hey hi everyone welcome to another interested webinar of Ministry of security so I'm thean and I would be the speaker for today's session so I coach and Mentor infosec professionals on ISU 2701 and I've been helping organizations with multiple infosec standards and audits so that's about me I'm all excited and I know you guys have been waiting for a webinar for a very long time so without wasting time let's get started with the most anticipated webinar the N CSF 2.0 implementation in today's webinar we would be first understanding the introduction or overview to the N CSF standard then we'll understand what is the structure of the N CSF standard then we'll Deep dive into the requirements and understand the CSF core the organizational profiles the CSF tires and at last we will focus on understanding how to implement and what are the best practices for the requirements that are specified in the N CSF core at first we have the introduction overview of n CSF so the N CSF is a voluntary framework de developed by nist to help organizations manage and reduce cyber security risks so the it provides a common language for cyber security risks man risk management and serves as a flexib uh serves as a flexible adaptable and cost-effective approach to improving the cyber security posture so the nist CSF framework is a framework that is developed to help any organization regardless of the service line so so the N CSF is applicable to any government entity to any Financial organization or Insurance Company Healthcare sector educational institutes and also even NOS so the N psf basically provides the requirements of what needs to be done but it is left to the organizations to decide how they are achieving or complying to the requirements but if you ask me ask me a question that implementation and the use of n CSF would it be same across all these various organizations and various sectors the answer would be no because each of these organizations and each of these sector have their 
own Vision they have their own mission they have their own objectives and strategies so the organizations have to customize and implement the requirements based on their needs and requirements so that was a brief overview of the N CSF standard so let's understand what are the outcomes or what are the advantages of having n CSF framework or if you implement n CSF framework in your organization so at first n CSF ensures that we have a improved cyber security posture then it helps us to enhance the risk management Pro the the risk management process within the organization and also a better communication within the organization so by following the N CSF the organization can enhance their ability to prevent detect and respond and recover from cyber security incidents so that's how the cyber security posture would be improved or enhanced and the framework also helps the organization to align their cyber security efforts with the overall risk management strategy ensuring a more holistic approach to cyber security thereby helping the organizations with the enhanced risk management process and lastly the framework also provides a Common Language for communicating the cyber security risks and helps us helps the organization to prioritize the processes across all levels of the organizations in order to ensure that the organization is meeting the cyber security goals and objectives coming at let's understand the overview of the N CSF framework so at first let us understand what is the structure of the framework so the framework has three components the framework core the profiles and the CSF tires so the framework core provides a set of cyber security activities or outcomes that helps the organization to manage the cyber security risks and coming at the cyber security profiles so these are mechanisms for describing the or organization's current cyber security posture or a future cyber security posture with regards to the outcomes of the CSF framework or the free in in to be 
precise the framework code and lastly the CSF tires can be applied to the organizational profiles to characterize Define and understand the current level of an organization cyber security risk governance and management processes or practices so moving ahead let's understand what what does the framework core consists of so the framework core consists of three sections first the functions these functions these functions can be used by any organizations right so the requirements as we discussed earlier can be used by any organization so these functions are nothing but the high level outcomes of the framework so these outcomes are the functions are categorized into various categories and they are further divided into subcategories so that's how we get or that's how we have the framework defined so let us understand the framework core in depth so we have six functions so we have governance the identify protect detect respond and recover so let us understand each of these uh framework course on a brief so the Govern function of the N CSF it's all about setting up the rules and and expectations for the cyber security within an organization so it includes making sure everybody understand what needs to be done to manage cyber security risks effectively it involves creating policies assigning roles and responsibilities overseeing the cyber security strategy so essentially it's about laying down the groundwork to make sure cyber security is integrated into the organization's overall risk management strategy next we have the ident function so this is all about ensuring that the organization is aware about the cyber security risks that the organization has that means if we if the organization needs to understand what the risks it has it should have a thorough understanding of all its assets the data the information the applications that that the organization use and also the service providers and its employees so by identifying these risks the organ organization can prioritize 
where to focus the cyber security efforts additionally this functions helps us to spot areas where we can improve our policies plans processes procedures Etc coming to the protect function so this function is G this function emphasized on putting the safeguards in place in order to manage the cyber security risks within the organizations so once we've identified all our assets and risks the protect function helps us to secure those assets in order to reduce the chances of cyber attacks so this includes measures like managing identities controlling access to systems providing awareness and training to employees securing the data and ensuring that we have a resilient technological infrastructure next we have the detect function so the the detect function is focus the detect function focuses on spot ing the possible cyber security attacks or compromises within the organization so it helps us to find and analiz any unusual activities or signs of a Cyber attack promptly so by attemp by detecting these anomalies early so we can respond quickly and effectively in order to minimize the impact of any potential incidents then we have the respond function so this predominantly focuses on how to care to the cyber security incidents that were detected so it's all about containing the effects of of the incident in order to minimize the damage of the impact so this includes managing the incident analyzing its impact mitigating its effects and communicating about it internally and exter externally and finally we have the recover function which focuses on restoring the assets or the operations that were affected by the incidents so the goal is to minimize the impact of the incident and ensure that normal operations resume smoothly so it's it's all about bouncing back from a cyber security incident as quickly and efficiently possible so this was a brief overview of all the six functions that we have under the framework core so we'll Deep dive into all the requirements and sub 
requirements in the upcoming slides but at now we'll understand the organizational profiles Okay so the CSF organizational profile profiles describe the organization's current or the target cyber security posture in terms of the core outcomes so the CSF organizational profile is a tool in order to understand and communicate the organization cyber security posture so we have three profiles that is a current profile the target profile and the community profile so the current profile shows what outcomes the organization is currently meeting and how well they are being achieved so a Target profile outlines the desired outcomes the organization aim to achieve in the future that is what is their target State and newly a community profiles have been launched these profiles help organizations prioritize actions and communicate their cyber security status to the stakeholders so these Community profile acts as a shared Baseline of the CSF outcomes for a specific sector or use say for example if the We There are profiles available for financial sectors there are profiles available for insurance domain profiles available for it sectors so these profiles focuses on a particular sector or a particular domain now let us understand how can we actually plan or what are the steps for creating a profile in the organization so the first step is to scope the organizational profile so when scoping the organizational profile we are essentially outlining what aspects of our organization cyber security posture the profile will cover so this includes defining the high level facts and assumptions that will guide the creation of the profile for example a profile could address an entire organization or be scope to a organization's Financial systems or a organization's it systems right so we can scope out on what systems or on what processes are we trying to develop a profile and once the scope is done we need to gather information in order to profile in order to prepare this organization 
profile for example we may include uh information with regards to what are the policies that are present in the organization what are what are the risk management priorities what are the resources that are available in the organization what is the importance given to the risk management as the organization completed a business impact analysis what is its cyber security objectives what are the requirements what are the other standards and Frameworks followed by the organizations what are the tools that are used in order to manage cyber security within the organization so these are the these are the information which you would predominantly gather so that we can use this data in creating the profile and then the third step is actually creating the profile itself so firstly we identify the CSF outcomes that are relevant to the organization cyber security goals and challenges right then we document the needed information for each outcome such as what are the policies that we have what are the risk management priorities that the organization have so whatever information we collected right we would be documenting that in the profile and once we documented we conduct something called as an Gap analysis that is in order to bridge the gap between the current state and the target State we'll have to identify what is the gap that we need to mitigate in order to reach to the current state compared to where we stand actually and lastly we develop an action plan in order to remediate or mitigate the gaps that we have identified so that we can move ahead in achieving the target compliance state or we would be achieving the target profile so the the these are the five simple steps that any organization can use in order to create a organizational profile now let's understand what are the CSF tires okay so these uh so the CSF tires are a means which will help us to categorize the rigor of an organization's cyber security RIS governance and management practices so once we develop an 
organizational profile right so we can use this tires in order to identify what is the maturity level say is it on a state one that is partial is it on a state two that is risk informed is it on a state three repeatable and it is on a state four that is adaptive the one being the lowest State and four being the highest value so however this this CSF framework states that CSF tires are not directly linked to the maturity level so we can use these CSF tires in order to give a certain valuation on the current state of the cyber security posture so say as per uh as per the tires implementation we got to know our current state is only one so the organization can plan to achieve the state two or three in the next future probably say in the next 6 months or the next one year so that can be their target state so that they can say we have have we have improved from Tire one to Tire three that's how we've been progressing the CSF or the infos posture within the organization so that's where CSF tires help us now let us understand the CSF core we'll understand what are the requirements what are the sub requirements and we'll understand what the best best practices for these requirements so at first we have the Govern function so as this disced earlier earlier govern function is all about setting up the rules and expectations for cyber security within your organization so this includes uh making sure that everybody understand what needs to be done in order to manage cyber security risks effectively so at first we have the organizational context so as part of the governance we need to identify the organization's vision mission what are their goals and objectives with regards to information security we also need to identify who are the internal and external stakeholders and what are their needs and expectations with respect to information security within the organization we also should emphasize on identifying and complying to all the legal and regulatory requirements that are 
applicable to the organization and the services that we are delivering to the customers so we should also identify what the infosec objectives of the organization and these objectives should be in line with the business objectives so that the information security will always be an enabler to your organization not a restriction so all these objectives should also be communicated to all the relevant internal and external stakeholders as necessary next we have the risk management strategy so this requirement emphasiz on the Enterprise risk management procam program we need to Define and develop an information security risk management program that actually covers the objectives of the ERM that is the Enterprise risk management we also need to identify the acceptable values of risk that is our risk appetite and the acceptable deviations from this risk appetite that is our risk tolerance we also have to clearly identify and Define what is the methodology or the process that we are using in order to manage risks with within the organization and this risk management methodology should be communicated to all the relevant stakeholders and also as part of the risk management program we also need to emphasize on identifying all possible opportunities for improving the information security posture within the organization next we have the roles responsibilities and authorities so responsibility refers to the obligation to per perform a particular task or comply with a rule and accountability refers to answerability for a particular outcome or a task and Authority is the empowerment or what is the privilege that an individual possesses right so we have to ensure that the top management is taking the responsibility for developing a secure culture within the organization we need to identify all the roles responsibilities and authorities with regards to information security within the organization and the top management should also ensure that it is providing with the all the 
necessary resources in terms of people process technology Monitor and time for establishing maintaining and improving the information security within the organization next we have uh the cyber security policy or the information security policy so the cyber security policy must be established within the organization and this should be in line with the organization's vision mission strategy so the policy should be regularly reviewed and updated in order to ensure that it is in line with the organization requirements and this policy should also include all the requirements with regards to information security and also it should address all the legal and regulatory requirements and any contractual requirements that the organization has agreed upon so this information security policy or the cyber security policy would be the backbone or the basement or the foundation for the information security program within the organization next we have the oversight So based on the results of the risk management or the risk assessment or the outcomes of the of our Enterprise risk management program we need to assess how well the Enterprise risk management has helped us in order to achieve these infosec objectives and if required we need to modify the risk management strategy so that it is it better suits the organization's needs and needs so we also need to develop the kpi metrics in order to Monitor and measure the performance of Enterprise risk management within the organization at last we have the cyber security supply chain risk management so all the risks pertaining to supply chain is emphasized on are focused or addressed here at first we need to identify these risks but pertaining to the organization's supply chain and who within the organization is responsible to address and manage these supply chain risks so the supply chain risks risk management should not be considered as a separate program however it needs to be integrated with the existing organizations Enterprise risk 
management program we need to identify the suppliers and prioritize them based on the critical of the data and the services that they're offering to the organization so these supply chain risks can be effectively managed by conducting a proper due diligence or risk assessments on the suppliers and the services that the organization would be receiving from them and all the information security obligations of both the organization and the supplier should be mentioned in the contract so that it is clearly mentioned as to which entity is responsible for what processes of the information security management and the supplier contracts should also include the process for managing incidents pertaining to the services that are obtained from the supplier so at next we have the identify function so the identify function is all about knowing what are the risks that your organ organization faces so that means we have to understand the organization's process what kind of information the organization has what are the various assets what are the various applications how the data flows and we also should have a understanding of the various roles within the organizations the business units as well as the suppliers so at first we have the asset management so this requirement predominantly focuses on the entire asset life cycle management starting from procuring the assets using the assets and finally disposing these assets so at first we should have a hardware or a software asset inventory where in which this inventory will have all the list of all the hardware and software that the organization has what is the location of the hardware who is the owner who is the custodian for this particular asset what is the valuation for the asset and what is the classification for the asset and each asset should be tagged to a relevant asset owner right and we should also have the network data flows that is the data flow diagram within the organization in order to understand how the data is 
entering or what is happening to the data in a particular process how the data is entering what is happening to the data where it is being stored where it is being sent so the complete life cycle of data should be captured we should also have an inventory which has list of all the services and all the suppliers that the organization is having and finally we should also have an asset classification process in place so predominantly this asset classification is done based on the sensitivity sensitivity and the criticality of the asset so the very common classifications include top secret restricted internal public Etc so these these classification levels helps us to identify what sorts of information security controls or what levels of controls should be implemented on these assets and the data next we have the risk assessment so here we understand how the risk assessment should actually be conducted in the organization so risk has two components one is a vulnerability and the other component is a threat so vulner vulnerability are the gaps or the defects or the loopholes within the assets or a process and we need to identify these vulnerabilities as part of the risk assessment as well next we have the threats so threats are nothing but anything that has a potential to cause harm to our assets or processes now risk is nothing but any event where a threat successfully exploits a vulnerability causing a negative impact so so the extent of the impact and the probability of occurrence of a risk needs to be identified and used for calculating the risk levels that is nothing but analysis of the risk where in which we give a certain value to a risk by understanding what is the impact and what is the probability of the occurrence of this risk So based on this we we will have to prioritize these risks for risk treatment and the other sources for identifying risks are from our cyber security threat intelligence feeds the vulnerability assessment programs that we conduct and 
any changes in the processes within the organization we could also ensure that we are using only authorized hardware and softwares within the organizations and we are also properly categorizing the suppliers and Performing proper due diligence on these suppliers before taking their services so that we are managing the risks effectively then we have the Improvement function so information security and risk management should always be an ongoing activity within the organization so in order to ensure that we are continually improving the security posture there there so we have to ensure that we are continually improving the security posture posture so thereby increasing the maturity levels within the organization so we need to identify all the Poss processes and operations for improvement so we can conduct periodic security assessments periodic audits or periodic assessments on the organization process in order to ensure that we are continually improving the infosec posture within the organization next we have the protect function so the protect function predominantly focuses on or emphasize on setting up or putting controls or safeguards in place in order to manage cyber security risks effectively within the organization so at first we have the identity management authentication and access control so this function predominantly focuses on your identity identity and access management life cycle so starting from giving a unique IDs to your employees so these unique IDs can be in terms of an employee ID a unique mail ID a salary code or a unique employee reference number so we have to ensure each individual within the organization it might be employee a contractor or a third party every individual should have a unique identification and we have to ensure that the Privileges are assigned based on their job roles after getting an appropriate approval so the typical uh identity and access management life cycle involves firstly creating the identities then assigning 
privileges based on the job roles then manage these managing these identities and privileges through uh throughout their service and finally removing or deleting the Privileges and the identities so as part of providing access to our organization systems and information we have to have a proper authentication mechanisms so there are typically three types of authentication which involves something you know that is any password or any pin then something you have that is any otps that you get or any uh RFID cards that you have or any uh tokens that you get and finally something you are which involves your biometric authentication facial recognition voice recognition right so these are the three methods of authentication so we can use more than one that is combination of two authentication mechanisms that will become your multiactor authentication and we should also emphasize on managing the physical access as well so within the organization we have to ensure that not all the uh individuals have access to all the parts of the organization wherever we have any sensitive areas or any restricted areas that access should be managed to only limited individuals who actually need the access also physical access management also involves managing the visitors within the organization next we have the awareness and training again a very important function so this uh this module or this function focuses on two types of training one is a gen generic security awareness training which is given to all the employees of the organization which focuses on the organization's information security best practices the information security objectives the information security policies what are the best practices with regards to information security and then we have a role specific training where we customize the training for a particular role for example say network administrator software Developers for software developers we customize the training and we provide training in terms of OAS top 10 
vulnerabilities what are the best practices for coding how can the development team ensure that they are coding securely right so it administrator so we can provide our customize training as to how the it administrator has to configure the assets before deploying in the network what are the best practices that needs to be considered for configuring or hardening these assets so like this we can customize the security awareness for a job specific role next we have the data security so the organization has data in various forms and formats and this data can be stored in assets such as the databases hard drives the laptops mobile phones tablets desktops removable media Etc and there is always a constant flow of data to and from the organ organization hence we need to ensure that we are securing the data that is at rest the data that is in motion and the data while it is being used so the the data must also be backed up on a periodic basis based on the criticality per say there is an incident for example a ransomware or a malware attack which corrupts all the data within the organization so in that case these backups that we had taken will help us to restore to our normal working conditions and helps us to restore the processes next we have platform security this function predominantly focuses on securing all the assets basically that the organization has so the organization has to firstly identify what are the various assets that is being used for example servers network devices laptops desk desktops wireless access points the um physical Access Control Systems so all the assets has to to be identified or all the categories of the electronic and physical assets need to be identified and we need to develop the Baseline configuration requirements for each and every asset say a particular uh server what are the minimum requirements or what are the minimum security configurations that should be present before de deploying this asset to the network so we should manage all 
the Hardwares and softwares and finally we should also restrict the installation of softwares so we shouldn't give the administrative privileges to the end points sorry uh the employees so the administrative privileges on the end points should always reside with the organization's it team so any employee who if they want to install any application they need to First reach out to the IT team get a proper approvals and then they would give they would be given an administrative privilege for a very short period of time so that they can finish the installation next we have the technology infrastructure resiliency so here we need to basically uh focus on all of our net data that is present present on the network and all the assets that the organization has or the organization uses in order to store the organization's information and these assets should be protected against the loss of confidentiality integrity and availability so all the resilience requirements that the organization needs should be identified and the organization should identify the capacity requirements of these assets so we have to identify what is the current capacity that the organization is having and what is the future expected capacity based on the growth of the business so that we ensure that we have adequate assets and capacity of the assets are maintained in order to cater to the demand up next we have the detect function so the detect function emphasize or focuses on identifying or spotting all the possible cyber security attacks or compromises within the organization so it helps us to identify and analyze any unusual activities or any signs of cyber security attack in advance so by detecting these anomalies early we can respond quickly and effectively in so that we minimize the impact of these incidents or any anomalous events so first we have continuous monitoring so we have to ensure that all the data that is residing on the organization G A's Network and is monitored to spot any sort of 
anomaly anomalous activities or any malicious data and not only the uh network of the organization we should also monitor the physical environment in order to spot any malicious activities that are happening or that are ongoing within the organization itself so we can use some sort of a CCTV cameras or some sort of contact sensors in order to identify any malicious activities and also all the activities of the organizations employees Service Pro service providers vendors third parties and mainly the administrators should also be monitored in order to identify if there are any malicious or any anomalous activity that is going on so next we have adverse event analysis so once we identified or or once we uh once we started the monitoring with this monitoring mechanism we will we can identify all the anomalous activities but there might be a Chan that there are many Falls positive not all the events would be malicious right so first we have to understand what is the event we have to analyze the event we can use informations from different sour SES so that we can correlate them and come to a conclusion whether the event that was triggered or alert that was triggered was a true positive or was it a false positive and if at all it is a valid event and it is a malicious event we have to understand what is the impact and what is the scope of this event so this uh we can also have a threat intelligence in place that we receive from various organizations across the globe so that we can identify and be prepared to the threats that are currently present in the organization so this will help us to effectively detect any threats any uh vulnerabilities any risks that are present in the internet next we have the respond so after identifying and analyzing the security incident security events if at all we got to know that there is any information security incident now we should also respond to this incident right so this respond function predominantly focuses on taking actions 
whenever cyber security incidents are detected. It is all about containing the effects of the incident in order to minimize the damage.

At first we have the Incident Management function or requirement. Firstly, we should have an incident response plan which clearly identifies what steps need to be taken in order to effectively respond to an incident. We should also have a process in place to categorize the incident: whether it is a high-level incident, a medium-level incident or a low-level incident. Based on the categorization we should also prioritize, so we should have timelines or SLAs defined: all the high-level incidents shall be responded to or mitigated in so-and-so time frame; all the medium-impact incidents shall be addressed in so-and-so timelines. We should also have a process for escalating the situation wherever necessary.

Next we have incident analysis. We got to know it is an incident, and we have also defined the incident response plan, but we should also have an understanding as to what exactly went wrong: why did the event actually happen, what was the loophole, what was the actual reason? If we understand the root cause for the incident or event, we will be in a better position to effectively mitigate the incident within the organization without escalating it to a greater extent. All the evidence that we collect as part of the incident analysis and incident mitigation should be protected, and the magnitude of the incident should also be understood. All the stakeholders should be notified wherever possible and to whatever levels are needed.

The last control is incident mitigation. Once we have identified the root cause for the incident, we have to take decisions or steps to firstly contain the incident, so that it is not spreading to other assets in the network, and we have to take steps to eliminate or eradicate the incident from the organization.

The last function we have is Recover. This function predominantly focuses on getting things back to normal after a cyber security incident. It involves restoring any assets or operations that were affected by the incident promptly. The goal is to minimize the impact of the incident and ensure that normal operations resume smoothly, so it is all about bouncing back from a cyber security incident as quickly and efficiently as possible.

First we have incident recovery plan execution. Once we have eradicated the incident, it is time to recover the processes back to their previous normal working condition. How do we know which process to restore first? We usually perform an activity called business impact analysis, where we identify which processes need to be restored first, in what timelines we need to restore them, and also what amount of data needs to be restored. This data we get from the terminologies called RTOs and RPOs. Based on this we select and prioritize the processes and the data that need to be restored. We also have to ensure that the backups we had taken are useful, in order to ensure that they actually help us in recovering from the incidents, so we have to also have a proper restoration schedule for the backups, so that on a periodic basis we are actually restoring these backups to check whether they are actually working and whether we have the capability to restore the data in the event of a disaster or an incident.

Last we have incident recovery communication. Once we recover from an incident, we should communicate that to all the relevant stakeholders, and we also have to give updates to the general public. Say, for example, whenever a very big application like Twitter or Instagram or WhatsApp or Facebook is down, everybody panics, and we see on all the social media and all the news channels that Instagram is down, WhatsApp is down, Facebook is down, Twitter is down. Then everybody will wait for Instagram or the affected company to actually confirm what went wrong: was it a technical glitch or was it an incident? Once the organization says it is an incident, again everybody would be waiting to hear that the incident is recovered, so that they can use the application to the normal extent as they were using before. That is why communication is very important.

So this was the last control, and this was it for today's webinar. Thank you so much for attending the webinar. For more such security content and webinars, please follow Ministry of Security on LinkedIn, Instagram as well as YouTube. We will provide links to all our channels, that is LinkedIn, YouTube and also Instagram, in the description, so please follow us for more such infosec content. Thank you so much, let's catch up in the next webinar, bye-bye.
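The following is an added illustration, not part of the webinar and not the speaker's or NIST's own code. It models in Python the two prioritisation steps the Respond and Recover functions describe: an incident work queue ordered by severity-based response SLAs, with escalation when an SLA is missed, and a recovery order driven by the RTO from the business impact analysis, with a check that each process's last backup is recent enough to satisfy its RPO and has been restore-tested within the scheduled interval. The severity names, SLA durations, process names, sample timestamps and the 90-day restore-test interval are all constructed assumptions for the example.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Assumed SLA table: maximum time from detection to initial response or
# mitigation per severity. Illustrative values, not prescribed by NIST CSF.
RESPONSE_SLA = {
    "high": timedelta(hours=1),
    "medium": timedelta(hours=8),
    "low": timedelta(hours=72),
}


@dataclass
class Incident:
    id: str
    severity: str                         # "high", "medium" or "low"
    detected_at: datetime
    responded_at: Optional[datetime] = None


def sla_deadline(inc: Incident) -> datetime:
    """Deadline by which this incident must have been responded to."""
    return inc.detected_at + RESPONSE_SLA[inc.severity]


def needs_escalation(inc: Incident, now: datetime) -> bool:
    """Escalate when an incident is still unhandled past its SLA deadline."""
    return inc.responded_at is None and now > sla_deadline(inc)


def triage_order(incidents: list[Incident]) -> list[str]:
    """Work queue: earliest SLA deadline first, so severity and age both count."""
    return [i.id for i in sorted(incidents, key=sla_deadline)]


@dataclass
class Process:
    name: str
    rto: timedelta               # maximum tolerable downtime (from the BIA)
    rpo: timedelta               # maximum tolerable data loss (from the BIA)
    last_backup: datetime        # last successful backup
    last_restore_test: datetime  # last verified restore of that backup


def recovery_order(processes: list[Process]) -> list[str]:
    """Restore the processes with the shortest RTO first."""
    return [p.name for p in sorted(processes, key=lambda p: p.rto)]


def backup_findings(p: Process, incident_time: datetime,
                    test_interval: timedelta) -> list[str]:
    """Problems that would undermine recovery of this process."""
    findings = []
    data_loss = incident_time - p.last_backup   # data written since the backup
    if data_loss > p.rpo:
        findings.append(f"{p.name}: backup is {data_loss} old, exceeds RPO {p.rpo}")
    if incident_time - p.last_restore_test > test_interval:
        findings.append(f"{p.name}: restore not tested within {test_interval}")
    return findings


def demo() -> dict:
    """Run both steps over constructed sample data."""
    now = datetime(2024, 1, 10, 12, 0)  # constructed 'current time'
    incidents = [
        Incident("INC-1", "low", now - timedelta(hours=80)),
        Incident("INC-2", "high", now - timedelta(hours=2)),
        Incident("INC-3", "medium", now - timedelta(hours=1),
                 responded_at=now - timedelta(minutes=30)),
    ]
    processes = [
        Process("payments", rto=timedelta(hours=2), rpo=timedelta(minutes=15),
                last_backup=now - timedelta(hours=1),
                last_restore_test=now - timedelta(days=10)),
        Process("email", rto=timedelta(hours=24), rpo=timedelta(hours=24),
                last_backup=now - timedelta(hours=6),
                last_restore_test=now - timedelta(days=200)),
    ]
    return {
        "triage": triage_order(incidents),
        "escalate": [i.id for i in incidents if needs_escalation(i, now)],
        "recovery": recovery_order(processes),
        "findings": [f for p in processes
                     for f in backup_findings(p, now, timedelta(days=90))],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

In the sample run the low-severity incident comes first in the queue because its 72-hour SLA has already lapsed, which is exactly the case an escalation process exists for; on the recovery side, "payments" is restored before "email" but is flagged because its last backup is older than its 15-minute RPO, and "email" is flagged because its restore has not been exercised on schedule.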
