Project #1: Integrating NIST’s Cyber security Framework with Information Technology Governance Frameworks
Scenario
You have been assigned to your company’s newly established Risk Management Advisory Services team. This team will provide information, analysis, and recommendations to clients who need assistance with various aspects of IT Risk Management.
Your first task is to prepare a 3-to-4-page research paper which provides an analysis of the IT Governance, IT Management, and Risk Management issues and problems that might be encountered by an e-Commerce company (e.g., Amazon, eBay, PayPal, etc.).
Your paper should also include information about governance and management frameworks that can be used to address these issues. The specific frameworks that your team leader has asked you to address are:
- the ISO/IEC 27000 family of standards (27000, 27001, 27002)
- COBIT 5
- the NIST Cyber security Framework (CSF)
The Risk Management Advisory team has performed some initial research and determined that using these three frameworks together can help e-Commerce companies ensure that they have processes in place to enable identification and management of information security related risks particularly those associated with the IT infrastructure supporting online sales, payment, and order fulfilment operations.
(This research is presented in the Background section below.) Your research paper will be used to extend the team’s initial research and provide additional information about the frameworks and how each one supports a company’s risk management objectives (reducing the risks arising from cyber threats and cyber-attacks against information, information systems, and information infrastructures).
Your research should also investigate and report on efforts to date to promote the use of these frameworks together.
Your audience will be members of the Risk Management Services team. These individuals are familiar with risk management processes and the e-Commerce industry.
Your readers will NOT have in-depth knowledge of any of these frameworks. For this reason, your team leader has asked you to make sure that you include a basic overview of the frameworks at the beginning of your paper for the benefit of those readers who are not familiar with ISO/IEC 27000, COBIT, and the CSF.
Background
Security Controls
Security controls are actions taken to "control" or manage risk. Security controls are sometimes called "countermeasures" or "safeguards." For this assignment, it is important to understand that it is not enough to select controls and then buy or implement technologies that implement those controls.
A structure is required to keep track of the controls and their status: implemented (effective or not effective) or not implemented. The overarching structure used to manage controls is the Information Security Management System.
Information Security Management System (ISMS)
An Information Security Management System is the set of policies, processes, procedures, and activities used to structure the organisational unit that is responsible for managing the cyber security or information security program in a business.
Companies can and do design their own structure for this program including: scope, responsibilities, and resources. Many companies, however, choose to use a defined standard to provide guidance for the structure and functions assigned to this organisation.
The ISO/IEC 27000 family of standards is one of the most frequently adopted and comprises best practices for the implementation of an information security program. The ISO/IEC 27001 standard specifies the requirements for and structure of the overall Information Security Management System and ISMS program.
The ISO/IEC 27002 standard provides a catalogue of security controls that can be implemented by the ISMS program. For additional information about the standards, please see this blog: https://www.itgovernance.co.uk/blog/what-is-the-iso-27000-series-of-standards.
Note: there are a number of free resources that describe the contents and purposes of the ISO/IEC 27000 family of standards. For your work in this course, you do not need access to the official standards documents (which are not freely available).
Control Objectives for Information Technology (COBIT)
COBIT is a framework that defines governance and management principles, processes, and organisational structures for enterprise Information Technology. COBIT includes a requirement for implementation of an Information Security Management System and is compatible with the ISO/IEC 27000 series of standards for ISMS implementation.
COBIT 5 has five process areas (domains), which are specified for the Governance and Management of enterprise IT. These areas are:
- EDM: Evaluate, Direct and Monitor (governance)
- APO: Align, Plan and Organise (management)
- BAI: Build, Acquire and Implement (management)
- DSS: Deliver, Service and Support (management)
- MEA: Monitor, Evaluate and Assess (management)
Beginning with version 5, COBIT has incorporated Information Security as part of the framework. Three COBIT 5 processes specifically address information security: APO13 "Manage Security," DSS04 "Manage Continuity," and DSS05 "Manage Security Services."[footnoteRef:1]
[1: Source: http://www.isaca.org/COBIT/Documents/COBIT-5-for-Information-Security-Introduction.pdf]
NIST Cyber security Framework (CSF)
The NIST Framework for Improving Critical Infrastructure Cybersecurity, commonly referred to as the Cyber security Framework or CSF, was developed in collaboration with industry, government, and academia to provide a common language and common frame of reference for describing the activities required to manage cyber-related risks and, in so doing, protect and defend against cyber-attacks.
Unlike many NIST guidance documents, the CSF was designed specifically for businesses, to meet their needs and support attainment of business objectives. Originally designed for companies operating in the 16 critical infrastructure sectors, the CSF is now also required of federal government agencies and departments and their contractors.
The Executive Summary of the NIST CSF version 1.1 provides additional background and supporting information about the purposes, goals, and objectives of the CSF.
The Cyber security Framework is presented in three parts:
- the Framework Core (the Functions, Categories, Subcategories, and Informative References)
- the Framework Implementation Tiers
- the Framework Profiles
Commonalities between ISO/IEC 27000, COBIT, and NIST CSF
There are a number of common elements between the information security frameworks defined in the ISO/IEC 27000 family of standards, the COBIT standard, and the NIST Cyber security Framework. Each of these frameworks addresses risks that must be addressed by businesses that depend upon digital forms of information, information systems, and information infrastructures.
Each framework presents structured lists of IT Governance and IT Management activities (processes and practices) that must be adopted and implemented in order to effectively manage risk and protect digital assets from harm or loss. Each framework also provides a list or catalogue of security controls.
Each framework also provides lists of goals or objectives that must be met in order to assure the effectiveness of controls implemented to defend against cyber threats and attacks.
The ISO/IEC 27001:2013 controls and the COBIT 5 process areas have been cross-referenced to the NIST Cyber security Framework Functions, Categories, and Subcategories in the NIST CSF document.[footnoteRef:2] Table 1 below shows examples of the mapping between ISO/IEC 27001, COBIT 5, and the NIST CSF as provided in Table 2: Framework Core: Informative References in the NIST CSF document.
[2: Source: https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf]
Table 1. Example Mappings from ISO/IEC 27001 to COBIT 5 Processes to NIST CSF Functions
ISO/IEC 27001:2013 Control[footnoteRef:3] | COBIT 5 Process | NIST CSF Function | NIST CSF Category | NIST CSF Subcategory
A.5.1.1 | APO13.01 | Identify | Governance (ID.GV) | ID.GV-1
A.16.1.6 | DSS04.02 | Identify | Risk Assessment (ID.RA) | ID.RA-4
A.6.1.1, A.7.2.1, A.15. | DSS05.04 | Identify | Governance (ID.GV) | ID.GV-2
A.12.6.1, A.18.2.3 | DSS05.01, DSS05.02 | Identify | Risk Assessment (ID.RA) | ID.RA-1
[3: Names for many of the ISO/IEC 27001 controls can be found here: https://www.bsigroup.com/Documents/iso-27001/resources/BSI-ISO27001-mapping-guide-UK-EN.pdf]
Adoption and Use of IT Security Frameworks
A 2016 survey conducted by Dimensional Research for Tenable[footnoteRef:4] found that over 80% of the responding organisations used an IT security or cyber security framework to structure their IT security management program.
This finding was similar across all sizes of companies and across industries. Over 40% of the respondents used multiple frameworks. The NIST CSF was utilised by over 40% of the respondents, approximately the same number who adopted the ISO/IEC 27000 standards.
One notable finding was that in some cases a business partner or a federal contract required adoption of the NIST CSF.
[4: Source: https://static.tenable.com/marketing/tenable-csf-report.pdf]
Research
Write:
Use standard terminology, including correctly used cyber security terms and definitions, to write a three-to-four-page summary of your research. At a minimum, your summary must include the following:
An introduction or overview of the role that the Information Security Management System plays as part of an organisation's IT Governance, IT Management, and Risk Management activities.
The most important part of this overview is a clear explanation of the purpose of, and relationships between, governance and management activities as they pertain to managing and reducing risks arising from the use of information technology.
(Use Table 2: Informative References to find overlapping functions / activities.) You are not required to identify or discuss potential pitfalls, conflicts, or other types of "problems" which could arise from concurrent use of multiple guidance documents.
Submit for Grading
Submit your work in MS Word format (.docx or .doc file) using the Project #1 Assignment in your assignment folder. (Attach the file.)
Additional Information
Rubric Name: Project 1: Integrating NIST CSF with IT Gov. Frameworks
Introduction
10 points
Provided an excellent overview of the role that an Information Security Management System plays as part of an organisation’s IT Governance, IT Management, and Risk Management activities. Provided a clear and concise explanation of the relationships between these activities. Appropriately used information from 3 or more authoritative sources.
Analysis of Standards and Frameworks
20 points
Provided an excellent analysis and explanation of how ISO/IEC 27000, 27001, 27002; COBIT 5; and NIST’s CSF can be integrated to improve the effectiveness of an organisation’s risk management efforts for cyber security related risks. Appropriately used and cited information from 5 or more authoritative sources.
Application of Standards and Frameworks to e-Commerce
15 points
Provided an excellent discussion of the use of ISO/IEC 27000/1/2, COBIT 5, and NIST CSF to reduce IT-related risks for e-Commerce and related business operations. Provided 5 or more examples of ways that these frameworks can support risk management efforts. Appropriately used information from 3 or more authoritative sources.
Recommendations for Integrating Multiple Standards or Frameworks
15 points
Provided an excellent discussion illustrating how e-Commerce companies can integrate and use the ISO/IEC 27000/1/2, COBIT 5, and NIST CSF standards and frameworks as part of the organisation's risk management efforts. Included discussion of 5 or more areas where two or more frameworks overlap or address the same issues / problems. Appropriately used information from 3 or more authoritative sources.
Summary and Conclusions
10 points
Provided an excellent summary and conclusions section which presented a summary of findings including 3 or more benefits of using ISO/IEC 27000/1/2, COBIT 5, and/or NIST CSF to support risk management in an e-Commerce organisation. Appropriately used information from authoritative sources.
Addressed security issues using standard cyber security terminology
5 points
Demonstrated excellence in the use of standard cyber security terminology to support discussion of security issues. Appropriately used 5 or more standard terms.
Professionalism Part 1: Consistent Use and Formatting for Citations and Reference List
5 points
Work contains a reference list containing entries for all cited resources. Sufficient information is provided to allow a reader to find and retrieve the cited sources. Reference list entries and in-text citations are consistently and correctly formatted using an appropriate citation style (APA, MLA, etc.).
Professionalism Part 2: Organisation & Appearance
5 points
Submitted work shows outstanding organisation and the use of colour, fonts, titles, headings and sub-headings, etc. is appropriate to the assignment type.
Professionalism Part 3: Execution
15 points
Paragraphs: use the Normal Indent style to indent your paragraphs with a first-line indent of ½ inch. This style will also double-space between lines. Do not hit the ENTER key until you have finished your paragraph; let MS Word wrap lines within the paragraph itself.
In your reference section, use the Reference style from the style gallery to indent your entries with a hanging indent of ½ inch. This style will also double-space your references for you. Do NOT hit the ENTER key until you come to the END of a reference entry.
If you want to force MS Word to wrap long URLs, use the Insert->Symbol feature to insert a no-width optional break character. Or, turn on paragraph marks (so that you can see the symbol for the character) and copy/paste this character (immediately to the left of the opening parenthesis for this clause you should see two grey squares, one inside the other).
If you do not see the character, then you do not have paragraph marks turned on (click on the ¶ symbol in the Paragraph group on the Home ribbon).