Implementing The Nist Cybersecurity Framework 1


IMPLEMENTING THE NIST CYBERSECURITY FRAMEWORK

Implementing the NIST Cybersecurity Framework
Christopher D. Baehman
Leadership and Management in Cybersecurity
CYSE-605
November 16, 2020
Dr. Saltuk B. Karahan

Abstract

The NIST Cybersecurity Framework consists of three parts: Framework Core, Framework Implementation Tiers, and Framework Profiles. The Framework Core represents specific cybersecurity activities the organization may address, with corresponding outcomes and citations to applicable reference documentation. The Framework Implementation Tiers provide a reference point for an organization to compare its own cybersecurity operational level. The Framework Profile enables an organization to analyze the current state of affairs for cybersecurity activities and develop a desired target state. Through leadership, positive change can be influenced, resulting in organizational alignment with identified cybersecurity goals. Similarly, with management support, business work processes may be updated to support and work within the cybersecurity initiatives implemented. Thus, effective leadership and management provide the foundation needed for an organization to succeed at implementing the NIST Cybersecurity Framework.

Keywords: NIST Cybersecurity Framework, Framework Core, Framework Tiers, Framework Profile, Leadership, Management

INTRODUCTION

Business risks all share a common theme of potential harm to the company, employees, and customers. In an article for American Express, John Boitnott described the following seven risks facing companies: “economic, compliance, security and fraud, financial, reputation, operational, and competition” (Boitnott, 2019). While some of the business risks mentioned by Boitnott are independent from cybersecurity altogether, others are intertwined.

For example, economic risk relates to how an “economic downturn” can cause “market fluctuations” directly impacting company sales and profitability (Boitnott, 2019). As such, cybersecurity risks have little, if any, relationship to economic risks. The same goes for financial risks, which Boitnott (2019) explained involve “credit” and “cash flow” issues, which are also independent of cybersecurity risks.

On the other hand, cybersecurity risks have ties to compliance, security, reputation, operational, and competition risks. According to Boitnott (2019), compliance risk means the potential of failing to abide by “laws and regulations,” and, although not raised in his article, can even include contractual obligations. Data security legislation is certainly maturing as society becomes even more connected and businesses are increasingly data driven. Additionally, cybersecurity risk is tightly aligned with security risk to protect digital assets of the company, employees, and customers, where reputation is endangered by corresponding cybersecurity breaches of such assets. While some operational risks are unrelated to cybersecurity risk, such as “natural disasters,” there are other operational risks, such as “people or process failures,” that link directly to cybersecurity issues (Boitnott, 2019). For example, staff may unwarily divulge sensitive information through phishing campaigns or mistakenly store sensitive information in public, unprotected locations. Additionally, competition risks relate to cybersecurity, because consumers and business partners are becoming savvier in who they do business with. Today, it is common to do market research or discovery of a company’s cyber maturity or history of cyber breaches as a determining factor in the vendor selection process.

For companies to succeed in the marketplace, they need to manage business risks. Managing such risk involves balancing mitigation costs against the likelihood of such risk being realized and the corresponding impact to the company, employee, or customer. Because cybersecurity risks directly involve business risks, companies need a method for managing cybersecurity issues to remain competitive and profitable. This paper is a case study of how a Chief Information Security Officer (CISO) for a large corporation can use the Cybersecurity Framework developed by the National Institute of Standards and Technology (NIST) to manage cybersecurity risk and protect the business, employees, and customers from potential harm.

LITERATURE REVIEW

In 2013, the National Institute of Standards and Technology (NIST) began work under Executive Order (EO) 13636 to develop a cybersecurity framework (NIST, 2018, p. v). In 2014, the United States Congress passed the Cybersecurity Enforcement Act (CEA), extending NIST’s role, in collaboration with “industry, academia, and government,” to develop the ‘Framework for Improving Critical Infrastructure Cybersecurity’ (Framework), where the current version is 1.1, published in April 2018 (NIST, 2018, p. iv). According to NIST (2018), the Framework “can be used by organizations in any sector or community,” even though it was initially “developed to improve cybersecurity risk management in critical infrastructure” (p. v).

NIST (2018) advised the Framework is a voluntary tool for organizations that “rely on technology” to “address cybersecurity” issues and manage the corresponding “physical, cyber, and people” impact (p. v). The Framework offers a flexible risk management approach, which allows for broad application in “information technology (IT), industrial control systems (ICS), cyber-physical systems (CPS), and Internet of Things (IoT) connected devices” (NIST, 2018, p. v). NIST (2018) advised the Framework can even help with the cybersecurity issues “affecting the privacy of customers, employees, and other parties” (p. v). According to NIST (2018), organizations can leverage components of the Framework and “customize practices” based on their own cybersecurity requirements and “investment priorities” (p. v). Thus, the Framework is “not a one-size-fits-all approach to managing cybersecurity risk” and allows organizations to utilize the Framework to meet their individual needs (NIST, 2018, p. v).

The Framework “is composed of three parts, the Framework Core, the Framework Implementation Tiers, and the Framework Profiles” (NIST, 2018, p. 3). According to NIST (2018), the Core component of the Framework is comprised of five “Functions” which are “concurrent and continuous” in managing cybersecurity risk (p. 3). The Functions are “Identify, Protect, Detect, Respond, and Recover” (NIST, 2018, p. 3). Under each Function are “Categories and Subcategories” which target specific “outcomes” and narrow the analysis with “Informative References, such as existing standards, guidelines, and practices” (NIST, 2018, p. 3). Figure 1 is from the NIST publication, which shows the connections between “Functions, Categories, Subcategories, and Informative References.”

Figure 1 (NIST, 2018, p. 6)

According to NIST (2018), Framework Implementation Tiers enable an organization to evaluate how well its “cybersecurity risk management practices exhibit characteristics defined in the Framework” (p. 4). Organizational alignment with the Framework ranges from “Tier 1: Partial, Tier 2: Risk Informed, Tier 3: Repeatable, and Tier 4: Adaptive” (NIST, 2018, pp. 9-11).

The Profile component of the Framework “represents an organization’s alignment of standards, guidelines, and practices to the Framework Core” for the cybersecurity system being implemented (NIST, 2018, p. 4). It is helpful to use the Profile to benchmark the “current state” of Framework alignment against the “future state”, which allows an organization to prioritize areas needing resources and funding to reach the desired end state (NIST, 2018, p. 4). As such, organizations can use profiles “to conduct self-assessments” and “measure progress” from the “Current Profile” toward the “Target Profile” (NIST, 2018, p. 4).

Framework Core

The five Functions of the Framework Core are the “highest level of cybersecurity activities” for an organization and do not have a specific order in which to be performed (NIST, 2018, p. 6). Rather, according to NIST (2018), “the Functions should be performed concurrently and continuously” within an organization as part of normal business operations (p. 7).

1. Identify: The ‘Identify’ Function is fundamental “for effective use of the Framework” and provides the analysis for compiling the “cybersecurity risks” pertaining to “systems, people, assets, data, and capabilities” (NIST, 2018, p. 7). The standard categories associated with identifying such organizational risks are “Asset Management (ID.AM), Business Environment (ID.BE), Governance (ID.GV), Risk Assessment (ID.RA), Risk Management Strategy (ID.RM), and Supply Chain Risk Management (ID.SC)” (NIST, 2018, pp. 7, 24-28).

2. Protect: The ‘Protect’ Function “ensures delivery of critical services” by applying appropriate security controls (NIST, 2018, p. 7). The standard categories associated with protecting such services are “Identity Management, Authentication and Access Control (PR.AC), Awareness and Training (PR.AT), Data Security (PR.DS), Information Protection Processes and Procedures (PR.IP), Maintenance (PR.MA), and Protective Technology (PR.PT)” (NIST, 2018, pp. 7, 29-37).

3. Detect: The ‘Detect’ Function focuses on “activities” which “enable timely discovery of cybersecurity events” (NIST, 2018, p. 7). The standard categories associated with event detection include “Anomalies and Events (DE.AE), Security Continuous Monitoring (DE.CM), and Detection Processes (DE.DP)” (NIST, 2018, pp. 7, 37-40).

4. Respond: The ‘Respond’ Function pertains to the “activities” to perform when a cybersecurity event has been “detected” (NIST, 2018, p. 8). The standard categories associated with responding to an event include “Response Planning (RS.RP), Communications (RS.CO), Analysis (RS.AN), Mitigation (RS.MI), and Improvements (RS.IM)” (NIST, 2018, pp. 8, 41-43).

5. Recover: The ‘Recover’ Function provides for “activities” relating to “restoring capabilities or services impaired due to a cybersecurity incident” (NIST, 2018, p. 8). The standard categories associated with recovering from an event include “Recovery Planning (RC.RP), Improvements (RC.IM), and Communications (RC.CO)” (NIST, 2018, pp. 8, 43-44).

Framework Tiers

According to NIST (2018), the “Framework Implementation Tiers (Tiers)” give an organization a way to measure how it “views cybersecurity risk and the processes in place to manage that risk” but are not considered cybersecurity “maturity levels” (p. 8). Some considerations in determining the appropriate Framework tier for an organization are “current risk management practices, threat environment, legal and regulatory requirements, information sharing practices, business/mission objectives, supply chain cybersecurity requirements, and organizational constraints” (NIST, 2018, p. 8). While the highest tier may be desirable, it may not be “feasible” (NIST, 2018, p. 8). Thus, NIST (2018) recommends “selecting a tier level” that not only “meets organizational goals,” but also “reduces cybersecurity risk to critical assets and resources to levels acceptable to the organization” (p. 8). Accordingly, an organization should strive to attain the tier level that is attainable and “cost-effective in reducing cybersecurity risk” (NIST, 2018, p. 8). The Tiers are defined as follows:

1. Tier 1 – Partial: An organization at the “Partial” tier has “cybersecurity risk management practices that are not formalized” and conducts “risk management in an ad hoc and sometimes reactive manner” (NIST, 2018, p. 9). At the Tier 1 level, organizational “cybersecurity awareness” is low, where independent research and collaboration with other organizations is not conducted to better understand associated risks (NIST, 2018, p. 9).

2. Tier 2 – Risk Informed: An organization at the “Risk Informed” tier has “cybersecurity risk management practices approved by management, but they may not be established as organization-wide policy,” and initiatives to manage risk are deployed inconsistently (NIST, 2018, p. 9). At the Tier 2 level, the organization participates in information gathering to understand its cybersecurity risks, which is shared “within the organization on an informal basis” (NIST, 2018, p. 9).

3. Tier 3 – Repeatable: An organization at the “Repeatable” tier has “cybersecurity risk management practices that are established as organization-wide policy” and updated according to “changes in business/mission requirements, threats, and technology” (NIST, 2018, p. 10). At the Tier 3 level, the organization has “consistent methods” to address cybersecurity risks through well-developed “policies, processes, and procedures” (NIST, 2018, p. 10). Additionally, the organization performs information gathering and sharing activities to not only understand its cybersecurity risks, but to also “act formally upon those risks” (NIST, 2018, p. 10).

4. Tier 4 – Adaptive: An organization at the “Adaptive” tier also has appropriate governance, but “adapts cybersecurity practices” based on historical experience and “current cybersecurity activities,” where “lessons learned and predictive indicators” are leveraged for constant and ongoing improvement (NIST, 2018, p. 10). At the Tier 4 level, an “organization-wide approach to managing cybersecurity risk” is deployed, where well-developed “policies, processes, and procedures” are also used. At this level, the organization goes further by clearly understanding the “relationship between cybersecurity risk and organizational objectives,” such that budgeting takes into consideration the “current and predicted risk environment and risk tolerance” (NIST, 2018, p. 10). Like the Tier 3 level, the organization performs information gathering and sharing activities and “acts formally upon those risks,” using “real-time or near real-time” data (NIST, 2018, p. 10).

Framework Profiles

The “Framework Profile” provides an organization with a method to “describe the current state or the desired target state of specific cybersecurity activities” (NIST, 2018, p. 11). As such, an organization may leverage more than one profile to represent how “Framework Functions, Categories, and Subcategories” align with “business requirements, risk tolerance, and resources” (NIST, 2018, p. 11). For instance, a profile representing the current state may be created to describe cybersecurity “outcomes that are currently being achieved” (NIST, 2018, p. 11), whereas a profile representing the target state describes “outcomes needed to achieve the desired cybersecurity risk management goals” (NIST, 2018, p. 11).

By utilizing multiple profiles, an organization can perform a “gap” analysis to determine the risk management activities needed from the Framework Core to mitigate cybersecurity risk (NIST, 2018, p. 11). With appropriate prioritization and planning of Framework Core activities, the organization can develop a strategic “roadmap” to clearly identify timelines and milestones for managing cybersecurity risk (NIST, 2018, p. 11). Such a roadmap allows an organization to prepare for the “staffing and funding” resources needed to “achieve its cybersecurity goals” and implement a “cost-effective” cybersecurity risk management program (NIST, 2018, p. 11).

According to Expel, the current state of how the organization is performing “with respect to cyber risk management” is determined by evaluating the Framework Core Subcategories against “a six-point rating scale” (Potter, n.d., p. 6). The Expel criteria for each point on the scale are:

Score 0: Nope, we’re not doing this at all;
Score 1: It’s ad hoc, we only do it in cases where we have to;
Score 2: We do it . . . but it’s not consistent or structured;
Score 3: We do it consistently . . . but it’s not best practice and it could be better aligned with the business;
Score 4: We do it well and I wouldn’t be ashamed to show this to my peers; and
Score 5: We’re world class (as in, we’re one of the best in the world) (Potter, n.d., p. 6).

Expel suggests that a “self-assessment” of the “98 sub-categories” can be accomplished in an hour by analyzing “two sub-categories per minute” (Potter, n.d., p. 7). Expel also advised it is important for the organization to “know where it wants to be,” and recommends performing another assessment of the desired future state (Potter, n.d., p. 7). Expel cautioned not to set organizational sights to “world class” for every sub-category because it “takes a lot of effort and resources” (Potter, n.d., p. 7). Instead, Expel advised the middle ground of doing a sub-category “well” should generally be sufficient (Potter, n.d., p. 7). With the sub-categories scored, it is possible to obtain an “average for the category,” which allows the organization to use graphs to “see where it stands and where it wants to be” (Potter, n.d., p. 8). The information compiled from the self-assessment provides the organization with the details necessary to “prioritize and plan” for cybersecurity risk “based on business needs, risks most concerned about, and gaps the organization wants to work on” (Potter, n.d., p. 8).

Business Coordination to Implement Framework

NIST (2018) explains how an organization may coordinate among business units, such as the “Executive” level, “Business/Process” level, and “Implementation/Operations” level, to implement the Framework (p. 12). NIST (2018) explained the “executive level” provides risk governance information to the “business/process level” by communicating “mission priorities, available resources, and overall risk tolerance” of the organization (p. 12). In turn, the “business/process level” develops appropriate Framework Profiles to convey the desired cybersecurity end state the organization seeks to achieve and establish risk priorities (NIST, 2018, p. 12). Likewise, the “implementation/operations level” uses the profile information provided as a guide for changing the cybersecurity risk posture of the organization (NIST, 2018, p. 12).

With cybersecurity mitigation implemented, operational changes are communicated to the “business/process level,” who then conducts an “impact assessment” (NIST, 2018, p. 12). The assessment provides a method for the organization to determine any residual risks remaining after mitigation and the corresponding effect such risks may have, if realized (NIST, 2018, p. 12). Coming full circle, the “business/process level reports the outcomes of that impact assessment” to both the “executive level” and “implementation/operations” level for organizational awareness. Figure 2 is from the NIST publication, which shows the interaction between each of the business levels in implementing the Framework (NIST, 2018, p. 12).

Figure 2 (NIST, 2018, p. 12)

Method for Implementing Framework

According to NIST (2018), there are seven steps that can be followed “to create a new cybersecurity program or improve an existing program” (p. 14). The steps identified by NIST (2018), listed below, should be performed as a “continuous” process and “repeated as necessary” (p. 14).

1. Step 1: Prioritize and Scope: According to NIST (2018), this step involves developing “business/mission objectives” and establishing “high-level” priorities (p. 14). As such, the organization can make “strategic decisions for implementing cybersecurity” solutions for applicable “business processes” (p. 14).

2. Step 2: Orient: NIST (2018) advised this step involves researching “regulatory requirements” and discovery of “threats and vulnerabilities applicable to those systems and assets” related to the business process (p. 14).

3. Step 3: Create a Current Profile: Here, a current state profile is developed to understand where the organization is performing “Framework Core” cybersecurity activities and the “outcomes achieved” (NIST, 2018, p. 14).

4. Step 4: Conduct a Risk Assessment: NIST (2018) advised the risk assessment enables the organization to evaluate the “likelihood” that a cybersecurity issue will occur “and the impact the event may have on the organization” (p. 14).

5. Step 5: Create a Target Profile: In this step, a “target profile” is developed to guide the organization on the “desired cybersecurity outcomes” to achieve by performing “Framework Core” activities (NIST, 2018).

6. Step 6: Determine, Analyze, and Prioritize Gaps: With a “current state” and “future state” profile, the organization can perform a gap analysis to determine which cybersecurity areas need additional risk management (NIST, 2018, p. 14). The organization can then “create a prioritized action plan” taking into consideration alignment with “mission drivers, costs/benefits”, and available financial and labor resources (NIST, 2018, p. 14).

7. Step 7: Implement Action Plan: In this last step, the “organization adjusts its current cybersecurity practices” to accomplish the end state desired in the “target profile.”

Management and Leadership Approaches

Because Framework implementation requires coordination among business units within an organization, it is important to discuss the differences between management and leadership.
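The following is an added worked example, not code from the paper, NIST, or Expel. It puts Steps 3, 5, and 6 above together with Expel’s six-point scale from the Framework Profiles section: each Framework Core subcategory receives a Current Profile score and a Target Profile score on the 0–5 scale, the scores are rolled up to the per-category average Expel describes, and the subcategories with the largest gaps are ranked as input to the prioritized action plan. The subcategory IDs are real CSF 1.1 identifiers, but the scores are a constructed sample of nine entries rather than the full 98; the `SCALE` labels paraphrase Expel’s criteria, and the `report` layout is my own assumption about what a Planning Team would hand upward.

```python
"""Added example: Current/Target Profile scoring on Expel's 0-5 scale, category
roll-up, and gap ranking for NIST Steps 3, 5 and 6.

The ratings are a constructed sample using a few real CSF 1.1 subcategory IDs;
an actual self-assessment covers all 98 subcategories.
"""
from collections import defaultdict
from dataclasses import dataclass

# Function names keyed by the two-letter prefix of each category ID (ID.AM, PR.AC, ...).
FUNCTIONS = {"ID": "Identify", "PR": "Protect", "DE": "Detect",
             "RS": "Respond", "RC": "Recover"}

# Expel's six-point scale, paraphrased from the criteria quoted in the paper.
SCALE = {0: "not doing this at all", 1: "ad hoc", 2: "inconsistent/unstructured",
         3: "consistent, not best practice", 4: "done well", 5: "world class"}


@dataclass(frozen=True)
class Rating:
    subcategory: str  # e.g. "ID.AM-1"
    current: int      # Current Profile score, 0-5
    target: int       # Target Profile score, 0-5

    def __post_init__(self):
        # Reject anything outside the six-point scale before it skews an average.
        for score in (self.current, self.target):
            if score not in SCALE:
                raise ValueError(f"{self.subcategory}: score {score} is outside the 0-5 scale")

    @property
    def category(self) -> str:
        return self.subcategory.split("-")[0]          # "ID.AM-1" -> "ID.AM"

    @property
    def function(self) -> str:
        return FUNCTIONS[self.category.split(".")[0]]  # "ID.AM" -> "Identify"

    @property
    def gap(self) -> int:
        return self.target - self.current


# Constructed sample ratings (hypothetical scores, not an actual assessment).
SAMPLE = [
    Rating("ID.AM-1", 2, 4), Rating("ID.AM-2", 1, 4), Rating("ID.AM-3", 3, 4),
    Rating("PR.AC-1", 3, 4), Rating("PR.AC-4", 2, 4),
    Rating("DE.CM-1", 1, 4), Rating("DE.CM-4", 4, 4),
    Rating("RS.RP-1", 0, 3),
    Rating("RC.RP-1", 2, 3),
]


def category_averages(ratings):
    """Per-category (current, target) averages: the roll-up Expel plots per category."""
    by_cat = defaultdict(list)
    for r in ratings:
        by_cat[r.category].append(r)
    return {cat: (round(sum(r.current for r in rs) / len(rs), 2),
                  round(sum(r.target for r in rs) / len(rs), 2))
            for cat, rs in by_cat.items()}


def prioritized_gaps(ratings):
    """Subcategories whose target exceeds current, largest gap first (Step 6 input)."""
    return sorted((r for r in ratings if r.gap > 0),
                  key=lambda r: (-r.gap, r.subcategory))


def overambitious_targets(ratings):
    """Targets set to 'world class', which Expel cautions against applying broadly."""
    return [r.subcategory for r in ratings if r.target == 5]


def report(ratings) -> str:
    """Plain-text summary a Planning Team could hand to the Steering Committee."""
    lines = ["Category  Current  Target"]
    for cat, (cur, tgt) in sorted(category_averages(ratings).items()):
        lines.append(f"{cat:<9} {cur:>7.2f} {tgt:>7.2f}")
    lines.append("Gaps (largest first):")
    for r in prioritized_gaps(ratings):
        lines.append(f"  {r.subcategory} [{r.function}] {r.current}->{r.target} "
                     f"({SCALE[r.current]} -> {SCALE[r.target]})")
    if overambitious_targets(ratings):
        lines.append("Review world-class targets: " + ", ".join(overambitious_targets(ratings)))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE))
```

Sorting by gap size alone is a starting point; the paper’s Step 6 also weighs “mission drivers, costs/benefits” and available resources, so a real action plan would add those as further sort keys or weights rather than ranking on the numeric gap only.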

Management is about making a repeatable process through “planning, organizing, and coordinating” to ensure there is order and predictability for an outcome (Sharma & Jain, 2013, p. 309). Leadership, on the other hand, involves motivating and inspiring others to achieve certain goals (Sharma & Jain, 2013, p. 309). There are three theories of how people become leaders. First, people can become leaders based on genetics alone, where leadership is derived through “inherited traits” (Sharma & Jain, 2013, p. 311). Second, leaders can be born through an extraordinary event where the person “rises to the occasion” (Sharma & Jain, 2013, p. 311). Third, leadership can be by choice, where people learn “leadership skills,” which, according to Sharma and Jain (2013), is the main way people become leaders today (p. 311).

According to Harvard Business School Online, the differences between Management and Leadership are centered around “process versus vision, organizing versus aligning, and position versus quality” (Gavin, 2019). Gavin explained “managers set out to achieve organizational goals,” whereas “leadership is about developing what the goals should be” (Gavin, 2019). Thus, leadership is focused on “a vision to guide change, whereas managers . . . implement processes, such as budgeting, organizational structuring, and staffing” to execute such change (Gavin, 2019). In relation to organizing and aligning, “managers pursue goals through coordinated actions and tactical processes,” which involves “organizing people to get work done” (Gavin, 2019). Leaders focus less on the actionable work and more on strategic alignment by “innovating, developing, and influencing people” (Gavin, 2019). With respect to position and quality, Gavin (2019) explained managers fulfill a “specific role within an organization’s hierarchy” and have “set responsibilities”. Leaders, on the other hand, are not determined by “position or title,” but instead are a product of their actions (Gavin, 2019). It is the quality of the person to “inspire, encourage, or engage others” which distinguishes a leader from a manager (Gavin, 2019).

DISCUSSION

At the University of Chicago, the “Biological Sciences Division (BSD) is the largest division of the university with 5,000 faculty and staff in 23 departments” (BSD UoC, n.d.). Because BSD has a broad “array of information technology resources,” it leverages a “decentralized model using local Information Technology staff, hired to fulfill specific departments’ technology needs” (BSD UoC, n.d.). The decentralized governance model was implemented to provide individual departments with the flexibility to meet their own research requirements through tailored IT solutions (BSD UoC, n.d.). The BSD realized such “IT autonomy” produced “security challenges,” because each department had “its own management and governance processes” (BSD UoC, n.d.). Some of the challenges observed were “inconsistent applications of security controls, gaps in security controls across departments, increase in spending on security, and duplication of effort” (BSD UoC, n.d.). The BSD selected the Framework “for organizing and implementing a new information security program” to resolve these challenges in a “cost-effective and programmatic manner” (BSD UoC, n.d.). The large corporation for this case study probably has a broad base of business units, like BSD’s broad range of departments. Therefore, the issues present in a decentralized governance model are more than likely present in the corporation as well.

As a new Information Security Officer for a large corporation, I would model my approach to implementing the Framework after the BSD’s approach. For starters, the BSD consulted with “G2, Inc.” and built a team consisting of “G2 Subject Matter Experts and BSD Security Analysts” (BSD UoC, n.d.). Similarly, I would engage a company with cybersecurity expertise, such as G2, Inc., to provide guidance in implementing the Framework. I would also engage the executive level, business/process level, and implementation/operations level within the corporation to form appropriate teams to assist in the implementation. At the Executive level, I would form a Cybersecurity Steering Committee to provide governance oversight and guidance to implementing the Framework. At the Business/Process level, I would form a Cybersecurity Planning Team consisting of the contracted cybersecurity experts and internal staff consisting of business, IT, and cybersecurity managers and senior staff to provide context to the relevant cyber issues facing the organization. Additionally, I would form a Cybersecurity Implementation Team who would execute the necessary business changes to achieve the desired end state for managing cybersecurity risk within the organization.

Cybersecurity Steering Committee

In the Department of Defense’s (DOD) guide for implementing the Framework, it followed the seven-step approach outlined by NIST, where “Step 1: Prioritize and Scope” is relevant to the Cybersecurity Steering Committee (DOD, 2019, p. 9). According to the DOD (2019), the “organization first identifies its business or mission objectives and its strategic priorities as they relate to cybersecurity” (p. 10). The DOD (2019) suggests considering the following “strategic objectives,” including how cybersecurity capabilities support their fulfillment: “Maintain Stability, Create Value for Stakeholders, Preserve Business Operations and Continuity, and Protect Controlled and Sensitive Information” (DOD, 2019, p. 10).

With respect to maintaining stability, the Cybersecurity Steering Committee should focus on those “processes and systems” which directly influence achieving “production and service goals” and relate to corporate “profitability and reputation” (DOD, 2019, p. 10). In creating stakeholder value, the Cybersecurity Steering Committee should consider the fundamental activities performed by the corporation to achieve its mission and “create value” for “stakeholders” (DOD, 2019, p. 10). Regarding operational continuity, the Cybersecurity Steering Committee should consider the risk tolerance the corporation has toward its “on-going ability to execute” business operations in the wake of disaster (DOD, 2019, p. 10). Similarly, the Cybersecurity Steering Committee should also consider the risk tolerance toward breach or loss of “controlled and sensitive information” (DOD, 2019, p. 10). The Cybersecurity Steering Committee must balance these issues with corporate budgetary and labor constraints.

In evaluating these goals, the Cybersecurity Steering Committee should clearly denote how the objectives relate to corporate “goals, mission priorities, available resources, and overall risk tolerance” (NIST, 2018, p. 12). The Cybersecurity Steering Committee should determine the appropriate Tier level the corporation should pursue to cost-effectively meet its cybersecurity goals (NIST, 2018, p. 10). Ultimately, the Cybersecurity Steering Committee should provide guidance to the Cybersecurity Planning Team on the funding available and the priorities identified from the strategic objectives.

Cybersecurity Planning Team

NIST (2018) implementation steps two through six, in the seven-step approach followed by the DOD, are tasks for the Cybersecurity Planning Team. Interestingly, the seven Framework steps mentioned relate to the “four distinct stages” followed by the BSD; namely: “Current State, Assessment, Target State, and Roadmap” (BSD UoC, n.d.).

In NIST (2018) “Step 2: Orient,” the Planning Team should identify “standards and best practices” and consider “threats and vulnerabilities” in relation to business processes of the organization (DOD, 2019, p. 11). In NIST (2018) steps three and five, the Planning Team should follow the quantitative approach proposed by Expel by using a point system to self-rate the “98 sub-categories” of the Framework Core to create the “current and target profiles” (Potter, n.d., p. 6). In NIST (2018) “Step 4: Conduct a Risk Assessment,” the Planning Team should “analyze the operational environment” to determine the “likelihood and impact” that cybersecurity risks pose to the organization (DOD, 2019, p. 12). In the sixth NIST (2018) step, the Planning Team should “compare the current profile and t
