Uruguay is one of the most developed countries in the region in terms of e-government, e-commerce and use of ICT. The high rate of ICT penetration across all realms of society not only increases the potential for vulnerabilities and incidents but also expands the attack surface.
Like reputational and financial risks, cyber security risks affect an organization’s bottom line. Beyond financial risk, government assets serve wider public objectives. Some of this infrastructure falls into the Critical Information Infrastructure category. Critical Information Infrastructures (CII) are systems and assets, whether physical or virtual, so vital that their incapacity or destruction would have a debilitating impact on the economy, public health, security and safety of the nation.
Uruguay’s Agency for Electronic Government and Information Society and Knowledge (AGESIC) has released a cyber security framework, adapted from the US NIST Cybersecurity Framework. The framework is quite versatile and has also been adopted by other organizations in the public and private spheres.
The framework is applicable to IT, Industrial Control Systems (ICS), Cyber-Physical Systems (CPS) and the Internet of Things (IoT). It also includes a methodology for protecting individual privacy and civil liberties when CIIs conduct cyber security activities.
“The Cybersecurity Framework can help an organization plan its cybersecurity risk management strategy and develop it over time based on its activity, size, and other distinctive features and specific elements.
It is not a static document, but will be modified according to technological changes, the evolution of threats and changes in risk management techniques.”
NIST Cyber Security Framework Components
There are 3 components to the cyber security framework:
1. Framework Core
The Framework Core is a set of industry standards, guidelines and practices that capture cyber security activities and outcomes across the organization. It consists of 5 concurrent and continuous Functions, which are broken down into Categories, Subcategories and References.
The next level is Categories, 23 in all, split across the 5 Functions. The categories cover the breadth of the organization, with topics ranging across cyber, physical and personnel matters, and a focus on business outcomes.
Then there are Subcategories, 108 in all, split across the 23 categories. These are outcome-driven statements that do not mandate how an organization should achieve the outcomes.
The References point to guidance for technical implementation, whereas the framework itself is more general.
2. Implementation Tiers
Tiers define how an organization views risk and what processes it puts in place to manage it. An organization’s tier is determined by its characteristics in 3 areas: Risk Management Process, Integrated Risk Management Program and External Participation.
Risk management is the ongoing process of identifying, assessing and responding to risks. To manage a risk, an organization needs to understand two things:
- Likelihood of risk
- Resulting impact
Once it has assessed its risk tolerance, the organization can decide how to handle each risk: mitigate it, transfer it or accept it. Commonly referenced guidelines and standards for risk management are ISO 31000, ISO 27005 and NIST Special Publication (SP) 800-39.
There are 4 tiers in the framework. Each tier is characterised along the 3 areas named above: Risk Management Process, Integrated Risk Management Program and External Participation.
Tier – 1 (Partial)
Risk Management Process:
- Informal, ad hoc
- Not linked to the threat environment or business objectives
Integrated Risk Management Program:
- Limited awareness of cyber risks
- Risk management implemented on a case-by-case basis
- May not have processes to share cyber security information internally
External Participation:
- No collaboration or exchange of information with other entities
Tier – 2 (Risk Informed)
Risk Management Process:
- Approved by management but not implemented organization-wide
- Is linked to the threat environment and business objectives
Integrated Risk Management Program:
- Awareness of cyber risks at organization level
- Organization-wide risk management approach not established
- Cyber risk assessment of assets occurs but is not a regular process
- Cyber security information is shared on an irregular basis
External Participation:
- Organization collaborates with and receives information from other entities
- Organization is aware of risks in its supply chain but takes no formal action against those risks
Tier – 3 (Repeatable)
Risk Management Process:
- Formally approved and expressed as policy
- Cyber security practices are updated based on the application of risk management processes to the business environment and threat perception
Integrated Risk Management Program:
- Processes are defined, implemented and reviewed
- Regular communication on risk-informed policies
External Participation:
- Organization collaborates with, receives information from and shares information with outside entities
- Organization formally acts against the risks
Tier – 4 (Adaptable)
Risk Management Process:
- Continuous improvement incorporating advanced technology
- Responds to a sophisticated and changing cyber security landscape
- Can adapt based on past and present cyber security activities
Integrated Risk Management Program:
- Organization-wide approach to cyber security risk management
- Processes and procedures in place to treat potential cyber security events
- Cyber risks treated the same as financial risks
External Participation:
- Organization collaborates with, analyses, receives, generates and shares information with outside and internal entities
Tiers do not represent maturity levels. It is left to the organization to determine the tier it wants to reach in order to meet its goals.
3. Framework Profiles
While the Framework Core defines the “Target” profile, an organization, based on its objectives, risk appetite and resources, will have its own existing cyber security posture, commonly called the “Current” profile. Profiles are about optimizing the use of the cyber security framework while factoring in business needs.