Academic Foreword xiiiAcknowledgments xvPreface - Overview of the NIST Framework xviiBackground on the Framework xviiiFramework Based on Risk Management xixThe Framework Core xixFramework Implementation Tiers xxiFramework Profile xxiiOther Aspects of the Framework Document xxiiiRecent Developments At Nist xxiiiChapter 1 Cybersecurity Risk Planning and Management 1Introduction 2I. What Is Cybersecurity Risk Management? 2A. Risk Management Is a Process 3II. Asset Management 4A. Inventory Every Physical Device and System You Have and Keep the Inventory Updated 5B. Inventory Every Software Platform and Application You Use and Keep the Inventory Updated 9C. Prioritize Every Device, Software Platform, and Application Based on Importance 10D. Establish Personnel Security Requirements Including Third-Party Stakeholders 11III. Governance 13A. Make Sure You Educate Management about Risks 13IV. Risk Assessment and Management 15A. Know Where You're Vulnerable 15B. Identify the Threats You Face, Both Internally and Externally 16C. Focus on the Vulnerabilities and Threats That Are Most Likely AND Pose the Highest Risk to Assets 17D. Develop Plans for Dealing with the Highest Risks 18Summary 20Chapter Quiz 20Essential Reading on Cybersecurity Risk Management 22Chapter 2 User and Network Infrastructure Planning and Management 23I. Introduction 24II. Infrastructure Planning and Management Is All about Protection, Where the Rubber Meets the Road 24A. Identity Management, Authentication, and Access Control 251. Always Be Aware of Who Has Access to Which System, for Which Period of Time, and from Where the Access Is Granted 272. Establish, Maintain, and Audit an Active Control List and Process for Who Can Physically Gain Access to Systems 283. Establish Policies, Procedures, and Controls for Who Has Remote Access to Systems 284. Make Sure That Users Have the Least Authority Possible to Perform Their Jobs and Ensure That at Least Two Individuals Are Responsible for a Task 295. Implement Network Security Controls on All Internal Communications, Denying Communications among Various Segments Where Necessary 31A Word about Firewalls 316. Associate Activities with a Real Person or a Single Specific Entity 327. Use Single- or Multi-Factor Authentication Based on the Risk Involved in the Interaction 33III. Awareness and Training 34A. Make Sure That Privileged Users and Security Personnel Understand Their Roles and Responsibilities 35IV. Data Security 35A. Protect the Integrity of Active and Archived Databases 35B. Protect the Confidentiality and Integrity of Corporate Data Once It Leaves Internal Networks 36C. Assure That Information Can Only Be Accessed by Those Authorized to Do So and Protect Hardware and Storage Media 37D. Keep Your Development and Testing Environments Separate from Your Production Environment 38E. Implement Checking Mechanisms to Verify Hardware Integrity 39V. Information Protection Processes and Procedures 39A. Create a Baseline of IT and OT Systems 40B. Manage System Configuration Changes in a Careful, Methodical Way 41A Word about Patch Management 42C. Perform Frequent Backups and Test Your Backup Systems Often 43D. Create a Plan That Focuses on Ensuring That Assets and Personnel Will Be Able to Continue to Function in the Event of a Crippling Attack or Disaster 43VI. Mainte nance 44A. Perform Maintenance and Repair of Assets and Log Activities Promptly 45B. Develop Criteria for Authorizing, Monitoring, and Controlling All Maintenance and Diagnostic Activities for Third Parties 45VII. Protective Technology 46A. Restrict the Use of Certain Types of Media On Your Systems 46B. Wherever Possible, Limit Functionality to a Single Function Per Device (Least Functionality) 47C. Implement Mechanisms to Achieve Resilience on Shared Infrastructure 48Summary 49Chapter Quiz 50Essential Reading on Network Management 51Chapter 3 Tools and Techniques for Detecting Cyber Incidents 53Introduction 54What Is an Incident? 55I. Detect 56A. Anomalies and Events 561. Establish Baseline Data for Normal, Regular Traffic Activity and Standard Configuration for Network Devices 572. Monitor Systems with Intrusion Detection Systems and Establish a Way of Sending and Receiving Notifications of Detected Events; Establish a Means of Verifying, Assessing, and Tracking the Source of Anomalies 58A Word about Antivirus Software 603. Deploy One or More Centralized Log File Monitors and Configure Logging Devices throughout the Organization to Send Data Back to the Centralized Log Monitor 614. Determine the Impact of Events Both Before and After they Occur 615. Develop a Threshold for How Many Times an Event Can Occur Before You Take Action 62B. Continuous Monitoring 621. Develop Strategies for Detecting Breaches as Soon as Possible, Emphasizing Continuous Surveillance of Systems through Network Monitoring 632. Ensure That Appropriate Access to the Physical Environment Is Monitored, Most Likely through Electronic Monitoring or Alarm Systems 643. Monitor Employee Behavior in Terms of Both Physical and Electronic Access to Detect Unauthorized Access 654. Develop a System for Ensuring That Software Is Free of Malicious Code through Software Code Inspection and Vulnerability Assessments 655. Monitor Mobile Code Applications (e.g., Java Applets) for Malicious Activity by Authenticating the Codes' Origins, Verifying their Integrity, and Limiting the Actions they Can Perform 666. Evaluate a Provider's Internal and External Controls' Adequacy and Ensure they Develop and Adhere to Appropriate Policies, Procedures, and Standards; Consider the Results of Internal and External Audits 667. Monitor Employee Activity for Security Purposes and Assess When Unauthorized Access Occurs 678. Use Vulnerability Scanning Tools to Find Your Organization's Weaknesses 68C. Detection Processes 681. Establish a Clear Delineation between Network and Security Detection, with the Networking Group and the Security Group Having Distinct and Different Responsibilities 692. Create a Formal Detection Oversight and Control Management Function; Define Leadership for a Security Review, Operational Roles, and a Formal Organizational Plan; Train Reviewers to Perform Their Duties Correctly and Implement the Review Process 703. Test Detection Processes Either Manually or in an Automated Fashion in Conformance with the Organization's Risk Assessment 714. Inform Relevant Personnel Who Must Use Data or Network Security Information about What Is Happening and Otherwise Facilitate Organizational Communication 715. Document the Process for Event Detection to Improve the Organization's Detection Systems 72Summary 72Chapter Quiz 73Essential Reading for Tools and Techniques for Detecting a Cyberattack 74Chapter 4 Developing a Continuity of Operations Plan 75Introduction 77A. One Size Does Not Fit All 77I. Response 77A. Develop an Executable Response Plan 79B. Understand the Importance of Communications in Incident Response 80C. Prepare for Corporate-Wide Involvement During Some Cybersecurity Attacks 81II. Analysis 82A. Examine Your Intrusion Detection System in Analyzing an Incident 82B. Understand the Impact of the Event 83C. Gather and Preserve Evidence 84D. Prioritize the Treatment of the Incident Consistent with Your Response Plan 84E. Establish Processes for Handling Vulnerability Disclosures 85III. Mitigation 86A. Take Steps to Contain the Incident 86B. Decrease the Threat Level by Eliminating or Intercepting the Adversary as Soon as the Incident Occurs 87C. Mitigate Vulnerabilities or Designate Them as Accepted Risk 88IV. Recover 88A. Recovery Plan Is Executed During or After a Cybersecurity Incident 89B. Update Recovery Procedures Based on New Information as Recovery Gets Underway 91C. Develop Relationships with Media to Accurately Disseminate Information and Engage in Reputational Damage Limitation 92Summary 92Chapter Quiz 93Essential Reading for Developing a Continuity of Operations Plan 94Chapter 5 Supply Chain Risk Management 95Introduction 96I. NIST Special Publication 800-161 96II. Software Bill of Materials 97III. NIST Revised Framework Incorporates Major Supply Chain Category 98A. Identify, Establish, and Assess Cyber Supply Chain Risk Management Processes and Gain Stakeholder Agreement 98B. Identify, Prioritize, and Assess Suppliers and Third-Party Partners of Suppliers 99C. Develop Contracts with Suppliers and Third-Party Partners to Address Your Organization's Supply Chain Risk Management Goals 100D. Routinely Assess Suppliers and Third-Party Partners Using Audits, Test Results, and Other Forms of Evaluation 101E. Test to Make Sure Your Suppliers and Third-Party Providers Can Respond to and Recover from Service Disruption 102Summary 103Chapter Quiz 103Essential Reading for Supply Chain Risk Management 104Chapter 6 Manufacturing and Industrial Control Systems Security 105Essential Reading on Manufacturing and Industrial Control Security 110Appendix A: Helpful Advice for Small OrganizationsSeeking to Implement Some of the Book's Recommendations 111Appendix B: Critical Security Controls Version 8.0 Mapped to NIST CSF v1.1 113Answers to Chapter Quizzes 121Index 131

Cynthia Brumfield is the President of DCT Associates and a veteran media, communications, and technology analyst who is now focused on cybersecurity. Backed by executive-level experience at top-tier U.S. communications trade associations, a premier investment analysis firm, and her own successful publication and consulting businesses, she has spearheaded research, analysis, consulting, publishing, and education initiatives for major organizations, including Fortune 500 corporations, security organizations, and federal government clients. In addition, she is an award-winning writer who currently runs a pioneering cybersecurity news destination, Metacurity, and writes regularly for top news outlets, including ongoing columns for CSO Online.Brian Haugli is the Managing Partner and Founder of SideChannel. He has been driving security programs for two decades and brings a true practitioner's approach to the industry. He has led programs for the DoD, Pentagon, Intelligence Community, Fortune 500, and many others. In addition, Brian is a renowned speaker and expert on NIST guidance, threat intelligence implementations, and strategic organizational initiatives.