The Chicago School of Cybersecurity: A Pragmatic Look at the NIST Cybersecurity Framework

Dwight Koop, COO of Cohesive Networks
July 2015
Copyright Cohesive Networks

White Paper

A Pragmatic Look At Cybersecurity Risk And Regulation For All Organizations

Executive Summary

In the last two years, there have been increasingly public data breaches and cybersecurity costs. But, the recent news has also brought positive attention to the developments in the National Institute of Standards and Technology (NIST) Cybersecurity Framework.

The NIST Framework is an important advancement in improving cybersecurity for all organizations. The Framework is a unifying single document that combines the best practices of preceding standards. The document itself consists of three main sections: Profile, Implementation Tiers, and Core. It is designed as a reference guide for organizations to conduct iterative cybersecurity evaluations and prioritize the areas that matter most according to their risk profile.

The Framework is intended to be a living document to guide how critical infrastructure organizations manage current cybersecurity risks. Mandates from the White House and Congress ensure the NIST Framework authors adopt a risk management approach to cybersecurity and consider private sector implications.

Organizations of all sizes and industries can use the Framework to asses current cybersecurity capabilities, then use it to set goals to improve and maintain security. Because it is an ongoing work of collective industry knowledge, the Framework has huge potential value for any organization looking to improve cybersecurity.

There is a definite shift in industries as companies seek actionable cybersecurity plans that can help prevent costly data breaches rather than simply documenting compliance checklists. As part of Cohesive’s work with customers looking for guidance and practical advice, we developed this guide to put the NIST Framework to work for any organization’s cybersecurity needs.

NIST Cybersecurity for All
Copyright Cohesive Networks, July 2015

Image caption: The NIST Cybersecurity Framework Core section, which groups the actions an organization can take to achieve business outcomes and categorizes other standards and guidelines to reference.

A Pragmatic Look at Cybersecurity Risk and Regulation for all organizations

Executive Summary 2

Cybersecurity Needs a Hero 4

Cybersecurity is the Solution, Not a Problem 4

Chicago School of Thought 5

Before the NIST Framework - the Fog of More 6

Protecting Data or Protecting the Process? 6

The NIST Timeline - Not Just Another Standard 6

Shift from Audit-Heavy Compliance to Risk-Based Security 7

An In-Depth Look at the Framework 8

How the NIST Cybersecurity Framework works 8

The Assessment Mechanism: NIST Framework Components 9

7 Steps to Implement the NIST Cybersecurity Framework 11

Putting the Framework Parts Together 11

Applying the Cybersecurity Framework 12

Step 1: Prioritize and define the scope of your framework 12

Step 2: Orient stakeholders around existing assets and practices 12

Step 3: Build your current profile 12

Step 4: Assign risk assessment tasks to IT teams 12

Step 5: Collect target profile highlights 12

Step 6: Determine, analyze, and prioritize gaps 13

Step 7: Implement action plan 13

Case Study: LocusView Standardizes Security Reporting 14

Put the NIST Framework to work 17

Bibliography 18


Cybersecurity Needs a Hero

Cybersecurity is the Solution, Not a Problem

The National Association of Corporate Directors (NACD) reports that a majority of board members are unhappy with how management teams report corporate cybersecurity risks [1]. Undoubtedly, a driving force behind the board-level pressure is the frequency and intensity of negative cybersecurity news. The recent U.S. Cost of Data Breach Study from the Ponemon Institute reports that the average total cost of a data breach rose to $3.8 million in 2015 [2].

Additionally, the cost of each individual lost or stolen record also increased, from $145 in 2014 to $154 in 2015, as reported in the Ponemon Cost of Data Breach Study [2]. Organizations are spending more on legal defense to fight both data breaches and the data liabilities that follow customer or employee data loss, notes the Ponemon Institute. Corporate boards and IT teams are finally taking notice of the severe impact of a weak cybersecurity strategy.

The past two years also brought positive cybersecurity news for organizations looking for a cure for the common data breach: the National Institute of Standards and Technology (NIST) Cybersecurity Framework [3]. The world is watching the 2013 U.S. government mandate to see how organizations evaluate and adopt security standards to outmatch modern cybercrime.

Cybersecurity compliance is a shifting target, and organizations of all sizes struggle to stay one step ahead. The new NIST Cybersecurity Framework is a glimmer of hope in an otherwise overwhelming sea of policies, audit checklists, and narrow compliance standards. The NIST Framework offers a useful, unified reference to cybersecurity best practices, and after a thorough study, Cohesive Networks has outlined actionable advice to unravel the NIST Framework and use it to improve cybersecurity in any organization.


Chicago School of Thought

The NIST Cybersecurity Framework combines the best of existing rules, assessments, regulations, and guidelines into a unifying cybersecurity reference guide. While it was created for critical infrastructure (banking, transportation, oil and gas, defense, public health, and so on), the standard is applicable to most organizations. The NIST Framework is easy to apply once organizations begin to unravel its core components. The Framework is a single process for enterprises to begin and then update, using a risk-management approach to defense in depth.

In the last two years, we have seen a shift in companies’ needs. Whereas before they looked to implement documentation in order to pass compliance audits, now IT teams seek actionable cybersecurity plans that can prevent costly data breaches. As our customers search for guidance with security and ask for practical advice, we developed this white paper so any organization can use the NIST Framework for its cybersecurity needs.

As a Chicago-based company, we take pride in drawing analogies to the Chicago School of architecture. In Chicago School architecture there are no rigid design rules, only a general application of design style. Chicago School architects were among the first to use new technologies like steel-frame construction, to use less exterior ornamentation, and to design the “Chicago window” to let in more light and ventilation [4].

In keeping with the Chicago School of thought, our overview of the NIST Framework embraces new technologies without the frills, with the purpose of shedding light on how the Framework can help all organizations. We encourage IT teams to use these steps and become the heroes organizations need to fight growing cybersecurity threats and costs.

Image caption: The Rookery Building, designed by Chicago School architects John Wellborn Root and Daniel Burnham (Burnham and Root), mixes traditional architecture styles with newer construction techniques. The building is considered the oldest standing high-rise in Chicago, and the lobby was remodeled in 1905 by Frank Lloyd Wright.

Before the NIST Framework - the Fog of More

Protecting Data or Protecting the Process?

The compliance standards that came before the NIST Framework should read like a familiar alphabet soup for those working in security for regulated industries: CERT, COBIT, CSA, CSET, ISO, NIST 800, PCI, and so on. One of the most memorable comments from the documentation is the description of pre-NIST standards as “the fog of more.”

The standards preceding the NIST Cybersecurity Framework offer competing priorities, opinions, and processes. Certification boards have “pay-to-play” certifications, proprietary software tools, approved vendor benchmarks, and all the trappings of stodgy cybersecurity officiousness.

Thousands of documented standards cover security and technology topics ranging from accounting to family privacy rights, and from personal health records to data storage requirements. Reading through the Health Insurance Portability and Accountability Act (HIPAA), one could easily replace any mention of “electronic health record” with “credit card information” and mistake the documentation for the Payment Card Industry Data Security Standard (PCI DSS).

All these standards and protections essentially attempt to do the same things: protect sensitive data and ensure that compliant organizations are not liable in the case of a data breach. Yet Target’s $162 million data breach in late 2013 shows that PCI compliance was not enough [5, 6].

The NIST Timeline - Not Just Another Standard

In 2013, Presidential Executive Order (EO) 13636 began the process of creating the NIST Cybersecurity Framework [7]. The order signed by President Obama called for improved cybersecurity for critical infrastructure in the U.S. In this case, critical infrastructure includes systems and assets that impact national security, the economy, public health, or safety.

The Executive Order directs the Department of Homeland Security (DHS) to “increase the volume, timeliness, and quality” of cybersecurity threat reporting to critical infrastructure [7].


Two main mandates of the Order are for the DHS and NIST to actively involve private sector subject-matter experts and enterprises in the Framework development. The Order tasks the DHS with improving communication and participation in Framework adoption while NIST must develop and refine the Framework.

In late 2014, the Cybersecurity Enhancement Act of 2014 (Public Law 113-274) became law [8]. The Act directs NIST to continue awareness and education programs, while other U.S. government agencies must submit ongoing strategic plans to report cybersecurity tracking.

Perhaps fittingly, politics dictate that the standards remain voluntary but offer yet-to-be-determined incentives. So far, the DHS has created the Critical Infrastructure Cyber Community (C³) to encourage adoption [9].

Shift from Audit-Heavy Compliance to Risk-Based Security

Security standards that precede the NIST Framework focus more on audits, compliance objectives, policies and procedures, and transactions. The traditional approaches were tedious and costly, and worse, massive data breaches including Target, Sony, and Anthem occurred despite PCI DSS and HIPAA compliance [10].

The NIST Framework ratifies a shift from traditional audit-based standards toward more risk-based prevention. Risk-based cybersecurity approaches focus on the business and customer needs both to operate and to ensure data is secure in any environment. Further, there is a key difference in the NIST Framework approach: risk management departments incorporate diverse knowledge and experiences rather than compliance tracking.

The NIST Framework acknowledges the shift toward risk-based security, and the fact that government bodies brought in private sector experts is a huge advance for all organizations looking for cybersecurity leadership. Additionally, because of the Congressional mandates, risk-based security is more likely to be adopted by hundreds of U.S. governmental agencies and regulatory authorities over existing standards and rules.

An In-Depth Look at the Framework

How the NIST Cybersecurity Framework works

The National Institute of Standards and Technology (NIST) drafted the Framework after ten months of collaboration with other standards organizations, the DHS, and private sector subject matter experts [12]. The Cybersecurity Framework does not introduce any new requirements; it is a collection of highlights from other standards.

The Framework covers a wide range of industries and potential risks, but it is designed for massive critical infrastructure firms like nuclear facilities, national banks, and defense manufacturers. The Framework is also intended to be an evolving, living document that will incorporate cybersecurity threats, processes, new technologies and industry feedback. Because it is a collection of iterative knowledge, the Framework has huge potential value for any organization looking to establish cybersecurity standards.

The 16 sectors of U.S. Critical Infrastructure:

• Chemicals
• Commercial Facilities
• Communications
• Critical Manufacturing
• Dams
• Defense Industrial Base
• Emergency Services
• Energy
• Financial Services
• Food & Agriculture
• Government Facilities
• Healthcare & Public Health
• Information Technology
• Nuclear Reactors, Materials & Waste
• Transportation Systems
• Water & Wastewater Systems

The Assessment Mechanism: NIST Framework Components

The goal of the Framework is to be an adaptive, risk-based guide for organizations; it helps assess and improve cybersecurity practices. Organizations should use the Framework to assess current cybersecurity capabilities, and then set goals and target profiles to improve and maintain security practices. To more easily map target areas for risk management, the Framework consists of three main sections: Profile, Implementation Tiers, and Core.

The NIST Framework’s Profile section is the measure of how an organization’s existing security practices compare to recommended practices categorized in the Framework Core. The Profile section focuses on business outcomes for potential cybersecurity scenarios. Comparing “current” profiles to a “target” profiles can help organizations select Core functions to prioritize.

Likewise, the Implementation Tiers give context to how an organization deals with cybersecurity risk. Tiers describe a range of an organization’s progress in each risk management practice, from Tier 1 “Partial” up to Tier 4 “Adaptive.” Tiers do not reflect cybersecurity maturity levels. Organizations can assess current security practices and use the tier system to prioritize improvements.


In the Framework Core, NIST categorizes activities, outcomes, and references into five functions: identify, protect, detect, respond, and recover. The Core is neatly organized into a spreadsheet. Framework implementation teams can focus on the high-level functions, or delve deeper into subcategories to target outcomes. Within each function, category, and subcategory, NIST lists references to sections of other security standards.

In the Framework Core close-up below, the first row shows the Function, Category, and Subcategory assigned by NIST. The columns to the right list the referenced sections from CCS CSC, COBIT 5, ISA, and so on.


7 Steps to Implement the NIST Cybersecurity Framework

Putting the Framework Parts Together

The NIST Framework is an important advancement for cybersecurity: it is not a checklist but rather a reference designed for organizations to select the components that matter for their use case. The Framework is a blueprint to assess, document, and lead teams through cybersecurity evaluations over and over again. NIST expects organizations to use the Framework to circulate cybersecurity information between the executive level, business or project teams, and operations teams, and as a way to refine the process at each step.

Organizations should begin by comparing existing cybersecurity practices to the NIST Framework. By overlaying the NIST Framework, teams should be able to quickly identify any gaps in identifying, assessing, or managing risks in their systems.

Then, teams can use the Framework as a roadmap to improve and prioritize risk management practices. NIST assumes the process will repeat at regular intervals, and both the Framework and an organization’s evaluations should evolve to meet new cybersecurity threats.

The "Conformity Assessment,” or the process of comparing the Framework to organizational cybersecurity practices, is the measure of how useful the Framework can be for an organization. Once implemented, the process of re-assessing cybersecurity risk should become more streamlined. Organizations can continue to improve their own conformity assessments through internal feedback loops, data analytics, and outside assessments.


Applying the Cybersecurity Framework

Organizations can begin to implement the NIST Framework by working through the following seven steps:

Step 1: Prioritize and define the scope of your framework

The first step is both the easiest and the most daunting: read through the NIST Framework documentation. Use Profile, Implementation Tiers, and Core to determine how each function might fit with your most pressing cybersecurity needs. For example, if a company must protect financial data, it has a much higher risk profile and should focus on the “protect” and “detect” functions.

Step 2: Orient stakeholders around existing assets and practices

Get executive buy-in and gather information. IT teams should implicitly know key information about physical and virtual assets, people, networks, and supply and distribution chains. Coordinate cybersecurity practices with the responsible players within the organization. For cybersecurity challenges that go deeper, orient firm-wide key stakeholders to the risks, the Framework, and the ongoing process to avoid getting caught in that “fog of more.”

Step 3: Build your current profile

Every organization should have some security defenses, standards, and procedures in place. Comparing the NIST Framework’s Profile, Implementation Tiers, and Core categories against existing practices creates a realistic baseline of the current cybersecurity profile. For many organizations, comparing the Framework to existing assessments may be the first comprehensive assessment.

Step 4: Assign risk assessment tasks to IT teams

To start from scratch, download one of the various self-assessment tools, such as those from ICS-CERT [13]. We highly recommend delegating the self-assessment tools to application owners across the IT organization. Not only will this ease the workload, but the NIST implementation team can use it as a key tactic for raising awareness in the organization. Moreover, distributing risk assessment tasks among IT teams is part of the shift from audit compliance thinking toward actionable risk management.

Step 5: Collect target profile highlights

Delegating risk assessment tasks and orienting the organization will take longer than hiring auditors. But the shared cybersecurity accountabilities and responsibilities give application owners much more ownership of the outcomes. As a result, the implementation team will receive many target profiles, budgets, and head-count requests from each team, but the documentation is more thorough.

Step 6: Determine, analyze, and prioritize gaps

Compare the target profile to the initial current profile from Step 3. Rationalize the findings and use the organization’s existing processes to map top priorities in each business unit. Naturally, business priorities and budgets guide which systems and applications are most important.

Step 7: Implement action plan

Executive management should guide how the organization addresses the security holes, sets priorities, and establishes the budget. Key stakeholders across the organization should also take responsibility for both reducing risks and preventing future risks. No organization can address every cybersecurity need immediately, so the organization must communicate the ongoing and iterative nature of the NIST Framework.

The seven steps are similar to many of the other standards’ implementation guides. We believe the NIST Framework will become the international cybersecurity standard for both private sector and U.S. government agencies because of the nature of the Framework.

NIST and the DHS have created an empowering single document to highlight the best of preceding standards, rather than attempt to replace them with a checklist. The legislative mandates for input, updates, and participation will encourage more organizations to adopt the Framework. Most of all, the NIST Framework embodies the industry shift from audit-based compliance toward risk-based prevention. The NIST Framework is the biggest step toward reducing the risks of attack from hackers, insider threats, and egregious scrutiny.


Case Study: LocusView Standardizes Security Reporting

LocusView Solutions, a Chicago-based subsidiary of the Gas Technology Institute (GTI), recently sought our expertise in the NIST Cybersecurity Framework and compliance. LocusView was facing an increasing stream of requests for documentation, certifications, and penetration test results from its customers in the natural gas and energy sectors. The IT team wanted to answer each request for security information with a consistent package of responses.

Cohesive's primary role was to provide VNS3 firewall virtual machines to manage and secure LocusView’s network. By leveraging Cohesive's experience with the cross-mapping frameworks, LocusView was able to use the NIST Framework as a unifying process. Their internal teams used NIST as a guide to update their risk-management approach to defense in depth and a roadmap for repeatable reports to customers.

Step one

The first step in the process was to identify a short list of security standards with specific recommendations for reaching an adaptive implementation level (or maturity level). For LocusView, we needed to find the most useful tools for identifying the desired cybersecurity profile.

In order to find any gaps in the company's current profile, we recommended using the following guidelines:

• The Department of Energy Cybersecurity Capability Maturity Model (C2M2)
• The Department of Homeland Security US-Computer Emergency Readiness Team, Cyber Resilience Review (US CERT-CRR)
• The Payment Card Industry Security Standards Council Self-Assessment Questionnaire and Attestation of Compliance

These three guidelines provide cybersecurity questionnaires and self-evaluation tools that streamline the first three steps of the NIST implementation process. Taken together, these three are an exhaustive compilation of the requirements that are identified across the much larger universe of cybersecurity frameworks and standards for each of the NIST function subcategories.

In preparation for the second step, we reorganized each of the specific questions in the DOE C2M2 Self-Assessment, CERT Self-Service CRR, and PCI Self-Assessment into the Functional Categories and Subcategories found in the NIST Framework.


Step two

We worked with each of LocusView’s application owners (including representation from both the IT organization and business units) to address each set of questions. By staying focused on answering each specific and prescriptive question, the process moved quickly with considerably less discussion. For each question, the current and target responses were tabulated into five categories of Cyber Security Program Requirements:

1. Policy, Procedures, & Organizational Documents
2. Registries (Database Tables of Current and Historical Cyber Security Records)
3. Logs (Database Tables of Cybersecurity Events, Changes, Etc.)
4. Incident Case History Reports and Analytics
5. Gap Analysis, Budget, and Improvement Plan Documents

Any gaps?

By consolidating current and target profiles into the same discussion at the detail level, any gaps become clear to the LocusView team. We were able to document and discuss action plans as issues arose, simplifying and shortening the process.
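The current-versus-target tabulation described in the seven steps (Steps 3, 5 and 6) and in this case study, carried out in code as an added example that is not part of the white paper and not Cohesive Networks’ or LocusView’s own tooling. It assumes each self-assessment question (C2M2, CRR, PCI SAQ) has been answered with a current and a target Implementation Tier and mapped by hand onto a Core subcategory ID; the question texts and the question-to-subcategory mapping are constructed samples, and the function weights stand in for the Step 1 scoping decision.

```python
"""Current-vs-target profile gap analysis over NIST Cybersecurity Framework Core subcategories.

Added example; not code from the white paper, Cohesive Networks, or LocusView. Assumes the
questions from the three self-assessment tools named in the case study (DOE C2M2, US-CERT CRR,
PCI DSS SAQ) have each been answered with a current and a target Implementation Tier
(1 = Partial .. 4 = Adaptive) and mapped by hand onto Core subcategory IDs. The question
texts and the question-to-subcategory mapping below are constructed samples, not NIST's
informative references.
"""
from dataclasses import dataclass

TIERS = {1: "Partial", 2: "Risk Informed", 3: "Repeatable", 4: "Adaptive"}
FUNCTIONS = {"ID": "Identify", "PR": "Protect", "DE": "Detect", "RS": "Respond", "RC": "Recover"}


@dataclass(frozen=True)
class Answer:
    source: str       # self-assessment tool the question came from
    question: str     # paraphrased question text (constructed)
    subcategory: str  # Core subcategory ID the question was mapped to, e.g. "PR.AC-5"
    current: int      # tier the application owner reports today
    target: int       # tier the team committed to in its target profile


# Constructed sample answers for one application team (Step 3 current profile,
# Step 5 target profile), as tabulated in the case study.
ANSWERS = [
    Answer("C2M2", "Are all network devices inventoried?", "ID.AM-1", 2, 3),
    Answer("C2M2", "Is installed software inventoried?", "ID.AM-2", 1, 3),
    Answer("PCI SAQ", "Are credentials issued, revoked and reviewed?", "PR.AC-1", 3, 3),
    Answer("PCI SAQ", "Is the network segmented by firewall rules?", "PR.AC-5", 1, 4),
    Answer("CRR", "Is network traffic monitored for events?", "DE.CM-1", 2, 4),
    Answer("CRR", "Are events correlated across sources?", "DE.AE-3", 1, 3),
    Answer("CRR", "Is the incident response plan exercised?", "RS.RP-1", 2, 3),
    Answer("C2M2", "Is the recovery plan executed after incidents?", "RC.RP-1", 2, 2),
]


def validate(answers):
    """Reject answers that cannot be tabulated: unknown tiers, unknown function prefix,
    or a target below the current tier (a data-entry error, not a real gap)."""
    for a in answers:
        if a.current not in TIERS or a.target not in TIERS:
            raise ValueError(f"{a.subcategory}: tiers must be 1-4")
        if a.subcategory[:2] not in FUNCTIONS:
            raise ValueError(f"{a.subcategory}: unknown Core function prefix")
        if a.target < a.current:
            raise ValueError(f"{a.subcategory}: target tier below current tier")


def build_profiles(answers):
    """Collapse per-question answers into one current and one target tier per subcategory.
    When several questions map to the same subcategory the weakest current answer wins
    (one unmet control holds the tier down) and the most ambitious target wins."""
    current, target = {}, {}
    for a in answers:
        current[a.subcategory] = min(a.current, current.get(a.subcategory, 4))
        target[a.subcategory] = max(a.target, target.get(a.subcategory, 1))
    return current, target


def gap_analysis(answers, weights=None):
    """Step 6: compare the target profile to the current profile and rank the gaps.
    weights maps a function prefix to a multiplier chosen in Step 1 scoping, e.g.
    {"PR": 2, "DE": 2} for a team that must protect financial data."""
    validate(answers)
    weights = weights or {}
    current, target = build_profiles(answers)
    gaps = []
    for sub in current:
        gap = target[sub] - current[sub]
        if gap > 0:
            gaps.append({"subcategory": sub, "function": FUNCTIONS[sub[:2]],
                         "current": current[sub], "target": target[sub],
                         "gap": gap, "score": gap * weights.get(sub[:2], 1)})
    # Highest score first; ties broken by ID so the report order is stable.
    gaps.sort(key=lambda g: (-g["score"], g["subcategory"]))
    return gaps


def function_rollup(answers):
    """Per-function summary for the executive report: lowest current tier and open gaps."""
    current, target = build_profiles(answers)
    summary = {}
    for sub in current:
        entry = summary.setdefault(FUNCTIONS[sub[:2]], {"lowest_current": 4, "open_gaps": 0})
        entry["lowest_current"] = min(entry["lowest_current"], current[sub])
        if target[sub] > current[sub]:
            entry["open_gaps"] += 1
    return summary


if __name__ == "__main__":
    for g in gap_analysis(ANSWERS, {"PR": 2, "DE": 2}):
        print(f'{g["subcategory"]:8} {g["function"]:8} tier {g["current"]} -> {g["target"]}'
              f' (gap {g["gap"]}, score {g["score"]})')
    for func, s in function_rollup(ANSWERS).items():
        print(f'{func}: lowest current tier {TIERS[s["lowest_current"]]}, {s["open_gaps"]} open gaps')
```

With the sample answers the weighted ranking puts network segmentation (PR.AC-5, tier 1 to 4) first, which is the same narrowing of firewall rules per application that the case study's step three arrives at.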

In this particular case, application owners shared a preconceived notion that PCI requirements did not apply since the client did not handle credit card information. In practice, and like the other assessment tools, the PCI Self-Assessment Questions deal with the common cybersecurity concerns of any company:

• Network Segmentation
• Firewall Configuration Tracking
• Access and Change Monitoring
• Network Segment Traffic Flow Analytics
• Packet Inspection & Intrusion Detection
• Alert Reporting and Response Process

Step three

The third step in the process was to create a “Cybersecurity Risk Management & Network Operations Manual” for each of LocusView’s application teams. At this step, the value of distributing accountability for cybersecurity to the application owners becomes clear. Viewing the enterprise in totality results in confounding complexity.

For example, firewall access rules are usually very wide to include as many applications as possible inside the corporate network. Yet, when we applied rules to each server running a specific application suite, firewall access rules could become very narrow and specific.


For each application team we recommended LocusView use the following documentation outline:

APPLICATION XXX
Cybersecurity Risk Management & Network Operations MANUAL

RISK MANAGEMENT STRATEGY STATEMENT
• Enterprise Risk Management Process
• Integrated Risk Management Program
• Application Team Specific Roles and Responsibilities
• External Participation

SCOPE OF RISK MANAGEMENT PROGRAM
• Asset, Change, and Configuration Management
• Cybersecurity Program Management
• Supply Chain and External Dependencies Management
• Identity and Access Management
• Event and Incident Response, Continuity of Operations
• Information Sharing and Communications
• Risk Management
• Situational Awareness
• Threat and Vulnerability Management
• Workforce Management

IMMEDIATE INFRASTRUCTURE UPGRADE PROJECT PLANS

LONG TERM CYBERSECURITY ROADMAP AND MILESTONES

EDUCATION AND REASSESSMENT SCHEDULES

EVENT AND INCIDENT RESPONSE PROCEDURES

Appendix 1: Registry of Primary Cybersecurity Risks
Appendix 2: Registry of Stakeholders, IDs
Appendix 3: Registry of Assets, Change Logs, & IPs
Appendix 4: Registry of Firewall & IDS Rules
Appendix 5: Cybersecurity Event and Incident Logs
Appendix 6: C2M2 Self Assessment – Reports
Appendix 7: US-CERT-CRR – Reports
Appendix 8: PCI-DSS Attestation – Reports

Step four

The fourth and final step in the process was to convene the enterprise IT teams responsible for network administration, release control, and infrastructure change control to consolidate the manuals from each team.

Outcome/Results

LocusView was able to use the NIST Cybersecurity Framework as a map to the compliance areas that matter most to their organization. This approach to applying the NIST Framework helped LocusView achieve cost savings and process simplicity.

With this holistic knowledge as a guide to the individual standards, by delegating the process, and by focusing on the security of individual application sets, LocusView was able to respond to each request for security information with a consistent package of answers. Since our work, LocusView has used this approach for penetration tests and compliance auditing. At the time of publication, LocusView has passed initial audits and the first of several penetration tests.


Put the NIST Framework to work

As more organizations consider and move to the cloud, IT teams will need a guide to cybersecurity that works both to secure critical systems and to pass industry standards. Savvy IT security leaders must navigate the challenges of avoiding vendor lock-in and passing compliance audits while efficiently using existing resources.

The NIST Framework can help teams get started, but all organizations deserve to have clear guidelines and advisors who value a practical and honest approach to security.

At Cohesive Networks we like to think of ourselves as “honest Midwesterners.” We are real people who have guided customers through similar cloud security and compliance scenarios. What’s our angle? We want to put the Chicago technology scene on the map the way Chicago School architects built the first skyscrapers. We want to build a rich technology community through honest, hard work.

Don’t get caught in the “fog of more” when it comes to cybersecurity assessments. Use the NIST Cybersecurity Framework as a map to the compliance areas that matter most to your organization. If you need a guide, get in touch with me or any of us at Cohesive Networks for that honest Chicago School advice: [email protected]


Bibliography

References to studies, articles, and standards, formatted in the Chicago Manual of Style, of course.

1. Prince, Brian. “Boards Dissatisfied With Cyber, IT Risk Info Provided by Management.” January 02, 2015. SecurityWeek. http://www.securityweek.com/boards-dissatisfied-cyber-it-risk-info-provided-management.

2. Ponemon Institute. “2015 Cost of Data Breach Study: Global Analysis.” Ponemon Institute. May 2015. http://www.ponemon.org/news-2/23.

3. NIST Cybersecurity Framework “Framework for Improving Critical Infrastructure Cybersecurity” http://www.nist.gov/cyberframework/upload/nist-cybersecurity-framework-update-120514.pdf.

4. Wikipedia. “Chicago school (architecture).” May 16 2015. http://en.wikipedia.org/wiki/Chicago_school_(architecture).

5. Lunden, Ingrid. “Target Says Credit Card Data Breach Cost It $162M In 2013-14.” TechCrunch. February 25 2015. http://techcrunch.com/2015/02/25/target-says-credit-card-data-breach-cost-it-162m-in-2013-14/

6. Burnette, Mark. “Key takeaways from the Target settlement for retailers.” Internet Retailer. May 21, 2015. https://www.internetretailer.com/commentary/2015/05/21/key-takeaways-target-settlement-retailers.

7. The White House The Office of the Press Secretary, Executive Order -- Improving Critical Infrastructure Cybersecurity (13636). February 12, 2013. https://www.whitehouse.gov/the-press-office/2013/02/12/executive-order-improving-critical-infrastructure-cybersecurity.

8. 113th Congress, S. 1353 - Cybersecurity Enhancement Act of 2014 (Public Law 113-274). December 18, 2014. https://www.congress.gov/bill/113th-congress/senate-bill/1353.

9. Department of Homeland Security. About the Critical Infrastructure Cyber Community C³ Voluntary Program. February 12, 2015. http://www.dhs.gov/about-critical-infrastructure-cyber-community-c%C2%B3-voluntary-program.

10. Mello Jr., John P. “Target Breach Lesson: PCI Compliance Isn't Enough.” Tech News World. March 18, 2014. http://www.technewsworld.com/story/80160.html.

11. National Institute of Standards and Technology. Framework for Improving Critical Infrastructure Cybersecurity (Version 1.0). February 12, 2014. http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf

12. National Institute of Standards and Technology. Framework for Improving Critical Infrastructure Cybersecurity (Version 1.0). February 12, 2014. http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf

13. Department of Homeland Security, Industrial Control Systems Cyber Emergency Response Team (ICS-CERT). Assessments. https://ics-cert.us-cert.gov/Assessments


Images:

1. National Institute of Standards and Technology. “Figure 1.” Framework for Improving Critical Infrastructure Cybersecurity (Version 1.0). February 12, 2014. http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf

2. Wikimedia Commons. Rookery Building, via http://upload.wikimedia.org/wikipedia/commons/6/6b/Rookery_Building,_209_South_LaSalle_Street,_Chicago,_Cook_County,_IL_HABS_ILL,16-CHIG,31-_(sheet_4_of_8).png.

3. The History of the NIST Cybersecurity Framework. Cohesive Networks. June 2015.

4. PricewaterhouseCoopers LLP. “Why you should adopt the NIST Cybersecurity Framework.” Figure 1: Tiers of Cybersecurity Maturity. May 2014. http://www.pwc.com/en_US/us/increasing-it-effectiveness/publications/assets/adopt-the-nist.pdf.

5. National Institute of Standards and Technology. “Appendix A, Framework Core.” Alternative View: Appendix A - Framework Core Informative References. February 12, 2014. http://www.nist.gov/itl/upload/alternative-view-framework-core-021214.pdf.

6. National Institute of Standards and Technology. “Figure 2: Notional Information and Decision Flows within an Organization.” Framework for Improving Critical Infrastructure Cybersecurity (Version 1.0). February 12, 2014. http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf

7. 7 Steps to Build Your Own NIST Cybersecurity Framework. Cohesive Networks. June 2015.

About the Author

Dwight Koop is cofounder and chief operating officer for Cohesive Networks. His experience spans enterprise IT and entrepreneurial startups. Dwight was global head of data center operations and security for Swiss Banks capital markets and O'Connor and Associates. He was one of the founders and an EVP of the Chicago Board Options Exchange during its early and rapid growth years. As COO of Bedouin, Inc, he was instrumental in its acquisition by Borland, and as a VP at Borland he played a significant role in its acquisition of Starbase. He was also COO of Signet Assurance, where he is proud to say his engineering team consisted of Eric Hughes, the noted cryptographer, and Bram Cohen, the founder of BitTorrent. Mr. Koop is also the Managing Member of Leporidae Holdings LLC, a private asset management company. Leporidae recently sold its interest in Rabbit Technologies Limited to VMWare.