NIST-COBIT-2019 ISACA Implementing the NIST Cybersecurity Framework using COBIT 2019 Questions and Answers

According to the NIST Cybersecurity Framework, gaps identified between the current and target profiles should be addressed through a risk-based approach, which enables an organization to gauge the resources needed and prioritize the mitigation of gaps in a cost-effective manner. This approach also aligns the cybersecurity program with the business objectives and risk appetite of the organization12.

ReferencesExamples of Framework Profiles | NISTWhat is the NIST Cybersecurity Framework? | IBM

According to the NIST Cybersecurity Framework, mission drivers are a primary consideration when creating an action plan to address gaps identified in CSF Step 6, as they help to align the cybersecurity program with the organization’s objectives, priorities, and risk appetite. Mission drivers also help to determine the resources needed and the cost-benefit analysis of the proposed solutions12.

References7 Steps to Implement & Improve Cybersecurity with NISTCybersecurity Framework v1.1 - CSF Tools - Identity Digital, page 7.

The seven high-level CSF steps generally align to the high-level phases of the COBIT 2019 implementation guide, which are: What are the drivers?; Where are we now?; Where do we want to be?; What needs to be done?; How do we get there?; Did we get there?; and How do we keep the momentum going?12. These phases provide a structured approach for implementing a governance system using COBIT 2019, and can be mapped to the CSF steps of Prioritize and Scope, Orient, Create a Current Profile, Conduct a Risk Assessment, Create a Target Profile, Determine, Analyze and Prioritize Gaps, and Implement Action Plan34.

References: 1: COBIT 2019 Implementation Guide 2: COBIT 2019 Implementation - ISACA 3: Implementing the NIST Cybersecurity Framework Using COBIT 2019 | ISACA 4: REVIEW OF IMPLEMENTING THE NIST CYBERSECURITY FRAMEWORK USING COBIT 2019.

According to the NIST Cybersecurity Framework, an organization should review cyber threat information from internal and external sources to gain a better understanding of the likelihood and impact of cybersecurity events. This information can help the organization to identify potential threats, vulnerabilities, and consequences, and to assess the current and target profiles of its cybersecurity posture12.

ReferencesIdentifying and Estimating Cybersecurity Risk for Enterprise Risk Management, page 19.COBIT VS NIST : A Comprehensive Analysis - ITSM Docs

Identifying external compliance requirements is most likely to occur during COBIT Implementation Phase 2: Where Are We Now?, because this phase involves assessing the current state of the enterprise’s governance and management system, as well as its strengths, weaknesses, opportunities, and threats12. This phase also includes identifying the relevant stakeholders, drivers, and scope of the implementation program . Therefore, this phase requires a thorough understanding of the external laws, regulations, and contractual obligations that apply to the enterprise and its I&T activities.

References: 1: COBIT 2019 Implementation Guide 2: COBIT 2019 Implementation - ISACA : Connecting COBIT 2019 to the NIST Cybersecurity Framework - ISACA : 7 Phases of COBIT Implementation: Explained - The Knowledge Academy : Compliance with External Requirements - Morland-Austin

One of the framework principles established by NIST is to ensure that the framework is consistent and aligned with existing regulatory and legal requirements that are relevant to cybersecurity12.

References: 1: Cybersecurity Framework | NIST 2: Framework Documents | NIST

Combining CSF principles with COBIT 2019 practices helps to ensure value, manage risk, and support mission drivers through support and direction of the board of directors and executive management, as they are responsible for setting the vision, strategy, and objectives of the organization, and for overseeing the governance and management of IT-related operations12.

ReferencesConnecting COBIT 2019 to the NIST Cybersecurity Framework - ISACACOBIT 2019 (With Principles, Components, Users and Benefits)

Executives are the role that will benefit most from a better understanding of the current cybersecurity posture by applying the CSF. This is because executives are responsible for setting the strategic direction, objectives, and priorities for the organization, as well as overseeing the allocation of resources and the management of risks1. By applying the CSF, executives can gain a comprehensive and consistent view of the cybersecurity risks and capabilities of the organization, and align them with the business goals and requirements2. The CSF can also help executives communicate and collaborate with other stakeholders, such as regulators, customers, suppliers, and partners, on cybersecurity issues3.

References: 1: Implementing the NIST Cybersecurity Framework Using COBIT 2019 | ISACA 2: Cybersecurity Framework | NIST 3: Framework Documents | NIST

The function of the CSF that is addressed by incorporating governance, risk, and compliance (GRC) elements into the implementation plan is Identify, which assists in developing an organizational understanding to managing cybersecurity risk to systems, people, assets, data, and capabilities. GRC elements help to define the governance program, the legal and regulatory requirements, the risk management strategy, and the supply chain risk management strategy of the organization12.

ReferencesThe Five Functions | NISTNIST Cybersecurity Framework 2.0: Understanding the "Govern" Function

The organization’s asset register should primarily align to configuration management, because it is a process that maintains an accurate and complete inventory of the organization’s I&T assets and their relationships12. Configuration management supports the implementation of Step 2: Orient and Step 3: Create a Current Profile, because it helps to identify the systems, people, assets, data, and capabilities that are within the scope of the cybersecurity program, and to assess their current cybersecurity outcomes34.

References: 1: COBIT 2019 Framework – ITSM Docs - ITSM Documents & Templates 2: COBIT 2019 Design Guide: Designing an Information and Technology Governance Solution 3: Cybersecurity Framework Components | NIST 4: Implementing the NIST Cybersecurity Framework Using COBIT 2019 | ISACA

A clear understanding of the likelihood and impact of cybersecurity events is critical for the success of CSF Step 6, as it helps to prioritize the gaps and actions based on the risk assessment and the cost-benefit analysis of the proposed solutions12.

References7 Steps to Implement & Improve Cybersecurity with NISTNIST CSF: The seven-step cybersecurity framework process

The implementation status is the information that should be collected for a Current Profile, because it indicates the degree to which the cybersecurity outcomes defined by the CSF Subcategories are currently being achieved by the organization12. The implementation status can be expressed using a four-level scale: Not Performed, Partially Performed, Performed, and Informative References Not Applicable34.

References: 1: Cybersecurity Framework Components | NIST 2: Implementing the NIST Cybersecurity Framework Using COBIT 2019 | ISACA 3: Framework Documents | NIST 4: REVIEW OF IMPLEMENTING THE NIST CYBERSECURITY FRAMEWORK USING COBIT 2019.