Advancing cybersecurity across the global digital infrastructure has long been a priority for
Intel. President Obama issued Executive Order 13636—Improving Critical Infrastructure
Cybersecurity—in February 2013, and over the ensuing year Intel collaborated with government
and industry to develop the Framework for Improving Critical Infrastructure Cybersecurity (the
“Framework”). The first version of the Framework was delivered on February 12, 2014, and
soon thereafter Intel launched a pilot project to test the Framework’s use at Intel.
The Framework Provides Clear Benefit
Intel’s pilot project assessed cybersecurity risk for our Office and Enterprise infrastructure. We focused on developing a use case that would create a common language and encourage the use of the Framework as a process and risk management tool, rather than a set of static compliance requirements.
Our early experience with the Framework has helped us harmonize our risk management technologies and language, improve our visibility into Intel’s risk landscape, inform risk tolerance discussions across our company, and enhance our ability to set security priorities, develop budgets, and deploy security solutions. The pilot resulted in a set of reusable tools and best practices for utilizing the Framework to assess infrastructure risk; we plan to use these tools and best practices to expand Intel’s use of the Framework. We hope other organizations will also embrace the Framework, utilizing it for the benefit of their own security systems and sharing their results with industry and government partners.

Next Steps for the Framework at Intel and Beyond
The Framework embodies a longstanding pillar of Intel’s cybersecurity strategy: supporting collaboration between government, industry, and non-governmental organization stakeholders to improve cybersecurity in a way that promotes innovation, protects citizens’ privacy and civil liberties, and preserves the promise of the Internet as a driver of global economic development and social interaction.
As the Framework continues to evolve and mature, we believe it should include key elements such as the cyberthreat intelligence lifecycle, which is essential to developing a robust understanding of cybersecurity attacks. Intel’s pilot project has verified that the Framework can provide value to even the largest organizations and has the potential to transform cybersecurity on a global scale by accelerating cybersecurity best practices across the compute continuum.
Solution Brief | The Cybersecurity Framework In Action: An Intel Use Case
as we move forward.
Utilizing the Cybersecurity Framework at Intel
From the early days of development, the Intel team responsible for engaging with the Framework planned to conduct a pilot project to test its use at Intel. Once the 1.0 version of the Framework was released and we knew the final configuration, we looked for a business unit to partner with for the pilot. Because we were in new territory, we sought a mature business unit with a robust cybersecurity program and with a large range of products and services we could use to test some of the Framework’s limits. Intel IT met all these requirements, making it the obvious choice.
Intel IT is much more than a service organization. As an integral part of the Intel business, it delivers value by offering solutions to other business units that drive other products. Intel IT’s cybersecurity program has a large number of cybersecurity experts, all of whom could easily provide independent assessment and evaluation under the Framework with minimal training. Intel IT also uses a mature model of cyber functions within the enterprise (the DOMES model detailed in the Design section) that enabled us to further simplify the pilot.
We have recently completed the pilot project, which clearly demonstrated the value of the Framework. We plan to apply what we learned during the pilot to expanding Intel’s use of the Framework. Most importantly, we verified that by focusing on risk

Methodology
Intel uses different risk management tools in different situations, depending on the environment being managed and the type and scope of the risks. We consider the Framework to be a top-level security management tool that helps assess cybersecurity risk across the enterprise. Intel’s approach was to conduct the pilot using the Framework to create an enterprise-level risk heat map that could be used to do the following:
• Set risk tolerance baselines
• Identify areas that need more detailed or technical assessments
• Identify areas of overinvestment and underinvestment
• Assist in risk prioritization

Design
For assessment purposes, Intel divides its compute infrastructure into five critical business functions: Design, Office, Manufacturing, Enterprise, and Services (DOMES). For the pilot project, we used the Framework to perform an initial high-level risk assessment on only the Office and Enterprise environments, rather than attempt to apply the Framework across the entire computing domain. Because Office and Enterprise are similar environments from a risk management perspective, the subject matter experts (SMEs) involved in the Framework risk assessment pilot were essentially the same people. Also, the Office and Enterprise environments most closely match the existing Framework Categories (see the Cybersecurity Framework Terminology sidebar), while we believe the other business functions,

Cybersecurity Framework Terminology
and references that is common across critical infrastructure sectors and organized around particular outcomes. The Framework Core comprises four types of elements: Functions, Categories, Subcategories, and Informative References.
Functions. One of the main components of the Framework, Functions provide the highest level of structure for organizing basic cybersecurity activities into Categories and Subcategories. The five Functions are Identify, Protect, Detect, Respond, and Recover.
Categories. The subdivision of a Function into groups of cybersecurity outcomes, closely tied to programmatic needs and particular activities. Examples of Categories include Asset Management, Access Control, and Detection Processes.
Subcategories. The subdivision of a Category into specific outcomes of technical and management activities. Examples of Subcategories include External information systems are cataloged, Data-at-rest is protected, and Notifications from detection systems are investigated.
Tiers. The Framework Implementation Tiers (“Tiers”) provide context on how an organization views cybersecurity risk and the processes in place to manage that risk. The Tiers range from Partial (Tier 1) to Adaptive (Tier 4) and describe an increasing degree of rigor and sophistication in cybersecurity risk management practices and the extent to which cybersecurity risk management is informed by business needs and integrated into an organization’s overall risk management practices.
Profiles. A representation of the outcomes that a particular system or organization has selected from the Framework Categories and Subcategories. Profiles can be used to identify opportunities for improving cybersecurity posture by comparing a current profile (the “as is” state) with a target profile (the “to be” state).
For a more comprehensive glossary of terms, refer to the Cybersecurity Framework document: www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf
Participants
who approved target scores, reviewed assessment results, and set risk tolerance levels. The activities of these groups are described in more detail in the Implementing the Pilot Project section.

Goals
We established the following goals for the pilot Framework project, which sought to assess cybersecurity risk for the Office and Enterprise infrastructure:
• Establish organizational alignment on risk tolerance objectives.
• Inform the budget planning and prioritization processes.
• Communicate an aligned cybersecurity risk picture to senior leadership.
• Create a set of reusable tools and best practices for utilizing the Framework to assess infrastructure risk.
Early in the planning, we believed the Framework could transform a discussion about risk tolerance objectives from implicit to explicit. Today it is not unusual for an organization to have a disconnect between the C-level and the technical implementation staff level concerning risk tolerance, and often

meet our business needs. We believe that organizations implementing the Framework should also consider tailoring it to fit their individual business processes and priorities, to maximize the benefits they can gain. We customized the Framework in the following areas:
• Tier definitions. We augmented the generic Tier definitions listed in the Framework to provide more concrete guidance to our assessors, as applicable to our particular environment. We started with the traditional security triad of People, Processes, and Technology, and mapped the Framework definitions into that structure. We then added a new element, Ecosystem, which we believe is equally essential to a modern corporate security program. Important organizational and governance issues, not included in the core model, are now included in this new element. Our modifications remained aligned to the Framework Tiers’ graduated maturity scale and intent. Table 1 lists our customized Tier definitions.
how Intel manages each Category. For example, in Asset Management we created the Subcategories of Information, Client, Server, Network, People, and Virtual, which align with the scheme Intel IT Security uses to manage assets. In addition, we found Subcategories were necessary to our assessment pilot only if that level of granularity helped inform a business decision. For example, if the Asset Management Category received a low score, the Subcategories could help identify the specific aspects needing improvement.

Project Phases
Our pilot project consisted of four phases: set target scores, assess our current status, analyze the results of that assessment, and communicate those results to managers and senior leadership. An organized, phased approach enabled us to successfully implement the Framework in our Office and Enterprise environments. We completed the project in about seven months.

[Figure: the four pilot phases for the Functions and Categories, Set Target Scores, Assess Current Status (Phase 2), Analyze Results (Phase 3), and Communicate Results, over about 7 months.]

As a result of this initial phase we were able to validate that our approach aligned with Intel’s existing risk management methodologies and could be a meaningful tool for prioritization and risk tolerance decisions. Our chief information security officer (CISO) and other key stakeholders also validated our target scores, further raising our confidence that we had set them accurately.

Phase 2 – Assess Current Status
We identified senior SME scorers to conduct an independent risk assessment based on the Framework. Using learnings from our Core Group sessions, we developed individual scoring tools and provided training through virtual one-hour sessions (see Training Topics for more information). Once trained, the SMEs individually scored the Categories and noted specific Subcategories where opportunities to improve existed.
By design, participants were not aware of the target scores that the Core Group set. The total time that each SME used for the assessment was 2 to 3 hours, which included training, using the self-scoring tool, and participating in a validation of the aggregated scores.

Phase 3 – Analyze Results
We analyzed the individual SME scores and compared them to the Core Group scores and the target scores (see Figure 1). Significant differences between Core Group and individual SME scores can identify visibility issues, either by the individual SME or the Core Group. Using a heat map format to identify score differences greater than one, we examined areas of concern at the Subcategory level to further identify specific areas for improvement.

Phase 4 – Communicate Results
We reviewed our findings and recommendations with the CISO and staff. A key component of this phase was to revalidate target scores with the CISO and key stakeholders, in the context of the assessed scores. This process fostered a dialogue and helped us agree on risk tolerance and prioritization. We also informed the capability and process owners who were impacted by the results of our discussion. Conveying this information helped us prioritize the key issues in the budgeting and planning cycles and examine where additional, more granular risk assessments should be prioritized.
Figure 1. A heat map resulting from charting individual and group scores and their comparisons. Note: The scores given are examples and not the actual scores.
Figure callouts: Mapping highlighted outliers and major differences. Focus areas stand out (large ∆). Significant differences between Core and Individual scores can highlight visibility issues.
Rows shown in the figure, each with its eleven score columns:

PROTECT
Access Control                  2 3 3 2 3 2 3 2 2 3 1
Awareness/Training              2 3 3 2 3 3 3 3 3 4 1
Data Security                   2 2 2 2 3 2 2 3 3 3 0
Protective Process/Procedures   2 3 3 1 2 2 2 2 2 4 2
Maintenance                     3 2 2 2 2 4 2 1 2 3 1
Protective Technologies         2 2 1 3 1 2 2 3 2 3 1

DETECT
Anomalies/Events                2 3 1 2 2 4 2 2 2 4 2
Security Continuous Monitoring  2 2 1 2 1 1 1 2 2 4 2
Detection Process               2 3 2 2 3 2 2 4 3 3 0
Threat Intelligence             3 3 3 2 2 2 3 3 3 3 0

RESPOND
Response Planning               2 2 3 2 3 2 3 2 2 4 2
Communication                   2 2 3 2 2 3 3 1 2 3 1
Analysis                        2 3 3 2 3 3 3 2 2 3 1
Mitigations                     2 3 1 2 3 1 2 3 3 3 0
Improvements                    3 3 3 3 2 2 2 1 2 2 0

RECOVER
Recovery Planning               2 3 3 2 2 3 3 3 3 3 0
Improvements                    1 3 2 1 2 3 2 1 2 2 0
Communications                  2 2 3 2 1 3 2 3 3 3 0
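The Phase 3 comparison behind Figure 1, as an added example (not code from the Intel brief): it applies the rule of flagging score differences greater than one to constructed sample Category scores. The column layout (target score, Core Group score, individual SME scores on the 1 to 4 Tier scale), the function names and every value are assumptions.

```python
"""Heat-map comparison of Framework Category scores (added example).

Flags score differences greater than one, as in the brief's Phase 3.
Column layout and all sample values are assumptions, not Intel's data.
"""
from dataclasses import dataclass

THRESHOLD = 1  # the brief highlights differences greater than one


@dataclass
class CategoryScores:
    function: str       # Identify / Protect / Detect / Respond / Recover
    category: str
    target: int         # target score the Core Group set (Tier scale 1-4)
    core: int           # Core Group's current-state score
    smes: list[int]     # independent individual SME scores from Phase 2


def analyze(rows, threshold=THRESHOLD):
    """Return (category, kind, detail) findings the heat map would highlight.

    "focus_area": the Core Group score is more than `threshold` below the
                  target, so the Category warrants a Subcategory-level look.
    "visibility": an individual SME disagrees with the Core Group by more
                  than `threshold`, so one of them may lack visibility.
    """
    findings = []
    for r in rows:
        gap = r.target - r.core
        if gap > threshold:
            findings.append((r.category, "focus_area",
                             f"core {r.core} vs target {r.target}, gap {gap}"))
        for i, s in enumerate(r.smes, start=1):
            if abs(s - r.core) > threshold:
                findings.append((r.category, "visibility",
                                 f"SME{i} scored {s}, Core Group scored {r.core}"))
    return findings


# Constructed sample rows (not Intel's scores), one per Category.
SAMPLE = [
    CategoryScores("Protect", "Access Control", 3, 3, [3, 2, 3, 3]),
    CategoryScores("Detect", "Security Continuous Monitoring", 4, 2, [2, 1, 2, 4]),
    CategoryScores("Recover", "Recovery Planning", 3, 3, [3, 1, 3, 3]),
]

if __name__ == "__main__":
    for category, kind, detail in analyze(SAMPLE):
        print(f"{kind:11} {category}: {detail}")
```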