Skip to main content

RACI, Cybersecurity and NICE Framework

The NICE framework from a RACI point of view

The NICE framework (NIST SP 800-181 rev. 1) established a standard approach for describing cybersecurity work, in order to help stakeholders share a common language and ideally improve how to identify, recruit, develop and retain talent. It breaks down cybersecurity work role categories into: Oversight and Governance; Design and Development; Implementation and Operation; Protection and Defense; Investigation. 

Which is very cybersecurity-centric and not related to common tools for project management within companies. Especially smaller enterprises that do not have dedicated people to mange and coordinate cybersecurity needs.

RACI chart is a project management tool used to define and clarify roles and responsibilities within a project team. It stands for Responsible, Accountable, Consulted, and Informed, and visually represents who is responsible for what, who is accountable for the outcome, who needs to be consulted, and who needs to be informed. 

How do we merge these tools easily in an organization that is smaller, leaner and more 
mission driven - to enable their necessary tools while not over-burdening them with process? 
I propose a simple mapping of the NIST Work Role Categories to RACI matrix:
  • Responsible -> Oversight and Governance provides Leadership &  Management - overall direction and expectations get set here.
  • Accountable -> Design and Development and Implementation and Operation - provides understanding of what needs to be protected and how. Documents, selects and tests solutions. In reality for small and medium enterprises this is often a third party. 
  • Consulted -> Overlap of Implementation and Operations along with Protection and Defense are those responsible for the daily usage of systems, as well as the weekly and monthly upkeep of systems, so they are consulted as part of business to ensure that the systems are not burdensome and enable daily operations to proceed apace. This is the education of any and all that touch systems within the enterprise.
  • Informed -> Internally this happens if there are problems, this is tagged as the NIST NICE work role of Investigation. Includes those outside the organization whose data you are handling in some way - such as customers and partners.   
Ideally if you are using a RACI mindset for many of your business decisions, when you drop into the world of the systems that support your business, and you're think about cybersecurity this, mapping is meant to help move from one point of reference to another. From who to what. 

Labels:
Location: Boston, MA, USA

Comments

Post a Comment

Popular posts from this blog

You don't really know who you're talking to online...

The following is a story that I think highlights the assumptions that get you into trouble online... https://www.proofpoint.com/us/blog/threat-insight/i-knew-you-were-trouble-ta456-targets-defense-contractor-alluring-social-media This is particularly scary since we found so much utility in online connections during the pandemic and out of necessity, started trusting more online. Please note the timeline for this breach - it was a long, slow process, a key factor in many 'cons'. "Build trust" is a key first step, once someone has identified you as a party. You think...you're convinced you know who your talking to, but if you don't triangulate the identity with some non-online, ideally in-person information, you shouldn't trust. And even if you do get what seems like real-life confirmations of identity, you must look at questioning motives, needs, and keeping danger at arms-length. Online includes email, texting (sms), application chatbots, voice communicati...
Post a Comment
Read more

Threat Modeling Manifesto

Secure Your Code with Threat Modeling As a software developer, security should be a top priority. By proactively identifying and addressing potential vulnerabilities, you can significantly reduce the risk of breaches and data loss. What is Threat Modeling?   Threat modeling is a systematic approach to identifying, assessing, and mitigating security threats. It involves looking at your system from a hacker's perspective to uncover weaknesses and devise strategies to protect against attacks. See the  OWASP Cheat Sheet   Why is Threat Modeling Important? Proactive Security: By anticipating potential threats, you can take steps to prevent them. Risk Mitigation: Identify and address vulnerabilities before they can be exploited. Regulatory Compliance: Adhere to industry standards and regulations. Enhanced Security Posture: Strengthen your overall security posture. How to Get Started with Threat Modeling   The Threat Modeling Manifesto provides a valuable framewor...
Post a Comment
Read more

Where threat modeling can shine - an example from the EU MDCG-2019

From the  EU  MDCG 2019-16 Guidance on Cybersecurity for medical devices, December 2019 , this is the guidance on foreseeable risks.  Medical device manufacturers should ensure that a medical device is designed and manufactured in a way that ensures that the risks associated with reasonably foreseeable environmental conditions are removed or minimised. This may include the infield monitoring of the software’s vulnerabilities and the possibility to perform a device update (outside the context of a field safety corrective action) through, for example delivering patches to ensure the continued security of the device. During the risk management process, the manufacturer should foresee or evaluate the potential exploitation of those vulnerabilities that may be a result of reasonably foreseeable misuse. This, however, may depend on the specific situation. For example, using an unsecured memory-stick to enter data into a medical IT system can be considered “reasonably foreseeabl...
Post a Comment
Read more