Tuesday, February 25, 2014

An Open Cyber Security Framework

By Mateo Martinez.

In this blog post we're going to present a brief overview of the Open Cyber Security Framework Project.

There are a number of frameworks already on the market, like the new NIST “Cybersecurity Framework” or “Transforming Cybersecurity using COBIT5” from ISACA, and other paid or country-oriented frameworks. However, there is no single open framework that governments and organizations can adopt as a reference model to start or improve on cybersecurity matters, and this is a real need in the market. Many governments and organisations are working on their Cybersecurity Frameworks, all starting from scratch. This open framework will be created together with governments and organizations around the globe, producing the de facto model to be used as a reference both by those just starting and by those improving or looking to optimize their cybersecurity frameworks. The main web page of the project is www.ocsfp.org, and release version 1 of the core framework is expected for the end of March 2014. The aim of the OWASP Open Cyber Security Framework Project is to create a practical framework on Cybersecurity.

Creating, implementing and managing a Cybersecurity Framework has become a need (or maybe a must) for many governments and organizations. The Open Cybersecurity Framework Project (OCSFP) is an open project dedicated to enabling organizations to conceive or improve a Cybersecurity Framework. All of the information in OCSFP is free and open to anyone. Everyone is invited to join and collaborate in order to improve the content, which will be available worldwide. It is licensed under the Creative Commons Attribution-ShareAlike 3.0 license, so you can copy, distribute and transmit the work, adapt it, and use it commercially, provided that you attribute the work and that, if you alter, transform, or build upon it, you distribute the resulting work only under the same or a similar license. OCSFP has been an OWASP Project since February 2014.

The main objective of the project is to provide a practical Cybersecurity strategy with 1-2-3 practical phases, as shown in the following figure:

There's a team of active contributors working on the core framework, and there's a very interesting roadmap of releases for this year, 2014. Below is the list of open documents that are under development and will be released during the year. There's an open mailing list to join for those interested in collaborating with OCSFP.

The OCSFP contributors are working hard on the first Framework Core release, but open frameworks are also under development for specific industries such as Healthcare, Government, Aeronautics, Telcos and Critical Infrastructure. The first version of all of them will be released during 2014.

Open Cybersecurity Frameworks
  • Open Cybersecurity Framework Core
  • Open Cybersecurity Framework Core Implementation Guidelines
  • Open Cybersecurity Framework for IPv6
  • Open Cybersecurity Framework for Governments
  • Open Cybersecurity Framework for Enterprises
  • Open Cybersecurity Framework for Critical Infrastructure
  • Open Cybersecurity Framework for Aeronautics
  • Open Cybersecurity Framework for Oil & Gas
  • Open Cybersecurity Framework for Healthcare
  • Open Cybersecurity Framework for Telcos
  • Open Cybersecurity Assessment
  • Open Cybersecurity Quick Self-Assessment
  • Open Cybersecurity Quick Reference Guide
  • Open Cybersecurity Free Tools
  • Open Cybersecurity Incident Response Management Framework
  • Open Cybersecurity Framework for Small Biz

For those who are just evaluating their current status on cybersecurity, there's a quick online assessment with some simple questions about current Information Security Programs and about the implemented technologies. With the first release of the framework core, a complete assessment will be available online, with a table of recommendations for the first steps in developing a cybersecurity strategy that takes into account your current maturity level.

Some of the available questions in the current online draft are:
  • Do you have a Data Loss Prevention Process?
  • Do you have an Incident Response Program?
  • Do you have a Vulnerability Management Process?
  • Do you train your Response Teams in Malware Analysis and Forensics?
  • Do you have a NG Firewall installed?
  • Do you have a dedicated IDS or IPS?
  • Do you have a Data Loss Prevention Solution implemented?
  • Do you have a Web Proxy installed?
  • Do you have full disk encryption on your laptops?
  • Do you have Host Firewall on your organization's computers?
  • Do you have Host IPS on your organisation's computers?
  • Do you have a vulnerability scanner?
  • Do you have any Log Management / SIEM solution?

When you go deeper into the framework you will notice that, after the 3-phase strategy, there is a set of activities to be implemented in the cybersecurity strategy:
  • Security Strategy Roadmap
  • Risk Management
  • Vulnerability Management
  • Security Controls
  • Arsenal
  • Incident Response Management
  • Data Loss Prevention
  • Education & Training
  • Business Continuity & Disaster Recovery
  • Application Security
  • Penetration Tests

Last but not least, the project has created a matrix mapping the controls of the SANS Top 20, the NIST Cybersecurity Framework and the Federal Communications Commission to OCSFP, and some other well-known market frameworks are being mapped into OCSFP activities too:

The first release of the framework core is due at the end of next month and will be available worldwide, in order to help organisations and governments improve their security posture faster.
