Nist CSF Plan Empty


Framework overview (worksheet legend)

NIST Cybersecurity Framework, Enterprise-Aligned:
- Risks
- Service Catalog
- Priorities
- Maturity
- Metrics
- 3-Year Project, Program & Initiative Roadmap

IT Service Management Life-Cycle Process Improvement
Communications - Internal/External
Policy Alignment
Risk Priorities & Appetite - Internal/External
Functions metrics
Service Catalog Policy Alignment
Information Security Risk-Aligned Framework Maturity Model

Function: Categories
Identify: Asset Management; Business Environment; Governance; Risk Assessment; Risk Management; Supply Chain Risk Management
Protect: Identity Management and Access Control; Awareness and Training; Data Security; Information Protection Processes and Procedures; Maintenance; Protective Technology
Detect: Anomalies and Events; Security Continuous Monitoring; Detection Processes
Respond: Response Planning; Communications; Analysis; Mitigation; Improvements
Recover: Recovery Planning; Improvements; Communications

Information Security Risk-Aligned Framework Maturity Model (FY-18 to FY-20 view)

Columns: InfoSec Service Catalog | Risk | CSC Top 20 | NIST Pol. | FY-18 $ | FY-19 $ | FY-20 $ | Maturity (0 1 2 3)
Budgets: Funded - Unfunded - Proposed. Key initiatives nested and aligned. Metrics. "Tiers" - Maturity Map.
Cell values below are kept in worksheet order; "-" is an empty cell.

Ops. Sec. - Asset Management | 4 | $xxx | DI
- Physical and Environmental | 7 | 1, 2 | $xxx | DM
Governance - Regulatory, Legal, Compliance | All | - | $xxx | AP, AU, PL, PM
Governance - Security Information Management | 5 | - | $xxx
Security and Risk Assessments | 5a | 4 | $xxx $xxx | AR
Governance - Risk Management | 5b | - | AR
Vendor contract, Governance | All | -
Identity and Access Management (IAM) | 5, 9 | 11, 12; 13, 14; 15, 16 | $xxx $xxx | AC, IA
- IAM
- SSO | 2 | $xxx
- NAC | 3
- RBAC | 6
(IAM, continued) | 9 | $xxx $xxx $xxx
Awareness and Training | 10 | 5, 17 | $xxx | AT, PS
Security Architecture and Design (Life Cycle) | 13 | 1, 2 | $xxx | CA
Governance - Proactive Protection | 3, 4; 7, 9; 10, 11; 18, 19 | MP, PE, SA, SC | Metrics (e-discovery)
- Policies, Standards, Guidelines
- ITSM Process governance and maturity
- Acquisition, Development and Maintenance | 11
- Application development life cycle | 3, 4
Operations Security - Asset Maintenance | 5, 11 | MA | 12 | 14 | $xxx
Operations Security | 5, 6; 7, 8 | CM
- Change Management
- Information Management and Encryption | 15 | 11, 13; 14, 16 | $xxx $xxx $xxx
Monitor, Alerts and Reports - SIEM-Vuln PCI-PII-PHI | 1b | 6, 9; 12, 19 | $xxx $xxx $xxx | SI
Monitor, Alerts and Reports | 1a | 4, 8; 16, 19 | $xxx $xxx
Monitor, Alerts and Reports - DLP | 1 | 19 | $xxx $xxx $xxx
Gov. - Bus. Impact Analysis | 5c | 19
Incident Response - Alignment | 8d | 19
Incident Response - Risk | 8a | 6, 19 | $xxx
Incident Response | 8c | 4, 19 | IR
Incident Response - Maturity | 8e | 19, 20 | $xxx
Ops. Security - Bus. Continuity | 8 | 10 | $xxx $xxx | CP
Ops. Security - Downtime Mgmt. | 8b | 20
Ops. Security - Svc. Alignment | 12 | - | $xxx

Maturity Model Action Plan FY2016 / Action Plan FY2017 / Action Plan FY2018
Quarters: FY18-Q1 to FY18-Q4, FY19-Q1 to FY19-Q4, FY20-Q1 to FY20-Q4 (maturity bands 4, 5, 6)

Timeline items, in worksheet order:
- Asset Strategy Review Project 7A
- Metrics Risk Program
- Policy Dev.; Policy Review
- Automate Dashboard; Integration 1; Integration 2; Integration 3; Review
- NAC; SSO - Phase 0; IAM; SSO - Phase 3
- Metrics Alignment; Review; Review
- Report; IT Report; Report
- IT Service Management Review; MDM; Metrics (e-discovery); Automation; Full Asset Management; Asset Management
- CMM Review - metrics; Change Management; ITSM Align; Change Mgmt.
- Metrics; External Pen-Test; External Pen-Test; Pen-Test; Pen-Test; Pen-Test; Pen-Test
- Expand 3; Expand 4; Expand 5
- DLP Phase 2; DLP Phase 3
- BIA - Phase 1; BIA - Phase 3
- Architecture Process Mapping; Risk Mapping; Formal Review; Formal Review
- CIRT Test 1; CIRT Full Test; CIRT Test 3
- External Risk Assessment; Remediate; Remediate
- DR Plan Test; BC Plan Test; BC Plan Test
- Standardize; Document; Training; Downtime Plan; Downtime Plan
- LMS Review; Mid-year; LMS Review; Mid-year; LMS Review; Mid-year

Legend: Current State (F); Future State (S); Maturity - progress identified; Challenges identified.
NIST C… ent State Brian V… Paidhr… Revision

Column legend:
- Functions
- Sub-Category - Service Catalog
- CSC or NIST Core Info. References
- Policy Alignment Cat. IDs
- Maturity specifics (process, policy, documentation and automation), used to calculate maturity map
- "Tiers" or Maturity Map (see legend)
- Three Year (or more) Action Plan (Implementation) based on "Profiles" -- Identified Risks, Priorities, Maturity, and Capabilities. Quarter-by-quarter initiative or project time-lines and measures of success
- Risk Priorities & Appetite - Internal/External metrics
- Funded - Unfunded - Proposed
Information Security Risk-Aligned Framework Maturity Roadmap FY2017

Columns: Function | Category Unique Identifier | Category | CSC Top Twenty Links | NIST Policy Family | Priority | Organization Service Catalog | FY2018 $ | FY2019 $ | FY2020 $ | FY2021 $ | FY2022 $ | Process Level | Policy Level | Documentation Level | Automation Level | Process Value | Policy Value | Document Value | Automate Value | Maturity Score | Action Plan FY2018-2019 | Action Plan FY2019-2020 | Action Plan FY2020-2021
Maturity levels: 1 Initial, 2 Repeatable, 3 Defined, 4 Managed, 5 Optimizing

Row format below: Service Catalog item | CSC links | budget (where given) | Process / Policy / Documentation / Automation level | component values | Maturity Score | action plan items. "-" is an empty cell.

IDENTIFY

AM | Infrastructure | Asset Management | CSC 1, 2 | FY2018-2022 $: 35,000 35,000 10,000 60,000 10,000 | DI, DM | 26.7%
Challenges across services are readily identified. Budget items roll up to the high-level category.
CMDB system, Cisco Prime | 1 | Standardized / Informal / Formal / Partial | 30% 5% 10% 5% | 50% | Vulnerability Management Program Expansion; Vulnerability Management Passive Scan Implementation; Network Access Control Evaluation
Vulnerability Scanner, CMDB system | 2 | 10,000 10,000 10,000 10,000 10,000 | Measured / None / Formal / Full | 40% 0% 10% 10% | 60% | CASB Evaluation; Software Whitelisting Evaluation
Visio | 1 | Inconsistent / None / Formal / None | 10% 0% 10% 0% | 20% | Map Data Flows
(CASB) | 1 | 25,000 25,000 0 50,000 0 | None / None / None / None | 0% 0% 0% 0% | 0%
- | Inconsistent / None / Informal / None | 10% 0% 5% 0% | 15%
- | Inconsistent / Informal / None / None | 10% 5% 0% 0% | 15% | Review Asset Management Roles and Responsibilities

BE | Business Environment | FY2018-2022 $: 0 0 0 0 0 | AP | 36.0%
Sample projects and initiatives. Process.
- | Inconsistent / None / None / None | 10% 0% 0% 0% | 10%
- | Inconsistent / Defined / Formal / Partial | 10% 10% 10% 5% | 35%
- | Standardized / None / Improvement / Partial | 30% 0% 20% 5% | 55% | Align with Organizational Mission
- | Inconsistent / Audited / Formal / Partial | 10% 15% 10% 5% | 40%
- | Inconsistent / Audited / Metrics and Reporting / None | 10% 15% 15% 0% | 40%

GV | Governance | Governance | Eramba GRC | FY2018-2022 $: 250,000 100,000 100,000 100,000 100,000 | AU, PL, PM | 26.3%
Collapse and expand sub-sections and columns above.
Security Policy | Inconsistent / Defined / Formal / None | 10% 10% 10% 0% | 30% | Review Roles and Responsibilities (each plan year)
Security Policy, (Eramba GRC) | 250,000 100,000 100,000 100,000 100,000 | Inconsistent / Defined / Formal / None | 10% 10% 10% 0% | 30% | Review Information Security Policies and Architecture (each plan year)
Eramba GRC | Inconsistent / Defined / Formal / None | 10% 10% 10% 0% | 30% | GRC Framework Evaluation and Project; GRC Framework Project Phase 1 and Phase 2; GRC Framework Project Phase 3 and Phase 4
- | Inconsistent / Informal / None / None | 10% 5% 0% 0% | 15% | HIPAA and PCI Assessment (each plan year)

RA | Risk Assessments | Risk Assessment | Vulnerability Management, Penetration Testing, Risk Assessments; MS-ISAC Threat Intelligence | CSC 3, 20 | FY2018-2022 $: 0 0 0 0 0 | AR | 35.0%
Process: CMM and metrics agnostic.
Vulnerability Management, Penetration Testing, Risk Assessments | 3 | Repeatable / Informal / Informal / None | 20% 5% 5% 0% | 30% | Vulnerability Management Expansion Project
MS-ISAC Threat Intelligence | 3 | Inconsistent / Defined / Informal / None | 10% 10% 5% 0% | 25% | Expand Threat Intelligence; Evaluate MS-ISAC Threat Intelligence
Vulnerability Management, Penetration Testing, Risk Assessments | 3, 20 | Inconsistent / Defined / Informal / Partial | 10% 10% 5% 5% | 30%
Risk Assessments | Inconsistent / Audited / Informal / None | 10% 15% 5% 0% | 30% | Cardholder Data Risk Assessments (each plan year)
Risk Assessments | Repeatable / Embedded / Informal / None | 20% 20% 5% 0% | 45%
Risk Assessments | Inconsistent / Defined / Improvement / Full | 10% 10% 20% 10% | 50% | Risk Assessment Improvements (each plan year)

RM | Risk Management | Risk Management | FY2018-2022 $: 0 0 0 0 0 | AR | 15.0%
- | Repeatable / None / Informal / None | 20% 0% 5% 0% | 25% | Review Risk Process (each plan year)
- | Inconsistent / None / None / None | 10% 0% 0% 0% | 10% | Review Tolerance (each plan year)
- | Inconsistent / None / None / None | 10% 0% 0% 0% | 10%

SC | Supply Chain Risk Management | Supply Chain Risk Management | FY2018-2022 $: 0 0 0 0 0 | SA | 26.0%
- | Repeatable / None / Informal / None | 20% 0% 5% 0% | 25% | Review Supply Chain Process (each plan year)
- | Repeatable / Embedded / Metrics and Reporting / None | 20% 20% 15% 0% | 55% | Review Vendors (each plan year)
- | Inconsistent / None / None / None | 10% 0% 0% 0% | 10% | Review Vendors (each plan year)
- | Inconsistent / None / None / None | 10% 0% 0% 0% | 10% | Review Vendors (each plan year)
- | Repeatable / Informal / Informal / None | 20% 5% 5% 0% | 30%

PROTECT

AC | Identity Management and Access Control | Active Directory, ADFS, (IAM); (VPN), (IAM), (MDM); (PAM), (NAC); Firewall, Web Filter, (NAC) | CSC 5, 11-14, 16, 18 | FY2018-2022 $: 520,000 10,000 0 20,000 0 | AC, IA | 18.0%
Active Directory, ADFS, (IAM) | 18 | 10,000 10,000 | Inconsistent / Defined / Informal / None | 10% 10% 5% 0% | 25% | Identity Access Management Evaluation; Privileged Access Management Eval; Identity Access Mgmt Project
- | Inconsistent / Informal / None / None | 10% 5% 0% 0% | 15%
(VPN), (IAM), (MDM) | 12 | 500,000 | Inconsistent / Informal / None / None | 10% 5% 0% 0% | 15% | Remote Access Expansion; Network Access Control Evaluation; MDM Evaluation
(PAM), (NAC) | 5, 14, 16, 18 | Inconsistent / Informal / None / None | 10% 5% 0% 0% | 15% | Review Active Directory (each plan year)
Firewall, Web Filter, (NAC) | 11, 12, 13, 14 | 10,000 20,000 | Inconsistent / Defined / None / None | 10% 10% 0% 0% | 20% | Web Content Filter Project; Firewall Refresh Project

AT | Awareness and Training
Maturity and progress also identified.
User Awareness, (Phish Training), General Education | 17 | Repeatable / Defined / Informal / None | 20% 10% 5% 0% | 35% | PCI Education; Review Education Program; Review Education Program
Security Policy, (Eramba GRC) | 5, 17 | Inconsistent / Informal / None / None | 10% 5% 0% 0% | 15%
Security Policy | 17 | Inconsistent / Informal / None / None | 10% 5% 0% 0% | 15%
Security Policy, (Eramba GRC) | 17 | Inconsistent / Informal / None / None | 10% 5% 0% 0% | 15%
Security Policy, (Eramba GRC) | 17 | Inconsistent / Informal / None / None | 10% 5% 0% 0% | 15%

DS | Data Security | Bitlocker, Storage Encryption, Certificate Services; TLS, Certificate Services; Operational Monitoring, External Monitoring; Data Loss Prevention, Digital Rights Management; Tripwire | CSC 1, 2, 13, 14 | FY2018-2022 $: 0 0 0 0 0 | CA | 8.6%
Bitlocker, Storage Encryption, Certificate Services | 14 | Inconsistent / Defined / None / None | 10% 10% 0% 0% | 20% | SAN Encryption at rest; Workstation Certificates; Data Classification Project
TLS, Certificate Services | 13, 14 | Inconsistent / Defined / None / None | 10% 10% 0% 0% | 20% | Policy to encrypt all network connections (3yr compliance); Encourage compliance with 100% encryption policy
- | 1 | Inconsistent / None / None / None | 10% 0% 0% 0% | 10%
Operational Monitoring, External Monitoring | None / None / None / None | 0% 0% 0% 0% | 0%
Data Loss Prevention, Digital Rights Management | 13 | None / None / None / None | 0% 0% 0% 0% | 0% | Data Loss Prevention Evaluation
Tripwire | 2 | Inconsistent / None / None / None | 10% 0% 0% 0% | 10% | Evaluate FIM solution (two plan years)
- | None / None / None / None | 0% 0% 0% 0% | 0%

IP | Information Protection Processes and Procedures | CIS Benchmarks, DISA STIGs; IT Change Control; Backup/Restore solution; Incident Response Plan, Business Continuity Plan; Vulnerability Management, 3rd Party | CSC 5, 3, 7, 11, 19 | FY2018-2022 $: 0 0 0 0 0 | MP, PE, SA, SC | 14.6%
CIS Benchmarks, DISA STIGs | 5, 7, 11 | Inconsistent / None / Informal / None | 10% 0% 5% 0% | 15%
- | Inconsistent / None / None / None | 10% 0% 0% 0% | 10%
IT Change Control | Repeatable / Informal / Formal / Partial | 20% 5% 10% 5% | 40%
Backup/Restore solution | Repeatable / None / Informal / None | 20% 0% 5% 0% | 25%
- | Inconsistent / Informal / None / None | 10% 5% 0% 0% | 15%
- | Inconsistent / None / None / None | 10% 0% 0% 0% | 10%
- | Inconsistent / None / None / None | 10% 0% 0% 0% | 10% | Document Plan; Review Plan
- | Inconsistent / None / None / None | 10% 0% 0% 0% | 10%
Incident Response Plan, Business Continuity Plan | None / Informal / Informal / None | 0% 5% 5% 0% | 10%
Incident Response Plan, Business Continuity Plan | 19 | None / None / None / None | 0% 0% 0% 0% | 0%
- | Inconsistent / None / None / None | 10% 0% 0% 0% | 10%
Vulnerability Management, 3rd Party | 3 | Inconsistent / Informal / None / Partial | 10% 5% 0% 5% | 20%

MA | Maintenance | CSC 4, 12 | FY2018-2022 $: 0 0 0 0 0 | MA | 22.5%
- | Repeatable / Informal / Informal / None | 20% 5% 5% 0% | 30%
- | 4, 12 | Inconsistent / Informal / None / None | 10% 5% 0% 0% | 15%

PT | Protective Technology | Log Management, SIEM; (IAM) | CSC 4, 6, 8, 11, 13, 14, 18 | FY2018-2022 $: 0 0 0 0 0 | CM | 10.0% | SIEM management/rules; SIEM Tuning
Some sections hidden to illustrate function cleanly.
Log Management, SIEM | 6 | Inconsistent / None / None / None | 10% 0% 0% 0% | 10% | SIEM Tuning (two plan years)
- | 8, 13, 14 | None / None / None / None | 0% 0% 0% 0% | 0%
(IAM) | 4, 14, 18 | Inconsistent / Defined / None / None | 10% 10% 0% 0% | 20%
- | 11 | Inconsistent / None / None / None | 10% 0% 0% 0% | 10%

DETECT

(Vulnerability Management), (Network Analytics) | 12 | None / None / None / None | 0% 0% 0% 0% | 0% | Network Analytics
- | 19 | Inconsistent / None / None / None | 10% 0% 0% 0% | 10%
Log Management, SIEM | 6 | Inconsistent / None / None / None | 10% 0% 0% 0% | 10% | SIEM Tuning
Log Management, SIEM | 19 | Inconsistent / None / None / None | 10% 0% 0% 0% | 10% | SIEM Tuning
JSA, (GrayLog) | 19 | Inconsistent / None / None / None | 10% 0% 0% 0% | 10% | SIEM Tuning
(Vulnerability Management), (Network Analytics) | 19 | 2,000 | None / None / None / None | 0% 0% 0% 0% | 0% | Passive Scanner Pilot PVS
- | 19 | None / None / None / None | 0% 0% 0% 0% | 0%
(Network Analytics) | 19 | None / None / None / None | 0% 0% 0% 0% | 0%
Malware Protection | 8, 19 | Repeatable / Defined / Informal / Partial | 20% 10% 5% 5% | 40%
- | 8, 19 | None / Defined / None / None | 0% 10% 0% 0% | 10%
(CASB) | 19 | None / None / None / None | 0% 0% 0% 0% | 0%
- | 19 | Inconsistent / Informal / None / None | 10% 5% 0% 0% | 15%
Vulnerability Management | 3 | Inconsistent / Informal / None / None | 10% 5% 0% 0% | 15% | Vulnerability Management Expansion
- | 6 | Inconsistent / Informal / None / None | 10% 5% 0% 0% | 15% | Network Passive scanner; IPS/IDS Review
- | 6 | Inconsistent / None / None / None | 10% 0% 0% 0% | 10% | IPS/IDS Review
- | 6 | None / None / None / None | 0% 0% 0% 0% | 0% | Network Passive scanner
- | 6 | Inconsistent / None / None / None | 10% 0% 0% 0% | 10%
- | 6 | None / None / None / None | 0% 0% 0% 0% | 0%

RESPOND

- | 19 | Inconsistent / Informal / Informal / None | 10% 5% 5% 0% | 20% | Build IR Plan; Review IR Plan; Review IR Plan
- | 19 | Inconsistent / Informal / None / None | 10% 5% 0% 0% | 15% | Tabletop IR; Tabletop IR
- | 19 | Inconsistent / None / Informal / None | 10% 0% 5% 0% | 15%
- | 19 | Inconsistent / None / None / None | 10% 0% 0% 0% | 10%
- | 19 | Inconsistent / None / None / None | 10% 0% 0% 0% | 10%
- | 19 | Inconsistent / None / None / None | 10% 0% 0% 0% | 10%
- | 19 | Inconsistent / None / None / None | 10% 0% 0% 0% | 10%
- | 19 | Inconsistent / None / None / None | 10% 0% 0% 0% | 10%
3rd party vendor, MS-ISAC | 19 | 40,000 40,000 40,000 | Inconsistent / None / Informal / None | 10% 0% 5% 0% | 15% | Perform forensic tests (two plan years)
- | 19 | Inconsistent / None / Informal / None | 10% 0% 5% 0% | 15%
- | 19 | Inconsistent / Defined / Informal / None | 10% 10% 5% 0% | 25%
- | 19 | Inconsistent / Informal / Informal / None | 10% 5% 5% 0% | 20%
- | 3 | Inconsistent / Informal / None / None | 10% 5% 0% 0% | 15% | Exception Review (each plan year)
- | 19 | None / None / None / None | 0% 0% 0% 0% | 0%
- | 19 | None / None / None / None | 0% 0% 0% 0% | 0% | Update IR procedures (each plan year)
- | 19 | None / None / None / None | 0% 0% 0% 0% | 0% | COOP Project
- | 19 | None / None / None / None | 0% 0% 0% 0% | 0%
- | 19 | 5,000 | None / None / None / None | 0% 0% 0% 0% | 0%


RECOVER

CO | Communications | CSC 19 | FY2018-2022 $: 0 0 0 0 0 | 10.0%
4 | 19 | Inconsistent / None / None / None | 10% 0% 0% 0% | 10%
3 | 19 | Inconsistent / None / None / None | 10% 0% 0% 0% | 10%
2 | 19 | Inconsistent / None / None / None | 10% 0% 0% 0% | 10%

Legend: Proposed | Funded | Unfunded. Current State | Future State. Progress Areas | Challenge Areas.
NIST Cybersecurity Framework, Brian Ventura, Christopher Paidhrin, and Dean Musson. Revision 11.0 - 2013-2017.
Maturity level of "Defined", "Relational", or "Managed" (3, or mid-line), is 'realistic' near-term goal.

Information Security Risk-Aligned Framework Maturity Roadmap FY2021

Columns: Function | Category Unique Identifier | Category | Cybersecurity Framework Control | CSC Top Twenty Links | NIST Policy Family | Priority | Organization Service Catalog | FY2020 $ | FY2021 $ | FY2022 $ | FY2023 $ | FY2024 $ | Process Level | Policy Level | Documentation Level | Automation Level | Process Value | Policy Value | Document Value | Automate Value | Maturity Score | Action Plan FY2020-2021 | Action Plan FY2021-2022 | Action Plan FY2022-2023 | Action Plan FY2023-2024 | Action Plan FY2024-2025
Maturity levels: 1 Initial, 2 Repeatable, 3 Defined, 4 Managed, 5 Optimizing

Row format below: Subcategory | CSC links ("-" is an empty cell). The level and value cells are stated once per block because every row in this empty plan carries the same values.

IDENTIFY
All subcategory rows in this block: Process / Policy / Documentation / Automation = None / None / None / None; values 0% 0% 0% 0%; Maturity Score 0%.

AM | Infrastructure | Asset Management | Operational Security - Asset Management | CSC 1, 2 | FY2020-2024 $: 0 0 0 0 0 | DI, DM | 0.0%
ID.AM-1: Physical devices and systems within the organization are inventoried | 1
ID.AM-2: Software platforms and applications within the organization are inventoried | 2
ID.AM-3: Organizational communication and data flows are mapped | 1
ID.AM-4: External information systems are catalogued | 1
ID.AM-5: Resources (e.g., hardware, devices, data, time, personnel, and software) are prioritized based on their classification, criticality, and business value | -
ID.AM-6: Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g., suppliers, customers, partners) are established | -

BE | Governance | Business Environment | Strategic Security - Business Environment | FY2020-2024 $: 0 0 0 0 0 | AP | 0.0%
ID.BE-1: The organization’s role in the supply chain is identified and communicated | -
ID.BE-2: The organization’s place in critical infrastructure and its industry sector is identified and communicated | -
ID.BE-3: Priorities for organizational mission, objectives, and activities are established and communicated | -
ID.BE-4: Dependencies and critical functions for delivery of critical services are established | -
ID.BE-5: Resilience requirements to support delivery of critical services are established for all operating states (e.g. under duress/attack, during recovery, normal operations) | -

GV | Governance | Governance | Strategic Security - Governance and Compliance | FY2020-2024 $: 0 0 0 0 0 | AU, PL, PM | 0.0%
ID.GV-1: Organizational cybersecurity policy is established and communicated | -
ID.GV-2: Cybersecurity roles and responsibilities are coordinated and aligned with internal roles and external partners | -
ID.GV-3: Legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations, are understood and managed | -
ID.GV-4: Governance and risk management processes address cybersecurity risks | -

RA | Risk Assessments | Risk Assessment | Strategic Security - Risk Assessments | CSC 3, 20 | FY2020-2024 $: 0 0 0 0 0 | AR | 0.0%
ID.RA-1: Asset vulnerabilities are identified and documented | 3
ID.RA-2: Cyber threat intelligence is received from information sharing forums and sources | 3
ID.RA-3: Threats, both internal and external, are identified and documented | 3, 20
ID.RA-4: Potential business impacts and likelihoods are identified | -
ID.RA-5: Threats, vulnerabilities, likelihoods, and impacts are used to determine risk | -
ID.RA-6: Risk responses are identified and prioritized | -

RM | Risk Management | Risk Management | Strategic Security - Risk Management | FY2020-2024 $: 0 0 0 0 0 | AR | 0.0%
ID.RM-1: Risk management processes are established, managed, and agreed to by organizational stakeholders | -
ID.RM-2: Organizational risk tolerance is determined and clearly expressed | -
ID.RM-3: The organization’s determination of risk tolerance is informed by its role in critical infrastructure and sector specific risk analysis | -

SC | Supply Chain Risk Management | Supply Chain Risk Management | Strategic Security - Supply Chain Risk Management | FY2020-2024 $: 0 0 0 0 0 | AR | 0.0%
ID.SC-1: Cyber supply chain risk management processes are identified, established, assessed, managed, and agreed to by organizational stakeholders | -
ID.SC-2: Suppliers and third party partners of information systems, components, and services are identified, prioritized, and assessed using a cyber supply chain risk assessment process | -
ID.SC-3: Contracts with suppliers and third-party partners are used to implement appropriate measures designed to meet the objectives of an organization’s cybersecurity program and Cyber Supply Chain Risk Management Plan. | -
ID.SC-4: Suppliers and third-party partners are routinely assessed using audits, test results, or other forms of evaluations to confirm they are meeting their contractual obligations. | -
ID.SC-5: Response and recovery planning and testing are conducted with suppliers and third-party providers | -

PROTECT
All subcategory rows in this block: Process / Policy / Documentation / Automation = None / None / None / None; values 0% 0% 0% 0%; Maturity Score 0%.

AC | Identity Management and Access Control | Operational Security - Access Control | CSC 4, 11-14, 16, 18 | FY2020-2024 $: 0 0 0 0 0 | AC, IA | 0.0%
PR.AC-1: Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes | 18
PR.AC-2: Physical access to assets is managed and protected | -
PR.AC-3: Remote access is managed | 12
PR.AC-4: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties | 4, 14, 16, 18
PR.AC-5: Network integrity is protected (e.g. network segregation, network segmentation) | 11, 12, 13, 14
PR.AC-6: Identities are proofed and bound to credentials and asserted in interactions | -
PR.AC-7: Users, devices, and other assets are authenticated (e.g., single-factor, multi-factor) commensurate with the risk of the transaction (e.g., individuals’ security and privacy risks and other organizational risks) | -

AT | Awareness | Awareness and Training | Strategic Security - Awareness and Training | CSC 4, 17 | FY2020-2024 $: 0 0 0 0 0 | AT, PS | 0.0%
PR.AT-1: All users are informed and trained | 17
PR.AT-2: Privileged users understand their roles and responsibilities | 4, 17
PR.AT-3: Third-party stakeholders (e.g., suppliers, customers, partners) understand their roles and responsibilities | 17
PR.AT-4: Senior executives understand their roles and responsibilities | 17
PR.AT-5: Physical and cybersecurity personnel understand their roles and responsibilities | 17

DS | Data Security | Operational Security - Encryption and Data Integrity | CSC 1, 2, 13, 14 | FY2020-2024 $: 0 0 0 0 0 | CA | 0.0%
PR.DS-1: Data-at-rest is protected | 14
PR.DS-2: Data-in-transit is protected | 13, 14
PR.DS-3: Assets are formally managed throughout removal, transfers, and disposition | 1
PR.DS-4: Adequate capacity to ensure availability is maintained | -
PR.DS-5: Protections against data leaks are implemented | 13
PR.DS-6: Integrity checking mechanisms are used to verify software, firmware, and information integrity | 2
PR.DS-7: The development and testing environment(s) are separate from the production environment | -
PR.DS-8: Integrity checking mechanisms are used to verify hardware integrity | -

IP | Information Protection Processes and Procedures | Operational Security - Processes and Procedures | CSC 5, 3, 7, 11, 19 | FY2020-2024 $: 0 0 0 0 0 | MP, PE, SA, SC | 0.0%
PR.IP-1: A baseline configuration of information technology/industrial control systems is created and maintained incorporating security principles (e.g. concept of least functionality) | 5, 7, 11
PR.IP-2: A System Development Life Cycle to manage systems is implemented | -
PR.IP-3: Configuration change control processes are in place | -
PR.IP-4: Backups of information are conducted, maintained, and tested | -
PR.IP-5: Policy and regulations regarding the physical operating environment for organizational assets are met | -
PR.IP-6: Data is destroyed according to policy | -
PR.IP-7: Protection processes are improved | -
PR.IP-8: Effectiveness of protection technologies is shared | -
PR.IP-9: Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed | -
PR.IP-10: Response and recovery plans are tested | 19
PR.IP-11: Cybersecurity is included in human resources practices (e.g., deprovisioning, personnel screening) | -
PR.IP-12: A vulnerability management plan is developed and implemented | 3

MA | Maintenance | Operational Security - Asset Maintenance | CSC 4, 12 | FY2020-2024 $: 0 0 0 0 0 | MA | 0.0%
PR.MA-1: Maintenance and repair of organizational assets are performed and logged, with approved and controlled tools | -
PR.MA-2: Remote maintenance of organizational assets is approved, logged, and performed in a manner that prevents unauthorized access | 4, 12

PT | Protective Technology | Operational Security - Protect Assets | CSC 4, 6, 8, 11, 13, 14, 18 | FY2020-2024 $: 0 0 0 0 0 | CM | 0.0%
PR.PT-1: Audit/log records are determined, documented, implemented, and reviewed in accordance with policy | 6
PR.PT-2: Removable media is protected and its use restricted according to policy | 8, 13, 14
PR.PT-3: The principle of least functionality is incorporated by configuring systems to provide only essential capabilities | 4, 14, 18
PR.PT-4: Communications and control networks are protected | 11
PR.PT-5: Mechanisms (e.g., failsafe, load balancing, hot swap) are implemented to achieve resilience requirements in normal and adverse situations | 11

DETECT
All subcategory rows in this block: Process / Policy / Documentation / Automation = None / None / None / None; values 0% 0% 0% 0%; Maturity Score 0%.

AE | Anomalies and Events | Operational Security - Monitor, Analyze and Detect Events | CSC 6, 12, 19 | FY2020-2024 $: 0 0 0 0 0 | SI | 0.0%
DE.AE-1: A baseline of network operations and expected data flows for users and systems is established and managed | 12
DE.AE-2: Detected events are analyzed to understand attack targets and methods | 19
DE.AE-3: Event data are collected and correlated from multiple sources and sensors | 6
DE.AE-4: Impact of events is determined | 19
DE.AE-5: Incident alert thresholds are established | 19

CM | Security Continuous Monitoring | Operational Security - Security Continuous Monitoring | CSC 5, 8, 19 | FY2020-2024 $: 0 0 0 0 0 | - | 0.0%
DE.CM-1: The network is monitored to detect potential cybersecurity events | 19
DE.CM-2: The physical environment is monitored to detect potential cybersecurity events | 19
DE.CM-3: Personnel activity is monitored to detect potential cybersecurity events | 19
DE.CM-4: Malicious code is detected | 8, 19
DE.CM-5: Unauthorized mobile code is detected | 8, 19
DE.CM-6: External service provider activity is monitored to detect potential cybersecurity events | 19
DE.CM-7: Monitoring for unauthorized personnel, connections, devices, and software is performed | 19
DE.CM-8: Vulnerability scans are performed | 3

DP | Detection Processes | Operational Security - Detection Processes | CSC 6 | FY2020-2024 $: 0 0 0 0 0 | - | 0.0%
DE.DP-1: Roles and responsibilities for detection are well defined to ensure accountability | 6
DE.DP-2: Detection activities comply with all applicable requirements | 6
DE.DP-3: Detection processes are tested | 6
DE.DP-4: Event detection information is communicated | 6
DE.DP-5: Detection processes are continuously improved | 6

RP Response Planning Operational Security - Response Planning 19 0 0 0 0 0 0.0%

RS.RP-1: Response plan is executed during or after an incident 19 None None None None 0% 0% 0% 0% 0%

CO Communications Operational Security - Communications 19 0 0 0 0 0 0.0%

RS.CO-1: Personnel know their roles and order of operations when a 19 None None None None 0% 0% 0% 0% 0%
response is needed

RS.CO-2: Incidents are reported consistent with established criteria 19 None None None None 0% 0% 0% 0% 0%

RS.CO-3: Information is shared consistent with response plans 19 None None None None 0% 0% 0% 0% 0%

RS.CO-4: Coordination with stakeholders occurs consistent with 19 None None None None 0% 0% 0% 0% 0%
response plans

RS.CO-5: Voluntary information sharing occurs with external 19 None None None None 0% 0% 0% 0% 0%
stakeholders to achieve broader cybersecurity situational awareness

AN Analysis Operational Security - Analysis 19 0 0 0 0 0 0.0%

RS.AN-1: Notifications from detection systems are investigated  19 None None None None 0% 0% 0% 0% 0%
RESPOND

RS.AN-2: The impact of the incident is understood 19 None None None None 0% 0% 0% 0% 0%

RS.AN-3: Forensics are performed 19 None None None None 0% 0% 0% 0% 0%

RS.AN-4: Incidents are categorized consistent with response plans 19 None None None None 0% 0% 0% 0% 0%

RS.AN-5: Processes are established to receive, analyze and respond to


vulnerabilities disclosed to the organization from internal and external 19 None None None None 0% 0% 0% 0% 0%
sources (e.g. internal testing, security bulletins, or security researchers)
RESPOND
MI Mitigation Operational Security - Mitigation 3, 19 0 0 0 0 0 IR 0.0%

RS.MI-1: Incidents are contained 19 None None None None 0% 0% 0% 0% 0%

RS.MI-2: Incidents are mitigated 19 None None None None 0% 0% 0% 0% 0%

RS.MI-3: Newly identified vulnerabilities are mitigated or documented 3 None None None None 0% 0% 0% 0% 0%
as accepted risks

IM-D Improvements Operational Security - Improvements 19 0 0 0 0 0 0.0%

RS.IM-1: Response plans incorporate lessons learned 19 None None None None 0% 0% 0% 0% 0%

RS.IM-2: Response strategies are updated 19 None None None None 0% 0% 0% 0% 0%

RP Recovery Planning Operational Security - Recovery Planning 19 0 0 0 0 0 CP 0.0%

RC.RP-1: Recovery plan is executed during or after a cybersecurity 19 None None None None 0% 0% 0% 0% 0%
incident

IM-R Improvements Operational Security - Improvements 19 0 0 0 0 0 0.0%


RECOVER

RC.IM-1: Recovery plans incorporate lessons learned 19 None None None None 0% 0% 0% 0% 0%

RC.IM-2: Recovery strategies are updated 19 None None None None 0% 0% 0% 0% 0%

CO Communications Operational Security - Communications 19 0 0 0 0 0 0.0%

RC.CO-1: Public relations are managed 19 None None None None 0% 0% 0% 0% 0%

RC.CO-2: Reputation is repaired after an incident 19 None None None None 0% 0% 0% 0% 0%

RC.CO-3: Recovery activities are communicated to internal and external 19 None None None None 0% 0% 0% 0% 0%
stakeholders as well as executive and management teams

Rev. 11.0 | Proposed | Funded | Current State | Progress Areas
2/6/2017 | Unfunded | Future State | Challenge Areas
Process | Value
None | 0%
Inconsistent | 10%
Repeatable | 20%
Standardized | 30%
Measured | 40%
Optimized | 50%

Policy Level | Value
None | 0%
Informal | 5%
Defined | 10%
Audited | 15%
Embedded | 20%

Documentation Level | Value
None | 0%
Informal | 5%
Formal | 10%
Metrics and Reporting | 15%
Improvement Process | 20%

Automation Level | Value
None | 0%
Partial | 5%
Full | 10%
Unavailable | 10%


Likelihood

9-10 Very High | Adversary is almost certain to initiate attack. Accident or error is almost certain; occurs more than 100 times a year. Almost certain to have adverse impacts.

7-8 High | Adversary is highly likely to initiate attack. Accident or error is highly likely; occurs between 10-100 times a year. Highly likely to have adverse impacts.

4-6 Moderate | Adversary is somewhat likely to initiate attack. Accident or error is somewhat likely to occur; between 1-10 times a year. Somewhat likely to have adverse impacts.

2-3 Low | Adversary is unlikely to initiate attack. Accident or error is unlikely to occur; less than once a year, but more than once every 10. Unlikely to have adverse impacts.

0-1 Very Low | Adversary is highly unlikely to initiate attack. Accident or error is highly unlikely to occur; less than once every 10 years. Highly unlikely to have adverse impacts.

Priority

9-10 Very High | Critical control or foundational to a critical control; lack of this control would have multiple severe or catastrophic adverse effects on the organization.

7-8 High | Very important or foundational to a very important control; lack of this control would have severe or catastrophic adverse effects on the organization.

4-6 Moderate | Control is important or foundational to an important control; lack of this control would have serious adverse effects on the organization.

2-3 Low | Control is of low importance or foundational to a low importance control; lack of this control would have limited adverse effects on the organization.

0-1 Very Low | Control is not a priority nor a foundational control; lack of this control would have negligible adverse effects on the organization.
Impact

Multiple severe or catastrophic adverse effects on the organization.
Severe or catastrophic adverse effects on the organization.
Serious adverse effects on the organization.
Limited adverse effects on the organization.
Negligible adverse effects on the organization.


Risk Level

Event could be expected to have multiple severe or catastrophic adverse effects.
Event could be expected to have a severe or catastrophic adverse effect.
Event could be expected to have a serious adverse effect.
Event could be expected to have a limited adverse effect.
Event could be expected to have a negligible adverse effect.
