The Strategic Seventeen: NIST Cyber Security Framework

Part 1 of 17

The National Institute of Standards and Technology (NIST) is a US-based, non-regulatory agency that has been around since 1901 and whose mission is to promote innovation and industrial competitiveness. Known as the “National Bureau of Standards” until it became NIST in 1988, the agency counts Information Technology among its key programs. The Cybersecurity Framework version 1.0 was originally published in 2014, and the current version, 1.1, has been publicly available since April 2018.

Many organisations beyond the US, such as here in Australia, are adopting the framework as a “best practice” for their own Information Assurance strategies. While originally intended for those responsible for maintaining critical infrastructure, it is now being adopted by a broad range of businesses and organisations as they shift towards being proactive about risk management rather than constantly reactive. It’s always easier to keep a fire from starting than to have to put one out!

In brief, the NIST Cybersecurity Framework is instrumental in helping organisations with five key functions: Identification, Protection, Detection, Response, and Recovery. It’s easy to get bogged down in any of these, so I’ll endeavour to keep this at a fairly high level. One of the main things I find organisations struggling with is the term “compliance” and in version 1.1, NIST has sought to clarify this further where it may have been a bit confusing previously.

It’s important to remember that NIST themselves mentions “This voluntary framework consists of standards, guidelines, and best practices to manage cybersecurity-related risk. The Cybersecurity Framework’s prioritized, flexible, and cost-effective approach helps to promote the protection and resilience of critical infrastructure and other sectors important to the economy and national security.” The key word here is “voluntary”.

NIST Cybersecurity Framework?

What Is It?

The framework itself consists of three parts: Core, Profile, and Tiers. The “Core” consists of activities, outcomes, and references about elements of and approaches to cybersecurity. The “Profile” consists of outcomes that a business or organisation has selected from the five function categories and subcategories, and these are based on needs and risk assessments. The “Tiers” are used to clarify how cybersecurity risk is perceived and how sophisticated the management of those risks needs to be.

I know it gets confusing trying to make sense of the core, profile, and tiers as well as functions, categories, and subcategories, but believe me, it’s worthwhile. Like prospecting for gold, you won’t have a “eureka!” moment until you dig long and hard enough. Hopefully this blog is the shovel you need to get started!

Earlier, I mentioned there are five functions. Each of these “functions” is broken down into categories and subcategories that address the elements of each function. Identify has 6 categories and 29 subcategories; Protect has 6 and 39; Detect has 3 and 18; Respond has 5 and 16; and finally Recover has 3 and 6.

Categories include items such as “Asset Management”, “Identity Management”, “Access Control”, and “Detection Processes”. Subcategories include outcomes of actions (technical or management) such as “systems are catalogued”, “Data at rest is adequately protected”, and “Alerts from perimeter defence systems are investigated”.

NIST’s Excel document uses an abbreviated format to identify the function (F), category (C), and subcategory (S) in the format “F.C-S”. For example, “ID.RA-4” is “Identify — Risk Assessment — Potential business impacts and likelihoods are identified”, followed by several informative references.

Yes, I know. It seems like a lot, especially when each of these 23 categories and 108 subcategories also has associated references from the International Organisation for Standardisation (ISO), Control Objectives for Information and Related Technologies (COBIT), the Centre for Internet Security (CIS) Critical Security Controls (CSC), and more. This is where you really want to get the right people involved.

Where Do I Start?

That question alone can be daunting, especially when faced with hundreds of references from the categories and subcategories, but the main thing to do before running off and implementing any controls or making any changes is to understand your current state. Therefore, I highly recommend a Vulnerability Assessment or a Risk Assessment to establish your present security posture. It’s equally important that the assessment is current, so if you haven’t done one recently, it’s worthwhile to engage an Information Assurance Specialist to assist.

You may start by using the framework to develop a “Current Profile” to define your current cybersecurity activities and the outcomes being achieved from them. This can be scary, but is necessary. From there, you define a “Target Profile” (or, quite often, adopt an industry-specific baseline profile as the target; there’s nothing wrong with borrowing the good ideas of others. Legally, of course) and define steps to get from here to there. Call it a roadmap, a plan, or a migration, but you need to know where you are before you know where you are going.

There are two handy reference documents readily available from NIST, available from their website in the section dedicated to the Cybersecurity Framework. Just head to the “Framework” page (top of the menu on the left) and grab the Version 1.1 PDF and Excel files. I like using the Excel file as a handy-dandy workbook for engagements and the PDF is a thorough reference document and a good read (at 55 pages long, it’s not “War and Peace”, so if you’re serious about NIST, this is a great starting point). Feel free to dig through the NIST website; it’s a goldmine of great information.

NIST Cybersecurity Framework

https://www.nist.gov/cyberframework

I certainly do not expect everyone to download these documents, read them a few times, and magically become experts; that’s absurdity on the level of a Monty Python skit. I’ll say it time and time again — reach out and get the right people involved.

How Do I Make It Work?

Now that you’re trying to process terms like core, profile, and tiers along with functions, categories, and subcategories, you probably look like me when I get home from IKEA with several boxes, parts everywhere, an Allen Key in one hand and a set of instructions in the other with a cartoon character on every page — but no words. Yes, introducing the NIST Cybersecurity Framework can leave you at a loss like assembling a PAX Wardrobe, so the first step is to find some patience. It also helps that using this framework can become a “common language” to avoid confusion and communicate with others.

Let’s begin by creating a “Current Profile” to understand your present cybersecurity posture. This can be achieved by undertaking assessment activities such as Vulnerability Assessments, Risk Assessments, Penetration Tests, External and Internal Audits, or any combination of these. The idea is to determine, with reasonable certainty, where you are right now. How you go about this is up to you, but you must identify a starting point. Otherwise, it’s like being stranded on a desert island and just blindly building a raft and setting out in an uncertain direction. Salvation might be just 10 km in one direction but hundreds or thousands of kilometres in every other. Use these assessments as your compass.

Next you can begin creating your “Target Profile”, either of your own design or by duplicating an industry-specific one. This is where I find having the spreadsheet handy is beneficial: I’ll add a few columns to identify “Must-Haves”, “Should-Haves”, “Could-Haves”, and “Won’t-Haves” (i.e. the MoSCoW Method) and work my way through each Function, Category, and Subcategory. These can change on further review, and it takes a few cuts to get it right, so I emphasise patience. I’ll even add a few more columns to identify integrators, vendors, products, and methods so I can begin having some conversations about the “who, what, when, where, why, and how” of making this a reality.

It’s also worth noting that the “Won’t Haves” are not permanently out of scope; they’re just a very low priority and yield little benefit in the present sense. “Could Haves” are often nice to have but are usually the first things dropped when timelines start slipping. On occasion, a “Should Have” gets elevated or a “Must Have” gets demoted, but it’s crucial to sort out which is which up front to avoid burning budget and wasting time.

You’ve probably noticed that many standards, frameworks, and strategies employ a round visual model and the NIST Cybersecurity Framework is no different. I’ve often wondered if it’s because information assurance is a never-ending endeavour or if it’s just a vicious cycle; that’s up to you. What else is up to you is where you begin on that circle but personally, I always like to start with “Identify” because rare is the organisation that has a full understanding of their present posture and exactly what they need to protect.

Working your way through the five functions and each category and subcategory, you will develop your profile and how to tackle each item. I should also point out that each function deserves equal attention. While the “Identify” and “Protect” functions (i.e. the “Before”) often get all the attention and drive projects ranging from new firewalls to endpoint protection solutions, we cannot discount “Detect” and “Respond” (i.e. the “During”). This is where the rubber meets the road and all the time and money invested earns its keep. Critically, never overlook the function “Recover” (i.e. the “After”) to help you get back on your feet when it all goes pear-shaped. Always think “when”, not “if”. Save your gambling for the Melbourne Cup.

Now that you have your spiffy new workbook aligned with the MoSCoW method, it’s time to start plugging in solutions and controls, and these can be physical, technical, logical, and administrative controls that are either technically-driven or business-driven. Underpinning this should be your previously-undertaken assessment and the risks, impacts, and recommendations contained within it. Word to the wise: don’t try to tackle it all at once. It’s a big body of work and should start with your “Must Haves”, and even those may need to be broken up into phases based on budget, resources, and priority. What is important to one is not always top priority for another.

For example, during the “Detect” function, which has 3 categories and 18 subcategories, you may see that the category “Security Continuous Monitoring” (DE.CM) has 8 subcategories, and you consider “DE.CM-8: Vulnerability scans are performed” is a “Must Have” just like “DE.CM-1: The network is monitored to detect potential cybersecurity events” but due to budget, you’ll undertake DE.CM-8 right away and move DE.CM-1 to next year because the systems needed are costly.
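
As an added example (not code from the article or from NIST), a small Python planner that models the workbook process described above: it validates subcategory IDs in the “F.C-S” format, sorts a target profile by MoSCoW priority, and phases items against a budget so that a “Must Have” that does not fit this year rolls into the next, as with DE.CM-1. The sample rows, costs and budgets are constructed for illustration, the outcome texts are paraphrased, and the two-letter codes PR, RS and RC are assumed to be the standard CSF 1.1 function prefixes alongside the ID and DE seen in the post.

```python
"""Target-profile triage for NIST CSF 1.1 subcategories (illustrative example):
validate 'F.C-S' ids, sort by MoSCoW priority, and phase items against a budget
so a Must-Have that does not fit this year (DE.CM-1) rolls into the next."""
import re
from dataclasses import dataclass

# Two-letter function codes of CSF 1.1 (ID and DE appear in the post; PR, RS and
# RC are assumed to be the remaining standard codes).
FUNCTIONS = {"ID": "Identify", "PR": "Protect", "DE": "Detect",
             "RS": "Respond", "RC": "Recover"}
MOSCOW_ORDER = {"Must": 0, "Should": 1, "Could": 2, "Won't": 3}
SUBCAT_RE = re.compile(r"^([A-Z]{2})\.([A-Z]{2})-([1-9]\d*)$")

def parse_subcategory(ident):
    """Validate an 'F.C-S' id and return (function name, category code, number)."""
    m = SUBCAT_RE.match(ident)
    if not m or m.group(1) not in FUNCTIONS:
        raise ValueError(f"not a CSF subcategory id: {ident!r}")
    return FUNCTIONS[m.group(1)], f"{m.group(1)}.{m.group(2)}", int(m.group(3))

@dataclass
class Item:
    ident: str      # e.g. "DE.CM-8"
    outcome: str    # subcategory outcome, paraphrased
    priority: str   # MoSCoW: Must / Should / Could / Won't
    cost: int       # constructed estimate, arbitrary currency units

def plan_phases(items, budgets):
    """Greedy phase planner: returns {phase: [ident, ...]} plus 'unscheduled'
    (ran out of phases) and 'wont_have' (parked, not permanently out of scope).
    Items are taken in MoSCoW order while a phase's budget lasts; one that does
    not fit is deferred, and leftover budget may go to lower tiers."""
    for it in items:
        parse_subcategory(it.ident)  # reject malformed ids before planning
    backlog = sorted((i for i in items if i.priority != "Won't"),
                     key=lambda i: (MOSCOW_ORDER[i.priority], parse_subcategory(i.ident)))
    plan = {}
    for phase, budget in budgets.items():
        chosen, deferred = [], []
        for it in backlog:
            if it.cost <= budget:
                budget -= it.cost
                chosen.append(it.ident)
            else:
                deferred.append(it)
        plan[phase] = chosen
        backlog = deferred
    plan["unscheduled"] = [i.ident for i in backlog]
    plan["wont_have"] = [i.ident for i in items if i.priority == "Won't"]
    return plan

# Constructed target-profile rows: outcomes paraphrased, costs and budgets invented.
SAMPLE_ITEMS = [
    Item("DE.CM-8", "Vulnerability scans are performed", "Must", 20),
    Item("DE.CM-1", "The network is monitored for cybersecurity events", "Must", 150),
    Item("ID.RA-4", "Business impacts and likelihoods are identified", "Should", 10),
    Item("PR.DS-1", "Data at rest is protected", "Could", 120),
    Item("RC.CO-3", "Recovery activities are communicated", "Won't", 30),
]
SAMPLE_BUDGETS = {"this year": 100, "next year": 200}
```

Running `plan_phases(SAMPLE_ITEMS, SAMPLE_BUDGETS)` schedules DE.CM-8 and ID.RA-4 this year, defers DE.CM-1 to next year because it exceeds this year's budget, and leaves the “Could Have” PR.DS-1 unscheduled once both budgets are spent.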

Please. Take your time and get the right people involved to help you plan and execute.

Pitfalls?

Two major pitfalls when trying to implement the framework are time and money. Trying to blindly implement everything in the framework is nearly impossible for most organisations, and the fact that this is a “voluntary” framework easily gets lost while chasing the idea of 100% compliance down the rabbit hole. In fact, an enormous amount of time can be spent just trying to figure out what the heck to implement. Therefore, you need to assess your current state and use the MoSCoW method to determine your target state.

We must also realise that this can be a costly and time-consuming endeavour, that the cybersecurity threat landscape is constantly shifting, and that technology is evolving, so priorities can change during implementation of the NIST Cybersecurity Framework. Solutions may become more affordable, resources and budget will likely change, and it needs to be a living project, not just a one-off box-checking exercise. For what it’s worth, this type of project, like most, is not simply an “IT” responsibility but rather a “whole of business” responsibility.

Ghosts in The Machine?

Implementing the NIST Cybersecurity Framework is a big undertaking, without question, but if approached with patience, assistance from the right people, and underpinned by good information derived from a current profile (via assessment and audit activities), there should be few ghosts. One that has appeared for me is getting lost in all the informative references. While there are 5 functions, 23 categories, and 108 subcategories, each of these subcategories has two or more references with many of them having 4 or 5 each.

Rather than trying to fully understand each of these informative references, I recommend spending time only on the ones relevant to your MoSCoW priorities; that can dramatically reduce the number of forks in the road to a manageable number. In the beginning, I take time to create bookmarks and download and sort anything that is relevant to the task at hand. In some cases, these references are strategies, frameworks, and standards in their own right, such as CIS CSC and ISO/IEC 27001.

Anything Missing?

If there are a few other items I can throw your way, it’s to be sure about your obligations under the Privacy Act and the General Data Protection Regulation, which may drive some of your decisions using the MoSCoW method. I’d also recommend subscribing, where available, to the various frameworks, standards, and strategy sources to ensure you have the latest information on hand and access to changes that may impact the information you’re using.

Above all else, breathe and be patient. Look after yourself and realise this is a journey and not a destination. Don’t be afraid to ask for help, ask questions, and get the right people involved.

There is also a recent and informative blog available on the NIST website for further reading.

Identify, Protect, Detect, Respond and Recover: The NIST Cybersecurity Framework

https://www.nist.gov/blogs/taking-measure/identify-protect-detect-respond-and-recover-nist-cybersecurity-framework

Stay safe out there!

Disclaimer: The thoughts and opinions presented on this blog are my own and not those of any associated third party. The content is provided for general information, educational, and entertainment purposes and does not constitute legal advice or recommendations; it must not be relied upon as such. Appropriate legal advice should be obtained in actual situations. All images, unless otherwise credited, are licensed through ShutterStock.

Translated from: https://medium.com/swlh/the-strategic-seventeen-nist-cyber-security-framework-e24f85c7649d
