Cybersecurity Framework – a case study

In the last blog, we saw what entails NIST’s Cybersecurity framework.  In this blog, let us see Intel’s implementation of NIST’s CSF.

NIST  – Intel Case study  

A classic case of adoption of NIST Cyber Security framework (CSF) has been articulated by Intel.   Shared during an NIST workshop in 2014, by Intel Security and Privacy office, Intel’s journey in setting up the NIST framework makes for a detailed study.

Intel adoption of Cybersecurity framework:

Definition of goals:

Intel defined its goal as below:

  • Aligning the organization to risks and tolerance
  • Incorporate Cyber-risks in budget plan for the year 2015
  • Analysis of security situation within intel as heat map and sharing it with Senior Management
  • Acceptance and adoption of CSF as a risk management approach

To operationalize these goals, Intel choose a three phase approach:

Infrastructure: Both at an organization and at an office level, it was important to align all initiatives to CSF. Also, an audit was launched to evaluate the status quo of office and enterprise infrastructure against

Product: It was also important to evaluate all product and service capabilities, features and assurances through the CSF lens.  This brings all aspects of strategy, marketing and other key functions into focus.

Supply Chain and third party contracting:  Intel being a large manufacturer and outsourcer of major portions of its manufacturing process, it was important to align the language of supply chain and outsourced manufacturing of the extended organization to align to the Cyber Security Framework format.

cs2bInfrastructure assessment:  A four stage process was adopted to evaluate the infrastructure against the CSF framework.   A) Set targets b) Assess gaps c) Analyse Results d) Communicate Results.

A core group was formed and targets were set on parameters based on an assessment matrix. An assessment matrix was drawn up to include the five stages of the framework and further divided into specific categories – Identify, protect, detect, respond and recover.

The gap analysis consisted of measuring the gaps between targets and the accumulate results.  This was mapped to categories and key issues were identified and analysed.  The communication of analysed results to the stakeholders helped for clarity for both budget and planning cycles.

Following were the management outcomes of the CSF Infrastructure assessment:

Program Management: The outcome of the CSF Framework implementation has been impressive and without any major deviations.  The process that had been designed leveraged existing processes and procedures, and hence added little overhead for adopters.

Estimated Cost: Cost was kept less due to repeatable processes designed and only a total of 150 man-hours were put into the assessment.

Participants feedback:  The feedback from the participants was that there is intense feedback with key concerns around granularity and repeatability of the process.

Key learnings from Intel’s ongoing implementation of CSF framework:

  • There was further alignment of processes during Intel’s target setting exercise with the stakeholders and core team including CISO.
  • Categorization helped as one had to analyse each function ( design, manufacturing etc.,) to map the targets to results
  • The challenge was to manage overhead while diving deep into subcategories for analysis.

The take away from Intel’s learnings is that like any risk management program, Cybersecurity Framework implementation is a journey.  Informed internal discussions helps bring clarity and build harmony to risk management implementations. The assessments also help improve visibility of organization’s risk landscape.

The next blog will cover the details of implementation of NIST framework.