NIST CSF Flashcards
What are the different Tiers?
1. Partial
2. Risk Informed
3. Repeatable
4. Adaptive
What are the three cybersecurity management practice areas being measured under the different Tiers?
1. Risk Management Process
2. Integrated Risk Management Program
3. External Participation
What does Risk Management Process mean?
The functionality and repeatability of cybersecurity risk management
- How much is the organization involved in the risk management process?
What does Integrated Risk Management Program mean?
The extent to which cybersecurity is considered in broader risk management decisions
- How well is cybersecurity risk integrated into the overall business risk of the organization? How much is cybersecurity considered in overall risk management?
What does External Participation mean?
The degree to which the organization: 1. monitors and manages supply chain risk, and 2. benefits by sharing or receiving information from external parties
- How well does the organization coordinate, collaborate, and share information back and forth with other organizations?
What is a Profile?
A particular customization of the CSF Core for an organization or sector based on their unique requirements
What are the three main inputs that determine a CSF Profile?
1. Business Objectives
2. Security Requirements
3. Technical Environment
If the CSF is an overall cybersecurity management model, then what is the RMF?
It falls under CSF for Risk Management, which has “tasks” that link back to CSF functions
What are some of the most comparable frameworks to the CSF?
- CIS (Center for Internet Security) CSC
- COBIT 5
- ISA
- ISO/IEC
- NIST SP 800-53
What are the 5 CSF Functions?
1. Identify (ID)
2. Protect (PR)
3. Detect (DE)
4. Respond (RS)
5. Recover (RC)
For ID, the organization must identify what?
- Systems and data
- Critical business processes that depend on those systems and data
- The weaknesses and strengths associated with those systems
- All resources (people, technology, money, equipment, facilities)
- Vulnerabilities, threats, likelihood, impact, and frequency and overall risk
- Governance (laws, regulations, etc.)
What are the categories under the Identify (ID) Function?
1. Asset Management (ID.AM)
2. Business Environment (ID.BE)
3. Governance (ID.GV)
4. Risk Assessment (ID.RA)
5. Risk Management Strategy (ID.RM)
6. Supply Chain Risk Management (ID.SC)
How many subcategories support the 6 categories within the Identify Function?
29
What does the Protect (PR) Function focus on?
- Ensuring strong authentication and access control
- Protecting data
- Secure maintenance of assets
- Securing people (security clearances, user authorization, etc.)
- Sound policies and procedures
- Ensuring the right administrative, technical, and physical controls are in place
What are the categories under the Protect (PR) Function?
1. Identity Management, Authentication, Access Control (PR.AC)
2. Awareness and Training (PR.AT)
3. Data Security (PR.DS)
4. Information Protection Processes and Procedures (PR.IP)
5. Maintenance (PR.MA)
6. Protective Technology (PR.PT)
How many subcategories support the 6 categories within the Protect Function?
39
What is the purpose of the “Informative References” portion of the CSF?
Maps the subcategory to other frameworks and controls that tell you how to actually do the subcategory (action)
What does the Detect (DE) Function focus on?
- Focuses on detection processes and technologies
- Looks for anomalies and unusual events
- Ensures continuous security and risk monitoring
What are the categories under the Detect (DE) Function?
1. Anomalies and Events (DE.AE)
2. Security Continuous Monitoring (DE.CM)
3. Detection Processes (DE.DP)
How many subcategories support the 3 categories within the Detect Function?
18
What does the Respond (RS) Function focus on?
- Planning for incident and contingency response
- Ensuring the robustness of incident communications
- Analyzing the root causes of incidents
- Mitigating damage to systems, data, equipment, facilities, and people
- Improving the overall contingency planning and response processes
What are the categories under the Respond (RS) Function?
1. Response Planning (RS.RP)
2. Communications (RS.CO)
3. Analysis (RS.AN)
4. Mitigation (RS.MI)
5. Improvements (RS.IM)
How many subcategories support the 5 categories within the Respond Function?
16
What does the Recover (RC) Function focus on?
- Business continuity, incident recovery, and disaster recovery planning
- Maintaining communications during the recovery process
- Improving the recovery effort
What are the categories under the Recover (RC) Function?
1. Recovery Planning (RC.RP)
2. Improvements (RC.IM)
3. Communications (RC.CO)
How many subcategories support the 3 categories within the Recover Function?
6
What is a Tier?
The degree to which an organization’s cybersecurity risk management practices exhibit the characteristics defined in the Framework
What is the purpose of Tiers?
They’re used to measure how well the organization implements different aspects of the CSF, namely the three cybersecurity management practice areas
What is Tier 1?
Partial
What is Tier 2?
Risk-Informed
What is Tier 3?
Repeatable
What is Tier 4?
Adaptive
What are the CSF Tiers NOT?
They’re not:
- A maturity model
- The same as the RMF Tiers
What is the RMF Three-Tier Risk Model composed of?
1. Organizational
2. Mission/Business Process
3. Information System
(They don’t measure anything)
What does the “Organization” RMF Risk Tier cover?
Higher-level management processes and overarching risk
What does the “Mission/Business Process” RMF Risk Tier cover?
Risk associated with processes used across the organization
What does the “Information System” RMF Risk Tier cover?
Risk associated with a particular system or systems
How can you explain the differences in what CSF Tiers, Maturity Models, and RMF Risk Tiers measure?
- CSF Tiers measure level of effort
- Maturity Models measure repeatability and definability of processes geared towards that effort
- RMF Risk Tiers measure nothing at all; they are different cross sections of the organization
What are characteristics of CSF Profiles?
- They align Functions, Categories, and Subcategories with mission/business requirements, risk, and resources
- They allow organizations to establish a unique roadmap to cybersecurity based on their needs
- They describe both current and target states of the organization in terms of cybersecurity posture
For CSF Profiles, what are the inputs combined with to create the Profile output?
Inputs (Business Objectives, Risk, and Technical Environment) + Functions, Categories, Subcategories = Output (CSF Profile)
How many CSF Subcategories are there in total?
108
How does an organization identify assets and risks?
- Make a physical inventory of all assets
- Perform a mission analysis
- Perform a business impact assessment
- Perform a comprehensive risk assessment
How does an organization protect its assets?
- Ensure users are trained on how to protect sensitive data (periodic security training, user agreements and consequences, personnel security processes)
- Test protection mechanisms (Vulnerability assessments, penetration testing, risk assessments)
How does an organization effectively detect?
- Assume a state of breach
- Implement detection controls at multiple layers (Perimeter, interior systems and data, people)
- Be able to detect both unusual and normal events
- Be able to filter useful information from “noise”
- Employ the right people for detection (who know what to look for)
- Continuously monitor for anomalies and risk
- Use multiple types of controls (physical, technical, operational such as following procedure)
How does an organization set up response capabilities?
- Develop incident response plans
- Plan for quick, efficient, and accurate incident communications
- Develop plans to mitigate damage to systems, data, equipment, facilities, and people
- Become proficient at analyzing the root causes of incidents
- Ensure a process to improve contingency planning and response processes is in place
- Develop and retain qualified personnel for response effort
- Exercise response capabilities (IR = incident response)
- Refine processes through risk analysis and lessons learned
How does an organization implement recovery?
- Develop, test, and maintain:
  1. Business Continuity Plans
  2. Incident Recovery Plans
  3. Disaster Recovery Plans
- Ensure a robust communications process during recovery
- Capture lessons learned to improve the recovery function
- Select and train qualified people for recovery functions
How do you create your own CSF Profile?
- Develop your mission/business objectives
- Determine risk
- Determine governance (Which laws are applicable)
- Articulate with CSF subcategories
- Produce controls and technical methods
What are the factors of business continuity that matter for the Recovery Function?
1. Critical process recovery
2. Timeliness
3. Redundant capabilities