Cyber GRC Ideas Portal
Status Pending Product Manager's Review
Workspace IT and Cyber Risk
Created by Guest
Created on Feb 18, 2022

Complying with the NIST 800-30 Cybersecurity Framework using the IT and cyber risk module.

NIST SP 800-30

The NIST Cybersecurity Framework is popular among companies in the US. NIST has become the gold standard for assessing cybersecurity maturity, identifying security gaps, and meeting cybersecurity regulations. Using our IT risk module, we are unable to implement all the steps mentioned in the framework.

NIST Publication: https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-30r1.pdf

Below are the challenges:

  • The risk assessment steps mentioned in the standard are not completely aligned with the product:

    • Our Threats and Vulnerabilities module will not support the three steps below. See note #1 for more information.

      • TASK 2-1 IDENTIFY THREAT SOURCES

      • TASK 2-2 IDENTIFY THREAT EVENTS

      • TASK 2-3 IDENTIFY VULNERABILITIES AND PREDISPOSING CONDITIONS

    • Using our product, we cannot implement this. Refer to “TABLE I-5: TEMPLATE – ADVERSARIAL RISK” and “TABLE I-7: TEMPLATE – NON-ADVERSARIAL RISK”: there are more than two factors which determine the risk, and we don't have that option. That makes it hard to implement the three steps below. See note #2 for more information.

      • TASK 2-4 DETERMINE LIKELIHOOD

      • TASK 2-5 DETERMINE IMPACT

      • TASK 2-6 DETERMINE RISK

  1. As per the NIST 800-30 standard, the threat source characteristics (refer to Appendix D) for “Adversarial” sources are determined by Capability, Intent and Targeting. For an ‘Accidental’ threat source it is ‘Range of Effects’. In the ITRM product, every threat source/motive, threat actor and threat is based on CIA only, which does not match the standard. The methodology/standard the product is using for threat actors, motives and threats does not match the NIST standard as defined.

  2. Using qualitative assessment, we can implement this to an extent using scoring rules and the scoring and rating method, but the limitations are:

    • There is no way we can include threats and vulnerabilities in the qualitative assessment. If we can allow threats and vulnerabilities as assessable items, it will work out for the IT frameworks which work on a qualitative assessment basis.

    • There are multiple factors that determine the risk in this methodology. Our scoring and rating method has an X- and Y-based matrix. The scoring algorithm method would not work either, as it is not formula based. We do not have a conditional formulas option to try that as an alternative method.
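The multi-factor roll-up behind Tasks 2-4 to 2-6 that note #2 says an X/Y matrix cannot reproduce, as an added example (not code from the ideas portal or the ITRM product): the two lookup tables are transcribed here from Table G-5 (overall likelihood) and Table I-2 (level of risk) of SP 800-30 r1, the dataclass fields mirror the columns of the Table I-5 adversarial template with field names chosen for this example, and the sample row is constructed. The same two tables serve the non-adversarial Table I-7 template, with "likelihood of occurrence" in place of "likelihood of initiation". `risks_hidden_by_two_axes` makes the limitation concrete: holding likelihood of initiation and impact fixed, the third factor (likelihood the attack succeeds) still moves the risk level, so no matrix keyed on two axes alone can reproduce the template.

```python
from dataclasses import dataclass

# Five-level qualitative scale used throughout the SP 800-30 r1 appendices.
LEVELS = ("Very Low", "Low", "Moderate", "High", "Very High")

# Table G-5 (transcribed): row = likelihood of threat event initiation
# (adversarial) or occurrence (non-adversarial); column index = likelihood
# that the event results in adverse impacts; cell = overall likelihood.
OVERALL_LIKELIHOOD = {
    "Very High": ("Low", "Moderate", "High", "Very High", "Very High"),
    "High":      ("Low", "Moderate", "Moderate", "High", "Very High"),
    "Moderate":  ("Low", "Low", "Moderate", "Moderate", "High"),
    "Low":       ("Very Low", "Low", "Low", "Moderate", "Moderate"),
    "Very Low":  ("Very Low", "Very Low", "Low", "Low", "Low"),
}

# Table I-2 (transcribed): row = overall likelihood; column index = level of
# impact; cell = level of risk.
LEVEL_OF_RISK = {
    "Very High": ("Very Low", "Low", "Moderate", "High", "Very High"),
    "High":      ("Very Low", "Low", "Moderate", "High", "Very High"),
    "Moderate":  ("Very Low", "Low", "Moderate", "Moderate", "High"),
    "Low":       ("Very Low", "Low", "Low", "Low", "Moderate"),
    "Very Low":  ("Very Low", "Very Low", "Very Low", "Low", "Low"),
}


def _lookup(table, row, col):
    """Reject anything outside the five-level scale rather than guess."""
    if row not in LEVELS or col not in LEVELS:
        raise ValueError(f"levels must be one of {LEVELS}, got {row!r}/{col!r}")
    return table[row][LEVELS.index(col)]


def overall_likelihood(initiation_or_occurrence, adverse_impact):
    """Task 2-4: fold the two likelihood factors into one (Table G-5)."""
    return _lookup(OVERALL_LIKELIHOOD, initiation_or_occurrence, adverse_impact)


def level_of_risk(overall, impact):
    """Task 2-6: combine overall likelihood with impact (Table I-2)."""
    return _lookup(LEVEL_OF_RISK, overall, impact)


@dataclass
class AdversarialRow:
    """One row of the Table I-5 template; field names are this example's own."""
    threat_event: str
    threat_source: str
    capability: str                  # Table D-3
    intent: str                      # Table D-4
    targeting: str                   # Table D-5
    likelihood_of_initiation: str    # Table G-2, judged from the three above
    vulnerability: str
    severity: str                    # Table F-2
    likelihood_attack_succeeds: str  # Table G-4
    impact: str                      # Table H-3

    def assess(self):
        """Return (overall likelihood, level of risk) for this row."""
        overall = overall_likelihood(self.likelihood_of_initiation,
                                     self.likelihood_attack_succeeds)
        return overall, level_of_risk(overall, self.impact)


def risks_hidden_by_two_axes(initiation, impact):
    """Risk levels reachable when initiation and impact are held fixed and
    only the likelihood of success varies. More than one element means a
    matrix keyed on those two axes alone cannot reproduce Table I-5."""
    return {level_of_risk(overall_likelihood(initiation, s), impact)
            for s in LEVELS}


# Constructed sample row, not taken from any real assessment.
SAMPLE_ROW = AdversarialRow(
    threat_event="Exploit a known vulnerability in an internet-facing service",
    threat_source="Outsider, organized crime",
    capability="High", intent="High", targeting="Moderate",
    likelihood_of_initiation="High",
    vulnerability="Unpatched service exposed to the internet",
    severity="High",
    likelihood_attack_succeeds="Moderate",
    impact="High",
)

if __name__ == "__main__":
    overall, risk = SAMPLE_ROW.assess()
    print(f"{SAMPLE_ROW.threat_event}: overall likelihood={overall}, risk={risk}")
    print("risk levels for initiation=High, impact=High as success varies:",
          sorted(risks_hidden_by_two_axes("High", "High"), key=LEVELS.index))
```

For the sample row the roll-up gives overall likelihood Moderate and risk Moderate; with initiation and impact both High, varying only the likelihood of success yields Low, Moderate or High risk, which is exactly the spread a two-axis product matrix collapses.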

  • Guest, Feb 22, 2022

    Anil, sure, we can have a call to discuss the options. That way we can discuss the various options.

    In the above write-up, #1 and #2 briefly explain the changes that we need to bring in to support NIST. We can discuss them in detail over a call.

  • Admin: Anil Gokare Krishnamurthy, Feb 22, 2022

    Anuradha, can you please propose a solution to meeting the requirement? What are the things we can do in the product that will bring it closer to the standard? If we need to have an hour's session to brainstorm, we can do that.