DRAFT Illustrative Example

| Function | Category | Subcategory | Informative Reference(s) |
|---|---|---|---|
| Know | Know the enterprise risk architecture | Understand corporate risk tolerance | SP 800-53, ISO 31000 |
| Know | Know the enterprise risk architecture | Identify risk assessment methodologies | SP 800-53 RA-3, ISO 31000 |
| Know | Know the enterprise risk architecture | Document approved risk management strategies and criteria | |
| Know | Know the enterprise risk architecture | Identify business drivers and mission | |
| Know | Know the enterprise risk architecture | Detail external risk considerations (policy, regulations) | |
| Know | Know the enterprise assets and systems | Inventory business systems and their integration | |
| Know | Know the enterprise assets and systems | Inventory hardware assets | |
| Know | Know the enterprise assets and systems | Inventory software applications | |
| Know | Know vulnerability | Document known hardware / software vulnerabilities | |
| Know | Know threat information | Understand insider-specific threat sources | |
| Know | Conduct an impact assessment | Record risk impact assessment values for assets | |
| Know | Calculate likelihood | Determine likelihood of risk events by threat and vulnerability | |
| Know | Determine appropriate risk management activity | Select and determine appropriate risk management controls | |
| Prevent | Implement Controls: Access Control | Restrict and protect remote access | |
| Prevent | Implement Controls: Access Control | Prohibit unauthorized applications ("Blacklisting") | SP 800-53 CM-7 |
| Prevent | Implement Controls: Access Control | Enable only authorized applications ("Whitelisting") | NIST SP 800-47 |
| Prevent | Implement Controls: Workforce Suitability | Perform security awareness training and education | ISO 27001 5.2.2, SP 800-53 (AT), CSC #9 |
| Prevent | Implement Controls: Control Change | | |
| Prevent | Implement Controls: Secure data in transit | | |
| Prevent | Implement Controls: Environmental Protection | Ensure that sufficient power is always available | |
| Prevent | Implement Controls: Supply Chain and Software Assurance | Ensure software security testing is performed (software code reviews, threat modeling) | |
| Detect | Implement Controls: Risk Monitoring & Detection | Implement and test fire/physical intrusion detection devices / systems | |
| Detect | Assess potential impact of event including regulatory considerations | Perform risk assessment activities upon detection of an event, informed by value and impact information gained in the "Identify" phase | |
| Detect | Perform risk prioritization | Implement risk-based decision tree | |
| Respond | Perform incident response | Perform incident handling activities as described in the incident handling plan | |
| Recover | Perform system recovery | Perform information system recovery and reconstitution activities | |
| Recover | Perform system recovery | Provide alternate work site to recover work activities | |
| Function | Category | Subcategory | Informative Reference(s) |
|---|---|---|---|
| Know | Asset Management (Physical and Logical) | | NIST Special Publication 800-53 (Configuration Management family); CIP-003-3 R6 (Change Control and Configuration Management); CIP-007-3 R7 (Disposal or Redeployment); CIP-006-3c R8 (Maintenance and Testing - Physical Security Systems) |
| Know | Vulnerability Management | | CIP-007-3 R2 (Ports and Services); CIP-005-3a R4 (Cyber Vulnerability Assessment – Electronic Access Points); CIP-007-3 R8 (Cyber Vulnerability Assessment – Cyber Assets within the ESP); CIP-007-3 R1 (Test Procedures); CIP-007-3 R3 (Security Patch Management); CIP-007-3 R4 (Malicious Software Prevention); NIST Special Publication 800-40; Critical Security Controls (Continuous Vulnerability Assessment and Remediation) |
| Know | Risk Assessment | | ISO/IEC 27001 (A.6, A.12); NIST Special Publication 800-53 (Risk Assessment Family); NIST Special Publication 800-30; CIP-002-3 R1/R2/R3 (Critical Asset Identification Method); CIP-004-3 R3 (Personnel Risk Assessment) |
| Know | Security Awareness | | CIP-004-3 R1 (Security Awareness Program) |
| Prevent | Identity and Access Management | | CIP-003-3 R5 (Access Control Program); CIP-004-3 R3 (Personnel Risk Assessment); CIP-004-3 R4 (Access Rights); CIP-005-3a R3 (Electronic Access); CIP-006-3c R2, R3, and R4 (Physical Access); CIP-007-3 R5 (Systems Account Management) |
| Prevent | Application Security | | CIP-007-3 R2 (Systems Security - Ports and Services) |
| Prevent | Network Security | | CIP-005-3a R1 (Electronic Security Perimeter); CIP-005-3a R2 (Electronic Access Controls) |
| Prevent | Physical Security | | CIP-006-3c R1 (Physical Security Plan) |
| Prevent | Training | | CIP-004-3 R2 (Personnel Training) |
| Prevent | Information Protection | | CIP-003-3 R4 (Information Protection Program) |
| Prevent | Change Control | | CIP-003-3 R6 (Change Control & Config Mgmt); CIP-007-3 R1 (Testing of Changes) |
| Detect | Monitoring, Auditing, and Logging | | NIST Special Publication 800-137; CIP-005-3a R3 (Monitoring Electronic Access); CIP-006-3c R1 (Physical Security Plan); CIP-006-3c R5 (Monitoring Physical Access); CIP-006-3c R6 (Logging Physical Access); CIP-006-3c R7 (Access Log Retention); CIP-007-3 R2 (Ports and Services); CIP-007-3 R3 (Security Patch Management); CIP-007-3 R4 (Malicious Software Prevention); CIP-007-3 R5 (Account Management); CIP-007-3 R6 (Security Status Monitoring) |
| Respond | Incident Management | | CIP-001-2a R1 (Recognition & Awareness); CIP-008-3 R1.1, 1.2, 1.4, 1.5 (Incident Response Plan); CIP-008-3 R2 (Retain Incident Documentation) |
| Respond | Testing / Exercises | | CIP-008-3 R1.6 (Test Incident Response Plan) |
| Respond | Reporting | | CIP-001-2a R2, R3, R4 (Reporting to Interconnection, Internal, FBI/RCMP); CIP-008-3 R1.3 (Reporting Incidents to ES-ISAC) |
| Recover | Contingency and Disaster Recovery | | CIP-009-3 R1 (Recovery Plans); CIP-009-3 R3 (Change Control for Recovery Plan); CIP-009-3 R4 (Backup and Restore) |
| Recover | Testing / Exercises | | CIP-009-3 R2 (Exercises); CIP-009-3 R5 (Testing Backup Media) |
| Function | Category | Subcategory | Informative Reference(s) |
|---|---|---|---|
| Know | Asset Management | Hardware Device/Software Inventory; Network Mapping; Management Taxonomy; Valuation of Assets; Lifecycle Tracking; End of Life | ISO/IEC 27001; ISO/IEC 27002; HITRUST; NERC CIP; Electricity Sub-sector Cybersecurity Capability Maturity Model (ES-C2M2); FIPS 199; NIST SP 800-53 Rev. 4; NIST SP 800-60; SANS Top 20 Controls |
| Know | Vulnerability Management | Vulnerability Awareness; Vulnerability Assessment | ISO/IEC 27002; ISO; HITRUST; NIST SP 800-40; NIST SP 800-53 Rev. 4; NIST SP 800-83; NIST SP 800-115; SANS Top 20 Controls |
| Know | Risk Management | Defining Risk Tolerance; Risk Identification; Risk Assessment; Analysis of Alternatives | ISO/IEC 2700; ISO/IEC 27002; ISO/IEC 27005; COBIT; FFIEC; Electricity Sub-sector Cybersecurity Capability Maturity Model (ES-C2M2); National Infrastructure Protection Plan; HIPAA; HITRUST; NIST SP 800-18; NIST SP 800-30; NIST SP 800-37; NIST SP 800-39; NIST SP 800-53 Rev. 4; SANS Top 20 Controls |
| Know | Threat Intelligence | Threat Collection Management; Threat Analysis | NIST 800-30; Electricity Sub-sector Cybersecurity Capability Maturity Model (ES-C2M2) |
| Know | Compliance | Business Requirements; Legislative and Regulatory; Contractual Requirements | ISO/IEC 27001; ISO/IEC 27002; FFIEC; HITRUST; COBIT; NIST SP 800-53 Rev. 4 |
| Know | Governance and Portfolio Management | Strategic Planning; Formal Cyber Security Program; Lifecycle Management; Initiative Implementation Planning; Investment Planning and Costs; Incorporate Lessons Learned; Succession Planning | FFIEC; HIPAA; HITRUST; Electricity Sub-sector Cybersecurity Capability Maturity Model (ES-C2M2); NIST SP 800-53 Rev. 4; NIST SP 800-100; SANS Top 20 Controls; NERC CIP; SOX 404 |
| Know | Information Sharing and Communications | Understand Data Flows; Internal Communications; External Communications | Electricity Sub-sector Cybersecurity Capability Maturity Model (ES-C2M2); NIST SP 800-53 Rev. 4 |
| Know | Understand the Physical Environment | Understand the Facility Protection; Understand Environmental Risks | NIST SP 800-18; NIST SP 800-35; NIST SP 800-53 Rev. 4; SANS Top 20 Controls |
| Know | Understand Impact | Identify Core Business; Understand Business Flows; Define Dependencies | FIPS 199; NIST SP 800-53 Rev. 4; NIST SP 800-60 |
| Prevent | Security Awareness | User Awareness Training | NERC CIP; NIST SP 800-50; NIST SP 800-53 Rev. 4 (Awareness and Training family); NIST SP 800-100; NIST Interagency Report 7628; Electricity Sub-sector Cybersecurity Capability Maturity Model (ES-C2M2); HIPAA; ISO/IEC 27002; SANS Top 20 Controls |
| Prevent | Cybersecurity Professionals Training and Development | Formal Training; Exercise and Evaluation | FFIEC; Electricity Sub-sector Cybersecurity Capability Maturity Model (ES-C2M2); NIST SP 800-50; NIST SP 800-53 Rev. 4; NIST SP 800-100; SANS Top 20 Controls |
| Prevent | Identity, Credential and Access Management | | ISO/IEC 24760; ISO 27001; FFIEC; HIPAA; HITRUST; Electricity Sub-sector Cybersecurity Capability Maturity Model (ES-C2M2); NIST SP 800-12; NIST SP 800-32; NIST SP 800-63; SANS Top 20 Controls |
| Prevent | Application Security | | HITRUST; ISO/IEC 27002; NIST SP 800-23; NIST SP 800-53 Rev. 4 |
| Prevent | Information Protection | Data at Rest; Data in Transit | FFIEC; HIPAA; HITRUST; ISO/IEC 27002; NERC CIP; NIST SP 800-53 Rev. 4; SANS Top 20 Controls |
| Prevent | Infrastructure Protection | System Protection; Network Protection; Mobile Security; Cloud Security | FFIEC; HITRUST; ISO/IEC 27002; NIST SP 800-14; NIST SP 800-41; NIST SP 800-46; NIST SP 800-47; NIST SP 800-53 Rev. 4; NIST SP 800-77; NIST SP 800-82; NIST SP 800-123; PCI-DSS; SANS Top 20 Controls |
| Prevent | Personnel Screening | | HITRUST; Electricity Sub-sector Cybersecurity Capability Maturity Model (ES-C2M2); NIST SP 800-53 Rev. 4 |
| Prevent | Physical Security | | FFIEC; HIPAA; HITRUST; ISO/IEC 27001; ISO/IEC 27002; NERC CIP; NIST SP 800-53 Rev. 4; SANS Top 20 Controls |
| Prevent | Supply Chain Security Management | Supply Chain Security Management; Acquisition Security; Product or Service Requirements | FFIEC; HITRUST; ISO/IEC 27002; Electricity Sub-sector Cybersecurity Capability Maturity Model (ES-C2M2); SOX 404; NIST SP 800-53 Rev. 4 |
| Prevent | Configuration Management | Patch Management | NIST SP 800-40; NIST SP 800-53 Rev. 4; NIST 800-126; NIST 800-128; SANS Top 20 Controls |
| Prevent | Key Management | | FIPS 140-2; NIST SP 800-32; NIST SP 800-53 Rev. 4; NIST SP 800-56; NIST 800-57; NIST SP 800-133 |
| Prevent | Secure Lifecycle Management | Risk, Vulnerability and Threat Mitigation; SDLC (System Development Life Cycle) | ISO/IEC 15288; IEEE 1220-2005; Electricity Sub-sector Cybersecurity Capability Maturity Model (ES-C2M2); NIST SP 800-37; NIST SP 800-64; NIST SP 800-53 Rev. 4; NIST SP 800-88 |
| Detect | Network Monitoring | | ISO/IEC 27006; Electricity Sub-sector Cybersecurity Capability Maturity Model (ES-C2M2); NIST 800-12; NIST SP 800-53 Rev. 4; NIST SP 800-92; NIST SP 800-137; SANS Top 20 Controls |
| Detect | Physical Monitoring | | NIST 800-12; NIST SP 800-53 Rev. 4 |
| Detect | Personnel Monitoring | | NIST SP 800-53 Rev. 4 |
| Detect | Intrusion Detection and Prevention | | NIST SP 800-53 Rev. 4; NIST SP 800-83; NIST SP 800-94; SANS Top 20 Controls |
| Respond | Event Lifecycle Management | | FFIEC; Electricity Sub-sector Cybersecurity Capability Maturity Model (ES-C2M2); NIST SP 800-61 |
| Respond | Incident Management | | ISO/IEC 27035; HIPAA; HITRUST; ISO/IEC 27002; NERC CIP; Electricity Sub-sector Cybersecurity Capability Maturity Model (ES-C2M2); NIST Special Publication 800-61; NIST SP 800-53 Rev. 4; NIST SP 800-61; NIST SP 800-83; NIST 800-86 |
| Recover | Contingency and Disaster Recovery | | HIPAA; NERC CIP; NIST Special Publication 800-34; NIST SP 800-34; NIST SP 800-53 Rev. 4; SANS Top 20 Controls |
| Recover | Business Continuity Management | | COBIT; FFIEC; HITRUST; ISO 22301; ISO/IEC 27002; NIST SP 800-34; NIST SP 800-53 Rev. 4 |
| Recover | Crisis Communications | | NIST SP 800-34; NIST SP 800-53 Rev. 4 |
| Recover | Continuous Improvement | | COBIT; NIST SP 800-53 Rev. 4 |
| Recover | Cybersecurity Resiliency | | NIST SP 800-34; NIST SP 800-53 Rev. 4 |