

DIGITAL SURVIVAL MANUAL
What Every Community Association Needs to Know About Data Protection in the Age of Hacking and Cyber Crime

by Matthew C. Collins, Esq., Stark & Stark

Tuesday, April 3, 2018
2018 Annual Condo Staff Training Symposium
CAI Regional Council: Philadelphia

www.Stark-Stark.com • 1-800-53-LEGAL • [email protected]


TABLE OF CONTENTS

1. Commonwealth v. Uber Technologies, Inc.

2. Small Business Guide: Formulating a Comprehensive Written Information Security Program. Massachusetts Office of Consumer Affairs & Business Regulation.

3. Information Security & Breach Notification Guidance. Illinois Attorney General.

4. Best Practices for Victim Response & Reporting of Cyber Incidents. U.S. Department of Justice, Cybersecurity Unit.

5. Framework for Improving Critical Infrastructure Cybersecurity. National Institute of Standards & Technology.


Case ID: 180300004
Filed and Attested by the Office of Judicial Records
05 MAR 2018 09:08 am, M. BRYANT


COMMONWEALTH OF MASSACHUSETTS
OFFICE OF CONSUMER AFFAIRS AND BUSINESS REGULATION
10 Park Plaza – Suite 5170, Boston MA 02116 (617) 973-8700 FAX (617) 973-8799
www.mass.gov/consumer

DEVAL L. PATRICK, GOVERNOR
TIMOTHY P. MURRAY, LIEUTENANT GOVERNOR
GREGORY BIALECKI, SECRETARY OF HOUSING AND ECONOMIC DEVELOPMENT
BARBARA ANTHONY, UNDERSECRETARY

A Small Business Guide:

Formulating A Comprehensive Written Information Security Program

While the contents of any comprehensive written information security program required by 201 CMR 17.00 must always satisfy the detailed provisions of those regulations; and while the development of each individual program will take into account (i) the size, scope and type of business of the person obligated to safeguard the personal information under such comprehensive information security program, (ii) the amount of resources available to such person, (iii) the amount of stored data, and (iv) the need for security and confidentiality of both consumer and employee information, the Office of Consumer Affairs and Business Regulation is issuing this guide to help small businesses in their compliance efforts. This Guide is not a substitute for compliance with 201 CMR 17.00. It is simply a tool designed to aid in the development of a written information security program for a small business, including the self-employed, that handles “personal information.”

Bear in mind that wherever there is a conflict between this guide and the provisions of 201 CMR 17.00, the latter will govern. We set out below this “guide” to devising a security program (references below to “we” and “our” are references to the small business to whom the real WISP will relate):

COMPREHENSIVE WRITTEN INFORMATION SECURITY PROGRAM

I. OBJECTIVE:

Our objective, in the development and implementation of this comprehensive written information security program (“WISP”), is to create effective administrative, technical and physical safeguards for the protection of personal information of residents of the Commonwealth of Massachusetts, and to comply with obligations under 201 CMR 17.00. The WISP sets forth our procedure for evaluating our electronic and physical methods of accessing, collecting, storing, using, transmitting, and protecting personal information of residents of the Commonwealth of Massachusetts. For purposes of this WISP, “personal information” means a Massachusetts resident's first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident: (a) Social Security number; (b) driver's license number or state-issued identification card number; or (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident’s financial account; provided, however, that “personal information” shall not include information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public.

II. PURPOSE:

The purpose of the WISP is to:

(a) Ensure the security and confidentiality of personal information;

(b) Protect against any anticipated threats or hazards to the security or integrity of such information; and

(c) Protect against unauthorized access to or use of such information in a manner that creates a substantial risk of identity theft or fraud.

III. SCOPE:

In formulating and implementing the WISP, (1) identify reasonably foreseeable internal and external risks to the security, confidentiality, and/or integrity of any electronic, paper or other records containing personal information; (2) assess the likelihood and potential damage of these threats, taking into consideration the sensitivity of the personal information; (3) evaluate the sufficiency of existing policies, procedures, customer information systems, and other safeguards in place to control risks; (4) design and implement a WISP that puts safeguards in place to minimize those risks, consistent with the requirements of 201 CMR 17.00; and (5) regularly monitor the effectiveness of those safeguards.

IV. DATA SECURITY COORDINATOR:

We have designated ____________________ to implement, supervise and maintain the WISP. That designated employee (the “Data Security Coordinator”) will be responsible for:

a. Initial implementation of the WISP;

b. Training employees;

c. Regular testing of the WISP’s safeguards;

d. Evaluating the ability of each of our third party service providers to implement and maintain appropriate security measures for the personal information to which we have permitted them access, consistent with 201 CMR 17.00; and requiring such third party service providers by contract to implement and maintain appropriate security measures;

e. Reviewing the scope of the security measures in the WISP at least annually, or whenever there is a material change in our business practices that may implicate the security or integrity of records containing personal information; and

f. Conducting an annual training session for all owners, managers, employees and independent contractors, including temporary and contract employees who have access to personal information, on the elements of the WISP. All attendees at such training sessions are required to certify their attendance at the training, and their familiarity with the firm’s requirements for ensuring the protection of personal information.

V. INTERNAL RISKS:

To combat internal risks to the security, confidentiality, and/or integrity of any electronic, paper or other records containing personal information, and to evaluate and improve, where necessary, the effectiveness of the current safeguards for limiting such risks, the following measures are mandatory and are effective immediately. To the extent that any of these measures require a phase-in period, such phase-in must be completed on or before March 1, 2010:

Internal Threats

• A copy of the WISP must be distributed to each employee who shall, upon receipt of the WISP, acknowledge in writing that he/she has received a copy of the WISP.

• There must be immediate retraining of employees on the detailed provisions of the WISP.

• Employment contracts must be amended immediately to require all employees to comply with the provisions of the WISP, and to prohibit any nonconforming use of personal information during or after employment, with mandatory disciplinary action to be taken for violation of security provisions of the WISP. (The nature of the disciplinary measures may depend on a number of factors including the nature of the violation and the nature of the personal information affected by the violation.)

• The amount of personal information collected should be limited to that amount reasonably necessary to accomplish our legitimate business purposes, or necessary for us to comply with other state or federal regulations.

• Access to records containing personal information shall be limited to those persons who are reasonably required to know such information in order to accomplish our legitimate business purpose or to enable us to comply with other state or federal regulations.

• Electronic access to user identification after multiple unsuccessful attempts to gain access must be blocked.

• All security measures shall be reviewed at least annually, or whenever there is a material change in our business practices that may reasonably implicate the security or integrity of records containing personal information. The Data Security Coordinator shall be responsible for this review and shall fully apprise management of the results of that review and any recommendations for improved security arising out of that review.

• Terminated employees must return all records containing personal information, in any form, that may at the time of such termination be in the former employee’s possession (including all such information stored on laptops or other portable devices or media, and in files, records, work papers, etc.).

• A terminated employee’s physical and electronic access to personal information must be immediately blocked. Such terminated employee shall be required to surrender all keys, IDs or access codes or badges, business cards, and the like, that permit access to the firm’s premises or information. Moreover, such terminated employee’s remote electronic access to personal information must be disabled; his/her voicemail access, e-mail access, internet access, and passwords must be invalidated. The Data Security Coordinator shall maintain a highly secured master list of all lock combinations, passwords and keys.

• Current employees’ user IDs and passwords must be changed periodically.

• Access to personal information shall be restricted to active users and active user accounts only.

• Employees are encouraged to report any suspicious or unauthorized use of customer information.

• Whenever there is an incident that requires notification under M.G.L. c. 93H, §3, there shall be an immediate mandatory post-incident review of events and actions taken, if any, with a view to determining whether any changes in our security practices are required to improve the security of personal information for which we are responsible.

• Employees are prohibited from keeping open files containing personal information on their desks when they are not at their desks.

• At the end of the work day, all files and other records containing personal information must be secured in a manner that is consistent with the WISP’s rules for protecting the security of personal information.

• Each department shall develop rules (bearing in mind the business needs of that department) that ensure that reasonable restrictions upon physical access to records containing personal information are in place, including a written procedure that sets forth the manner in which physical access to such records in that department is to be restricted; and each department must store such records and data in locked facilities, secure storage areas or locked containers.

• Access to electronically stored personal information shall be electronically limited to those employees having a unique log-in ID; and re-log-in shall be required when a computer has been inactive for more than a few minutes.

• Visitors’ access must be restricted to one entry point for each building in which personal information is stored, and visitors shall be required to present a photo ID, sign in and wear a plainly visible “GUEST” badge or tag. Visitors shall not be permitted to visit unescorted any area within our premises that contains personal information.

• Paper or electronic records (including records stored on hard drives or other electronic media) containing personal information shall be disposed of only in a manner that complies with M.G.L. c. 93I.

VI. EXTERNAL RISKS

To combat external risks to the security, confidentiality, and/or integrity of any electronic, paper or other records containing personal information, and to evaluate and improve, where necessary, the effectiveness of the current safeguards for limiting such risks, the following measures must be completed on or before March 1, 2010:

External Threats

• There must be reasonably up-to-date firewall protection and operating system security patches, reasonably designed to maintain the integrity of the personal information, installed on all systems processing personal information.

• There must be reasonably up-to-date versions of system security agent software, which must include malware protection and reasonably up-to-date patches and virus definitions, installed on all systems processing personal information.

• To the extent technically feasible, all personal information stored on laptops or other portable devices must be encrypted, as must all records and files transmitted across public networks or wirelessly. Encryption here means the transformation of data into a form in which meaning cannot be assigned without the use of a confidential process or key, unless further defined by regulation by the Office of Consumer Affairs and Business Regulation.

• All computer systems must be monitored for unauthorized use of or access to personal information.

• There must be secure user authentication protocols in place, including: (1) protocols for control of user IDs and other identifiers; (2) a reasonably secure method of assigning and selecting passwords, or use of unique identifier technologies, such as biometrics or token devices; (3) control of data security passwords to ensure that such passwords are kept in a location.


INFORMATION SECURITY AND SECURITY BREACH NOTIFICATION GUIDANCE
Preventing, Preparing for, and Responding to Breaches of Information Security

The Office of Illinois Attorney General Lisa Madigan has created this guide for businesses and governmental agencies in Illinois subject to the Personal Information Protection Act. The Illinois Personal Information Protection Act requires notification to Illinois residents in the event of an unauthorized acquisition of their personal information.

Entities that collect, maintain, store, use, and ultimately dispose of personal information should take steps to protect that information and reduce the risk of suffering a security breach. Although it may be impossible to prevent every breach, good data security can reduce the likelihood of some breaches, thereby helping entities to avoid the costly notification process.

This guide is meant to provide guidance, and not to provide legal advice. It is also important to recognize that due to the ever-changing aspect of information security and technology, more may be required of businesses and governmental agencies than is explained in this guide.

Businesses and governmental agencies are encouraged to stay abreast of industry best practices for data security and prevention of data breaches.

This guide begins by providing guidance for strong data security practices. Because not all prevention is fool-proof, it then provides information on how to plan ahead so that a response plan can be implemented immediately upon discovery of a breach. It then provides guidance for responding to breaches and complying with the Personal Information Protection Act.

PREVENTING SECURITY BREACHES

Safeguarding sensitive data in files and on computers makes good business sense. After all, if that information falls into the wrong hands, it can lead to fraud or identity theft. A sound data security plan is built on the following five key principles: (1) take stock; (2) scale down; (3) lock it; (4) pitch it; and (5) plan ahead.

TAKE STOCK

Know what personal information you have in your files and on your computers. Understanding how personal information moves into, through, and out of your business and who has—or could have—access to it is essential to assessing security vulnerabilities. Conduct a thorough information assessment of all departments and divisions within your business or governmental agency.

When conducting the information assessment, you should follow these steps:

• Review human resources and personnel records and files and determine what personal employee information is collected, used, maintained, and stored.
• Review internal forms and computer systems that are used by employees for expense reports, trainings, reimbursement requests, and other administrative functions.
• Review all requests for personal information from clients, customers, vendors, and the general public.

SCALE DOWN

Keep only what you need for your business. If you don’t have a legitimate business need for sensitive personally identifiable information, don’t keep it. Maintaining Social Security numbers (SSNs) on personnel records is required for tax purposes and may be required for other purposes. Other uses may not be required and can be phased out as appropriate.


In order to reduce unnecessary reliance on personal information, especially SSNs, consider phasing out the use of personal information, especially SSNs, for administrative purposes and internal identification; explore the feasibility of replacing the SSN with a unique identification number; and if you determine that you do not need an SSN from clients, customers, vendors, or the general public with which you do business or interact, change your forms so that the SSN is not being requested.

LOCK IT

Protect the information that you keep. This includes physical and electronic security, and employee training regarding the handling of the information.

Physical and Electronic Security

• Know where sensitive customer information is stored and store it securely. Make sure only authorized employees have access. For example:
  o Ensure that storage areas are protected against destruction or damage from physical hazards, like fire or floods.
  o Store records in a room or cabinet that is locked when unattended.
• When customer information is stored on a server or other computer, ensure that the computer is accessible only with a strong password and is kept in a physically secure area.
• Change default passwords on all software.
• Where possible, avoid storing sensitive customer data on a computer with an Internet connection.
• Implement strong access controls. For example:
  o Limit access to customer information to employees who have a business reason to see it. For example, give employees who respond to customer inquiries access to customer files, but only to the extent they need it to do their jobs.
  o Control access to sensitive information by requiring employees to use “strong” passwords that must be changed on a regular basis. Strong passwords are a minimum of eight characters in length, and contain numeric characters, symbols, and a mixture of upper- and lower-case alphabetic characters. An employee’s username and password should never be the same.
• Develop policies for employees who telecommute or travel often.
  o Consider whether or how employees should be allowed to keep or access customer data at home.
  o Require employees who use personal computers to store or access customer data to use protections against viruses, spyware, and other unauthorized intrusions.
  o Allow remote access only with two-factor authentication where one of the factors is provided by a device separate from the computer gaining access.
• Maintain secure backup records and keep archived data secure by storing it off-line and in a physically secure area.
• Maintain a careful inventory of your company’s computers and any other equipment on which customer information may be stored.
• Encrypt, using National Institute of Standards and Technology (NIST) certified cryptographic modules, all data on mobile computers/devices carrying sensitive data and all data that is transmitted via public networks.
• Use a “time-out” function for all internal computers that house sensitive information, remote access, and mobile devices. Time-out functions require users to re-authenticate after periods of inactivity.
• Log all computer-readable data extracts from databases holding sensitive information and verify each extract. Logs should be reviewed and inappropriate data extracts should be further investigated.
• Ensure all individuals with authorized access to personally identifiable information and their supervisors sign a document clearly describing their responsibilities.
• Maintain current updates to all software.
• Maintain strong firewalls, anti-virus, and anti-spyware protections.
• Do not allow employees to download and utilize peer-to-peer (P2P) software.
• Develop policies for appropriate use and protection of laptops, PDAs, cell phones, or other mobile devices.
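The authentication controls that the WISP section and the Illinois list above both call for (block a user ID after multiple unsuccessful log-in attempts, require re-log-in after a few minutes of inactivity, change passwords periodically, and accept only "strong" passwords: at least eight characters with digits, symbols and mixed case, never equal to the username) can be written down as a small set of checks so that they are tested rather than merely stated. The Python below is an added example written for this page; it is not code from the seminar materials, the Massachusetts OCABR or the Illinois Attorney General. The numeric thresholds (5 attempts, 10 minutes, 90 days), the account and service classes, and the demo credentials are assumptions, since the guidance says only "multiple", "a few minutes" and "periodically".

```python
"""Authentication controls drawn from the WISP and Illinois guidance:
failed-attempt lockout, inactivity re-login, periodic password change and
strong-password rules.  Added example for this page; the thresholds and the
demo accounts are assumptions, not values taken from the guidance."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Assumed thresholds: the guidance says only "multiple" attempts,
# "a few minutes" of inactivity and "periodically" for password changes.
MAX_FAILED_ATTEMPTS = 5
INACTIVITY_TIMEOUT = timedelta(minutes=10)
MAX_PASSWORD_AGE = timedelta(days=90)


def password_policy_violations(username: str, password: str) -> List[str]:
    """Return the names of the Illinois strong-password rules a candidate
    password fails; an empty list means the password is acceptable."""
    rules = {
        "min_length_8": len(password) >= 8,
        "has_digit": any(c.isdigit() for c in password),
        "has_symbol": any(not c.isalnum() for c in password),
        "has_upper": any(c.isupper() for c in password),
        "has_lower": any(c.islower() for c in password),
        # "An employee's username and password should never be the same."
        "differs_from_username": password.lower() != username.lower(),
    }
    return [name for name, ok in rules.items() if not ok]


@dataclass
class Account:
    username: str
    password_set_at: datetime
    failed_attempts: int = 0
    locked: bool = False
    last_activity: Optional[datetime] = None  # None = no live session


@dataclass
class AuthService:
    # Demo only: a real system stores salted password hashes, not the
    # passwords themselves (assumption, out of scope for this example).
    credentials: Dict[str, str]
    accounts: Dict[str, Account] = field(default_factory=dict)

    def login(self, username: str, password: str, now: datetime) -> str:
        acct = self.accounts[username]
        if acct.locked:
            return "locked"
        if self.credentials.get(username) != password:
            acct.failed_attempts += 1
            # WISP: block the user ID after multiple unsuccessful attempts.
            if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
                acct.locked = True
                return "locked"
            return "denied"
        acct.failed_attempts = 0
        # WISP: user IDs and passwords must be changed periodically.
        if now - acct.password_set_at > MAX_PASSWORD_AGE:
            return "password_expired"
        acct.last_activity = now
        return "ok"

    def touch(self, username: str, now: datetime) -> str:
        """Call on every request; enforces re-log-in after inactivity."""
        acct = self.accounts[username]
        if acct.last_activity is None:
            return "login_required"
        if now - acct.last_activity > INACTIVITY_TIMEOUT:
            acct.last_activity = None  # session dropped; user must log in again
            return "login_required"
        acct.last_activity = now
        return "ok"


if __name__ == "__main__":
    t0 = datetime(2018, 4, 3, 9, 0)  # constructed timestamp
    svc = AuthService(
        credentials={"jdoe": "Tr0ub4dor&3"},
        accounts={"jdoe": Account("jdoe", password_set_at=t0 - timedelta(days=10))},
    )
    print(password_policy_violations("jdoe", "jdoe"))
    for _ in range(MAX_FAILED_ATTEMPTS):
        print(svc.login("jdoe", "wrong", t0))
    print(svc.login("jdoe", "Tr0ub4dor&3", t0))  # still locked: needs admin reset
```

Two design points worth noting: the lockout is sticky (a correct password after the fifth failure still returns "locked"), which is what the WISP's "must be blocked" implies and means an administrator, in this document's terms the Data Security Coordinator, has to reinstate the account; and the inactivity check is enforced on every request rather than only at log-in, which is what a "time-out" function actually has to do.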


Security for Transmission of Payment Information

The Payment Card Industry (PCI) standards require businesses to maintain secure networks and dictate the proper storage and destruction of transmittable payment information. By complying with the PCI Data Security Standards, merchants and service providers not only meet their obligations to the payment system, but also build a culture of security that benefits everyone. The PCI Data Security Standards consist of twelve basic requirements categorized as follows:

Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect data
2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need to know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes

Maintain an Information Security Policy
12. Maintain a policy that addresses information security for all personnel
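The Illinois list's instruction to log every computer-readable data extract, verify each one, and investigate inappropriate extracts, and PCI requirement 10 (track and monitor all access to cardholder data), both assume that someone actually reads the log with a definite notion of what "inappropriate" means. The Python below is an added example for this page, not code from the Illinois Attorney General, the PCI Council or the seminar author: it reviews constructed extract-log lines against a small written policy (row-count threshold, business hours, approved destinations, approved extractors) and reports which extracts need follow-up. The log format, the thresholds, the approved lists and the sample lines are all assumptions.

```python
"""Review of database-extract log lines, per the Illinois guide's "log all
computer-readable data extracts ... and verify each extract" and PCI
requirement 10.  Added example for this page; the log format, thresholds,
approved lists and sample lines are constructed assumptions."""
from datetime import datetime
from typing import Dict, List

# Assumed review policy for this association (not from the guidance).
ROW_THRESHOLD = 1000                       # larger extracts need a second look
BUSINESS_HOURS = (7, 19)                   # 07:00-19:00 local, end exclusive
APPROVED_DESTINATIONS = ("/srv/reports/",)  # anything else (USB, home dirs) is flagged
APPROVED_EXTRACTORS = {"mgarcia", "rchen"}  # staff authorised to pull extracts

# Constructed sample log lines (hypothetical users, databases and paths).
SAMPLE_LOG = """\
2018-04-02T14:05:11|user=mgarcia|db=residents|rows=120|dest=/srv/reports/dues_apr.csv
2018-04-02T23:41:07|user=mgarcia|db=residents|rows=4800|dest=/media/usb0/all_owners.csv
2018-04-03T09:12:30|user=tjones|db=residents|rows=35|dest=/srv/reports/ballot.csv
2018-04-03T10:02:44|user=rchen|db=payments|rows=2500|dest=/srv/reports/ach_batch.csv
"""


def parse_line(line: str) -> dict:
    """Parse 'timestamp|key=value|...' into a record with typed fields."""
    ts, *fields = line.strip().split("|")
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    rec["rows"] = int(rec["rows"])
    return rec


def review_extract(rec: dict) -> List[str]:
    """Return the review findings for one extract; an empty list means the
    extract verified clean against the policy above."""
    findings = []
    if rec["user"] not in APPROVED_EXTRACTORS:
        findings.append("unapproved_user")
    if rec["rows"] > ROW_THRESHOLD:
        findings.append("bulk_extract")
    if not BUSINESS_HOURS[0] <= rec["ts"].hour < BUSINESS_HOURS[1]:
        findings.append("outside_business_hours")
    if not rec["dest"].startswith(APPROVED_DESTINATIONS):
        findings.append("unapproved_destination")
    return findings


def review_log(text: str) -> Dict[str, List[str]]:
    """Map each extract (keyed by its timestamp) to its findings."""
    results = {}
    for line in text.splitlines():
        if line.strip():
            rec = parse_line(line)
            results[rec["ts"].isoformat()] = review_extract(rec)
    return results


if __name__ == "__main__":
    for ts, findings in review_log(SAMPLE_LOG).items():
        print(ts, "OK" if not findings else ", ".join(findings))
```

On the constructed sample, the late-night 4,800-row pull to removable media collects three findings and is the one to investigate first; the 2,500-row payments extract by an approved user to an approved location is still flagged as bulk, because "verify each extract" means a human confirms a large pull was expected, not that approved users are exempt.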

Employee Training

Employees with access to sensitive personal information must be trusted to maintain that information without taking advantage of their position. By some accounts, employee theft is a major cause of security breaches and subsequent identity theft. It is important to take the following steps to keep information out of the hands of rogue employees who steal or sell information:

• Check references or order background checks before hiring employees who will have access to customer information.
• Ask every new employee to sign an agreement to follow your company’s confidentiality and security standards for handling customer information.
• Train employees to take basic steps to maintain the security, confidentiality, and integrity of customer information, including:
  o Lock rooms and file cabinets where records are kept;
  o Do not share or openly post employee passwords in work areas;
  o Protect laptops, PDAs, cell phones, and other mobile devices according to policy;
  o Refer calls or other requests for customer information to designated individuals who have been trained in how your company safeguards personal data; and
  o Report suspicious attempts to obtain customer information to designated personnel.
• Regularly remind all employees of your company’s policy—and the legal requirement—to keep customer information secure and confidential. For example, consider posting reminders about their responsibility for security in areas where customer information is stored, like file rooms.
• Impose disciplinary measures for security policy violations.
• Prevent terminated employees from accessing customer information by immediately deactivating their passwords and user names and taking other appropriate measures.

PITCH IT

Dispose of customer information in a secure way. For example:

• Consider designating or hiring a records retention manager to supervise the disposal of records containing customer information. If you hire an outside disposal company, conduct due diligence beforehand by checking references or requiring that the company be certified by a recognized industry group.
• Burn, pulverize, or shred papers containing customer information so that the information cannot be read or reconstructed.
• Destroy or erase data when disposing of computers, disks, CDs, magnetic tapes, hard drives, laptops, PDAs, cell phones, or any other electronic media or hardware containing customer information.

Proper Disposal

As of January 1, 2012, the Illinois Personal Information Protection Act requires the proper disposal of materials containing personal information. Proper disposal of material that contains personal information is a necessary step in protecting individuals against identity theft and financial fraud. Incidents of identity theft occur when “dumpster divers” find troves of valuable personal information in publicly available garbage bins. In addition, personal information left on computers and other electronic media can be accessed and misused with relative ease.

• A person must dispose of the materials containing personal information in a manner that renders the personal information unreadable, unusable, and undecipherable. Proper disposal methods include, but are not limited to, the following:
  o Paper documents containing personal information may be either redacted, burned, pulverized, or shredded so that personal information cannot practicably be read or reconstructed.
  o Electronic media and other non-paper media containing personal information may be destroyed or erased so that personal information cannot practicably be read or reconstructed.
• “Person” means: a natural person; a corporation, partnership, association, or other legal entity; a unit of local government or any agency, department, division, bureau, board, commission, or committee thereof; or the State of Illinois or any constitutional officer, agency, department, division, bureau, board, commission, or committee thereof.
• Any person disposing of materials containing personal information may contract with a third party to dispose of such materials in accordance with this Section. Any third party that contracts with a person to dispose of materials containing personal information must implement and monitor compliance with policies and procedures that prohibit unauthorized access to, acquisition of, or use of personal information during the collection, transportation, and disposal of materials containing personal information.


Information Security and Security Breach Notification Guidance | 5

PREPARING FOR SECURITY BREACHES

Even entities that take all appropriate precautions against security breaches may find themselves in the unenviable position of learning that sensitive personal information has been lost, stolen, or otherwise accessed inappropriately. A company or agency should not be caught off guard when a breach is discovered. In order to ensure compliance with breach notification laws, and to provide all affected individuals an opportunity to protect against identity theft, it is important that all entities establish a plan for responding to breaches. For that reason, the Federal Trade Commission (FTC) identifies “plan ahead” as the fifth key principle for a strong data security plan. Planning ahead can be part of a larger information security program.

INFORMATION SECURITY PROGRAMS
Federal law imposes data storage and destruction requirements on financial institutions and creditors who access consumer credit reports. As part of its implementation of the Gramm-Leach-Bliley (GLB) Act and the Fair Credit Reporting Act (FCRA), the FTC issued the Safeguards Rule, which requires financial institutions and users of credit reports under FTC jurisdiction to have measures in place to keep customer information secure.

The Safeguards Rule requires entities to establish, maintain, and update individual Information Security Programs. The Safeguards Rule can be used as a model for all businesses and governmental agencies. In creating an Information Security Program, consideration should be paid to the following steps:
• Designate an employee or employees to coordinate the information security program.
• Identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assess the sufficiency of any safeguards in place to control these risks. At a minimum, such a risk assessment should include consideration of risks in each area of operations, including:
  o Employee training and management;
  o Information systems, including network and software design, as well as information processing, storage, transmission, and disposal; and
  o Detecting, preventing, and responding to attacks, intrusions, or other systems failures.
• Design and implement information safeguards to control the risks identified through risk assessment, and regularly test or otherwise monitor the effectiveness of the safeguards’ key controls, systems, and procedures.
• Oversee service providers, by:
  o Taking reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for the customer information at issue; and
  o Requiring service providers by contract to implement and maintain such safeguards.
• Evaluate and adjust the information security program in light of the results of testing and monitoring; any material changes to business operations or business arrangements; or any other circumstances that may have a material impact on the information security program.


6 | Illinois Personal Information Protection Act

• PLAN AHEAD. Create a plan to respond to security incidents. The Government Accountability Office recommends that government agencies develop a plan to respond to security breaches. Private entities should establish plans in line with these same recommendations:
  o Develop a uniform response policy and standard operating procedures for data breach response capabilities.
  o Identify a core response group that can be convened in the event of a breach to evaluate the situation and help guide further response.
    ▪ Train employees to notify the appropriate personnel in the event of lost or compromised data. If a problem has been detected, it must be reported to the appropriate member of the response group so that a response can be implemented.
  o Conduct risk analyses to determine when to offer credit monitoring and when to contract for an alternative form of monitoring.
    ▪ Credit monitoring may not be appropriate in all breach situations. Many consumers have come to expect some offer of free credit monitoring, though. Before a breach occurs, talk to private companies that offer credit monitoring to discuss your options.
  o Implement an announcement strategy in preparing for inquiries about the incident by considering a call center staffed with individuals prepared to answer the most frequently asked questions.
    ▪ A call center may be appropriate where large amounts of data are compromised and notification is sent nationwide. Many businesses and agencies do not have the capability to respond to thousands of inquiries.
  o Require service providers and business partners who handle personal information for the agency to follow the agency’s security policies and procedures.



RESPONDING TO SECURITY BREACHES

Businesses and government agencies learn of security breaches in a variety of ways. For example, an employee may notify his supervisor that a laptop containing sensitive customer data was lost or stolen. Information technology, properly monitoring its intrusion detection systems, may learn that an unauthorized individual has accessed the computer network. The business or agency may learn that a rogue employee has been selling data to identity thieves. There are many different ways that sensitive personal information belonging to employees, clients, customers, or consumers can be compromised. Regardless of the type of breach, the following steps should be taken upon discovery of a breach.

1. Implement the appropriate incident response plan.
   a. Notify the appropriate internal response team of the nature of the breach.
      ***Note: It is important that every employee understands what security incidents need to be reported, and to whom they should be reported. A response plan cannot be implemented without the proper individuals first having sufficient knowledge of a problem.
   b. Assess what happened and follow your pre-set plan.
      ***Note: Following the pre-set plan may include setting up a call center and establishing credit monitoring service for affected individuals. It may also include notifying the three major credit reporting agencies of the breach.
2. Secure the data immediately.
   a. Contact your information technology department and determine how to secure the data so that the minimum amount of data is compromised.
   b. Take all appropriate measures to secure the data.
3. Involve law enforcement immediately.
   a. Once the data is secure and isolated, if necessary, contact your local police, the FBI, or the U.S. Secret Service.
      ***Note: It might be prudent to notify law enforcement first, if an intruder has hacked into your computer network and you suspect that the intruder is still present in the system. Although you do not want additional information to be compromised, you also want to give law enforcement an opportunity to learn more about the thief while he is actively stealing data.
   b. Cooperate in any law enforcement investigation.
4. Consider hiring an outside forensic analyst to determine the extent of the breach and the individuals affected.
5. If you are handling the data for another entity, immediately contact that entity and any other entities from which you may have obtained the data.
   a. The Illinois law requires the entity that owns or licenses the data to notify affected individuals. The entity that maintains the data must report any breach to the owner/licenser of the data, which in turn will notify affected individuals.
6. Notify consumers about the breach without unreasonable delay.
   a. Notification can be delayed upon request by law enforcement.
7. Consider notifying the Illinois Attorney General’s Identity Theft Hotline.
   a. Although notification to the Office of the Attorney General is not required, it may help affected individuals to know that they can turn to the Identity Theft Hotline for assistance. Notifying the Attorney General’s Office before giving out the Identity Theft Hotline number will help us better prepare for the influx of calls.



ILLINOIS LAW REQUIRING NOTIFICATION IN THE EVENT OF A SECURITY BREACH

Personal Information Protection Act, 815 ILCS 530/

Security Breach
“Breach of the security of the system data” means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the data collector. “Breach of the security of the system data” does not include good faith acquisition of personal information by an employee or agent of the data collector for a legitimate purpose of the data collector, provided that the personal information is not used for a purpose unrelated to the data collector’s business or subject to further unauthorized disclosure.

Type of Information
“Personal information” means an individual’s first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted:
1. Social Security number.
2. Driver’s license number or State identification card number.
3. Account number or credit or debit card number, or an account number or credit card number in combination with any required security code, access code, or password that would permit access to an individual’s financial account.
“Personal information” does not include publicly available information that is lawfully made available to the general public from federal, State, or local government records.

***Note: If the breach involves the unauthorized acquisition of protected health information, notification may be required under the federal Health Insurance Portability and Accountability Act (HIPAA).

Whom to Notify
Any Illinois resident whose personal information has been breached. Any data collector that owns or licenses personal information concerning an Illinois resident shall notify the resident at no charge that there has been a breach of the security of the system data following discovery or notification of the breach.

*** Note: State agencies that collect personal information concerning an Illinois resident must notify the resident where there has been a breach of written material in addition to computerized data. There is a distinction here between data collectors and State agencies.

Any State agency that collects personal data and has had a breach of security of the system data or written material shall submit a report within 5 business days of the discovery or notification of the breach to the General Assembly listing the breaches and outlining any corrective measures that have been taken to prevent future breaches of the security of the system data or written material. Any State agency that has submitted a report under this Section shall submit an annual report listing all breaches of security of the system data or written materials and the corrective measures that have been taken to prevent future breaches.

When to Notify
The disclosure notification shall be made in the most expedient time possible and without unreasonable delay, consistent with any measures necessary to determine the scope of the breach and restore the reasonable integrity, security, and confidentiality of the data system.



The notification may be delayed if an appropriate law enforcement agency determines that notification will interfere with a criminal investigation and provides the data collector with a written request for the delay. However, the data collector must notify the Illinois resident as soon as notification will no longer interfere with the investigation.

How to Notify
Notice to consumers may be provided by one of the following methods:
1. Written notice;
2. Electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures for notices legally required to be in writing as set forth in Section 7001 of Title 15 of the United States Code; or
3. Substitute notice, if the data collector demonstrates that the cost of providing notice would exceed $250,000 or that the affected class of subject persons to be notified exceeds 500,000, or the data collector does not have sufficient contact information. Substitute notice shall consist of all of the following: (i) e-mail notice if the data collector has an e-mail address for the subject persons; (ii) conspicuous posting of the notice on the data collector’s Web site if the data collector maintains one; and (iii) notification to major statewide media.
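The “Type of Information” and “How to Notify” sections above are, in practice, the two decision rules a responder applies first when scoping a breach: which exposed rows count as “personal information” of an Illinois resident, and whether substitute notice is even on the table. The Python below is an added worked example, not part of the Attorney General’s guidance or the statute; the record layout, the `protected` annotation marking which fields were stored encrypted or redacted, and the sample export are all constructed for illustration. It applies the quoted definition literally, which is the conservative reading for a notifier: a record falls outside the definition only when the name and every listed data element present are encrypted or redacted.

```python
"""Breach-scoping helper built from the statutory definitions quoted above
(815 ILCS 530/).  Added illustration, not part of the Attorney General's
guidance; the record layout, the `protected` annotation and the sample
export are constructed assumptions."""

from dataclasses import dataclass, field

# Data elements named in the statute.  A name plus any one of these is
# "personal information" unless both sides are encrypted or redacted.
DATA_ELEMENTS = ("ssn", "drivers_license", "state_id",
                 "account_number", "card_number")


@dataclass
class Record:
    """One row of a breached export (constructed layout).  `protected` lists
    the fields stored encrypted or redacted; "name" covers both name parts."""
    first: str          # first name or first initial
    last: str
    state: str          # two-letter residence code, e.g. "IL"
    fields: dict = field(default_factory=dict)
    protected: set = field(default_factory=set)


def is_personal_information(rec: Record) -> bool:
    """Apply the quoted definition literally: a name (first name or initial
    plus last name) combined with at least one listed data element, where
    either the name or a data element is readable.  Only when the name and
    every present element are encrypted or redacted is the record outside
    the definition."""
    if not (rec.first and rec.last):
        return False
    present = [e for e in DATA_ELEMENTS if rec.fields.get(e)]
    if not present:
        return False
    name_readable = "name" not in rec.protected
    element_readable = any(e not in rec.protected for e in present)
    return name_readable or element_readable


def illinois_residents_to_notify(records):
    """Records that trigger individual notice: personal information of an
    Illinois resident."""
    return [r for r in records
            if r.state == "IL" and is_personal_information(r)]


def substitute_notice_allowed(estimated_cost, affected_count, has_contact_info):
    """The three conditions under which the guidance allows substitute notice."""
    return (estimated_cost > 250_000
            or affected_count > 500_000
            or not has_contact_info)


def substitute_notice_components(has_email, has_website):
    """Every component of a substitute notice: e-mail and Web posting apply
    only when the collector has those channels; media notice always applies."""
    parts = []
    if has_email:
        parts.append("e-mail notice")
    if has_website:
        parts.append("conspicuous posting on the data collector's Web site")
    parts.append("notification to major statewide media")
    return parts


# Constructed sample export; values are placeholders, not real data.
SAMPLE_EXPORT = [
    Record("Ann", "Doe", "IL", {"ssn": "xxx-xx-xxxx"}),                          # readable name + SSN
    Record("B", "Roe", "IL", {"card_number": "ENCRYPTED"}, protected={"card_number"}),  # name readable
    Record("Cy", "Poe", "IL", {"ssn": "xxx-xx-xxxx"}, protected={"name"}),       # SSN readable
    Record("Di", "Loe", "PA", {"ssn": "xxx-xx-xxxx"}),                           # not an Illinois resident
    Record("", "Moe", "IL", {"drivers_license": "D123"}),                        # no first name or initial
    Record("Ed", "Joe", "IL", {"email": "ed@example.invalid"}),                  # no listed data element
    Record("Fay", "Koe", "IL", {"ssn": "ENCRYPTED"}, protected={"name", "ssn"}),  # both sides protected
]

if __name__ == "__main__":
    hits = illinois_residents_to_notify(SAMPLE_EXPORT)
    print(f"{len(hits)} Illinois resident(s) require notice:",
          [f"{r.first} {r.last}" for r in hits])
    print("substitute notice allowed for this breach:",
          substitute_notice_allowed(estimated_cost=5_000,
                                    affected_count=len(hits),
                                    has_contact_info=True))
```

Run against the constructed export, three of the seven rows require notice: the row whose card number was encrypted still counts because the name is readable, and the row whose name was redacted still counts because the SSN is readable. Substitute notice is not available for a breach this small unless contact information is missing; a real determination also needs the HIPAA check noted above and a decision on state-agency reporting.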

Other Legal Requirements
Any State agency that collects personal data and has had a breach of security of the system data or written material shall submit a report within 5 business days of the discovery or notification of the breach to the General Assembly listing the breaches and outlining any corrective measures that have been taken to prevent future breaches of the security of the system data or written material. Any State agency that has submitted a report under this Section shall submit an annual report listing all breaches of security of the system data or written materials and the corrective measures that have been taken to prevent future breaches.

Any Illinois State agency that collects personal data that is no longer needed or stored at the agency shall dispose of the personal data or written material it has collected in such a manner as to ensure the security and confidentiality of the material.

A data collector that does not own or license the data shall provide such notification of the breach to the owner or licensee. In addition, the data collector shall cooperate with the owner or licensee in matters relating to the breach. That cooperation shall include, but need not be limited to, (i) informing the owner or licensee of the breach, including giving notice of the date or approximate date of the breach and the nature of the breach, and (ii) informing the owner or licensee of any steps the data collector has taken or plans to take relating to the breach.

Practical Considerations for Notification of the Breach
• What does the law require the letter to include? The disclosure notification to an Illinois resident shall include, but need not be limited to:
  o The toll-free numbers and addresses for consumer reporting agencies:
    ✓ Equifax: 1-800-525-6285; www.equifax.com; P.O. Box 740241, Atlanta, GA 30374-0241
    ✓ Experian: 1-888-EXPERIAN (397-3742); www.experian.com; P.O. Box 9532, Allen, TX 75013
    ✓ TransUnion: 1-800-680-7289; www.transunion.com; Fraud Victim Assistance Division, P.O. Box 6790, Fullerton, CA 92834-6790
  o The toll-free number, address, and Web site address for the Federal Trade Commission.
  o A statement that the individual can obtain information from these sources about fraud alerts and security freezes.



• What other information could be helpful to include in the letter? Entities sending notification letters should also consider including the following information:
  o What happened;
  o What information was believed to be accessed;
  o Whether law enforcement has been notified and the status of any criminal investigation, including whether any arrests have been made;
  o How consumers can protect themselves against identity theft;
  o What consumers should look for to determine if they have become victims, including:
    ▪ Receiving credit cards you did not apply for;
    ▪ Being denied credit, or offered credit at less favorable terms for no apparent reason;
    ▪ Receiving calls or letters from debt collectors or businesses about merchandise or services you did not buy;
    ▪ Missing bills and other pieces of mail.
  o What steps consumers should take if they become victims of identity theft, including:
    ▪ Contact the Attorney General’s Identity Theft Hotline at 1-866-999-5630 for further advice on protecting yourself from identity theft.
    ▪ Check with your creditors. Work with your credit card companies, banks, and other lenders to determine if any suspicious or unauthorized activity has occurred on your accounts.
    ▪ Cancel credit cards whose numbers may have been compromised.
    ▪ Place an initial fraud alert on your credit report. Order your free copy of your credit report and review it for problems.
      ✓ Contact any of the three consumer reporting companies to place a fraud alert on your credit report. You only need to contact one of the three companies because that company is required to contact the other two.
      ✓ Once you place a fraud alert on your file, you are entitled to a free copy of your credit report. The credit reporting agencies will send you a letter telling you how to order your free report. When you receive your credit reports, review them carefully and look for any suspicious activity.
    ▪ Remain alert. This is always a good idea, but especially in the first year following a security breach notification. Take advantage of your right to one free copy of your credit report from each of the three consumer reporting companies per year. Request a report from one of the reporting companies every four months and carefully review this report for suspicious activity. To obtain the free reports, consumers can call 1-877-322-8228 or order online at www.annualcreditreport.com.
  o How consumers can get further information; and
  o How consumers can sign up for credit monitoring (if you are offering it).
• Do we need to set up a call center?
  o This may depend on the number of breach notification letters that are going out. If your regular customer service line can handle the influx of calls, you may not need a separate call center.
• Should we stagger breach notification letters?
  o If you have a lot of letters to send out and are worried about call volume, you should consider staggering the mailing of notification letters.
• How can we ensure accurate information is reaching affected consumers?
  o Employee training is essential. Fact sheets can be utilized to provide quick, easy information to all employees. Anticipate where calls might come in and make sure that those employees are briefed.
• Should we offer credit monitoring?
  o Offering credit monitoring to consumers is not required under the Personal Information Protection Act. Nonetheless, many entities that suffer breaches offer 12 or 24 months of free credit monitoring to affected consumers.



  o Credit monitoring services may be inappropriate where credit or debit account information was accessed. In those cases, the thieves may make unauthorized charges on existing accounts, but they probably do not have the requisite information to open new lines of credit. Credit monitoring will not prevent the thief from spending to the limit on cards that already exist.
• Do we need to notify anyone else?
  o Unless you are a state agency, the law does not require that you notify anyone other than the affected Illinois residents.
  o The Illinois Attorney General’s Office provides an Identity Theft Hotline to assist consumers. If you want to include the Hotline number on your breach notification letter, you should contact our office so that we can be prepared for the calls.
• How can we prevent this from happening in the future?
  o The first step is to determine how it happened. Each situation requires a different response. For example:
    ▪ If you had a rogue employee access the data without permission, address whether that employee should have had access to personal information in the first place, and whether increased or different training would have helped to protect the information.
    ▪ If an honest employee misplaced a laptop, thumb drive, or list of personnel files, address whether it was proper for that employee to be permitted to take that information out of the office. Consider increased security on laptops and other portable devices to better protect the information.
    ▪ If a hacker found his way into your network system, address whether IT security is up to date. Assess the storage, maintenance, and destruction of personal information and make a determination about whether information is being mishandled at any point in the process.

i Protecting Personal Information: A Guide for Business, Federal Trade Commission (March 2007).
ii Safeguarding Against and Responding to the Breach of Personally Identifiable Information, Office of Management and Budget, Memorandum for the Heads of Executive Departments and Agencies M-07-16 (May 22, 2007). These requirements are derived from existing federal security policy and National Institute of Standards and Technology (NIST) guidance.
iii See NIST’s Web site at http://csrc.nist.gov/cryptval/ for a discussion of the certified encryption products.
iv Adapted from Lessons Learned about Data Breach Notification, Report to Congressional Requestors, GAO-07-657 Privacy (April 2007).


Page 1 of 15

Best Practices for Victim Response and Reporting of Cyber Incidents
Version 1.0 (April 2015)

Cybersecurity Unit
Computer Crime & Intellectual Property Section, Criminal Division
U.S. Department of Justice
1301 New York Avenue, N.W., 6th Floor, Washington, D.C. 20530 - [email protected] - (202)514-1026

Any Internet-connected organization can fall prey to a disruptive network intrusion or costly cyber attack. A quick, effective response to cyber incidents can prove critical to minimizing the resulting harm and expediting recovery. The best time to plan such a response is now, before an incident occurs.

This “best practices” document was drafted by the Cybersecurity Unit to assist organizations in preparing a cyber incident response plan and, more generally, in preparing to respond to a cyber incident. It reflects lessons learned by federal prosecutors while handling cyber investigations and prosecutions, including information about how cyber criminals’ tactics and tradecraft can thwart recovery. It also incorporates input from private sector companies that have managed cyber incidents. It was drafted with smaller, less well-resourced organizations in mind; however, even larger organizations with more experience in handling cyber incidents may benefit from it.

I. Steps to Take Before a Cyber Intrusion or Attack Occurs

Having well-established plans and procedures in place for managing and responding to a cyber intrusion or attack is a critical first step toward preparing an organization to weather a cyber incident. Such pre-planning can help victim organizations limit damage to their computer networks, minimize work stoppages, and maximize the ability of law enforcement to locate and apprehend perpetrators. Organizations should take the precautions outlined below before learning of a cyber incident affecting their networks.

A. Identify Your “Crown Jewels”

Different organizations have different mission critical needs. For some organizations, even a short-term disruption in their ability to send or receive email will have a devastating impact on their operations; others are able to rely on other means of communication to transact business, but they may suffer significant harm if certain intellectual property is stolen. For others still, the ability to guarantee the integrity and security of the data they store and process, such as customer information, is vital to their continued operation.

The expense and resources required to protect a whole enterprise may force an organization to prioritize its efforts and may shape its incident response planning. Before formulating a cyber incident response plan, an organization should first determine which of their data, assets, and services warrants the most protection. Ensuring that protection of an organization’s “crown jewels” is appropriately prioritized is an important first step to preventing a cyber intrusion or attack from causing catastrophic harm. The Cybersecurity Framework produced by the National Institute of Standards and Technology (NIST) provides excellent guidance on risk management planning and policies and merits consideration.1

B. Have an Actionable Plan in Place Before an Intrusion Occurs

Organizations should have a plan in place for handling computer intrusions before an intrusion occurs. During an intrusion, an organization’s management and personnel should be focused on containing the intrusion, mitigating the harm, and collecting and preserving vital information that will help them assess the nature and scope of the damage and the potential source of the threat. A cyber incident is not the time to be creating emergency procedures or considering for the first time how best to respond.

The plan should be “actionable.” It should provide specific, concrete procedures to follow in the event of a cyber incident. At a minimum, the procedures should address:
• Who has lead responsibility for different elements of an organization’s cyber incident response, from decisions about public communications, to information technology access, to implementation of security measures, to resolving legal questions;
• How to contact critical personnel at any time, day or night;
• How to proceed if critical personnel is unreachable and who will serve as back-up;
• What mission critical data, networks, or services should be prioritized for the greatest protection;
• How to preserve data related to the intrusion in a forensically sound manner;
• What criteria will be used to ascertain whether data owners, customers, or partner companies should be notified if their data or data affecting their networks is stolen; and
• Procedures for notifying law enforcement and/or computer incident-reporting organization.

1 The NIST Cybersecurity Framework is available at http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf.

All personnel who have computer security responsibilities should have access to and familiarity with the plan, particularly anyone who will play a role in making technical, operational, or managerial decisions during an incident. It is important for an organization to institute rules that will ensure its personnel have and maintain familiarity with its incident response plan. For instance, the procedures for responding to a cyber incident under an incident response plan can be integrated into regular personnel training. The plan may also be ingrained through regularly conducted exercises to ensure that it is up-to-date. Such exercises should be designed to verify that necessary lines of communication exist, that decision-making roles and responsibilities are well understood, and that any technology that may be needed during an actual incident is available and likely to be effective. Deficiencies and gaps identified during an exercise should be noted for speedy resolution.

Incident response plans may differ depending upon an organization’s size, structure, and nature of its business. Similarly, decision-making under a particular incident response plan may differ depending upon the nature of a cyber incident. In any event, institutionalized familiarity with the organization’s framework for addressing a cyber incident will expedite response time and save critical minutes during an incident.

C. Have Appropriate Technology and Services in Place Before An Intrusion Occurs

Organizations should already have in place or have ready access to the technology and services that they will need to respond to a cyber incident. Such equipment may include off-site data back-up, intrusion detection capabilities, data loss prevention technologies, and devices for traffic filtering or scrubbing. An organization’s computer servers should also be configured to conduct the logging necessary to identify a network security incident and to perform routine back-ups of important information. The requisite technology should already be installed, tested, and ready to deploy. Any required supporting services should either be acquired beforehand or be identified and ready for acquisition.
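Section C says servers must already be “configured to conduct the logging necessary to identify a network security incident,” but does not say what that logging has to capture. The Python below is an added illustration, not from the DOJ document, of the minimum a log line needs (a timestamp, the host, the outcome, the account and the source address) and of the kind of review that turns such logs into a detected incident: a login that succeeds only after a burst of failures from the same source. The log lines are constructed in the OpenSSH/syslog style of a typical `/var/log/auth.log`; the failure threshold and the time window are assumptions a site would tune.

```python
"""Log-triage example for the point above: servers must log enough to
identify a network security incident.  Added illustration, not from the
DOJ document; the log lines are constructed and the thresholds are
assumptions."""

import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of auth.log-style sshd lines (hosts and addresses are
# documentation values, not real systems).
SAMPLE_LOG = """\
Mar 14 02:11:01 hoa-fileserver sshd[2210]: Failed password for invalid user admin from 198.51.100.23 port 51022 ssh2
Mar 14 02:11:03 hoa-fileserver sshd[2210]: Failed password for invalid user admin from 198.51.100.23 port 51024 ssh2
Mar 14 02:11:04 hoa-fileserver sshd[2211]: Failed password for root from 198.51.100.23 port 51030 ssh2
Mar 14 02:11:06 hoa-fileserver sshd[2212]: Failed password for root from 198.51.100.23 port 51031 ssh2
Mar 14 02:11:09 hoa-fileserver sshd[2213]: Failed password for root from 198.51.100.23 port 51040 ssh2
Mar 14 02:11:12 hoa-fileserver sshd[2214]: Accepted password for root from 198.51.100.23 port 51044 ssh2
Mar 14 08:30:15 hoa-fileserver sshd[3410]: Failed password for jsmith from 192.0.2.8 port 60112 ssh2
Mar 14 08:30:40 hoa-fileserver sshd[3412]: Accepted publickey for jsmith from 192.0.2.8 port 60115 ssh2
"""

# The five fields an incident reviewer needs from every authentication
# event; a line missing any of them cannot be tied to a source or a time.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \S+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse(log_text, year=2018):
    """Parse sshd lines into event dicts.  Syslog omits the year, so one is
    assumed; lines that are not authentication events are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "host": m["host"], "result": m["result"],
                       "user": m["user"], "ip": m["ip"]})
    return events


def find_suspicious_logins(events, max_failures=4, window_seconds=300):
    """Flag an accepted login preceded by more than `max_failures` failed
    attempts from the same source address within `window_seconds`: the
    password-guessing pattern a log review is meant to surface."""
    failures = defaultdict(list)   # source ip -> timestamps of recent failures
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        # Drop failures that fell out of the window before this event.
        recent = [t for t in failures[ev["ip"]]
                  if (ev["ts"] - t).total_seconds() <= window_seconds]
        failures[ev["ip"]] = recent
        if ev["result"] == "Failed":
            recent.append(ev["ts"])
        elif len(recent) > max_failures:
            findings.append({"host": ev["host"], "ip": ev["ip"],
                             "user": ev["user"], "failures_before": len(recent),
                             "ts": ev["ts"].isoformat()})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_logins(parse(SAMPLE_LOG)):
        print(f"{f['ts']} {f['host']}: {f['user']} accepted from {f['ip']} "
              f"after {f['failures_before']} failures")
```

On the constructed sample the review flags one event: the `root` login from 198.51.100.23 accepted after five failures in eleven seconds, while the single typo-then-key login by `jsmith` is left alone. Two details matter for the section’s point: the timestamp lets the reviewer order events from several hosts, and the source address is what law enforcement will ask for, so logs that drop either field are not “the logging necessary to identify a network security incident.”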

D. Have Appropriate Authorization in Place to Permit Network Monitoring

Real-time monitoring of an organization’s own network is typically lawful if prior consent for such monitoring is obtained from network users. For this reason, before an incident takes place, an organization should adopt the mechanisms necessary for obtaining user consent to monitoring users’ communications so it can detect and respond to a cyber incident. One means of accomplishing this is through network warnings or “banners” that greet users who log onto a network and inform them of how the organization will collect, store, and use their communications. A banner can also be installed on the ports through which an intruder is likely to access the organization’s system.

Page 36: What Every Community Association Needs to Know About Data ... · in the Age of Hacking and Cyber Crime by, Matthew C. Collins, Esq. Stark & Stark ... business of the person obligated

Page 4 of 15

A banner, however, is not the only means of obtaining legally valid consent. Computer user agreements, workplace policies, and personnel training may also be used to obtain legally sufficient user consent to monitoring. Organizations should obtain written acknowledgement from their personnel of having signed such agreements or received such training. Doing so will provide an organization with ready proof that they have met legal requirements for conducting network monitoring.

Any means of obtaining legally sufficient consent should notify users that their use of the system constitutes consent to the interception of their communications and that the results of such monitoring may be disclosed to others, including law enforcement.2 If an organization is a government entity (e.g., a federal, state, or local agency or a state university) or a private entity acting as an instrument or agent of the government, its actions may implicate the Fourth Amendment. Consequently, any notice on the system of such an entity or organization should also inform users of their diminished expectation of privacy for communications on the network.

E. Ensure Your Legal Counsel is Familiar with Technology and Cyber Incident Management to Reduce Response Time During an Incident

Cyber incidents can raise unique legal questions. An organization faced with decisions about how it interacts with government agents, the types of preventative technologies it can lawfully use, its obligation to report the loss of customer information, and its potential liability for taking specific remedial measures (or failing to do so) will benefit from obtaining legal guidance from attorneys who are conversant with technology and knowledgeable about relevant laws (e.g., the Computer Fraud and Abuse Act (18 U.S.C. § 1030), electronic surveillance, and communications privacy laws). Legal counsel that is accustomed to addressing these types of issues that are often associated with cyber incidents will be better prepared to provide a victim organization with timely, accurate advice.

Many private organizations retain outside counsel who specialize in legal questions associated with data breaches while others find such cyber issues are common enough that they have their own cyber-savvy attorneys on staff in their General Counsel’s offices. Having ready access to advice from lawyers well acquainted with cyber incident response can speed an organization’s decision making and help ensure that a victim organization’s incident response activities remain on firm legal footing.

2 More guidance on banners, including a model banner, can be found in our manual on searching and seizing electronic evidence and in a 2009 legal opinion prepared by the Department of Justice’s Office of Legal Counsel. See Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations (3d ed. 2009), available at http://www.justice.gov/criminal/cybercrime/docs/ssmanual2009.pdf; and Stephen G. Bradbury, Legal Issues Relating to the Testing, Use, and Deployment of an Intrusion-Detection System to Protect Unclassified Computer Networks in the Executive Branch, 33 Op. Off. Legal Counsel 1 (2009), available at http://www.justice.gov/sites/default/files/olc/opinions/2009/01/31/e2-issues.pdf.


F. Ensure Organization Policies Align with Your Cyber Incident Response Plan

Some preventative and preparatory measures related to incident planning may need to be implemented outside the context of preparing a cyber incident response plan. For instance, an organization should review its personnel and human resource policies to ensure they will reasonably minimize the risk of cyber incidents, including from “insider threats.” Proper personnel and information technology (IT) policies may help prevent a cyber incident in the first place. For instance, a practice of promptly revoking the network credentials of terminated employees—particularly system administrators and information technology staff—may prevent a subsequent cyber incident from occurring. Furthermore, reasonable access controls on networks may reduce the risk of harmful computer misuse.

G. Engage with Law Enforcement Before an Incident

Organizations should attempt to establish a relationship with their local federal law enforcement offices long before they suffer a cyber incident. Having a point-of-contact and a pre-existing relationship with law enforcement will facilitate any subsequent interaction that may occur if an organization needs to enlist law enforcement’s assistance. It will also help establish the trusted relationship that cultivates bi-directional information sharing that is beneficial both to potential victim organizations and to law enforcement. The principal federal law enforcement agencies responsible for investigating criminal violations of the federal Computer Fraud and Abuse Act are the Federal Bureau of Investigation (FBI) and the U.S. Secret Service. Both agencies conduct regular outreach to private companies and other organizations likely to be targeted for intrusions and attacks. Such outreach occurs mostly through the FBI’s InfraGard chapters and Cyber Task Forces in each of the FBI’s 56 field offices, and through the U.S. Secret Service’s Electronic Crimes Task Forces.

H. Establish Relationships with Cyber Information Sharing Organizations

Defending a network at all times from every cyber threat is a daunting task. Access to information about new or commonly exploited vulnerabilities can help an organization prioritize its security measures. Information sharing organizations for every sector of the critical infrastructure exist to provide such information. Information Sharing and Analysis Centers (ISACs) have been created in each sector of the critical infrastructure and for key resources. They produce analysis of cyber threat information that is shared within the relevant sector, with other sectors, and with the government. Depending upon the sector, they may also provide other cybersecurity services. The government has also encouraged the creation of new information sharing entities called Information Sharing and Analysis Organizations (ISAOs) to accommodate organizations that do not fit within an established sector of the critical infrastructure or that have unique needs.3 ISAOs are intended to provide such organizations with the same benefits of obtaining cyber threat information and other supporting services that are provided by an ISAC.

II. Responding to a Computer Intrusion: Executing Your Incident Response Plan

An organization can fall victim to a cyber intrusion or attack even after taking reasonable precautions. Consequently, having a vetted, actionable cyber incident response plan is critical. A robust incident response plan does more than provide procedures for handling an incident; it also provides guidance on how a victim organization can continue to operate while managing an incident and how to work with law enforcement and/or incident response firms as an investigation is conducted.4 An organization’s incident response plan should, at a minimum, give serious consideration to all of the steps outlined below.

A. Step 1: Make an Initial Assessment

During a cyber incident, a victim organization should immediately make an assessment of the nature and scope of the incident. In particular, it is important at the outset to determine whether the incident is a malicious act or a technological glitch. The nature of the incident will determine the type of assistance an organization will need to address the incident and the type of damage and remedial efforts that may be required.

Having appropriate network logging capabilities enabled can be critical to identifying the cause of a cyber incident. Using log information, a system administrator should attempt to identify:

● The affected computer systems;
● The apparent origin of the incident, intrusion, or attack;
● Any malware used in connection with the incident;
● Any remote servers to which data were sent (if information was exfiltrated); and
● The identity of any other victim organizations, if such data is apparent in logged data.
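The log triage the list above describes, as an added example that is not part of the DOJ guidance or of this presentation: a small Python script run over constructed sshd and egress-firewall log lines (the hostnames, addresses, and the HOST_ADDRS inventory are all made up for the example). It derives three of the items the administrator is asked to identify: the apparent origin (an external address that failed authentication repeatedly and then succeeded), the affected systems (the host reached from that origin, plus any host reached by an accepted login from an already affected host), and candidate remote servers to which data were sent (unusually large outbound transfers from affected hosts).

```python
import re
from collections import defaultdict

# Constructed sample log lines (not taken from the page): sshd authentication
# messages from two hosts plus a simplified egress firewall log, one event per line.
SAMPLE_LOGS = """\
Mar 03 02:14:05 fileserver sshd[2211]: Failed password for admin from 203.0.113.45 port 51022 ssh2
Mar 03 02:14:09 fileserver sshd[2211]: Failed password for admin from 203.0.113.45 port 51023 ssh2
Mar 03 02:14:12 fileserver sshd[2211]: Accepted password for admin from 203.0.113.45 port 51024 ssh2
Mar 03 02:20:41 fileserver fw: OUT src=10.0.0.5 dst=198.51.100.7 dport=443 bytes=734003200
Mar 03 02:31:55 mailhost sshd[877]: Accepted publickey for backup from 10.0.0.5 port 40112 ssh2
Mar 03 02:32:10 mailhost fw: OUT src=10.0.0.9 dst=192.0.2.10 dport=443 bytes=18220
Mar 03 09:00:01 mailhost sshd[901]: Accepted publickey for backup from 10.0.0.20 port 40200 ssh2
"""

# Constructed asset inventory (hostname -> internal address); a real responder
# would take this from the organization's asset records or DHCP leases.
HOST_ADDRS = {"fileserver": "10.0.0.5", "mailhost": "10.0.0.9"}

AUTH_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \S+ for (?P<user>\S+) from (?P<ip>[\d.]+)"
)
FW_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) fw: OUT "
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+) bytes=(?P<bytes>\d+)"
)


def parse_events(text):
    """Turn raw log lines into dicts; lines matching neither pattern are skipped."""
    events = []
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            events.append({"kind": "auth", **m.groupdict()})
            continue
        m = FW_RE.match(line)
        if m:
            d = m.groupdict()
            d["bytes"] = int(d["bytes"])
            events.append({"kind": "egress", **d})
    return events


def apparent_origins(events, min_failures=2):
    """Source IPs that failed at least min_failures times and then succeeded on the
    same host: the apparent origin of a password-guessing intrusion."""
    failures = defaultdict(int)
    origins = set()
    for e in events:
        if e["kind"] != "auth":
            continue
        key = (e["host"], e["ip"])
        if e["result"] == "Failed":
            failures[key] += 1
        elif failures[key] >= min_failures:
            origins.add(e["ip"])
    return origins


def affected_hosts(events, origins):
    """Hosts reached from an origin IP, then hosts reached by an accepted login
    from an already affected host (lateral movement), iterated until stable."""
    addr_to_host = {addr: host for host, addr in HOST_ADDRS.items()}
    affected = set()
    changed = True
    while changed:
        changed = False
        for e in events:
            if e["kind"] != "auth" or e["result"] != "Accepted":
                continue
            src_host = addr_to_host.get(e["ip"])
            if (e["ip"] in origins or src_host in affected) and e["host"] not in affected:
                affected.add(e["host"])
                changed = True
    return affected


def possible_exfiltration(events, affected, min_bytes=100 * 1024 * 1024):
    """Large outbound transfers from affected hosts: candidate remote servers to
    which data were sent. The byte threshold is an assumption to tune per site."""
    affected_addrs = {HOST_ADDRS[h] for h in affected if h in HOST_ADDRS}
    return sorted({
        e["dst"] for e in events
        if e["kind"] == "egress" and e["src"] in affected_addrs and e["bytes"] >= min_bytes
    })


def triage(text):
    """Summarize the three log-derived assessment items for a block of log text."""
    events = parse_events(text)
    origins = apparent_origins(events)
    affected = affected_hosts(events, origins)
    return {
        "origins": sorted(origins),
        "affected_hosts": sorted(affected),
        "exfil_destinations": possible_exfiltration(events, affected),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_LOGS))
```

The thresholds (`min_failures`, `min_bytes`) are assumptions to be tuned to the environment. The value of doing the triage this way is that every conclusion is derived from specific log lines and can be re-derived later, which is what makes the assessment defensible in a subsequent investigation. The remaining two items on the list, malware used and other victim organizations, need artifacts that these sample logs do not carry.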

3 See Exec. Order No. 13,691, 80 Fed. Reg. 9347 (Feb. 20, 2015), available at http://www.gpo.gov/fdsys/pkg/FR-2015-02-20/pdf/2015-03714.pdf.

4 Often in the case of data breaches, organizations may learn that they have been the victim of an intrusion from a third party. For instance, law enforcement may discover evidence, while conducting a data breach investigation, that other organizations have also been breached, or a cybersecurity company’s forensic analysis of a customer’s network following a breach may uncover evidence of other victims. Organizations should be prepared to respond to receiving such notice.


In addition, the initial assessment of the incident should document:

● Which users are currently logged on;
● What the current connections to the computer systems are;
● Which processes are running; and
● All open ports and their associated services and applications.
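One way to capture two of these items on a Linux host, as an added example that is not drawn from the page: a Python parser for the kernel’s `/proc/net/tcp` socket table that reports listening ports (with a service hint) and established connections, run here over a constructed copy of the table rather than a live host. The addresses, uids and inode numbers in the sample are invented; in live use the inode column is what links a socket to its owning process through `/proc/<pid>/fd`.

```python
import socket
import struct

# Constructed sample of /proc/net/tcp (the Linux kernel's IPv4 TCP socket table);
# not captured from any real host. Addresses are the little-endian hex the kernel
# prints on x86; state 0A is LISTEN and 01 is ESTABLISHED.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11001 1 0000000000000000 100 0 0 10 0
   1: 00000000:01BB 00000000:0000 0A 00000000:00000000 00:00000000 00000000    33        0 11002 1 0000000000000000 100 0 0 10 0
   2: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11003 1 0000000000000000 100 0 0 10 0
   3: 0500000A:0016 2D7100CB:C75E 01 00000000:00000000 02:00000A3B 00000000     0        0 11004 1 0000000000000000 20 4 30 10 -1
   4: 0500000A:C35A 076433C6:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 11005 1 0000000000000000 20 4 30 10 -1
"""

TCP_STATES = {
    "01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV", "04": "FIN_WAIT1",
    "05": "FIN_WAIT2", "06": "TIME_WAIT", "07": "CLOSE", "08": "CLOSE_WAIT",
    "09": "LAST_ACK", "0A": "LISTEN", "0B": "CLOSING",
}

# Service hints by well-known port. The assessment should confirm which process
# actually owns the socket (via the inode and /proc/<pid>/fd), not assume it.
SERVICE_HINTS = {22: "ssh", 80: "http", 443: "https", 631: "ipp"}


def decode_endpoint(field):
    """'0500000A:0016' -> ('10.0.0.5', 22). The kernel prints the IPv4 address as a
    native-endian 32-bit integer, so '<I' repacks it into network byte order."""
    ip_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def parse_proc_net_tcp(text):
    """One dict per socket row; the header row and malformed rows are skipped."""
    rows = []
    for line in text.splitlines()[1:]:
        cols = line.split()
        if len(cols) < 10:
            continue
        rows.append({
            "local": decode_endpoint(cols[1]),
            "remote": decode_endpoint(cols[2]),
            "state": TCP_STATES.get(cols[3], cols[3]),
            "uid": int(cols[7]),
            "inode": int(cols[9]),
        })
    return rows


def listening_ports(rows):
    """(port, service hint, bind address) for every listening socket: the 'open
    ports and their associated services' item of the initial assessment."""
    return sorted(
        (r["local"][1], SERVICE_HINTS.get(r["local"][1], "unknown"), r["local"][0])
        for r in rows if r["state"] == "LISTEN"
    )


def established_connections(rows):
    """(local ip, local port, remote ip, remote port) for each live connection."""
    return [r["local"] + r["remote"] for r in rows if r["state"] == "ESTABLISHED"]


def external_peers(rows, internal_prefixes=("10.", "127.", "192.168.")):
    """Remote addresses outside the (assumed) internal ranges; unexpected ones are
    the first candidates for the intrusion timeline."""
    return sorted({
        r["remote"][0] for r in rows
        if r["state"] == "ESTABLISHED" and not r["remote"][0].startswith(internal_prefixes)
    })


if __name__ == "__main__":
    table = parse_proc_net_tcp(SAMPLE_PROC_NET_TCP)
    print("listening:", listening_ports(table))
    print("established:", established_connections(table))
    print("external peers:", external_peers(table))
```

Reading the real table is `parse_proc_net_tcp(open("/proc/net/tcp").read())`; the IPv6 table (`/proc/net/tcp6`) has the same layout with 32-digit addresses and is not handled here. Because this state is volatile and lost on reboot, the output belongs in the written assessment record at the time it is taken.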

Any communications (in particular, threats or extortionate demands) received by the organization that might relate to the incident should also be preserved. Suspicious calls, emails, or other requests for information should be treated as part of the incident.

Evidence that an intrusion or other criminal incident has occurred will typically include logging or file creation data indicating that someone improperly accessed, created, modified, deleted, or copied files or logs; changed system settings; or added or altered user accounts or permissions. In addition, an intruder may have stored “hacker tools” or data from another intrusion on your network. In the case of a root-level intrusion,5 victims should be alert for signs that the intruder gained access to multiple areas of the network. The victim organization should take care to ensure that its actions do not unintentionally or unnecessarily modify stored data in a way that could hinder incident response or subsequent criminal investigation. In particular, potentially relevant files should not be deleted; if at all possible, avoid modifying data or at least keep track of how and when information was modified.

B. Step 2: Implement Measures to Minimize Continuing Damage

After an organization has assessed the nature and scope of the incident and determined it to be an intentional cyber intrusion or attack rather than a technical glitch, it may need to take steps to stop ongoing damage caused by the perpetrator. Such steps may include rerouting network traffic, filtering or blocking a distributed denial-of-service attack,6 or isolating all or parts of the compromised network. In the case of an intrusion, a system administrator may decide either to block further illegal access or to watch the illegal activity to identify the source of the attack and/or learn the scope of the compromise.

If proper preparations were made, an organization will have an existing back-up copy of critical data and may elect to abandon the network in its current state and to restore it to a prior state. If an organization elects to restore a back-up version of its data, it should first make sure that the back-up is not compromised as well.

5 An intruder with “root level access” has the highest privileges given to a user working with an operating system or other program and has as much authority on the network as a system administrator, including the authority to access files, alter permissions and privileges, and add or remove accounts.

Where a victim organization obtains information regarding the location of exfiltrated data or the apparent origin of a cyber attack, it may choose to contact the system administrator of that network. Doing so may stop the attack, assist in regaining possession of stolen data, or help determine the true origin of the malicious activity. A victim organization may also choose to blunt the damage of an ongoing intrusion or attack by “null routing”7 malicious traffic, closing the ports being used by the intruder to gain access to the network, or otherwise altering the configuration of a network to thwart the malicious activity.

The victim organization should keep detailed records of whatever steps are taken to mitigate the damage and should keep stock of any associated costs incurred. Such information may be important for recovering damages from responsible parties and for any subsequent criminal investigation.

C. Step 3: Record and Collect Information

1. Image the Affected Computer(s)

Ideally, a victim organization will immediately make a “forensic image” of the affected computers, which will preserve a record of the system at the time of the incident for later analysis and potentially for use as evidence at trial.8 This may require the assistance of law enforcement or professional incident response experts. In addition, the victim organization should locate any previously generated backups, which may assist in identifying any changes an intruder made to the network. New or sanitized media should be used to store copies of any data that is retrieved and stored. Once the victim organization makes such copies, it should write-protect the media to safeguard it from alteration. The victim organization should also restrict access to this media to maintain the integrity of the copy’s authenticity, safeguard it from unidentified malicious insiders, and establish a chain of custody. These steps will enhance the value of any backups as evidence in any later criminal investigations and prosecutions, internal investigations, or civil law suits.

6 A Distributed Denial of Service (DDOS) attack involves the orchestrated transmission of communications engineered to overwhelm another network’s connection to the Internet to impair or disrupt that network’s ability to send or receive communications. DDOS attacks are usually launched by a large number of computers infected by malware that permits their actions to be centrally controlled.

7 A null route directs the system to drop network communications that are destined for a specified IP address on the network, so a system will no longer send any response to the originating IP address. This means the system will continue to receive data from the attackers but no longer respond to them.

8 A “forensic image” is an exact, sector-by-sector copy of a hard disk. Software capable of creating such copies of hard drives preserves deleted files, slack space, system files, and executable files and can be critical for later analysis of an incident.

2. Keep Logs, Notes, Records, and Data

The victim organization should take immediate steps to preserve relevant existing logs. In addition, the victim organization should direct personnel participating in the incident response to keep an ongoing, written record of all steps undertaken. If this is done while responding to the incident or shortly thereafter, personnel can minimize the need to rely on their memories or the memories of others to reconstruct the order of events. As the investigation progresses, information that was collected by the organization contemporaneous to the intrusion may take on unanticipated significance.

The types of information that the victim organization should retain include:

● a description of all incident-related events, including dates and times;
● information about incident-related phone calls, emails, and other contacts;
● the identity of persons working on tasks related to the intrusion, including a description, the amount of time spent, and the approximate hourly rate for those persons’ work;
● identity of the systems, accounts, services, data, and networks affected by the incident and a description of how these network components were affected;
● information relating to the amount and type of damage inflicted by the incident, which can be important in civil actions by the organization and in criminal cases;
● information regarding network topology;
● the type and version of software being run on the network; and
● any peculiarities in the organization’s network architecture, such as proprietary hardware or software.

Ideally, a single, designated employee will retain custody of all such records. This will help to ensure that records are properly preserved and can be produced later on. Proper handling of this information is often useful in rebutting claims in subsequent legal proceedings (whether criminal or civil) that electronic evidence has been tampered with or altered.
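The handling of an acquired image and the contemporaneous record that subsections 1 and 2 above call for, as an added example written for this page rather than taken from the DOJ guidance: a Python module that copies an image onto fresh storage, hashes it, write-protects it, and keeps a hash-chained chain-of-custody log in which each entry commits to the one before it. `demo()` runs the whole procedure on a constructed stand-in for a disk in a temporary directory; the examiner names and file names are placeholders.

```python
import hashlib
import json
import os
import stat
import tempfile
import time


def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so multi-gigabyte images need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def _entry_hash(entry):
    return hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()


def append_entry(log_path, actor, action, **details):
    """Append one custody/journal entry. Each entry carries the hash of the previous
    entry, so editing or removing an earlier line breaks verify_chain() later."""
    prev = "0" * 64
    if os.path.exists(log_path):
        with open(log_path) as f:
            lines = f.read().splitlines()
        if lines:
            prev = _entry_hash(json.loads(lines[-1]))
    entry = {
        "time": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "actor": actor,
        "action": action,
        "details": details,
        "prev": prev,
    }
    with open(log_path, "a") as f:
        f.write(json.dumps(entry, sort_keys=True) + "\n")
    return entry


def verify_chain(log_path):
    """True if every entry's 'prev' equals the hash of the entry before it."""
    prev = "0" * 64
    with open(log_path) as f:
        for line in f:
            entry = json.loads(line)
            if entry["prev"] != prev:
                return False
            prev = _entry_hash(entry)
    return True


def acquire_image(source_path, evidence_dir, examiner, log_path):
    """Copy the image to fresh media (a directory here), hash it, write-protect it,
    and open the chain of custody with an 'acquired' entry that records the hash."""
    os.makedirs(evidence_dir, exist_ok=True)
    dest = os.path.join(evidence_dir, os.path.basename(source_path) + ".img")
    with open(source_path, "rb") as src, open(dest, "wb") as dst:
        for block in iter(lambda: src.read(1 << 20), b""):
            dst.write(block)
    digest = sha256_file(dest)
    os.chmod(dest, stat.S_IRUSR | stat.S_IRGRP | stat.S_IROTH)  # mode 0444
    append_entry(log_path, examiner, "acquired", file=dest, sha256=digest)
    return dest, digest


def verify_image(path, expected_sha256):
    """Re-hash the image before any analysis or hand-over and compare."""
    return sha256_file(path) == expected_sha256


def demo():
    """Run the procedure on a constructed stand-in for a disk in a temp directory."""
    work = tempfile.mkdtemp()
    source = os.path.join(work, "disk0")
    with open(source, "wb") as f:
        f.write(b"\x00" * 4096 + b"constructed disk contents, not a real image")
    log = os.path.join(work, "custody.jsonl")
    dest, digest = acquire_image(source, os.path.join(work, "evidence"), "examiner-1", log)
    append_entry(log, "examiner-1", "transferred", to="examiner-2", sha256=digest)
    results = {
        "image_verified": verify_image(dest, digest),
        "write_protected": stat.S_IMODE(os.stat(dest).st_mode) == 0o444,
        "chain_valid": verify_chain(log),
    }
    # Simulate an after-the-fact edit of the first entry: the chain must break.
    with open(log) as f:
        lines = f.read().splitlines()
    first = json.loads(lines[0])
    first["actor"] = "unknown"
    with open(log, "w") as f:
        f.write("\n".join([json.dumps(first, sort_keys=True)] + lines[1:]) + "\n")
    results["tamper_detected"] = not verify_chain(log)
    return results


if __name__ == "__main__":
    print(demo())
```

The chain protects every entry except the last: an edit to any earlier line changes its hash, and the following entry’s `prev` no longer matches. The custodian should therefore note the final entry’s hash (or the hash of the whole log) out of band, for instance in the written incident journal, whenever the log is handed over. Real images are taken with write-blocking hardware and dedicated imaging tools and hashed at the moment of acquisition; this code only shows the bookkeeping that surrounds them.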

3. Records Related to Continuing Attacks

When an incident is ongoing (e.g., during a DDOS attack, as a worm is propagating through the network, or while an intruder is exfiltrating data), the victim organization should record any continuing activity. If a victim organization has not enabled logging on an affected server, it should do so immediately. It should also consider increasing the default size of log files on its servers to prevent losing data. A victim organization may also be able to use a “sniffer” or other network-monitoring device to record communications between the intruder and any of its targeted servers. Such monitoring, which implicates the Wiretap Act (18 U.S.C. §§ 2510 et seq.), is typically lawful, provided it is done to protect the organization’s rights or property or system users have actually or impliedly consented to such monitoring. An organization should consult with its legal counsel to make sure such monitoring is conducted lawfully and consistent with the organization’s employment agreements and privacy policies.

D. Step 4: Notify9

1. People Within the Organization

Managers and other personnel within the organization should be notified about the incident as provided for in the incident response plan and should be given the results of any preliminary analysis. Relevant personnel may include senior management, IT and physical security coordinators, communications or public affairs personnel, and legal counsel. The incident response plan should set out individual points-of-contact within the organization and the circumstances in which they should be contacted.

2. Law Enforcement

If an organization suspects at any point during its assessment or response that the incident constitutes criminal activity, it should contact law enforcement immediately. Historically, some companies have been reticent to contact law enforcement following a cyber incident fearing that a criminal investigation may result in disruption of their business or reputational harm. However, a company harboring such concerns should not hesitate to contact law enforcement.

The FBI and U.S. Secret Service place a priority on conducting cyber investigations that cause as little disruption as possible to a victim organization’s normal operations and recognize the need to work cooperatively and discreetly with victim companies. They will use investigative measures that avoid computer downtime or displacement of a company's employees. When using indispensable investigative measures likely to inconvenience a victim organization, they will do so with the objective of minimizing the duration and scope of any disruption.

The FBI and U.S. Secret Service will also conduct their investigations with discretion and work with a victim company to avoid unwarranted disclosure of information. They will attempt to coordinate statements to the news media concerning the incident with a victim company to ensure that information harmful to a company’s interests is not needlessly disclosed. Victim companies should likewise consider sharing press releases regarding a cyber incident with investigative agents before issuing them to avoid releasing information that might damage the ongoing investigation.

9 Some private organizations are regulated by the federal government and may be subject to rules requiring notification if a data breach or other cyber incident occurs. While guidance to such organizations for notifying regulators is beyond the scope of this document, a cyber incident response plan should take into account whether a victim organization may need also to notify regulators and how best to do so.

Contacting law enforcement may also prove beneficial to a victim organization. Law enforcement may be able to use legal authorities and tools that are unavailable to non-governmental entities10 and to enlist the assistance of international law enforcement partners to locate stolen data or identify the perpetrator. These tools and relationships can greatly increase the odds of successfully apprehending an intruder or attacker and securing lost data. In addition, a cyber criminal who is successfully prosecuted will be prevented from causing further damage to the victim company or to others, and other would-be cyber criminals may be deterred by such a conviction.

In addition, as of January 2015, at least forty-seven states have passed database breach notification laws requiring companies to notify customers whose data is compromised by an intrusion; however, many data breach reporting laws allow a covered organization to delay notification if law enforcement concludes that such notice would impede an investigation. State laws also may allow a victim company to forgo providing notice altogether if the victim company consults with law enforcement and thereafter determines that the breach will not likely result in harm to the individuals whose personal information has been acquired and accessed. Organizations should consult with counsel to determine their obligations under state data breach notification laws. It is also noteworthy that companies from regulated industries that cooperate with law enforcement may be viewed more favorably by regulators looking into a data breach.

3. The Department of Homeland Security

The Department of Homeland Security has components dedicated to cybersecurity that not only collect and report on cyber incidents, phishing, malware, and other vulnerabilities, but also provide certain incident response services. The National Cybersecurity & Communications Integration Center (NCCIC) serves as a 24x7 centralized location for cybersecurity information sharing, incident response, and incident coordination. By contacting the NCCIC, a victim organization can both share and receive information about an ongoing incident that may prove beneficial to both the victim organization and the government. A victim organization may also obtain technical assistance capable of mitigating an ongoing cyber incident.

10 For instance, data that are necessary to trace an intrusion or attack to its source may not be obtainable without use of legal process (e.g., a search warrant, court order, or subpoena) that may be unavailable to a private party. Furthermore, some potentially useful intrusion detection techniques require law enforcement involvement. For instance, under 18 U.S.C. § 2511(2)(i) a network owner may authorize law enforcement to intercept a computer trespasser’s communications on the network owner’s computers during an investigation.

4. Other Potential Victims

If a victim organization or the private incident response firm it hires uncovers evidence of additional victims while assessing a cyber incident—for example, in the form of another company’s data stored on the network—the other potential victims should be promptly notified. While the initial victim can conduct such notification directly, notifying victims through law enforcement may be preferable. It insulates the initial victim from potentially unnecessary exposure and allows law enforcement to conduct further investigation, which may uncover additional victims warranting notification. Similarly, if a forensic examination reveals an unreported software or hardware vulnerability, the victim organization should make immediate notification to law enforcement or the relevant vendor.

Such notifications may prevent further damage by prompting the victims or vendors to take remedial action immediately. The victim organization may also reap benefits, because other victims may be able to provide helpful information gleaned from their own experiences managing the same cyber incident (e.g., information regarding the perpetrator’s methods, a timeline of events, or effective mitigation techniques that may thwart the intruder).

III. What Not to Do Following a Cyber Incident

A. Do Not Use the Compromised System to Communicate

The victim organization should avoid, to the extent reasonably possible, using a system suspected of being compromised to communicate about an incident or to discuss its response to the incident. If the victim organization must use the compromised system to communicate, it should encrypt its communications. To avoid becoming the victim of a “social engineering” attack (i.e., attempts by a perpetrator to convince a target to take an action through use of a ruse or guile that will compromise the security of the system or data), employees of the victim organization should not disclose incident-specific information to unknown communicants inquiring about an incident without first verifying their identity.

B. Do Not Hack Into or Damage Another Network

A victimized organization should not attempt to access, damage, or impair another system that may appear to be involved in the intrusion or attack. Regardless of motive, doing so is likely illegal, under U.S. and some foreign laws, and could result in civil and/or criminal liability. Furthermore, many intrusions and attacks are launched from compromised systems. Consequently, “hacking back” can damage or impair another innocent victim’s system rather than the intruder’s.

IV. After a Computer Incident

Even after a cyber incident appears to be under control, remain vigilant. Many intruders return to attempt to regain access to networks they previously compromised. It is possible that, despite best efforts, a company that has addressed known security vulnerabilities and taken all reasonable steps to eject an intruder has nevertheless not eliminated all of the means by which the intruder illicitly accessed the network. Continue to monitor your system for anomalous activity.

Once the victim organization has recovered from the attack or intrusion, it should initiate measures to prevent similar attacks. To do so, it should conduct a post-incident review of the organization’s response to the incident and assess the strengths and weaknesses of its performance and incident response plan. Part of the assessment should include ascertaining whether the organization followed each of the steps outlined above and, if not, why not. The organization should note and discuss deficiencies and gaps in its response and take remedial steps as needed.


Cyber Incident Preparedness Checklist

Before a Cyber Attack or Intrusion

● Identify mission critical data and assets (i.e., your “Crown Jewels”) and institute tiered security measures to appropriately protect those assets.
● Review and adopt risk management practices found in guidance such as the National Institute of Standards and Technology Cybersecurity Framework.
● Create an actionable incident response plan.
  o Test plan with exercises
  o Keep plan up-to-date to reflect changes in personnel and structure
● Have the technology in place (or ensure that it is easily obtainable) that will be used to address an incident.
● Have procedures in place that will permit lawful network monitoring.
● Have legal counsel that is familiar with legal issues associated with cyber incidents.
● Align other policies (e.g., human resources and personnel policies) with your incident response plan.
● Develop proactive relationships with relevant law enforcement agencies, outside counsel, public relations firms, and investigative and cybersecurity firms that you may require in the event of an incident.

During a Cyber Attack or Intrusion

● Make an initial assessment of the scope and nature of the incident, particularly whether it is a malicious act or a technological glitch.
● Minimize continuing damage consistent with your cyber incident response plan.
● Collect and preserve data related to the incident.
  o “Image” the network
  o Keep all logs, notes, and other records
  o Keep records of ongoing attacks
● Consistent with your incident response plan, notify—
  o Appropriate management and personnel within the victim organization
  o Law enforcement
  o Other possible victims
  o Department of Homeland Security
● Do not—
  o Use compromised systems to communicate.
  o “Hack back” or intrude upon another network.


After Recovering from a Cyber Attack or Intrusion

● Continue monitoring the network for any anomalous activity to make sure the intruder has been expelled and you have regained control of your network.
● Conduct a post-incident review to identify deficiencies in planning and execution of your incident response plan.


Framework for Improving

Critical Infrastructure Cybersecurity

Version 1.0

National Institute of Standards and Technology

February 12, 2014


February 12, 2014 Cybersecurity Framework Version 1.0


Table of Contents

Executive Summary ..... 1
1.0 Framework Introduction ..... 3
2.0 Framework Basics ..... 7
3.0 How to Use the Framework ..... 13
Appendix A: Framework Core ..... 18
Appendix B: Glossary ..... 37
Appendix C: Acronyms ..... 39

List of Figures

Figure 1: Framework Core Structure ..... 7
Figure 2: Notional Information and Decision Flows within an Organization ..... 12

List of Tables

Table 1: Function and Category Unique Identifiers ..... 19
Table 2: Framework Core ..... 20


Executive Summary

The national and economic security of the United States depends on the reliable functioning of

critical infrastructure. Cybersecurity threats exploit the increased complexity and connectivity of

critical infrastructure systems, placing the Nation’s security, economy, and public safety and

health at risk. Similar to financial and reputational risk, cybersecurity risk affects a company’s

bottom line. It can drive up costs and impact revenue. It can harm an organization’s ability to

innovate and to gain and maintain customers.

To better address these risks, the President issued Executive Order 13636, “Improving Critical

Infrastructure Cybersecurity,” on February 12, 2013, which established that “[i]t is the Policy of

the United States to enhance the security and resilience of the Nation’s critical infrastructure and

to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity

while promoting safety, security, business confidentiality, privacy, and civil liberties.” In

enacting this policy, the Executive Order calls for the development of a voluntary risk-based

Cybersecurity Framework – a set of industry standards and best practices to help organizations

manage cybersecurity risks. The resulting Framework, created through collaboration between

government and the private sector, uses a common language to address and manage

cybersecurity risk in a cost-effective way based on business needs without placing additional

regulatory requirements on businesses.

The Framework focuses on using business drivers to guide cybersecurity activities and

considering cybersecurity risks as part of the organization’s risk management processes. The

Framework consists of three parts: the Framework Core, the Framework Profile, and the

Framework Implementation Tiers. The Framework Core is a set of cybersecurity activities,

outcomes, and informative references that are common across critical infrastructure sectors,

providing the detailed guidance for developing individual organizational Profiles. Through use of

the Profiles, the Framework will help the organization align its cybersecurity activities with its

business requirements, risk tolerances, and resources. The Tiers provide a mechanism for

organizations to view and understand the characteristics of their approach to managing

cybersecurity risk.

The Executive Order also requires that the Framework include a methodology to protect

individual privacy and civil liberties when critical infrastructure organizations conduct

cybersecurity activities. While processes and existing needs will differ, the Framework can assist

organizations in incorporating privacy and civil liberties as part of a comprehensive

cybersecurity program.

The Framework enables organizations – regardless of size, degree of cybersecurity risk, or

cybersecurity sophistication – to apply the principles and best practices of risk management to

improving the security and resilience of critical infrastructure. The Framework provides

organization and structure to today’s multiple approaches to cybersecurity by assembling

standards, guidelines, and practices that are working effectively in industry today. Moreover,

because it references globally recognized standards for cybersecurity, the Framework can also be


used by organizations located outside the United States and can serve as a model for

international cooperation on strengthening critical infrastructure cybersecurity.

The Framework is not a one-size-fits-all approach to managing cybersecurity risk for critical

infrastructure. Organizations will continue to have unique risks – different threats, different

vulnerabilities, different risk tolerances – and how they implement the practices in the

Framework will vary. Organizations can determine activities that are important to critical service

delivery and can prioritize investments to maximize the impact of each dollar spent. Ultimately,

the Framework is aimed at reducing and better managing cybersecurity risks.

The Framework is a living document and will continue to be updated and improved as industry

provides feedback on implementation. As the Framework is put into practice, lessons learned

will be integrated into future versions. This will ensure it is meeting the needs of critical

infrastructure owners and operators in a dynamic and challenging environment of new threats,

risks, and solutions.

Use of this voluntary Framework is the next step to improve the cybersecurity of our Nation’s

critical infrastructure – providing guidance for individual organizations, while increasing the

cybersecurity posture of the Nation’s critical infrastructure as a whole.


1.0 Framework Introduction

The national and economic security of the United States depends on the reliable functioning of

critical infrastructure. To strengthen the resilience of this infrastructure, President Obama issued

Executive Order 13636 (EO), “Improving Critical Infrastructure Cybersecurity,” on February 12,

2013.[1] This Executive Order calls for the development of a voluntary Cybersecurity Framework

(“Framework”) that provides a “prioritized, flexible, repeatable, performance-based, and cost-

effective approach” to manage cybersecurity risk for those processes, information, and systems

directly involved in the delivery of critical infrastructure services. The Framework, developed in

collaboration with industry, provides guidance to an organization on managing cybersecurity

risk.

Critical infrastructure is defined in the EO as “systems and assets, whether physical or virtual, so

vital to the United States that the incapacity or destruction of such systems and assets would have

a debilitating impact on security, national economic security, national public health or safety, or

any combination of those matters.” Due to the increasing pressures from external and internal

threats, organizations responsible for critical infrastructure need to have a consistent and iterative

approach to identifying, assessing, and managing cybersecurity risk. This approach is necessary

regardless of an organization’s size, threat exposure, or cybersecurity sophistication today.

The critical infrastructure community includes public and private owners and operators, and

other entities with a role in securing the Nation’s infrastructure. Members of each critical

infrastructure sector perform functions that are supported by information technology (IT) and

industrial control systems (ICS).[2] This reliance on technology, communication, and the

interconnectivity of IT and ICS has changed and expanded the potential vulnerabilities and

increased potential risk to operations. For example, as ICS and the data produced in ICS

operations are increasingly used to deliver critical services and support business decisions, the

potential impacts of a cybersecurity incident on an organization’s business, assets, health and

safety of individuals, and the environment should be considered. To manage cybersecurity risks,

a clear understanding of the organization’s business drivers and security considerations specific

to its use of IT and ICS is required. Because each organization’s risk is unique, along with its use

of IT and ICS, the tools and methods used to achieve the outcomes described by the Framework

will vary.

Recognizing the role that the protection of privacy and civil liberties plays in creating greater

public trust, the Executive Order requires that the Framework include a methodology to protect

individual privacy and civil liberties when critical infrastructure organizations conduct

cybersecurity activities. Many organizations already have processes for addressing privacy and

civil liberties. The methodology is designed to complement such processes and provide guidance

to facilitate privacy risk management consistent with an organization’s approach to cybersecurity

risk management. Integrating privacy and cybersecurity can benefit organizations by increasing

customer confidence, enabling more standardized sharing of information, and simplifying

operations across legal regimes.

[1] Executive Order no. 13636, Improving Critical Infrastructure Cybersecurity, DCPD-201300091, February 12, 2013. http://www.gpo.gov/fdsys/pkg/FR-2013-02-19/pdf/2013-03915.pdf

[2] The DHS Critical Infrastructure program provides a listing of the sectors and their associated critical functions and value chains. http://www.dhs.gov/critical-infrastructure-sectors


To ensure extensibility and enable technical innovation, the Framework is technology neutral.

The Framework relies on a variety of existing standards, guidelines, and practices to enable

critical infrastructure providers to achieve resilience. By relying on those global standards,

guidelines, and practices developed, managed, and updated by industry, the tools and methods

available to achieve the Framework outcomes will scale across borders, acknowledge the global

nature of cybersecurity risks, and evolve with technological advances and business requirements.

The use of existing and emerging standards will enable economies of scale and drive the

development of effective products, services, and practices that meet identified market needs.

Market competition also promotes faster diffusion of these technologies and practices and

realization of many benefits by the stakeholders in these sectors.

Building from those standards, guidelines, and practices, the Framework provides a common

taxonomy and mechanism for organizations to:

1) Describe their current cybersecurity posture;

2) Describe their target state for cybersecurity;

3) Identify and prioritize opportunities for improvement within the context of a

continuous and repeatable process;

4) Assess progress toward the target state;

5) Communicate among internal and external stakeholders about cybersecurity risk.

The Framework complements, and does not replace, an organization’s risk management process

and cybersecurity program. The organization can use its current processes and leverage the

Framework to identify opportunities to strengthen and communicate its management of

cybersecurity risk while aligning with industry practices. Alternatively, an organization without

an existing cybersecurity program can use the Framework as a reference to establish one.

Just as the Framework is not industry-specific, the common taxonomy of standards, guidelines,

and practices that it provides also is not country-specific. Organizations outside the United States

may also use the Framework to strengthen their own cybersecurity efforts, and the Framework

can contribute to developing a common language for international cooperation on critical

infrastructure cybersecurity.

1.1 Overview of the Framework

The Framework is a risk-based approach to managing cybersecurity risk, and is composed of

three parts: the Framework Core, the Framework Implementation Tiers, and the Framework

Profiles. Each Framework component reinforces the connection between business drivers and

cybersecurity activities. These components are explained below.

The Framework Core is a set of cybersecurity activities, desired outcomes, and

applicable references that are common across critical infrastructure sectors. The Core

presents industry standards, guidelines, and practices in a manner that allows for

communication of cybersecurity activities and outcomes across the organization from the

executive level to the implementation/operations level. The Framework Core consists of

five concurrent and continuous Functions—Identify, Protect, Detect, Respond, Recover.

When considered together, these Functions provide a high-level, strategic view of the

lifecycle of an organization’s management of cybersecurity risk. The Framework Core


then identifies underlying key Categories and Subcategories for each Function, and

matches them with example Informative References such as existing standards,

guidelines, and practices for each Subcategory.

Framework Implementation Tiers (“Tiers”) provide context on how an organization

views cybersecurity risk and the processes in place to manage that risk. Tiers describe the

degree to which an organization’s cybersecurity risk management practices exhibit the

characteristics defined in the Framework (e.g., risk and threat aware, repeatable, and

adaptive). The Tiers characterize an organization’s practices over a range, from Partial

(Tier 1) to Adaptive (Tier 4). These Tiers reflect a progression from informal, reactive

responses to approaches that are agile and risk-informed. During the Tier selection

process, an organization should consider its current risk management practices, threat

environment, legal and regulatory requirements, business/mission objectives, and

organizational constraints.

A Framework Profile (“Profile”) represents the outcomes based on business needs that an

organization has selected from the Framework Categories and Subcategories. The Profile

can be characterized as the alignment of standards, guidelines, and practices to the

Framework Core in a particular implementation scenario. Profiles can be used to identify

opportunities for improving cybersecurity posture by comparing a “Current” Profile (the

“as is” state) with a “Target” Profile (the “to be” state). To develop a Profile, an

organization can review all of the Categories and Subcategories and, based on business

drivers and a risk assessment, determine which are most important; they can add

Categories and Subcategories as needed to address the organization’s risks. The Current

Profile can then be used to support prioritization and measurement of progress toward the

Target Profile, while factoring in other business needs including cost-effectiveness and

innovation. Profiles can be used to conduct self-assessments and communicate within an

organization or between organizations.
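The Current-versus-Target Profile comparison just described, carried out in code. This is an added example and is not code from the Framework or from this presentation. Three of the Subcategory outcomes are the ones quoted on this page; the six identifiers and the other three outcome texts are taken from Appendix A of the Framework, which this excerpt does not reproduce. The 0 to 3 achievement scale, the priority weights and the sample scores are constructed assumptions, since the Framework prescribes none of them.

```python
"""NIST Cybersecurity Framework v1.0: Current-versus-Target Profile gap analysis.
Added illustration, not code from the Framework or this presentation."""
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, List


class Level(IntEnum):
    """Degree to which a Subcategory outcome is achieved. This 0-3 scale is an
    assumption of the example; the Framework itself prescribes none."""
    NOT_ACHIEVED = 0
    PARTIAL = 1
    LARGELY = 2
    FULLY = 3


@dataclass(frozen=True)
class Subcategory:
    ident: str      # Appendix A identifier (Function.Category-number)
    function: str   # Identify / Protect / Detect / Respond / Recover
    category: str
    outcome: str


# Three outcome texts are quoted on this page; the identifiers and the other
# three outcomes come from Appendix A of the Framework (not in this excerpt).
CORE: List[Subcategory] = [
    Subcategory("ID.AM-4", "Identify", "Asset Management",
                "External information systems are catalogued"),
    Subcategory("PR.AC-1", "Protect", "Access Control",
                "Identities and credentials are managed for authorized devices and users"),
    Subcategory("PR.DS-1", "Protect", "Data Security", "Data-at-rest is protected"),
    Subcategory("DE.CM-1", "Detect", "Security Continuous Monitoring",
                "The network is monitored to detect potential cybersecurity events"),
    Subcategory("RS.AN-1", "Respond", "Analysis",
                "Notifications from detection systems are investigated"),
    Subcategory("RC.RP-1", "Recover", "Recovery Planning",
                "Recovery plan is executed during or after an event"),
]


@dataclass(frozen=True)
class ProfileEntry:
    level: Level
    priority: int = 1   # business-driver weight chosen by the organization


Profile = Dict[str, ProfileEntry]            # keyed by Subcategory identifier
_ABSENT = ProfileEntry(Level.NOT_ACHIEVED)   # an unscored outcome counts as not achieved

# Constructed sample scores for a small organization (not real data).
CURRENT_PROFILE: Profile = {
    "ID.AM-4": ProfileEntry(Level.PARTIAL), "PR.AC-1": ProfileEntry(Level.LARGELY),
    "PR.DS-1": ProfileEntry(Level.NOT_ACHIEVED), "DE.CM-1": ProfileEntry(Level.PARTIAL),
    "RS.AN-1": ProfileEntry(Level.NOT_ACHIEVED), "RC.RP-1": ProfileEntry(Level.PARTIAL),
}
TARGET_PROFILE: Profile = {
    "ID.AM-4": ProfileEntry(Level.FULLY, 2), "PR.AC-1": ProfileEntry(Level.FULLY, 3),
    "PR.DS-1": ProfileEntry(Level.FULLY, 3), "DE.CM-1": ProfileEntry(Level.LARGELY, 2),
    "RS.AN-1": ProfileEntry(Level.LARGELY, 2), "RC.RP-1": ProfileEntry(Level.LARGELY, 1),
}


def gap_analysis(core, current, target):
    """One row per selected Subcategory whose Target level exceeds its Current
    level, ordered by priority-weighted gap (largest first), then identifier."""
    rows = []
    for sc in core:
        tgt = target.get(sc.ident)
        if tgt is None:
            continue                         # not selected in this Target Profile
        cur = current.get(sc.ident, _ABSENT)
        gap = int(tgt.level) - int(cur.level)
        if gap > 0:
            rows.append({"id": sc.ident, "function": sc.function, "outcome": sc.outcome,
                         "current": cur.level, "target": tgt.level, "gap": gap,
                         "weighted": gap * tgt.priority})
    rows.sort(key=lambda r: (-r["weighted"], r["id"]))
    return rows


def progress(core, current, target):
    """Share (0.0 to 1.0) of the Target Profile's required outcome levels that
    the Current Profile already achieves; exceeding a target earns no extra credit."""
    need = got = 0
    for sc in core:
        tgt = target.get(sc.ident)
        if tgt is None or tgt.level == Level.NOT_ACHIEVED:
            continue
        cur = current.get(sc.ident, _ABSENT)
        need += int(tgt.level)
        got += min(int(cur.level), int(tgt.level))
    return got / need if need else 1.0


def rescored(current, ident, level):
    """New Current Profile with one Subcategory re-scored after remediation."""
    return {**current, ident: ProfileEntry(level, current.get(ident, _ABSENT).priority)}


if __name__ == "__main__":
    for r in gap_analysis(CORE, CURRENT_PROFILE, TARGET_PROFILE):
        print(f'{r["id"]:8} {r["function"]:8} gap={r["gap"]} weighted={r["weighted"]:2}  {r["outcome"]}')
    print(f"progress toward Target Profile: {progress(CORE, CURRENT_PROFILE, TARGET_PROFILE):.0%}")
```

Running the script prints the Subcategories with the largest weighted gap first (here the unprotected data at rest), which is the prioritization the Framework expects a Target Profile to drive, and a single percentage that can be re-read after each remediation to measure progress. Weighting each gap by a business-driver priority is one defensible choice; an organization that has mapped its own risk assessment onto the outcomes would substitute its own weights and scale.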

1.2 Risk Management and the Cybersecurity Framework

Risk management is the ongoing process of identifying, assessing, and responding to risk. To

manage risk, organizations should understand the likelihood that an event will occur and the

resulting impact. With this information, organizations can determine the acceptable level of risk

for delivery of services and can express this as their risk tolerance.

With an understanding of risk tolerance, organizations can prioritize cybersecurity activities,

enabling organizations to make informed decisions about cybersecurity expenditures.

Implementation of risk management programs offers organizations the ability to quantify and

communicate adjustments to their cybersecurity programs. Organizations may choose to handle

risk in different ways, including mitigating the risk, transferring the risk, avoiding the risk, or

accepting the risk, depending on the potential impact to the delivery of critical services.

The Framework uses risk management processes to enable organizations to inform and prioritize

decisions regarding cybersecurity. It supports recurring risk assessments and validation of

business drivers to help organizations select target states for cybersecurity activities that reflect

desired outcomes. Thus, the Framework gives organizations the ability to dynamically select and

direct improvement in cybersecurity risk management for the IT and ICS environments.


The Framework is adaptive to provide a flexible and risk-based implementation that can be used

with a broad array of cybersecurity risk management processes. Examples of cybersecurity risk

management processes include International Organization for Standardization (ISO)

31000:2009[3], ISO/IEC 27005:2011[4], National Institute of Standards and Technology (NIST)

Special Publication (SP) 800-39[5], and the Electricity Subsector Cybersecurity Risk Management

Process (RMP) guideline[6].

1.3 Document Overview

The remainder of this document contains the following sections and appendices:

Section 2 describes the Framework components: the Framework Core, the Tiers, and the

Profiles.

Section 3 presents examples of how the Framework can be used.

Appendix A presents the Framework Core in a tabular format: the Functions, Categories,

Subcategories, and Informative References.

Appendix B contains a glossary of selected terms.

Appendix C lists acronyms used in this document.

[3] International Organization for Standardization, Risk management – Principles and guidelines, ISO 31000:2009, 2009. http://www.iso.org/iso/home/standards/iso31000.htm

[4] International Organization for Standardization/International Electrotechnical Commission, Information technology – Security techniques – Information security risk management, ISO/IEC 27005:2011, 2011. http://www.iso.org/iso/catalogue_detail?csnumber=56742

[5] Joint Task Force Transformation Initiative, Managing Information Security Risk: Organization, Mission, and Information System View, NIST Special Publication 800-39, March 2011. http://csrc.nist.gov/publications/nistpubs/800-39/SP800-39-final.pdf

[6] U.S. Department of Energy, Electricity Subsector Cybersecurity Risk Management Process, DOE/OE-0003, May 2012. http://energy.gov/sites/prod/files/Cybersecurity%20Risk%20Management%20Process%20Guideline%20-%20Final%20-%20May%202012.pdf


2.0 Framework Basics

The Framework provides a common language for understanding, managing, and expressing

cybersecurity risk both internally and externally. It can be used to help identify and prioritize

actions for reducing cybersecurity risk, and it is a tool for aligning policy, business, and

technological approaches to managing that risk. It can be used to manage cybersecurity risk

across entire organizations or it can be focused on the delivery of critical services within an

organization. Different types of entities – including sector coordinating structures, associations,

and organizations – can use the Framework for different purposes, including the creation of

common Profiles.

2.1 Framework Core

The Framework Core provides a set of activities to achieve specific cybersecurity outcomes, and

references examples of guidance to achieve those outcomes. The Core is not a checklist of

actions to perform. It presents key cybersecurity outcomes identified by industry as helpful in

managing cybersecurity risk. The Core comprises four elements: Functions, Categories,

Subcategories, and Informative References, depicted in Figure 1:

Figure 1: Framework Core Structure

The Framework Core elements work together as follows:

Functions organize basic cybersecurity activities at their highest level. These Functions

are Identify, Protect, Detect, Respond, and Recover. They aid an organization in

expressing its management of cybersecurity risk by organizing information, enabling risk

management decisions, addressing threats, and improving by learning from previous

activities. The Functions also align with existing methodologies for incident management

and help show the impact of investments in cybersecurity. For example, investments in

planning and exercises support timely response and recovery actions, resulting in reduced

impact to the delivery of services.

Categories are the subdivisions of a Function into groups of cybersecurity outcomes

closely tied to programmatic needs and particular activities. Examples of Categories

include “Asset Management,” “Access Control,” and “Detection Processes.”


Subcategories further divide a Category into specific outcomes of technical and/or

management activities. They provide a set of results that, while not exhaustive, help

support achievement of the outcomes in each Category. Examples of Subcategories

include “External information systems are catalogued,” “Data-at-rest is protected,” and

“Notifications from detection systems are investigated.”

Informative References are specific sections of standards, guidelines, and practices

common among critical infrastructure sectors that illustrate a method to achieve the

outcomes associated with each Subcategory. The Informative References presented in the

Framework Core are illustrative and not exhaustive. They are based upon cross-sector

guidance most frequently referenced during the Framework development process.[7]

The five Framework Core Functions are defined below. These Functions are not intended to

form a serial path, or lead to a static desired end state. Rather, the Functions can be performed

concurrently and continuously to form an operational culture that addresses the dynamic

cybersecurity risk. See Appendix A for the complete Framework Core listing.

Identify – Develop the organizational understanding to manage cybersecurity risk to

systems, assets, data, and capabilities.

The activities in the Identify Function are foundational for effective use of the

Framework. Understanding the business context, the resources that support critical

functions, and the related cybersecurity risks enables an organization to focus and

prioritize its efforts, consistent with its risk management strategy and business needs.

Examples of outcome Categories within this Function include: Asset Management;

Business Environment; Governance; Risk Assessment; and Risk Management Strategy.

Protect – Develop and implement the appropriate safeguards to ensure delivery of

critical infrastructure services.

The Protect Function supports the ability to limit or contain the impact of a potential

cybersecurity event. Examples of outcome Categories within this Function include:

Access Control; Awareness and Training; Data Security; Information Protection

Processes and Procedures; Maintenance; and Protective Technology.

Detect – Develop and implement the appropriate activities to identify the occurrence of a

cybersecurity event.

The Detect Function enables timely discovery of cybersecurity events. Examples of

outcome Categories within this Function include: Anomalies and Events; Security

Continuous Monitoring; and Detection Processes.

Respond – Develop and implement the appropriate activities to take action regarding a

detected cybersecurity event.

[7] NIST developed a Compendium of informative references gathered from the Request for Information (RFI) input, Cybersecurity Framework workshops, and stakeholder engagement during the Framework development process. The Compendium includes standards, guidelines, and practices to assist with implementation. The Compendium is not intended to be an exhaustive list, but rather a starting point based on initial stakeholder input. The Compendium and other supporting material can be found at http://www.nist.gov/cyberframework/.


The Respond Function supports the ability to contain the impact of a potential

cybersecurity event. Examples of outcome Categories within this Function include:

Response Planning; Communications; Analysis; Mitigation; and Improvements.

Recover – Develop and implement the appropriate activities to maintain plans for

resilience and to restore any capabilities or services that were impaired due to a

cybersecurity event.

The Recover Function supports timely recovery to normal operations to reduce the

impact from a cybersecurity event. Examples of outcome Categories within this Function

include: Recovery Planning; Improvements; and Communications.

2.2 Framework Implementation Tiers

The Framework Implementation Tiers (“Tiers”) provide context on how an organization views

cybersecurity risk and the processes in place to manage that risk. The Tiers range from Partial

(Tier 1) to Adaptive (Tier 4) and describe an increasing degree of rigor and sophistication in

cybersecurity risk management practices and the extent to which cybersecurity risk management

is informed by business needs and is integrated into an organization’s overall risk management

practices. Risk management considerations include many aspects of cybersecurity, including the

degree to which privacy and civil liberties considerations are integrated into an organization’s

management of cybersecurity risk and potential risk responses.

The Tier selection process considers an organization’s current risk management practices, threat

environment, legal and regulatory requirements, business/mission objectives, and organizational

constraints. Organizations should determine the desired Tier, ensuring that the selected level

meets the organizational goals, is feasible to implement, and reduces cybersecurity risk to critical

assets and resources to levels acceptable to the organization. Organizations should consider

leveraging external guidance obtained from Federal government departments and agencies,

Information Sharing and Analysis Centers (ISACs), existing maturity models, or other sources to

assist in determining their desired tier.

While organizations identified as Tier 1 (Partial) are encouraged to consider moving toward Tier

2 or greater, Tiers do not represent maturity levels. Progression to higher Tiers is encouraged

when such a change would reduce cybersecurity risk and be cost effective. Successful

implementation of the Framework is based upon achievement of the outcomes described in the

organization’s Target Profile(s) and not upon Tier determination.


The Tier definitions are as follows:

Tier 1: Partial

Risk Management Process – Organizational cybersecurity risk management practices are

not formalized, and risk is managed in an ad hoc and sometimes reactive manner.

Prioritization of cybersecurity activities may not be directly informed by organizational

risk objectives, the threat environment, or business/mission requirements.

Integrated Risk Management Program – There is limited awareness of cybersecurity risk

at the organizational level and an organization-wide approach to managing cybersecurity

risk has not been established. The organization implements cybersecurity risk

management on an irregular, case-by-case basis due to varied experience or information

gained from outside sources. The organization may not have processes that enable

cybersecurity information to be shared within the organization.

External Participation – An organization may not have the processes in place to

participate in coordination or collaboration with other entities.

Tier 2: Risk Informed

Risk Management Process – Risk management practices are approved by management

but may not be established as organizational-wide policy. Prioritization of cybersecurity

activities is directly informed by organizational risk objectives, the threat environment, or

business/mission requirements.

Integrated Risk Management Program – There is an awareness of cybersecurity risk at

the organizational level but an organization-wide approach to managing cybersecurity

risk has not been established. Risk-informed, management-approved processes and

procedures are defined and implemented, and staff has adequate resources to perform

their cybersecurity duties. Cybersecurity information is shared within the organization on

an informal basis.

External Participation – The organization knows its role in the larger ecosystem, but has

not formalized its capabilities to interact and share information externally.

Tier 3: Repeatable

Risk Management Process – The organization’s risk management practices are formally

approved and expressed as policy. Organizational cybersecurity practices are regularly

updated based on the application of risk management processes to changes in

business/mission requirements and a changing threat and technology landscape.

Integrated Risk Management Program – There is an organization-wide approach to

manage cybersecurity risk. Risk-informed policies, processes, and procedures are

defined, implemented as intended, and reviewed. Consistent methods are in place to

respond effectively to changes in risk. Personnel possess the knowledge and skills to

perform their appointed roles and responsibilities.

External Participation – The organization understands its dependencies and partners and

receives information from these partners that enables collaboration and risk-based

management decisions within the organization in response to events.


Tier 4: Adaptive

Risk Management Process – The organization adapts its cybersecurity practices based on lessons learned and predictive indicators derived from previous and current cybersecurity activities. Through a process of continuous improvement incorporating advanced cybersecurity technologies and practices, the organization actively adapts to a changing cybersecurity landscape and responds to evolving and sophisticated threats in a timely manner.

Integrated Risk Management Program – There is an organization-wide approach to managing cybersecurity risk that uses risk-informed policies, processes, and procedures to address potential cybersecurity events. Cybersecurity risk management is part of the organizational culture and evolves from an awareness of previous activities, information shared by other sources, and continuous awareness of activities on their systems and networks.

External Participation – The organization manages risk and actively shares information with partners to ensure that accurate, current information is being distributed and consumed to improve cybersecurity before a cybersecurity event occurs.

2.3 Framework Profile

The Framework Profile (“Profile”) is the alignment of the Functions, Categories, and Subcategories with the business requirements, risk tolerance, and resources of the organization. A Profile enables organizations to establish a roadmap for reducing cybersecurity risk that is well aligned with organizational and sector goals, considers legal/regulatory requirements and industry best practices, and reflects risk management priorities. Given the complexity of many organizations, they may choose to have multiple profiles, aligned with particular components and recognizing their individual needs.

Framework Profiles can be used to describe the current state or the desired target state of specific cybersecurity activities. The Current Profile indicates the cybersecurity outcomes that are currently being achieved. The Target Profile indicates the outcomes needed to achieve the desired cybersecurity risk management goals. Profiles support business/mission requirements and aid in the communication of risk within and between organizations. This Framework document does not prescribe Profile templates, allowing for flexibility in implementation.

Comparison of Profiles (e.g., the Current Profile and Target Profile) may reveal gaps to be addressed to meet cybersecurity risk management objectives. An action plan to address these gaps can contribute to the roadmap described above. Prioritization of gap mitigation is driven by the organization’s business needs and risk management processes. This risk-based approach enables an organization to gauge resource estimates (e.g., staffing, funding) to achieve cybersecurity goals in a cost-effective, prioritized manner.


2.4 Coordination of Framework Implementation

Figure 2 describes a common flow of information and decisions at the following levels within an organization:

- Executive
- Business/Process
- Implementation/Operations

The executive level communicates the mission priorities, available resources, and overall risk tolerance to the business/process level. The business/process level uses the information as inputs into the risk management process, and then collaborates with the implementation/operations level to communicate business needs and create a Profile. The implementation/operations level communicates the Profile implementation progress to the business/process level. The business/process level uses this information to perform an impact assessment. Business/process level management reports the outcomes of that impact assessment to the executive level to inform the organization’s overall risk management process and to the implementation/operations level for awareness of business impact.

Figure 2: Notional Information and Decision Flows within an Organization


3.0 How to Use the Framework

An organization can use the Framework as a key part of its systematic process for identifying, assessing, and managing cybersecurity risk. The Framework is not designed to replace existing processes; an organization can use its current process and overlay it onto the Framework to determine gaps in its current cybersecurity risk approach and develop a roadmap to improvement. Utilizing the Framework as a cybersecurity risk management tool, an organization can determine activities that are most important to critical service delivery and prioritize expenditures to maximize the impact of the investment.

The Framework is designed to complement existing business and cybersecurity operations. It can serve as the foundation for a new cybersecurity program or a mechanism for improving an existing program. The Framework provides a means of expressing cybersecurity requirements to business partners and customers and can help identify gaps in an organization’s cybersecurity practices. It also provides a general set of considerations and processes for considering privacy and civil liberties implications in the context of a cybersecurity program.

The following sections present different ways in which organizations can use the Framework.

3.1 Basic Review of Cybersecurity Practices

The Framework can be used to compare an organization’s current cybersecurity activities with those outlined in the Framework Core. Through the creation of a Current Profile, organizations can examine the extent to which they are achieving the outcomes described in the Core Categories and Subcategories, aligned with the five high-level Functions: Identify, Protect, Detect, Respond, and Recover. An organization may find that it is already achieving the desired outcomes, thus managing cybersecurity commensurate with the known risk. Conversely, an organization may determine that it has opportunities to (or needs to) improve. The organization can use that information to develop an action plan to strengthen existing cybersecurity practices and reduce cybersecurity risk. An organization may also find that it is overinvesting to achieve certain outcomes. The organization can use this information to reprioritize resources to strengthen other cybersecurity practices.

While they do not replace a risk management process, these five high-level Functions will provide a concise way for senior executives and others to distill the fundamental concepts of cybersecurity risk so that they can assess how identified risks are managed, and how their organization stacks up at a high level against existing cybersecurity standards, guidelines, and practices. The Framework can also help an organization answer fundamental questions, including “How are we doing?” Then they can move in a more informed way to strengthen their cybersecurity practices where and when deemed necessary.

3.2 Establishing or Improving a Cybersecurity Program

The following steps illustrate how an organization could use the Framework to create a new cybersecurity program or improve an existing program. These steps should be repeated as necessary to continuously improve cybersecurity.


Step 1: Prioritize and Scope. The organization identifies its business/mission objectives and high-level organizational priorities. With this information, the organization makes strategic decisions regarding cybersecurity implementations and determines the scope of systems and assets that support the selected business line or process. The Framework can be adapted to support the different business lines or processes within an organization, which may have different business needs and associated risk tolerance.

Step 2: Orient. Once the scope of the cybersecurity program has been determined for the business line or process, the organization identifies related systems and assets, regulatory requirements, and overall risk approach. The organization then identifies threats to, and vulnerabilities of, those systems and assets.

Step 3: Create a Current Profile. The organization develops a Current Profile by indicating which Category and Subcategory outcomes from the Framework Core are currently being achieved.

Step 4: Conduct a Risk Assessment. This assessment could be guided by the organization’s overall risk management process or previous risk assessment activities. The organization analyzes the operational environment in order to discern the likelihood of a cybersecurity event and the impact that the event could have on the organization. It is important that organizations seek to incorporate emerging risks and threat and vulnerability data to facilitate a robust understanding of the likelihood and impact of cybersecurity events.

Step 5: Create a Target Profile. The organization creates a Target Profile that focuses on the assessment of the Framework Categories and Subcategories describing the organization’s desired cybersecurity outcomes. Organizations also may develop their own additional Categories and Subcategories to account for unique organizational risks. The organization may also consider influences and requirements of external stakeholders such as sector entities, customers, and business partners when creating a Target Profile.

Step 6: Determine, Analyze, and Prioritize Gaps. The organization compares the Current Profile and the Target Profile to determine gaps. Next it creates a prioritized action plan to address those gaps that draws upon mission drivers, a cost/benefit analysis, and understanding of risk to achieve the outcomes in the Target Profile. The organization then determines resources necessary to address the gaps. Using Profiles in this manner enables the organization to make informed decisions about cybersecurity activities, supports risk management, and enables the organization to perform cost-effective, targeted improvements.

Step 7: Implement Action Plan. The organization determines which actions to take in regards to the gaps, if any, identified in the previous step. It then monitors its current cybersecurity practices against the Target Profile. For further guidance, the Framework identifies example Informative References regarding the Categories and Subcategories, but organizations should determine which standards, guidelines, and practices, including those that are sector specific, work best for their needs.

An organization may repeat the steps as needed to continuously assess and improve its cybersecurity. For instance, organizations may find that more frequent repetition of the orient step improves the quality of risk assessments. Furthermore, organizations may monitor progress through iterative updates to the Current Profile, subsequently comparing the Current Profile to the Target Profile. Organizations may also utilize this process to align their cybersecurity program with their desired Framework Implementation Tier.

3.3 Communicating Cybersecurity Requirements with Stakeholders

The Framework provides a common language to communicate requirements among interdependent stakeholders responsible for the delivery of essential critical infrastructure services. Examples include:

- An organization may utilize a Target Profile to express cybersecurity risk management requirements to an external service provider (e.g., a cloud provider to which it is exporting data).
- An organization may express its cybersecurity state through a Current Profile to report results or to compare with acquisition requirements.
- A critical infrastructure owner/operator, having identified an external partner on whom that infrastructure depends, may use a Target Profile to convey required Categories and Subcategories.
- A critical infrastructure sector may establish a Target Profile that can be used among its constituents as an initial baseline Profile to build their tailored Target Profiles.

3.4 Identifying Opportunities for New or Revised Informative References

The Framework can be used to identify opportunities for new or revised standards, guidelines, or practices where additional Informative References would help organizations address emerging needs. An organization implementing a given Subcategory, or developing a new Subcategory, might discover that there are few Informative References, if any, for a related activity. To address that need, the organization might collaborate with technology leaders and/or standards bodies to draft, develop, and coordinate standards, guidelines, or practices.

3.5 Methodology to Protect Privacy and Civil Liberties

This section describes a methodology as required by the Executive Order to address individual privacy and civil liberties implications that may result from cybersecurity operations. This methodology is intended to be a general set of considerations and processes since privacy and civil liberties implications may differ by sector or over time and organizations may address these considerations and processes with a range of technical implementations. Nonetheless, not all activities in a cybersecurity program may give rise to these considerations. Consistent with Section 3.4, technical privacy standards, guidelines, and additional best practices may need to be developed to support improved technical implementations.

Privacy and civil liberties implications may arise when personal information is used, collected, processed, maintained, or disclosed in connection with an organization’s cybersecurity activities. Some examples of activities that bear privacy or civil liberties considerations may include: cybersecurity activities that result in the over-collection or over-retention of personal information; disclosure or use of personal information unrelated to cybersecurity activities; cybersecurity mitigation activities that result in denial of service or other similar potentially adverse impacts, including activities such as some types of incident detection or monitoring that may impact freedom of expression or association.

The government and agents of the government have a direct responsibility to protect civil liberties arising from cybersecurity activities. As referenced in the methodology below, government or agents of the government that own or operate critical infrastructure should have a process in place to support compliance of cybersecurity activities with applicable privacy laws, regulations, and Constitutional requirements.

To address privacy implications, organizations may consider how, in circumstances where such measures are appropriate, their cybersecurity program might incorporate privacy principles such as: data minimization in the collection, disclosure, and retention of personal information material related to the cybersecurity incident; use limitations outside of cybersecurity activities on any information collected specifically for cybersecurity activities; transparency for certain cybersecurity activities; individual consent and redress for adverse impacts arising from use of personal information in cybersecurity activities; data quality, integrity, and security; and accountability and auditing.

As organizations assess the Framework Core in Appendix A, the following processes and activities may be considered as a means to address the above-referenced privacy and civil liberties implications:

Governance of cybersecurity risk
- An organization’s assessment of cybersecurity risk and potential risk responses considers the privacy implications of its cybersecurity program
- Individuals with cybersecurity-related privacy responsibilities report to appropriate management and are appropriately trained
- Process is in place to support compliance of cybersecurity activities with applicable privacy laws, regulations, and Constitutional requirements
- Process is in place to assess implementation of the foregoing organizational measures and controls

Approaches to identifying and authorizing individuals to access organizational assets and systems
- Steps are taken to identify and address the privacy implications of access control measures to the extent that they involve collection, disclosure, or use of personal information

Awareness and training measures
- Applicable information from organizational privacy policies is included in cybersecurity workforce training and awareness activities
- Service providers that provide cybersecurity-related services for the organization are informed about the organization’s applicable privacy policies

Anomalous activity detection and system and assets monitoring
- Process is in place to conduct a privacy review of an organization’s anomalous activity detection and cybersecurity monitoring

Response activities, including information sharing or other mitigation efforts
- Process is in place to assess and address whether, when, how, and the extent to which personal information is shared outside the organization as part of cybersecurity information sharing activities
- Process is in place to conduct a privacy review of an organization’s cybersecurity mitigation efforts


Appendix A: Framework Core

This appendix presents the Framework Core: a listing of Functions, Categories, Subcategories, and Informative References that describe specific cybersecurity activities that are common across all critical infrastructure sectors. The chosen presentation format for the Framework Core does not suggest a specific implementation order or imply a degree of importance of the Categories, Subcategories, and Informative References. The Framework Core presented in this appendix represents a common set of activities for managing cybersecurity risk. While the Framework is not exhaustive, it is extensible, allowing organizations, sectors, and other entities to use Subcategories and Informative References that are cost-effective and efficient and that enable them to manage their cybersecurity risk. Activities can be selected from the Framework Core during the Profile creation process and additional Categories, Subcategories, and Informative References may be added to the Profile. An organization’s risk management processes, legal/regulatory requirements, business/mission objectives, and organizational constraints guide the selection of these activities during Profile creation. Personal information is considered a component of data or assets referenced in the Categories when assessing security risks and protections.

While the intended outcomes identified in the Functions, Categories, and Subcategories are the same for IT and ICS, the operational environments and considerations for IT and ICS differ. ICS have a direct effect on the physical world, including potential risks to the health and safety of individuals, and impact on the environment. Additionally, ICS have unique performance and reliability requirements compared with IT, and the goals of safety and efficiency must be considered when implementing cybersecurity measures.

For ease of use, each component of the Framework Core is given a unique identifier. Functions and Categories each have a unique alphabetic identifier, as shown in Table 1. Subcategories within each Category are referenced numerically; the unique identifier for each Subcategory is included in Table 2.

Additional supporting material relating to the Framework can be found on the NIST website at http://www.nist.gov/cyberframework/.


Table 1: Function and Category Unique Identifiers

Function Unique Identifier   Function   Category Unique Identifier   Category
ID                           Identify   ID.AM                        Asset Management
                                        ID.BE                        Business Environment
                                        ID.GV                        Governance
                                        ID.RA                        Risk Assessment
                                        ID.RM                        Risk Management Strategy
PR                           Protect    PR.AC                        Access Control
                                        PR.AT                        Awareness and Training
                                        PR.DS                        Data Security
                                        PR.IP                        Information Protection Processes and Procedures
                                        PR.MA                        Maintenance
                                        PR.PT                        Protective Technology
DE                           Detect     DE.AE                        Anomalies and Events
                                        DE.CM                        Security Continuous Monitoring
                                        DE.DP                        Detection Processes
RS                           Respond    RS.RP                        Response Planning
                                        RS.CO                        Communications
                                        RS.AN                        Analysis
                                        RS.MI                        Mitigation
                                        RS.IM                        Improvements
RC                           Recover    RC.RP                        Recovery Planning
                                        RC.IM                        Improvements
                                        RC.CO                        Communications
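Steps 3 to 6 of Section 3.2 (build a Current Profile, build a Target Profile, determine and prioritize the gaps) and the identifier scheme of Appendix A can be worked through in code. The following Python script is an added example written for this edition; it is not material from the Framework or from NIST. It validates Subcategory identifiers against the Function and Category identifiers of Table 1, compares a Current Profile with a Target Profile, ranks the gaps by a simple impact-times-shortfall-over-cost score, and lists outcomes achieved beyond what the Target Profile asks for (the overinvestment case from Section 3.1). The three-level achievement scale, the scoring formula, and the sample Profiles, impact and cost figures are assumptions made for the example; the Framework itself prescribes no Profile template.

```python
"""Current-vs-Target Profile gap analysis keyed by Framework Core identifiers.

Constructed example: the Profile contents, impact and cost figures below are
made up for illustration and are not part of the Framework document.
"""
import re
from dataclasses import dataclass

# Function and Category identifiers as listed in Table 1 of the Framework Core.
FUNCTIONS = {"ID": "Identify", "PR": "Protect", "DE": "Detect",
             "RS": "Respond", "RC": "Recover"}
CATEGORIES = {
    "ID": {"AM", "BE", "GV", "RA", "RM"},
    "PR": {"AC", "AT", "DS", "IP", "MA", "PT"},
    "DE": {"AE", "CM", "DP"},
    "RS": {"RP", "CO", "AN", "MI", "IM"},
    "RC": {"RP", "IM", "CO"},
}
# Subcategory identifier shape: <Function>.<Category>-<number>, e.g. PR.AC-4.
SUBCATEGORY_RE = re.compile(r"^([A-Z]{2})\.([A-Z]{2})-([1-9][0-9]*)$")

# Achievement levels for a Subcategory outcome. This three-step scale is an
# assumption of the example; the Framework does not prescribe a Profile template.
LEVELS = {"not_achieved": 0, "partially_achieved": 1, "achieved": 2}


def parse_subcategory(sub_id):
    """Split 'PR.AC-4' into ('PR', 'AC', 4), rejecting identifiers not in Table 1."""
    m = SUBCATEGORY_RE.match(sub_id)
    if not m:
        raise ValueError(f"malformed Subcategory identifier: {sub_id!r}")
    fn, cat, num = m.group(1), m.group(2), int(m.group(3))
    if fn not in FUNCTIONS or cat not in CATEGORIES[fn]:
        raise ValueError(f"unknown Function/Category in {sub_id!r}")
    return fn, cat, num


def is_valid_subcategory(sub_id):
    try:
        parse_subcategory(sub_id)
        return True
    except ValueError:
        return False


@dataclass(frozen=True)
class Gap:
    sub_id: str
    current: str
    target: str
    score: float  # higher means address first


def find_gaps(current, target, impact, cost):
    """Step 6: compare Current and Target Profiles and rank the gaps.

    current/target map Subcategory IDs to a LEVELS key. impact (1-5, a mission
    driver) and cost (relative effort) feed the cost/benefit ranking; both
    default to 1 for IDs they do not mention. A Subcategory absent from the
    Current Profile is treated as not achieved.
    """
    gaps = []
    for sub_id, want in target.items():
        parse_subcategory(sub_id)  # fail fast on typos such as 'PR.XX-1'
        have = current.get(sub_id, "not_achieved")
        shortfall = LEVELS[want] - LEVELS[have]
        if shortfall > 0:
            score = impact.get(sub_id, 1) * shortfall / max(cost.get(sub_id, 1), 1)
            gaps.append(Gap(sub_id, have, want, score))
    # Highest score first; tie-break on the identifier for a stable roadmap.
    return sorted(gaps, key=lambda g: (-g.score, g.sub_id))


def gaps_by_function(gaps):
    """Roll the gap list up to the five Functions for an executive-level view."""
    counts = {fn: 0 for fn in FUNCTIONS}
    for g in gaps:
        counts[parse_subcategory(g.sub_id)[0]] += 1
    return counts


def above_target(current, target):
    """Section 3.1: outcomes achieved beyond what the Target Profile asks for,
    i.e. candidates for reprioritising resources elsewhere."""
    return sorted(s for s, have in current.items()
                  if LEVELS[have] > LEVELS[target.get(s, "not_achieved")])


# Constructed sample Profiles (not taken from the Framework document).
CURRENT_PROFILE = {"ID.AM-1": "achieved", "ID.AM-2": "partially_achieved",
                   "PR.AC-4": "not_achieved", "PR.DS-1": "partially_achieved",
                   "DE.CM-1": "achieved"}
TARGET_PROFILE = {"ID.AM-1": "achieved", "ID.AM-2": "achieved",
                  "PR.AC-4": "achieved", "PR.DS-1": "achieved",
                  "RS.RP-1": "partially_achieved"}
IMPACT = {"PR.AC-4": 5, "PR.DS-1": 4, "ID.AM-2": 2, "RS.RP-1": 3}
COST = {"PR.AC-4": 2, "PR.DS-1": 4, "ID.AM-2": 1, "RS.RP-1": 1}

if __name__ == "__main__":
    ranked = find_gaps(CURRENT_PROFILE, TARGET_PROFILE, IMPACT, COST)
    for g in ranked:
        print(f"{g.sub_id:8} {g.current:>18} -> {g.target:<18} score={g.score:.1f}")
    print("gaps per Function:", gaps_by_function(ranked))
    print("above target:", above_target(CURRENT_PROFILE, TARGET_PROFILE))
```

With the sample data, PR.AC-4 (least privilege, two levels short and high impact) ranks first and PR.DS-1 last because its cost outweighs its impact; DE.CM-1 is reported as achieved beyond the target. The identifier check matters in practice because Profiles are often maintained in spreadsheets, where a mistyped Category silently drops a row from the comparison.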


Table 2: Framework Core

Columns of the original table: Function, Category, Subcategory, Informative References. Below, each Category is given with its description, and each Subcategory is followed by its Informative References separated by semicolons.

Function: IDENTIFY (ID)

Category: Asset Management (ID.AM) – The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to business objectives and the organization’s risk strategy.

ID.AM-1: Physical devices and systems within the organization are inventoried
    CCS CSC 1; COBIT 5 BAI09.01, BAI09.02; ISA 62443-2-1:2009 4.2.3.4; ISA 62443-3-3:2013 SR 7.8; ISO/IEC 27001:2013 A.8.1.1, A.8.1.2; NIST SP 800-53 Rev. 4 CM-8

ID.AM-2: Software platforms and applications within the organization are inventoried
    CCS CSC 2; COBIT 5 BAI09.01, BAI09.02, BAI09.05; ISA 62443-2-1:2009 4.2.3.4; ISA 62443-3-3:2013 SR 7.8; ISO/IEC 27001:2013 A.8.1.1, A.8.1.2; NIST SP 800-53 Rev. 4 CM-8

ID.AM-3: Organizational communication and data flows are mapped
    CCS CSC 1; COBIT 5 DSS05.02; ISA 62443-2-1:2009 4.2.3.4; ISO/IEC 27001:2013 A.13.2.1; NIST SP 800-53 Rev. 4 AC-4, CA-3, CA-9, PL-8

ID.AM-4: External information systems are catalogued
    COBIT 5 APO02.02; ISO/IEC 27001:2013 A.11.2.6; NIST SP 800-53 Rev. 4 AC-20, SA-9

ID.AM-5: Resources (e.g., hardware, devices, data, and software) are prioritized based on their classification, criticality, and business value
    COBIT 5 APO03.03, APO03.04, BAI09.02; ISA 62443-2-1:2009 4.2.3.6; ISO/IEC 27001:2013 A.8.2.1; NIST SP 800-53 Rev. 4 CP-2, RA-2, SA-14

ID.AM-6: Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g., suppliers, customers, partners) are established
    COBIT 5 APO01.02, DSS06.03; ISA 62443-2-1:2009 4.3.2.3.3; ISO/IEC 27001:2013 A.6.1.1; NIST SP 800-53 Rev. 4 CP-2, PS-7, PM-11

Category: Business Environment (ID.BE) – The organization’s mission, objectives, stakeholders, and activities are understood and prioritized; this information is used to inform cybersecurity roles, responsibilities, and risk management decisions.

ID.BE-1: The organization’s role in the supply chain is identified and communicated
    COBIT 5 APO08.04, APO08.05, APO10.03, APO10.04, APO10.05; ISO/IEC 27001:2013 A.15.1.3, A.15.2.1, A.15.2.2; NIST SP 800-53 Rev. 4 CP-2, SA-12

ID.BE-2: The organization’s place in critical infrastructure and its industry sector is identified and communicated
    COBIT 5 APO02.06, APO03.01; NIST SP 800-53 Rev. 4 PM-8

ID.BE-3: Priorities for organizational mission, objectives, and activities are established and communicated
    COBIT 5 APO02.01, APO02.06, APO03.01; ISA 62443-2-1:2009 4.2.2.1, 4.2.3.6; NIST SP 800-53 Rev. 4 PM-11, SA-14

ID.BE-4: Dependencies and critical functions for delivery of critical services are established
    ISO/IEC 27001:2013 A.11.2.2, A.11.2.3, A.12.1.3; NIST SP 800-53 Rev. 4 CP-8, PE-9, PE-11, PM-8, SA-14

ID.BE-5: Resilience requirements to support delivery of critical services are established
    COBIT 5 DSS04.02; ISO/IEC 27001:2013 A.11.1.4, A.17.1.1, A.17.1.2, A.17.2.1; NIST SP 800-53 Rev. 4 CP-2, CP-11, SA-14

Category: Governance (ID.GV) – The policies, procedures, and processes to manage and monitor the organization’s regulatory, legal, risk, environmental, and operational requirements are understood and inform the management of cybersecurity risk.

ID.GV-1: Organizational information security policy is established
    COBIT 5 APO01.03, EDM01.01, EDM01.02; ISA 62443-2-1:2009 4.3.2.6; ISO/IEC 27001:2013 A.5.1.1; NIST SP 800-53 Rev. 4 -1 controls from all families

ID.GV-2: Information security roles & responsibilities are coordinated and aligned with internal roles and external partners
    COBIT 5 APO13.12; ISA 62443-2-1:2009 4.3.2.3.3; ISO/IEC 27001:2013 A.6.1.1, A.7.2.1; NIST SP 800-53 Rev. 4 PM-1, PS-7

ID.GV-3: Legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations, are understood and managed
    COBIT 5 MEA03.01, MEA03.04; ISA 62443-2-1:2009 4.4.3.7; ISO/IEC 27001:2013 A.18.1; NIST SP 800-53 Rev. 4 -1 controls from all families (except PM-1)

ID.GV-4: Governance and risk management processes address cybersecurity risks
    COBIT 5 DSS04.02; ISA 62443-2-1:2009 4.2.3.1, 4.2.3.3, 4.2.3.8, 4.2.3.9, 4.2.3.11, 4.3.2.4.3, 4.3.2.6.3; NIST SP 800-53 Rev. 4 PM-9, PM-11

Category: Risk Assessment (ID.RA) – The organization understands the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals.

ID.RA-1: Asset vulnerabilities are identified and documented
    CCS CSC 4; COBIT 5 APO12.01, APO12.02, APO12.03, APO12.04; ISA 62443-2-1:2009 4.2.3, 4.2.3.7, 4.2.3.9, 4.2.3.12; ISO/IEC 27001:2013 A.12.6.1, A.18.2.3; NIST SP 800-53 Rev. 4 CA-2, CA-7, CA-8, RA-3, RA-5, SA-5, SA-11, SI-2, SI-4, SI-5

ID.RA-2: Threat and vulnerability information is received from information sharing forums and sources
    ISA 62443-2-1:2009 4.2.3, 4.2.3.9, 4.2.3.12; ISO/IEC 27001:2013 A.6.1.4; NIST SP 800-53 Rev. 4 PM-15, PM-16, SI-5

ID.RA-3: Threats, both internal and external, are identified and documented
    COBIT 5 APO12.01, APO12.02, APO12.03, APO12.04; ISA 62443-2-1:2009 4.2.3, 4.2.3.9, 4.2.3.12; NIST SP 800-53 Rev. 4 RA-3, SI-5, PM-12, PM-16

ID.RA-4: Potential business impacts and likelihoods are identified
    COBIT 5 DSS04.02; ISA 62443-2-1:2009 4.2.3, 4.2.3.9, 4.2.3.12; NIST SP 800-53 Rev. 4 RA-2, RA-3, PM-9, PM-11, SA-14

ID.RA-5: Threats, vulnerabilities, likelihoods, and impacts are used to determine risk
    COBIT 5 APO12.02; ISO/IEC 27001:2013 A.12.6.1; NIST SP 800-53 Rev. 4 RA-2, RA-3, PM-16

ID.RA-6: Risk responses are identified and prioritized
    COBIT 5 APO12.05, APO13.02; NIST SP 800-53 Rev. 4 PM-4, PM-9

Category: Risk Management Strategy (ID.RM) – The organization’s priorities, constraints, risk tolerances, and assumptions are established and used to support operational risk decisions.

ID.RM-1: Risk management processes are established, managed, and agreed to by organizational stakeholders
    COBIT 5 APO12.04, APO12.05, APO13.02, BAI02.03, BAI04.02; ISA 62443-2-1:2009 4.3.4.2; NIST SP 800-53 Rev. 4 PM-9

ID.RM-2: Organizational risk tolerance is determined and clearly expressed
    COBIT 5 APO12.06; ISA 62443-2-1:2009 4.3.2.6.5; NIST SP 800-53 Rev. 4 PM-9

ID.RM-3: The organization’s determination of risk tolerance is informed by its role in critical infrastructure and sector specific risk analysis
    NIST SP 800-53 Rev. 4 PM-8, PM-9, PM-11, SA-14

Function: PROTECT (PR)

Category: Access Control (PR.AC) – Access to assets and associated facilities is limited to authorized users, processes, or devices, and to authorized activities and transactions.

PR.AC-1: Identities and credentials are managed for authorized devices and users
    CCS CSC 16; COBIT 5 DSS05.04, DSS06.03; ISA 62443-2-1:2009 4.3.3.5.1; ISA 62443-3-3:2013 SR 1.1, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9; ISO/IEC 27001:2013 A.9.2.1, A.9.2.2, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3; NIST SP 800-53 Rev. 4 AC-2, IA Family

PR.AC-2: Physical access to assets is managed and protected
    COBIT 5 DSS01.04, DSS05.05; ISA 62443-2-1:2009 4.3.3.3.2, 4.3.3.3.8; ISO/IEC 27001:2013 A.11.1.1, A.11.1.2, A.11.1.4, A.11.1.6, A.11.2.3; NIST SP 800-53 Rev. 4 PE-2, PE-3, PE-4, PE-5, PE-6, PE-9

PR.AC-3: Remote access is managed
    COBIT 5 APO13.01, DSS01.04, DSS05.03; ISA 62443-2-1:2009 4.3.3.6.6; ISA 62443-3-3:2013 SR 1.13, SR 2.6; ISO/IEC 27001:2013 A.6.2.2, A.13.1.1, A.13.2.1; NIST SP 800-53 Rev. 4 AC-17, AC-19, AC-20

PR.AC-4: Access permissions are managed, incorporating the principles of least privilege and separation of duties
    CCS CSC 12, 15; ISA 62443-2-1:2009 4.3.3.7.3; ISA 62443-3-3:2013 SR 2.1; ISO/IEC 27001:2013 A.6.1.2, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4; NIST SP 800-53 Rev. 4 AC-2, AC-3, AC-5, AC-6, AC-16

PR.AC-5: Network integrity is protected, incorporating network segregation where appropriate
    ISA 62443-2-1:2009 4.3.3.4; ISA 62443-3-3:2013 SR 3.1, SR 3.8; ISO/IEC 27001:2013 A.13.1.1, A.13.1.3, A.13.2.1; NIST SP 800-53 Rev. 4 AC-4, SC-7

Category: Awareness and Training (PR.AT) – The organization’s personnel and partners are provided cybersecurity awareness education and are adequately trained to perform their information security-related duties and responsibilities consistent with related policies, procedures, and agreements.

PR.AT-1: All users are informed and trained
    CCS CSC 9; COBIT 5 APO07.03, BAI05.07; ISA 62443-2-1:2009 4.3.2.4.2; ISO/IEC 27001:2013 A.7.2.2; NIST SP 800-53 Rev. 4 AT-2, PM-13

PR.AT-2: Privileged users understand roles & responsibilities
    CCS CSC 9; COBIT 5 APO07.02, DSS06.03; ISA 62443-2-1:2009 4.3.2.4.2, 4.3.2.4.3; ISO/IEC 27001:2013 A.6.1.1, A.7.2.2; NIST SP 800-53 Rev. 4 AT-3, PM-13

PR.AT-3: Third-party stakeholders (e.g., suppliers, customers, partners) understand roles & responsibilities
    CCS CSC 9; COBIT 5 APO07.03, APO10.04, APO10.05; ISA 62443-2-1:2009 4.3.2.4.2; ISO/IEC 27001:2013 A.6.1.1, A.7.2.2; NIST SP 800-53 Rev. 4 PS-7, SA-9

PR.AT-4: Senior executives understand roles & responsibilities
    CCS CSC 9; COBIT 5 APO07.03; ISA 62443-2-1:2009 4.3.2.4.2; ISO/IEC 27001:2013 A.6.1.1, A.7.2.2; NIST SP 800-53 Rev. 4 AT-3, PM-13

PR.AT-5: Physical and information

security personnel understand roles &

responsibilities

CCS CSC 9

COBIT 5 APO07.03

ISA 62443-2-1:2009 4.3.2.4.2

ISO/IEC 27001:2013 A.6.1.1, A.7.2.2,

NIST SP 800-53 Rev. 4 AT-3, PM-13

Data Security (PR.DS): Information and records (data) are managed consistent with the organization’s risk strategy to protect the confidentiality, integrity, and availability of information.

PR.DS-1: Data-at-rest is protected
  CCS CSC 17
  COBIT 5 APO01.06, BAI02.01, BAI06.01, DSS06.06
  ISA 62443-3-3:2013 SR 3.4, SR 4.1
  ISO/IEC 27001:2013 A.8.2.3
  NIST SP 800-53 Rev. 4 SC-28

PR.DS-2: Data-in-transit is protected
  CCS CSC 17
  COBIT 5 APO01.06, DSS06.06
  ISA 62443-3-3:2013 SR 3.1, SR 3.8, SR 4.1, SR 4.2
  ISO/IEC 27001:2013 A.8.2.3, A.13.1.1, A.13.2.1, A.13.2.3, A.14.1.2, A.14.1.3
  NIST SP 800-53 Rev. 4 SC-8

PR.DS-3: Assets are formally managed throughout removal, transfers, and disposition
  COBIT 5 BAI09.03
  ISA 62443-2-1:2009 4.3.3.3.9, 4.3.4.4.1
  ISA 62443-3-3:2013 SR 4.2
  ISO/IEC 27001:2013 A.8.2.3, A.8.3.1, A.8.3.2, A.8.3.3, A.11.2.7
  NIST SP 800-53 Rev. 4 CM-8, MP-6, PE-16

PR.DS-4: Adequate capacity to ensure availability is maintained
  COBIT 5 APO13.01
  ISA 62443-3-3:2013 SR 7.1, SR 7.2
  ISO/IEC 27001:2013 A.12.3.1
  NIST SP 800-53 Rev. 4 AU-4, CP-2, SC-5

PR.DS-5: Protections against data leaks are implemented
  CCS CSC 17
  COBIT 5 APO01.06
  ISA 62443-3-3:2013 SR 5.2
  ISO/IEC 27001:2013 A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3
  NIST SP 800-53 Rev. 4 AC-4, AC-5, AC-6, PE-19, PS-3, PS-6, SC-7, SC-8, SC-13, SC-31, SI-4

PR.DS-6: Integrity checking mechanisms are used to verify software, firmware, and information integrity
  ISA 62443-3-3:2013 SR 3.1, SR 3.3, SR 3.4, SR 3.8
  ISO/IEC 27001:2013 A.12.2.1, A.12.5.1, A.14.1.2, A.14.1.3
  NIST SP 800-53 Rev. 4 SI-7

PR.DS-7: The development and testing environment(s) are separate from the production environment
  COBIT 5 BAI07.04
  ISO/IEC 27001:2013 A.12.1.4
  NIST SP 800-53 Rev. 4 CM-2
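Added example for PR.DS-6 (integrity checking), not from the Framework text: it builds a SHA-256 manifest of a directory tree, seals the manifest with a keyed HMAC so that an attacker who can rewrite files cannot silently rewrite the manifest as well, and re-verifies the tree after simulated tampering. The directory layout, file contents and the key are constructed inside a temporary directory for illustration.

```python
"""Added example for PR.DS-6: hash-manifest integrity checking with a sealed manifest.

Not part of the Framework text; paths, contents and the HMAC key below are
constructed for illustration.
"""
import hashlib
import hmac
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=65536):
    """SHA-256 of a file, read in chunks so large files are not loaded whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root):
    """Map every regular file under root (POSIX-style relative path) to its hash."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def seal_manifest(manifest, key):
    """Keyed tag over the manifest; without the key a file-writing attacker cannot forge it."""
    body = "\n".join(f"{h}  {name}" for name, h in sorted(manifest.items())).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def seal_is_valid(manifest, key, tag):
    return hmac.compare_digest(seal_manifest(manifest, key), tag)


def verify_tree(root, manifest):
    """Compare the tree against the manifest; report modified, missing and unexpected files."""
    current = build_manifest(root)
    modified = [n for n in manifest if n in current
                and not hmac.compare_digest(current[n], manifest[n])]
    missing = [n for n in manifest if n not in current]
    unexpected = [n for n in current if n not in manifest]
    return {"ok": not (modified or missing or unexpected),
            "modified": modified, "missing": missing, "unexpected": unexpected}


def demo(key=b"constructed-demo-key-real-keys-never-live-in-source"):
    """Build a small tree, seal its manifest, tamper with the tree, and re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "backup.sh").write_bytes(
            b"#!/bin/sh\ntar czf /backups/ledger.tgz /srv/ledger\n")
        (root / "config.ini").write_bytes(b"[portal]\nmfa = required\n")

        manifest = build_manifest(root)
        tag = seal_manifest(manifest, key)
        clean = verify_tree(root, manifest)

        # Simulated tampering: a weakened setting, a dropped binary, a deleted
        # script, and an attempt to "fix" the manifest entry without the key.
        (root / "config.ini").write_bytes(b"[portal]\nmfa = off\n")
        (root / "bin" / "helper.so").write_bytes(b"\x7fELF")
        (root / "bin" / "backup.sh").unlink()
        forged = dict(manifest, **{"config.ini": sha256_file(root / "config.ini")})

        return {
            "clean": clean,
            "tampered": verify_tree(root, manifest),
            "seal_accepts_original": seal_is_valid(manifest, key, tag),
            "seal_accepts_forged": seal_is_valid(forged, key, tag),
        }


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

The manifest and its key must live somewhere the monitored system cannot write (a separate host, read-only media, or a signing key held by a different role); a manifest stored next to the files it describes only detects accidental change, not an attacker who controls the box.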

Information Protection Processes and Procedures (PR.IP): Security policies (that address purpose, scope, roles, responsibilities, management commitment, and coordination among organizational entities), processes, and procedures are maintained and used to manage protection of information systems and assets.

PR.IP-1: A baseline configuration of information technology/industrial control systems is created and maintained
  CCS CSC 3, 10
  COBIT 5 BAI10.01, BAI10.02, BAI10.03, BAI10.05
  ISA 62443-2-1:2009 4.3.4.3.2, 4.3.4.3.3
  ISA 62443-3-3:2013 SR 7.6
  ISO/IEC 27001:2013 A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4
  NIST SP 800-53 Rev. 4 CM-2, CM-3, CM-4, CM-5, CM-6, CM-7, CM-9, SA-10

PR.IP-2: A System Development Life Cycle to manage systems is implemented
  COBIT 5 APO13.01
  ISA 62443-2-1:2009 4.3.4.3.3
  ISO/IEC 27001:2013 A.6.1.5, A.14.1.1, A.14.2.1, A.14.2.5
  NIST SP 800-53 Rev. 4 SA-3, SA-4, SA-8, SA-10, SA-11, SA-12, SA-15, SA-17, PL-8

PR.IP-3: Configuration change control processes are in place
  COBIT 5 BAI06.01, BAI01.06
  ISA 62443-2-1:2009 4.3.4.3.2, 4.3.4.3.3
  ISA 62443-3-3:2013 SR 7.6
  ISO/IEC 27001:2013 A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4
  NIST SP 800-53 Rev. 4 CM-3, CM-4, SA-10

PR.IP-4: Backups of information are conducted, maintained, and tested periodically
  COBIT 5 APO13.01
  ISA 62443-2-1:2009 4.3.4.3.9
  ISA 62443-3-3:2013 SR 7.3, SR 7.4
  ISO/IEC 27001:2013 A.12.3.1, A.17.1.2, A.17.1.3, A.18.1.3
  NIST SP 800-53 Rev. 4 CP-4, CP-6, CP-9

PR.IP-5: Policy and regulations regarding the physical operating environment for organizational assets are met
  COBIT 5 DSS01.04, DSS05.05
  ISA 62443-2-1:2009 4.3.3.3.1, 4.3.3.3.2, 4.3.3.3.3, 4.3.3.3.5, 4.3.3.3.6
  ISO/IEC 27001:2013 A.11.1.4, A.11.2.1, A.11.2.2, A.11.2.3
  NIST SP 800-53 Rev. 4 PE-10, PE-12, PE-13, PE-14, PE-15, PE-18

PR.IP-6: Data is destroyed according to policy
  COBIT 5 BAI09.03
  ISA 62443-2-1:2009 4.3.4.4.4
  ISA 62443-3-3:2013 SR 4.2
  ISO/IEC 27001:2013 A.8.2.3, A.8.3.1, A.8.3.2, A.11.2.7
  NIST SP 800-53 Rev. 4 MP-6

PR.IP-7: Protection processes are continuously improved
  COBIT 5 APO11.06, DSS04.05
  ISA 62443-2-1:2009 4.4.3.1, 4.4.3.2, 4.4.3.3, 4.4.3.4, 4.4.3.5, 4.4.3.6, 4.4.3.7, 4.4.3.8
  NIST SP 800-53 Rev. 4 CA-2, CA-7, CP-2, IR-8, PL-2, PM-6

PR.IP-8: Effectiveness of protection technologies is shared with appropriate parties
  ISO/IEC 27001:2013 A.16.1.6
  NIST SP 800-53 Rev. 4 AC-21, CA-7, SI-4

PR.IP-9: Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed
  COBIT 5 DSS04.03
  ISA 62443-2-1:2009 4.3.2.5.3, 4.3.4.5.1
  ISO/IEC 27001:2013 A.16.1.1, A.17.1.1, A.17.1.2
  NIST SP 800-53 Rev. 4 CP-2, IR-8

PR.IP-10: Response and recovery plans are tested
  ISA 62443-2-1:2009 4.3.2.5.7, 4.3.4.5.11
  ISA 62443-3-3:2013 SR 3.3
  ISO/IEC 27001:2013 A.17.1.3
  NIST SP 800-53 Rev. 4 CP-4, IR-3, PM-14

PR.IP-11: Cybersecurity is included in human resources practices (e.g., deprovisioning, personnel screening)
  COBIT 5 APO07.01, APO07.02, APO07.03, APO07.04, APO07.05
  ISA 62443-2-1:2009 4.3.3.2.1, 4.3.3.2.2, 4.3.3.2.3
  ISO/IEC 27001:2013 A.7.1.1, A.7.3.1, A.8.1.4
  NIST SP 800-53 Rev. 4 PS Family

PR.IP-12: A vulnerability management plan is developed and implemented
  ISO/IEC 27001:2013 A.12.6.1, A.18.2.2
  NIST SP 800-53 Rev. 4 RA-3, RA-5, SI-2

Maintenance (PR.MA): Maintenance and repairs of industrial control and information system components are performed consistent with policies and procedures.

PR.MA-1: Maintenance and repair of organizational assets is performed and logged in a timely manner, with approved and controlled tools
  COBIT 5 BAI09.03
  ISA 62443-2-1:2009 4.3.3.3.7
  ISO/IEC 27001:2013 A.11.1.2, A.11.2.4, A.11.2.5
  NIST SP 800-53 Rev. 4 MA-2, MA-3, MA-5

PR.MA-2: Remote maintenance of organizational assets is approved, logged, and performed in a manner that prevents unauthorized access
  COBIT 5 DSS05.04
  ISA 62443-2-1:2009 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.4.4.6.8
  ISO/IEC 27001:2013 A.11.2.4, A.15.1.1, A.15.2.1
  NIST SP 800-53 Rev. 4 MA-4

Protective Technology (PR.PT): Technical security solutions are managed to ensure the security and resilience of systems and assets, consistent with related policies, procedures, and agreements.

PR.PT-1: Audit/log records are determined, documented, implemented, and reviewed in accordance with policy
  CCS CSC 14
  COBIT 5 APO11.04
  ISA 62443-2-1:2009 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4
  ISA 62443-3-3:2013 SR 2.8, SR 2.9, SR 2.10, SR 2.11, SR 2.12
  ISO/IEC 27001:2013 A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1
  NIST SP 800-53 Rev. 4 AU Family

PR.PT-2: Removable media is protected and its use restricted according to policy
  COBIT 5 DSS05.02, APO13.01
  ISA 62443-3-3:2013 SR 2.3
  ISO/IEC 27001:2013 A.8.2.2, A.8.2.3, A.8.3.1, A.8.3.3, A.11.2.9
  NIST SP 800-53 Rev. 4 MP-2, MP-4, MP-5, MP-7

PR.PT-3: Access to systems and assets is controlled, incorporating the principle of least functionality
  COBIT 5 DSS05.02
  ISA 62443-2-1:2009 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4
  ISA 62443-3-3:2013 SR 1.1, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7
  ISO/IEC 27001:2013 A.9.1.2
  NIST SP 800-53 Rev. 4 AC-3, CM-7

PR.PT-4: Communications and control networks are protected
  CCS CSC 7
  COBIT 5 DSS05.02, APO13.01
  ISA 62443-3-3:2013 SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6
  ISO/IEC 27001:2013 A.13.1.1, A.13.2.1
  NIST SP 800-53 Rev. 4 AC-4, AC-17, AC-18, CP-8, SC-7

DETECT (DE)

Anomalies and Events (DE.AE): Anomalous activity is detected in a timely manner and the potential impact of events is understood.

DE.AE-1: A baseline of network operations and expected data flows for users and systems is established and managed
  COBIT 5 DSS03.01
  ISA 62443-2-1:2009 4.4.3.3
  NIST SP 800-53 Rev. 4 AC-4, CA-3, CM-2, SI-4

DE.AE-2: Detected events are analyzed to understand attack targets and methods
  ISA 62443-2-1:2009 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8
  ISA 62443-3-3:2013 SR 2.8, SR 2.9, SR 2.10, SR 2.11, SR 2.12, SR 3.9, SR 6.1, SR 6.2
  ISO/IEC 27001:2013 A.16.1.1, A.16.1.4
  NIST SP 800-53 Rev. 4 AU-6, CA-7, IR-4, SI-4

DE.AE-3: Event data are aggregated and correlated from multiple sources and sensors
  ISA 62443-3-3:2013 SR 6.1
  NIST SP 800-53 Rev. 4 AU-6, CA-7, IR-4, IR-5, IR-8, SI-4

DE.AE-4: Impact of events is determined
  COBIT 5 APO12.06
  NIST SP 800-53 Rev. 4 CP-2, IR-4, RA-3, SI-4

DE.AE-5: Incident alert thresholds are established
  COBIT 5 APO12.06
  ISA 62443-2-1:2009 4.2.3.10
  NIST SP 800-53 Rev. 4 IR-4, IR-5, IR-8
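Added example, not from the Framework, that puts DE.AE-1, DE.AE-3, DE.AE-4 and DE.AE-5 together in working code: a baseline of expected flows, correlation of a firewall log and a portal authentication log on source address, a failed-login threshold applied over a sliding window, and an impact rating based on which assets the off-baseline traffic reached. The log formats, addresses, baseline, threshold and asset list are all constructed for a hypothetical small office network.

```python
"""Added example for DE.AE-1/3/4/5: baseline, cross-source correlation,
alert threshold and impact rating. Not from the Framework; the log format,
addresses, baseline and threshold are constructed for illustration."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# DE.AE-1: expected flows (src, dst, dport) for a constructed small office network.
BASELINE_FLOWS = {
    ("10.0.1.20", "10.0.2.5", 443),   # office workstation -> resident portal
    ("10.0.1.20", "10.0.2.9", 445),   # office workstation -> file server
    ("10.0.2.5", "10.0.2.7", 5432),   # portal -> ledger database
}
# DE.AE-4: assets whose compromise carries high impact (constructed).
CRITICAL_ASSETS = {"10.0.2.7": "ledger database", "10.0.2.9": "file server"}
# DE.AE-5: failed logins from one source within WINDOW that trigger an alert.
FAILED_LOGIN_THRESHOLD = 5
WINDOW = timedelta(minutes=10)

FW_RE = re.compile(r"^(?P<ts>\S+) fw ALLOW src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")
AUTH_RE = re.compile(r"^(?P<ts>\S+) portal login (?P<result>ok|failed) user=(?P<user>\S+) from=(?P<src>\S+)$")

# Constructed sample logs (two sources, one attacker host 10.0.1.77).
FIREWALL_LOG = """\
2018-04-03T09:00:01 fw ALLOW src=10.0.1.20 dst=10.0.2.5 dport=443
2018-04-03T09:00:05 fw ALLOW src=10.0.1.20 dst=10.0.2.9 dport=445
2018-04-03T09:02:10 fw ALLOW src=10.0.1.77 dst=10.0.2.5 dport=443
2018-04-03T09:07:30 fw ALLOW src=10.0.1.77 dst=10.0.2.7 dport=5432
2018-04-03T09:09:00 fw ALLOW src=10.0.1.20 dst=10.0.2.9 dport=22
"""
AUTH_LOG = """\
2018-04-03T09:00:02 portal login ok user=manager from=10.0.1.20
2018-04-03T09:02:11 portal login failed user=treasurer from=10.0.1.77
2018-04-03T09:02:40 portal login failed user=treasurer from=10.0.1.77
2018-04-03T09:03:05 portal login failed user=treasurer from=10.0.1.77
2018-04-03T09:03:30 portal login failed user=treasurer from=10.0.1.77
2018-04-03T09:04:00 portal login failed user=treasurer from=10.0.1.77
2018-04-03T09:04:20 portal login failed user=treasurer from=10.0.1.77
2018-04-03T09:08:50 portal login failed user=manager from=10.0.1.20
"""


def parse(text, pattern):
    """Parse one log source; lines that do not match the format are skipped, not guessed."""
    events = []
    for line in text.splitlines():
        m = pattern.match(line)
        if m:
            d = m.groupdict()
            d["ts"] = datetime.fromisoformat(d["ts"])
            if "dport" in d:
                d["dport"] = int(d["dport"])
            events.append(d)
    return events


def failed_logins_in_window(auth_events):
    """Peak number of failed logins per source inside any WINDOW-long span."""
    per_src = defaultdict(list)
    for e in auth_events:
        if e["result"] == "failed":
            per_src[e["src"]].append(e["ts"])
    peaks = {}
    for src, times in per_src.items():
        times.sort()
        best, start = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > WINDOW:
                start += 1
            best = max(best, end - start + 1)
        peaks[src] = best
    return peaks


def correlate(fw_text=FIREWALL_LOG, auth_text=AUTH_LOG):
    """DE.AE-3: join both sources on source address and rate each source."""
    fw = parse(fw_text, FW_RE)
    auth = parse(auth_text, AUTH_RE)
    peaks = failed_logins_in_window(auth)
    off_baseline = defaultdict(list)
    for e in fw:
        if (e["src"], e["dst"], e["dport"]) not in BASELINE_FLOWS:
            off_baseline[e["src"]].append((e["dst"], e["dport"]))

    alerts = {}
    for src in set(peaks) | set(off_baseline):
        failed = peaks.get(src, 0)
        flows = off_baseline.get(src, [])
        over_threshold = failed >= FAILED_LOGIN_THRESHOLD
        touched_critical = any(dst in CRITICAL_ASSETS for dst, _ in flows)
        if over_threshold and touched_critical:
            severity = "high"      # credential guessing followed by reach into a critical asset
        elif over_threshold or touched_critical:
            severity = "medium"
        elif flows:
            severity = "low"       # unexpected flow only
        else:
            continue               # a few failures with normal traffic: below threshold
        alerts[src] = {"failed_logins": failed, "off_baseline_flows": flows, "severity": severity}
    return alerts


if __name__ == "__main__":
    for src, alert in sorted(correlate().items()):
        print(src, alert)
```

Neither source alone tells the story: the authentication log shows a burst of failures, the firewall log shows a connection to the database host, and only joining them on the source address (and knowing that host is not in the baseline) turns two low-grade events into one high-severity alert.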

Security Continuous Monitoring (DE.CM): The information system and assets are monitored at discrete intervals to identify cybersecurity events and verify the effectiveness of protective measures.

DE.CM-1: The network is monitored to detect potential cybersecurity events
  CCS CSC 14, 16
  COBIT 5 DSS05.07
  ISA 62443-3-3:2013 SR 6.2
  NIST SP 800-53 Rev. 4 AC-2, AU-12, CA-7, CM-3, SC-5, SC-7, SI-4

DE.CM-2: The physical environment is monitored to detect potential cybersecurity events
  ISA 62443-2-1:2009 4.3.3.3.8
  NIST SP 800-53 Rev. 4 CA-7, PE-3, PE-6, PE-20

DE.CM-3: Personnel activity is monitored to detect potential cybersecurity events
  ISA 62443-3-3:2013 SR 6.2
  ISO/IEC 27001:2013 A.12.4.1
  NIST SP 800-53 Rev. 4 AC-2, AU-12, AU-13, CA-7, CM-10, CM-11

DE.CM-4: Malicious code is detected
  CCS CSC 5
  COBIT 5 DSS05.01
  ISA 62443-2-1:2009 4.3.4.3.8
  ISA 62443-3-3:2013 SR 3.2
  ISO/IEC 27001:2013 A.12.2.1
  NIST SP 800-53 Rev. 4 SI-3

DE.CM-5: Unauthorized mobile code is detected
  ISA 62443-3-3:2013 SR 2.4
  ISO/IEC 27001:2013 A.12.5.1
  NIST SP 800-53 Rev. 4 SC-18, SI-4, SC-44

DE.CM-6: External service provider activity is monitored to detect potential cybersecurity events
  COBIT 5 APO07.06
  ISO/IEC 27001:2013 A.14.2.7, A.15.2.1
  NIST SP 800-53 Rev. 4 CA-7, PS-7, SA-4, SA-9, SI-4

DE.CM-7: Monitoring for unauthorized personnel, connections, devices, and software is performed
  NIST SP 800-53 Rev. 4 AU-12, CA-7, CM-3, CM-8, PE-3, PE-6, PE-20, SI-4

DE.CM-8: Vulnerability scans are performed
  COBIT 5 BAI03.10
  ISA 62443-2-1:2009 4.2.3.1, 4.2.3.7
  ISO/IEC 27001:2013 A.12.6.1
  NIST SP 800-53 Rev. 4 RA-5

Detection Processes (DE.DP): Detection processes and procedures are maintained and tested to ensure timely and adequate awareness of anomalous events.

DE.DP-1: Roles and responsibilities for detection are well defined to ensure accountability
  CCS CSC 5
  COBIT 5 DSS05.01
  ISA 62443-2-1:2009 4.4.3.1
  ISO/IEC 27001:2013 A.6.1.1
  NIST SP 800-53 Rev. 4 CA-2, CA-7, PM-14

DE.DP-2: Detection activities comply with all applicable requirements
  ISA 62443-2-1:2009 4.4.3.2
  ISO/IEC 27001:2013 A.18.1.4
  NIST SP 800-53 Rev. 4 CA-2, CA-7, PM-14, SI-4

DE.DP-3: Detection processes are tested
  COBIT 5 APO13.02
  ISA 62443-2-1:2009 4.4.3.2
  ISA 62443-3-3:2013 SR 3.3
  ISO/IEC 27001:2013 A.14.2.8
  NIST SP 800-53 Rev. 4 CA-2, CA-7, PE-3, PM-14, SI-3, SI-4

DE.DP-4: Event detection information is communicated to appropriate parties
  COBIT 5 APO12.06
  ISA 62443-2-1:2009 4.3.4.5.9
  ISA 62443-3-3:2013 SR 6.1
  ISO/IEC 27001:2013 A.16.1.2
  NIST SP 800-53 Rev. 4 AU-6, CA-2, CA-7, RA-5, SI-4

DE.DP-5: Detection processes are continuously improved
  COBIT 5 APO11.06, DSS04.05
  ISA 62443-2-1:2009 4.4.3.4
  ISO/IEC 27001:2013 A.16.1.6
  NIST SP 800-53 Rev. 4 CA-2, CA-7, PL-2, RA-5, SI-4, PM-14


RESPOND (RS)

Response Planning (RS.RP): Response processes and procedures are executed and maintained, to ensure timely response to detected cybersecurity events.

RS.RP-1: Response plan is executed during or after an event
  COBIT 5 BAI01.10
  CCS CSC 18
  ISA 62443-2-1:2009 4.3.4.5.1
  ISO/IEC 27001:2013 A.16.1.5
  NIST SP 800-53 Rev. 4 CP-2, CP-10, IR-4, IR-8

Communications (RS.CO): Response activities are coordinated with internal and external stakeholders, as appropriate, to include external support from law enforcement agencies.

RS.CO-1: Personnel know their roles and order of operations when a response is needed
  ISA 62443-2-1:2009 4.3.4.5.2, 4.3.4.5.3, 4.3.4.5.4
  ISO/IEC 27001:2013 A.6.1.1, A.16.1.1
  NIST SP 800-53 Rev. 4 CP-2, CP-3, IR-3, IR-8

RS.CO-2: Events are reported consistent with established criteria
  ISA 62443-2-1:2009 4.3.4.5.5
  ISO/IEC 27001:2013 A.6.1.3, A.16.1.2
  NIST SP 800-53 Rev. 4 AU-6, IR-6, IR-8

RS.CO-3: Information is shared consistent with response plans
  ISA 62443-2-1:2009 4.3.4.5.2
  ISO/IEC 27001:2013 A.16.1.2
  NIST SP 800-53 Rev. 4 CA-2, CA-7, CP-2, IR-4, IR-8, PE-6, RA-5, SI-4

RS.CO-4: Coordination with stakeholders occurs consistent with response plans
  ISA 62443-2-1:2009 4.3.4.5.5
  NIST SP 800-53 Rev. 4 CP-2, IR-4, IR-8

RS.CO-5: Voluntary information sharing occurs with external stakeholders to achieve broader cybersecurity situational awareness
  NIST SP 800-53 Rev. 4 PM-15, SI-5

Analysis (RS.AN): Analysis is conducted to ensure adequate response and support recovery activities.

RS.AN-1: Notifications from detection systems are investigated
  COBIT 5 DSS02.07
  ISA 62443-2-1:2009 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8
  ISA 62443-3-3:2013 SR 6.1
  ISO/IEC 27001:2013 A.12.4.1, A.12.4.3, A.16.1.5
  NIST SP 800-53 Rev. 4 AU-6, CA-7, IR-4, IR-5, PE-6, SI-4

RS.AN-2: The impact of the incident is understood
  ISA 62443-2-1:2009 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8
  ISO/IEC 27001:2013 A.16.1.6
  NIST SP 800-53 Rev. 4 CP-2, IR-4

RS.AN-3: Forensics are performed
  ISA 62443-3-3:2013 SR 2.8, SR 2.9, SR 2.10, SR 2.11, SR 2.12, SR 3.9, SR 6.1
  ISO/IEC 27001:2013 A.16.1.7
  NIST SP 800-53 Rev. 4 AU-7, IR-4

RS.AN-4: Incidents are categorized consistent with response plans
  ISA 62443-2-1:2009 4.3.4.5.6
  ISO/IEC 27001:2013 A.16.1.4
  NIST SP 800-53 Rev. 4 CP-2, IR-4, IR-5, IR-8

Mitigation (RS.MI): Activities are performed to prevent expansion of an event, mitigate its effects, and eradicate the incident.

RS.MI-1: Incidents are contained
  ISA 62443-2-1:2009 4.3.4.5.6
  ISA 62443-3-3:2013 SR 5.1, SR 5.2, SR 5.4
  ISO/IEC 27001:2013 A.16.1.5
  NIST SP 800-53 Rev. 4 IR-4

RS.MI-2: Incidents are mitigated
  ISA 62443-2-1:2009 4.3.4.5.6, 4.3.4.5.10
  ISO/IEC 27001:2013 A.12.2.1, A.16.1.5
  NIST SP 800-53 Rev. 4 IR-4

RS.MI-3: Newly identified vulnerabilities are mitigated or documented as accepted risks
  ISO/IEC 27001:2013 A.12.6.1
  NIST SP 800-53 Rev. 4 CA-7, RA-3, RA-5

Improvements (RS.IM): Organizational response activities are improved by incorporating lessons learned from current and previous detection/response activities.

RS.IM-1: Response plans incorporate lessons learned
  COBIT 5 BAI01.13
  ISA 62443-2-1:2009 4.3.4.5.10, 4.4.3.4
  ISO/IEC 27001:2013 A.16.1.6
  NIST SP 800-53 Rev. 4 CP-2, IR-4, IR-8

RS.IM-2: Response strategies are updated
  NIST SP 800-53 Rev. 4 CP-2, IR-4, IR-8

RECOVER (RC)

Recovery Planning (RC.RP): Recovery processes and procedures are executed and maintained to ensure timely restoration of systems or assets affected by cybersecurity events.

RC.RP-1: Recovery plan is executed during or after an event
  CCS CSC 8
  COBIT 5 DSS02.05, DSS03.04
  ISO/IEC 27001:2013 A.16.1.5
  NIST SP 800-53 Rev. 4 CP-10, IR-4, IR-8

Improvements (RC.IM): Recovery planning and processes are improved by incorporating lessons learned into future activities.

RC.IM-1: Recovery plans incorporate lessons learned
  COBIT 5 BAI05.07
  ISA 62443-2-1:2009 4.4.3.4
  NIST SP 800-53 Rev. 4 CP-2, IR-4, IR-8

RC.IM-2: Recovery strategies are updated
  COBIT 5 BAI07.08
  NIST SP 800-53 Rev. 4 CP-2, IR-4, IR-8

Communications (RC.CO): Restoration activities are coordinated with internal and external parties, such as coordinating centers, Internet Service Providers, owners of attacking systems, victims, other CSIRTs, and vendors.

RC.CO-1: Public relations are managed
  COBIT 5 EDM03.02

RC.CO-2: Reputation after an event is repaired
  COBIT 5 MEA03.02

RC.CO-3: Recovery activities are communicated to internal stakeholders and executive and management teams
  NIST SP 800-53 Rev. 4 CP-2, IR-4

Information regarding Informative References described in Appendix A may be found at the following locations:

Control Objectives for Information and Related Technology (COBIT): http://www.isaca.org/COBIT/Pages/default.aspx

Council on CyberSecurity (CCS) Top 20 Critical Security Controls (CSC): http://www.counciloncybersecurity.org

ANSI/ISA-62443-2-1 (99.02.01)-2009, Security for Industrial Automation and Control Systems: Establishing an Industrial Automation and Control Systems Security Program: http://www.isa.org/Template.cfm?Section=Standards8&Template=/Ecommerce/ProductDisplay.cfm&ProductID=10243

ANSI/ISA-62443-3-3 (99.03.03)-2013, Security for Industrial Automation and Control Systems: System Security Requirements and Security Levels: http://www.isa.org/Template.cfm?Section=Standards2&template=/Ecommerce/ProductDisplay.cfm&ProductID=13420

ISO/IEC 27001, Information technology -- Security techniques -- Information security management systems -- Requirements: http://www.iso.org/iso/home/store/catalogue_ics/catalogue_detail_ics.htm?csnumber=54534

NIST SP 800-53 Rev. 4: NIST Special Publication 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations, April 2013 (including updates as of January 15, 2014). http://dx.doi.org/10.6028/NIST.SP.800-53r4

Mappings between the Framework Core Subcategories and the specified sections in the Informative References represent a general correspondence and are not intended to definitively determine whether the specified sections in the Informative References provide the desired Subcategory outcome.


Appendix B: Glossary

This appendix defines selected terms used in the publication.

Category: The subdivision of a Function into groups of cybersecurity outcomes, closely tied to programmatic needs and particular activities. Examples of Categories include “Asset Management,” “Access Control,” and “Detection Processes.”

Critical Infrastructure: Systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on cybersecurity, national economic security, national public health or safety, or any combination of those matters.

Cybersecurity: The process of protecting information by preventing, detecting, and responding to attacks.

Cybersecurity Event: A cybersecurity change that may have an impact on organizational operations (including mission, capabilities, or reputation).

Detect (function): Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.

Framework: A risk-based approach to reducing cybersecurity risk composed of three parts: the Framework Core, the Framework Profile, and the Framework Implementation Tiers. Also known as the “Cybersecurity Framework.”

Framework Core: A set of cybersecurity activities and references that are common across critical infrastructure sectors and are organized around particular outcomes. The Framework Core comprises four types of elements: Functions, Categories, Subcategories, and Informative References.

Framework Implementation Tier: A lens through which to view the characteristics of an organization’s approach to risk—how an organization views cybersecurity risk and the processes in place to manage that risk.

Framework Profile: A representation of the outcomes that a particular system or organization has selected from the Framework Categories and Subcategories.

Function: One of the main components of the Framework. Functions provide the highest level of structure for organizing basic cybersecurity activities into Categories and Subcategories. The five functions are Identify, Protect, Detect, Respond, and Recover.

Identify (function): Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.

Informative Reference: A specific section of standards, guidelines, and practices common among critical infrastructure sectors that illustrates a method to achieve the outcomes associated with each Subcategory. An example of an Informative Reference is ISO/IEC 27001 Control A.10.8.3, which supports the “Data-in-transit is protected” Subcategory of the “Data Security” Category in the “Protect” function.

Mobile Code: A program (e.g., script, macro, or other portable instruction) that can be shipped unchanged to a heterogeneous collection of platforms and executed with identical semantics.

Protect (function): Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services.

Privileged User: A user that is authorized (and, therefore, trusted) to perform security-relevant functions that ordinary users are not authorized to perform.

Recover (function): Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event.

Respond (function): Develop and implement the appropriate activities to take action regarding a detected cybersecurity event.

Risk: A measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function of: (i) the adverse impacts that would arise if the circumstance or event occurs; and (ii) the likelihood of occurrence.

Risk Management: The process of identifying, assessing, and responding to risk.

Subcategory: The subdivision of a Category into specific outcomes of technical and/or management activities. Examples of Subcategories include “External information systems are catalogued,” “Data-at-rest is protected,” and “Notifications from detection systems are investigated.”


Appendix C: Acronyms

This appendix defines selected acronyms used in the publication.

CCS Council on CyberSecurity

COBIT Control Objectives for Information and Related Technology

DCS Distributed Control System

DHS Department of Homeland Security

EO Executive Order

ICS Industrial Control Systems

IEC International Electrotechnical Commission

IR Interagency Report

ISA International Society of Automation

ISAC Information Sharing and Analysis Center

ISO International Organization for Standardization

IT Information Technology

NIST National Institute of Standards and Technology

RFI Request for Information

RMP Risk Management Process

SCADA Supervisory Control and Data Acquisition

SP Special Publication