NIST SP 800-30
The NIST Cybersecurity Framework is popular among companies in the US. NIST has become the gold standard for assessing cybersecurity maturity, identifying security gaps, and meeting cybersecurity regulations. Using our IT risk module we are unable to implement all the steps mentioned in the framework.
NIST Publication: https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-30r1.pdf
Below are the challenges:
Risk assessment steps mentioned in the standard are not completely aligned with the product:
Our Threats and Vulnerabilities module will not support the 3 steps below. See note #1 for more information.
TASK 2-1 IDENTIFY THREAT SOURCES
TASK 2-2 IDENTIFY THREAT EVENTS
TASK 2-3 IDENTIFY VULNERABILITIES AND PREDISPOSING CONDITIONS
Using our product, we cannot implement this. Referring to “TABLE I-5: TEMPLATE – ADVERSARIAL RISK” and “TABLE I-7: TEMPLATE – NON-ADVERSARIAL RISK”, there are more than 2 factors which determine the risk, and we don't have that option. That makes it hard to implement the 3 steps below. See note #2 for more information.
TASK 2-4 DETERMINE LIKELIHOOD
TASK 2-5 DETERMINE IMPACT
TASK 2-6 DETERMINE RISK
As per the NIST 800-30 standard, threat source characteristics (refer to Appendix D) for “Adversarial” are determined by Capability, Intent and Targeting. For an ‘Accidental’ threat source it is ‘Range of Effects’. In the ITRM product every threat source/motive, threat actor and threat is based on CIA only, which does not match the standard. The methodology/standard the product is using for threat actors, motives and threats does not match the NIST standard as defined.
Using qualitative assessment, we can implement this to an extent using scoring rules and the scoring and rating method. But the limitations are:
There is no way we can include threats and vulnerabilities in the qualitative assessment. If we can allow threats and vulnerabilities as assessable items, it will work out for the IT frameworks which work on a qualitative assessment basis.
There are multiple factors to determine the risk in this methodology. Our scoring and rating method has an X- and Y-based matrix. The scoring algorithm method also would not work as it is not formula based. We do not have a conditional-formula option to try as an alternative method.
Anil, sure, we can have a call to discuss the options. That way we can discuss various options.
In the above write-up, notes #1 and #2 briefly explain the changes that we need to bring in to support NIST. We can discuss them in detail over a call.
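To make the "more than 2 factors" point in the write-up concrete, here is an added example (not the ITRM product's code and not part of the thread) that walks one Table I-5 row through Tasks 2-4 to 2-6 of SP 800-30 r1. The two lookup tables are transcribed from the standard: Table G-5 (overall likelihood from likelihood of initiation and likelihood that an initiated attack results in adverse impact) and Table I-2 (level of risk from overall likelihood and impact), with the semi-quantitative values the standard prints beside its qualitative scale. The standard leaves the likelihood of attack initiation to analyst judgment informed by Appendix D; the rule used below (the lowest of capability, intent and targeting caps it) is an assumption of this example, not something the standard prescribes. The sample threat event, source and vulnerability text are constructed for illustration.

```python
"""NIST SP 800-30 r1 adversarial risk chain (Tasks 2-4, 2-5, 2-6), added example."""
from dataclasses import dataclass

LEVELS = ("Very Low", "Low", "Moderate", "High", "Very High")

# Semi-quantitative values NIST prints next to the qualitative scale
# (e.g. Tables G-2, G-4, H-3, I-2): Very High=10, High=8, Moderate=5, Low=2, Very Low=0.
SEMI_QUANT = {"Very High": 10, "High": 8, "Moderate": 5, "Low": 2, "Very Low": 0}

# Table G-5: rows = likelihood of threat event initiation/occurrence,
# columns = likelihood the event results in adverse impacts (Very Low .. Very High).
TABLE_G5 = {
    "Very High": ("Low", "Moderate", "High", "Very High", "Very High"),
    "High":      ("Low", "Moderate", "Moderate", "High", "Very High"),
    "Moderate":  ("Low", "Low", "Moderate", "Moderate", "High"),
    "Low":       ("Very Low", "Low", "Low", "Moderate", "Moderate"),
    "Very Low":  ("Very Low", "Very Low", "Low", "Low", "Low"),
}

# Table I-2: rows = overall likelihood, columns = level of impact (Very Low .. Very High).
TABLE_I2 = {
    "Very High": ("Very Low", "Low", "Moderate", "High", "Very High"),
    "High":      ("Very Low", "Low", "Moderate", "High", "Very High"),
    "Moderate":  ("Very Low", "Low", "Moderate", "Moderate", "High"),
    "Low":       ("Very Low", "Low", "Low", "Low", "Moderate"),
    "Very Low":  ("Very Low", "Very Low", "Very Low", "Low", "Low"),
}


def _lookup(table, row, col):
    """Two-factor matrix lookup; rejects ratings outside the standard's scale."""
    if row not in LEVELS or col not in LEVELS:
        raise ValueError(f"ratings must be one of {LEVELS}: got {row!r}, {col!r}")
    return table[row][LEVELS.index(col)]


def overall_likelihood(initiation, success):
    """Task 2-4, Table G-5."""
    return _lookup(TABLE_G5, initiation, success)


def level_of_risk(overall, impact):
    """Task 2-6, Table I-2."""
    return _lookup(TABLE_I2, overall, impact)


def likelihood_of_initiation(capability, intent, targeting):
    """ASSUMED rule, not from the standard (which leaves this to analyst
    judgment informed by Appendix D): the weakest of the three Appendix D
    characteristics caps the likelihood that the adversary initiates the event."""
    return min((capability, intent, targeting), key=LEVELS.index)


@dataclass
class AdversarialRisk:
    """One row of Table I-5 (adversarial risk template); derived columns filled by assess()."""
    threat_event: str
    threat_source: str
    capability: str           # Table D-3
    intent: str               # Table D-4
    targeting: str            # Table D-5
    vulnerabilities: str      # Task 2-3 text
    severity: str             # severity/pervasiveness of the vulnerabilities
    likelihood_success: str   # likelihood an initiated attack succeeds (Table G-4)
    impact: str               # level of impact (Task 2-5, Table H-3)
    likelihood_initiation: str = ""
    overall_likelihood: str = ""
    risk: str = ""
    risk_value: int = -1

    def assess(self):
        self.likelihood_initiation = likelihood_of_initiation(self.capability, self.intent, self.targeting)
        self.overall_likelihood = overall_likelihood(self.likelihood_initiation, self.likelihood_success)
        self.risk = level_of_risk(self.overall_likelihood, self.impact)
        self.risk_value = SEMI_QUANT[self.risk]
        return self


def sample_row(targeting="Moderate"):
    """Constructed sample row (not real assessment data)."""
    return AdversarialRisk(
        threat_event="Credential phishing against finance staff",
        threat_source="Organized criminal group",
        capability="High", intent="High", targeting=targeting,
        vulnerabilities="No phishing-resistant MFA on the finance portal",
        severity="High", likelihood_success="High", impact="High",
    )


if __name__ == "__main__":
    # Same impact and same likelihood of success; only targeting changes.
    for t in ("Moderate", "Very Low"):
        r = sample_row(targeting=t).assess()
        print(f"targeting={t:9s} initiation={r.likelihood_initiation:9s} "
              f"overall={r.overall_likelihood:9s} risk={r.risk} ({r.risk_value})")
```

Running it shows why a single X/Y matrix is not enough: with impact High and likelihood of success High held constant, a Moderate targeting rating yields Moderate risk (5), while a Very Low targeting rating yields Low risk (2), because targeting feeds the initiation likelihood that is the first input of the Table G-5 lookup, whose output is in turn the first input of the Table I-2 lookup. Two chained two-factor tables (or an equivalent conditional formula) are the minimum the product would need to express this.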
Anuradha, can you please propose a solution to meeting the requirement? What are the things we can do in the product that will bring it closer to the standard? If we need to have an hour's session to brainstorm, we can do that.