Co-authored by Ken Durbin, CISSP and Kevin McPeak, CISSP, ITILv3
(continued from part two in our series, Canada's Digital Privacy Act: Where Do I Start?)
In February 2013, President Obama signed an Executive Order calling for the creation of a Cybersecurity Framework (CSF) to help strengthen the security posture of US Critical Infrastructure Sectors. The framework was to be voluntary and flexible, and to draw on existing, widely used best practices and standards so that it could be adapted to almost any type of organization. While initially designed for Critical Infrastructure, it has proven useful across all market segments in the US and even internationally. This next section in our series will show how the CSF can be used to implement Canada’s Digital Privacy Act (DPA).
The CSF is broken down into three sections: Core, Profile, and Tiers. Together they allow organizations to:
- Describe their Current and Target cybersecurity posture
- Identify and prioritize improvements
- Assess progress towards their target state
- Communicate cybersecurity risk
Framework Core: According to the National Institute of Standards and Technology (NIST), the Core “provides a set of activities to achieve specific cybersecurity outcomes, and references examples of guidance to achieve those outcomes.” It is broken down into five Core Functions, “Identify, Protect, Detect, Respond, and Recover,” which allow an organization to focus logically on its main areas of concern. Each Function is broken down into Categories and then further into Subcategories that allow for a deeper assessment of each Core Function. Finally, each Subcategory is associated with several existing “controls” or “best practices,” labeled as Informative References, that describe how to satisfy that Subcategory.
Framework Profile: A Profile consists of a Current Profile and a Target Profile. An initial assessment of an organization against the Framework Core produces the Current Profile, which answers “what is the current state of my cybersecurity posture as it is now?” A Risk Assessment is then conducted against the Current Profile to see whether it meets the needs of the organization. Changes are made to bring the Current Profile in line with the organization’s Risk Tolerance, and the result is the Target Profile, which guides the organization in improving its cybersecurity posture.
Framework Tiers: Tiers are included in the CSF to help organizations rate themselves in terms of cybersecurity maturity. They range from Tier 1 (Partial) to Tier 4 (Adaptive). It is up to each individual organization to determine the Tier that is appropriate for its business and operational needs, and the Target Profile can be aligned to help reach a particular Tier.
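To make the Core/Profile/Tier workflow described above concrete, here is an added example (not part of the original post, and not a Symantec or NIST tool) that models a small slice of the Framework Core, derives a Target Profile from a Current Profile and a Risk Assessment, and prints the prioritized gaps. The Subcategory identifiers follow CSF numbering; the tier scores, the risk-to-tier policy and the Informative References listed are constructed sample data, since the CSF leaves the scoring and tolerance choices to each organization.

```python
from dataclasses import dataclass

# Framework Tiers as named in the CSF (Tier 1 Partial .. Tier 4 Adaptive).
TIERS = {1: "Partial", 2: "Risk Informed", 3: "Repeatable", 4: "Adaptive"}


@dataclass(frozen=True)
class Subcategory:
    ident: str         # CSF identifier; the prefix encodes Function and Category
    outcome: str       # the outcome the Subcategory describes
    references: tuple  # Informative References (constructed sample, not the full list)

    @property
    def function(self) -> str:
        return self.ident.split(".")[0]  # ID, PR, DE, RS or RC


# A tiny slice of the Framework Core, one Subcategory per Function (constructed sample).
CORE = [
    Subcategory("ID.AM-1", "Devices and systems are inventoried", ("SP 800-53 CM-8",)),
    Subcategory("PR.AC-1", "Identities and credentials are managed", ("SP 800-53 AC-2",)),
    Subcategory("DE.CM-1", "The network is monitored for events", ("SP 800-53 SI-4",)),
    Subcategory("RS.RP-1", "Response plan is executed", ("SP 800-53 IR-8",)),
    Subcategory("RC.RP-1", "Recovery plan is executed", ("SP 800-53 CP-10",)),
]

# Risk Tolerance expressed as the minimum Tier demanded by each risk rating
# (a constructed policy; each organization sets its own).
MIN_TIER_FOR_RISK = {"low": 1, "medium": 3, "high": 4}


def build_target_profile(current: dict, risk_rating: dict) -> dict:
    """Raise each Subcategory's tier to what its risk rating demands; never lower it."""
    return {ident: max(tier, MIN_TIER_FOR_RISK[risk_rating.get(ident, "low")])
            for ident, tier in current.items()}


def gap_report(core, current: dict, target: dict) -> list:
    """Gaps between Current and Target Profile, largest first, with references to consult."""
    gaps = []
    for sub in core:
        delta = target[sub.ident] - current[sub.ident]
        if delta > 0:
            gaps.append({"subcategory": sub.ident, "function": sub.function,
                         "current": TIERS[current[sub.ident]], "target": TIERS[target[sub.ident]],
                         "gap": delta, "references": list(sub.references)})
    return sorted(gaps, key=lambda g: (-g["gap"], g["subcategory"]))


if __name__ == "__main__":
    # Constructed assessment data: current tier per Subcategory and risk ratings from the Risk Assessment.
    current = {"ID.AM-1": 2, "PR.AC-1": 1, "DE.CM-1": 2, "RS.RP-1": 3, "RC.RP-1": 1}
    risk = {"PR.AC-1": "high", "DE.CM-1": "high", "ID.AM-1": "medium", "RC.RP-1": "low"}
    for g in gap_report(CORE, current, build_target_profile(current, risk)):
        print(f'{g["subcategory"]} ({g["function"]}): {g["current"]} -> {g["target"]} '
              f'(+{g["gap"]}), see {", ".join(g["references"])}')
```

The same structure scales to the full Core by loading every Subcategory and its official Informative References instead of the five sample entries, and by narrowing `CORE` to the Subcategories relevant to a specific requirement such as the DPA.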
The CSF is designed to assess the complete cybersecurity posture of an organization. However, the following posts will show how it can be tailored to assess against a specific requirement such as the DPA.
For more information on how to prepare for DPA, please visit: go.symantec.com/ca/dpa