Note: This Case Study refers to specific OE21 surveys and tools (spreadsheets or docs). Please try the link(s) below to learn more about these surveys and tools:
OFT 6.2b Cybersecurity Assessment (survey)
6.2b Management of Information Systems
Assumption: The organization (Elafino Sports Center) has implemented the OE21 6.2b Management of Information Systems process steps, with the following results and outcomes:
The Elafino Leadership Focus Team (LFT) includes the IT Manager, a smart guy named Seymore Bitts. Mr. Bitts plays the lead role on Management of Information Systems, including:
Ensuring the reliability and availability of hardware and software used for information systems
Ensuring the security of information systems and the data they house
Protection of information and assets by limiting cyberattacks and events
Minimizing the impact on the organization from cyber attacks and events
After a serious cyber attack at the Elafino Sports Center, the IT Manager discovered that one of the key assets of the organization was compromised (probably stolen). That asset was the Elafino Prospect and Customer database, containing the following personal information of each prospect and customer (member) of the Elafino Sports Center:
Name (first and last)
Age and Gender
Services that person is considering or using (hockey, figure skating, fitness center, other)
The IT Manager discovered this when he ran the routine scan for viruses and other possible problems in the INTRANET and internal network of computers used by all Elafino managers and senior leaders. The scan indicated that some form of "malicious code" had been installed by someone. That malicious code enabled the attacker to log in to the network and download database files, including the customer and prospect lists.
When the IT Manager reported this incident to the VP of Marketing and Sales, the CEO, IT Manager, and VP Sales/Marketing quickly came to a meeting room to discuss this intrusion.
The CEO said, "How can this happen?"
The VP Sales/Marketing said, "What if our competitors get our customer and prospect lists?"
The IT Manager replied, "We need a better process for protecting our network and other management information system assets."
The CEO responded, "So what do you suggest we do?"
The IT Manager began to explain, "Well, I have been reading a document called Cybersecurity Framework."
"The U.S. National Institute of Standards and Technology publishes this document, and from what I understand, it is widely used to improve cybersecurity."
The VP Sales/Marketing pressed harder, "How do we know if our competitors have our customer and prospect information?"
The IT Manager shook his head in shame. "We have no good way to find out." With that comment, the VP Sales and Marketing remarked, "My God!" Then she promptly left the room.
The CEO glared at the IT Manager, "Mr. Bitts, I want you to get on this without delay and keep me advised on your progress. I am counting on you to make sure this does not happen again!" Then the CEO departed.
After that stressful meeting, the IT Manager rolled up his sleeves and studied the N.I.S.T Framework document. After a long read, he concluded that improving cybersecurity is an organization-wide commitment and project that would require support from all focus teams (LFT, CFT, OFT, WFT). He knew he could not do this by himself. As the IT Manager began to implement the N.I.S.T Framework, he created a deck of briefing slides for the other focus teams. His briefing had to be informative, understandable, and useful.
Fortunately, the OE Guideline 6.2b Management of Information Systems provided the IT Manager with a process that began with a briefing of N.I.S.T Framework Table 1 Function and Category Unique Identifiers, shown below:
Table 1 shows the five Unique Identifiers and Functions:
ID - Identify
PR - Protect
DE - Detect
RS - Respond
RC - Recover
The 22 Category Unique Identifiers in Table 1 are used to create OE21 assessment questions. These questions allow for ratings (1-5) and narrative comments, as shown in Figure 6.2b-3 below.
Figure 6.2b-3 - Example of OE21 Question for Category PR.PT
In Figure 6.2b-3, the question shown is from the Framework function PR (Protect), category PR.PT (Protective Technology). The question asks:
"To what extent are technical security solutions managed to ensure the security and resilience of systems and assets, consistent with related policies, procedures, agreements?"
As Figure 6.2b-3 shows, the IT Manager rated this question a "1" which means to a very low extent or not at all. The IT Manager filled in the narrative blocks in this Figure and the narrative indicates that nothing is in place for technical security solutions management, and an Action Plan is necessary.
The IT Manager used this example to brief the other focus teams. At the online briefing, all focus teams joined remotely and used an online live collaboration tool to conduct this interactive meeting. The IT Manager introduced all 22 questions in the OE21 Cybersecurity Assessment spreadsheet tool.
The next step was to select individuals with the best experience and knowledge to assist the IT Manager in rating each of the 22 questions, and creating the narrative analysis and action plans for each question. This process involved five 45-minute online meetings:
Meeting 1 - ID (Identify) 5 questions
Meeting 2 - PR (Protect) 6 questions
Meeting 3 - DE (Detect) 3 questions
Meeting 4 - RS (Respond) 5 questions
Meeting 5 - RC (Recover) 3 questions
The 22 questions in the OE21 Assessment are as follows:
1. Asset Management (ID.AM): To what extent are the data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes identified and managed consistent with their relative importance to business objectives and the organization’s risk strategy?
2. Business Environment (ID.BE): To what extent are the organization’s mission, objectives, stakeholders, and activities understood and prioritized, and is this information used to inform cybersecurity roles, responsibilities, and risk management decisions?
3. Governance (ID.GV): To what extent are the policies, procedures, and processes to manage and monitor the organization’s regulatory, legal, risk, environmental, and operational requirements understood and used to inform the management of cybersecurity risk?
4. Risk Assessment (ID.RA): To what extent does the organization understand the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals?
5. Risk Management Strategy (ID.RM): To what extent are the organization’s priorities, constraints, risk tolerances, and assumptions established and used to support operational risk decisions?
6. Access Control (PR.AC): To what extent is access to assets and associated facilities limited to authorized users, processes, or devices, and to authorized activities and transactions?
7. Awareness and Training (PR.AT): To what extent are the organization’s personnel and partners provided with cybersecurity awareness education and are adequately trained to perform their information security-related duties and responsibilities consistent with related policies, procedures, and agreements?
8. Data Security (PR.DS): To what extent are information and records (data) managed consistent with the organization’s risk strategy to protect the confidentiality, integrity, and availability of information?
9. Information Protection Processes and Procedures (PR.IP): To what extent are security policies (that address purpose, scope, roles, responsibilities, management commitment, and coordination among organizational entities), processes, and procedures maintained and used to manage the protection of information systems and assets?
10. Maintenance (PR.MA): To what extent are maintenance and repairs of industrial control and information system components performed consistent with policies and procedures?
11. Protective Technology (PR.PT): To what extent are technical security solutions managed to ensure the security and resilience of systems and assets, consistent with related policies, procedures, and agreements?
12. Anomalies and Events (DE.AE): To what extent is anomalous activity detected in a timely manner and the potential impact of events understood?
13. Security Continuous Monitoring (DE.CM): To what extent are the information system and assets monitored at discrete intervals to identify cybersecurity events and verify the effectiveness of protective measures?
14. Detection Processes (DE.DP): To what extent are detection processes and procedures maintained and tested to ensure timely and adequate awareness of anomalous events?
15. Response Planning (RS.RP): To what extent are response processes and procedures executed and maintained, to ensure timely response to detected cybersecurity events?
16. Communications (RS.CO): To what extent are response activities coordinated with internal and external stakeholders, as appropriate, to include external support from law enforcement agencies?
17. Analysis (RS.AN): To what extent is analysis conducted to ensure adequate response and support recovery activities?
18. Mitigation (RS.MI): To what extent are activities performed to prevent expansion of an event, mitigate its effects, and eradicate the incident?
19. Improvements (RS.IM): To what extent are organizational response activities improved by incorporating lessons learned from current and previous detection/response activities?
20. Recovery Planning (RC.RP): To what extent are recovery processes and procedures executed and maintained to ensure timely restoration of systems or assets affected by cybersecurity events?
21. Improvements (RC.IM): To what extent are recovery planning and processes improved by incorporating lessons learned into future activities?
22. Communications (RC.CO): To what extent are restoration activities coordinated with internal and external parties, such as coordinating centers, Internet Service Providers, owners of attacking systems, victims, other Computer Security Incident Response Teams (CIRTs), and vendors?
After the five meetings, the IT Manager had a fully populated OE21 Cybersecurity Assessment spreadsheet file. At that point the IT Manager could see the Dashboard in Figure 6.2b-4.
Figure 6.2b-4 OE21 Cybersecurity Assessment Dashboard
The OE21 Cybersecurity Assessment Dashboard indicated that the category scores were:
IDENTIFY (ID) - 46%
PROTECT (PR) - 43.3%
DETECT (DE) - 20%
RESPOND (RS) - 27.6%
RECOVER (RC) - 28.7%
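As an added example (not part of the OE21 tool or this case study), the following Python rolls the 22 category ratings up into the five Function scores shown on the dashboard, rejects incomplete or out-of-range ratings, and lists the categories rated "1" that the case study says need an Action Plan. The page does not state the dashboard's formula, so the percentage here is an assumption (mean rating / 5 × 100), and the ratings are constructed sample values, not Elafino's.

```python
"""Roll-up of OE21 Cybersecurity Assessment ratings into NIST CSF Function
scores. Assumed formula: percent = mean rating / 5 * 100 (the case study
does not give the dashboard's actual formula). Sample ratings are constructed."""

# The 22 Category Unique Identifiers from the assessment, grouped by Function.
FUNCTIONS = {
    "ID": ["ID.AM", "ID.BE", "ID.GV", "ID.RA", "ID.RM"],
    "PR": ["PR.AC", "PR.AT", "PR.DS", "PR.IP", "PR.MA", "PR.PT"],
    "DE": ["DE.AE", "DE.CM", "DE.DP"],
    "RS": ["RS.RP", "RS.CO", "RS.AN", "RS.MI", "RS.IM"],
    "RC": ["RC.RP", "RC.IM", "RC.CO"],
}
MIN_RATING, MAX_RATING = 1, 5  # 1 = very low extent / not at all

def validate(ratings):
    """Every category must be rated exactly once, with an integer in 1..5."""
    expected = {c for cats in FUNCTIONS.values() for c in cats}
    missing, unknown = expected - ratings.keys(), ratings.keys() - expected
    if missing or unknown:
        raise ValueError(f"missing={sorted(missing)} unknown={sorted(unknown)}")
    for cat, r in ratings.items():
        if not isinstance(r, int) or not MIN_RATING <= r <= MAX_RATING:
            raise ValueError(f"{cat}: rating {r!r} outside {MIN_RATING}..{MAX_RATING}")

def function_scores(ratings):
    """Return {function: percent}, rounded to one decimal (assumed formula)."""
    validate(ratings)
    return {
        fn: round(sum(ratings[c] for c in cats) / (len(cats) * MAX_RATING) * 100, 1)
        for fn, cats in FUNCTIONS.items()
    }

def needs_action_plan(ratings):
    """Categories rated 1, which the case study says require an Action Plan."""
    return sorted(c for c, r in ratings.items() if r == MIN_RATING)

def weakest_function(ratings):
    """Function with the lowest score, i.e. where to focus first."""
    scores = function_scores(ratings)
    return min(scores, key=scores.get)

# Constructed sample ratings (hypothetical, not the Elafino figures).
SAMPLE = {"ID.AM": 3, "ID.BE": 2, "ID.GV": 2, "ID.RA": 3, "ID.RM": 2,
          "PR.AC": 3, "PR.AT": 2, "PR.DS": 2, "PR.IP": 2, "PR.MA": 3, "PR.PT": 1,
          "DE.AE": 1, "DE.CM": 1, "DE.DP": 1,
          "RS.RP": 2, "RS.CO": 1, "RS.AN": 1, "RS.MI": 2, "RS.IM": 1,
          "RC.RP": 2, "RC.IM": 1, "RC.CO": 1}

if __name__ == "__main__":
    print(function_scores(SAMPLE), "weakest:", weakest_function(SAMPLE))
    print("Action plans needed:", needs_action_plan(SAMPLE))
```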
The IT Manager set up and conducted a 30-minute online meeting attended by all focus teams (LFT, CFT, OFT, WFT) and briefed them on the results of the OE21 Cybersecurity Assessment. With the help of the CEO, the IT Manager secured the commitment of all those involved to the Action Plans documented in the assessment's 22 question spreadsheet tabs.
The CEO (chair of the LFT) announced, "The action plans in this Cybersecurity Assessment are critical to the survival of the Elafino Sports Center."
The CEO continued, "The high-level actions in this assessment must be input into the Leadership Excellence Action Plan, which is part of the Elafino Strategic Action Plan, and I want to see Trend Charts showing the of these actions in our monthly Performance Review meetings."
The IT Manager added his final point, "My job is to study and interpret the many references associated with the N.I.S.T. Framework for Cybersecurity, and I will provide technical leadership as needed to get the most from this effort, and thank you all for your help."
After that, the Elafino Sports Center began their deep-dive into putting in place a comprehensive and effective cybersecurity system that the organization will count on for the long term.
Update Operations Excellence Action Plan - The Elafino OFT updated the Operations Excellence Action Plan to include additional projects, tasks, or other information necessary to meet the requirements and criteria specified in this OE21 Guideline and the N.I.S.T Cybersecurity Framework.
The Leadership Focus Team (LFT) reviewed and approved these changes to the Operations Excellence Action Plan, and used these outputs to update the Strategy Plan.
Input Cybersecurity Metrics into Performance Measurement System (PMS) - The Elafino OFT used the OE21 PMS Operations Excellence Metrics tables and Trend Charts to select and track appropriate measures for Security and Cybersecurity, including:
Number of Cyberattacks per Month
Cycle time from cyber attack until recovery of information systems and data
On a quarterly basis, the OFT used the PMS to monitor trends in cybersecurity initiatives versus goals. The Elafino OFT continued to take appropriate action to drive measures towards their goals. When goals were met, the OFT raised the goals higher, as appropriate.
Figure 6.2b-3 is the Elafino Trend Chart and Action Plan for Cyber Attack Recovery.
Figure 6.2b-3 Trend Chart and Action Plan for Cyber Attack Recovery (example)
The Elafino LFT (IT Manager) published the 6.2a Process Efficiency and Effectiveness output results on the Elafino INTRANET, and notified all focus teams and managers of these updates.