The Cybersecurity Framework Categories

Diagram: the five Framework functions – Identify, Protect, Detect, Respond, Recover.
Organizational Security Components

1) Physical Security – the protection of property, e.g. using fences and locks;
3) Contingency Planning and Disaster Recovery: how to resume normal operations after an incident, also known as Business Continuity Planning;
4) Operational Security – protecting information;
5)
Identify and Prioritize Information Types

Worksheet (one column per information type: Info type 1, Info type 2, Info type 3, …), with one row for each cost category:
  Cost of revelation (Confidentiality)
  Cost to verify information (Integrity)
  Cost of lost access (Availability)
  Cost of lost work
  Fines, penalties, customer notification
  Other legal costs
  Reputation / public relations costs
  Cost to identify and repair problem
  PRIORITY:

1) List all of the information types used in your organization (define “information type” in any way that makes sense in your business). Think about all the information used by and in your business.
2) Enter estimated costs for each of the cost categories (the worksheet rows). If you are unable to assign a dollar amount, use a scale such as low-medium-high, or 1-10. Avoid using a range (e.g. $2,500 to $50,000) and simply enter a best-guess average.
3) Based on the estimated costs, prioritize your information types in the bottom row. You may do this by calculating an overall ranking or risk score for each information type. Either add the values to give a total value or use the highest value or score given. For example, if the information type has one “high” rating, the entire information type should be rated as “high”.
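The scoring in step 3 (add the values for a total, or take the highest single rating) worked through as an added Python example; it is not part of the presentation, the three information types and their ratings are constructed sample data, and the function names are my own. It also enforces step 2's rule that a cell holds one rating, not a range.

```python
# Rows of the "Identify and Prioritize Information Types" worksheet, in order.
COST_CATEGORIES = [
    "Cost of revelation (Confidentiality)",
    "Cost to verify information (Integrity)",
    "Cost of lost access (Availability)",
    "Cost of lost work",
    "Fines, penalties, customer notification",
    "Other legal costs",
    "Reputation / public relations costs",
    "Cost to identify and repair problem",
]
# The worksheet's low-medium-high scale, mapped to numbers so ratings can be added or compared.
SCALE = {"low": 1, "med": 2, "medium": 2, "high": 3}


def to_score(rating):
    """Accept a scale word (Low/Med/High) or a whole number such as a 1-10 rating.
    A range like '$2,500 to $50,000' is rejected: the worksheet wants one best-guess value."""
    key = str(rating).strip().lower()
    if key in SCALE:
        return SCALE[key]
    if key.isdigit():
        return int(key)
    raise ValueError(f"enter a single rating, not a range or blank: {rating!r}")


def is_single_rating(rating):
    """True when a worksheet cell holds one usable rating (check this before scoring)."""
    try:
        return to_score(rating) >= 0
    except ValueError:
        return False


def risk_score(ratings, method="max"):
    """Score one information type from its ratings, given in COST_CATEGORIES order.
    'sum' adds every category (total value); 'max' takes the highest single rating,
    so one 'High' makes the whole type 'High'."""
    assert len(ratings) == len(COST_CATEGORIES), "one rating per cost category"
    scores = [to_score(r) for r in ratings]
    return sum(scores) if method == "sum" else max(scores)


def prioritize(info_types, method="max"):
    """Fill in the PRIORITY row: (information type, score) pairs, highest priority first."""
    ranked = [(name, risk_score(ratings, method)) for name, ratings in info_types.items()]
    return sorted(ranked, key=lambda pair: pair[1], reverse=True)


# Constructed sample worksheet (not from the presentation): three information types.
SAMPLE = {
    "Customer contact information": ["Med", "Low", "Med", "Low", "High", "Med", "High", "Low"],
    "Payroll records": ["High", "Med", "Med", "Med", "High", "Med", "Med", "Med"],
    "Marketing brochures": ["Low"] * 8,
}
```

Running `prioritize(SAMPLE, "sum")` and `prioritize(SAMPLE, "max")` shows how the two methods can rank the same worksheet differently: the total separates payroll from customer contact data, while the highest-rating rule ties them because each has a "High" cell.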
Develop an Inventory

Inventory table columns: Description (e.g. nickname, make, model, serial number, service ID, other identifying information); Type of information; Location; Overall Potential Impact.

1) List what technology comes in contact with (accesses, processes, transmits or stores) your information. This can include hardware (e.g. computers) and software applications (e.g. browser, email).
2) … information such as the make, model, nickname, title, version, owner, and serial number.
3) Identify where that product is located. For software, identify what machine(s) the software has been loaded on to.
Example risk worksheet (one column per Info type / Technology: 1, 2, 3, …). Example column: Customer Contact Information on Dr. J. Smith’s cell phone.

Confidentiality
  Theft by criminal: Med (encrypted; password-protected)
  Accidental disclosure: Med (has previously lost phone twice)
Integrity
  Accidental alteration by user / employee: Med
  Intentional alteration by external criminal / hacker: Low
Availability
  Accidental Destruction (fire, water, user error): Med (Regular backups)
Likelihood scale: Low … High
This Presentation is based on the following standards:

ISO 27000 family of Cybersecurity Standards
NIST Cyber Security Standards and Framework
HIPAA (Health Insurance Portability and Accountability Act)
The Payment Card Industry Data Security Standard (PCI-DSS)
DHS/FEMA Cybersecurity Community Preparedness Standards