Implementing the NIST Cybersecurity Framework


Upload: dothien

Post on 03-May-2018


TRANSCRIPT

Page 1

“The cyber threat to critical infrastructure continues to grow and represents one of the most serious national security challenges we must confront.”

— US President Barack Obama

As cybersecurity increasingly becomes a national security issue, governments are taking a more active role in defining responses to cyber threats. In response to Executive Order 13636 (Improving Critical Infrastructure Cybersecurity), issued by President Obama in February 2013, the US National Institute of Standards and Technology (NIST) released version 1.0 of its Framework for Improving Critical Infrastructure Cybersecurity in February 2014.

The framework comprises five Functions of cybersecurity activity (Identify, Protect, Detect, Respond and Recover), three of which concern detecting, responding to and recovering from incidents. These Functions are further divided into Categories, which correspond to domains of information security, and Subcategories, which express outcomes or control objectives within those domains.

As a consequence, business executives are now asking: “Does our information security program align with the NIST Cybersecurity Framework?” You want to answer that question, but where do you start? Members of the ISF are equipped to give a comprehensive and accurate response.

The ISF has created a mapping between the NIST Cybersecurity Framework and its own Standard of Good Practice for Information Security (the Standard) – a respected resource that is already implemented by many global organisations. Members can use the mapping to determine which of their current controls satisfy the corresponding control objectives in the NIST Cybersecurity Framework, and thus demonstrate their alignment with it.

Using the NIST Cybersecurity Framework – together with the ISF’s Standard of Good Practice and other information risk management tools – will enable you to demonstrate effectively to your stakeholders the progress you have made in building a robust cyber resilience approach.

Implementing the NIST Cybersecurity Framework

What next?

Reference: ISF 14 NIST. Copyright © 2014 Information Security Forum Limited. All rights reserved. Classification: Public

The ISF’s Standard of Good Practice for Information Security (the Standard), Benchmark, ISF Risk Manager and Cyber Resilience Framework Diagnostic Tools – supported by the wide range of ISF materials – are all available from the ISF website.

ISF reports and tools provide in-depth best practice guidance that helps business leaders and information security practitioners to combat the escalating security threats from activities such as cybercrime, hacktivism, insider crime and espionage by:

• describing the similarities and connections between cybersecurity and information security

• explaining cyberspace, cybersecurity, the nature of the cyber threat and the concept of cyber resilience

• providing policy and standards-based advice and guidance through the annually updated Standard of Good Practice for Information Security (the Standard)

• introducing the new ISF Benchmark Service, which allows organizations to assess their security controls and incidents across a range of different environments and activities

• using the ISF Risk Manager to analyze business information risk across your enterprise and selecting effective approaches for treating these risks

• outlining practical steps organisations can take to customise and implement the ISF’s Cyber Resilience Framework.

Our research and tools are available at no cost to ISF Member companies. Non-Members are able to purchase reports and use the ISF Benchmark Service and ISF Risk Manager.

Contact

For more information, please contact:
Steve Durbin, Managing Director
US Tel: +1 (347) 767 6772
UK Tel: +44 (0)20 3289 5884
UK Mobile: +44 (0)7785 953 800
Email: [email protected]
Web: www.securityforum.org

About the ISF

Founded in 1989, the Information Security Forum (ISF) is an independent, not-for-profit association of leading organizations from around the world. It is dedicated to investigating, clarifying and resolving key issues in cyber, information security and risk management by developing best practice methodologies, processes and solutions that meet the business needs of its Members.

ISF Members benefit from harnessing and sharing in-depth knowledge and practical experience drawn from within their organizations and developed through an extensive research and work programme. The ISF provides a confidential forum and framework, which ensures that Members adopt leading-edge information security strategies and solutions. By working together, Members avoid the major expenditure required to reach the same goals on their own.

Disclaimer

This document has been published to provide general information only. It is not intended to provide advice of any kind. Neither the Information Security Forum nor Information Security Forum Limited accepts any responsibility for the consequences of any use you make of the information contained in this document.

The ISF can provide you with the necessary support to carry out a cybersecurity assessment on your organisation through our Services to Assist. By using ISF tools, research and analyst support services, ISF Members are able to build a robust cyber resilience capability that is in alignment with the NIST Cybersecurity Framework and other industry standards.

Page 2

The Cybersecurity Framework from the US National Institute for Standards and Technology: Coverage by Topics in the ISF Standard of Good Practice for Information Security

Notes to the mapping table:

… Subcategories of the NIST Cybersecurity Framework. The Subcategories of the Framework can be understood as control objectives. The references in the “ISF Standard of Good Practice References” column are Topic names in the Standard of Good Practice. These topics provide control guidance which will help Members achieve the corresponding control objective, and thus demonstrate their alignment with it.

… Topics of [Fundamental] type should be considered the primary references for each subcategory; other Topics may include supplemental material relevant to the subcategory. While not every …

Row of the PROTECT table that runs on to this page (the remainder of the row is not on this page):

(Continued) PR.IP-9: Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed
    CF20.1 Business Continuity Strategy, CF20.2 Business Continuity Programme, CF20.3 Resilience, CF20.4 Crisis Management, …

Reference: ISF 14 MKG NIST/STANDARD. Copyright © 2014 Information Security Forum Limited. All rights reserved.

The ISF Standard of Good Practice for Information Security – June 2014

2014 Standard of Good Practice for Information Security: Categories and Topics List

Warning

This document is confidential and is intended for the attention of and use by either organisations that are Members of the Information Security Forum (ISF) or by persons who have purchased it from the ISF direct. If you are not a Member of the ISF or have received this document in error, please destroy it or contact the ISF on [email protected]. Any storage or use of this document by organisations which are not Members of the ISF or who have not validly acquired the report directly from the ISF is not permitted and strictly prohibited. This document has been produced with care and to the best of our ability. However, both the Information Security Forum and the Information Security Forum Limited accept no responsibility for any problems or incidents arising from its use.

Classification: Restricted to ISF Members, ISF Service Providers and non-Members who have acquired the document from the ISF.

Reference: ISF 14 06 03 Copyright © 2014 Information Security Forum Limited. All rights reserved. www.securityforum.org

SECURITY GOVERNANCE Type

SG1 Security Governance Approach

SG1.1 Security Governance Framework F

SG1.2 Security Direction F

SG2 Security Governance Components

SG2.1 Information Security Strategy S

SG2.2 Stakeholder Value Delivery S

SG2.3 Information Security Assurance Programme F

SECURITY REQUIREMENTS Type

SR1 Information Risk Assessment

SR1.1 Managing Information Risk Assessment F

SR1.2 Information Risk Assessment Methodologies F

SR1.3 Confidentiality Requirements F

SR1.4 Integrity Requirements F

SR1.5 Availability Requirements F

SR1.6 Information Risk Treatment F

SR2 Compliance

SR2.1 Legal and Regulatory Compliance F

SR2.2 Information Privacy F

CONTROL FRAMEWORK Type

CF1 Security Policy and Organisation

CF1.1 Information Security Policy F

CF1.2 Information Security Function F

CF2 Human Resource Security

CF2.1 Staff Agreements F

CF2.2 Security Awareness Programme F

CF2.3 Security Awareness Messages F

CF2.4 Security Education/Training F

CF2.5 Roles and Responsibilities F

CF3 Asset Management

CF3.1 Information Classification S

CF3.2 Document Management S

CF3.3 Sensitive Physical Information F

CF3.4 Asset Register F

CF4 Business Applications

CF4.1 Application Protection F

CF4.2 Browser-based Application Protection F

CF4.3 Information Validation F

CF5 Customer Access

CF5.1 Customer Access Arrangements F

CF5.2 Customer Contracts S

CF5.3 Customer Connections F

CF6 Access Management

CF6.1 Access Control F

CF6.2 User Authorisation F

CF6.3 Access Control Mechanisms F

CF6.4 Access Control Mechanisms – Password S

CF6.5 Access Control Mechanisms – Token S

CF6.6 Access Control Mechanisms – Biometric S

CF6.7 Sign-on Process F

CONTROL FRAMEWORK (continued) Type

CF7 System Management

CF7.1 Computer and Network Installations F

CF7.2 … Configuration F

CF7.3 Virtual Servers S

CF7.4 Network Storage Systems S

CF7.5 Backup F

CF7.6 Change Management F

CF7.7 Service Level Agreements F

CF8 Technical Security Infrastructure

CF8.1 Security Architecture S

CF8.2 Identity and Access Management S

CF8.3 Critical Infrastructure S

CF8.4 Cryptographic Solutions S

CF8.5 Cryptographic Key Management S

CF8.6 Public Key Infrastructure S

CF8.7 Information Leakage Protection S

CF8.8 Digital Rights Management S

CF9 Network Management

CF9.1 … Configuration F

CF9.2 Physical Network Management F

CF9.3 External Network Connections F

CF9.4 Firewalls F

CF9.5 Remote Maintenance F

CF9.6 Wireless Access F

CF9.7 Voice over IP (VoIP) Networks S

CF9.8 Telephony and Conferencing S

CF10 Threat and Vulnerability Management

CF10.1 System and Software Vulnerability Management F

CF10.2 Malware Awareness F

CF10.3 Malware Protection Software F

CF10.4 Security Event Logging F

CF10.5 System/Network Monitoring F

CF10.6 Intrusion Detection F

CF11 Incident Management

CF11.1 Information Security Incident Management F

CF11.2 Cybercrime Attacks S

CF11.3 Emergency Fixes F

CF11.4 Forensic Investigations S

CF12 Local Environments

CF12.1 Local Environment Profile S

CF12.2 Local Security Co-ordination S

CF12.3 Office Equipment S

CF13 Desktop Applications

CF13.1 Inventory of Desktop Applications S

CF13.2 Protection of Spreadsheets S

CF13.3 Protection of Databases S

CF13.4 Desktop Application Development S

CF14 Mobile Computing

CF14.1 Remote Environments S

CF14.2 … Configuration F

CF14.3 Mobile Device Connectivity F

CF14.4 Portable Storage Devices F

CF14.5 Consumer Devices and BYOD F

CONTROL FRAMEWORK (continued) Type

CF15 Electronic Communications

CF15.1 Email F

CF15.2 Instant Messaging S

CF16 External Supplier Management

CF16.1 External Supplier Management Process F

CF16.2 Hardware/Software Acquisition F

CF16.3 Outsourcing S

CF16.4 Cloud Computing Policy F

CF16.5 Cloud Service Contracts F

CF17 System Development Management

CF17.1 System Development Methodology F

CF17.2 System Development Environments F

CF17.3 Quality Assurance F

CF18 Systems Development Lifecycle

CF18.1 Specifications of Requirements F

CF18.2 System Design F

CF18.3 System Build F

CF18.4 Systems Testing F

CF18.5 Security Testing F

CF18.6 System Promotion Criteria F

CF18.7 Installation Process F

CF18.8 Post-implementation Review F

CF19 Physical and Environmental Security

CF19.1 Physical Protection F

CF19.2 Power Supplies F

CF19.3 Hazard Protection F

CF20 Business Continuity

CF20.1 Business Continuity Strategy S

CF20.2 Business Continuity Programme S

CF20.3 Resilience S

CF20.4 Crisis Management F

CF20.5 Business Continuity Planning F

CF20.6 Business Continuity Arrangements F

CF20.7 Business Continuity Testing F

SECURITY MONITORING AND IMPROVEMENT Type

SI1 Security Audit

SI1.1 Security Audit Management F

SI1.2 Security Audit Process – Planning F

SI1.3 Security Audit Process – Fieldwork F

SI1.4 Security Audit Process – Reporting F

SI1.5 Security Audit Process – Monitoring F

SI2 Security Performance

SI2.1 Security Monitoring F

SI2.2 Information Risk Reporting S

SI2.3 Monitoring Information Security Compliance S

KEY: F = Fundamental topic; S = Specialised topic

Additional ISF solutions

Benchmark

The ISF Benchmark tool provides an objective assessment approach that enables you to measure the effectiveness of your security investments, and compare your security posture against that of hundreds of other organizations.

ISF’s Standard of Good Practice for Information Security (the Standard) provides a comprehensive control set which will enable you to meet the control objectives set out in the NIST Cybersecurity Framework. The Standard extends well beyond the topics defined in the framework to include coverage of essential and emerging topics such as information security governance, supply chain management, data privacy, cloud security, information security audit, and mobile device security.

Features of the ISF’s Standard of Good Practice

• A comprehensive control set covering all topics of information security

• A twenty-year history of frequent updates including the latest emerging topics and issues

• Based on real-world experiences of Members as well as other international standards

• Scalable, so it can be implemented by organizations of all sizes

• Practical control statements providing specific guidance on what to do

Benefits of using the ISF’s Standard of Good Practice to implement the NIST Cybersecurity Framework

• You can rely on a well-established, robust control set with sufficient detail to address the control objectives in the framework

• The Standard of Good Practice controls cover not just technical topics, but include the operational and governance controls necessary to maintain a resilient information security program

• You can assess your existing security arrangements against the Standard of Good Practice controls to determine how well you are currently satisfying the control objectives in the framework

Information Risk Analysis Methodology (IRAM)

ISF’s Information Risk Analysis Methodology (IRAM) is a comprehensive risk management tool that your organization can use to evaluate threats and vulnerabilities, and prioritize and validate investments in information security initiatives accordingly.

Research Program and ISF Accelerator Tools

Organizations use the ISF’s extensive Research Program and Accelerator Tools to improve resilience and competitiveness as the business environment continues to change. Topics covered include: Cyber Security Strategies, Engaging with The Board, Securing the Supply Chain, Information Security Governance, Managing BYOD Risk, Cloud, Big Data and the Threat Horizon series.

The NIST Cybersecurity Framework organizes cybersecurity activities into five Functions (Identify, Protect, Detect, Respond and Recover), which are further subdivided into a structured set of Categories and Subcategories; the Subcategories are equivalent to control objectives. Although the framework is voluntary and intended as guidance rather than a formal standard, one of its development goals was to provide security practitioners with a common language for cybersecurity. This common language makes use of familiar topics in information security, and clearly expressed control objectives within those topics.

The ISF has created a mapping between the NIST Cybersecurity Framework and its own Standard of Good Practice for Information Security (the Standard). Members can use the mapping to determine which of their current controls satisfy the corresponding control objectives in the NIST Cybersecurity Framework, and thus demonstrate their alignment with it. The mapping addresses the Framework Core only; the Implementation Tier an organisation operates at and the Target Profile it selects are treated separately by the Framework and are not established by the mapping.


Columns: Function | Category | Subcategory | ISF Standard of Good Practice References

IDENTIFY (ID)

Asset Management (ID.AM): The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to business objectives and the organization’s risk strategy.

ID.AM-1: Physical devices and systems within the organization are inventoried
    CF3.4 Asset Register, CF7.1 Computer and Network Installations, CF12.3 Office Equipment, CF20.5 Business Continuity Planning

ID.AM-2: Software platforms and applications within the organization are inventoried
    CF3.4 Asset Register, CF7.6 Change Management, CF13.1 Inventory of Desktop Applications, CF20.5 Business Continuity Planning

ID.AM-3: Organizational communication and data flows are mapped
    CF3.1 Information Classification, CF8.7 Information Leakage Protection, CF8.8 Digital Rights Management, CF9.2 Physical Network Management

ID.AM-4: External information systems are catalogued
    CF16.1 External Supplier Management Process, CF16.3 Outsourcing

ID.AM-5: Resources (e.g., hardware, devices, data, and software) are prioritized based on their classification, criticality, and business value
    CF3.1 Information Classification, CF3.4 Asset Register, SR1.3 Confidentiality Requirements, SR1.4 Integrity Requirements, SR1.5 Availability Requirements

ID.AM-6: Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g., suppliers, customers, partners) are established
    CF2.5 Roles and Responsibilities, CF2.1 Staff Agreements

Business Environment (ID.BE): The organization’s mission, objectives, stakeholders, and activities are understood and prioritized; this information is used to inform cybersecurity roles, responsibilities, and risk management decisions.

ID.BE-1: The organization’s role in the supply chain is identified and communicated
    CF16.1 External Supplier Management Process, CF16.2 Hardware/Software Acquisition, CF16.3 Outsourcing

ID.BE-2: The organization’s place in critical infrastructure and its industry sector is identified and communicated
    SG2.1 Information Security Strategy, SR2.1 Legal and Regulatory Compliance, CF8.3 Critical Infrastructure

ID.BE-3: Priorities for organizational mission, objectives, and activities are established and communicated
    SG1.2 Security Direction, SG2.1 Information Security Strategy, SG2.2 Stakeholder Value Delivery

ID.BE-4: Dependencies and critical functions for delivery of critical services are established
    CF12.1 Local Environment Profile, CF1.2 Information Security Function, CF2.5 Roles and Responsibilities, CF8.1 Security Architecture, CF8.3 Critical Infrastructure

ID.BE-5: Resilience requirements to support delivery of critical services are established
    CF20.1 Business Continuity Strategy, CF20.2 Business Continuity Programme, CF20.3 Resilience

Governance (ID.GV): The policies, procedures, and processes to manage and monitor the organization’s regulatory, legal, risk, environmental, and operational requirements are understood and inform the management of cybersecurity risk.

ID.GV-1: Organizational information security policy is established
    CF1.1 Information Security Policy

ID.GV-2: Information security roles & responsibilities are coordinated and aligned with internal roles and external partners
    SG1.2 Security Direction, CF1.2 Information Security Function, CF2.5 Roles and Responsibilities, SG1.1 Security Governance Framework

ID.GV-3: Legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations, are understood and managed
    SR2.1 Legal and Regulatory Compliance, SR2.2 Information Privacy, SI2.3 Monitoring Information Security Compliance

ID.GV-4: Governance and risk management processes address cybersecurity risks
    SG1.1 Security Governance Framework, SR1.1 Managing Information Risk Assessment, SG2.3 Information Security Assurance Programme, SR1.2 Information Risk Assessment Methodologies, SR1.3 Confidentiality Requirements, SR1.4 Integrity Requirements, SR1.5 Availability Requirements, SR1.6 Information Risk Treatment, SI2.2 Information Risk Reporting

Risk Assessment (ID.RA): The organization understands the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals.

ID.RA-1: Asset vulnerabilities are identified and documented
    SR1.1 Managing Information Risk Assessment, CF3.4 Asset Register, CF10.1 System and Software Vulnerability Management, SI2.2 Information Risk Reporting

ID.RA-2: Threat and vulnerability information is received from information sharing forums and sources
    SG2.3 Information Security Assurance Programme, SR1.1 Managing Information Risk Assessment, SR1.2 Information Risk Assessment Methodologies, CF10.1 System and Software Vulnerability Management

ID.RA-3: Threats, both internal and external, are identified and documented
    SG2.3 Information Security Assurance Programme, SR1.1 Managing Information Risk Assessment, SR1.2 Information Risk Assessment Methodologies

ID.RA-4: Potential business impacts and likelihoods are identified
    SR1.3 Confidentiality Requirements, SR1.4 Integrity Requirements, SR1.5 Availability Requirements
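The mapping is meant to be used as a gap analysis: given the ISF topics an organisation already has in place, which Subcategories are satisfied, with Fundamental-type topics treated as the primary references and Specialised topics as supplemental (see the Key to the topic list). The following Python is an added example and not ISF's own tooling. It transcribes the nineteen Identify-function rows above and the F/S type codes from the Categories and Topics List; the set of "implemented" topics is a constructed sample organisation, not real data. One assumption it makes: where a Subcategory references no Fundamental topic at all (for example ID.BE-5), all of its references count as primary, otherwise such rows would be reported as covered by default.

```python
"""Gap analysis against the ISF -> NIST CSF mapping (added example, not ISF tooling).

MAPPING and TOPIC_TYPE are transcribed from this page (Identify rows and the
2014 topic list).  SAMPLE_IMPLEMENTED is a constructed organisation.
Assumption: a subcategory with no Fundamental reference treats all refs as primary.
"""
from collections import Counter

# Topic type from the Categories and Topics List: F = Fundamental, S = Specialised.
TOPIC_TYPE = {
    "SG1.1": "F", "SG1.2": "F", "SG2.1": "S", "SG2.2": "S", "SG2.3": "F",
    "SR1.1": "F", "SR1.2": "F", "SR1.3": "F", "SR1.4": "F", "SR1.5": "F",
    "SR1.6": "F", "SR2.1": "F", "SR2.2": "F", "CF1.1": "F", "CF1.2": "F",
    "CF2.1": "F", "CF2.5": "F", "CF3.1": "S", "CF3.4": "F", "CF7.1": "F",
    "CF7.6": "F", "CF8.1": "S", "CF8.3": "S", "CF8.7": "S", "CF8.8": "S",
    "CF9.2": "F", "CF10.1": "F", "CF12.1": "S", "CF12.3": "S", "CF13.1": "S",
    "CF16.1": "F", "CF16.2": "F", "CF16.3": "S", "CF20.1": "S", "CF20.2": "S",
    "CF20.3": "S", "CF20.5": "F", "SI2.2": "S", "SI2.3": "S",
}

# NIST CSF subcategory -> ISF topics the mapping table references for it.
MAPPING = {
    "ID.AM-1": ["CF3.4", "CF7.1", "CF12.3", "CF20.5"],
    "ID.AM-2": ["CF3.4", "CF7.6", "CF13.1", "CF20.5"],
    "ID.AM-3": ["CF3.1", "CF8.7", "CF8.8", "CF9.2"],
    "ID.AM-4": ["CF16.1", "CF16.3"],
    "ID.AM-5": ["CF3.1", "CF3.4", "SR1.3", "SR1.4", "SR1.5"],
    "ID.AM-6": ["CF2.5", "CF2.1"],
    "ID.BE-1": ["CF16.1", "CF16.2", "CF16.3"],
    "ID.BE-2": ["SG2.1", "SR2.1", "CF8.3"],
    "ID.BE-3": ["SG1.2", "SG2.1", "SG2.2"],
    "ID.BE-4": ["CF12.1", "CF1.2", "CF2.5", "CF8.1", "CF8.3"],
    "ID.BE-5": ["CF20.1", "CF20.2", "CF20.3"],
    "ID.GV-1": ["CF1.1"],
    "ID.GV-2": ["SG1.2", "CF1.2", "CF2.5", "SG1.1"],
    "ID.GV-3": ["SR2.1", "SR2.2", "SI2.3"],
    "ID.GV-4": ["SG1.1", "SR1.1", "SG2.3", "SR1.2", "SR1.3", "SR1.4",
                "SR1.5", "SR1.6", "SI2.2"],
    "ID.RA-1": ["SR1.1", "CF3.4", "CF10.1", "SI2.2"],
    "ID.RA-2": ["SG2.3", "SR1.1", "SR1.2", "CF10.1"],
    "ID.RA-3": ["SG2.3", "SR1.1", "SR1.2"],
    "ID.RA-4": ["SR1.3", "SR1.4", "SR1.5"],
}

# Constructed sample: topics a hypothetical organisation has already implemented.
SAMPLE_IMPLEMENTED = frozenset({
    "CF3.4", "CF7.1", "CF20.5", "CF3.1", "CF16.1", "CF1.1",
    "CF2.5", "CF2.1", "SR1.3", "SR1.4", "SR1.5",
})


def unknown_topics(mapping=MAPPING, types=TOPIC_TYPE):
    """Consistency check: every referenced topic needs a type code (catches transcription slips)."""
    return sorted({t for refs in mapping.values() for t in refs if t not in types})


def primary_refs(subcat, mapping=MAPPING, types=TOPIC_TYPE):
    """Fundamental topics are the primary references; if a row has none, all its refs are primary."""
    refs = mapping[subcat]
    fundamental = [t for t in refs if types[t] == "F"]
    return fundamental or list(refs)


def assess(implemented, mapping=MAPPING, types=TOPIC_TYPE):
    """Per subcategory: 'covered' (all primary refs in place), 'partial' (some ref in place) or 'gap'."""
    report = {}
    for subcat, refs in mapping.items():
        primary = primary_refs(subcat, mapping, types)
        missing_primary = [t for t in primary if t not in implemented]
        missing_supplemental = [t for t in refs if t not in primary and t not in implemented]
        if not missing_primary:
            status = "covered"
        elif any(t in implemented for t in refs):
            status = "partial"
        else:
            status = "gap"
        report[subcat] = {"status": status, "missing_primary": missing_primary,
                          "missing_supplemental": missing_supplemental}
    return report


def summary(report):
    """Number of subcategories in each status."""
    return dict(Counter(r["status"] for r in report.values()))


def next_topics(implemented, n=5, mapping=MAPPING, types=TOPIC_TYPE):
    """Unimplemented primary topics ranked by how many uncovered subcategories each would help close."""
    counts = Counter()
    for r in assess(implemented, mapping, types).values():
        counts.update(r["missing_primary"])
    return counts.most_common(n)


if __name__ == "__main__":
    assert not unknown_topics(), unknown_topics()
    rep = assess(SAMPLE_IMPLEMENTED)
    for sc, r in rep.items():
        print(f"{sc:8} {r['status']:8} missing primary: {', '.join(r['missing_primary']) or '-'}")
    print("summary:", summary(rep))
    print("do next:", next_topics(SAMPLE_IMPLEMENTED))
```

For the sample organisation the report marks six Subcategories covered, seven partial and six as gaps, and ranks SR1.1 Managing Information Risk Assessment as the single topic that would advance the most uncovered rows, which is the kind of prioritisation the mapping is intended to support. Extending the script to the whole Framework means adding the remaining table rows to MAPPING and their type codes to TOPIC_TYPE; unknown_topics() flags any reference that is missed.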

The NIST Cybersecurity Framework

The ISF Standard of Good Practice for Information Security mapping to the NIST Cybersecurity Framework

Your route to alignment with the NIST Cybersecurity Framework