NIST Cybersecurity Framework Friday June 8, 2018
A Working Session
As companies and organizations struggle to protect themselves from the increasing threats to their infrastructure, they are realizing the need for a consistent framework that is based on best practices, is cost-effective, and decreases their overall attack surface, thus reducing their exposure to cybersecurity threats.
The NIST Cybersecurity Framework (CSF) was developed from best-practice models to create an effective and manageable program that can be implemented by an organization of any size. The framework was designed to assist organizations in controlling costs and increasing awareness across the organization of the importance of cybersecurity.
Workshop Goal
Participants will leave the workshop with an actionable document. This document will include their Current Profile (what they currently have in place in relation to the framework), their Target Profile (where they need to be, based on their specific organization and its needs), and a GAP analysis listing the action items they will need to complete to reach that target (helpful for budgeting purposes).
Workshop Requirements
Each participant will need to bring a laptop with wireless capability and the ability to view and edit Microsoft Excel compatible worksheets. A Microsoft Word compatible word processor will also be needed.
Workshop Outline
- A brief overview of the NIST Cybersecurity Framework
- Walkthrough of the documents to be used during the workshop
- Conducting Step 1 – Prioritize and Scope
- Conducting Step 2 – Orient
- Conducting Step 3 – Creating a Current Profile
- Detailed walkthrough of the Functions (Identify, Protect, Detect, Respond, Recover), the Categories (Asset Management, Business Environment, Governance, Risk Assessment, Risk Management Strategy, Supply Chain Risk Management, Identity Management and Access Control, Awareness and Training, Data Security, Information Protection Processes and Procedures, Maintenance, Protective Technology, Anomalies and Events, Security Continuous Monitoring, Detection Processes, Response Planning, Communications, Analysis, Mitigation, Improvements, Recovery Planning, Improvements, Communications), and the Subcategories.
- Discussion of open-source/free tools that help meet some of the Subcategory requirements
- Discussion of additional resources available
- How to Develop a Target Profile
- How to Conduct an Information Security Risk Assessment
- The Importance of Metrics – what to measure/what not to measure
- How the CSF relates to the budget and expenditures