DIGITAL SURVIVAL MANUAL
What Every Community Association Needs to Know About Data Protection in the Age of Hacking and Cyber Crime
by
Matthew C. Collins, Esq., Stark & Stark
Tuesday, April 3, 2018
2018 Annual Condo Staff Training Symposium
CAI Regional Council: Philadelphia
www.Stark-Stark.com • 1-800-53-LEGAL • [email protected]
TABLE OF CONTENTS
1. Commonwealth v. Uber Technologies, Inc.
2. Small Business Guide: Formulating a Comprehensive Written Information Security Program. Massachusetts Office of Consumer Affairs & Business Regulation.
3. Information Security & Breach Notification Guidance. Illinois Attorney General.
4. Best Practices for Victim Response & Reporting of Cyber Incidents. U.S. Department of Justice, Cybersecurity Unit.
5. Framework for Improving Critical Infrastructure Cybersecurity. National Institute of Standards & Technology.
Case ID: 180300004
Filed and Attested by the Office of Judicial Records
05 MAR 2018 09:08 am, M. BRYANT
COMMONWEALTH OF MASSACHUSETTS
OFFICE OF CONSUMER AFFAIRS AND BUSINESS REGULATION
10 Park Plaza – Suite 5170, Boston MA 02116 (617) 973-8700 FAX (617) 973-8799
www.mass.gov/consumer
DEVAL L. PATRICK GOVERNOR
TIMOTHY P. MURRAY LIEUTENANT GOVERNOR
GREGORY BIALECKI SECRETARY OF HOUSING AND
ECONOMIC DEVELOPMENT
BARBARA ANTHONY
UNDERSECRETARY
A Small Business Guide:
Formulating A Comprehensive Written Information Security Program
While the contents of any comprehensive written information security program required
by 201 CMR 17.00 must always satisfy the detailed provisions of those regulations; and while
the development of each individual program will take into account (i) the size, scope and type of
business of the person obligated to safeguard the personal information under such comprehensive
information security program, (ii) the amount of resources available to such person, (iii) the
amount of stored data, and (iv) the need for security and confidentiality of both consumer and
employee information, the Office of Consumer Affairs and Business Regulation is issuing this
guide to help small businesses in their compliance efforts. This Guide is not a substitute for
compliance with 201 CMR 17.00. It is simply a tool designed to aid in the development of a
written information security program for a small business, including the self-employed, that
handles “personal information.”
Bear in mind that wherever there is a conflict between this guide and the
provisions of 201 CMR 17.00, it is the latter that governs. We set out below this “guide” to
devising a security program (references below to “we” and “our” are references to the small
business to whom the real WISP will relate):
COMPREHENSIVE WRITTEN INFORMATION SECURITY PROGRAM
I. OBJECTIVE:
Our objective, in the development and implementation of this comprehensive written
information security program (“WISP”), is to create effective administrative, technical and
physical safeguards for the protection of personal information of residents of the Commonwealth
of Massachusetts, and to comply with obligations under 201 CMR 17.00. The WISP sets forth
our procedure for evaluating our electronic and physical methods of accessing, collecting,
storing, using, transmitting, and protecting personal information of residents of the
Commonwealth of Massachusetts. For purposes of this WISP, “personal information” means a
Massachusetts resident's first name and last name or first initial and last name in combination
with any one or more of the following data elements that relate to such resident: (a) Social
Security number; (b) driver's license number or state-issued identification card number; or (c)
financial account number, or credit or debit card number, with or without any required security
code, access code, personal identification number or password, that would permit access to a
resident’s financial account; provided, however, that “personal information” shall not include
information that is lawfully obtained from publicly available information, or from federal, state
or local government records lawfully made available to the general public.
II. PURPOSE:
The purpose of the WISP is to:
(a) Ensure the security and confidentiality of personal information;
(b) Protect against any anticipated threats or hazards to the security or integrity of such
information; and
(c) Protect against unauthorized access to or use of such information in a manner that creates a
substantial risk of identity theft or fraud.
III. SCOPE:
In formulating and implementing the WISP, (1) identify reasonably foreseeable internal
and external risks to the security, confidentiality, and/or integrity of any electronic, paper or
other records containing personal information; (2) assess the likelihood and potential damage of
these threats, taking into consideration the sensitivity of the personal information; (3) evaluate
the sufficiency of existing policies, procedures, customer information systems, and other
safeguards in place to control risks; (4) design and implement a WISP that puts safeguards in
place to minimize those risks, consistent with the requirements of 201 CMR 17.00; and (5)
regularly monitor the effectiveness of those safeguards.
IV. DATA SECURITY COORDINATOR:
We have designated ____________________ to implement, supervise and maintain the
WISP. That designated employee (the “Data Security Coordinator”) will be responsible for:
a. Initial implementation of the WISP;
b. Training employees;
c. Regular testing of the WISP’s safeguards;
d. Evaluating the ability of each of our third party service providers to implement and maintain
appropriate security measures for the personal information to which we have permitted them
access, consistent with 201 CMR 17.00; and requiring such third party service providers by
contract to implement and maintain appropriate security measures.
e. Reviewing the scope of the security measures in the WISP at least annually, or whenever there
is a material change in our business practices that may implicate the security or integrity of
records containing personal information.
f. Conducting an annual training session for all owners, managers, employees and independent
contractors, including temporary and contract employees who have access to personal
information on the elements of the WISP. All attendees at such training sessions are required to
certify their attendance at the training, and their familiarity with the firm’s requirements for
ensuring the protection of personal information.
V. INTERNAL RISKS:
To combat internal risks to the security, confidentiality, and/or integrity of any electronic,
paper or other records containing personal information, and to evaluate and improve, where
necessary, the effectiveness of the current safeguards for limiting such risks, the following
measures are mandatory and are effective immediately. To the extent that any of these measures
require a phase-in period, such phase-in must be completed on or before March 1, 2010:
Internal Threats
A copy of the WISP must be distributed to each employee who shall,
upon receipt of the WISP, acknowledge in writing that he/she has received
a copy of the WISP.
There must be immediate retraining of employees on the detailed
provisions of the WISP.
Employment contracts must be amended immediately to require all
employees to comply with the provisions of the WISP, and to prohibit any
nonconforming use of personal information during or after employment;
with mandatory disciplinary action to be taken for violation of security
provisions of the WISP (The nature of the disciplinary measures may depend
on a number of factors including the nature of the violation and the nature
of the personal information affected by the violation).
The amount of personal information collected should be limited to
that amount reasonably necessary to accomplish our legitimate business
purposes, or necessary to us to comply with other state or federal
regulations.
Access to records containing personal information shall be limited
to those persons who are reasonably required to know such information in
order to accomplish our legitimate business purpose or to enable us to
comply with other state or federal regulations.
Electronic access to user identification after multiple unsuccessful
attempts to gain access must be blocked.
All security measures shall be reviewed at least annually, or
whenever there is a material change in our business practices that may
reasonably implicate the security or integrity of records containing
personal information. The Data Security Coordinator shall be responsible
for this review and shall fully apprise management of the results of that
review and any recommendations for improved security arising out of that
review.
Terminated employees must return all records containing personal
information, in any form, that may at the time of such termination be in
the former employee’s possession (including all such information stored
on laptops or other portable devices or media, and in files, records, work
papers, etc.).
A terminated employee’s physical and electronic access to
personal information must be immediately blocked. Such terminated
employee shall be required to surrender all keys, IDs or access codes or
badges, business cards, and the like, that permit access to the firm’s
premises or information. Moreover, such terminated employee’s remote
electronic access to personal information must be disabled; his/her
voicemail access, e-mail access, internet access, and passwords must be
invalidated. The Data Security Coordinator shall maintain a highly
secured master list of all lock combinations, passwords and keys.
Current employees’ user IDs and passwords must be changed
periodically.
Access to personal information shall be restricted to active users
and active user accounts only.
Employees are encouraged to report any suspicious or
unauthorized use of customer information.
Whenever there is an incident that requires notification under
M.G.L. c. 93H, §3, there shall be an immediate mandatory post-incident
review of events and actions taken, if any, with a view to determining
whether any changes in our security practices are required to improve the
security of personal information for which we are responsible.
Employees are prohibited from keeping open files containing
personal information on their desks when they are not at their desks.
At the end of the work day, all files and other records containing
personal information must be secured in a manner that is consistent with
the WISP’s rules for protecting the security of personal information.
Each department shall develop rules (bearing in mind the business
needs of that department) that ensure that reasonable restrictions upon
physical access to records containing personal information are in place,
including a written procedure that sets forth the manner in which physical
access to such records in that department is to be restricted; and each
department must store such records and data in locked facilities, secure
storage areas or locked containers.
Access to electronically stored personal information shall be
electronically limited to those employees having a unique log-in ID; and
re-log-in shall be required when a computer has been inactive for more
than a few minutes.
Visitors’ access must be restricted to one entry point for each
building in which personal information is stored, and visitors shall be
required to present a photo ID, sign-in and wear a plainly visible
“GUEST” badge or tag. Visitors shall not be permitted to visit unescorted
any area within our premises that contains personal information.
Paper or electronic records (including records stored on hard
drives or other electronic media) containing personal information shall be
disposed of only in a manner that complies with M.G.L. c. 93I.
VI. EXTERNAL RISKS
To combat external risks to the security, confidentiality, and/or integrity of any
electronic, paper or other records containing personal information, and to evaluate and
improve, where necessary, the effectiveness of the current safeguards for limiting such risks,
the following measures must be completed on or before March 1, 2010:
External Threats
There must be reasonably up-to-date firewall protection and
operating system security patches, reasonably designed to maintain the
integrity of the personal information, installed on all systems processing
personal information.
There must be reasonably up-to-date versions of system security
agent software which must include malware protection and reasonably
up-to-date patches and virus definitions, installed on all systems
processing personal information.
To the extent technically feasible, all personal information stored
on laptops or other portable devices must be encrypted, as must all records
and files transmitted across public networks or wirelessly, to the extent
technically feasible. Encryption here means the transformation of data into
a form in which meaning cannot be assigned without the use of a confidential
process or key, unless further defined by regulation by the Office of Consumer Affairs
and Business Regulation.
All computer systems must be monitored for unauthorized use of or
access to personal information.
There must be secure user authentication protocols in place, including:
(1) protocols for control of user IDs and other identifiers; (2) a reasonably
secure method of assigning and selecting passwords, or use of unique identifier
technologies, such as biometrics or token devices; (3) control of data security
passwords to ensure that such passwords are kept in a location.
Information Security and Security Breach Notification Guidance | 1
INFORMATION SECURITY AND SECURITY BREACH NOTIFICATION GUIDANCE
Preventing, Preparing for, and Responding to Breaches of Information Security
The Office of Illinois Attorney General Lisa Madigan has created this guide for businesses and governmental agencies in Illinois subject to the Personal Information Protection Act. The Illinois Personal Information Protection Act requires notification to Illinois residents in the event of an unauthorized acquisition of their personal information.
Entities that collect, maintain, store, use, and ultimately dispose of personal information should take steps to protect that information and reduce the risk of suffering a security breach. Although it may be impossible to prevent every breach, good data security can reduce the likelihood of some breaches, thereby helping entities to avoid the costly notification process.
This guide is meant to provide guidance, and not to provide legal advice. It is also important to recognize that due to the ever-changing aspect of information security and technology, more may be required of businesses and governmental agencies than is explained in this guide.
Businesses and governmental agencies are encouraged to stay abreast of industry best practices for data security and prevention of data breaches.
This guide begins by providing guidance for strong data security practices. Because not all prevention is fool-proof, it then provides information on how to plan ahead so that a response plan can be implemented immediately upon discovery of a breach. It then provides guidance for responding to breaches and complying with the Personal Information Protection Act.
PREVENTING SECURITY BREACHES
Safeguarding sensitive data in files and on computers makes good business sense. After all, if that information falls into the wrong hands, it can lead to fraud or identity theft. A sound data security plan is built on the following five key principles: (1) take stock; (2) scale down; (3) lock it; (4) pitch it; and (5) plan ahead.
TAKE STOCK
Know what personal information you have in your files and on your computers. Understanding how personal information moves into, through, and out of your business and who has—or could have—access to it is essential to assessing security vulnerabilities. Conduct a thorough information assessment of all departments and divisions within your business or governmental agency.
When conducting the information assessment, you should follow these steps:
• Review human resources and personnel records and files and determine what personal employee information is collected, used, maintained, and stored.
• Review internal forms and computer systems that are used by employees for expense reports, trainings, reimbursement requests, and other administrative functions.
• Review all requests for personal information from clients, customers, vendors, and the general public.
SCALE DOWN
Keep only what you need for your business. If you don’t have a legitimate business need for sensitive personally identifiable information, don’t keep it. Maintaining Social Security numbers (SSNs) on personnel records is required for tax purposes and may be required for other purposes. Other uses may not be required and can be phased out as appropriate.
In order to reduce unnecessary reliance on personal information, especially SSNs, consider phasing out the use of personal information, especially SSNs, for administrative purposes and internal identification; explore the feasibility of replacing the SSN with a unique identification number; and if you determine that you do not need an SSN from clients, customers, vendors, or the general public with which you do business or interact, change your forms so that the SSN is not being requested.
LOCK IT
Protect the information that you keep. This includes physical and electronic security, and employee training regarding the handling of the information.
Physical and Electronic Security
• Know where sensitive customer information is stored and store it securely. Make sure only authorized employees have access. For example:
  o Ensure that storage areas are protected against destruction or damage from physical hazards, like fire or floods.
  o Store records in a room or cabinet that is locked when unattended.
• When customer information is stored on a server or other computer, ensure that the computer is accessible only with a strong password and is kept in a physically secure area.
• Change default passwords on all software.
• Where possible, avoid storing sensitive customer data on a computer with an Internet connection.
• Implement strong access controls. For example:
  o Limit access to customer information to employees who have a business reason to see it. For example, give employees who respond to customer inquiries access to customer files, but only to the extent they need it to do their jobs.
  o Control access to sensitive information by requiring employees to use “strong” passwords that must be changed on a regular basis. Strong passwords are a minimum of eight characters in length, and contain numeric characters, symbols, and a mixture of upper- and lower-case alphabetic characters. An employee’s username and password should never be the same.
• Develop policies for employees who telecommute or travel often.
  o Consider whether or how employees should be allowed to keep or access customer data at home.
  o Require employees who use personal computers to store or access customer data to use protections against viruses, spyware, and other unauthorized intrusions.
  o Allow remote access only with two-factor authentication where one of the factors is provided by a device separate from the computer gaining access.
• Maintain secure backup records and keep archived data secure by storing it off-line and in a physically secure area.
• Maintain a careful inventory of your company’s computers and any other equipment on which customer information may be stored.
• Encrypt, using National Institute of Standards and Technology (NIST) certified cryptographic modules, all data on mobile computers/devices carrying sensitive data and all data that is transmitted via public networks.
• Use a “time-out” function for all internal computers that house sensitive information, remote access, and mobile devices. Time-out functions require users to re-authenticate after periods of inactivity.
• Log all computer-readable data extracts from databases holding sensitive information and verify each extract. Logs should be reviewed and inappropriate data extracts should be further investigated.
• Ensure all individuals with authorized access to personally identifiable information and their supervisors sign a document clearly describing their responsibilities.
• Maintain current updates to all software.
• Maintain strong firewalls, anti-virus, and anti-spyware protections.
• Do not allow employees to download and utilize peer-to-peer (P2P) software.
• Develop policies for appropriate use and protection of laptops, PDAs, cell phones, or other mobile devices.
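The password, lockout and time-out rules above (and the Massachusetts WISP's rule that access be blocked after multiple unsuccessful attempts and re-login required after a few minutes of inactivity) can be enforced mechanically. The module below is an added example, not code from either guide; the character rules are the Illinois guide's, while the lockout threshold of five attempts and the five-minute idle limit are assumed values, since neither guide gives a number.

```python
"""Added example: enforce the Illinois guide's strong-password rules plus
the Massachusetts WISP's failed-attempt lockout and inactivity re-login.
Numeric thresholds are assumptions, not values from either guide."""
import re
from dataclasses import dataclass
from typing import List, Optional

MIN_LENGTH = 8                   # from the guide: minimum of eight characters
MAX_FAILED_ATTEMPTS = 5          # assumption: guide says only "multiple unsuccessful attempts"
IDLE_TIMEOUT_SECONDS = 5 * 60    # assumption: WISP says "more than a few minutes"


def password_policy_violations(username: str, password: str) -> List[str]:
    """Return every rule the candidate password breaks; an empty list means compliant."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[0-9]", password):
        problems.append("no numeric character")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no symbol")
    if not (re.search(r"[a-z]", password) and re.search(r"[A-Z]", password)):
        problems.append("not a mixture of upper- and lower-case letters")
    if password.casefold() == username.casefold():
        problems.append("password must never equal the username")
    return problems


@dataclass
class AccountState:
    """Per-account state a login service keeps to apply the lockout and time-out rules."""
    username: str
    failed_attempts: int = 0
    locked: bool = False
    last_activity: Optional[float] = None   # epoch seconds of last successful auth/activity


def record_login_attempt(state: AccountState, succeeded: bool, now: float) -> str:
    """Apply the lockout rule; returns 'ok', 'failed' or 'locked'."""
    if state.locked:
        return "locked"                      # locked accounts stay locked even on a correct password
    if succeeded:
        state.failed_attempts = 0            # a good login resets the counter
        state.last_activity = now
        return "ok"
    state.failed_attempts += 1
    if state.failed_attempts >= MAX_FAILED_ATTEMPTS:
        state.locked = True                  # requires an administrator (Data Security Coordinator) to clear
        return "locked"
    return "failed"


def session_still_valid(state: AccountState, now: float) -> bool:
    """Inactivity time-out: the session is valid only within IDLE_TIMEOUT_SECONDS of last activity."""
    if state.locked or state.last_activity is None:
        return False
    return (now - state.last_activity) <= IDLE_TIMEOUT_SECONDS


if __name__ == "__main__":
    # Constructed sample inputs for a quick demonstration.
    print(password_policy_violations("jsmith", "jsmith"))      # breaks every rule
    print(password_policy_violations("jsmith", "Tr0ub4dor&3"))  # compliant -> []
    acct = AccountState("jsmith")
    for _ in range(MAX_FAILED_ATTEMPTS):
        print(record_login_attempt(acct, False, 0.0))
    print(record_login_attempt(acct, True, 1.0))                # still "locked"
```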
Security for Transmission of Payment Information
The Payment Card Industry (PCI) standards require businesses to maintain secure networks and dictate the proper storage and destruction of transmittable payment information. By complying with the PCI Data Security Standards, merchants and service providers not only meet their obligations to the payment system, but also build a culture of security that benefits everyone. The PCI Data Security Standards consist of twelve basic requirements categorized as follows:
Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need to know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
Maintain an Information Security Policy
12. Maintain a policy that addresses information security for all personnel
Employee Training
Employees with access to sensitive personal information must be trusted to maintain that information without taking advantage of their position. By some accounts, employee theft is a major cause of security breaches and subsequent identity theft. It is important to take the following steps to keep information out of the hands of rogue employees who steal or sell information:
• Check references or order background checks before hiring employees who will have access to customer information.
• Ask every new employee to sign an agreement to follow your company’s confidentiality and security standards for handling customer information.
• Train employees to take basic steps to maintain the security, confidentiality, and integrity of customer information, including:
  o Lock rooms and file cabinets where records are kept;
  o Do not share or openly post employee passwords in work areas;
  o Protect laptops, PDAs, cell phones, and other mobile devices according to policy;
  o Refer calls or other requests for customer information to designated individuals who have been trained in how your company safeguards personal data; and
  o Report suspicious attempts to obtain customer information to designated personnel.
• Regularly remind all employees of your company’s policy—and the legal requirement—to keep customer information secure and confidential. For example, consider posting reminders about their responsibility for security in areas where customer information is stored, like file rooms.
• Impose disciplinary measures for security policy violations.
• Prevent terminated employees from accessing customer information by immediately deactivating their passwords and user names and taking other appropriate measures.
PITCH IT
Dispose of customer information in a secure way. For example:
• Consider designating or hiring a records retention manager to supervise the disposal of records containing customer information. If you hire an outside disposal company, conduct due diligence beforehand by checking references or requiring that the company be certified by a recognized industry group.
• Burn, pulverize, or shred papers containing customer information so that the information cannot be read or reconstructed.
• Destroy or erase data when disposing of computers, disks, CDs, magnetic tapes, hard drives, laptops, PDAs, cell phones, or any other electronic media or hardware containing customer information.
Proper Disposal
As of January 1, 2012, the Illinois Personal Information Protection Act requires the proper disposal of materials containing personal information. Proper disposal of material that contains personal information is a necessary step in protecting individuals against identity theft and financial fraud. Incidents of identity theft occur when “dumpster divers” find troves of valuable personal information in publicly available garbage bins. In addition, personal information left on computers and other electronic media can be accessed and misused with relative ease.
• A person must dispose of the materials containing personal information in a manner that renders the personal information unreadable, unusable, and undecipherable. Proper disposal methods include, but are not limited to, the following:
  o Paper documents containing personal information may be either redacted, burned, pulverized, or shredded so that personal information cannot practicably be read or reconstructed.
  o Electronic media and other non-paper media containing personal information may be destroyed or erased so that personal information cannot practicably be read or reconstructed.
• “Person” means: a natural person; a corporation, partnership, association, or other legal entity; a unit of local government or any agency, department, division, bureau, board, commission, or committee thereof; or the State of Illinois or any constitutional officer, agency, department, division, bureau, board, commission, or committee thereof.
• Any person disposing of materials containing personal information may contract with a third party to dispose of such materials in accordance with this Section. Any third party that contracts with a person to dispose of materials containing personal information must implement and monitor compliance with policies and procedures that prohibit unauthorized access to, acquisition of, or use of personal information during the collection, transportation, and disposal of materials containing personal information.
PREPARING FOR SECURITY BREACHES
Even entities that take all appropriate precautions against security breaches may find themselves in the unenviable position of learning that sensitive personal information has been lost, stolen, or otherwise accessed inappropriately. A company or agency should not be caught off guard when a breach is discovered. In order to ensure compliance with breach notification laws, and to provide all affected individuals an opportunity to protect against identity theft, it is important that all entities establish a plan for responding to breaches. For that reason, the Federal Trade Commission (FTC) identifies “plan ahead” as the fifth key principle for a strong data security plan. Planning ahead can be part of a larger information security program.
INFORMATION SECURITY PROGRAMS
Federal law imposes data storage and destruction requirements on financial institutions and creditors who access consumer credit reports. As part of its implementation of the Gramm-Leach-Bliley (GLB) Act and the Fair Credit Reporting Act (FCRA), the FTC issued the Safeguards Rule, which requires financial institutions and users of credit reports under FTC jurisdiction to have measures in place to keep customer information secure.
The Safeguards Rule requires entities to establish, maintain, and update individual Information Security Programs. The Safeguards Rule can be used as a model for all businesses and governmental agencies. In creating an Information Security Program, consideration should be paid to the following steps:
• Designate an employee or employees to coordinate the information security program.
• Identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assess the sufficiency of any safeguards in place to control these risks. At a minimum, such a risk assessment should include consideration of risks in each area of operations, including:
  o Employee training and management;
  o Information systems, including network and software design, as well as information processing, storage, transmission, and disposal; and
  o Detecting, preventing, and responding to attacks, intrusions, or other systems failures.
• Design and implement information safeguards to control the risks identified through risk assessment, and regularly test or otherwise monitor the effectiveness of the safeguards’ key controls, systems, and procedures.
• Oversee service providers, by:
  o Taking reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for the customer information at issue; and
  o Requiring service providers by contract to implement and maintain such safeguards.
• Evaluate and adjust the information security program in light of the results of testing and monitoring; any material changes to business operations or business arrangements; or any other circumstances that may have a material impact on the information security program.
• PLAN AHEAD. Create a plan to respond to security incidents. The Government Accountability Office recommends that government agencies develop a plan to respond to security breaches. Private entities should establish plans in line with these same recommendations:
  o Develop a uniform response policy and standard operating procedures for data breach response capabilities.
  o Identify a core response group that can be convened in the event of a breach to evaluate the situation and help guide further response.
    • Train employees to notify the appropriate personnel in the event of lost or compromised data. If a problem has been detected, it must be reported to the appropriate member of the response group so that a response can be implemented.
  o Conduct risk analyses to determine when to offer credit monitoring and when to contract for an alternative form of monitoring.
    • Credit monitoring may not be appropriate in all breach situations. Many consumers have come to expect some offer of free credit monitoring, though. Before a breach occurs, talk to private companies that offer credit monitoring to discuss your options.
  o Implement an announcement strategy in preparing for inquiries about the incident by considering a call center staffed with individuals prepared to answer the most frequently asked questions.
    • A call center may be appropriate where large amounts of data are compromised and notification is sent nationwide. Many businesses and agencies do not have the capability to respond to thousands of inquiries.
  o Require service providers and business partners who handle personal information for the agency to follow the agency’s security policies and procedures.
Information Security and Security Breach Notification Guidance | 7
RESPONDING TO SECURITY BREACHES
Businesses and government agencies learn of security breaches in a variety of ways. For example, an employee may notify his supervisor that a laptop containing sensitive customer data was lost or stolen. Information technology, properly monitoring its intrusion detection systems, may learn that an unauthorized individual has accessed the computer network. The business or agency may learn that a rogue employee has been selling data to identity thieves. There are many different ways that sensitive personal information belonging to employees, clients, customers, or consumers can be compromised. Regardless of the type of breach, the following steps should be taken upon discovery of a breach.
1. Implement the appropriate incident response plan.
  a. Notify the appropriate internal response team of the nature of the breach.
  ***Note: It is important that every employee understands what security incidents need to be reported, and to whom they should be reported. A response plan cannot be implemented without the proper individuals first having sufficient knowledge of a problem.
  b. Assess what happened and follow your pre-set plan.
  ***Note: Following the pre-set plan may include setting up a call center and establishing credit monitoring service for affected individuals. It may also include notifying the three major credit reporting agencies of the breach.
2. Secure the data immediately.
  a. Contact your information technology department and determine how to secure the data so that the minimum amount of data is compromised.
  b. Take all appropriate measures to secure the data.
3. Involve law enforcement immediately.
  a. Once the data is secure and isolated, if necessary, contact your local police, the FBI, or the U.S. Secret Service.
  ***Note: It might be prudent to notify law enforcement first, if an intruder has hacked into your computer network and you suspect that the intruder is still present in the system. Although you do not want additional information to be compromised, you also want to give law enforcement an opportunity to learn more about the thief while he is actively stealing data.
  b. Cooperate in any law enforcement investigation.
4. Consider hiring an outside forensic analyst to determine the extent of the breach and the individuals affected.
5. If you are handling the data for another entity, immediately contact that entity and any other entities from which you may have obtained the data.
  a. The Illinois law requires the entity that owns or licenses the data to notify affected individuals. The entity that maintains the data must report any breach to the owner/licenser of the data, which in turn will notify affected individuals.
6. Notify consumers about the breach without unreasonable delay.
  a. Notification can be delayed upon request by law enforcement.
7. Consider notifying the Illinois Attorney General’s Identity Theft Hotline.
  a. Although notification to the Office of the Attorney General is not required, it may help affected individuals to know that they can turn to the Identity Theft Hotline for assistance. Notifying the Attorney General’s Office before giving out the Identity Theft Hotline number will help us better prepare for the influx of calls.
ILLINOIS LAW REQUIRING NOTIFICATION IN THE EVENT OF A SECURITY BREACH
Personal Information Protection Act, 815 ILCS 530/
Security Breach
“Breach of the security of the system data” means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the data collector. “Breach of the security of the system data” does not include good faith acquisition of personal information by an employee or agent of the data collector for a legitimate purpose of the data collector, provided that the personal information is not used for a purpose unrelated to the data collector’s business or subject to further unauthorized disclosure.
Type of Information
“Personal information” means an individual’s first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted:
1. Social Security number.
2. Driver’s license number or State identification card number.
3. Account number or credit or debit card number, or an account number or credit card number in combination with any required security code, access code, or password that would permit access to an individual’s financial account.
“Personal information” does not include publicly available information that is lawfully made available to the general public from federal, State, or local government records.
***Note: If the breach involves the unauthorized acquisition of protected health information, notification may be required under the federal Health Insurance Portability and Accountability Act (HIPAA).
Whom to Notify
Any Illinois resident whose personal information has been breached. Any data collector that owns or licenses personal information concerning an Illinois resident shall notify the resident at no charge that there has been a breach of the security of the system data following discovery or notification of the breach.
*** Note: State agencies that collect personal information concerning an Illinois resident must notify the resident where there has been a breach of written material in addition to computerized data. There is a distinction here between data collectors and State agencies.
When to Notify
The disclosure notification shall be made in the most expedient time possible and without unreasonable delay, consistent with any measures necessary to determine the scope of the breach and restore the reasonable integrity, security, and confidentiality of the data system.
The notification may be delayed if an appropriate law enforcement agency determines that notification will interfere with a criminal investigation and provides the data collector with a written request for the delay. However, the data collector must notify the Illinois resident as soon as notification will no longer interfere with the investigation.
How to Notify
Notice to consumers may be provided by one of the following methods:
1. Written notice;
2. Electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures for notices legally required to be in writing as set forth in Section 7001 of Title 15 of the United States Code; or
3. Substitute notice, if the data collector demonstrates that the cost of providing notice would exceed $250,000 or that the affected class of subject persons to be notified exceeds 500,000, or the data collector does not have sufficient contact information. Substitute notice shall consist of all of the following:
  (i) e-mail notice if the data collector has an e-mail address for the subject persons;
  (ii) conspicuous posting of the notice on the data collector’s Web site if the data collector maintains one; and
  (iii) notification to major statewide media.
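As an added illustration (it is not part of the Illinois guidance or of the statute), the following Python encodes the definition of “personal information” quoted above and the substitute-notice thresholds from the “How to Notify” list as checks a response team could run over an inventory of exposed fields. The record layout, the field names, and the sample exposure are assumptions constructed for the example; whether an electronic notice is consistent with 15 U.S.C. § 7001 is outside what the code checks.

```python
"""Breach-notification triage helper modelled on the Illinois PIPA text quoted above.

Added example, not an official implementation: the record layout, field names,
and sample data are assumptions for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

# Data elements that, combined with a name, make a record "personal information"
# under the quoted definition (815 ILCS 530/).
SENSITIVE_KINDS = {
    "ssn",              # Social Security number
    "drivers_license",  # driver's license number
    "state_id",         # State identification card number
    "account_number",   # financial account number
    "card_number",      # credit or debit card number
}

# Substitute-notice thresholds exactly as stated in the "How to Notify" list.
SUBSTITUTE_NOTICE_COST_USD = 250_000
SUBSTITUTE_NOTICE_CLASS_SIZE = 500_000


@dataclass(frozen=True)
class Element:
    kind: str
    encrypted: bool = False
    redacted: bool = False

    def in_clear(self) -> bool:
        return not (self.encrypted or self.redacted)


@dataclass
class ExposedRecord:
    """What was exposed for one individual (constructed structure for the example)."""
    first_name_or_initial: Optional[str]
    last_name: Optional[str]
    name_encrypted: bool = False
    name_redacted: bool = False
    elements: list[Element] = field(default_factory=list)
    publicly_available: bool = False  # lawfully public government-record data

    def name_in_clear(self) -> bool:
        return not (self.name_encrypted or self.name_redacted)


def is_personal_information(rec: ExposedRecord) -> bool:
    """Apply the quoted definition: first name or initial plus last name, combined
    with at least one listed element, when either the name or the elements are
    not encrypted or redacted. Publicly available government-record data is excluded."""
    if rec.publicly_available:
        return False
    if not (rec.first_name_or_initial and rec.last_name):
        return False
    listed = [e for e in rec.elements if e.kind in SENSITIVE_KINDS]
    if not listed:
        return False
    elements_in_clear = any(e.in_clear() for e in listed)
    return rec.name_in_clear() or elements_in_clear


def substitute_notice_allowed(cost_usd: float, affected_count: int,
                              has_contact_info: bool) -> bool:
    """Substitute notice is available when the cost of notice would exceed $250,000,
    the affected class exceeds 500,000, or sufficient contact information is lacking."""
    return (cost_usd > SUBSTITUTE_NOTICE_COST_USD
            or affected_count > SUBSTITUTE_NOTICE_CLASS_SIZE
            or not has_contact_info)


def substitute_notice_components(has_email_addresses: bool, has_website: bool) -> list[str]:
    """The parts of substitute notice that apply; statewide media is always required."""
    parts = []
    if has_email_addresses:
        parts.append("e-mail notice")
    if has_website:
        parts.append("conspicuous posting on the data collector's Web site")
    parts.append("notification to major statewide media")
    return parts


def triage(records: list[ExposedRecord], cost_usd: float, has_contact_info: bool) -> dict:
    """Count records that meet the definition and say whether substitute notice is open."""
    notifiable = [r for r in records if is_personal_information(r)]
    return {
        "notifiable": len(notifiable),
        "substitute_notice_allowed": substitute_notice_allowed(
            cost_usd, len(notifiable), has_contact_info),
    }


# Constructed sample exposure (not real data): rows recovered from a stolen spreadsheet.
SAMPLE_RECORDS = [
    ExposedRecord("J.", "Doe", elements=[Element("ssn")]),                         # clear name, clear SSN
    ExposedRecord("Maria", "Lopez", elements=[Element("ssn", encrypted=True)]),    # name still in clear
    ExposedRecord("Ann", "Li", name_encrypted=True,
                  elements=[Element("card_number", encrypted=True)]),             # both encrypted
    ExposedRecord("Bob", "Ray", elements=[Element("email_address")]),              # element not listed
]

if __name__ == "__main__":
    print(triage(SAMPLE_RECORDS, cost_usd=1_000, has_contact_info=True))
```

The second sample record is the case worth noticing: the quoted definition turns on the name or the elements being in the clear, so encrypting the SSN column alone does not take the row outside the definition.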
Other Legal Requirements
Any State agency that collects personal data and has had a breach of security of the system data or written material shall submit a report within 5 business days of the discovery or notification of the breach to the General Assembly listing the breaches and outlining any corrective measures that have been taken to prevent future breaches of the security of the system data or written material. Any State agency that has submitted a report under this Section shall submit an annual report listing all breaches of security of the system data or written materials and the corrective measures that have been taken to prevent future breaches.
Any Illinois State agency that collects personal data that is no longer needed or stored at the agency shall dispose of the personal data or written material it has collected in such a manner as to ensure the security and confidentiality of the material.
A data collector that does not own or license the data shall provide such notification of the breach to the owner or licensee. In addition, the data collector shall cooperate with the owner or licensee in matters relating to the breach. That cooperation shall include, but need not be limited to, (i) informing the owner or licensee of the breach, including giving notice of the date or approximate date of the breach and the nature of the breach, and (ii) informing the owner or licensee of any steps the data collector has taken or plans to take relating to the breach.
Practical Considerations for Notification of the Breach
• What does the law require the letter to include? The disclosure notification to an Illinois resident shall include, but need not be limited to:
  o The toll-free numbers and addresses for consumer reporting agencies:
    - Equifax: 1-800-525-6285; www.equifax.com; P.O. Box 740241, Atlanta, GA 30374-0241
    - Experian: 1-888-EXPERIAN (397-3742); www.experian.com; P.O. Box 9532, Allen, TX 75013
    - TransUnion: 1-800-680-7289; www.transunion.com; Fraud Victim Assistance Division, P.O. Box 6790, Fullerton, CA 92834-6790
  o The toll-free number, address, and Web site address for the Federal Trade Commission.
  o A statement that the individual can obtain information from these sources about fraud alerts and security freezes.
• What other information could be helpful to include in the letter? Entities sending notification letters should also consider including the following information:
  o What happened;
  o What information was believed to be accessed;
  o Whether law enforcement has been notified and the status of any criminal investigation, including whether any arrests have been made;
  o How consumers can protect themselves against identity theft;
  o What consumers should look for to determine if they have become victims, including:
    • Receiving credit cards you did not apply for;
    • Being denied credit, or offered credit at less favorable terms for no apparent reason;
    • Receiving calls or letters from debt collectors or businesses about merchandise or services you did not buy;
    • Missing bills and other pieces of mail.
  o What steps consumers should take if they become victims of identity theft, including:
    • Contact the Attorney General’s Identity Theft Hotline at 1-866-999-5630 for further advice on protecting yourself from identity theft.
    • Check with your creditors. Work with your credit card companies, banks, and other lenders to determine if any suspicious or unauthorized activity has occurred on your accounts.
    • Cancel credit cards whose numbers may have been compromised.
    • Place an initial fraud alert on your credit report. Order your free copy of your credit report and review it for problems.
      - Contact any of the three consumer reporting companies to place a fraud alert on your credit report. You only need to contact one of the three companies because that company is required to contact the other two.
      - Once you place a fraud alert on your file, you are entitled to a free copy of your credit report. The credit reporting agencies will send you a letter telling you how to order your free report. When you receive your credit reports, review them carefully and look for any suspicious activity.
    • Remain alert. This is always a good idea, but especially in the first year following a security breach notification. Take advantage of your right to one free copy of your credit report from each of the three consumer reporting companies per year. Request a report from one of the reporting companies every four months and carefully review this report for suspicious activity. To obtain the free reports, consumers can call 1-877-322-8228 or order online at www.annualcreditreport.com.
  o How consumers can get further information; and
  o How consumers can sign up for credit monitoring (if you are offering it).
• Do we need to set up a call center?
  o This may depend on the number of breach notification letters that are going out. If your regular customer service line can handle the influx of calls, you may not need a separate call center.
• Should we stagger breach notification letters?
  o If you have a lot of letters to send out and are worried about call volume, you should consider staggering the mailing of notification letters.
• How can we ensure accurate information is reaching affected consumers?
  o Employee training is essential. Fact sheets can be utilized to provide quick, easy information to all employees. Anticipate where calls might come in and make sure that those employees are briefed.
• Should we offer credit monitoring?
  o Offering credit monitoring to consumers is not required under the Personal Information Protection Act. Nonetheless, many entities that suffer breaches offer 12 or 24 months of free credit monitoring to affected consumers.
  o Credit monitoring services may be inappropriate where credit or debit account information was accessed. In those cases, the thieves may make unauthorized charges on existing accounts, but they probably do not have the requisite information to open new lines of credit. Credit monitoring will not prevent the thief from spending to the limit on cards that already exist.
• Do we need to notify anyone else?
  o Unless you are a state agency, the law does not require that you notify anyone other than the affected Illinois residents.
  o The Illinois Attorney General’s Office provides an Identity Theft Hotline to assist consumers. If you want to include the Hotline number on your breach notification letter, you should contact our office so that we can be prepared for the calls.
• How can we prevent this from happening in the future?
  o The first step is to determine how it happened. Each situation requires a different response. For example:
    • If you had a rogue employee access the data without permission, address whether that employee should have had access to personal information in the first place, and whether increased or different training would have helped to protect the information.
    • If an honest employee misplaced a laptop, thumb drive, or list of personnel files, address whether it was proper for that employee to be permitted to take that information out of the office. Consider increased security on laptops and other portable devices to better protect the information.
    • If a hacker found his way into your network system, address whether IT security is up to date. Assess the storage, maintenance, and destruction of personal information and make a determination about whether information is being mishandled at any point in the process.
i Protecting Personal Information: A Guide for Business, Federal Trade Commission (March 2007).
ii Safeguarding Against and Responding to the Breach of Personally Identifiable Information, Office of Management and Budget, Memorandum for the Heads of Executive Departments and Agencies M-07-16 (May 22, 2007). These requirements are derived from existing federal security policy and National Institute of Standards and Technology (NIST) guidance.
iii See NIST’s Web site at http://csrc.nist.gov/cryptval/ for a discussion of the certified encryption products.
iv Adapted from Lessons Learned about Data Breach Notification, Report to Congressional Requestors, GAO-07-657 Privacy (April 2007).
Page 1 of 15
Best Practices for Victim Response and
Reporting of Cyber Incidents Version 1.0 (April 2015)
Any Internet-connected organization can fall prey to a disruptive network intrusion or
costly cyber attack. A quick, effective response to cyber incidents can prove critical to
minimizing the resulting harm and expediting recovery. The best time to plan such a response is
now, before an incident occurs.
This “best practices” document was drafted by the Cybersecurity Unit to assist
organizations in preparing a cyber incident response plan and, more generally, in preparing to
respond to a cyber incident. It reflects lessons learned by federal prosecutors while handling
cyber investigations and prosecutions, including information about how cyber criminals’ tactics
and tradecraft can thwart recovery. It also incorporates input from private sector companies that
have managed cyber incidents. It was drafted with smaller, less well-resourced organizations in
mind; however, even larger organizations with more experience in handling cyber incidents may
benefit from it.
I. Steps to Take Before a Cyber Intrusion or Attack Occurs
Having well-established plans and procedures in place for managing and responding to a
cyber intrusion or attack is a critical first step toward preparing an organization to weather a
cyber incident. Such pre-planning can help victim organizations limit damage to their computer
networks, minimize work stoppages, and maximize the ability of law enforcement to locate and
apprehend perpetrators. Organizations should take the precautions outlined below before
learning of a cyber incident affecting their networks.
A. Identify Your “Crown Jewels”
Different organizations have different mission critical needs. For some organizations,
even a short-term disruption in their ability to send or receive email will have a devastating
impact on their operations; others are able to rely on other means of communication to transact
business, but they may suffer significant harm if certain intellectual property is stolen. For
others still, the ability to guarantee the integrity and security of the data they store and process,
such as customer information, is vital to their continued operation.
Cybersecurity Unit
Computer Crime & Intellectual Property Section, Criminal Division
U.S. Department of Justice
1301 New York Avenue, N.W., 6th Floor, Washington, D.C. 20530 - [email protected] - (202)514-1026
The expense and resources required to protect a whole enterprise may force an
organization to prioritize its efforts and may shape its incident response planning. Before
formulating a cyber incident response plan, an organization should first determine which of their
data, assets, and services warrants the most protection. Ensuring that protection of an
organization’s “crown jewels” is appropriately prioritized is an important first step to preventing
a cyber intrusion or attack from causing catastrophic harm. The Cybersecurity Framework
produced by the National Institute of Standards and Technology (NIST) provides excellent
guidance on risk management planning and policies and merits consideration.1
B. Have an Actionable Plan in Place Before an Intrusion Occurs
Organizations should have a plan in place for handling computer intrusions before an
intrusion occurs. During an intrusion, an organization’s management and personnel should be
focused on containing the intrusion, mitigating the harm, and collecting and preserving vital
information that will help them assess the nature and scope of the damage and the potential
source of the threat. A cyber incident is not the time to be creating emergency procedures or
considering for the first time how best to respond.
The plan should be “actionable.” It should provide specific, concrete procedures to
follow in the event of a cyber incident. At a minimum, the procedures should address:
• Who has lead responsibility for different elements of an organization’s cyber incident
response, from decisions about public communications, to information technology access,
to implementation of security measures, to resolving legal questions;
• How to contact critical personnel at any time, day or night;
• How to proceed if critical personnel are unreachable and who will serve as back-up;
• What mission critical data, networks, or services should be prioritized for the greatest
protection;
• How to preserve data related to the intrusion in a forensically sound manner;
• What criteria will be used to ascertain whether data owners, customers, or partner
companies should be notified if their data or data affecting their networks is stolen; and
• Procedures for notifying law enforcement and/or computer incident-reporting
organizations.
1 The NIST Cybersecurity Framework is available at http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf.
All personnel who have computer security responsibilities should have access to and
familiarity with the plan, particularly anyone who will play a role in making technical,
operational, or managerial decisions during an incident. It is important for an organization to
institute rules that will ensure its personnel have and maintain familiarity with its incident
response plan. For instance, the procedures for responding to a cyber incident under an incident
response plan can be integrated into regular personnel training. The plan may also be ingrained
through regularly conducted exercises to ensure that it is up-to-date. Such exercises should be
designed to verify that necessary lines of communication exist, that decision-making roles and
responsibilities are well understood, and that any technology that may be needed during an actual
incident is available and likely to be effective. Deficiencies and gaps identified during an
exercise should be noted for speedy resolution.
Incident response plans may differ depending upon an organization’s size, structure, and
nature of its business. Similarly, decision-making under a particular incident response plan may
differ depending upon the nature of a cyber incident. In any event, institutionalized familiarity
with the organization’s framework for addressing a cyber incident will expedite response time
and save critical minutes during an incident.
C. Have Appropriate Technology and Services in Place Before An Intrusion Occurs
Organizations should already have in place or have ready access to the technology and
services that they will need to respond to a cyber incident. Such equipment may include off-site
data back-up, intrusion detection capabilities, data loss prevention technologies, and devices for
traffic filtering or scrubbing. An organization’s computer servers should also be configured to
conduct the logging necessary to identify a network security incident and to perform routine
back-ups of important information. The requisite technology should already be installed, tested,
and ready to deploy. Any required supporting services should either be acquired beforehand or
be identified and ready for acquisition.
D. Have Appropriate Authorization in Place to Permit Network Monitoring
Real-time monitoring of an organization’s own network is typically lawful if prior
consent for such monitoring is obtained from network users. For this reason, before an incident
takes place, an organization should adopt the mechanisms necessary for obtaining user consent to
monitoring users’ communications so it can detect and respond to a cyber incident. One means
of accomplishing this is through network warnings or “banners” that greet users who log onto a
network and inform them of how the organization will collect, store, and use their
communications. A banner can also be installed on the ports through which an intruder is likely
to access the organization’s system.
A banner, however, is not the only means of obtaining legally valid consent. Computer
user agreements, workplace policies, and personnel training may also be used to obtain legally
sufficient user consent to monitoring. Organizations should obtain written acknowledgement
from their personnel of having signed such agreements or received such training. Doing so will
provide an organization with ready proof that they have met legal requirements for conducting
network monitoring.
Any means of obtaining legally sufficient consent should notify users that their use of the
system constitutes consent to the interception of their communications and that the results of
such monitoring may be disclosed to others, including law enforcement.2 If an organization is a
government entity (e.g., a federal, state, or local agency or a state university) or a private entity
acting as an instrument or agent of the government, its actions may implicate the Fourth
Amendment. Consequently, any notice on the system of such an entity or organization should
also inform users of their diminished expectation of privacy for communications on the network.
E. Ensure Your Legal Counsel is Familiar with Technology and Cyber Incident
Management to Reduce Response Time During an Incident
Cyber incidents can raise unique legal questions. An organization faced with decisions
about how it interacts with government agents, the types of preventative technologies it can
lawfully use, its obligation to report the loss of customer information, and its potential liability
for taking specific remedial measures (or failing to do so) will benefit from obtaining legal
guidance from attorneys who are conversant with technology and knowledgeable about relevant
laws (e.g., the Computer Fraud and Abuse Act (18 U.S.C. § 1030), electronic surveillance, and
communications privacy laws). Legal counsel that is accustomed to addressing these types of
issues that are often associated with cyber incidents will be better prepared to provide a victim
organization with timely, accurate advice.
Many private organizations retain outside counsel who specialize in legal questions
associated with data breaches while others find such cyber issues are common enough that they
have their own cyber-savvy attorneys on staff in their General Counsel’s offices. Having ready
access to advice from lawyers well acquainted with cyber incident response can speed an
organization’s decision making and help ensure that a victim organization’s incident response
activities remain on firm legal footing.
2 More guidance on banners, including model banners, can be found in our manual on searching and seizing
electronic evidence and in a 2009 legal opinion prepared by the Department of Justice’s Office of Legal Counsel.
See Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations (3d ed. 2009),
available at http://www.justice.gov/criminal/cybercrime/docs/ssmanual2009.pdf; and Stephen G. Bradbury, Legal
Issues Relating to the Testing, Use, and Deployment of an Intrusion-Detection System to Protect Unclassified
Computer Networks in the Executive Branch, 33 Op. Off. Legal Counsel 1 (2009), available at
http://www.justice.gov/sites/default/files/olc/opinions/2009/01/31/e2-issues.pdf.
F. Ensure Organization Policies Align with Your Cyber Incident Response Plan
Some preventative and preparatory measures related to incident planning may need to be
implemented outside the context of preparing a cyber incident response plan. For instance, an
organization should review its personnel and human resource policies to ensure they will
reasonably minimize the risk of cyber incidents, including from “insider threats.” Proper
personnel and information technology (IT) policies may help prevent a cyber incident in the first
place. For instance, a practice of promptly revoking the network credentials of terminated
employees—particularly system administrators and information technology staff—may prevent a
subsequent cyber incident from occurring. Furthermore, reasonable access controls on networks
may reduce the risk of harmful computer misuse.
G. Engage with Law Enforcement Before an Incident
Organizations should attempt to establish a relationship with their local federal law
enforcement offices long before they suffer a cyber incident. Having a point-of-contact and a
pre-existing relationship with law enforcement will facilitate any subsequent interaction that may
occur if an organization needs to enlist law enforcement’s assistance. It will also help establish
the trusted relationship that cultivates bi-directional information sharing that is beneficial both to
potential victim organizations and to law enforcement. The principal federal law enforcement
agencies responsible for investigating criminal violations of the federal Computer Fraud and
Abuse Act are the Federal Bureau of Investigation (FBI) and the U.S. Secret Service. Both
agencies conduct regular outreach to private companies and other organizations likely to be
targeted for intrusions and attacks. Such outreach occurs mostly through the FBI’s Infragard
chapters and Cyber Task Forces in each of the FBI’s 56 field offices, and through the U.S. Secret
Service’s Electronic Crimes Task Forces.
H. Establish Relationships with Cyber Information Sharing Organizations
Defending a network at all times from every cyber threat is a daunting task. Access to
information about new or commonly exploited vulnerabilities can help an organization
prioritize its security measures. Information sharing organizations for every sector of the critical
infrastructure exist to provide such information. Information Sharing and Analysis Centers
(ISACs) have been created in each sector of the critical infrastructure and for key resources.
They produce analysis of cyber threat information that is shared within the relevant sector, with
other sectors, and with the government. Depending upon the sector, they may also provide other
cybersecurity services. The government has also encouraged the creation of new information
sharing entities called Information Sharing and Analysis Organizations (ISAOs) to accommodate
organizations that do not fit within an established sector of the critical infrastructure or that have
unique needs.3 ISAOs are intended to provide such organizations with the same benefits of
obtaining cyber threat information and other supporting services that are provided by an ISAC.
II. Responding to a Computer Intrusion: Executing Your Incident Response Plan
An organization can fall victim to a cyber intrusion or attack even after taking reasonable
precautions. Consequently, having a vetted, actionable cyber incident response plan is critical.
A robust incident response plan does more than provide procedures for handling an incident; it
also provides guidance on how a victim organization can continue to operate while managing an
incident and how to work with law enforcement and/or incident response firms as an
investigation is conducted.4 An organization’s incident response plan should, at a minimum,
give serious consideration to all of the steps outlined below.
A. Step 1: Make an Initial Assessment
During a cyber incident, a victim organization should immediately make an assessment
of the nature and scope of the incident. In particular, it is important at the outset to determine
whether the incident is a malicious act or a technological glitch. The nature of the incident will
determine the type of assistance an organization will need to address the incident and the type of
damage and remedial efforts that may be required.
Having appropriate network logging capabilities enabled can be critical to identifying the
cause of a cyber incident. Using log information, a system administrator should attempt to
identify:
• The affected computer systems;
• The apparent origin of the incident, intrusion, or attack;
• Any malware used in connection with the incident;
• Any remote servers to which data were sent (if information was exfiltrated); and
• The identity of any other victim organizations, if such data is apparent in logged data.
3 See Exec. Order No. 13,691, 80 Fed. Reg. 9347 (Feb. 20, 2015), available at http://www.gpo.gov/fdsys/pkg/FR-2015-02-20/pdf/2015-03714.pdf.
4 Often in the case of data breaches, organizations may learn that they have been the victim of an intrusion from a third party. For instance, law enforcement may discover evidence, while conducting a data breach investigation, that other organizations have also been breached, or a cybersecurity company's forensic analysis of a customer's network following a breach may uncover evidence of other victims. Organizations should be prepared to respond to receiving such notice.
In addition, the initial assessment of the incident should document:
Which users are currently logged on;
What the current connections to the computer systems are;
Which processes are running; and
All open ports and their associated services and applications.
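The log review that the initial assessment calls for, as an added Python example that is not part of the DOJ guidance: a small triage script run over constructed sshd, sudo and outbound-flow log lines. The hostnames, addresses, timestamps, the 10.0.0.0/8 internal range and the HOST_IPS asset inventory are all invented for the example, and the log formats are simplified. From those lines it picks out the affected systems, the apparent origin of the intrusion (password guessing followed by a success from the same source), account changes made by the intruder, lateral movement between hosts, and outbound transfers to remote servers that look like exfiltration.

```python
"""Initial-assessment triage over constructed log lines (added example, not DOJ
code).  Log formats are simplified; hosts, IPs and times are invented."""
import ipaddress
import json
import re
from collections import defaultdict

# Constructed asset inventory: which internal address belongs to which host.
HOST_IPS = {"web01": "10.0.5.21", "db01": "10.0.5.30"}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed internal range

AUTH_LOG = """\
2018-03-02T01:12:07Z web01 sshd[1022]: Failed password for root from 203.0.113.45 port 51022 ssh2
2018-03-02T01:12:09Z web01 sshd[1022]: Failed password for root from 203.0.113.45 port 51023 ssh2
2018-03-02T01:12:15Z web01 sshd[1031]: Accepted password for svc_backup from 203.0.113.45 port 51030 ssh2
2018-03-02T01:20:41Z web01 sudo: svc_backup : TTY=pts/0 ; COMMAND=/usr/sbin/useradd -o -u 0 support
2018-03-02T01:25:02Z db01 sshd[877]: Accepted publickey for svc_backup from 10.0.5.21 port 40112 ssh2
2018-03-02T02:03:19Z web01 sshd[1102]: Accepted password for alice from 10.0.9.14 port 50044 ssh2
"""
FLOW_LOG = """\
2018-03-02T01:30:11Z db01 OUT src=10.0.5.30 dst=10.0.5.21 dport=5432 bytes=48211
2018-03-02T01:41:55Z db01 OUT src=10.0.5.30 dst=198.51.100.77 dport=443 bytes=734003200
2018-03-02T01:42:10Z web01 OUT src=10.0.5.21 dst=203.0.113.45 dport=4444 bytes=2211
2018-03-02T02:10:00Z web01 OUT src=10.0.5.21 dst=93.184.216.34 dport=443 bytes=15022
"""

AUTH_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Accepted|Failed) \w+ "
                     r"for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+")
SUDO_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) sudo: +(?P<user>\S+) : .*COMMAND=(?P<cmd>.+)$")
FLOW_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) OUT src=(?P<src>\S+) dst=(?P<dst>\S+) "
                     r"dport=(?P<dport>\d+) bytes=(?P<bytes>\d+)$")
ACCOUNT_CMDS = ("useradd", "usermod", "adduser", "passwd", "chpasswd", "visudo")


def parse_auth(text):
    """sshd login results and sudo commands, tagged with their kind."""
    events = []
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            events.append(dict(m.groupdict(), kind="login"))
            continue
        m = SUDO_RE.match(line)
        if m:
            events.append(dict(m.groupdict(), kind="sudo"))
    return sorted(events, key=lambda e: e["ts"])  # ISO-8601 sorts lexically


def parse_flows(text):
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line)
        if m:
            d = m.groupdict()
            d["dport"], d["bytes"] = int(d["dport"]), int(d["bytes"])
            flows.append(d)
    return flows


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def compromised_logins(events, failures=2):
    """Apparent origin: N failed passwords, then a success from the same external source."""
    fails, hits = defaultdict(int), []
    for e in events:
        if e["kind"] != "login":
            continue
        key = (e["host"], e["src"])
        if e["result"] == "Failed":
            fails[key] += 1
        elif fails[key] >= failures and not is_internal(e["src"]):
            hits.append(e)
    return hits


def lateral_movement(events, hits, host_ips):
    """Successful logins on other hosts that originate from an already compromised host."""
    ip_to_host = {ip: h for h, ip in host_ips.items()}
    first_seen = {h["host"]: h["ts"] for h in hits}
    out = []
    for e in events:
        if e["kind"] != "login" or e["result"] != "Accepted":
            continue
        src_host = ip_to_host.get(e["src"])
        if src_host in first_seen and e["ts"] >= first_seen[src_host] and e["host"] != src_host:
            out.append(e)
    return out


def account_changes(events):
    return [e for e in events if e["kind"] == "sudo" and any(c in e["cmd"] for c in ACCOUNT_CMDS)]


def exfil_candidates(flows, min_bytes=100 * 1024 * 1024, odd_ports=(4444, 1337, 8443)):
    """Large outbound transfers, or traffic to unusual ports, leaving the internal range."""
    return [f for f in flows if not is_internal(f["dst"])
            and (f["bytes"] >= min_bytes or f["dport"] in odd_ports)]


def triage(auth_text=AUTH_LOG, flow_text=FLOW_LOG, host_ips=HOST_IPS):
    events, flows = parse_auth(auth_text), parse_flows(flow_text)
    hits = compromised_logins(events)
    lateral = lateral_movement(events, hits, host_ips)
    exfil = exfil_candidates(flows)
    return {
        "affected_hosts": sorted({e["host"] for e in hits + lateral} | {f["host"] for f in exfil}),
        "origin_ips": sorted({e["src"] for e in hits}),
        "compromised_accounts": sorted({e["user"] for e in hits + lateral}),
        "account_changes": [(e["host"], e["user"], e["cmd"]) for e in account_changes(events)],
        "exfil_destinations": sorted({(f["dst"], f["dport"], f["bytes"]) for f in exfil}),
    }


if __name__ == "__main__":
    print(json.dumps(triage(), indent=2))
```

The thresholds (two failures, 100 MiB, the port list) are placeholders to tune to the environment; the point is that each finding is tied back to the log line that produced it, so the same script output can go straight into the written record that Step 3 asks for. Flow and authentication logs are checked independently, because an intruder who lands on one host and pivots to another usually leaves the exfiltration trace on the second one, not the one that was first compromised.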
Any communications (in particular, threats or extortionate demands) received by the
organization that might relate to the incident should also be preserved. Suspicious calls, emails,
or other requests for information should be treated as part of the incident.
Evidence that an intrusion or other criminal incident has occurred will typically include
logging or file creation data indicating that someone improperly accessed, created, modified,
deleted, or copied files or logs; changed system settings; or added or altered user accounts or
permissions. In addition, an intruder may have stored “hacker tools” or data from another
intrusion on your network. In the case of a root-level intrusion,5 victims should be alert for signs
that the intruder gained access to multiple areas of the network. The victim organization should
take care to ensure that its actions do not unintentionally or unnecessarily modify stored data in a
way that could hinder incident response or subsequent criminal investigation. In particular,
potentially relevant files should not be deleted; if at all possible, avoid modifying data or at least
keep track of how and when information was modified.
B. Step 2: Implement Measures to Minimize Continuing Damage
After an organization has assessed the nature and scope of the incident and determined it
to be an intentional cyber intrusion or attack rather than a technical glitch, it may need to take
steps to stop ongoing damage caused by the perpetrator. Such steps may include rerouting
network traffic, filtering or blocking a distributed denial-of-service attack,6 or isolating all or
parts of the compromised network. In the case of an intrusion, a system administrator may
decide either to block further illegal access or to watch the illegal activity to identify the source
of the attack and/or learn the scope of the compromise.
If proper preparations were made, an organization will have an existing back-up copy of critical data and may elect to abandon the network in its current state and to restore it to a prior state. If an organization elects to restore a back-up version of its data, it should first make sure that the back-up is not compromised as well (for example, that it predates the earliest evidence of the intrusion and that its integrity can be verified).
5 An intruder with "root level access" has the highest privileges given to a user working with an operating system or other program and has as much authority on the network as a system administrator, including the authority to access files, alter permissions and privileges, and add or remove accounts.
Where a victim organization obtains information regarding the location of exfiltrated data
or the apparent origin of a cyber attack, it may choose to contact the system administrator of that
network. Doing so may stop the attack, assist in regaining possession of stolen data, or help
determine the true origin of the malicious activity. A victim organization may also choose to
blunt the damage of an ongoing intrusion or attack by “null routing”7 malicious traffic, closing
the ports being used by the intruder to gain access to the network, or otherwise altering the
configuration of a network to thwart the malicious activity.
The victim organization should keep detailed records of whatever steps are taken to
mitigate the damage and should keep stock of any associated costs incurred. Such information
may be important for recovering damages from responsible parties and for any subsequent
criminal investigation.
C. Step 3: Record and Collect Information
1. Image the Affected Computer(s)
Ideally, a victim organization will immediately make a “forensic image” of the affected
computers, which will preserve a record of the system at the time of the incident for later
analysis and potentially for use as evidence at trial.8 This may require the assistance of law
enforcement or professional incident response experts. In addition, the victim organization
should locate any previously generated backups, which may assist in identifying any changes an
intruder made to the network. New or sanitized media should be used to store copies of any data that is retrieved and stored. Once the victim organization makes such copies, it should write-protect the media to safeguard it from alteration and record a cryptographic hash of each copy at the time it is made, so that later alteration can be detected. The victim organization should also restrict access to this media to maintain the integrity and authenticity of the copy, safeguard it from unidentified malicious insiders, and establish a chain of custody. These steps will enhance the value of any backups as evidence in any later criminal investigations and prosecutions, internal investigations, or civil law suits.
6 A Distributed Denial of Service (DDOS) attack involves the orchestrated transmission of communications engineered to overwhelm another network's connection to the Internet to impair or disrupt that network's ability to send or receive communications. DDOS attacks are usually launched by a large number of computers infected by malware that permits their actions to be centrally controlled.
7 A null route directs the system to drop network communications destined for a specified IP address, so the system will no longer send any response to the originating IP address. This means the system will continue to receive data from the attackers but will no longer respond to them.
8 A "forensic image" is an exact, sector-by-sector copy of a hard disk. Software capable of creating such copies of hard drives preserves deleted files, slack space, system files, and executable files and can be critical for later analysis of an incident.
2. Keep Logs, Notes, Records, and Data
The victim organization should take immediate steps to preserve relevant existing logs.
In addition, the victim organization should direct personnel participating in the incident response
to keep an ongoing, written record of all steps undertaken. If this is done while responding to the
incident or shortly thereafter, personnel can minimize the need to rely on their memories or the
memories of others to reconstruct the order of events. As the investigation progresses,
information that was collected by the organization contemporaneous to the intrusion may take on
unanticipated significance.
The types of information that the victim organization should retain include:
● a description of all incident-related events, including dates and times;
● information about incident-related phone calls, emails, and other contacts;
● the identity of persons working on tasks related to the intrusion, including a description,
the amount of time spent, and the approximate hourly rate for those persons’ work;
● identity of the systems, accounts, services, data, and networks affected by the incident
and a description of how these network components were affected;
● information relating to the amount and type of damage inflicted by the incident, which
can be important in civil actions by the organization and in criminal cases;
● information regarding network topology;
● the type and version of software being run on the network; and
● any peculiarities in the organization’s network architecture, such as proprietary hardware
or software.
Ideally, a single, designated employee will retain custody of all such records. This will
help to ensure that records are properly preserved and can be produced later on. Proper handling
of this information is often useful in rebutting claims in subsequent legal proceedings (whether
criminal or civil) that electronic evidence has been tampered with or altered.
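The imaging, write-protection and chain-of-custody steps in Step 3.1, together with the contemporaneous written record called for in Step 3.2, as an added Python example that is not part of the DOJ guidance. It images a constructed file standing in for a disk (on a real case the source would be the block device behind a hardware write-blocker, and the imaging tool would be dd or a dedicated forensic imager); the evidence identifier and handler name are invented. It hashes the source while copying, re-hashes the finished copy, write-protects it, writes a custody manifest beside it, logs each step with a timestamp, and then shows that any later alteration of the image is caught by re-verification.

```python
"""Forensic image + custody manifest + contemporaneous incident log (added
example, not DOJ code).  A constructed file stands in for the block device."""
import datetime
import hashlib
import json
import os
import stat
import tempfile

CHUNK = 1024 * 1024  # read/write granularity; the copy is byte-for-byte regardless


def utcnow():
    return datetime.datetime.now(datetime.timezone.utc).isoformat()


class IncidentLog:
    """Append-only, timestamped record of each response step (Step 3.2)."""

    def __init__(self, path, handler):
        self.path, self.handler = path, handler

    def record(self, action):
        entry = {"time": utcnow(), "handler": self.handler, "action": action}
        with open(self.path, "a") as f:
            f.write(json.dumps(entry) + "\n")
        return entry

    def entries(self):
        with open(self.path) as f:
            return [json.loads(line) for line in f]


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for buf in iter(lambda: f.read(CHUNK), b""):
            h.update(buf)
    return h.hexdigest()


def acquire_image(source, image_path, handler, log):
    """Copy `source` byte-for-byte, hash both sides, write-protect the copy and
    write a custody manifest next to it.  On a live system `source` would be the
    device node (e.g. /dev/sdb) read through a hardware write-blocker."""
    src_hash = hashlib.sha256()
    with open(source, "rb") as src, open(image_path, "wb") as dst:
        for buf in iter(lambda: src.read(CHUNK), b""):
            src_hash.update(buf)
            dst.write(buf)
    os.chmod(image_path, stat.S_IRUSR)   # owner read-only: no accidental writes
    digest = sha256_file(image_path)     # re-read the copy; don't trust the write path
    if digest != src_hash.hexdigest():
        raise RuntimeError("image hash does not match source; re-acquire")
    manifest = {
        "evidence_id": os.path.basename(image_path),
        "source": source,
        "size_bytes": os.path.getsize(image_path),
        "sha256": digest,
        "acquired_at": utcnow(),
        "acquired_by": handler,
        "custody": [{"time": utcnow(), "holder": handler, "event": "acquired"}],
    }
    manifest_path = image_path + ".manifest.json"
    with open(manifest_path, "w") as f:
        json.dump(manifest, f, indent=2)
    os.chmod(manifest_path, stat.S_IRUSR)
    log.record(f"acquired {source} -> {image_path} sha256={digest}")
    return manifest


def verify_image(image_path, manifest):
    """Re-hash the image and compare with the digest recorded at acquisition."""
    return sha256_file(image_path) == manifest["sha256"]


def run_demo(workdir=None):
    workdir = workdir or tempfile.mkdtemp(prefix="ir-")
    log = IncidentLog(os.path.join(workdir, "incident.log"), handler="analyst1")
    # Constructed "disk": 3 MiB of random sectors followed by a deleted-file
    # fragment and zero-filled slack; a sector-level copy preserves all of it.
    disk = os.path.join(workdir, "fake_disk.raw")
    with open(disk, "wb") as f:
        f.write(os.urandom(3 * CHUNK) + b"DELETED: payroll.csv,ssn" + b"\x00" * 4000)
    log.record(f"identified {disk} as affected volume")
    image = os.path.join(workdir, "EV-001-web01.dd")
    manifest = acquire_image(disk, image, "analyst1", log)
    ok_before = verify_image(image, manifest)
    # Simulate an integrity failure: someone re-enables writes and flips one byte.
    os.chmod(image, stat.S_IRUSR | stat.S_IWUSR)
    with open(image, "r+b") as f:
        first = f.read(1)
        f.seek(0)
        f.write(bytes([first[0] ^ 0xFF]))
    ok_after = verify_image(image, manifest)
    log.record(f"re-verification after alteration: {ok_after}")
    return {"manifest": manifest, "verified_before": ok_before,
            "verified_after_tamper": ok_after, "log": log.entries()}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The manifest's custody list is what gets extended each time the media changes hands; the hash is what a court or an opposing expert will recompute. The file-mode write-protection is a convenience against accidental modification only, which is why the example re-verifies by hash rather than trusting the permission bits.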
3. Records Related to Continuing Attacks
When an incident is ongoing (e.g., during a DDOS attack, as a worm is propagating
through the network, or while an intruder is exfiltrating data), the victim organization should
record any continuing activity. If a victim organization has not enabled logging on an affected
server, it should do so immediately. It should also consider increasing the default size of log
files on its servers to prevent losing data. A victim organization may also be able to use a
“sniffer” or other network-monitoring device to record communications between the intruder and
any of its targeted servers. Such monitoring, which implicates the Wiretap Act (18 U.S.C. §§ 2510 et seq.), is typically lawful, provided it is done to protect the organization's rights or property or system users have actually or impliedly consented to such monitoring. An
organization should consult with its legal counsel to make sure such monitoring is conducted
lawfully and consistent with the organization’s employment agreements and privacy policies.
D. Step 4: Notify9
1. People Within the Organization
Managers and other personnel within the organization should be notified about the
incident as provided for in the incident response plan and should be given the results of any
preliminary analysis. Relevant personnel may include senior management, IT and physical
security coordinators, communications or public affairs personnel, and legal counsel. The
incident response plan should set out individual points-of-contact within the organization and the
circumstances in which they should be contacted.
2. Law Enforcement
If an organization suspects at any point during its assessment or response that the incident
constitutes criminal activity, it should contact law enforcement immediately. Historically, some companies have been reluctant to contact law enforcement following a cyber incident, fearing that a criminal investigation may result in disruption of their business or reputational harm. However, a company harboring such concerns should not hesitate to contact law enforcement.
The FBI and U.S. Secret Service place a priority on conducting cyber investigations that
cause as little disruption as possible to a victim organization’s normal operations and recognize
the need to work cooperatively and discreetly with victim companies. They will use
investigative measures that avoid computer downtime or displacement of a company's
employees. When using an indispensable investigative measure likely to inconvenience a victim organization, they will do so with the objective of minimizing the duration and scope of any disruption.
The FBI and U.S. Secret Service will also conduct their investigations with discretion and work with a victim company to avoid unwarranted disclosure of information. They will attempt to coordinate statements to the news media concerning the incident with a victim company to ensure that information harmful to a company's interests is not needlessly disclosed. Victim companies should likewise consider sharing press releases regarding a cyber incident with investigative agents before issuing them to avoid releasing information that might damage the ongoing investigation.
9 Some private organizations are regulated by the federal government and may be subject to rules requiring notification if a data breach or other cyber incident occurs. While guidance to such organizations for notifying regulators is beyond the scope of this document, a cyber incident response plan should take into account whether a victim organization may need also to notify regulators and how best to do so.
Contacting law enforcement may also prove beneficial to a victim organization. Law
enforcement may be able to use legal authorities and tools that are unavailable to non-governmental entities10 and to enlist the assistance of international law enforcement partners to
locate stolen data or identify the perpetrator. These tools and relationships can greatly increase
the odds of successfully apprehending an intruder or attacker and securing lost data. In addition,
a cyber criminal who is successfully prosecuted will be prevented from causing further damage
to the victim company or to others, and other would-be cyber criminals may be deterred by such
a conviction.
In addition, as of January 2015, at least forty-seven states have passed database breach
notification laws requiring companies to notify customers whose data is compromised by an
intrusion; however, many data breach reporting laws allow a covered organization to delay
notification if law enforcement concludes that such notice would impede an investigation. State
laws also may allow a victim company to forgo providing notice altogether if the victim
company consults with law enforcement and thereafter determines that the breach will not likely
result in harm to the individuals whose personal information has been acquired and accessed.
Organizations should consult with counsel to determine their obligations under state data breach
notification laws. It is also noteworthy that companies from regulated industries that cooperate
with law enforcement may be viewed more favorably by regulators looking into a data breach.
3. The Department of Homeland Security
The Department of Homeland Security has components dedicated to cybersecurity that
not only collect and report on cyber incidents, phishing, malware, and other vulnerabilities, but
also provide certain incident response services. The National Cybersecurity & Communications
Integration Center (NCCIC) serves as a 24x7 centralized location for cybersecurity information
sharing, incident response, and incident coordination. By contacting the NCCIC, a victim
organization can both share and receive information about an ongoing incident that may prove
beneficial to both the victim organization and the government. A victim organization may also obtain technical assistance capable of mitigating an ongoing cyber incident.
10 For instance, data that are necessary to trace an intrusion or attack to its source may not be obtainable without use of legal process (e.g., a search warrant, court order, or subpoena) that may be unavailable to a private party. Furthermore, some potentially useful intrusion detection techniques require law enforcement involvement. For instance, under 18 U.S.C. § 2511(2)(i) a network owner may authorize law enforcement to intercept a computer trespasser's communications on the network owner's computers during an investigation.
4. Other Potential Victims
If a victim organization or the private incident response firm it hires uncovers evidence of
additional victims while assessing a cyber incident—for example, in the form of another
company’s data stored on the network—the other potential victims should be promptly notified.
While the initial victim can conduct such notification directly, notifying victims through law
enforcement may be preferable. It insulates the initial victim from potentially unnecessary
exposure and allows law enforcement to conduct further investigation, which may uncover
additional victims warranting notification. Similarly, if a forensic examination reveals an
unreported software or hardware vulnerability, the victim organization should make immediate
notification to law enforcement or the relevant vendor.
Such notifications may prevent further damage by prompting the victims or vendors to
take remedial action immediately. The victim organization may also reap benefits, because other
victims may be able to provide helpful information gleaned from their own experiences
managing the same cyber incident (e.g., information regarding the perpetrator’s methods, a
timeline of events, or effective mitigation techniques that may thwart the intruder).
III. What Not to Do Following a Cyber Incident
A. Do Not Use the Compromised System to Communicate
The victim organization should avoid, to the extent reasonably possible, using a system suspected of being compromised to communicate about an incident or to discuss its response to the incident. If the victim organization must use the compromised system to communicate, it should encrypt its communications, bearing in mind that encryption protects messages in transit but not from an intruder who already controls the endpoint, so an out-of-band channel (a separate, clean network or telephones) is preferable. To avoid becoming the victim of a "social engineering"
attack (i.e., attempts by a perpetrator to convince a target to take an action through use of a ruse
or guile that will compromise the security of the system or data), employees of the victim
organization should not disclose incident-specific information to unknown communicants
inquiring about an incident without first verifying their identity.
B. Do Not Hack Into or Damage Another Network
A victimized organization should not attempt to access, damage, or impair another
system that may appear to be involved in the intrusion or attack. Regardless of motive, doing so
is likely illegal, under U.S. and some foreign laws, and could result in civil and/or criminal
liability. Furthermore, many intrusions and attacks are launched from compromised systems.
Consequently, “hacking back” can damage or impair another innocent victim’s system rather
than the intruder’s.
IV. After a Computer Incident
Even after a cyber incident appears to be under control, remain vigilant. Many intruders
return to attempt to regain access to networks they previously compromised. It is possible that,
despite best efforts, a company that has addressed known security vulnerabilities and taken all
reasonable steps to eject an intruder has nevertheless not eliminated all of the means by which
the intruder illicitly accessed the network. Continue to monitor your system for anomalous
activity.
Once the victim organization has recovered from the attack or intrusion, it should initiate
measures to prevent similar attacks. To do so, it should conduct a post-incident review of the
organization’s response to the incident and assess the strengths and weaknesses of its
performance and incident response plan. Part of the assessment should include ascertaining
whether the organization followed each of the steps outlined above and, if not, why not. The
organization should note and discuss deficiencies and gaps in its response and take remedial
steps as needed.
Cyber Incident Preparedness Checklist
Before a Cyber Attack or Intrusion
Identify mission critical data and assets (i.e., your “Crown Jewels”) and institute tiered
security measures to appropriately protect those assets.
Review and adopt risk management practices found in guidance such as the National
Institute of Standards and Technology Cybersecurity Framework.
Create an actionable incident response plan.
o Test plan with exercises
o Keep plan up-to-date to reflect changes in personnel and structure
Have the technology in place (or ensure that it is easily obtainable) that will be used to
address an incident.
Have procedures in place that will permit lawful network monitoring.
Have legal counsel that is familiar with legal issues associated with cyber incidents
Align other policies (e.g., human resources and personnel policies) with your incident
response plan.
Develop proactive relationships with relevant law enforcement agencies, outside counsel,
public relations firms, and investigative and cybersecurity firms that you may require in
the event of an incident.
During a Cyber Attack or Intrusion
Make an initial assessment of the scope and nature of the incident, particularly whether it
is a malicious act or a technological glitch.
Minimize continuing damage consistent with your cyber incident response plan.
Collect and preserve data related to the incident.
o “Image” the network
o Keep all logs, notes, and other records
o Keep records of ongoing attacks
Consistent with your incident response plan, notify—
o Appropriate management and personnel within the victim organization
o Law enforcement
o Other possible victims
o Department of Homeland Security
Do not—
o Use compromised systems to communicate.
o “Hack back” or intrude upon another network.
After Recovering from a Cyber Attack or Intrusion
Continue monitoring the network for any anomalous activity to make sure the intruder
has been expelled and you have regained control of your network.
Conduct a post-incident review to identify deficiencies in planning and execution of your
incident response plan.
Framework for Improving
Critical Infrastructure Cybersecurity
Version 1.0
National Institute of Standards and Technology
February 12, 2014
February 12, 2014 Cybersecurity Framework Version 1.0
ii
Table of Contents
Executive Summary ..... 1
1.0 Framework Introduction ..... 3
2.0 Framework Basics ..... 7
3.0 How to Use the Framework ..... 13
Appendix A: Framework Core ..... 18
Appendix B: Glossary ..... 37
Appendix C: Acronyms ..... 39
List of Figures
Figure 1: Framework Core Structure ..... 7
Figure 2: Notional Information and Decision Flows within an Organization ..... 12
List of Tables
Table 1: Function and Category Unique Identifiers ..... 19
Table 2: Framework Core ..... 20
Executive Summary
The national and economic security of the United States depends on the reliable functioning of
critical infrastructure. Cybersecurity threats exploit the increased complexity and connectivity of
critical infrastructure systems, placing the Nation’s security, economy, and public safety and
health at risk. Similar to financial and reputational risk, cybersecurity risk affects a company’s
bottom line. It can drive up costs and impact revenue. It can harm an organization’s ability to
innovate and to gain and maintain customers.
To better address these risks, the President issued Executive Order 13636, “Improving Critical
Infrastructure Cybersecurity,” on February 12, 2013, which established that “[i]t is the Policy of
the United States to enhance the security and resilience of the Nation’s critical infrastructure and
to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity
while promoting safety, security, business confidentiality, privacy, and civil liberties.” In
enacting this policy, the Executive Order calls for the development of a voluntary risk-based
Cybersecurity Framework – a set of industry standards and best practices to help organizations
manage cybersecurity risks. The resulting Framework, created through collaboration between
government and the private sector, uses a common language to address and manage
cybersecurity risk in a cost-effective way based on business needs without placing additional
regulatory requirements on businesses.
The Framework focuses on using business drivers to guide cybersecurity activities and
considering cybersecurity risks as part of the organization’s risk management processes. The
Framework consists of three parts: the Framework Core, the Framework Profile, and the
Framework Implementation Tiers. The Framework Core is a set of cybersecurity activities,
outcomes, and informative references that are common across critical infrastructure sectors,
providing the detailed guidance for developing individual organizational Profiles. Through use of
the Profiles, the Framework will help the organization align its cybersecurity activities with its
business requirements, risk tolerances, and resources. The Tiers provide a mechanism for
organizations to view and understand the characteristics of their approach to managing
cybersecurity risk.
The Executive Order also requires that the Framework include a methodology to protect
individual privacy and civil liberties when critical infrastructure organizations conduct
cybersecurity activities. While processes and existing needs will differ, the Framework can assist
organizations in incorporating privacy and civil liberties as part of a comprehensive
cybersecurity program.
The Framework enables organizations – regardless of size, degree of cybersecurity risk, or
cybersecurity sophistication – to apply the principles and best practices of risk management to
improving the security and resilience of critical infrastructure. The Framework provides
organization and structure to today’s multiple approaches to cybersecurity by assembling
standards, guidelines, and practices that are working effectively in industry today. Moreover,
because it references globally recognized standards for cybersecurity, the Framework can also be
used by organizations located outside the United States and can serve as a model for
international cooperation on strengthening critical infrastructure cybersecurity.
The Framework is not a one-size-fits-all approach to managing cybersecurity risk for critical
infrastructure. Organizations will continue to have unique risks – different threats, different
vulnerabilities, different risk tolerances – and how they implement the practices in the
Framework will vary. Organizations can determine activities that are important to critical service
delivery and can prioritize investments to maximize the impact of each dollar spent. Ultimately,
the Framework is aimed at reducing and better managing cybersecurity risks.
The Framework is a living document and will continue to be updated and improved as industry
provides feedback on implementation. As the Framework is put into practice, lessons learned
will be integrated into future versions. This will ensure it is meeting the needs of critical
infrastructure owners and operators in a dynamic and challenging environment of new threats,
risks, and solutions.
Use of this voluntary Framework is the next step to improve the cybersecurity of our Nation’s
critical infrastructure – providing guidance for individual organizations, while increasing the
cybersecurity posture of the Nation’s critical infrastructure as a whole.
1.0 Framework Introduction
The national and economic security of the United States depends on the reliable functioning of
critical infrastructure. To strengthen the resilience of this infrastructure, President Obama issued
Executive Order 13636 (EO), “Improving Critical Infrastructure Cybersecurity,” on February 12,
2013.1 This Executive Order calls for the development of a voluntary Cybersecurity Framework
(“Framework”) that provides a “prioritized, flexible, repeatable, performance-based, and cost-
effective approach” to manage cybersecurity risk for those processes, information, and systems
directly involved in the delivery of critical infrastructure services. The Framework, developed in
collaboration with industry, provides guidance to an organization on managing cybersecurity
risk.
Critical infrastructure is defined in the EO as “systems and assets, whether physical or virtual, so
vital to the United States that the incapacity or destruction of such systems and assets would have
a debilitating impact on security, national economic security, national public health or safety, or
any combination of those matters.” Due to the increasing pressures from external and internal
threats, organizations responsible for critical infrastructure need to have a consistent and iterative
approach to identifying, assessing, and managing cybersecurity risk. This approach is necessary
regardless of an organization’s size, threat exposure, or cybersecurity sophistication today.
The critical infrastructure community includes public and private owners and operators, and
other entities with a role in securing the Nation’s infrastructure. Members of each critical
infrastructure sector perform functions that are supported by information technology (IT) and
industrial control systems (ICS).2 This reliance on technology, communication, and the
interconnectivity of IT and ICS has changed and expanded the potential vulnerabilities and
increased potential risk to operations. For example, as ICS and the data produced in ICS
operations are increasingly used to deliver critical services and support business decisions, the
potential impacts of a cybersecurity incident on an organization’s business, assets, health and
safety of individuals, and the environment should be considered. To manage cybersecurity risks,
a clear understanding of the organization’s business drivers and security considerations specific
to its use of IT and ICS is required. Because each organization’s risk is unique, along with its use
of IT and ICS, the tools and methods used to achieve the outcomes described by the Framework
will vary.
Recognizing the role that the protection of privacy and civil liberties plays in creating greater
public trust, the Executive Order requires that the Framework include a methodology to protect
individual privacy and civil liberties when critical infrastructure organizations conduct
cybersecurity activities. Many organizations already have processes for addressing privacy and
civil liberties. The methodology is designed to complement such processes and provide guidance
to facilitate privacy risk management consistent with an organization’s approach to cybersecurity
risk management. Integrating privacy and cybersecurity can benefit organizations by increasing
customer confidence, enabling more standardized sharing of information, and simplifying
operations across legal regimes.
1 Executive Order no. 13636, Improving Critical Infrastructure Cybersecurity, DCPD-201300091, February 12, 2013. http://www.gpo.gov/fdsys/pkg/FR-2013-02-19/pdf/2013-03915.pdf
2 The DHS Critical Infrastructure program provides a listing of the sectors and their associated critical functions and value chains. http://www.dhs.gov/critical-infrastructure-sectors
To ensure extensibility and enable technical innovation, the Framework is technology neutral.
The Framework relies on a variety of existing standards, guidelines, and practices to enable
critical infrastructure providers to achieve resilience. By relying on those global standards,
guidelines, and practices developed, managed, and updated by industry, the tools and methods
available to achieve the Framework outcomes will scale across borders, acknowledge the global
nature of cybersecurity risks, and evolve with technological advances and business requirements.
The use of existing and emerging standards will enable economies of scale and drive the
development of effective products, services, and practices that meet identified market needs.
Market competition also promotes faster diffusion of these technologies and practices and
realization of many benefits by the stakeholders in these sectors.
Building from those standards, guidelines, and practices, the Framework provides a common
taxonomy and mechanism for organizations to:
1) Describe their current cybersecurity posture;
2) Describe their target state for cybersecurity;
3) Identify and prioritize opportunities for improvement within the context of a
continuous and repeatable process;
4) Assess progress toward the target state;
5) Communicate among internal and external stakeholders about cybersecurity risk.
The Framework complements, and does not replace, an organization’s risk management process
and cybersecurity program. The organization can use its current processes and leverage the
Framework to identify opportunities to strengthen and communicate its management of
cybersecurity risk while aligning with industry practices. Alternatively, an organization without
an existing cybersecurity program can use the Framework as a reference to establish one.
Just as the Framework is not industry-specific, the common taxonomy of standards, guidelines,
and practices that it provides also is not country-specific. Organizations outside the United States
may also use the Framework to strengthen their own cybersecurity efforts, and the Framework
can contribute to developing a common language for international cooperation on critical
infrastructure cybersecurity.
1.1 Overview of the Framework
The Framework is a risk-based approach to managing cybersecurity risk, and is composed of
three parts: the Framework Core, the Framework Implementation Tiers, and the Framework
Profiles. Each Framework component reinforces the connection between business drivers and
cybersecurity activities. These components are explained below.
The Framework Core is a set of cybersecurity activities, desired outcomes, and
applicable references that are common across critical infrastructure sectors. The Core
presents industry standards, guidelines, and practices in a manner that allows for
communication of cybersecurity activities and outcomes across the organization from the
executive level to the implementation/operations level. The Framework Core consists of
five concurrent and continuous Functions—Identify, Protect, Detect, Respond, Recover.
When considered together, these Functions provide a high-level, strategic view of the
lifecycle of an organization’s management of cybersecurity risk. The Framework Core
then identifies underlying key Categories and Subcategories for each Function, and
matches them with example Informative References such as existing standards,
guidelines, and practices for each Subcategory.
Framework Implementation Tiers (“Tiers”) provide context on how an organization
views cybersecurity risk and the processes in place to manage that risk. Tiers describe the
degree to which an organization’s cybersecurity risk management practices exhibit the
characteristics defined in the Framework (e.g., risk and threat aware, repeatable, and
adaptive). The Tiers characterize an organization’s practices over a range, from Partial
(Tier 1) to Adaptive (Tier 4). These Tiers reflect a progression from informal, reactive
responses to approaches that are agile and risk-informed. During the Tier selection
process, an organization should consider its current risk management practices, threat
environment, legal and regulatory requirements, business/mission objectives, and
organizational constraints.
A Framework Profile (“Profile”) represents the outcomes based on business needs that an
organization has selected from the Framework Categories and Subcategories. The Profile
can be characterized as the alignment of standards, guidelines, and practices to the
Framework Core in a particular implementation scenario. Profiles can be used to identify
opportunities for improving cybersecurity posture by comparing a “Current” Profile (the
“as is” state) with a “Target” Profile (the “to be” state). To develop a Profile, an
organization can review all of the Categories and Subcategories and, based on business
drivers and a risk assessment, determine which are most important; they can add
Categories and Subcategories as needed to address the organization’s risks. The Current
Profile can then be used to support prioritization and measurement of progress toward the
Target Profile, while factoring in other business needs including cost-effectiveness and
innovation. Profiles can be used to conduct self-assessments and communicate within an
organization or between organizations.
1.2 Risk Management and the Cybersecurity Framework
Risk management is the ongoing process of identifying, assessing, and responding to risk. To
manage risk, organizations should understand the likelihood that an event will occur and the
resulting impact. With this information, organizations can determine the acceptable level of risk
for delivery of services and can express this as their risk tolerance.
With an understanding of risk tolerance, organizations can prioritize cybersecurity activities,
enabling organizations to make informed decisions about cybersecurity expenditures.
Implementation of risk management programs offers organizations the ability to quantify and
communicate adjustments to their cybersecurity programs. Organizations may choose to handle
risk in different ways, including mitigating the risk, transferring the risk, avoiding the risk, or
accepting the risk, depending on the potential impact to the delivery of critical services.
The Framework uses risk management processes to enable organizations to inform and prioritize
decisions regarding cybersecurity. It supports recurring risk assessments and validation of
business drivers to help organizations select target states for cybersecurity activities that reflect
desired outcomes. Thus, the Framework gives organizations the ability to dynamically select and
direct improvement in cybersecurity risk management for the IT and ICS environments.
The Framework is adaptive to provide a flexible and risk-based implementation that can be used
with a broad array of cybersecurity risk management processes. Examples of cybersecurity risk
management processes include International Organization for Standardization (ISO)
31000:2009 [3], ISO/IEC 27005:2011 [4], National Institute of Standards and Technology (NIST)
Special Publication (SP) 800-39 [5], and the Electricity Subsector Cybersecurity Risk Management
Process (RMP) guideline [6].
1.3 Document Overview
The remainder of this document contains the following sections and appendices:
Section 2 describes the Framework components: the Framework Core, the Tiers, and the
Profiles.
Section 3 presents examples of how the Framework can be used.
Appendix A presents the Framework Core in a tabular format: the Functions, Categories,
Subcategories, and Informative References.
Appendix B contains a glossary of selected terms.
Appendix C lists acronyms used in this document.
[3] International Organization for Standardization, Risk management – Principles and guidelines, ISO 31000:2009, 2009. http://www.iso.org/iso/home/standards/iso31000.htm
[4] International Organization for Standardization/International Electrotechnical Commission, Information technology – Security techniques – Information security risk management, ISO/IEC 27005:2011, 2011. http://www.iso.org/iso/catalogue_detail?csnumber=56742
[5] Joint Task Force Transformation Initiative, Managing Information Security Risk: Organization, Mission, and Information System View, NIST Special Publication 800-39, March 2011. http://csrc.nist.gov/publications/nistpubs/800-39/SP800-39-final.pdf
[6] U.S. Department of Energy, Electricity Subsector Cybersecurity Risk Management Process, DOE/OE-0003, May 2012. http://energy.gov/sites/prod/files/Cybersecurity%20Risk%20Management%20Process%20Guideline%20-%20Final%20-%20May%202012.pdf
2.0 Framework Basics
The Framework provides a common language for understanding, managing, and expressing
cybersecurity risk both internally and externally. It can be used to help identify and prioritize
actions for reducing cybersecurity risk, and it is a tool for aligning policy, business, and
technological approaches to managing that risk. It can be used to manage cybersecurity risk
across entire organizations or it can be focused on the delivery of critical services within an
organization. Different types of entities – including sector coordinating structures, associations,
and organizations – can use the Framework for different purposes, including the creation of
common Profiles.
2.1 Framework Core
The Framework Core provides a set of activities to achieve specific cybersecurity outcomes, and
references examples of guidance to achieve those outcomes. The Core is not a checklist of
actions to perform. It presents key cybersecurity outcomes identified by industry as helpful in
managing cybersecurity risk. The Core comprises four elements: Functions, Categories,
Subcategories, and Informative References, depicted in Figure 1:
Figure 1: Framework Core Structure
The Framework Core elements work together as follows:
Functions organize basic cybersecurity activities at their highest level. These Functions
are Identify, Protect, Detect, Respond, and Recover. They aid an organization in
expressing its management of cybersecurity risk by organizing information, enabling risk
management decisions, addressing threats, and improving by learning from previous
activities. The Functions also align with existing methodologies for incident management
and help show the impact of investments in cybersecurity. For example, investments in
planning and exercises support timely response and recovery actions, resulting in reduced
impact to the delivery of services.
Categories are the subdivisions of a Function into groups of cybersecurity outcomes
closely tied to programmatic needs and particular activities. Examples of Categories
include “Asset Management,” “Access Control,” and “Detection Processes.”
Subcategories further divide a Category into specific outcomes of technical and/or
management activities. They provide a set of results that, while not exhaustive, help
support achievement of the outcomes in each Category. Examples of Subcategories
include “External information systems are catalogued,” “Data-at-rest is protected,” and
“Notifications from detection systems are investigated.”
Informative References are specific sections of standards, guidelines, and practices
common among critical infrastructure sectors that illustrate a method to achieve the
outcomes associated with each Subcategory. The Informative References presented in the
Framework Core are illustrative and not exhaustive. They are based upon cross-sector
guidance most frequently referenced during the Framework development process. [7]
The five Framework Core Functions are defined below. These Functions are not intended to
form a serial path, or lead to a static desired end state. Rather, the Functions can be performed
concurrently and continuously to form an operational culture that addresses the dynamic
cybersecurity risk. See Appendix A for the complete Framework Core listing.
Identify – Develop the organizational understanding to manage cybersecurity risk to
systems, assets, data, and capabilities.
The activities in the Identify Function are foundational for effective use of the
Framework. Understanding the business context, the resources that support critical
functions, and the related cybersecurity risks enables an organization to focus and
prioritize its efforts, consistent with its risk management strategy and business needs.
Examples of outcome Categories within this Function include: Asset Management;
Business Environment; Governance; Risk Assessment; and Risk Management Strategy.
Protect – Develop and implement the appropriate safeguards to ensure delivery of
critical infrastructure services.
The Protect Function supports the ability to limit or contain the impact of a potential
cybersecurity event. Examples of outcome Categories within this Function include:
Access Control; Awareness and Training; Data Security; Information Protection
Processes and Procedures; Maintenance; and Protective Technology.
Detect – Develop and implement the appropriate activities to identify the occurrence of a
cybersecurity event.
The Detect Function enables timely discovery of cybersecurity events. Examples of
outcome Categories within this Function include: Anomalies and Events; Security
Continuous Monitoring; and Detection Processes.
Respond – Develop and implement the appropriate activities to take action regarding a
detected cybersecurity event.
[7] NIST developed a Compendium of informative references gathered from the Request for Information (RFI)
input, Cybersecurity Framework workshops, and stakeholder engagement during the Framework development
process. The Compendium includes standards, guidelines, and practices to assist with implementation. The
Compendium is not intended to be an exhaustive list, but rather a starting point based on initial stakeholder
input. The Compendium and other supporting material can be found at http://www.nist.gov/cyberframework/.
The Respond Function supports the ability to contain the impact of a potential
cybersecurity event. Examples of outcome Categories within this Function include:
Response Planning; Communications; Analysis; Mitigation; and Improvements.
Recover – Develop and implement the appropriate activities to maintain plans for
resilience and to restore any capabilities or services that were impaired due to a
cybersecurity event.
The Recover Function supports timely recovery to normal operations to reduce the
impact from a cybersecurity event. Examples of outcome Categories within this Function
include: Recovery Planning; Improvements; and Communications.
2.2 Framework Implementation Tiers
The Framework Implementation Tiers (“Tiers”) provide context on how an organization views
cybersecurity risk and the processes in place to manage that risk. The Tiers range from Partial
(Tier 1) to Adaptive (Tier 4) and describe an increasing degree of rigor and sophistication in
cybersecurity risk management practices and the extent to which cybersecurity risk management
is informed by business needs and is integrated into an organization’s overall risk management
practices. Risk management considerations include many aspects of cybersecurity, including the
degree to which privacy and civil liberties considerations are integrated into an organization’s
management of cybersecurity risk and potential risk responses.
The Tier selection process considers an organization’s current risk management practices, threat
environment, legal and regulatory requirements, business/mission objectives, and organizational
constraints. Organizations should determine the desired Tier, ensuring that the selected level
meets the organizational goals, is feasible to implement, and reduces cybersecurity risk to critical
assets and resources to levels acceptable to the organization. Organizations should consider
leveraging external guidance obtained from Federal government departments and agencies,
Information Sharing and Analysis Centers (ISACs), existing maturity models, or other sources to
assist in determining their desired Tier.
While organizations identified as Tier 1 (Partial) are encouraged to consider moving toward Tier
2 or greater, Tiers do not represent maturity levels. Progression to higher Tiers is encouraged
when such a change would reduce cybersecurity risk and be cost effective. Successful
implementation of the Framework is based upon achievement of the outcomes described in the
organization’s Target Profile(s) and not upon Tier determination.
The Tier definitions are as follows:
Tier 1: Partial
Risk Management Process – Organizational cybersecurity risk management practices are
not formalized, and risk is managed in an ad hoc and sometimes reactive manner.
Prioritization of cybersecurity activities may not be directly informed by organizational
risk objectives, the threat environment, or business/mission requirements.
Integrated Risk Management Program – There is limited awareness of cybersecurity risk
at the organizational level and an organization-wide approach to managing cybersecurity
risk has not been established. The organization implements cybersecurity risk
management on an irregular, case-by-case basis due to varied experience or information
gained from outside sources. The organization may not have processes that enable
cybersecurity information to be shared within the organization.
External Participation – An organization may not have the processes in place to
participate in coordination or collaboration with other entities.
Tier 2: Risk Informed
Risk Management Process – Risk management practices are approved by management
but may not be established as organizational-wide policy. Prioritization of cybersecurity
activities is directly informed by organizational risk objectives, the threat environment, or
business/mission requirements.
Integrated Risk Management Program – There is an awareness of cybersecurity risk at
the organizational level but an organization-wide approach to managing cybersecurity
risk has not been established. Risk-informed, management-approved processes and
procedures are defined and implemented, and staff has adequate resources to perform
their cybersecurity duties. Cybersecurity information is shared within the organization on
an informal basis.
External Participation – The organization knows its role in the larger ecosystem, but has
not formalized its capabilities to interact and share information externally.
Tier 3: Repeatable
Risk Management Process – The organization’s risk management practices are formally
approved and expressed as policy. Organizational cybersecurity practices are regularly
updated based on the application of risk management processes to changes in
business/mission requirements and a changing threat and technology landscape.
Integrated Risk Management Program – There is an organization-wide approach to
manage cybersecurity risk. Risk-informed policies, processes, and procedures are
defined, implemented as intended, and reviewed. Consistent methods are in place to
respond effectively to changes in risk. Personnel possess the knowledge and skills to
perform their appointed roles and responsibilities.
External Participation – The organization understands its dependencies and partners and
receives information from these partners that enables collaboration and risk-based
management decisions within the organization in response to events.
Tier 4: Adaptive
Risk Management Process – The organization adapts its cybersecurity practices based on
lessons learned and predictive indicators derived from previous and current cybersecurity
activities. Through a process of continuous improvement incorporating advanced
cybersecurity technologies and practices, the organization actively adapts to a changing
cybersecurity landscape and responds to evolving and sophisticated threats in a timely
manner.
Integrated Risk Management Program – There is an organization-wide approach to
managing cybersecurity risk that uses risk-informed policies, processes, and procedures
to address potential cybersecurity events. Cybersecurity risk management is part of the
organizational culture and evolves from an awareness of previous activities, information
shared by other sources, and continuous awareness of activities on their systems and
networks.
External Participation – The organization manages risk and actively shares information
with partners to ensure that accurate, current information is being distributed and
consumed to improve cybersecurity before a cybersecurity event occurs.
2.3 Framework Profile
The Framework Profile (“Profile”) is the alignment of the Functions, Categories, and
Subcategories with the business requirements, risk tolerance, and resources of the organization.
A Profile enables organizations to establish a roadmap for reducing cybersecurity risk that is well
aligned with organizational and sector goals, considers legal/regulatory requirements and
industry best practices, and reflects risk management priorities. Given the complexity of many
organizations, they may choose to have multiple Profiles, aligned with particular components and
recognizing their individual needs.
Framework Profiles can be used to describe the current state or the desired target state of specific
cybersecurity activities. The Current Profile indicates the cybersecurity outcomes that are
currently being achieved. The Target Profile indicates the outcomes needed to achieve the
desired cybersecurity risk management goals. Profiles support business/mission requirements
and aid in the communication of risk within and between organizations. This Framework
document does not prescribe Profile templates, allowing for flexibility in implementation.
Comparison of Profiles (e.g., the Current Profile and Target Profile) may reveal gaps to be
addressed to meet cybersecurity risk management objectives. An action plan to address these
gaps can contribute to the roadmap described above. Prioritization of gap mitigation is driven by
the organization’s business needs and risk management processes. This risk-based approach
enables an organization to gauge resource estimates (e.g., staffing, funding) to achieve
cybersecurity goals in a cost-effective, prioritized manner.
2.4 Coordination of Framework Implementation
Figure 2 describes a common flow of information and decisions at the following levels within an
organization:
Executive
Business/Process
Implementation/Operations
The executive level communicates the mission priorities, available resources, and overall risk
tolerance to the business/process level. The business/process level uses the information as inputs
into the risk management process, and then collaborates with the implementation/operations
level to communicate business needs and create a Profile. The implementation/operations level
communicates the Profile implementation progress to the business/process level. The
business/process level uses this information to perform an impact assessment. Business/process
level management reports the outcomes of that impact assessment to the executive level to
inform the organization’s overall risk management process and to the implementation/operations
level for awareness of business impact.
Figure 2: Notional Information and Decision Flows within an Organization
3.0 How to Use the Framework
An organization can use the Framework as a key part of its systematic process for identifying,
assessing, and managing cybersecurity risk. The Framework is not designed to replace existing
processes; an organization can use its current process and overlay it onto the Framework to
determine gaps in its current cybersecurity risk approach and develop a roadmap to
improvement. Utilizing the Framework as a cybersecurity risk management tool, an organization
can determine activities that are most important to critical service delivery and prioritize
expenditures to maximize the impact of the investment.
The Framework is designed to complement existing business and cybersecurity operations. It can
serve as the foundation for a new cybersecurity program or a mechanism for improving an
existing program. The Framework provides a means of expressing cybersecurity requirements to
business partners and customers and can help identify gaps in an organization’s cybersecurity
practices. It also provides a general set of considerations and processes for considering privacy
and civil liberties implications in the context of a cybersecurity program.
The following sections present different ways in which organizations can use the Framework.
3.1 Basic Review of Cybersecurity Practices
The Framework can be used to compare an organization’s current cybersecurity activities with
those outlined in the Framework Core. Through the creation of a Current Profile, organizations
can examine the extent to which they are achieving the outcomes described in the Core
Categories and Subcategories, aligned with the five high-level Functions: Identify, Protect,
Detect, Respond, and Recover. An organization may find that it is already achieving the desired
outcomes, thus managing cybersecurity commensurate with the known risk. Conversely, an
organization may determine that it has opportunities to (or needs to) improve. The organization
can use that information to develop an action plan to strengthen existing cybersecurity practices
and reduce cybersecurity risk. An organization may also find that it is overinvesting to achieve
certain outcomes. The organization can use this information to reprioritize resources to
strengthen other cybersecurity practices.
While they do not replace a risk management process, these five high-level Functions will
provide a concise way for senior executives and others to distill the fundamental concepts of
cybersecurity risk so that they can assess how identified risks are managed, and how their
organization stacks up at a high level against existing cybersecurity standards, guidelines, and
practices. The Framework can also help an organization answer fundamental questions,
including “How are we doing?” Then they can move in a more informed way to strengthen their
cybersecurity practices where and when deemed necessary.
3.2 Establishing or Improving a Cybersecurity Program
The following steps illustrate how an organization could use the Framework to create a new
cybersecurity program or improve an existing program. These steps should be repeated as
necessary to continuously improve cybersecurity.
Step 1: Prioritize and Scope. The organization identifies its business/mission objectives and
high-level organizational priorities. With this information, the organization makes strategic
decisions regarding cybersecurity implementations and determines the scope of systems and
assets that support the selected business line or process. The Framework can be adapted to
support the different business lines or processes within an organization, which may have
different business needs and associated risk tolerance.
Step 2: Orient. Once the scope of the cybersecurity program has been determined for the
business line or process, the organization identifies related systems and assets, regulatory
requirements, and overall risk approach. The organization then identifies threats to, and
vulnerabilities of, those systems and assets.
Step 3: Create a Current Profile. The organization develops a Current Profile by indicating
which Category and Subcategory outcomes from the Framework Core are currently being
achieved.
Step 4: Conduct a Risk Assessment. This assessment could be guided by the organization’s
overall risk management process or previous risk assessment activities. The organization
analyzes the operational environment in order to discern the likelihood of a cybersecurity event
and the impact that the event could have on the organization. It is important that organizations
seek to incorporate emerging risks and threat and vulnerability data to facilitate a robust
understanding of the likelihood and impact of cybersecurity events.
Step 5: Create a Target Profile. The organization creates a Target Profile that focuses on the
assessment of the Framework Categories and Subcategories describing the organization’s desired
cybersecurity outcomes. Organizations also may develop their own additional Categories and
Subcategories to account for unique organizational risks. The organization may also consider
influences and requirements of external stakeholders such as sector entities, customers, and
business partners when creating a Target Profile.
Step 6: Determine, Analyze, and Prioritize Gaps. The organization compares the Current
Profile and the Target Profile to determine gaps. Next it creates a prioritized action plan to
address those gaps that draws upon mission drivers, a cost/benefit analysis, and understanding of
risk to achieve the outcomes in the Target Profile. The organization then determines resources
necessary to address the gaps. Using Profiles in this manner enables the organization to make
informed decisions about cybersecurity activities, supports risk management, and enables the
organization to perform cost-effective, targeted improvements.
Step 7: Implement Action Plan. The organization determines which actions to take with regard
to the gaps, if any, identified in the previous step. It then monitors its current cybersecurity
practices against the Target Profile. For further guidance, the Framework identifies example
Informative References regarding the Categories and Subcategories, but organizations should
determine which standards, guidelines, and practices, including those that are sector specific,
work best for their needs.
An organization may repeat the steps as needed to continuously assess and improve its
cybersecurity. For instance, organizations may find that more frequent repetition of the orient
step improves the quality of risk assessments. Furthermore, organizations may monitor progress
through iterative updates to the Current Profile, subsequently comparing the Current Profile to
the Target Profile. Organizations may also utilize this process to align their cybersecurity
program with their desired Framework Implementation Tier.
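The seven steps above, applied to the Core structure described in Section 2.1 (Functions, Categories, Subcategories, Informative References), can be carried out over a small machine-readable model of the Core. The following Python is an added example and is not code from NIST or from this handout. The Framework prescribes no Profile template and no scoring formula, so everything beyond the Core structure is an assumption of this example: the Subcategory identifiers follow the Appendix A naming (Function.Category-number) for the three outcome texts quoted in Section 2.1, the single Informative Reference listed per Subcategory is a recollection of Appendix A and should be checked against it, and the likelihood, impact and cost values are constructed. Risk is scored as likelihood times impact (Step 4) and gaps are ranked by risk per unit of cost (Step 6); the same comparison serves Section 3.3 when a service provider's Current Profile is checked against a customer's Target Profile.

```python
"""Current-vs-Target Profile gap analysis over a small slice of the Framework Core.

Added example; not code from NIST or from the handout. Subcategory identifiers
follow Appendix A naming (Function.Category-n); the three outcome texts are the
ones quoted in Section 2.1 and the rest of the Core is omitted. The Informative
References are assumed, and the risk scores and costs are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Framework Core (Section 2.1): Subcategory -> Function, Category, outcome, references.
CORE: Dict[str, dict] = {
    "ID.AM-4": {"function": "Identify", "category": "Asset Management",
                "outcome": "External information systems are catalogued",
                "references": ["NIST SP 800-53 Rev. 4 AC-20"]},   # assumed reference
    "PR.DS-1": {"function": "Protect", "category": "Data Security",
                "outcome": "Data-at-rest is protected",
                "references": ["NIST SP 800-53 Rev. 4 SC-28"]},   # assumed reference
    "RS.AN-1": {"function": "Respond", "category": "Analysis",
                "outcome": "Notifications from detection systems are investigated",
                "references": ["NIST SP 800-53 Rev. 4 IR-4"]},    # assumed reference
}


@dataclass(frozen=True)
class TargetOutcome:
    """One Target Profile entry (Step 5). likelihood and impact come from the
    Step 4 risk assessment on constructed 1..5 ordinal scales; cost is a
    relative effort estimate. The scoring is this example's assumption."""
    likelihood: int
    impact: int
    cost: int

    @property
    def risk(self) -> int:
        return self.likelihood * self.impact


@dataclass(frozen=True)
class Gap:
    subcategory: str
    function: str
    outcome: str
    risk: int
    cost: int
    references: Tuple[str, ...]

    @property
    def priority(self) -> float:
        # Step 6 cost/benefit: risk addressed per unit of effort (assumed formula).
        return self.risk / self.cost


def validate_profile(ids, core: Dict[str, dict]) -> None:
    """Profiles may only name Subcategories that exist in the Core or in the
    organization's own extensions (Step 5 allows organizations to add their own)."""
    unknown = sorted(set(ids) - set(core))
    if unknown:
        raise ValueError(f"Subcategories not defined in the Core or its extensions: {unknown}")


def gap_analysis(current: Dict[str, bool], target: Dict[str, TargetOutcome],
                 core: Dict[str, dict] = CORE) -> List[Gap]:
    """Step 6: outcomes required by the Target Profile but not achieved in the
    Current Profile (Step 3), highest priority first, then by identifier."""
    validate_profile(list(current) + list(target), core)
    gaps = []
    for sub_id, t in target.items():
        if current.get(sub_id, False):
            continue  # outcome already achieved: no gap
        c = core[sub_id]
        gaps.append(Gap(sub_id, c["function"], c["outcome"], t.risk, t.cost,
                        tuple(c["references"])))
    return sorted(gaps, key=lambda g: (-g.priority, g.subcategory))


def progress(current: Dict[str, bool], target: Dict[str, TargetOutcome]) -> float:
    """Step 7: fraction of Target Profile outcomes currently achieved (0.0 to 1.0)."""
    if not target:
        return 1.0
    achieved = sum(1 for s in target if current.get(s, False))
    return achieved / len(target)


def by_function(gaps: List[Gap]) -> Dict[str, List[str]]:
    """Roll gaps up to the Functions for executive-level reporting (Section 2.4)."""
    out: Dict[str, List[str]] = {}
    for g in gaps:
        out.setdefault(g.function, []).append(g.subcategory)
    return out


# Constructed sample Profiles for a small organization.
CURRENT_PROFILE = {"ID.AM-4": False, "PR.DS-1": True, "RS.AN-1": False}
TARGET_PROFILE = {
    "ID.AM-4": TargetOutcome(likelihood=4, impact=3, cost=1),
    "PR.DS-1": TargetOutcome(likelihood=3, impact=5, cost=3),
    "RS.AN-1": TargetOutcome(likelihood=4, impact=4, cost=2),
}

if __name__ == "__main__":
    for g in gap_analysis(CURRENT_PROFILE, TARGET_PROFILE):
        print(f"{g.subcategory:8} {g.function:8} risk={g.risk:2} cost={g.cost} "
              f"priority={g.priority:.1f}  {g.outcome}  refs={', '.join(g.references)}")
    print(f"progress toward Target Profile: {progress(CURRENT_PROFILE, TARGET_PROFILE):.0%}")
```

Re-running the analysis after each action plan iteration, with an updated CURRENT_PROFILE, is the iterative Current-to-Target comparison the text describes; an organization's own Subcategories are supported by passing an extended `core` dictionary, and a Profile that names an undefined Subcategory is rejected rather than silently ignored.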
3.3 Communicating Cybersecurity Requirements with Stakeholders
The Framework provides a common language to communicate requirements among
interdependent stakeholders responsible for the delivery of essential critical infrastructure
services. Examples include:
An organization may utilize a Target Profile to express cybersecurity risk management
requirements to an external service provider (e.g., a cloud provider to which it is
exporting data).
An organization may express its cybersecurity state through a Current Profile to report
results or to compare with acquisition requirements.
A critical infrastructure owner/operator, having identified an external partner on whom
that infrastructure depends, may use a Target Profile to convey required Categories and
Subcategories.
A critical infrastructure sector may establish a Target Profile that can be used among its
constituents as an initial baseline Profile to build their tailored Target Profiles.
3.4 Identifying Opportunities for New or Revised Informative References
The Framework can be used to identify opportunities for new or revised standards, guidelines, or
practices where additional Informative References would help organizations address emerging
needs. An organization implementing a given Subcategory, or developing a new Subcategory,
might discover that there are few Informative References, if any, for a related activity. To
address that need, the organization might collaborate with technology leaders and/or standards
bodies to draft, develop, and coordinate standards, guidelines, or practices.
3.5 Methodology to Protect Privacy and Civil Liberties
This section describes a methodology as required by the Executive Order to address individual
privacy and civil liberties implications that may result from cybersecurity operations. This
methodology is intended to be a general set of considerations and processes since privacy and
civil liberties implications may differ by sector or over time and organizations may address these
considerations and processes with a range of technical implementations. Nonetheless, not all
activities in a cybersecurity program may give rise to these considerations. Consistent with
Section 3.4, technical privacy standards, guidelines, and additional best practices may need to be
developed to support improved technical implementations.
Privacy and civil liberties implications may arise when personal information is used, collected,
processed, maintained, or disclosed in connection with an organization’s cybersecurity activities.
Some examples of activities that bear privacy or civil liberties considerations may include:
cybersecurity activities that result in the over-collection or over-retention of personal
information; disclosure or use of personal information unrelated to cybersecurity activities;
cybersecurity mitigation activities that result in denial of service or other similar potentially
adverse impacts, including activities such as some types of incident detection or monitoring that
may impact freedom of expression or association.
The government and agents of the government have a direct responsibility to protect civil
liberties arising from cybersecurity activities. As referenced in the methodology below,
government or agents of the government that own or operate critical infrastructure should have a
process in place to support compliance of cybersecurity activities with applicable privacy laws,
regulations, and Constitutional requirements.
To address privacy implications, organizations may consider how, in circumstances where such
measures are appropriate, their cybersecurity program might incorporate privacy principles such
as: data minimization in the collection, disclosure, and retention of personal information material
related to the cybersecurity incident; use limitations outside of cybersecurity activities on any
information collected specifically for cybersecurity activities; transparency for certain
cybersecurity activities; individual consent and redress for adverse impacts arising from use of
personal information in cybersecurity activities; data quality, integrity, and security; and
accountability and auditing.
As organizations assess the Framework Core in Appendix A, the following processes and activities may be considered as a means to address the above-referenced privacy and civil liberties implications:

Governance of cybersecurity risk
- An organization’s assessment of cybersecurity risk and potential risk responses considers the privacy implications of its cybersecurity program
- Individuals with cybersecurity-related privacy responsibilities report to appropriate management and are appropriately trained
- Process is in place to support compliance of cybersecurity activities with applicable privacy laws, regulations, and Constitutional requirements
- Process is in place to assess implementation of the foregoing organizational measures and controls

Approaches to identifying and authorizing individuals to access organizational assets and systems
- Steps are taken to identify and address the privacy implications of access control measures to the extent that they involve collection, disclosure, or use of personal information

Awareness and training measures
- Applicable information from organizational privacy policies is included in cybersecurity workforce training and awareness activities
- Service providers that provide cybersecurity-related services for the organization are informed about the organization’s applicable privacy policies

Anomalous activity detection and system and assets monitoring
- Process is in place to conduct a privacy review of an organization’s anomalous activity detection and cybersecurity monitoring

Response activities, including information sharing or other mitigation efforts
- Process is in place to assess and address whether, when, how, and the extent to which personal information is shared outside the organization as part of cybersecurity information sharing activities
- Process is in place to conduct a privacy review of an organization’s cybersecurity mitigation efforts
Appendix A: Framework Core
This appendix presents the Framework Core: a listing of Functions, Categories, Subcategories,
and Informative References that describe specific cybersecurity activities that are common
across all critical infrastructure sectors. The chosen presentation format for the Framework Core
does not suggest a specific implementation order or imply a degree of importance of the
Categories, Subcategories, and Informative References. The Framework Core presented in this
appendix represents a common set of activities for managing cybersecurity risk. While the
Framework is not exhaustive, it is extensible, allowing organizations, sectors, and other entities
to use Subcategories and Informative References that are cost-effective and efficient and that
enable them to manage their cybersecurity risk. Activities can be selected from the Framework
Core during the Profile creation process and additional Categories, Subcategories, and
Informative References may be added to the Profile. An organization’s risk management
processes, legal/regulatory requirements, business/mission objectives, and organizational
constraints guide the selection of these activities during Profile creation. Personal information is
considered a component of data or assets referenced in the Categories when assessing security
risks and protections.
While the intended outcomes identified in the Functions, Categories, and Subcategories are the
same for IT and ICS, the operational environments and considerations for IT and ICS differ. ICS
have a direct effect on the physical world, including potential risks to the health and safety of
individuals, and impact on the environment. Additionally, ICS have unique performance and
reliability requirements compared with IT, and the goals of safety and efficiency must be
considered when implementing cybersecurity measures.
For ease of use, each component of the Framework Core is given a unique identifier. Functions
and Categories each have a unique alphabetic identifier, as shown in Table 1. Subcategories
within each Category are referenced numerically; the unique identifier for each Subcategory is
included in Table 2.
Additional supporting material relating to the Framework can be found on the NIST website at
http://www.nist.gov/cyberframework/.
Table 1: Function and Category Unique Identifiers

Function Unique Identifier / Function
    Category Unique Identifier / Category

ID  Identify
    ID.AM  Asset Management
    ID.BE  Business Environment
    ID.GV  Governance
    ID.RA  Risk Assessment
    ID.RM  Risk Management Strategy
PR  Protect
    PR.AC  Access Control
    PR.AT  Awareness and Training
    PR.DS  Data Security
    PR.IP  Information Protection Processes and Procedures
    PR.MA  Maintenance
    PR.PT  Protective Technology
DE  Detect
    DE.AE  Anomalies and Events
    DE.CM  Security Continuous Monitoring
    DE.DP  Detection Processes
RS  Respond
    RS.RP  Response Planning
    RS.CO  Communications
    RS.AN  Analysis
    RS.MI  Mitigation
    RS.IM  Improvements
RC  Recover
    RC.RP  Recovery Planning
    RC.IM  Improvements
    RC.CO  Communications
Table 2: Framework Core

Function | Category | Subcategory | Informative References

Function: IDENTIFY (ID)

Category: Asset Management (ID.AM): The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to business objectives and the organization’s risk strategy.

ID.AM-1: Physical devices and systems within the organization are inventoried
    CCS CSC 1
    COBIT 5 BAI09.01, BAI09.02
    ISA 62443-2-1:2009 4.2.3.4
    ISA 62443-3-3:2013 SR 7.8
    ISO/IEC 27001:2013 A.8.1.1, A.8.1.2
    NIST SP 800-53 Rev. 4 CM-8

ID.AM-2: Software platforms and applications within the organization are inventoried
    CCS CSC 2
    COBIT 5 BAI09.01, BAI09.02, BAI09.05
    ISA 62443-2-1:2009 4.2.3.4
    ISA 62443-3-3:2013 SR 7.8
    ISO/IEC 27001:2013 A.8.1.1, A.8.1.2
    NIST SP 800-53 Rev. 4 CM-8

ID.AM-3: Organizational communication and data flows are mapped
    CCS CSC 1
    COBIT 5 DSS05.02
    ISA 62443-2-1:2009 4.2.3.4
    ISO/IEC 27001:2013 A.13.2.1
    NIST SP 800-53 Rev. 4 AC-4, CA-3, CA-9, PL-8

ID.AM-4: External information systems are catalogued
    COBIT 5 APO02.02
    ISO/IEC 27001:2013 A.11.2.6
    NIST SP 800-53 Rev. 4 AC-20, SA-9

ID.AM-5: Resources (e.g., hardware, devices, data, and software) are prioritized based on their classification, criticality, and business value
    COBIT 5 APO03.03, APO03.04, BAI09.02
    ISA 62443-2-1:2009 4.2.3.6
    ISO/IEC 27001:2013 A.8.2.1
    NIST SP 800-53 Rev. 4 CP-2, RA-2, SA-14

ID.AM-6: Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g., suppliers, customers, partners) are established
    COBIT 5 APO01.02, DSS06.03
    ISA 62443-2-1:2009 4.3.2.3.3
    ISO/IEC 27001:2013 A.6.1.1
    NIST SP 800-53 Rev. 4 CP-2, PS-7, PM-11

Category: Business Environment (ID.BE): The organization’s mission, objectives, stakeholders, and activities are understood and prioritized; this information is used to inform cybersecurity roles, responsibilities, and risk management decisions.

ID.BE-1: The organization’s role in the supply chain is identified and communicated
    COBIT 5 APO08.04, APO08.05, APO10.03, APO10.04, APO10.05
    ISO/IEC 27001:2013 A.15.1.3, A.15.2.1, A.15.2.2
    NIST SP 800-53 Rev. 4 CP-2, SA-12

ID.BE-2: The organization’s place in critical infrastructure and its industry sector is identified and communicated
    COBIT 5 APO02.06, APO03.01
    NIST SP 800-53 Rev. 4 PM-8

ID.BE-3: Priorities for organizational mission, objectives, and activities are established and communicated
    COBIT 5 APO02.01, APO02.06, APO03.01
    ISA 62443-2-1:2009 4.2.2.1, 4.2.3.6
    NIST SP 800-53 Rev. 4 PM-11, SA-14

ID.BE-4: Dependencies and critical functions for delivery of critical services are established
    ISO/IEC 27001:2013 A.11.2.2, A.11.2.3, A.12.1.3
    NIST SP 800-53 Rev. 4 CP-8, PE-9, PE-11, PM-8, SA-14

ID.BE-5: Resilience requirements to support delivery of critical services are established
    COBIT 5 DSS04.02
    ISO/IEC 27001:2013 A.11.1.4, A.17.1.1, A.17.1.2, A.17.2.1
    NIST SP 800-53 Rev. 4 CP-2, CP-11, SA-14

Category: Governance (ID.GV): The policies, procedures, and processes to manage and monitor the organization’s regulatory, legal, risk, environmental, and operational requirements are understood and inform the management of cybersecurity risk.

ID.GV-1: Organizational information security policy is established
    COBIT 5 APO01.03, EDM01.01, EDM01.02
    ISA 62443-2-1:2009 4.3.2.6
    ISO/IEC 27001:2013 A.5.1.1
    NIST SP 800-53 Rev. 4 -1 controls from all families

ID.GV-2: Information security roles & responsibilities are coordinated and aligned with internal roles and external partners
    COBIT 5 APO13.12
    ISA 62443-2-1:2009 4.3.2.3.3
    ISO/IEC 27001:2013 A.6.1.1, A.7.2.1
    NIST SP 800-53 Rev. 4 PM-1, PS-7

ID.GV-3: Legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations, are understood and managed
    COBIT 5 MEA03.01, MEA03.04
    ISA 62443-2-1:2009 4.4.3.7
    ISO/IEC 27001:2013 A.18.1
    NIST SP 800-53 Rev. 4 -1 controls from all families (except PM-1)

ID.GV-4: Governance and risk management processes address cybersecurity risks
    COBIT 5 DSS04.02
    ISA 62443-2-1:2009 4.2.3.1, 4.2.3.3, 4.2.3.8, 4.2.3.9, 4.2.3.11, 4.3.2.4.3, 4.3.2.6.3
    NIST SP 800-53 Rev. 4 PM-9, PM-11

Category: Risk Assessment (ID.RA): The organization understands the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals.

ID.RA-1: Asset vulnerabilities are identified and documented
    CCS CSC 4
    COBIT 5 APO12.01, APO12.02, APO12.03, APO12.04
    ISA 62443-2-1:2009 4.2.3, 4.2.3.7, 4.2.3.9, 4.2.3.12
    ISO/IEC 27001:2013 A.12.6.1, A.18.2.3
    NIST SP 800-53 Rev. 4 CA-2, CA-7, CA-8, RA-3, RA-5, SA-5, SA-11, SI-2, SI-4, SI-5

ID.RA-2: Threat and vulnerability information is received from information sharing forums and sources
    ISA 62443-2-1:2009 4.2.3, 4.2.3.9, 4.2.3.12
    ISO/IEC 27001:2013 A.6.1.4
    NIST SP 800-53 Rev. 4 PM-15, PM-16, SI-5

ID.RA-3: Threats, both internal and external, are identified and documented
    COBIT 5 APO12.01, APO12.02, APO12.03, APO12.04
    ISA 62443-2-1:2009 4.2.3, 4.2.3.9, 4.2.3.12
    NIST SP 800-53 Rev. 4 RA-3, SI-5, PM-12, PM-16

ID.RA-4: Potential business impacts and likelihoods are identified
    COBIT 5 DSS04.02
    ISA 62443-2-1:2009 4.2.3, 4.2.3.9, 4.2.3.12
    NIST SP 800-53 Rev. 4 RA-2, RA-3, PM-9, PM-11, SA-14

ID.RA-5: Threats, vulnerabilities, likelihoods, and impacts are used to determine risk
    COBIT 5 APO12.02
    ISO/IEC 27001:2013 A.12.6.1
    NIST SP 800-53 Rev. 4 RA-2, RA-3, PM-16

ID.RA-6: Risk responses are identified and prioritized
    COBIT 5 APO12.05, APO13.02
    NIST SP 800-53 Rev. 4 PM-4, PM-9

Category: Risk Management Strategy (ID.RM): The organization’s priorities, constraints, risk tolerances, and assumptions are established and used to support operational risk decisions.

ID.RM-1: Risk management processes are established, managed, and agreed to by organizational stakeholders
    COBIT 5 APO12.04, APO12.05, APO13.02, BAI02.03, BAI04.02
    ISA 62443-2-1:2009 4.3.4.2
    NIST SP 800-53 Rev. 4 PM-9

ID.RM-2: Organizational risk tolerance is determined and clearly expressed
    COBIT 5 APO12.06
    ISA 62443-2-1:2009 4.3.2.6.5
    NIST SP 800-53 Rev. 4 PM-9

ID.RM-3: The organization’s determination of risk tolerance is informed by its role in critical infrastructure and sector specific risk analysis
    NIST SP 800-53 Rev. 4 PM-8, PM-9, PM-11, SA-14
Function: PROTECT (PR)

Category: Access Control (PR.AC): Access to assets and associated facilities is limited to authorized users, processes, or devices, and to authorized activities and transactions.

PR.AC-1: Identities and credentials are managed for authorized devices and users
    CCS CSC 16
    COBIT 5 DSS05.04, DSS06.03
    ISA 62443-2-1:2009 4.3.3.5.1
    ISA 62443-3-3:2013 SR 1.1, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9
    ISO/IEC 27001:2013 A.9.2.1, A.9.2.2, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3
    NIST SP 800-53 Rev. 4 AC-2, IA Family

PR.AC-2: Physical access to assets is managed and protected
    COBIT 5 DSS01.04, DSS05.05
    ISA 62443-2-1:2009 4.3.3.3.2, 4.3.3.3.8
    ISO/IEC 27001:2013 A.11.1.1, A.11.1.2, A.11.1.4, A.11.1.6, A.11.2.3
    NIST SP 800-53 Rev. 4 PE-2, PE-3, PE-4, PE-5, PE-6, PE-9

PR.AC-3: Remote access is managed
    COBIT 5 APO13.01, DSS01.04, DSS05.03
    ISA 62443-2-1:2009 4.3.3.6.6
    ISA 62443-3-3:2013 SR 1.13, SR 2.6
    ISO/IEC 27001:2013 A.6.2.2, A.13.1.1, A.13.2.1
    NIST SP 800-53 Rev. 4 AC-17, AC-19, AC-20

PR.AC-4: Access permissions are managed, incorporating the principles of least privilege and separation of duties
    CCS CSC 12, 15
    ISA 62443-2-1:2009 4.3.3.7.3
    ISA 62443-3-3:2013 SR 2.1
    ISO/IEC 27001:2013 A.6.1.2, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4
    NIST SP 800-53 Rev. 4 AC-2, AC-3, AC-5, AC-6, AC-16

PR.AC-5: Network integrity is protected, incorporating network segregation where appropriate
    ISA 62443-2-1:2009 4.3.3.4
    ISA 62443-3-3:2013 SR 3.1, SR 3.8
    ISO/IEC 27001:2013 A.13.1.1, A.13.1.3, A.13.2.1
    NIST SP 800-53 Rev. 4 AC-4, SC-7

Category: Awareness and Training (PR.AT): The organization’s personnel and partners are provided cybersecurity awareness education and are adequately trained to perform their information security-related duties and responsibilities consistent with related policies, procedures, and agreements.

PR.AT-1: All users are informed and trained
    CCS CSC 9
    COBIT 5 APO07.03, BAI05.07
    ISA 62443-2-1:2009 4.3.2.4.2
    ISO/IEC 27001:2013 A.7.2.2
    NIST SP 800-53 Rev. 4 AT-2, PM-13

PR.AT-2: Privileged users understand roles & responsibilities
    CCS CSC 9
    COBIT 5 APO07.02, DSS06.03
    ISA 62443-2-1:2009 4.3.2.4.2, 4.3.2.4.3
    ISO/IEC 27001:2013 A.6.1.1, A.7.2.2
    NIST SP 800-53 Rev. 4 AT-3, PM-13

PR.AT-3: Third-party stakeholders (e.g., suppliers, customers, partners) understand roles & responsibilities
    CCS CSC 9
    COBIT 5 APO07.03, APO10.04, APO10.05
    ISA 62443-2-1:2009 4.3.2.4.2
    ISO/IEC 27001:2013 A.6.1.1, A.7.2.2
    NIST SP 800-53 Rev. 4 PS-7, SA-9

PR.AT-4: Senior executives understand roles & responsibilities
    CCS CSC 9
    COBIT 5 APO07.03
    ISA 62443-2-1:2009 4.3.2.4.2
    ISO/IEC 27001:2013 A.6.1.1, A.7.2.2
    NIST SP 800-53 Rev. 4 AT-3, PM-13

PR.AT-5: Physical and information security personnel understand roles & responsibilities
    CCS CSC 9
    COBIT 5 APO07.03
    ISA 62443-2-1:2009 4.3.2.4.2
    ISO/IEC 27001:2013 A.6.1.1, A.7.2.2
    NIST SP 800-53 Rev. 4 AT-3, PM-13

Category: Data Security (PR.DS): Information and records (data) are managed consistent with the organization’s risk strategy to protect the confidentiality, integrity, and availability of information.

PR.DS-1: Data-at-rest is protected
    CCS CSC 17
    COBIT 5 APO01.06, BAI02.01, BAI06.01, DSS06.06
    ISA 62443-3-3:2013 SR 3.4, SR 4.1
    ISO/IEC 27001:2013 A.8.2.3
    NIST SP 800-53 Rev. 4 SC-28

PR.DS-2: Data-in-transit is protected
    CCS CSC 17
    COBIT 5 APO01.06, DSS06.06
    ISA 62443-3-3:2013 SR 3.1, SR 3.8, SR 4.1, SR 4.2
    ISO/IEC 27001:2013 A.8.2.3, A.13.1.1, A.13.2.1, A.13.2.3, A.14.1.2, A.14.1.3
    NIST SP 800-53 Rev. 4 SC-8

PR.DS-3: Assets are formally managed throughout removal, transfers, and disposition
    COBIT 5 BAI09.03
    ISA 62443-2-1:2009 4. 4.3.3.3.9, 4.3.4.4.1
    ISA 62443-3-3:2013 SR 4.2
    ISO/IEC 27001:2013 A.8.2.3, A.8.3.1, A.8.3.2, A.8.3.3, A.11.2.7
    NIST SP 800-53 Rev. 4 CM-8, MP-6, PE-16

PR.DS-4: Adequate capacity to ensure availability is maintained
    COBIT 5 APO13.01
    ISA 62443-3-3:2013 SR 7.1, SR 7.2
    ISO/IEC 27001:2013 A.12.3.1
    NIST SP 800-53 Rev. 4 AU-4, CP-2, SC-5

PR.DS-5: Protections against data leaks are implemented
    CCS CSC 17
    COBIT 5 APO01.06
    ISA 62443-3-3:2013 SR 5.2
    ISO/IEC 27001:2013 A.6.1.2, A.7.1.1, A.7.1.2, A.7.3.1, A.8.2.2, A.8.2.3, A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1, A.9.4.4, A.9.4.5, A.13.1.3, A.13.2.1, A.13.2.3, A.13.2.4, A.14.1.2, A.14.1.3
    NIST SP 800-53 Rev. 4 AC-4, AC-5, AC-6, PE-19, PS-3, PS-6, SC-7, SC-8, SC-13, SC-31, SI-4

PR.DS-6: Integrity checking mechanisms are used to verify software, firmware, and information integrity
    ISA 62443-3-3:2013 SR 3.1, SR 3.3, SR 3.4, SR 3.8
    ISO/IEC 27001:2013 A.12.2.1, A.12.5.1, A.14.1.2, A.14.1.3
    NIST SP 800-53 Rev. 4 SI-7

PR.DS-7: The development and testing environment(s) are separate from the production environment
    COBIT 5 BAI07.04
    ISO/IEC 27001:2013 A.12.1.4
    NIST SP 800-53 Rev. 4 CM-2

Category: Information Protection Processes and Procedures (PR.IP): Security policies (that address purpose, scope, roles, responsibilities, management commitment, and coordination among organizational entities), processes, and procedures are maintained and used to manage protection of information systems and assets.

PR.IP-1: A baseline configuration of information technology/industrial control systems is created and maintained
    CCS CSC 3, 10
    COBIT 5 BAI10.01, BAI10.02, BAI10.03, BAI10.05
    ISA 62443-2-1:2009 4.3.4.3.2, 4.3.4.3.3
    ISA 62443-3-3:2013 SR 7.6
    ISO/IEC 27001:2013 A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4
    NIST SP 800-53 Rev. 4 CM-2, CM-3, CM-4, CM-5, CM-6, CM-7, CM-9, SA-10

PR.IP-2: A System Development Life Cycle to manage systems is implemented
    COBIT 5 APO13.01
    ISA 62443-2-1:2009 4.3.4.3.3
    ISO/IEC 27001:2013 A.6.1.5, A.14.1.1, A.14.2.1, A.14.2.5
    NIST SP 800-53 Rev. 4 SA-3, SA-4, SA-8, SA-10, SA-11, SA-12, SA-15, SA-17, PL-8

PR.IP-3: Configuration change control processes are in place
    COBIT 5 BAI06.01, BAI01.06
    ISA 62443-2-1:2009 4.3.4.3.2, 4.3.4.3.3
    ISA 62443-3-3:2013 SR 7.6
    ISO/IEC 27001:2013 A.12.1.2, A.12.5.1, A.12.6.2, A.14.2.2, A.14.2.3, A.14.2.4
    NIST SP 800-53 Rev. 4 CM-3, CM-4, SA-10

PR.IP-4: Backups of information are conducted, maintained, and tested periodically
    COBIT 5 APO13.01
    ISA 62443-2-1:2009 4.3.4.3.9
    ISA 62443-3-3:2013 SR 7.3, SR 7.4
    ISO/IEC 27001:2013 A.12.3.1, A.17.1.2, A.17.1.3, A.18.1.3
    NIST SP 800-53 Rev. 4 CP-4, CP-6, CP-9

PR.IP-5: Policy and regulations regarding the physical operating environment for organizational assets are met
    COBIT 5 DSS01.04, DSS05.05
    ISA 62443-2-1:2009 4.3.3.3.1, 4.3.3.3.2, 4.3.3.3.3, 4.3.3.3.5, 4.3.3.3.6
    ISO/IEC 27001:2013 A.11.1.4, A.11.2.1, A.11.2.2, A.11.2.3
    NIST SP 800-53 Rev. 4 PE-10, PE-12, PE-13, PE-14, PE-15, PE-18

PR.IP-6: Data is destroyed according to policy
    COBIT 5 BAI09.03
    ISA 62443-2-1:2009 4.3.4.4.4
    ISA 62443-3-3:2013 SR 4.2
    ISO/IEC 27001:2013 A.8.2.3, A.8.3.1, A.8.3.2, A.11.2.7
    NIST SP 800-53 Rev. 4 MP-6

PR.IP-7: Protection processes are continuously improved
    COBIT 5 APO11.06, DSS04.05
    ISA 62443-2-1:2009 4.4.3.1, 4.4.3.2, 4.4.3.3, 4.4.3.4, 4.4.3.5, 4.4.3.6, 4.4.3.7, 4.4.3.8
    NIST SP 800-53 Rev. 4 CA-2, CA-7, CP-2, IR-8, PL-2, PM-6

PR.IP-8: Effectiveness of protection technologies is shared with appropriate parties
    ISO/IEC 27001:2013 A.16.1.6
    NIST SP 800-53 Rev. 4 AC-21, CA-7, SI-4

PR.IP-9: Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed
    COBIT 5 DSS04.03
    ISA 62443-2-1:2009 4.3.2.5.3, 4.3.4.5.1
    ISO/IEC 27001:2013 A.16.1.1, A.17.1.1, A.17.1.2
    NIST SP 800-53 Rev. 4 CP-2, IR-8

PR.IP-10: Response and recovery plans are tested
    ISA 62443-2-1:2009 4.3.2.5.7, 4.3.4.5.11
    ISA 62443-3-3:2013 SR 3.3
    ISO/IEC 27001:2013 A.17.1.3
    NIST SP 800-53 Rev. 4 CP-4, IR-3, PM-14

PR.IP-11: Cybersecurity is included in human resources practices (e.g., deprovisioning, personnel screening)
    COBIT 5 APO07.01, APO07.02, APO07.03, APO07.04, APO07.05
    ISA 62443-2-1:2009 4.3.3.2.1, 4.3.3.2.2, 4.3.3.2.3
    ISO/IEC 27001:2013 A.7.1.1, A.7.3.1, A.8.1.4
    NIST SP 800-53 Rev. 4 PS Family

PR.IP-12: A vulnerability management plan is developed and implemented
    ISO/IEC 27001:2013 A.12.6.1, A.18.2.2
    NIST SP 800-53 Rev. 4 RA-3, RA-5, SI-2

Category: Maintenance (PR.MA): Maintenance and repairs of industrial control and information system components is performed consistent with policies and procedures.

PR.MA-1: Maintenance and repair of organizational assets is performed and logged in a timely manner, with approved and controlled tools
    COBIT 5 BAI09.03
    ISA 62443-2-1:2009 4.3.3.3.7
    ISO/IEC 27001:2013 A.11.1.2, A.11.2.4, A.11.2.5
    NIST SP 800-53 Rev. 4 MA-2, MA-3, MA-5

PR.MA-2: Remote maintenance of organizational assets is approved, logged, and performed in a manner that prevents unauthorized access
    COBIT 5 DSS05.04
    ISA 62443-2-1:2009 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.4.4.6.8
    ISO/IEC 27001:2013 A.11.2.4, A.15.1.1, A.15.2.1
    NIST SP 800-53 Rev. 4 MA-4

Category: Protective Technology (PR.PT): Technical security solutions are managed to ensure the security and resilience of systems and assets, consistent with related policies, procedures, and agreements.

PR.PT-1: Audit/log records are determined, documented, implemented, and reviewed in accordance with policy
    CCS CSC 14
    COBIT 5 APO11.04
    ISA 62443-2-1:2009 4.3.3.3.9, 4.3.3.5.8, 4.3.4.4.7, 4.4.2.1, 4.4.2.2, 4.4.2.4
    ISA 62443-3-3:2013 SR 2.8, SR 2.9, SR 2.10, SR 2.11, SR 2.12
    ISO/IEC 27001:2013 A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4, A.12.7.1
    NIST SP 800-53 Rev. 4 AU Family

PR.PT-2: Removable media is protected and its use restricted according to policy
    COBIT 5 DSS05.02, APO13.01
    ISA 62443-3-3:2013 SR 2.3
    ISO/IEC 27001:2013 A.8.2.2, A.8.2.3, A.8.3.1, A.8.3.3, A.11.2.9
    NIST SP 800-53 Rev. 4 MP-2, MP-4, MP-5, MP-7

PR.PT-3: Access to systems and assets is controlled, incorporating the principle of least functionality
    COBIT 5 DSS05.02
    ISA 62443-2-1:2009 4.3.3.5.1, 4.3.3.5.2, 4.3.3.5.3, 4.3.3.5.4, 4.3.3.5.5, 4.3.3.5.6, 4.3.3.5.7, 4.3.3.5.8, 4.3.3.6.1, 4.3.3.6.2, 4.3.3.6.3, 4.3.3.6.4, 4.3.3.6.5, 4.3.3.6.6, 4.3.3.6.7, 4.3.3.6.8, 4.3.3.6.9, 4.3.3.7.1, 4.3.3.7.2, 4.3.3.7.3, 4.3.3.7.4
    ISA 62443-3-3:2013 SR 1.1, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.6, SR 1.7, SR 1.8, SR 1.9, SR 1.10, SR 1.11, SR 1.12, SR 1.13, SR 2.1, SR 2.2, SR 2.3, SR 2.4, SR 2.5, SR 2.6, SR 2.7
    ISO/IEC 27001:2013 A.9.1.2
    NIST SP 800-53 Rev. 4 AC-3, CM-7

PR.PT-4: Communications and control networks are protected
    CCS CSC 7
    COBIT 5 DSS05.02, APO13.01
    ISA 62443-3-3:2013 SR 3.1, SR 3.5, SR 3.8, SR 4.1, SR 4.3, SR 5.1, SR 5.2, SR 5.3, SR 7.1, SR 7.6
    ISO/IEC 27001:2013 A.13.1.1, A.13.2.1
    NIST SP 800-53 Rev. 4 AC-4, AC-17, AC-18, CP-8, SC-7
Function: DETECT (DE)

Category: Anomalies and Events (DE.AE): Anomalous activity is detected in a timely manner and the potential impact of events is understood.

DE.AE-1: A baseline of network operations and expected data flows for users and systems is established and managed
    COBIT 5 DSS03.01
    ISA 62443-2-1:2009 4.4.3.3
    NIST SP 800-53 Rev. 4 AC-4, CA-3, CM-2, SI-4

DE.AE-2: Detected events are analyzed to understand attack targets and methods
    ISA 62443-2-1:2009 4.3.4.5.6, 4.3.4.5.7, 4.3.4.5.8
    ISA 62443-3-3:2013 SR 2.8, SR 2.9, SR 2.10, SR 2.11, SR 2.12, SR 3.9, SR 6.1, SR 6.2
    ISO/IEC 27001:2013 A.16.1.1, A.16.1.4
    NIST SP 800-53 Rev. 4 AU-6, CA-7, IR-4, SI-4

DE.AE-3: Event data are aggregated and correlated from multiple sources and sensors
    ISA 62443-3-3:2013 SR 6.1
    NIST SP 800-53 Rev. 4 AU-6, CA-7, IR-4, IR-5, IR-8, SI-4

DE.AE-4: Impact of events is determined
    COBIT 5 APO12.06
    NIST SP 800-53 Rev. 4 CP-2, IR-4, RA-3, SI-4

DE.AE-5: Incident alert thresholds are established
    COBIT 5 APO12.06
    ISA 62443-2-1:2009 4.2.3.10
    NIST SP 800-53 Rev. 4 IR-4, IR-5, IR-8

Category: Security Continuous Monitoring (DE.CM): The information system and assets are monitored at discrete intervals to identify cybersecurity events and verify the effectiveness of protective measures.

DE.CM-1: The network is monitored to detect potential cybersecurity events
    CCS CSC 14, 16
    COBIT 5 DSS05.07
    ISA 62443-3-3:2013 SR 6.2
    NIST SP 800-53 Rev. 4 AC-2, AU-12, CA-7, CM-3, SC-5, SC-7, SI-4

DE.CM-2: The physical environment is monitored to detect potential cybersecurity events
    ISA 62443-2-1:2009 4.3.3.3.8
    NIST SP 800-53 Rev. 4 CA-7, PE-3, PE-6, PE-20

DE.CM-3: Personnel activity is monitored to detect potential cybersecurity events
    ISA 62443-3-3:2013 SR 6.2
    ISO/IEC 27001:2013 A.12.4.1
    NIST SP 800-53 Rev. 4 AC-2, AU-12, AU-13, CA-7, CM-10, CM-11

DE.CM-4: Malicious code is detected
    CCS CSC 5
    COBIT 5 DSS05.01
    ISA 62443-2-1:2009 4.3.4.3.8
    ISA 62443-3-3:2013 SR 3.2
    ISO/IEC 27001:2013 A.12.2.1
    NIST SP 800-53 Rev. 4 SI-3

DE.CM-5: Unauthorized mobile code is detected
    ISA 62443-3-3:2013 SR 2.4
    ISO/IEC 27001:2013 A.12.5.1
    NIST SP 800-53 Rev. 4 SC-18, SI-4, SC-44

DE.CM-6: External service provider activity is monitored to detect potential cybersecurity events
    COBIT 5 APO07.06
    ISO/IEC 27001:2013 A.14.2.7, A.15.2.1
    NIST SP 800-53 Rev. 4 CA-7, PS-7, SA-4, SA-9, SI-4

DE.CM-7: Monitoring for unauthorized personnel, connections, devices, and software is performed
    NIST SP 800-53 Rev. 4 AU-12, CA-7, CM-3, CM-8, PE-3, PE-6, PE-20, SI-4

DE.CM-8: Vulnerability scans are performed
    COBIT 5 BAI03.10
    ISA 62443-2-1:2009 4.2.3.1, 4.2.3.7
    ISO/IEC 27001:2013 A.12.6.1
    NIST SP 800-53 Rev. 4 RA-5

Category: Detection Processes (DE.DP): Detection processes and procedures are maintained and tested to ensure timely and adequate awareness of anomalous events.

DE.DP-1: Roles and responsibilities for detection are well defined to ensure accountability
    CCS CSC 5
    COBIT 5 DSS05.01
    ISA 62443-2-1:2009 4.4.3.1
    ISO/IEC 27001:2013 A.6.1.1
    NIST SP 800-53 Rev. 4 CA-2, CA-7, PM-14

DE.DP-2: Detection activities comply with all applicable requirements
    ISA 62443-2-1:2009 4.4.3.2
    ISO/IEC 27001:2013 A.18.1.4
    NIST SP 800-53 Rev. 4 CA-2, CA-7, PM-14, SI-4

DE.DP-3: Detection processes are tested
    COBIT 5 APO13.02
    ISA 62443-2-1:2009 4.4.3.2
    ISA 62443-3-3:2013 SR 3.3
    ISO/IEC 27001:2013 A.14.2.8
    NIST SP 800-53 Rev. 4 CA-2, CA-7, PE-3, PM-14, SI-3, SI-4

DE.DP-4: Event detection information is communicated to appropriate parties
    COBIT 5 APO12.06
    ISA 62443-2-1:2009 4.3.4.5.9
    ISA 62443-3-3:2013 SR 6.1
    ISO/IEC 27001:2013 A.16.1.2
    NIST SP 800-53 Rev. 4 AU-6, CA-2, CA-7, RA-5, SI-4

DE.DP-5: Detection processes are continuously improved
    COBIT 5 APO11.06, DSS04.05
    ISA 62443-2-1:2009 4.4.3.4
    ISO/IEC 27001:2013 A.16.1.6
    NIST SP 800-53 Rev. 4 CA-2, CA-7, PL-2, RA-5, SI-4, PM-14
RESPOND (RS)
Response Planning (RS.RP): Response processes and
procedures are executed and
maintained, to ensure timely
response to detected cybersecurity
events.
RS.RP-1: Response plan is executed
during or after an event
COBIT 5 BAI01.10
CCS CSC 18
ISA 62443-2-1:2009 4.3.4.5.1
ISO/IEC 27001:2013 A.16.1.5
NIST SP 800-53 Rev. 4 CP-2, CP-10, IR-4, IR-
8
Communications (RS.CO):
Response activities are
coordinated with internal and
external stakeholders, as
appropriate, to include external
support from law enforcement
agencies.
RS.CO-1: Personnel know their roles and
order of operations when a response is
needed
ISA 62443-2-1:2009 4.3.4.5.2, 4.3.4.5.3,
4.3.4.5.4
ISO/IEC 27001:2013 A.6.1.1, A.16.1.1
NIST SP 800-53 Rev. 4 CP-2, CP-3, IR-3, IR-8
RS.CO-2: Events are reported consistent
with established criteria
ISA 62443-2-1:2009 4.3.4.5.5
ISO/IEC 27001:2013 A.6.1.3, A.16.1.2
NIST SP 800-53 Rev. 4 AU-6, IR-6, IR-8
RS.CO-3: Information is shared consistent
with response plans
ISA 62443-2-1:2009 4.3.4.5.2
ISO/IEC 27001:2013 A.16.1.2
NIST SP 800-53 Rev. 4 CA-2, CA-7, CP-2, IR-
4, IR-8, PE-6, RA-5, SI-4
RS.CO-4: Coordination with stakeholders
occurs consistent with response plans
ISA 62443-2-1:2009 4.3.4.5.5
NIST SP 800-53 Rev. 4 CP-2, IR-4, IR-8
RS.CO-5: Voluntary information sharing
occurs with external stakeholders to
achieve broader cybersecurity situational
awareness
NIST SP 800-53 Rev. 4 PM-15, SI-5
Analysis (RS.AN): Analysis is
conducted to ensure adequate
response and support recovery
activities.
RS.AN-1: Notifications from detection
systems are investigated
COBIT 5 DSS02.07
ISA 62443-2-1:2009 4.3.4.5.6, 4.3.4.5.7,
4.3.4.5.8
ISA 62443-3-3:2013 SR 6.1
ISO/IEC 27001:2013 A.12.4.1, A.12.4.3,
A.16.1.5
NIST SP 800-53 Rev. 4 AU-6, CA-7, IR-4, IR-
February 12, 2014 Cybersecurity Framework Version 1.0
34
Function Category Subcategory Informative References
5, PE-6, SI-4
RS.AN-2: The impact of the incident is
understood
ISA 62443-2-1:2009 4.3.4.5.6, 4.3.4.5.7,
4.3.4.5.8
ISO/IEC 27001:2013 A.16.1.6
NIST SP 800-53 Rev. 4 CP-2, IR-4
RS.AN-3: Forensics are performed
ISA 62443-3-3:2013 SR 2.8, SR 2.9, SR 2.10,
SR 2.11, SR 2.12, SR 3.9, SR 6.1
ISO/IEC 27001:2013 A.16.1.7
NIST SP 800-53 Rev. 4 AU-7, IR-4
RS.AN-4: Incidents are categorized
consistent with response plans
ISA 62443-2-1:2009 4.3.4.5.6
ISO/IEC 27001:2013 A.16.1.4
NIST SP 800-53 Rev. 4 CP-2, IR-4, IR-5, IR-8
Mitigation (RS.MI): Activities are performed to prevent expansion of an event, mitigate its effects, and eradicate the incident.
RS.MI-1: Incidents are contained
  ISA 62443-2-1:2009 4.3.4.5.6
  ISA 62443-3-3:2013 SR 5.1, SR 5.2, SR 5.4
  ISO/IEC 27001:2013 A.16.1.5
  NIST SP 800-53 Rev. 4 IR-4
RS.MI-2: Incidents are mitigated
  ISA 62443-2-1:2009 4.3.4.5.6, 4.3.4.5.10
  ISO/IEC 27001:2013 A.12.2.1, A.16.1.5
  NIST SP 800-53 Rev. 4 IR-4
RS.MI-3: Newly identified vulnerabilities are mitigated or documented as accepted risks
  ISO/IEC 27001:2013 A.12.6.1
  NIST SP 800-53 Rev. 4 CA-7, RA-3, RA-5
Improvements (RS.IM): Organizational response activities are improved by incorporating lessons learned from current and previous detection/response activities.
RS.IM-1: Response plans incorporate lessons learned
  COBIT 5 BAI01.13
  ISA 62443-2-1:2009 4.3.4.5.10, 4.4.3.4
  ISO/IEC 27001:2013 A.16.1.6
  NIST SP 800-53 Rev. 4 CP-2, IR-4, IR-8
RS.IM-2: Response strategies are updated
  NIST SP 800-53 Rev. 4 CP-2, IR-4, IR-8
RECOVER (RC)
Recovery Planning (RC.RP): Recovery processes and procedures are executed and maintained to ensure timely restoration of systems or assets affected by cybersecurity events.
RC.RP-1: Recovery plan is executed during or after an event
  CCS CSC 8
  COBIT 5 DSS02.05, DSS03.04
  ISO/IEC 27001:2013 A.16.1.5
  NIST SP 800-53 Rev. 4 CP-10, IR-4, IR-8
Improvements (RC.IM): Recovery planning and processes are improved by incorporating lessons learned into future activities.
RC.IM-1: Recovery plans incorporate lessons learned
  COBIT 5 BAI05.07
  ISA 62443-2-1:2009 4.4.3.4
  NIST SP 800-53 Rev. 4 CP-2, IR-4, IR-8
RC.IM-2: Recovery strategies are updated
  COBIT 5 BAI07.08
  NIST SP 800-53 Rev. 4 CP-2, IR-4, IR-8
Communications (RC.CO): Restoration activities are coordinated with internal and external parties, such as coordinating centers, Internet Service Providers, owners of attacking systems, victims, other CSIRTs, and vendors.
RC.CO-1: Public relations are managed
  COBIT 5 EDM03.02
RC.CO-2: Reputation after an event is repaired
  COBIT 5 MEA03.02
RC.CO-3: Recovery activities are communicated to internal stakeholders and executive and management teams
  NIST SP 800-53 Rev. 4 CP-2, IR-4
Information regarding Informative References described in Appendix A may be found at the following locations:
Control Objectives for Information and Related Technology (COBIT): http://www.isaca.org/COBIT/Pages/default.aspx
Council on CyberSecurity (CCS) Top 20 Critical Security Controls (CSC): http://www.counciloncybersecurity.org
ANSI/ISA-62443-2-1 (99.02.01)-2009, Security for Industrial Automation and Control Systems: Establishing an Industrial Automation and Control Systems Security Program: http://www.isa.org/Template.cfm?Section=Standards8&Template=/Ecommerce/ProductDisplay.cfm&ProductID=10243
ANSI/ISA-62443-3-3 (99.03.03)-2013, Security for Industrial Automation and Control Systems: System Security Requirements and Security Levels: http://www.isa.org/Template.cfm?Section=Standards2&template=/Ecommerce/ProductDisplay.cfm&ProductID=13420
ISO/IEC 27001, Information technology -- Security techniques -- Information security management systems -- Requirements: http://www.iso.org/iso/home/store/catalogue_ics/catalogue_detail_ics.htm?csnumber=54534
NIST SP 800-53 Rev. 4: NIST Special Publication 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations, April 2013 (including updates as of January 15, 2014). http://dx.doi.org/10.6028/NIST.SP.800-53r4
Mappings between the Framework Core Subcategories and the specified sections in the Informative References represent a general
correspondence and are not intended to definitively determine whether the specified sections in the Informative References provide
the desired Subcategory outcome.
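The Appendix A rows, as they come out of a PDF text dump, are awkward to reuse: reference lists wrap onto the next line and are sometimes cut mid-token ("IR-" on one line, "4, IR-8" on the next), category descriptions sit between rows, and a short row may carry its only reference on the same line as the Subcategory. The parser below is an added example written for this page, not code from the NIST publication; it rebuilds each Subcategory with its per-source reference lists from that text and then inverts the result into a control-to-Subcategory index, the usual first step toward a crosswalk against an existing 800-53 control set. The sample rows are copied from the table above (not contiguously); the function names, field names and regular expressions are this example's own assumptions.

```python
"""Parse NIST CSF v1.0 Appendix A rows out of a flattened PDF text dump.

Added example for this page, not code from the NIST publication. It assumes
the row shape seen in the table above: a "XX.YY-n: outcome" line, then one
informative-reference line per source, with long lists wrapped onto the
next line. Function and field names are this example's own.
"""
import re

# Constructed input: rows copied (not contiguously) from the Respond table
# above, including a list cut mid-token ("IR-" / "4, IR-8"), a category
# blurb between rows, and a Subcategory whose reference shares its line.
SAMPLE_ROWS = """\
RS.CO-3: Information is shared consistent
with response plans
ISA 62443-2-1:2009 4.3.4.5.2
ISO/IEC 27001:2013 A.16.1.2
NIST SP 800-53 Rev. 4 CA-2, CA-7, CP-2, IR-
4, IR-8, PE-6, RA-5, SI-4
Mitigation (RS.MI): Activities
are performed to prevent
expansion of an event, mitigate its
effects, and eradicate the incident.
RS.MI-3: Newly identified vulnerabilities
are mitigated or documented as accepted
risks
ISO/IEC 27001:2013 A.12.6.1
NIST SP 800-53 Rev. 4 CA-7, RA-3, RA-5
RS.IM-2: Response strategies are updated NIST SP 800-53 Rev. 4 CP-2, IR-4, IR-8
"""

CATEGORY_RE = re.compile(r"^[A-Za-z ,/]+\([A-Z]{2}\.[A-Z]{2}\):")
SUBCAT_RE = re.compile(r"^([A-Z]{2}\.[A-Z]{2}-\d+):\s*(.*)$")
# Source prefixes used in Appendix A; the reference list follows the prefix.
SOURCE_RE = re.compile(
    r"(CCS CSC|COBIT 5|ISA 62443-2-1:2009|ISA 62443-3-3:2013|"
    r"ISO/IEC 27001:2013|NIST SP 800-53 Rev\. 4)\s+(.*)$"
)


def _split_refs(text):
    """'CA-2, CA-7, IR-' -> ['CA-2', 'CA-7', 'IR-'] (empty pieces dropped)."""
    return [p.strip() for p in text.split(",") if p.strip()]


def _continues(ref_text, source):
    """(source, glue) if the list was cut by the layout, else None.

    glue is True when the last token itself was cut ("IR-") and must be
    joined to the first token on the next line.
    """
    tail = ref_text.rstrip()
    if tail.endswith("-"):
        return source, True
    if tail.endswith(","):
        return source, False
    return None


def parse_rows(text):
    """Return {subcategory_id: {"outcome": str, "refs": {source: [ref, ...]}}}."""
    rows, current, pending = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if CATEGORY_RE.match(line):       # category blurb: not part of any row
            current, pending = None, None
            continue
        m = SUBCAT_RE.match(line)
        if m:
            current, pending = m.group(1), None
            rows[current] = {"outcome": "", "refs": {}}
            line = m.group(2)             # rest may hold outcome and/or a reference
        if current is None or not line:
            continue
        row = rows[current]
        src = SOURCE_RE.search(line)
        if pending and not src:           # continuation of a wrapped list
            source, glue = pending
            parts = _split_refs(line)
            if glue and parts:
                row["refs"][source][-1] += parts.pop(0)   # "IR-" + "4" -> "IR-4"
            row["refs"][source].extend(parts)
            pending = _continues(line, source)
        elif src:
            head = line[: src.start()].strip()
            if head:                      # one-line row: outcome precedes reference
                row["outcome"] = f"{row['outcome']} {head}".strip()
            source, ref_text = src.group(1), src.group(2)
            row["refs"].setdefault(source, []).extend(_split_refs(ref_text))
            pending = _continues(ref_text, source)
        else:                             # wrapped outcome text
            row["outcome"] = f"{row['outcome']} {line}".strip()
            pending = None
    return rows


def controls_to_subcategories(rows, source="NIST SP 800-53 Rev. 4"):
    """Invert the table: {control: sorted subcategory ids that cite it}."""
    index = {}
    for sub_id, row in rows.items():
        for ref in row["refs"].get(source, []):
            index.setdefault(ref, []).append(sub_id)
    return {ref: sorted(ids) for ref, ids in index.items()}
```

Feeding the full Appendix A text through parse_rows gives one record per Subcategory; the inverted index then answers the question an assessor actually asks (which Framework outcomes does my existing IR-4 implementation speak to?), with the caveat the paragraph above states: a cited control is evidence toward the outcome, not proof of it.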
Appendix B: Glossary
This appendix defines selected terms used in the publication.
Category: The subdivision of a Function into groups of cybersecurity outcomes, closely tied to programmatic needs and particular activities. Examples of Categories include “Asset Management,” “Access Control,” and “Detection Processes.”
Critical Infrastructure: Systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on cybersecurity, national economic security, national public health or safety, or any combination of those matters.
Cybersecurity: The process of protecting information by preventing, detecting, and responding to attacks.
Cybersecurity Event: A cybersecurity change that may have an impact on organizational operations (including mission, capabilities, or reputation).
Detect (function): Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.
Framework: A risk-based approach to reducing cybersecurity risk composed of three parts: the Framework Core, the Framework Profile, and the Framework Implementation Tiers. Also known as the “Cybersecurity Framework.”
Framework Core: A set of cybersecurity activities and references that are common across critical infrastructure sectors and are organized around particular outcomes. The Framework Core comprises four types of elements: Functions, Categories, Subcategories, and Informative References.
Framework Implementation Tier: A lens through which to view the characteristics of an organization’s approach to risk: how an organization views cybersecurity risk and the processes in place to manage that risk.
Framework Profile: A representation of the outcomes that a particular system or organization has selected from the Framework Categories and Subcategories.
Function: One of the main components of the Framework. Functions provide the highest level of structure for organizing basic cybersecurity activities into Categories and Subcategories. The five functions are Identify, Protect, Detect, Respond, and Recover.
Identify (function): Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.
Informative Reference: A specific section of standards, guidelines, and practices common among critical infrastructure sectors that illustrates a method to achieve the outcomes associated with each Subcategory. An example of an Informative Reference is ISO/IEC 27001 Control A.10.8.3, which supports the “Data-in-transit is protected” Subcategory of the “Data Security” Category in the “Protect” function.
Mobile Code: A program (e.g., script, macro, or other portable instruction) that can be shipped unchanged to a heterogeneous collection of platforms and executed with identical semantics.
Protect (function): Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services.
Privileged User: A user that is authorized (and, therefore, trusted) to perform security-relevant functions that ordinary users are not authorized to perform.
Recover (function): Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event.
Respond (function): Develop and implement the appropriate activities to take action regarding a detected cybersecurity event.
Risk: A measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function of: (i) the adverse impacts that would arise if the circumstance or event occurs; and (ii) the likelihood of occurrence.
Risk Management: The process of identifying, assessing, and responding to risk.
Subcategory: The subdivision of a Category into specific outcomes of technical and/or management activities. Examples of Subcategories include “External information systems are catalogued,” “Data-at-rest is protected,” and “Notifications from detection systems are investigated.”
Appendix C: Acronyms
This appendix defines selected acronyms used in the publication.
CCS Council on CyberSecurity
COBIT Control Objectives for Information and Related Technology
DCS Distributed Control System
DHS Department of Homeland Security
EO Executive Order
ICS Industrial Control Systems
IEC International Electrotechnical Commission
IR Interagency Report
ISA International Society of Automation
ISAC Information Sharing and Analysis Center
ISO International Organization for Standardization
IT Information Technology
NIST National Institute of Standards and Technology
RFI Request for Information
RMP Risk Management Process
SCADA Supervisory Control and Data Acquisition
SP Special Publication