Networking All-in-One For Dummies. Doug Lowe
Framework Implementation Tiers: This section describes four distinct tiers that represent an increasing level of sophistication in cybersecurity practices. As an organization invests more in cybersecurity, it moves up through the tier levels.
Framework Profile: This section discusses the use of profiles to indicate which specific outcomes in the Framework Core are implemented. You can create a current profile, which documents the current cybersecurity practices at your organization, and then create a target profile to represent where you’d like to be. Then you can devise a plan to move from the current profile to the target profile.
Each of the five functions of the Framework Core (listed earlier) is divided into several categories, which are in turn divided into subcategories. A simple numbering scheme is used to track the functions, categories, and subcategories. For example, the Identify function is designated by the identifier ID. Its first category is Asset Management, which is designated by ID.AM. The first subcategory under Asset Management is “Physical devices and systems within the organization are inventoried,” and it’s designated ID.AM-1.
Table 4-1 lists the five functions along with each function’s categories and the identifier for each category.
TABLE 4-1 The Functions and Categories of the NIST Framework Core
Function | Category | Identifier |
---|---|---|
Identify | Asset Management | ID.AM |
Identify | Business Environment | ID.BE |
Identify | Governance | ID.GV |
Identify | Risk Assessment | ID.RA |
Identify | Risk Management Strategy | ID.RM |
Identify | Supply Chain Risk Management | ID.SC |
Protect | Identity Management and Access Control | PR.AC |
Protect | Awareness and Training | PR.AT |
Protect | Data Security | PR.DS |
Protect | Information Protection Processes and Procedures | PR.IP |
Protect | Maintenance | PR.MA |
Protect | Protective Technology | PR.PT |
Detect | Anomalies and Events | DE.AE |
Detect | Security Continuous Monitoring | DE.CM |
Detect | Detection Processes | DE.DP |
Respond | Response Planning | RS.RP |
Respond | Communications | RS.CO |
Respond | Analysis | RS.AN |
Respond | Mitigation | RS.MI |
Respond | Improvements | RS.IM |
Recover | Recovery Planning | RC.RP |
Recover | Improvements | RC.IM |
Recover | Communications | RC.CO |
In all, there are 23 categories across the five functions. Each category is broken down into 2 to 12 subcategories, for a total of 106 subcategories.
The Framework doesn’t prescribe specific solutions for each of the 106 subcategories; it merely states the outcome to be achieved by each subcategory and invites you to design a solution that produces the desired outcome.
For example, the first subcategory of Asset Management (ID.AM-1) is as follows:
Physical devices and systems within the organization are inventoried.
There are many ways to accomplish this goal. If your organization is small, you may just keep track of all your computer and network devices in a simple Microsoft Excel spreadsheet. If your organization is larger, you may utilize software that automatically scans your network to create a catalog of all attached devices, and you may want to use inventory tags with barcodes so you can track hardware assets. But one way or another, keeping an inventory of all your physical devices and systems is a vital element of cybersecurity.
Although the Framework doesn’t prescribe specific solutions, it does offer a set of links to other cybersecurity frameworks, which it calls Informative References. For example, ID.AM-1 includes references to related information found in the CIS Controls, COBIT controls, ISA/IEC standards, and other NIST standards. You can cross-reference these Informative References to gain additional insight into each of the subcategories.
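The numbering scheme and the current/target profiles described above can be put to work in a few lines of Python. This is an added example, not code from the book: it parses identifiers such as ID.AM-1 against Table 4-1 and lists the target-profile outcomes missing from the current profile. The function names and the two sample profiles are constructed for illustration, and the 1-to-12 range check relies on the subcategory counts stated in the text.

```python
import re
from collections import defaultdict

# Function and category codes as listed in Table 4-1.
TABLE_4_1 = {
    "ID": ("Identify", {"AM": "Asset Management", "BE": "Business Environment",
                        "GV": "Governance", "RA": "Risk Assessment",
                        "RM": "Risk Management Strategy",
                        "SC": "Supply Chain Risk Management"}),
    "PR": ("Protect", {"AC": "Identity Management and Access Control",
                       "AT": "Awareness and Training", "DS": "Data Security",
                       "IP": "Information Protection Processes and Procedures",
                       "MA": "Maintenance", "PT": "Protective Technology"}),
    "DE": ("Detect", {"AE": "Anomalies and Events",
                      "CM": "Security Continuous Monitoring",
                      "DP": "Detection Processes"}),
    "RS": ("Respond", {"RP": "Response Planning", "CO": "Communications",
                       "AN": "Analysis", "MI": "Mitigation", "IM": "Improvements"}),
    "RC": ("Recover", {"RP": "Recovery Planning", "IM": "Improvements",
                       "CO": "Communications"}),
}
ID_RE = re.compile(r"^([A-Z]{2})\.([A-Z]{2})-(\d{1,2})$")

def parse_subcategory(identifier):
    """Split e.g. 'ID.AM-1' into (function, category, number) or raise ValueError."""
    m = ID_RE.match(identifier.strip().upper())
    if not m:
        raise ValueError(f"malformed identifier: {identifier!r}")
    func, cat, num = m.group(1), m.group(2), int(m.group(3))
    if func not in TABLE_4_1 or cat not in TABLE_4_1[func][1]:
        raise ValueError(f"not a Table 4-1 function/category: {identifier!r}")
    if not 1 <= num <= 12:  # the text gives at most 12 subcategories per category
        raise ValueError(f"subcategory number out of range: {identifier!r}")
    return TABLE_4_1[func][0], TABLE_4_1[func][1][cat], num

def profile_gap(current, target):
    """Return {function: [identifiers]} for outcomes in target but not in current."""
    done = {i.strip().upper() for i in current}
    for ident in done:
        parse_subcategory(ident)  # reject typos in the current profile too
    gap = defaultdict(list)
    missing = {i.strip().upper() for i in target} - done
    for ident in sorted(missing, key=parse_subcategory):
        gap[parse_subcategory(ident)[0]].append(ident)
    return dict(gap)

# Constructed sample profiles, not taken from any real organization.
CURRENT_PROFILE = ["ID.AM-1", "ID.AM-2", "PR.AC-1", "DE.CM-1"]
TARGET_PROFILE = ["ID.AM-1", "ID.AM-2", "ID.RA-1", "PR.AC-1",
                  "PR.DS-1", "PR.DS-2", "DE.CM-1", "RS.RP-1"]
```

Calling `profile_gap(CURRENT_PROFILE, TARGET_PROFILE)` yields the work list for the plan that moves the organization from its current profile to its target profile, grouped by function.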
Chapter 5
Servers and Virtualization
IN THIS CHAPTER
Learning what network operating systems do
Examining what makes a good server
Looking at the different packaging options for servers
Taking a quick look at virtualization
Servers are the lifeblood of any network. They provide the shared resources that network users crave, such as file storage, databases, email, web services, and so on. Choosing which servers your network needs and selecting the type of equipment you use