Cybersecurity Framework Extensible Model Visualization v1.0 using XMind
Note: You're going to need XMind for Mac or Windows to view this file.
What is Mind Mapping? “A mind map is a diagram used to visually organize information. A mind map is hierarchical and shows relationships among pieces of the whole. It is often created around a single concept, drawn as an image in the center of a blank page, to which associated representations of ideas such as images, words and parts of words are added. Major ideas are connected directly to the central concept, and other ideas branch out from those. [ref: https://en.wikipedia.org/wiki/Mind_map]”
The idea behind mapping the Cybersecurity Framework v1.1 is to illustrate the connections between the 5 core functions (Identify, Protect, Detect, Respond, and Recovery) and the associated NIST 800-53r4 and the Critical Security Controls v6.1 (CSC v6.1) control standards. The user will be able to traverse from the Cybersecurity Framework Core to the Function to the Subcategory to the Control References. We’ve selected NIST 800-53r4 and the CSC v6.1 because of its availability and clarity.
The Cybersecurity Framework is based on 5 core functions; IDENTIFY (ID), PROTECT(PR), DETECT (DE), RESPOND (RS) and RECOVER(RC).
IDENTIFY (ID): Develop the organizational understanding to manage cybersecurity risk to 300 systems, assets, data, and capabilities. The activities in the Identify Function are foundational for effective use of the Framework. Understanding the business context, the resources that support critical functions, and the related cybersecurity risks enables an organization to focus and prioritize its efforts, consistent with its risk management strategy and business needs. Examples of outcome Categories within this Function include: Asset Management; Business Environment; Governance; Risk Assessment; and Risk Management Strategy. [ref: https://www.nist.gov/file/344206]
PROTECT(PR): Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services. The Protect Function supports the ability to limit or contain the impact of a potential cybersecurity event. Examples of outcome Categories within this Function include: Access Control; Awareness and Training; Data Security; Information Protection Processes and Procedures; Maintenance; and Protective Technology.[ref: https://www.nist.gov/file/344206]
DETECT(DE): Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event. The Detect Function enables timely discovery of cybersecurity events. Examples of outcome Categories within this Function include: Anomalies and Events; Security Continuous Monitoring; and Detection Processes. [ref: https://www.nist.gov/file/344206]
RESPOND(RS): Develop and implement the appropriate activities to take action regarding a detected cybersecurity event. The Respond Function supports the ability to contain the impact of a potential cybersecurity event. Examples of outcome Categories within this Function include: Response Planning; Communications; Analysis; Mitigation; and Improvements. [ref: https://www.nist.gov/file/344206]
RECOVER(RC): Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event. The Recover Function supports timely recovery to normal operations to reduce the impact from a cybersecurity event. Examples of outcome Categories within this Function include: Recovery Planning; Improvements; and Communications. [ref: https://www.nist.gov/file/344206]
A Practical Example of How to Use this Mind Map; Scenario
Scenario: Your organization needs to build a Security Operations Centers. How do you use the Cybersecurity Framework to help you with the correct controls?
What is a Security Operations Center (SOC)? “A SOC is an organized and highly skilled team whose mission is to continuously monitor and improve an organization’s security posture while preventing, detecting, analyzing, and responding to cyber security incidents with the aid of both technology and well-defined processes and procedures.” [ref: http://securityaffairs.co/wordpress/47631/breaking-news/soc-security-operations-center.html]
OK, we see from this definition that a SOC prevents, detects and responds to incidents. We’ll look at prevents as PROTECTS(PR), detects and analyzing will be DETECTS(DE), and responds is RESPOND(RS). Those are three of the main functions we’ll research.
We expand PROTECT(PR) on the Mind Map from the core then expand "PR.DS Data Security". From there we see “PR.DS-6: Integrity checking mechanisms are used to verify software, firmware, and information integrity”. The SOC should be able to identify changes in software to alert on some anomaly. We then traverse over to Control References and then to NIST SP 800-53 Rev. 4 – SI-7 which states, “Control: The organization employs integrity verification tools to detect unauthorized changes to organization-defined software, firmware, and information”. We then analyze our needs to fulfill this control. Is this a manual control? Can we automate this control? What level of effort, budget, and resources are needed for this control? We then come up with a cost-benefits analysis to present to management.
There are many other controls for the SOC but this is one methodology to determine what you want to implement and measure. At the point you determine your controls you’ll then want to define documented processes and procedures to ensure your program is repeatable.
Here is a link to my Cybersecurity Framework Core Mind Map. You're going to need XMind for Mac or Windows to view this file.
I know this was short but I could write an entire book on this subject. Let me know if you have questions or updates. The Mind Map is self explanatory once you download it and look at it.