Now?” and “Phase 3 — Where Do We Want To Be?” Through comparison of the target with the current state, the implementation team is able to recommend specific and prioritized actions to achieve stakeholder goals, aligned with the phase 1 business drivers, resource requirements and district risk appetite. This action plan, comparable to COBIT implementation phases 4 and 5, “Phase 4 — What Needs to Be Done?” and “Phase 5 — How Do We Get There?”, provides a cost-effective, agile governance of enterprise IT approach that is scalable to any size district.

As Figure 10 illustrates, the information flow is cyclical, with ongoing monitoring as a critical step. The COBIT implementation phases “Phase 6 — Did We Get There?” and “Phase 7 — How Do We Keep the Momentum Going?” provide important considerations to ensure ongoing, cost-effective governance and management. For example, as technical changes occur (e.g., changes to physical, process and technical assets; updated threats; discovered or remediated vulnerabilities), the implementation/operations level communicates the Profile implementation progress to the business/process level.


The business/process level uses this information to perform an impact assessment in consideration of the business drivers. Business/process level management reports the outcomes of that impact assessment to the executive level, using language and methods appropriate for the board of directors/executive management communications, to inform the district’s overall risk management process.

Framework Core

The Framework Core is a set of cybersecurity activities suitable for educational practices, desired outcomes and applicable references (not only educational but other SMB) that are common across critical infrastructure sectors. The Core presents industry standards, guidelines and practices in a manner that allows for communication of cybersecurity activities and outcomes across the district from the executive level (including school boards) to the implementation/operations level within the IT Department. The Framework Core consists of five concurrent and continuous Functions:

• Identify,

• Protect,

• Detect,

• Respond,

• Recover.

When considered together, these Functions provide a high-level, strategic view of the lifecycle of a school district’s management of cybersecurity risk. The Framework Core then identifies underlying key Categories and Subcategories for each Function, and matches them with example Informative References such as existing standards, guidelines and practices for each Subcategory, as depicted in Figure 11.

Notice the hierarchical structure of the Framework. This is best depicted in a variety of database tools, many of which are available from various locations on the web (https://www.nist.gov/cyberframework/csf-reference-tool). What is missing is a detailed breakdown of critical references, including state-specific references. The database tool provided in this toolkit contains a number of these local references. The database has been developed in Microsoft Access format to allow for easy editing and augmenting with additional resources. In addition to the database tool, an Excel version of the Core components is provided in more detail in the toolkit.


The outcomes in the Core help the reader to answer the following questions:

• What people, processes and technologies are essential to provide the right services to the right stakeholders?

• What do we need to do to protect those assets from the risk discovered in the Identify function?

• What detection capability can we implement to recognize potential or realized risk to district assets from identified risk?

• What response and recovery activities are appropriate and necessary to continue operations (albeit diminished) or restore services described above?

The CCSF describes the five Core Functions as:

• Identify — develop the district understanding to manage cybersecurity risk to systems, assets, data and capabilities. The activities in the Identify Function are foundational for effective use of the Framework. Understanding the business context, the resources that support critical functions and the related cybersecurity risk enables a district to focus and prioritize its efforts, consistent with its risk management strategy and business needs. Examples of outcome Categories within this Function include: Asset Management; Business Environment; Governance; Risk Assessment; and Risk Management Strategy.

• Protect — develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services. The Protect Function supports the ability to limit or contain the impact of a potential cybersecurity event. Examples of outcome Categories within this Function include: Access Control; Awareness and Training; Data Security; Information Protection Processes and Procedures; Maintenance; and Protective Technology.

• Detect — develop and implement the appropriate activities to identify the occurrence of a cybersecurity event. The Detect Function enables timely discovery of cybersecurity events. Examples of outcome Categories within this Function include: Anomalies and Events; Security Continuous Monitoring; and Detection Processes.

• Respond — develop and implement the appropriate activities to take action regarding a detected cybersecurity event. The Respond Function supports the ability to contain the impact of a potential cybersecurity event. Examples of outcome Categories within this Function include: Response Planning; Communications; Analysis; Mitigation; and Improvements.

• Recover — develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event. The Recover Function supports timely recovery to normal operations to reduce the impact from a cybersecurity event. Examples of outcome Categories within this Function include Recovery Planning, Improvements, and Communications.

Each Function is comprised of one or more Categories, process-specific outcomes that support cybersecurity management. These Categories, in turn, are comprised of numerous specific Subcategories that provide process assessment to determine current state and target goals. Figure 12 below provides an overview of the Framework Categories. Please note: most depictions of the NIST Framework are “heavily” coded using 2-character codes. While this will generate some issues, it is probably the best way to depict something of this nature. Figure 12 also provides the normal coding scheme for your review. Before launching into the CCSESA Framework tool, familiarize yourself with this scheme for ease of operation.


While many districts maintain internal processes and procedures to achieve the outcomes instantiated by the Framework Core, others requested specific guidance as to how to gain that achievement. As illustrative examples of practices which some districts use to achieve the outcomes, NIST provided informative references to cross-sector, internationally recognized guidance (including COBIT 5) that assist in accomplishing each Subcategory.


Framework Implementation Tiers

The CCSF includes several levels of Implementation Tiers (Partial / Risk Informed / Repeatable / Adaptive) that assist in conducting assessment and planning of cybersecurity activities. The Tiers describe attributes to consider when creating a Target Profile (TO-BE) or completing a Current Profile (AS-IS). A description of the Tiers is provided in detail in Figure 13. While not considered a maturity model, the Tier characteristics describe a progression from ad hoc to adaptive in three categories:

• Risk Management Process — Considers the level to which the district cybersecurity risk management practices are formalized and institutionalized. The attributes consider the extent to which prioritization of cybersecurity activities is informed by district risk objectives, the threat environment and stakeholder requirements.

• Integrated Risk Management Program — Reviews the cybersecurity risk awareness at the district level. Levels increase as risk-informed, management-approved processes and procedures are defined and implemented, and as they are adapted based on information sharing and lessons learned from previous activities.

• External Participation — Considers the level to which the district actively shares information with external partners to improve security before a security event occurs and informs those partners about indicators, observations or events.


Figure 13 - Framework Implementation Tiers (columns: Tier; Risk Management Process; Integrated Risk Management Program; External Participation)

Tier 1: Partial

Risk Management Process: Organizational cybersecurity risk management practices are not formalized, and risk is managed in an ad hoc and sometimes reactive manner. Prioritization of cybersecurity activities may not be directly informed by district risk objectives, the threat environment or business/mission requirements.

Integrated Risk Management Program: There is limited awareness of cybersecurity risk at the district level and a district-wide approach to managing cybersecurity risk has not been established. The district implements cybersecurity risk management on an irregular, case-by-case basis due to varied experience or information gained from outside sources. The district may not have processes that enable cybersecurity information to be shared within the district.

External Participation: A district may not have the processes in place to participate in coordination or collaboration with other entities.

Tier 2: Risk Informed

Risk Management Process: Risk management practices are approved by management but may not be established as district-wide policy. Prioritization of cybersecurity activities is directly informed by district risk objectives, the threat environment or business/mission requirements.

Integrated Risk Management Program: There is an awareness of cybersecurity risk at the district level but a district-wide approach to managing cybersecurity risk has not been established. Risk-informed, management-approved processes and procedures are defined and implemented, and staff has adequate resources to perform their cybersecurity duties. Cybersecurity information is shared within the district on an informal basis.

External Participation: The district understands its role in the larger ecosystem, but has not formalized its capabilities to interact and share information externally.

Tier 3: Repeatable

Risk Management Process: The district’s risk management practices are formally approved and expressed as policy. Organizational cybersecurity practices are regularly updated based on the application of risk management processes to changes in business/mission requirements and a changing threat and technology landscape.

Integrated Risk Management Program: There is a district-wide approach to manage cybersecurity risk. Risk-informed policies, processes and procedures are defined, implemented as intended and reviewed. Consistent methods are in place to respond effectively to changes in risk. Personnel possess the knowledge and skills to perform their appointed roles and responsibilities.

External Participation: The district understands its dependencies and partners and receives information from these partners that enables collaboration and risk-based management decisions within the district in response to events.

Tier 4: Adaptive

Risk Management Process: The district adapts its cybersecurity practices based on lessons learned and predictive indicators derived from previous and current cybersecurity activities. Through a process of continuous improvement incorporating advanced cybersecurity technologies and practices, the district actively adapts to a changing cybersecurity landscape and responds to evolving and sophisticated threats in a timely manner.

Integrated Risk Management Program: There is a district-wide approach to managing cybersecurity risk that uses risk-informed policies, processes and procedures to address potential cybersecurity events. Cybersecurity risk management is part of the district culture and evolves from an awareness of previous activities, information shared by other sources and continuous awareness of activities on their systems and networks.

External Participation: The district manages risk and actively shares information with partners to ensure that accurate, current information is being distributed and consumed to improve cybersecurity before a cybersecurity event occurs.

The CCSF provides neither descriptive guidance regarding how to measure these attributes, nor a quantitative method to determine the applicable Tier. NIST received numerous comments during the development process, many supporting a maturity model similar to that used in the Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2) or the Carnegie Mellon Maturity Matrix Index. Strict criteria are difficult, however, across a broad array of users, and NIST is not authoritative for deciding mandatory thresholds… you are!!!! For that reason, the Tiers are subjective, but are designed to help a district consider current risk management practices, threat environment, legal and regulatory requirements, business/mission objectives, and district constraints. The lack of a concrete measurement standard in CCSF version 1.0 is not intended to prevent such measurement; districts (and organized groups, such as critical infrastructure sectors) may develop criteria to aid in comparison and communication of Tier selection. To correct this, CCSESA recommends that districts participate in a Security Risk Assessment from a reputable security company. Using this Framework and other standards prescribed by the assessment group, an adequate profile can be developed.

The Framework Implementation Tiers are similar to COBIT’s Process Capability Levels (PCLs). While PCLs are assessed (in accordance with the COBIT Process Assessment Model [PAM] publication) at the individual process, the Tiers apply to the district itself, or a sub-component of the district, depending on the scope of the implementation. Considerations of the PCLs may assist with determining the appropriate Framework Tier.

Rating the outcomes described in Figure 13 will require professional judgment by the implementer. The reasons for selecting a Tier, and for agreeing/disagreeing with an outcome statement in the Profiles, should be clearly documented so that advice can be given on areas in which the processes can be improved.

Specifically, the Tiers compare in the following ways:


Figure 13 - Comparison of CCSF Tiers to COBIT 5 Process Capability Levels (PCLs) (columns: CSF Tier; Descriptor; Description; COBIT 5 PCL)

Tier 1, Partial: The Risk Management and information sharing processes are either not implemented or are not yet formal enough to provide consistent district benefit. COBIT 5 PCL: PCL 0 - Incomplete; PCL 1 - Performed.

Tier 2, Risk Informed: The outcomes are implemented in a managed fashion, informed by district risk processes and providing significant district awareness of cybersecurity risk management. COBIT 5 PCL: PCL 2 - Managed.

Tier 3, Repeatable: The managed process is implemented using a defined method that is capable of achieving intended outcomes. COBIT 5 PCL: PCL 3 - Established.

Tier 4, Adaptive: The outcomes are achieved proactively, learning from the experience of internal and external stakeholders, perhaps informed through external information sources. COBIT 5 PCL: PCL 4 - Predictable; PCL 5 - Optimizing.

The role of the Tiers in determining risk approach is closely related to COBIT’s EDM03 Ensure Risk Optimization. As the district adapts its cybersecurity practices based on lessons learned and predictive indicators, and as the district or school builds an enterprise approach to risk management, the district is better able to ensure identification and management of risk to the enterprise value. This, in turn, enables the EDM03 goals of: ensuring that technology-related enterprise risk does not exceed risk appetite and risk tolerance, that the impact of technology risk to enterprise value is identified and managed, and that the potential for compliance failures is minimized.

Framework Profiles

A Framework Profile (“Profile”) represents the outcomes based on business needs that a district has selected from the Framework Categories and Subcategories. The Profile can be characterized as the alignment of standards, guidelines and practices to the Framework Core in a particular implementation scenario. Profiles can be used to identify opportunities for improving cybersecurity posture by comparing a Current Profile (the “as is” state) with a Target Profile (the “to be” state). This is referred to as the AS-IS / TO-BE Transformation.

To develop a Profile, a district can review each of the Core Categories and Subcategories and, based on business drivers and a risk assessment (usually conducted through a 3rd party), determine which are most important; the district adds Categories and Subcategories as needed to address its risk. The Current Profile can then be used to support prioritization and measurement of progress toward the Target Profile, factoring in business needs including cost-effectiveness and innovation. The generation of a business case to support additional investment in security technology (hardware/processes/people) can be made. The use of Profiles to conduct self-assessments and to communicate within a district or between districts is common.


To assist districts in adopting and implementing the CCSF, the next section of this guidebook lays out a recommended seven-step implementation process. Each step is a precursor to the following step, although some districts may conduct some steps in a different order. For example, a district may adopt a Target Profile before performing a Current Profile, or might perform a risk assessment before developing a Current Profile. These steps, summarized and with detailed implementation recommendations described later in this guide, should be repeated as necessary to continuously improve a district’s cybersecurity and risk avoidance.

Risk Considerations from COBIT and the CCSF

Maintaining an understanding of enterprise security risk is a key component of the CCSF. Step four of the CCSF implementation process includes the requirement for performing a risk assessment. Risk assessments provide stakeholders and managers an opportunity to weigh security vulnerabilities, threats to the enterprise and technologies against operational requirements. Risk assessments assist in defining the subcategories required to adequately mitigate the risk to the district and identify the rigor with which the mitigation should be applied. The rigor for implementing cybersecurity controls is attained through Implementation Tiers as described in this guidebook.

The Institute of Risk Management (IRM) defines risk as “the combination of the probability of an event and its consequence. Consequences can range from positive to negative.” The International Organization for Standardization defines risk in the internationally recognized ISO Guide 73 as the “effect of uncertainty on objectives,” noting that an effect may be positive, negative or a deviation from the expected. In the context of applying the CCSF, then, the primary consequence to be considered is the likelihood of achieving stakeholder goals. Similarly, COBIT 5 for Risk defines IT risk as business risk, specifically, the business risk associated with the use, ownership, operation, involvement, influence and adoption of IT within an enterprise. IT risk consists of IT-related events that could potentially impact the business. IT risk can occur with both uncertain frequency and impact, and creates challenges in meeting strategic goals and objectives. IT risk always exists, whether or not it is recognized by an enterprise.

As described in COBIT 5 for Risk and illustrated in Figure 14, managed risk enables business drivers, enhances opportunities, and provides executives and managers with an understanding of the security strengths and weaknesses within the district. When risk is poorly managed, business value is reduced, IT is misused, and executives and managers are unaware of potential security threats and vulnerabilities that could lead to lost revenue or reputation.


The Risk Function Perspective (COBIT 5)

COBIT 5 is an end-to-end framework that considers optimization of risk as a key value objective. COBIT 5 considers governance and management of risk as part of the overall governance and management for IT. For each enabler, the risk function perspective describes how the enabler contributes to the overall risk governance and management function. For example, which:

• Processes are required to define and sustain the risk function, govern and manage risk — EDM01, APO01, etc.

• Information flows are required to govern and manage risk — risk universe, risk profile, etc.

• Organizational structures are required to govern and manage risk — ERM committee, risk function, etc.

Sections 2 through 8 of COBIT 5 for Risk contain examples for each enabler. These examples are further elaborated in Appendix B of COBIT 5 for Risk. The details of the full scope of COBIT 5 for Risk are provided in Figure 15.


COBIT 5 for Risk provides specific guidance related to all enablers:

1. Risk principles, policies and frameworks

2. Processes, including risk-function-specific details and activities

3. Risk-specific district structures

4. In terms of culture, ethics and behavior, the factors determining the success of risk governance

5. Risk-specific information types for enabling risk governance and management within the enterprise

6. With regard to services, infrastructure and applications, the service capabilities required to provide risk and related functions to an enterprise

7. For the people, skills and competencies enabler, the skills and competencies specific to risk

The Risk Management Perspective

The risk management perspective addresses governance and management, i.e., how to identify, analyze and respond to risk and how to use the COBIT 5 framework for that purpose. This perspective requires the core risk processes (COBIT 5 processes EDM03 Ensure risk optimization and APO12 Manage risk) to be implemented.

The CCSF leverages the risk assessment process to define how districts will implement each Core Subcategory. Completing a risk assessment provides an understanding of the likelihood that a risk event will occur and what the resulting impact will be. For each potential event recorded above, determine the likelihood of that event occurring and the impact if it occurred. Districts may choose to complete several risk assessments, one for each business area, and aggregate the information to form an enterprise risk assessment.

For some districts, a separate risk assessment may be conducted for each business area (e.g. human resources, accounting, customer support) as defined by the Prioritize and Scope step. Separate risk assessments allow separate Target Profiles, ensuring that the risk for each business area is addressed without overcompensating. The enterprise risk assessment provides a baseline that defines a minimum threshold, so that less sensitive business areas are not neglected and left as an avenue of attack for malicious users.

After the risk assessment is complete, districts can determine the acceptable level of risk for IT assets and systems, expressed as their risk tolerance, budget and resources. The risk tolerance is used to define the controls required for each Subcategory, and the rigor required for implementing each control, by defining the Target Profile.
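The following Python is an added worked example of the procedure just described; it is not code from the guidebook or from the CCSESA toolkit. It scores each recorded event by likelihood and impact, builds a per-business-area assessment, applies the enterprise assessment as a minimum threshold so that a low-risk area cannot fall below it, and compares the district's risk tolerance with each score to set the rigor required for each Subcategory in the Target Profile. It then lists where a Current Profile falls short. The 5x5 scale, the business areas, the events, the tolerance of 6, the rigor-level labels and the Current Profile values are all constructed assumptions for illustration.

```python
"""Risk assessment to Target Profile, following the Risk Management Perspective above.

Added worked example; not code from the CCSESA guidebook or its toolkit. The 5x5
likelihood/impact scale, the business areas, the events, the tolerance value and the
rigor-level labels are constructed assumptions for illustration only.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskEvent:
    area: str           # business area from the Prioritize and Scope step
    subcategory: str    # Framework Core Subcategory the control addresses, e.g. "PR.DS-1"
    description: str
    likelihood: int     # 1 (rare) .. 5 (almost certain), assumed scale
    impact: int         # 1 (negligible) .. 5 (severe), assumed scale

    @property
    def score(self) -> int:
        """Risk score = likelihood x impact on the assumed 5x5 scale (1..25)."""
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError(f"likelihood/impact out of range: {self.description!r}")
        return self.likelihood * self.impact


# Control rigor for a Subcategory (assumed labels; these are not NIST Implementation Tiers).
RIGOR = {0: "not assessed", 1: "baseline", 2: "managed", 3: "rigorous"}


def rigor_level(score: int, tolerance: int) -> int:
    """Compare a risk score with the district's tolerance to pick a control rigor level."""
    if score <= tolerance:          # within tolerance: baseline controls suffice
        return 1
    if score <= 2 * tolerance:      # above tolerance: managed controls
        return 2
    return 3                        # far above tolerance: rigorous controls


def area_assessments(events):
    """Per-business-area assessment: the worst score recorded for each Subcategory."""
    worst = defaultdict(dict)       # area -> {subcategory: max score}
    for ev in events:
        worst[ev.area][ev.subcategory] = max(worst[ev.area].get(ev.subcategory, 0), ev.score)
    return dict(worst)


def target_profile(area_events, enterprise_events, tolerance):
    """Build the Target Profile: rigor level per (area, Subcategory).

    Each area's level comes from its own assessment, so a low-risk area is not forced
    to the level of the most sensitive one. The enterprise assessment sets a floor per
    Subcategory that every area must meet, so no area is left as an easy way in."""
    floor = {}
    for ev in enterprise_events:
        floor[ev.subcategory] = max(floor.get(ev.subcategory, 1), rigor_level(ev.score, tolerance))

    profile = {}
    for area, scores in area_assessments(area_events).items():
        for sub, score in scores.items():
            profile[(area, sub)] = max(rigor_level(score, tolerance), floor.get(sub, 1))
        for sub, level in floor.items():          # floor applies even with no area-level event
            profile.setdefault((area, sub), level)
    return profile


def gaps(target, current):
    """Subcategories where the Current Profile falls short of the Target Profile."""
    return sorted(
        (area, sub, current.get((area, sub), 0), level)
        for (area, sub), level in target.items()
        if current.get((area, sub), 0) < level
    )


# Constructed sample register: two business areas plus district-wide events.
AREA_EVENTS = [
    RiskEvent("student_information", "PR.DS-1", "unencrypted SIS backup copied off site", 3, 5),
    RiskEvent("student_information", "PR.AC-4", "staff keep SIS access after changing roles", 4, 4),
    RiskEvent("food_services", "PR.DS-1", "point-of-sale laptop with meal records lost", 2, 2),
    RiskEvent("food_services", "PR.AC-4", "cashiers share one login", 3, 1),
]
ENTERPRISE_EVENTS = [
    RiskEvent("district", "PR.AC-4", "phished account reused to reach other departments", 3, 3),
]
TOLERANCE = 6                       # assumed district risk tolerance on the 1..25 scale
CURRENT_PROFILE = {                 # assumed result of the Current Profile assessment
    ("student_information", "PR.DS-1"): 2,
    ("student_information", "PR.AC-4"): 3,
    ("food_services", "PR.DS-1"): 1,
}

if __name__ == "__main__":
    target = target_profile(AREA_EVENTS, ENTERPRISE_EVENTS, TOLERANCE)
    for (area, sub), level in sorted(target.items()):
        print(f"{area:20} {sub}  target={RIGOR[level]}")
    for area, sub, cur, tgt in gaps(target, CURRENT_PROFILE):
        print(f"gap: {area} {sub}: {RIGOR[cur]} -> {RIGOR[tgt]}")
```

In the sample, food services scores PR.AC-4 at 3 (within tolerance), but the district-wide phishing event raises the floor for that Subcategory to "managed", so the food services Target Profile inherits that level; student information keeps its own "rigorous" level without pulling food services up with it. The gap list is the input to the action plan: it names the area, the Subcategory, and the rigor step required.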


Appendix C. Communicating Cybersecurity Requirements with Stakeholders

An important component of both the CCSF and the COBIT 5 framework involves the governance and management of suppliers and business partners. A single district may involve dozens of external stakeholders and supply chain/service providers. Each of these stakeholders brings opportunities to fulfill enterprise and IT-related goals; each also adds vulnerability and potential risk to be considered. Implementation of the CCSF using COBIT principles and processes provides a common language to communicate stakeholder needs and requirements.

The resulting process enables IT to be governed and managed in a holistic manner for the entire enterprise, supporting the primary district as well as its supply chain partners in applying an integrated framework. Many COBIT 5 practices include supplier components, guided by elements of APO10 Manage suppliers. Specific examples of using the CCSF through COBIT 5 with external business partners include:

• Document supplier management aspects. Cooperative agreements provide an opportunity to document the drivers, risk agreements and goals, using a subset of the processes in phase 1 (Section 3).

• Record the result of supplier/partner assessments using the Current Profile template. Alignment around this CCSF/COBIT model supports COBIT's principle of a single integrated framework model to record and communicate goals and performance.

• Record expectations and requirements through use of the Target Profile template described in Section 3, phase 3. This model is helpful for conveying specific governance and management obligations, for example to a cloud provider to which the district is exporting data.

Harmonization of processes and communications for both internal and external stakeholders improves consistency and simplifies tracking and reporting. Through use of common templates and communication practices, a holistic approach to governance and management of IT ensures that goals are aligned and effective.


Appendix D: Framework Core

As described in Appendix B, the Framework Core provides a set of activities to achieve specific cybersecurity outcomes and references examples of guidance to achieve those outcomes. The Core is not a checklist of actions to perform. It presents key cybersecurity outcomes identified by industry as helpful in managing cybersecurity risk. The Core comprises four elements: Functions, Categories, Subcategories and Informative References.

The following table represents the Framework Core as provided in appendix A of the NIST Framework for Improving Critical Infrastructure Cybersecurity. This table is provided for reference only; the working version is the Toolkit CCSF database. You can click on the links to locate the information quickly.

A large poster is included as part of the toolkit.

Framework Core (Function / Category / Subcategory / Informative References)

IDENTIFY (ID)

Asset Management (ID.AM): The data, personnel, devices, systems, and facilities that enable the district to achieve business purposes are identified and managed consistent with their relative importance to business objectives and the district's risk strategy.

ID.AM-1: Physical devices and systems within the district are inventoried.
  References: CCS CSC 1; COBIT 5 BAI09.01, BAI09.02; ISA 62443-2-1:2009 4.2.3.4; ISA 62443-3-3:2013 SR 7.8; ISO/IEC 27001:2013 A.8.1.1, A.8.1.2; NIST SP 800-53 Rev. 4 CM-8

ID.AM-2: Software platforms and applications within the district are inventoried.
  References: CCS CSC 2; COBIT 5 BAI09.01, BAI09.02, BAI09.05; ISA 62443-2-1:2009 4.2.3.4; ISA 62443-3-3:2013 SR 7.8; ISO/IEC 27001:2013 A.8.1.1, A.8.1.2; NIST SP 800-53 Rev. 4 CM-8

ID.AM-3: Organizational communication and data flows are mapped.
  References: CCS CSC 1; COBIT 5 DSS05.02; ISA 62443-2-1:2009 4.2.3.4; ISO/IEC 27001:2013 A.13.2.1; NIST SP 800-53 Rev. 4 AC-4, CA-3, CA-9, PL-8

ID.AM-4: External information systems are catalogued.
  References: COBIT 5 APO02.02; ISO/IEC 27001:2013 A.11.2.6; NIST SP 800-53 Rev. 4 AC-20, SA-9

ID.AM-5: Resources (such as hardware, devices, data and software) are prioritized based on their classification, criticality, and business value.
  References: COBIT 5 APO03.03, APO03.04, BAI09.02; ISA 62443-2-1:2009 4.2.3.6; ISO/IEC 27001:2013 A.8.2.1; NIST SP 800-53 Rev. 4 CP-2, RA-2, SA-14

ID.AM-6: Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (such as suppliers, customers, and partners) are established.
  References: COBIT 5 APO01.02, DSS06.03; ISA 62443-2-1:2009 4.3.2.3.3; ISO/IEC 27001:2013 A.6.1.1; NIST SP 800-53 Rev. 4 CP-2, PS-7, PM-11

Business Environment (ID.BE): The district's mission, objectives, stakeholders, and activities are understood and prioritized; this information is used to inform cybersecurity roles, responsibilities, and risk management decisions.

ID.BE-1: The district's role in the supply chain is identified and communicated.
  References: COBIT 5 APO08.04, APO08.05, APO10.03, APO10.04, APO10.05; ISO/IEC 27001:2013 A.15.1.3, A.15.2.1, A.15.2.2; NIST SP 800-53 Rev. 4 CP-2, SA-12

ID.BE-2: The district's place in critical infrastructure and its industry sector is identified and communicated.
  References: COBIT 5 APO02.06, APO03.01; NIST SP 800-53 Rev. 4 PM-8

ID.BE-3: Priorities for district mission, objectives, and activities are established and communicated.
  References: COBIT 5 APO02.01, APO02.06, APO03.01; ISA 62443-2-1:2009 4.2.2.1, 4.2.3.6; NIST SP 800-53 Rev. 4 PM-11, SA-14

ID.BE-4: Dependencies and critical functions for delivery of critical services are established.
  References: ISO/IEC 27001:2013 A.11.2.2, A.11.2.3, A.12.1.3; NIST SP 800-53 Rev. 4 CP-8, PE-9, PE-11, PM-8, SA-14

ID.BE-5: Resilience requirements to support delivery of critical services are established.
  References: COBIT 5 DSS04.02; ISO/IEC 27001:2013 A.11.1.4, A.17.1.1, A.17.1.2, A.17.2.1; NIST SP 800-53 Rev. 4 CP-2, CP-11, SA-14

Governance (ID.GV): The policies, procedures, and processes to manage and monitor the district's regulatory, legal, risk, environmental, and operational requirements are understood and inform the management of cybersecurity risk.

ID.GV-1: Organizational information security policy is established.
  References: COBIT 5 APO01.03, EDM01.01, EDM01.02; ISA 62443-2-1:2009 4.3.2.6; ISO/IEC 27001:2013 A.5.1.1; NIST SP 800-53 Rev. 4 -1 controls from all families

ID.GV-2: Information security roles and responsibilities are coordinated and aligned with internal roles and external partners.
  References: COBIT 5 APO13.12; ISA 62443-2-1:2009 4.3.2.3.3; ISO/IEC 27001:2013 A.6.1.1, A.7.2.1; NIST SP 800-53 Rev. 4 PM-1, PS-7

ID.GV-3: Legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations, are understood and managed.
  References: COBIT 5 MEA03.01, MEA03.04; ISA 62443-2-1:2009 4.4.3.7; ISO/IEC 27001:2013 A.18.1; NIST SP 800-53 Rev. 4 -1 controls from all families (except PM-1)

ID.GV-4: Governance and risk management processes address cybersecurity risks.
  References: COBIT 5 DSS04.02; ISA 62443-2-1:2009 4.2.3.1, 4.2.3.3, 4.2.3.8, 4.2.3.9, 4.2.3.11, 4.3.2.4.3, 4.3.2.6.3; NIST SP 800-53 Rev. 4 PM-9, PM-11

Risk Assessment (ID.RA): The district understands the cybersecurity risk to district operations (including mission, functions, image, or reputation), district assets, and individuals.

ID.RA-1: Asset vulnerabilities are identified and documented.
  References: CCS CSC 4; COBIT 5 APO12.01, APO12.02, APO12.03, APO12.04; ISA 62443-2-1:2009 4.2.3, 4.2.3.7, 4.2.3.9, 4.2.3.12; ISO/IEC 27001:2013 A.12.6.1, A.18.2.3; NIST SP 800-53 Rev. 4 CA-2, CA-7, CA-8, RA-3, RA-5, SA-5, SA-11, SI-2, SI-4, SI-5

ID.RA-2: Threat and vulnerability information is received from information sharing forums and sources.
  References: ISA 62443-2-1:2009 4.2.3, 4.2.3.9, 4.2.3.12; ISO/IEC 27001:2013 A.6.1.4; NIST SP 800-53 Rev. 4 PM-15, PM-16, SI-5

ID.RA-3: Threats, both internal and external, are identified and documented.
  References: COBIT 5 APO12.01, APO12.02, APO12.03, APO12.04; ISA 62443-2-1:2009 4.2.3, 4.2.3.9, 4.2.3.12; NIST SP 800-53 Rev. 4 RA-3, SI-5, PM-12, PM-16

ID.RA-4: Potential business impacts and likelihoods are identified.
  References: COBIT 5 DSS04.02; ISA 62443-2-1:2009 4.2.3, 4.2.3.9, 4.2.3.12; NIST SP 800-53 Rev. 4 RA-2, RA-3, PM-9, PM-11, SA-14

ID.RA-5: Threats, vulnerabilities, likelihoods, and impacts are used to determine risk.
  References: COBIT 5 APO12.02; ISO/IEC 27001:2013 A.12.6.1; NIST SP 800-53 Rev. 4 RA-2, RA-3, PM-16

ID.RA-6: Risk responses are identified and prioritized.
  References: COBIT 5 APO12.05, APO13.02; NIST SP 800-53 Rev. 4 PM-4, PM-9

Risk Management Strategy (ID.RM): The district's priorities, constraints, risk tolerances, and assumptions are established and used to support operational risk decisions.

ID.RM-1: Risk management processes are established, managed, and agreed to by district stakeholders.
  References: COBIT 5 APO12.04, APO12.05, APO13.02, BAI02.03, BAI04.02; ISA 62443-2-1:2009 4.3.4.2; NIST SP 800-53 Rev. 4 PM-9

ID.RM-2: Organizational risk tolerance is determined and clearly expressed.
  References: COBIT 5 APO12.06; ISA 62443-2-1:2009 4.3.2.6.5; NIST SP 800-53 Rev. 4 PM-9

ID.RM-3: The district's determination of risk tolerance is informed by its role in critical infrastructure and sector-specific risk analysis.
  References: NIST SP 800-53 Rev. 4 PM-8, PM-9, PM-11, SA-14

PROTECT (PR)

Access Control (PR.AC): Access to assets and associated facilities is limited to authorized users, processes, or devices, and to authorized activities and transactions.

PR.AC-1: Identities and credentials are managed for authorized devices and users.
  References: CCS CSC 16; COBIT 5 DSS05.04, DSS06.03; ISA 62443-2-1:2009 4.3.3.5.1; ISA 62443-3-3:2013 SR 1.1, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9; ISO/IEC 27001:2013 A.9.2.1, A.9.2.2, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3; NIST SP 800-53 Rev. 4 AC-2, IA Family

PR.AC-2: Physical access to assets is managed and protected.
  References: COBIT 5 DSS01.04, DSS05.05; ISA 62443-2-1:2009 4.3.3.3.2, 4.3.3.3.8; ISO/IEC 27001:2013 A.11.1.1, A.11.1.2, A.11.1.4, A.11.1.6, A.11.2.3; NIST SP 800-53 Rev. 4 PE-2, PE-3, PE-4, PE-5, PE-6, PE-9

PR.AC-3: Remote access is managed.
  References: COBIT 5 APO13.01, DSS01.04, DSS05.03; ISA 62443-2-1:2009 4.3.3.6.6; ISA 62443-3-3:2013 SR 1.13, SR 2.6; ISO/IEC 27001:2013 A.6.2.2, A.13.1.1, A.13.2.1; NIST SP 800-53 Rev. 4 AC-17, AC-19, AC-20

PR.AC-4: Access permissions are managed, incorporating the principles of least privilege and separation of duties.
  References: CCS CSC 12, 15; ISA 62443-2-1:2009 4.3.3.7.3; ISA 62443-3-3:2013 SR 2.1; ISO/IEC 27001:2013 A.6.1.2, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4; NIST SP 800-53 Rev. 4 AC-2, AC-3, AC-5, AC-6, AC-16

PR.AC-5: Network integrity is protected, incorporating network segregation where appropriate.
  References: ISA 62443-2-1:2009 4.3.3.4; ISA 62443-3-3:2013 SR 3.1, SR 3.8; ISO/IEC 27001:2013 A.13.1.1, A.13.1.3, A.13.2.1; NIST SP 800-53 Rev. 4 AC-4, SC-7

Awareness and Training (PR.AT): The district's personnel and partners are provided cybersecurity awareness education and are adequately trained to perform their information security-related duties and responsibilities consistent with related policies, procedures, and agreements.

PR.AT-1: All users are informed and trained.
  References: CCS CSC 9; COBIT 5 APO07.03, BAI05.07; ISA 62443-2-1:2009 4.3.2.4.2; ISO/IEC 27001:2013 A.7.2.2; NIST SP 800-53 Rev. 4 AT-2, PM-13

PR.AT-2: Privileged users understand roles and responsibilities.
  References: CCS CSC 9; COBIT 5 APO07.02, DSS06.03; ISA 62443-2-1:2009 4.3.2.4.2, 4.3.2.4.3; ISO/IEC 27001:2013 A.6.1.1, A.7.2.2; NIST SP 800-53 Rev. 4 AT-3, PM-13

PR.AT-3: Third-party stakeholders (such as suppliers, customers, and partners) understand roles and responsibilities.
  References: CCS CSC 9; COBIT 5 APO07.03, APO10.04, APO10.05; ISA 62443-2-1:2009 4.3.2.4.2; ISO/IEC 27001:2013 A.6.1.1, A.7.2.2; NIST SP 800-53 Rev. 4 PS-7, SA-9

PR.AT-4: Senior executives understand roles and responsibilities.
  References: CCS CSC 9; COBIT 5 APO07.03; ISA 62443-2-1:2009 4.3.2.4.2; ISO/IEC 27001:2013 A.6.1.1, A.7.2.2; NIST SP 800-53 Rev. 4 AT-3, PM-13

PR.AT-5: Physical and information security personnel understand roles and responsibilities.
  References: CCS CSC 9; COBIT 5 APO07.03; ISA 62443-2-1:2009 4.3.2.4.2; ISO/IEC 27001:2013 A.6.1.1, A.7.2.2; NIST SP 800-53 Rev. 4 AT-3, PM-13

Data Security (PR.DS): Information and records (data) are managed consistent with the district's risk strategy to protect the confidentiality, integrity, and availability of information.

PR.DS-1: Data-at-rest is protected.
  References: CCS CSC 17; COBIT 5 APO01.06, BAI02.01, BAI06.01, DSS06.06; ISA 62443-3-3:2013 SR 3.4, SR 4.1; ISO/IEC 27001:2013 A.8.2.3; NIST SP 800-53 Rev. 4 SC-28

PR.DS-2: Data-in-transit is protected.
  References: CCS CSC 17; COBIT 5 APO01.06, DSS06.06; ISA 62443-3-3:2013 SR 3.1, SR 3.8, SR 4.1, SR 4.2; ISO/IEC 27001:2013 A.8.2.3, A.13.1.1, A.13.2.1, A.13.2.3, A.14.1.2, A.14.1.3; NIST SP 800-53 Rev. 4 SC-8

PR.DS-3: Assets are formally managed throughout removal, transfers, and disposition.
  References: COBIT 5 BAI09.03; ISA 62443-2-1:2009 4.3.3.3.9, 4.3.4.4.1; ISA 62443-3-3:2013 SR 4.2; ISO/IEC 27001:2013 A.8.2.3, A.8.3.1, A.8.3.2, A.8.3.3, A.11.2.7; NIST SP 800-53 Rev. 4 CM-8, MP-6, PE-16

PR.DS-4: Adequate capacity to ensure availability is maintained.
  References: COBIT 5 APO13.01; ISA 62443-3-3:2013 SR 7.1, SR 7.2; ISO/IEC 27001:2013 A.12.3.1; NIST SP 800-53 Rev. 4 AU-4, CP-2, SC-5

PR.DS-5: Protections against data leaks are implemented.
  References: CCS CSC 17; COBIT 5 APO01.06; ISA 62443-3-3:2013 SR 5.2; ISO/IEC 27001:2013 A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3; NIST SP 800-53 Rev. 4 AC-4, AC-5, AC-6, PE-19, PS-3, PS-6, SC-7, SC-8, SC-13, SC-31, SI-4

PR.DS-6: Integrity checking mechanisms are used to verify software, firmware, and information integrity.
  References: ISA 62443-3-3:2013 SR 3.1, SR 3.3, SR 3.4, SR 3.8; ISO/IEC 27001:2013 A.12.2.1, A.12.5.1, A.14.1.2, A.14.1.3; NIST SP 800-53 Rev. 4 SI-7

PR.DS-7: The development and testing environments are separate from the production environment.
  References: COBIT 5 BAI07.04; ISO/IEC 27001:2013 A.12.1.4; NIST SP 800-53 Rev. 4 CM-2

Information Protection Processes and Procedures (PR.IP): Security policies (that address purpose, scope, roles, responsibilities, management commitment, and coordination among district entities), processes, and procedures are maintained and used to manage protection of information systems and assets.

PR.IP-1: A baseline configuration of information technology/industrial control systems is created and maintained.
  References: CCS CSC 3, 10; COBIT 5 BAI10.01, BAI10.02, BAI10.03, BAI10.05; ISA 62443-2-1:2009 4.3.4.3.2, 4.3.4.3.3; ISA 62443-3-3:2013 SR 7.6; ISO/IEC 27001:2013 A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4; NIST SP 800-53 Rev. 4 CM-2, CM-3, CM-4, CM-5, CM-6, CM-7, CM-9, SA-10

PR.IP-2: A System Development Life Cycle (SDLC) to manage systems is implemented.
  References: COBIT 5 APO13.01; ISA 62443-2-1:2009 4.3.4.3.3; ISO/IEC 27001:2013 A.6.1.5, A.14.1.1, A.14.2.1, A.14.2.5; NIST SP 800-53 Rev. 4 SA-3, SA-4, SA-8, SA-10, SA-11, SA-12, SA-15, SA-17, PL-8

PR.IP-3: Configuration change control processes are in place.
  References: COBIT 5 BAI06.01, BAI01.06; ISA 62443-2-1:2009 4.3.4.3.2, 4.3.4.3.3; ISA 62443-3-3:2013 SR 7.6; ISO/IEC 27001:2013 A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4; NIST SP 800-53 Rev. 4 CM-3, CM-4, SA-10

PR.IP-4: Backups of information are conducted, maintained, and tested periodically.
  References: COBIT 5 APO13.01; ISA 62443-2-1:2009 4.3.4.3.9; ISA 62443-3-3:2013 SR 7.3, SR 7.4; ISO/IEC 27001:2013 A.12.3.1, A.17.1.2, A.17.1.3, A.18.1.3; NIST SP 800-53 Rev. 4 CP-4, CP-6, CP-9

PR.IP-5: Policy and regulations regarding the physical operating environment for district assets are met.
  References: COBIT 5 DSS01.04, DSS05.05; ISA 62443-2-1:2009 4.3.3.3.1, 4.3.3.3.2, 4.3.3.3.3, 4.3.3.3.5, 4.3.3.3.6; ISO/IEC 27001:2013 A.11.1.4, A.11.2.1, A.11.2.2, A.11.2.3; NIST SP 800-53 Rev. 4 PE-10, PE-12, PE-13, PE-14, PE-15, PE-18

PR.IP-6: Data is destroyed according to policy.
  References: COBIT 5 BAI09.03; ISA 62443-2-1:2009 4.3.4.4.4; ISA 62443-3-3:2013 SR 4.2; ISO/IEC 27001:2013 A.8.2.3, A.8.3.1, A.8.3.2, A.11.2.7; NIST SP 800-53 Rev. 4 MP-6

PR.IP-7: Protection processes are continuously improved.
  References: COBIT 5 APO11.06, DSS04.05; ISA 62443-2-1:2009 4.4.3.1, 4.4.3.2, 4.4.3.3, 4.4.3.4, 4.4.3.5, 4.4.3.6, 4.4.3.7, 4.4.3.8; NIST SP 800-53 Rev. 4 CA-2, CA-7, CP-2, IR-8, PL-2, PM-6

PR.IP-8: Effectiveness of protection technologies is shared with appropriate parties.
  References: ISO/IEC 27001:2013 A.16.1.6; NIST SP 800-53 Rev. 4 AC-21, CA-7, SI-4

PR.IP-9: Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed.
  References: COBIT 5 DSS04.03; ISA 62443-2-1:2009 4.3.2.5.3, 4.3.4.5.1; ISO/IEC 27001:2013 A.16.1.1, A.17.1.1, A.17.1.2; NIST SP 800-53 Rev. 4 CP-2, IR-8

PR.IP-10: Response and recovery plans are tested.
  References: ISA 62443-2-1:2009 4.3.2.5.7, 4.3.4.5.11; ISA 62443-3-3:2013 SR 3.3; ISO/IEC 27001:2013 A.17.1.3; NIST SP 800-53 Rev. 4 CP-4, IR-3, PM-14

PR.IP-11: Cybersecurity is included in human resources practices such as deprovisioning and personnel screening.
  References: COBIT 5 APO07.01, APO07.02, APO07.03, APO07.04, APO07.05; ISA 62443-2-1:2009 4.3.3.2.1, 4.3.3.2.2, 4.3.3.2.3; ISO/IEC 27001:2013 A.7.1.1, A.7.3.1, A.8.1.4; NIST SP 800-53 Rev. 4 PS Family

PR.IP-12: A vulnerability management plan is developed and implemented.
  References: ISO/IEC 27001:2013 A.12.6.1, A.18.2.2; NIST SP 800-53 Rev. 4 RA-3, RA-5, SI-2

Maintenance (PR.MA): Maintenance and repairs of industrial control and information system components are performed consistent with policies and procedures.

PR.MA-1: Maintenance and repair of district assets is performed and logged in a timely manner, with approved and controlled tools.
  References: COBIT 5 BAI09.03; ISA 62443-2-1:2009 4.3.3.3.7; ISO/IEC 27001:2013 A.11.1.2, A.11.2.4, A.11.2.5; NIST SP 800-53 Rev. 4 MA-2, MA-3, MA-5

PR.MA-2: Remote maintenance of district assets is approved, logged, and performed in a manner that prevents unauthorized access.
  References: COBIT 5 DSS05.04; ISA 62443-2-1:2009 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8; ISO/IEC 27001:2013 A.11.2.4, A.15.1.1, A.15.2.1; NIST SP 800-53 Rev. 4 MA-4

Protective Technology (PR.PT): Technical security solutions are managed to ensure the security and resilience of systems and assets, consistent with related policies, procedures, and agreements.

PR.PT-1: Audit/log records are determined, documented, implemented, and reviewed in accordance with policy.
  References: CCS CSC 14; COBIT 5 APO11.04; ISA 62443-2-1:2009 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4; ISA 62443-3-3:2013 SR 2.8, SR 2.9, SR 2.10, SR 2.11, SR 2.12; ISO/IEC 27001:2013 A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1; NIST SP 800-53 Rev. 4 AU Family

PR.PT-2: Removable media is protected and its use restricted according to policy.
  References: COBIT 5 DSS05.02, APO13.01; ISA 62443-3-3:2013 SR 2.3; ISO/IEC 27001:2013 A.8.2.2, A.8.2.3, A.8.3.1, A.8.3.3, A.11.2.9; NIST SP 800-53 Rev. 4 MP-2, MP-4, MP-5, MP-7

PR.PT-3: Access to systems and assets is controlled, incorporating the principle of least functionality.
  References: COBIT 5 DSS05.02; ISA 62443-2-1:2009 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4; ISA 62443-3-3:2013 SR 1.1, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7; ISO/IEC 27001:2013 A.9.1.2; NIST SP 800-53 Rev. 4 AC-3, CM-7

PR.PT-4: Communications and control networks are protected.
  References: CCS CSC 7; COBIT 5 DSS05.02, APO13.01; ISA 62443-3-3:2013 SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6; ISO/IEC 27001:2013 A.13.1.1, A.13.2.1; NIST SP 800-53 Rev. 4 AC-4, AC-17, AC-18, CP-8, SC-7

DETECT (DE)

Anomalies and Events (DE.AE): Anomalous activity is detected in a timely manner and the potential impact of events is understood.

DE.AE-1: A baseline of network operations and expected data flows for users and systems is established and managed.
  References: COBIT 5 DSS03.01; ISA 62443-2-1:2009 4.4.3.3; NIST SP 800-53 Rev. 4 AC-4, CA-3, CM-2, SI-4

DE.AE-2: Detected events are analyzed to understand attack targets and methods.
  References: ISA 62443-2-1:2009 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8; ISA 62443-3-3:2013 SR 2.8, SR 2.9, SR 2.10, SR 2.11, SR 2.12, SR 3.9, SR 6.1, SR 6.2; ISO/IEC 27001:2013 A.16.1.1, A.16.1.4; NIST SP 800-53 Rev. 4 AU-6, CA-7, IR-4, SI-4

DE.AE-3: Event data are aggregated and correlated from multiple sources and sensors.
  References: ISA 62443-3-3:2013 SR 6.1; NIST SP 800-53 Rev. 4 AU-6, CA-7, IR-4, IR-5, IR-8, SI-4

DE.AE-4: Impact of events is determined.
  References: COBIT 5 APO12.06; NIST SP 800-53 Rev. 4 CP-2, IR-4, RA-3, SI-4

DE.AE-5: Incident alert thresholds are established.
  References: COBIT 5 APO12.06; ISA 62443-2-1:2009 4.2.3.10; NIST SP 800-53 Rev. 4 IR-4, IR-5, IR-8

Security Continuous Monitoring (DE.CM): The information system and assets are monitored at discrete intervals to identify cybersecurity events and verify the effectiveness of protective measures.

DE.CM-1: The network is monitored to detect potential cybersecurity events.
  References: CCS CSC 14, 16; COBIT 5 DSS05.07; ISA 62443-3-3:2013 SR 6.2; NIST SP 800-53 Rev. 4 AC-2, AU-12, CA-7, CM-3, SC-5, SC-7, SI-4

DE.CM-2: The physical environment is monitored to detect potential cybersecurity events.
  References: ISA 62443-2-1:2009 4.3.3.3.8; NIST SP 800-53 Rev. 4 CA-7, PE-3, PE-6, PE-20

DE.CM-3: Personnel activity is monitored to detect potential cybersecurity events.
  References: ISA 62443-3-3:2013 SR 6.2; ISO/IEC 27001:2013 A.12.4.1; NIST SP 800-53 Rev. 4 AC-2, AU-12, AU-13, CA-7, CM-10, CM-11

DE.CM-4: Malicious code is detected.
  References: CCS CSC 5; COBIT 5 DSS05.01; ISA 62443-2-1:2009 4.3.4.3.8; ISA 62443-3-3:2013 SR 3.2; ISO/IEC 27001:2013 A.12.2.1; NIST SP 800-53 Rev. 4 SI-3

DE.CM-5: Unauthorized mobile code is detected.
  References: ISA 62443-3-3:2013 SR 2.4; ISO/IEC 27001:2013 A.12.5.1; NIST SP 800-53 Rev. 4 SC-18, SI-4, SC-44

DE.CM-6: External service provider activity is monitored to detect potential cybersecurity events.
  References: COBIT 5 APO07.06; ISO/IEC 27001:2013 A.14.2.7, A.15.2.1; NIST SP 800-53 Rev. 4 CA-7, PS-7, SA-4, SA-9, SI-4

DE.CM-7: Monitoring for unauthorized personnel, connections, devices, and software is performed.
  References: NIST SP 800-53 Rev. 4 AU-12, CA-7, CM-3, CM-8, PE-3, PE-6, PE-20, SI-4

DE.CM-8: Vulnerability scans are performed.
  References: COBIT 5 BAI03.10; ISA 62443-2-1:2009 4.2.3.1, 4.2.3.7; ISO/IEC 27001:2013 A.12.6.1; NIST SP 800-53 Rev. 4 RA-5

Detection Processes (DE.DP): Detection processes and procedures are maintained and tested to ensure timely and adequate awareness of anomalous events.

DE.DP-1: Roles and responsibilities for detection are well defined to ensure accountability.
  References: CCS CSC 5; COBIT 5 DSS05.01; ISA 62443-2-1:2009 4.4.3.1; ISO/IEC 27001:2013 A.6.1.1; NIST SP 800-53 Rev. 4 CA-2, CA-7, PM-14

DE.DP-2: Detection activities comply with all applicable requirements.
  References: ISA 62443-2-1:2009 4.4.3.2; ISO/IEC 27001:2013 A.18.1.4; NIST SP 800-53 Rev. 4 CA-2, CA-7, PM-14, SI-4

DE.DP-3: Detection processes are tested.
  References: COBIT 5 APO13.02; ISA 62443-2-1:2009 4.4.3.2; ISA 62443-3-3:2013 SR 3.3; ISO/IEC 27001:2013 A.14.2.8; NIST SP 800-53 Rev. 4 CA-2, CA-7, PE-3, PM-14, SI-3, SI-4

DE.DP-4: Event detection information is communicated to appropriate parties.
  References: COBIT 5 APO12.06; ISA 62443-2-1:2009 4.3.4.5.9; ISA 62443-3-3:2013 SR 6.1; ISO/IEC 27001:2013 A.16.1.2; NIST SP 800-53 Rev. 4 AU-6, CA-2, CA-7, RA-5, SI-4

DE.DP-5: Detection processes are continuously improved.
  References: COBIT 5 APO11.06, DSS04.05; ISA 62443-2-1:2009 4.4.3.4; ISO/IEC 27001:2013 A.16.1.6; NIST SP 800-53 Rev. 4 CA-2, CA-7, PL-2, RA-5, SI-4, PM-14

Respon

d(RS)

ResponsePlanning(RS.RP):Responseprocessesand

proceduresareexecutedand

maintained,toensuretimely

responsetodetectedcybersecurity

events.

RS.RP-1:Responseplanisexecutedduringorafteranevent.

• COBIT 5 BAI01.10 • CCS CSC 18 • ISA 62443-2-1:2009 4.3.4.5.1 • ISO/IEC 27001:2013 A.16.1.5 • NIST SP 800-53 Rev. 4 CP-2, CP-10, IR-4, IR-8

Communications(RS.CO):Responseactivitiesarecoordinated

withinternalandexternal

stakeholders,asappropriate,to

includeexternalsupportfromlaw

enforcementagencies.

RS.CO-1:Personnelknowtheirrolesinorderofoperationswhenaresponse

isneeded.

• ISA 62443-2-1:2009 4.3.4.5.2, 4.3.4.5.3, 4.3.4.5.4 • ISO/IEC 27001:2013 A.6.1.1, A.16.1.1 • NIST SP 800-53 Rev. 4 CP-2, CP-3, IR-3, IR-8

RS.CO-2:Eventsarereportedconsistentwithestablishedcriteria.

• ISA 62443-2-1:2009 4.3.4.5.5 • ISO/IEC 27001:2013 A.6.1.3, A.16.1.2 • NIST SP 800-53 Rev. 4 AU-6, IR-6, IR-8

RS.CO-3:Informationisshared

consistentwithresponseplans.• ISA 62443-2-1:2009 4.3.4.5.2 • ISO/IEC 27001:2013 A.16.1.2 • NIST SP 800-53 Rev. 4 CA-2, CA-7, CP-2, IR-4, IR-8, PE-6,

RA-5, SI-4 RS.CO-4:Coordinationwithstakeholdersoccursconsistentwith

responseplans.

• ISA 62443-2-1:2009 4.3.4.5.5 • NIST SP 800-53 Rev. 4 CP-2, IR-4, IR-8

RS.CO-5:Voluntaryinformation

sharingoccurswithexternal

stakeholderstoachievebroader

cybersecuritysituationalawareness.

• NIST SP 800-53 Rev. 4 PM-15, SI-5

Analysis(RS.AN):Analysisisconductedtoensureadequate

responseandsupportrecovery

activities.

RS.AN-1:Notificationsfromdetection

systemsareinvestigated.• COBIT 5 DSS02.07 • ISA 62443-2-1:2009 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8 • ISA 62443-3-3:2013 SR 6.1 • ISO/IEC 27001:2013 A.12.4.1, A.12.4.3, A.16.1.5

Page 89: 2017 - CCSESA · The following text describes the use of the CCSF to accomplish the seven COBIT implementation phases, providing the following information about each phase: • The

ImplementingtheCCSESACybersecurityFramework(CCSF)–Version1.0

89|P a g e

Function Category Subcategory InformationReferences

• NIST SP 800-53 Rev. 4 AU-6, CA-7, IR-4, IR-5, PE-6, SI-4 RS.AN-2:Theimpactoftheincidentis

understood.• ISA 62443-2-1:2009 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8 • ISO/IEC 27001:2013 A.16.1.6 • NIST SP 800-53 Rev. 4 CP-2, IR-4

RS.AN-3:Forensicsareperformed.• ISA 62443-3-3:2013 SR 2.8, SR 2.9, SR 2.10, SR 2.11, SR

2.12, SR 3.9, SR 6.1 • ISO/IEC 27001:2013 A.16.1.7 • NIST SP 800-53 Rev. 4 AU-7, IR-4

RS.AN-4:Incidentsarecategorizedconsistentwithresponseplans.

• ISA 62443-2-1:2009 4.3.4.5.6 • ISO/IEC 27001:2013 A.16.1.4 • NIST SP 800-53 Rev. 4 CP-2, IR-4, IR-5, IR-8

Mitigation (RS.MI): Activities are performed to prevent expansion of an event, mitigate its effects, and eradicate the incident.

RS.MI-1: Incidents are contained.
• ISA 62443-2-1:2009 4.3.4.5.6
• ISA 62443-3-3:2013 SR 5.1, SR 5.2, SR 5.4
• ISO/IEC 27001:2013 A.16.1.5
• NIST SP 800-53 Rev. 4 IR-4

RS.MI-2: Incidents are mitigated.
• ISA 62443-2-1:2009 4.3.4.5.6, 4.3.4.5.10
• ISO/IEC 27001:2013 A.12.2.1, A.16.1.5
• NIST SP 800-53 Rev. 4 IR-4

RS.MI-3: Newly identified vulnerabilities are mitigated or documented as accepted risks.
• ISO/IEC 27001:2013 A.12.6.1
• NIST SP 800-53 Rev. 4 CA-7, RA-3, RA-5

Improvements (RS.IM): Organizational response activities are improved by incorporating lessons learned from current and previous detection/response activities.

RS.IM-1: Response plans incorporate lessons learned.
• COBIT 5 BAI01.13
• ISA 62443-2-1:2009 4.3.4.5.10, 4.4.3.4
• ISO/IEC 27001:2013 A.16.1.6
• NIST SP 800-53 Rev. 4 CP-2, IR-4, IR-8

RS.IM-2: Response strategies are updated.
• NIST SP 800-53 Rev. 4 CP-2, IR-4, IR-8

Recover (RC)

Recovery Planning (RC.RP): Recovery processes and procedures are executed and maintained to ensure timely restoration of systems or assets affected by cybersecurity events.

RC.RP-1: Recovery plan is executed during or after an event.
• CCS CSC 8
• COBIT 5 DSS02.05, DSS03.04
• ISO/IEC 27001:2013 A.16.1.5
• NIST SP 800-53 Rev. 4 CP-10, IR-4, IR-8

Improvements (RC.IM): Recovery planning and processes are improved by incorporating lessons learned into future activities.

RC.IM-1: Recovery plans incorporate lessons learned.
• COBIT 5 BAI05.07
• ISA 62443-2-1 4.4.3.4
• NIST SP 800-53 Rev. 4 CP-2, IR-4, IR-8

RC.IM-2: Recovery strategies are updated.
• COBIT 5 BAI07.08
• NIST SP 800-53 Rev. 4 CP-2, IR-4, IR-8

Communication (RC.CO): Restoration activities are coordinated with internal and external parties, such as coordinating centers, Internet Service Providers, owners of attacking systems, victims, other districts and vendors.

RC.CO-1: Public relations are managed.
• COBIT 5 EDM03.02

RC.CO-2: Reputation after an event is repaired.
• COBIT 5 MEA03.02

RC.CO-3: Recovery activities are communicated to internal stakeholders and executive and management teams.
• NIST SP 800-53 Rev. 4 CP-2, IR-4

Source: NIST, Framework for Improving Critical Infrastructure Cybersecurity, USA, 2014, Appendix A

Appendix E: CCSESA CCSF Toolkit

As discussed in Section 1, the CCSESA CCSF Toolkit is an Excel workbook that is broken down into the following worksheets:

• Profile Metadata
• Current Profile
• Target Profile
• Action Plan

The Toolkit is designed to provide you a pathway to implement the indicators contained within the CCSF.

Profile Metadata

The profile metadata table, shown in Figure B.1, is used to capture information regarding the district and the business unit or system(s) that are represented by the profile. This information is typically collected in phases 1 and 2 of the CCSF implementation process.

The following is provided as an example:

Figure B.1 – Profile Meta Template – Eastern High School District

Eastern Consolidated School District

District Infrastructure Sector: See Figure 2 for examples

District Business Unit/Sector/Campus: South Campus

District Current Profile Scope:
• Policies and standards relating to overall data security at the network, host, database and application levels have been established.
• Policies, standards and procedures have been established regarding the handling and protection of PII (Personally Identifiable Information) data.
• Data Loss Prevention (DLP) measures have been deployed.
• Effective Network Access Controls have been implemented.
• Intrusion Prevention/Detection (IPS/IDS) systems have been deployed.
• Privacy training has been conducted.
• Physical and logical security controls have been established at all sites containing PII data.
• An effective incident response program has been implemented.
• Customer PII data has been properly separated from corporate data.

Business Requirements:
• Personnel security
• Physical security
• Account and password management
• Confidentiality of Sensitive data
• Disaster/Recovery
• Security Awareness and education
• Compliance and audit

Risk Considerations:
• Enterprise security architecture
• Are we protecting what really matters?
• Is governance aligned with security?
• What threats are we up against?
• Are we planning for continuity?
• Do we have enough information to plan for risk?
• Is our data secure?

Risk Appetite Decisions:
• Ethical leadership has low risk.
• Academic reputation has low risk.
• Faculty risk is high.
• Student selection and retention has a high risk.
• Community risk is low.
• Financial resources are low.

Current State Profile

The current state profile is used to track the goals of the current cybersecurity program. The template includes a capability to identify how each subcategory within the framework is being obtained and the current implementation status of that capability. In many cases, districts update their current security policy and implement the new policy in a phased approach. The current state profile template allows districts to accurately represent their status in implementing current policies and procedures. Figure B.2 identifies the data points or topics recorded in the current state profile.

Topic | Required Information from CCSF | Examples
Function | Applicable Framework Function | Figure 11 – Components of the Framework Core
Category | Applicable Framework Category | Figure 12 – Framework Core Identifiers and Categories
Subcategory | Applicable Framework Sub-category | From Appendix A: Framework Core
Relevant COBIT Process | The COBIT 5 informative reference used to identify the district practices required to meet the goals of the CCSF subcategory. | From Appendix A: Framework Core
Implementation Status | The current achievement rating | Figure 17 – Achievement Rating Scale
Organizational Practices | The district practice, policy or procedure that is required to meet the intended goal of the subcategory. | Section 3: Relevant COBIT 5 Practices
Comments/Evidence | Narrative describing how the achievement rating was determined and any established ongoing actions toward the goal of the subcategory. |

Target State Profile

The target state profile provides an opportunity to capture the desired state of the cybersecurity program. The target state profile should be completed in a manner that identifies the protections and capabilities required to mitigate threats to the district. This risk-based approach ensures that all areas of the CCSF are addressed, with a focus being applied to those areas most likely to be attacked.

Topic | Required Information from CCSF | Examples
Function | Applicable Framework Function | Figure 11 – Components of the Framework Core
Category | Applicable Framework Category | Figure 12 – Framework Core Identifiers and Categories
Subcategory | Applicable Framework Sub-category | From Appendix A: Framework Core
Relevant COBIT Process | The COBIT 5 informative reference used to identify the district practices required to meet the goals of the CCSF subcategory. | From Appendix A: Framework Core
Implementation Status | The current achievement rating | Figure 17 – Achievement Rating Scale
Organizational Practices | The district practice, policy or procedure that is required to meet the intended goal of the subcategory. | Section 3: Relevant COBIT 5 Practices
Comments/Evidence | Narrative describing how the achievement rating was determined and any established ongoing actions toward the goal of the subcategory. |
Recommended Actions | The actions required to achieve the target state goals. | High level action items (leave the tactical planning to a project manager)
Resources Required | Organizational resources required to complete the recommended actions. | Infrastructure and human resources

Gap Analysis

For each of the subcategories in the Target Profile, consider the difference between the target level of achievement and the current level. Understanding the gaps between the current and target district policies and practices will highlight opportunities for improvement; understanding the relative impact on risk will help establish priority, schedule, and resource allocation. Using the information from the gap analysis, conduct the Activity Planning.

To achieve the desired outcomes as described in the CCSF and to attain the stakeholder goals identified in implementation Step 1, a comprehensive action plan is necessary. As part of the planning process, implementers should determine the appropriate authorities who will review, approve and track the activities and actions described. It is important that business/mission drivers inform and support these actions.

By linking the actions listed to the enterprise and technical goals (as described in the COBIT 5 goals cascade and as documented as part of implementation Step 1), actions will be assessable and prioritized to achieve the necessary value for the district. These priorities and the associated actions may be reviewed and adjusted through periodic checkpoint meetings such as quarterly briefings, program management reviews and security training exercises. A list of action plan data points is shown in Figure D.1.

Specific considerations for action planning may include the following:

• Are there educational-specific action plan processes?
• Who is responsible for defining actions within the plan?
• How often will action plans be reviewed and updated? By whom?
• What specific governance and management processes apply to education to help stay on track?
• What are the advantages to achieving a higher/lower tier?
• What are the disadvantages to achieving a higher/lower tier?
• What regulatory guidance is available to help select the appropriate tier for my district, if any?
• What agencies, groups, or consortia exist to support district compliance and security programs?
• How is feedback captured and disseminated throughout the district?

Figure D.1 – Action Plan Data Points

Action Plan Detail | Description
Action Identifier | Unique identifier assigned to a specific action for reference
Priority | District-defined priority for completing the action (H/M/L or 1-6)
Assumption/Constraints | District-defined factors that may impact the ability to complete the action. (Strategies should be planned to overcome each constraint)
Rationale | Identifies the rationale used to define the action. Links to Profile(s), or regulatory requirements, should be included when available.
Specific Action | The discrete, outcome-based action to be completed.
Resources Required | The district resources needed to complete the action. (Infrastructure or people)
Schedule/Milestones | Key milestones or schedules assigned to the specific action.
Status | Use Red/Amber/Green stoplights to signify the status of the action and identification of issues that may cause a scheduled milestone to be missed.
Prerequisites/dependencies | Identifies other actions or district factors that must be completed prior to this action being complete. Keep in mind that dependencies can be internal or external.
Action Assignee | Point of contact assigned the responsibility for tracking and ensuring that the action is completed.
Stakeholder roles | Internal and external district stakeholders of the action.
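The gap analysis and the seeding of Figure D.1 action-plan rows described above, as an added worked example in Python. This is not code from the CCSESA Toolkit workbook. It assumes, for illustration only, that achievement ratings are integers on a 0-5 scale standing in for the Figure 17 scale (which is not reproduced on this page), that the district assigns each subcategory a relative risk impact of 1 to 3, and that H/M/L priority follows constructed thresholds on the weighted gap; the subcategory identifiers are from Appendix A, and the sample ratings are constructed.

```python
"""Gap analysis over CCSF Current and Target Profiles.

Added example, not CCSESA Toolkit code. Assumptions (not from the guide):
achievement ratings are integers on a 0-5 scale standing in for Figure 17,
and each subcategory carries a district-assigned risk impact of 1 (low) to
3 (high) that weights its gap when ordering actions.
"""
from __future__ import annotations

from dataclasses import dataclass

SCALE_MIN, SCALE_MAX = 0, 5      # assumed stand-in for the Figure 17 scale
IMPACT_MIN, IMPACT_MAX = 1, 3    # assumed district risk-impact weighting


@dataclass(frozen=True)
class Gap:
    subcategory: str   # Appendix A identifier, e.g. "RS.AN-1"
    current: int       # Current Profile achievement rating
    target: int        # Target Profile achievement rating
    risk_impact: int   # district-assigned relative impact on risk

    @property
    def size(self) -> int:
        """Distance between the target and current achievement ratings."""
        return self.target - self.current

    @property
    def score(self) -> int:
        """Gap weighted by risk impact; this drives priority and schedule."""
        return self.size * self.risk_impact

    @property
    def priority(self) -> str:
        """Figure D.1 H/M/L priority from the weighted score (constructed thresholds)."""
        if self.score >= 6:
            return "H"
        if self.score >= 3:
            return "M"
        return "L"


def _check_range(subcategory: str, label: str, value: int, low: int, high: int) -> None:
    """Reject ratings or weights outside the assumed scales instead of silently ranking them."""
    if not low <= value <= high:
        raise ValueError(f"{subcategory}: {label} {value} outside {low}-{high}")


def gap_analysis(current: dict[str, int], target: dict[str, int],
                 risk_impact: dict[str, int]) -> list[Gap]:
    """Return the positive gaps, highest weighted score first.

    A Target Profile subcategory with no Current Profile rating is an error:
    the current state must be assessed before a gap can be stated.
    Subcategories already at or above target produce no action.
    """
    gaps = []
    for subcategory, target_rating in target.items():
        if subcategory not in current:
            raise KeyError(f"{subcategory} has no Current Profile rating")
        current_rating = current[subcategory]
        _check_range(subcategory, "current rating", current_rating, SCALE_MIN, SCALE_MAX)
        _check_range(subcategory, "target rating", target_rating, SCALE_MIN, SCALE_MAX)
        impact = risk_impact.get(subcategory, IMPACT_MIN)   # unweighted gaps count as low impact
        _check_range(subcategory, "risk impact", impact, IMPACT_MIN, IMPACT_MAX)
        gap = Gap(subcategory, current_rating, target_rating, impact)
        if gap.size > 0:
            gaps.append(gap)
    # Largest weighted score first; ties broken by raw gap, then by identifier for stable output.
    return sorted(gaps, key=lambda g: (-g.score, -g.size, g.subcategory))


def action_plan(gaps: list[Gap]) -> list[dict[str, str]]:
    """Seed Figure D.1 rows: identifier, priority and a rationale that links back to the Profiles."""
    return [
        {
            "Action Identifier": f"A-{n:03d}",
            "Priority": gap.priority,
            "Rationale": (f"{gap.subcategory}: current {gap.current}, "
                          f"target {gap.target}, risk impact {gap.risk_impact}"),
        }
        for n, gap in enumerate(gaps, start=1)
    ]


# Constructed sample profiles (ratings and weights are illustrative, not district data).
CURRENT_PROFILE = {"RS.AN-1": 2, "RS.AN-3": 1, "RS.MI-1": 3, "RC.RP-1": 1, "RS.CO-5": 4}
TARGET_PROFILE = {"RS.AN-1": 4, "RS.AN-3": 3, "RS.MI-1": 3, "RC.RP-1": 4, "RS.CO-5": 3}
RISK_IMPACT = {"RS.AN-1": 2, "RS.AN-3": 1, "RS.MI-1": 3, "RC.RP-1": 3, "RS.CO-5": 1}

if __name__ == "__main__":
    for row in action_plan(gap_analysis(CURRENT_PROFILE, TARGET_PROFILE, RISK_IMPACT)):
        print(row)
```

With the constructed sample, RC.RP-1 (gap 3, impact 3) is ranked first as a high priority, RS.AN-1 (gap 2, impact 2) medium, and RS.AN-3 (gap 2, impact 1) low; RS.MI-1 is already at target and RS.CO-5 exceeds it, so neither produces an action. The checks on scale and on missing Current Profile ratings are there because a gap computed from an unassessed or out-of-scale rating would be ranked with false confidence.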


Appendix F: Considerations for Critical Infrastructure Sectors

The CCSF was developed as directed by EO 13636, in direct support of the critical infrastructure community. For enterprises that are identified with one of the sixteen critical infrastructure sectors listed in Figure 2, or enterprises that support entities in those sectors, the following considerations may be helpful for implementing the CCSF in that context.

Role Identification

From the President of the School Board to the IT System Administrator, roles vary widely among critical infrastructure providers. The CCSF generally classifies these roles into three categories as described in Appendix B. The reader is encouraged to determine the applicable titles of each role and refer specifically to those titles in planning/operations/monitoring documents. Doing so will aid in the education and implementation of cybersecurity activities without confusion about disparate role identification.

Implementation Scope

The applicable scope for CCSF implementation will vary with each enterprise. Some entities may take an exploratory approach and apply CCSF to a sub-entity to gain experience, while others may apply it to the entire enterprise at once. Such decisions are typically based on district business needs and budgets.

The reader should determine whether any legal and/or regulatory drivers will affect that scope. For example, the Health Insurance Portability and Accountability Act (HIPAA) describes specific objectives for “Meaningful Use” of certified electronic health record technology. Jurisdictional considerations may also impact the scope decisions: legal considerations in one country may be quite different from those in another portion of the world. These external drivers may influence the goals considered and the actions taken to improve cybersecurity.

Risk Considerations

Determination of the enterprise risk architecture is an important element of implementation Step 1 because many of the subsequent activities support maintaining a balance between realizing benefits and optimizing risk levels and resource use.

Many critical information sectors are subject to external drivers that impact those risk decisions. The financial sector, for example, has many factors that influence acceptable risk considerations. Documentation of these considerations and factors during Step 1 will support subsequent steps and will ensure that these important stakeholder goals are attained and tracked in accordance with regulatory management and reporting requirements.

Quality Management

Quality management overlays closely with effective cybersecurity practices. COBIT 5 process APO11 Manage quality describes the use and maintenance of a Quality Management System (QMS). Management practice APO11.01 states, “Establish and maintain a QMS that provides a standard, formal and continuous approach to quality management for information, enabling technology and business processes that are aligned with business requirements and enterprise quality management.”

Applying the APO11 management practices helps the district define and manage quality standards, practices, and procedures in accord with the prioritization and risk decisions agreed on in the CCSF Implementation steps described earlier in this document. Focusing quality management on customers and the stakeholder goals (as established in Phases 1 and 2), and integrating those quality management processes as part of the action plan will help ensure alignment with mission needs. Performing quality monitoring, control and reviews helps ensure that district processes and technology are delivering value to the business, continuous improvement and transparency for stakeholders.

Critical infrastructure providers may have additional QMS requirements for enterprise systems. The relevant goals for management of such a QMS should be considered when developing Profiles and determining actions. Such readers may be guided by standards in the ISO 9000 family, including:

• ISO 9001:2008 – Sets out the requirements of a QMS
• ISO 9000:2005 – Covers the basic concepts and language
• ISO 9004:2009 – Focuses on how to make a QMS more efficient and effective
• ISO 19011:2011 – Sets out guidance on internal and external audits of QMS

Threat and Vulnerability Information

Members of the critical infrastructure community are particular targets of cybersecurity threats, often through innovative attack vectors. US users are especially encouraged to work with applicable groups such as Information Sharing and Analysis Centers (ISACs) and the Department of Homeland Security, including the US Computer Emergency Readiness Team (CERT). InfraGard, a partnership between the Federal Bureau of Investigation (FBI) and the private sector, is also helpful. It is an association of people who represent businesses, academic institutions, state and local law enforcement agencies, and other participants dedicated to sharing information and intelligence to prevent hostile acts.

The National Council of ISACs (NCI) may be helpful in identifying ways to assist in enterprise threat and vulnerability understanding. NCI exists to advance the physical and cybersecurity of the critical infrastructures of North America by establishing and maintaining a framework for valuable interaction between and among the ISACs and with government.

The Industrial Control System ISAC (ICS-ISAC) established a project known as the Situational Awareness Reference Architecture (SARA). SARA’s objective is to compile and publish an applied guide to the processes, practices, standards and technologies which facilities and others can use to establish situational awareness.

Enterprises should determine the conditions under which a vulnerability may be addressed. For example, some critical systems may not be able to be shut down to support an important patch, so mitigating controls should be identified to ensure appropriate means to achieve enterprise goals for both availability and security. These considerations apply to all people, processes and technology (as described in Section 1) that enable business functions.

Automated Indicator Sharing

The NIST Roadmap for Improving Critical Infrastructure Cybersecurity recommends the use of automated sharing of indicator information to provide districts with timely, actionable information that they can use to detect and respond to cybersecurity events as they are occurring. Recent intrusions have indicated that adversaries attack multiple sector participants at once, such as recent denial-of-service attacks against many members of the financial sector.

NIST recommends that districts “use a combination of standard and proprietary mechanisms to exchange indicators that can be used to bolster defenses and to support early detection of future attack attempts. These mechanisms have differing strengths and weaknesses and often require districts to maintain specific process, personnel, and technical capabilities.” CCSF implementers are encouraged to work with NIST and sector leadership to adopt and improve practical approaches to achieve automated indicator sharing.

Supply Chain Risk Management

Similarly, NIST promotes increased adoption of standards for supply chain risk management. NIST says that the “adoption of supply chain risk management standards, practices and guidelines requires greater awareness and understanding of the risk associated with the time-sensitive interdependencies throughout the supply chain, including in and between critical infrastructure sectors/subsectors. This understanding is vital to enable districts to assess their risk, prioritize, and allow for timely mitigation.”

CSF implementers are encouraged to include supply chain risk as a subset of the broad risk assessment and risk management activities. More information about supply chain risk management is available from NIST’s Computer Security Division.

Current and Target Profiles

During the initial development of the NIST guideline, it was pointed out that the leadership of individual sectors (e.g., sector supporting agencies, sector councils, participating companies) might provide specific guidance on creation and maintenance of Current and Target Profiles. Such guidance might include: mapping from the CCSF Core to compliance frameworks, criteria for determining the thresholds described in Figure 17 or recommendations regarding Core Subcategories.

Framework Next Steps

In announcing the launch of the CCSF, the Special Assistant to the US President and the US Cybersecurity Coordinator, Michael Daniel, made three requests that are especially significant for the US critical infrastructure community:

• “We need you to kick the tires. We need districts to begin using the Framework and see how well it can work for different sizes and types of districts.”

• “We need your feedback to make the Framework better. We need you to share your experience with us on how using the Framework worked—or didn’t work—for your district. Feedback is essential to improving the Framework and making it better in future versions.”

• “In short, we need your continued engagement. The Framework is intended to be a living document. We need your collective experience and knowledge to make it better over time.”

CCSESA encourages all who implement this initial version of the Cybersecurity Framework to help improve its value, to provide feedback to the CCSF community and help this framework achieve its goal of improving cybersecurity risk management. Through CCSESA’s leadership and the new Cybersecurity Nexus (CSX), California districts can be particularly helpful to achieve that goal and safeguard enterprises around the globe.