ISMS Copilot
GRC prompt libraries

NIST Cybersecurity Framework prompt library

About this prompt library

This prompt library helps organizations implement the NIST Cybersecurity Framework (CSF) 2.0, a voluntary framework for managing cybersecurity risk. Use these prompts with ISMS Copilot to build or improve your cybersecurity program in line with the Framework's six core functions.

NIST CSF 2.0 (published in February 2024) expands the Framework from five to six functions with the addition of Govern, and emphasizes integration with enterprise risk management and cybersecurity supply chain risk management.

Implementing the Framework

Current Profile assessment

Assess our current cybersecurity posture using the NIST CSF 2.0 framework:

Organization context:
- Industry: [critical infrastructure sector or other]
- Organization size: [employees, locations, revenue]
- Risk environment: [threat landscape, regulatory requirements]
- Current security maturity: [basic/developing/mature/advanced]

For each CSF 2.0 function, assess current state:

GOVERN (GV): Cybersecurity risk management strategy, expectations, and policy
- GV.OC: Organizational context
- GV.RM: Risk management strategy integrated with enterprise risk
- GV.RR: Roles, responsibilities, and authorities
- GV.PO: Policy
- GV.OV: Oversight (review and adjustment of the risk strategy and its outcomes)
- GV.SC: Cybersecurity supply chain risk management

IDENTIFY (ID): Understanding assets, risks, and vulnerabilities
- ID.AM: Asset management (inventory, classification)
- ID.RA: Risk assessment (threat, vulnerability, impact)
- ID.IM: Improvement (lessons learned, continuous improvement)

PROTECT (PR): Safeguards to limit impact
- PR.AA: Identity management and access control
- PR.AT: Awareness and training
- PR.DS: Data security (protection at rest and in transit)
- PR.PS: Platform security (secure configuration, maintenance)
- PR.IR: Technology infrastructure resilience

DETECT (DE): Activities to discover cybersecurity events
- DE.CM: Continuous monitoring
- DE.AE: Adverse event analysis

RESPOND (RS): Actions upon detected cybersecurity incident
- RS.MA: Incident management
- RS.AN: Incident analysis
- RS.MI: Incident mitigation
- RS.CO: Incident reporting and communication

RECOVER (RC): Plans for resilience and restoration
- RC.RP: Recovery planning
- RC.CO: Recovery communications

For each category and subcategory relevant to our organization:
- Current implementation status (0=Not implemented, 1=Partial, 2=Risk informed, 3=Repeatable, 4=Adaptive; this is a per-subcategory scoring scale for the Profile, not a CSF Tier, which characterizes the organization's risk governance and management as a whole)
- Evidence of implementation (policies, procedures, tools, controls)
- Gaps and weaknesses
- Priority for improvement (Critical/High/Medium/Low)

Summarize overall maturity by function and provide prioritized improvement roadmap.

Target Profile development

Define our target cybersecurity posture (Target Profile) using NIST CSF 2.0:

Strategic context:
- Business objectives: [growth, digital transformation, new markets, M&A]
- Risk appetite: [conservative/moderate/aggressive]
- Regulatory drivers: [compliance requirements]
- Threat landscape: [specific threats we face]
- Resource constraints: [budget, staff, expertise]
- Timeline: [1 year, 3 years, 5 years]

For each CSF function and category:
- Target implementation level (desired maturity for this category, on the same 0-4 scale as the Current Profile)
- Rationale for target tier (why this level is appropriate for our risk)
- Priority outcomes and informative references to implement
- Estimated resources and timeline
- Dependencies and prerequisites

Create a Target Profile that balances risk reduction with business enablement and resource reality.

Address specific focus areas:
- Govern: Enhance board-level cybersecurity oversight, integrate with ERM
- Identify: Complete asset inventory, conduct annual risk assessments
- Protect: Implement zero trust architecture, deploy MFA universally
- Detect: Deploy EDR/SIEM, establish 24/7 SOC or MDR service
- Respond: Develop incident playbooks, conduct tabletop exercises
- Recover: Achieve [RTO/RPO targets], test DR quarterly

Provide gap analysis: Current vs. Target Profile, highlighting priority improvements to close gaps.
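As an added worked example (not part of the ISMS Copilot library), the following Python script turns a scored Current/Target Profile into the per-function maturity summary and prioritized roadmap that the two prompts above ask for. The subcategory IDs are real CSF 2.0 identifiers; the scores, criticality weights, the 0-4 implementation scale and the priority thresholds are constructed assumptions for this example, not CSF-defined values.

```python
"""Current-vs-Target Profile gap analysis for NIST CSF 2.0.

Added example, not code from ISMS Copilot. Subcategory IDs are real CSF 2.0
identifiers; scores, criticality weights and thresholds are constructed.
"""
from collections import defaultdict

# Per-subcategory implementation scale used by this example (an assumption,
# not a CSF scale; CSF Tiers apply to the organization, not to subcategories).
STATUS = {0: "Not implemented", 1: "Partial", 2: "Risk informed",
          3: "Repeatable", 4: "Adaptive"}
FUNCTION_OF = {"GV": "Govern", "ID": "Identify", "PR": "Protect",
               "DE": "Detect", "RS": "Respond", "RC": "Recover"}
PRIORITY_ORDER = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3, "None": 4}

# Constructed sample profile: (subcategory, current, target, criticality 1-3)
PROFILE = [
    ("GV.RM-01", 1, 3, 3),
    ("GV.SC-01", 0, 3, 3),
    ("ID.AM-01", 2, 3, 2),
    ("ID.RA-01", 2, 3, 2),
    ("PR.AA-03", 1, 4, 3),
    ("PR.DS-11", 2, 4, 3),
    ("DE.CM-01", 1, 3, 2),
    ("DE.AE-08", 0, 3, 3),
    ("RS.MA-01", 2, 3, 2),
    ("RC.RP-03", 0, 3, 3),
]


def function_of(subcategory):
    """'PR.AA-03' -> 'Protect'."""
    return FUNCTION_OF[subcategory.split(".")[0]]


def priority(gap, criticality):
    """Rank a gap by its size weighted by the criticality of the outcome.

    Thresholds are assumptions: 9+ Critical, 6+ High, 3+ Medium, else Low.
    """
    score = gap * criticality
    if score >= 9:
        return "Critical"
    if score >= 6:
        return "High"
    if score >= 3:
        return "Medium"
    return "Low" if score > 0 else "None"


def gap_analysis(profile):
    """One row per subcategory with gap and priority; rejects out-of-range scores."""
    rows = []
    for sub, current, target, crit in profile:
        if not (0 <= current <= 4 and 0 <= target <= 4):
            raise ValueError(f"{sub}: levels must be within {min(STATUS)}-{max(STATUS)}")
        gap = max(target - current, 0)  # exceeding the target is not a gap
        rows.append({"subcategory": sub, "function": function_of(sub),
                     "current": current, "target": target, "gap": gap,
                     "priority": priority(gap, crit)})
    return rows


def maturity_by_function(rows):
    """Function -> (mean current level, mean target level)."""
    cur, tgt, count = defaultdict(int), defaultdict(int), defaultdict(int)
    for r in rows:
        cur[r["function"]] += r["current"]
        tgt[r["function"]] += r["target"]
        count[r["function"]] += 1
    return {f: (round(cur[f] / count[f], 2), round(tgt[f] / count[f], 2))
            for f in count}


def roadmap(rows):
    """Subcategories with an open gap, highest priority and largest gap first."""
    open_rows = [r for r in rows if r["gap"] > 0]
    open_rows.sort(key=lambda r: (PRIORITY_ORDER[r["priority"]], -r["gap"], r["subcategory"]))
    return [r["subcategory"] for r in open_rows]


if __name__ == "__main__":
    rows = gap_analysis(PROFILE)
    for func, (cur, tgt) in maturity_by_function(rows).items():
        print(f"{func:<9} current {cur:.2f} -> target {tgt:.2f}")
    for r in rows:
        print(f"{r['subcategory']}: {STATUS[r['current']]} -> {STATUS[r['target']]} "
              f"(gap {r['gap']}, {r['priority']})")
    print("Roadmap:", ", ".join(roadmap(rows)))
```

Replace PROFILE with the scored subcategories from your own assessment; the weighting (gap times criticality) is deliberately simple so that it can be explained to an audit committee, and the roadmap orders ties by gap size so that the largest shortfalls inside a priority band are tackled first.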

GOVERN function

Cybersecurity governance framework

Establish cybersecurity governance per NIST CSF 2.0 GOVERN function:

GV.OC: Organizational Context
- Mission and objectives: [our business mission and how cybersecurity supports it]
- Critical assets and functions: [what must be protected]
- Legal, regulatory, contractual requirements: [GDPR, HIPAA, PCI DSS, contractual SLAs]
- Stakeholders: [customers, regulators, partners, board]

GV.RM: Risk Management Strategy
- Cybersecurity risk appetite statement: [acceptable vs. unacceptable risks]
- Integration with enterprise risk management (ERM)
- Risk assessment methodology and frequency
- Risk treatment priorities and criteria
- Risk reporting to executive leadership and board

GV.RR: Roles, Responsibilities, Authorities
- CISO or equivalent: [role, reporting line, authority]
- Security team structure: [SOC, GRC, engineering, etc.]
- Business unit responsibilities: [what business owns]
- Board oversight: [board committee, meeting frequency, reporting]
- Third-party roles: [MSSPs, consultants, auditors]

GV.PO: Policies, Processes, Procedures
- Information security policy framework
- Acceptable use, access control, data protection, incident response policies
- Procedure documentation and maintenance
- Policy approval and review cycle

GV.OV: Oversight
- Outcomes of the cybersecurity risk management strategy reviewed to inform and adjust strategy and direction
- Cybersecurity risk management performance evaluated and reviewed for adjustments needed

GV.SC: Cybersecurity Supply Chain Risk Management
- Supply chain risk management policy
- Supplier security requirements
- Vendor risk assessment and monitoring
- Contractual security clauses
- Software supply chain security (SBOM, dependency scanning)

Create governance charter, RACI matrix, and policy framework document.

IDENTIFY function

Asset management and classification

Implement asset management per NIST CSF ID.AM:

ID.AM-01: Inventory of physical devices and systems
- Servers, workstations, mobile devices, network equipment, IoT
- Asset attributes: owner, location, function, criticality
- Automated discovery tools: [CMDB, asset management platform]

ID.AM-02: Inventory of software platforms and applications
- Operating systems, applications, SaaS subscriptions
- Software licenses and versions
- End-of-life tracking

ID.AM-03: Organizational communication and data flows
- Network diagrams and data flow maps
- External information systems and connections
- Communication paths and protocols

ID.AM-04: External information systems
- Cloud services (IaaS, PaaS, SaaS)
- Partners and interconnected organizations
- Data sharing agreements

ID.AM-05: Resources (hardware, devices, data, personnel) prioritized
- Criticality classification (Tier 1 critical, Tier 2 important, Tier 3 routine)
- Business impact if unavailable
- Data classification (public, internal, confidential, restricted)

Create comprehensive asset register with criticality ratings and ownership for our environment:
[Describe infrastructure, applications, data, users]

Map to Informative References: ISO/IEC 27001:2022 A.5.9 (A.8.1 in the 2013 edition), CIS Controls v8 Controls 1-2, NIST SP 800-53 CM-8

Risk assessment program

Develop risk assessment program per NIST CSF ID.RA:

ID.RA-01: Asset vulnerabilities identified and documented
- Vulnerability scanning (internal, external, application)
- Penetration testing (frequency: [annual/biannual])
- Security assessments and audits
- Vulnerability remediation SLAs (Critical: X days, High: Y days)

ID.RA-02: Cyber threat intelligence received from information sharing forums
- Threat intelligence sources: [ISACs, vendor feeds, open source]
- Threat intelligence analysis and integration
- Sharing of threat indicators with peers and authorities

ID.RA-03: Threats (internal and external) identified and documented
- Threat modeling for critical assets and applications
- Attack scenarios (ransomware, phishing, insider threat, supply chain)
- Adversary tactics, techniques, and procedures (MITRE ATT&CK)

ID.RA-04 to ID.RA-07: Impact, risk, response, and change management
- Potential impacts and likelihoods of threats exploiting vulnerabilities identified and documented (confidentiality, integrity, availability)
- Threats, vulnerabilities, likelihoods, and impacts combined to understand inherent risk (likelihood x impact) and prioritize response
- Risk responses chosen, prioritized, planned, tracked, and communicated; residual risk formally accepted by the risk owner
- Changes and exceptions managed, assessed for risk impact, recorded, and tracked

ID.RA-08 to ID.RA-10: Vulnerability disclosure and supply chain assurance
- Process for receiving, analyzing, and responding to vulnerability disclosures (e.g. a published disclosure policy and security contact)
- Authenticity and integrity of hardware and software assessed before acquisition and use (signatures, provenance, SBOM review)
- Critical suppliers assessed before acquisition

Lessons learned from incidents and exercises, and updates to the risk assessment as systems, threats, and the business change, are tracked under ID.IM (Improvement) in CSF 2.0.

Our risk assessment approach:
- Methodology: [qualitative/quantitative/hybrid]
- Frequency: [annual formal assessment, continuous monitoring]
- Scope: [all systems, critical systems, specific projects]
- Tools: [risk assessment software, GRC platforms]

Create risk register, assessment procedures, and reporting templates.

PROTECT function

Identity and access management

Implement identity and access control per NIST CSF PR.AA:

PR.AA-01: Identities and credentials for authorized users, services, and hardware managed
- User provisioning/deprovisioning (joiner/mover/leaver process)
- Service accounts and API keys management (named owner, rotation, no shared credentials)
- Device and certificate management
- Identity lifecycle management

PR.AA-02: Identities proofed and bound to credentials based on the context of interactions
- Identity proofing at onboarding and for credential recovery (help-desk password and MFA resets are a common attack path)
- Binding of credentials to verified identities (NIST SP 800-63A/B assurance levels)

PR.AA-03: Users, services, and hardware authenticated
- Multi-factor authentication (MFA) for [all users / remote access / privileged accounts]; phishing-resistant MFA (FIDO2) for administrators
- Authentication technologies: [SSO, SAML, OIDC, FIDO2]
- Password policies per NIST SP 800-63B (minimum length, screening against breached-password lists, no composition rules, no forced periodic rotation)
- Passwordless authentication strategy

PR.AA-04: Identity assertions protected, conveyed, and verified
- SSO and federation: [Okta, Microsoft Entra ID (formerly Azure AD), Google Workspace]
- Federated access for partners and customers
- Signed and validated assertions and tokens (SAML signature validation, OIDC issuer and audience checks, short token lifetimes)

PR.AA-05: Access permissions, entitlements, and authorizations defined, managed, enforced, and reviewed
- Role-based access control (RBAC) or attribute-based access control (ABAC), including for cloud resources
- Least privilege enforcement
- Privileged access management (PAM) for administrative accounts
- Access reviews (frequency: [quarterly/annual])
- Access request and approval workflow
- Segregation of duties for sensitive functions

PR.AA-06: Physical access to assets managed, monitored, and enforced commensurate with risk
- Badge, visitor, and key controls for data centers, server rooms, and offices

Note: CSF 2.0 defines PR.AA-01 through PR.AA-06 only; there is no PR.AA-07.

Our environment:
- User count: [employees, contractors, customers]
- Identity systems: [Active Directory, Entra ID, Okta, custom]
- Privileged users: [number, roles]
- Critical systems requiring enhanced access controls: [list]

Create IAM policy, provisioning procedures, and access control matrix.
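An added example, not code from ISMS Copilot, of the access-review step under PR.AA-05 and the leaver and service-account hygiene under PR.AA-01: it reconciles a directory export against the HR roster and flags orphaned accounts, dormant privileged accounts and segregation-of-duties conflicts. The roster, the account export, the role names, the conflicting-role pairs, the review date and the 90-day dormancy threshold are all constructed assumptions.

```python
"""Periodic access review: orphaned, dormant-privileged and SoD findings.

Added example, not code from ISMS Copilot. All data below is constructed;
the dormancy threshold and the conflicting-role pairs are assumptions.
"""
from datetime import date

REVIEW_DATE = date(2024, 6, 30)   # assumed date of the review run
DORMANT_DAYS = 90                 # assumed: privileged account unused this long is a finding

# Assumed segregation-of-duties conflicts: no one may hold both roles of a pair.
SOD_CONFLICTS = {
    ("ap_create_vendor", "ap_approve_payment"),
    ("prod_deploy", "prod_change_approve"),
}

# Constructed HR roster: employee id -> (status, department)
HR = {
    "e100": ("active", "finance"),
    "e101": ("active", "engineering"),
    "e102": ("terminated", "finance"),
    "e103": ("active", "engineering"),
}

# Constructed directory export (one record per account)
ACCOUNTS = [
    {"sam": "alice", "hr_id": "e100", "privileged": False, "last_login": date(2024, 6, 28),
     "roles": {"ap_create_vendor", "ap_approve_payment"}},
    {"sam": "bob", "hr_id": "e101", "privileged": True, "last_login": date(2024, 2, 1),
     "roles": {"prod_deploy"}},
    {"sam": "carol", "hr_id": "e102", "privileged": False, "last_login": date(2024, 6, 1),
     "roles": {"finance_ro"}},
    {"sam": "svc-backup", "hr_id": None, "privileged": True, "last_login": date(2024, 6, 29),
     "roles": {"backup_operator"}},
    {"sam": "dave", "hr_id": "e103", "privileged": True, "last_login": date(2024, 6, 29),
     "roles": {"prod_deploy", "prod_change_approve"}},
]


def sod_violations(roles):
    """Conflicting role pairs contained in one account's role set."""
    return sorted((a, b) for a, b in SOD_CONFLICTS if a in roles and b in roles)


def review_account(acct, hr, today):
    """Findings for a single account; an empty list means it passes the review."""
    findings = []
    if acct["hr_id"] is None:
        # Service accounts have no HR record; they still need a named owner (PR.AA-01).
        findings.append("no_owner")
    else:
        record = hr.get(acct["hr_id"])
        if record is None or record[0] != "active":
            findings.append("orphaned")  # leaver (or unknown person) not deprovisioned
    if acct["privileged"] and (today - acct["last_login"]).days > DORMANT_DAYS:
        findings.append("dormant_privileged")
    for a, b in sod_violations(acct["roles"]):
        findings.append(f"sod:{a}+{b}")
    return findings


def access_review(accounts, hr, today):
    """Account name -> findings; accounts with no findings are omitted."""
    report = {}
    for acct in accounts:
        findings = review_account(acct, hr, today)
        if findings:
            report[acct["sam"]] = findings
    return report


if __name__ == "__main__":
    for name, findings in access_review(ACCOUNTS, HR, REVIEW_DATE).items():
        print(f"{name:<12} {', '.join(findings)}")
```

In a real review the directory export comes from the identity provider's API or a CSV export, and each finding becomes a ticket for the account owner; the point of the script is that the three classic audit findings (leavers still enabled, unused admin accounts, toxic role combinations) are mechanical checks that should run continuously, not only at the quarterly review.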

Data security

Implement data security measures per NIST CSF PR.DS (in CSF 2.0 this category has four subcategories, PR.DS-01, PR.DS-02, PR.DS-10, and PR.DS-11; the CSF 1.1 subcategories PR.DS-03 to PR.DS-09 were withdrawn or moved to other categories):

PR.DS-01: Confidentiality, integrity, and availability of data-at-rest protected
- Encryption standards: [AES-256, TDE for databases]
- Full disk encryption for endpoints
- Encryption of backups and archives
- Key management and rotation (keys held separately from the data they protect, e.g. in a KMS or HSM)
- Integrity checking mechanisms (hashing, digital signatures, file integrity monitoring)

PR.DS-02: Confidentiality, integrity, and availability of data-in-transit protected
- TLS 1.2+ for web traffic (TLS 1.3 preferred), with certificate validation enforced on clients
- VPN for remote access: [IPsec, WireGuard]
- Encrypted email (S/MIME, PGP) for sensitive communications
- Secure file transfer (SFTP, FTPS)

PR.DS-10: Confidentiality, integrity, and availability of data-in-use protected
- Secrets kept out of source code, logs, and crash dumps; secrets manager for application credentials
- Memory protection and confidential computing where the threat model requires it
- Data masking or tokenization in non-production environments

PR.DS-11: Backups of data created, protected, maintained, and tested
- Backup and restoration procedures (frequency, retention, testing)
- Offline or immutable copies that a compromised administrator account cannot delete or encrypt
- Regular restore tests with integrity verification of the restored data

Related outcomes that CSF 1.1 placed under PR.DS now live elsewhere in 2.0:
- Asset disposal and media sanitization (wiping, destruction): ID.AM-08
- Secure configuration baselines (CIS Benchmarks, vendor hardening guides), configuration management and change control: PR.PS-01
- Detection of unauthorized changes (file integrity monitoring): DE.CM-09
- Separation of development, test, and production environments: PR.IR-01
- Data loss prevention (DLP) and exfiltration monitoring: PR.DS-01/02/10 for the controls, DE.CM for the monitoring
- Data protection compliance (GDPR, CCPA, HIPAA): GV.OC-03 (legal, regulatory, and contractual requirements)

Our data landscape:
- Data types and classification: [customer PII, payment data, proprietary IP, public]
- Storage locations: [on-prem databases, cloud storage, SaaS applications]
- Data flows: [collection, processing, sharing, retention]

Create data protection policy, encryption standards, and DLP rules.

DETECT function

Continuous monitoring program

Establish continuous monitoring per NIST CSF DE.CM (CSF 2.0 subcategories DE.CM-01, -02, -03, -06, and -09; the CSF 1.1 numbers -04, -05, -07, and -08 were folded into these):

DE.CM-01: Networks and network services monitored
- Network monitoring (traffic analysis, flow records, IDS/IPS, NDR)
- DNS and egress monitoring for command-and-control and exfiltration

DE.CM-02: Physical environment monitored
- Physical environment monitoring (if applicable: data centers, facilities, badge and camera logs)

DE.CM-03: Personnel activity and technology usage monitored
- Authentication and authorization logs, privileged session recording
- Anomaly and behavioral analysis (UEBA)

DE.CM-06: External service provider activities and services monitored
- Cloud provider and MSSP activity logs, SLA compliance
- Third-party remote access sessions

DE.CM-09: Computing hardware and software, runtime environments, and their data monitored
- Malicious code detection (antivirus, EDR)
- Unauthorized hardware, software, and mobile code detection (application allow-listing, file integrity monitoring)
- System monitoring (event logs, performance, configuration drift against baselines)
- Vulnerability monitoring and scanning (continuous, not just periodic)
- Comprehensive coverage of all critical assets

Monitoring architecture:
- Log sources: [servers, network devices, applications, cloud, endpoints]
- Centralized logging: [SIEM platform, log management]
- Monitoring tools: [EDR, NDR, SIEM, vulnerability scanners]
- Coverage: [24/7 SOC, business hours, automated alerting]

Monitoring use cases and alerts:
- Failed authentication attempts (brute force, credential stuffing)
- Privilege escalation
- Lateral movement indicators
- Data exfiltration patterns
- Malware and ransomware indicators
- Configuration changes to critical systems
- Vulnerability exploitation attempts

Create monitoring policy, use case library, alert tuning procedures, and escalation matrix.

Adverse event analysis

Implement adverse event analysis per NIST CSF DE.AE (CSF 2.0 subcategories DE.AE-02, -03, -04, -06, -07, and -08; the CSF 1.1 baseline subcategory DE.AE-01 and alert-threshold subcategory DE.AE-05 were folded into DE.CM and DE.AE-08 respectively):

Baselines (still the reference point for analysis, even though no longer a separate subcategory):
- Normal traffic patterns and expected data flows
- Expected user behaviors
- Typical system performance and resource usage

DE.AE-02 to DE.AE-04: Analysis, correlation, and impact
- Potentially adverse events analyzed to understand the activity, targets, and methods
- Information correlated across multiple sources (SIEM correlation rules)
- Estimated impact and scope determined (severity, affected assets, data involved)

DE.AE-06 to DE.AE-08: Enrichment, alerting, and incident declaration
- Adverse-event information provided to authorized staff and tools (SOAR, ticketing)
- Cyber threat intelligence and other contextual information integrated into the analysis (indicator matching, asset criticality)
- Incidents declared when adverse events meet defined incident criteria (criteria documented, declaration recorded and time-stamped)
- Detection processes tested and improved (tracked under ID.IM-01/02 in CSF 2.0)

Our detection capabilities:
- SIEM: [platform, log sources, correlation rules]
- Threat intelligence integration: [feeds, IOC matching]
- Analysis team: [SOC analysts, tier 1/2/3 structure, or MSSP]
- Alert volume and false positive rate: [current state]

Create event analysis playbook:
- Alert triage procedures
- Investigation steps by alert type
- Escalation criteria (when alert becomes incident)
- Documentation requirements
- Continuous improvement (alert tuning, new detections)

Map to MITRE ATT&CK for detection coverage across tactics and techniques.
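The following added example (not from ISMS Copilot) implements two of the monitoring use cases listed in the continuous monitoring prompt, brute force and credential stuffing, over constructed sshd log lines, and then carries the resulting alerts through the DE.AE steps above: enrichment with a threat-intelligence indicator and incident declaration against defined criteria. The log lines, the indicator, the thresholds and the incident criteria are assumptions made up for the example; only the syslog line shape follows OpenSSH.

```python
"""Failed-authentication detections and incident declaration over sample logs.

Added example, not code from ISMS Copilot. Log lines use the TEST-NET address
ranges and are constructed; thresholds, the IOC list and the incident
criteria are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")

WINDOW = timedelta(minutes=5)   # assumed correlation window
BRUTE_FORCE_FAILS = 5           # failures from one source against one account
STUFFING_ACCOUNTS = 4           # distinct accounts failed from one source
SUCCESS_AFTER_FAILS = 3         # failures before a success that we treat as suspicious
IOC_IPS = {"198.51.100.77"}     # constructed threat-intel indicator (DE.AE-07)

SAMPLE_LOG = """\
2024-06-30T10:00:01Z sshd[811]: Failed password for alice from 203.0.113.5 port 51234 ssh2
2024-06-30T10:00:03Z sshd[812]: Failed password for alice from 203.0.113.5 port 51235 ssh2
2024-06-30T10:00:06Z sshd[813]: Failed password for alice from 203.0.113.5 port 51236 ssh2
2024-06-30T10:00:09Z sshd[814]: Failed password for alice from 203.0.113.5 port 51237 ssh2
2024-06-30T10:00:12Z sshd[815]: Failed password for alice from 203.0.113.5 port 51238 ssh2
2024-06-30T10:00:20Z sshd[816]: Accepted password for alice from 203.0.113.5 port 51239 ssh2
2024-06-30T10:01:00Z sshd[820]: Failed password for bob from 198.51.100.77 port 40001 ssh2
2024-06-30T10:01:02Z sshd[821]: Failed password for carol from 198.51.100.77 port 40002 ssh2
2024-06-30T10:01:04Z sshd[822]: Failed password for invalid user dave from 198.51.100.77 port 40003 ssh2
2024-06-30T10:01:06Z sshd[823]: Failed password for erin from 198.51.100.77 port 40004 ssh2
2024-06-30T10:30:00Z sshd[830]: Failed password for frank from 192.0.2.9 port 33000 ssh2
2024-06-30T10:30:30Z sshd[831]: Accepted password for frank from 192.0.2.9 port 33001 ssh2
"""


def parse(log_text):
    """Parse sshd password-auth lines into events; unrelated lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m:
            events.append({"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
                           "ok": m["result"] == "Accepted",
                           "user": m["user"], "ip": m["ip"]})
    return events


def detect(events):
    """Sliding-window detections: brute force, credential stuffing, success after failures."""
    alerts = []
    fails = defaultdict(list)    # (ip, user) -> failure timestamps inside WINDOW
    recent = defaultdict(dict)   # ip -> {user: timestamp of last failure}
    for e in sorted(events, key=lambda e: e["ts"]):
        key, ts = (e["ip"], e["user"]), e["ts"]
        fails[key] = [t for t in fails[key] if ts - t <= WINDOW]
        if not e["ok"]:
            fails[key].append(ts)
            recent[e["ip"]][e["user"]] = ts
            if len(fails[key]) == BRUTE_FORCE_FAILS:
                alerts.append({"type": "brute_force", "ip": e["ip"], "user": e["user"], "ts": ts})
            targeted = [u for u, t in recent[e["ip"]].items() if ts - t <= WINDOW]
            if len(targeted) == STUFFING_ACCOUNTS:
                alerts.append({"type": "credential_stuffing", "ip": e["ip"], "user": None, "ts": ts})
        elif len(fails[key]) >= SUCCESS_AFTER_FAILS:
            # A single typo followed by a login is noise; several failures then a success is not.
            alerts.append({"type": "success_after_failures", "ip": e["ip"], "user": e["user"], "ts": ts})
            fails[key] = []
    return alerts


def declare_incidents(alerts, ioc_ips):
    """DE.AE-07/08: enrich each alert with threat intel, then apply incident criteria."""
    incidents = []
    for a in alerts:
        a["ioc_match"] = a["ip"] in ioc_ips
        # Assumed criteria: a likely account compromise, or stuffing from a known-bad source.
        if a["type"] == "success_after_failures" or (a["type"] == "credential_stuffing" and a["ioc_match"]):
            incidents.append({"severity": "High", "alert": a})
    return incidents


if __name__ == "__main__":
    alerts = detect(parse(SAMPLE_LOG))
    for a in alerts:
        print(a["ts"].isoformat(), a["type"], a["ip"], a["user"])
    print(f"{len(declare_incidents(alerts, IOC_IPS))} incident(s) declared")
```

The brute-force alert alone is left as an alert rather than an incident, which is the kind of threshold decision DE.AE-08 asks you to write down: a lone failed burst is routine internet noise, a burst followed by a successful login is a probable compromise, and a stuffing pattern from an address already on a threat feed is worth an incident even before any success is seen.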

RESPOND function

Incident management program

Develop incident management per NIST CSF RS.MA:

RS.MA-01: Incident response plan executed in coordination with relevant third parties once an incident is declared
- Incident response plan documented and approved
- Incident response roles and responsibilities (incident commander, technical, communications, legal)
- Incident handling procedures following the NIST SP 800-61 lifecycle (preparation; detection and analysis; containment, eradication, and recovery; post-incident activity)
- Retainers and contacts for external IR firms, legal counsel, insurers, and law enforcement

RS.MA-02 to RS.MA-04: Triage, categorization, and escalation
- Incident reports triaged and validated (monitoring alerts, user reports, third-party notifications)
- Incidents categorized and prioritized (severity, affected assets, data involved, regulatory exposure)
- Incidents escalated or elevated as needed (defined thresholds for executive, legal, and board involvement)

RS.MA-05: Criteria for initiating incident recovery applied
- Defined hand-off criteria from containment and eradication to recovery (RC.RP), so that systems are not restored while the attacker still has access

Communication with internal and external stakeholders (customers, regulators, law enforcement) and voluntary information sharing with ISACs and threat-intelligence communities fall under RS.CO-02 and RS.CO-03 in CSF 2.0; include them in the same plan.

Incident response framework:

1. Preparation
- Incident response team: [members, on-call rotation]
- Tools and resources: [forensic tools, backup systems, communication channels]
- Incident response playbooks by scenario (ransomware, data breach, DDoS, insider threat)

2. Detection and Analysis
- Incident detection sources (monitoring alerts, user reports, threat intel)
- Incident classification and severity (Critical/High/Medium/Low)
- Initial analysis and scoping

3. Containment, Eradication, Recovery
- Short-term containment (isolate affected systems)
- Long-term containment (patching, hardening)
- Eradication (remove malware, close vulnerabilities, remove attacker access)
- Recovery and restoration (rebuild systems, restore from clean backups, return to normal operations)

4. Post-Incident Activity
- Lessons learned review (what worked, what didn't, how to improve)
- Evidence retention for legal and regulatory purposes
- Update threat intelligence and detection rules

Our incident response context:
- Incident history: [types and frequency of incidents we've faced]
- MTTR: [current mean time to resolve]
- Communication requirements: [breach notification laws, customer SLAs]

Create incident response plan, playbooks for common scenarios, communication templates, and training schedule (tabletop exercises, simulations).

RECOVER function

Recovery planning

Develop recovery capabilities per NIST CSF RC.RP:

RC.RP-01 to RC.RP-02: Recovery execution and scoping
- Recovery portion of the incident response plan executed once initiated from the incident response process
- Recovery actions selected, scoped, prioritized, and performed (critical functions first, aligned with business continuity and disaster recovery plans)
- Recovery time and point objectives met (RTO/RPO targets: [specify])

RC.RP-03: Integrity of backups and other restoration assets verified before use
- Hash or signature verification of backups, and scanning for malware and attacker persistence, before restoring (a backup taken after the initial compromise re-introduces the attacker)

RC.RP-04 to RC.RP-06: Post-incident norms, verification, and closure
- Critical mission functions and cybersecurity risk considered when establishing post-incident operational norms
- Integrity of restored assets verified, systems and services restored, and normal operating status confirmed
- End of recovery declared against defined criteria and incident documentation completed

Lessons learned and recovery-plan updates are tracked under ID.IM (Improvement) in CSF 2.0, and recovery communications under RC.CO.

Recovery framework:

1. Business Impact Analysis
- Critical business functions: [identify critical processes]
- Maximum tolerable downtime (MTD): [by function]
- Recovery time objective (RTO): [target time to restore]
- Recovery point objective (RPO): [acceptable data loss]

2. Recovery Strategies
- Data recovery: [backup and restoration procedures]
- System recovery: [rebuild, restore from image, failover to DR site]
- Alternative processing: [manual workarounds, degraded mode operations]
- Third-party recovery services: [DRaaS, cold/warm/hot site]

3. Recovery Procedures
- Step-by-step recovery procedures for critical systems
- Recovery sequence and dependencies
- Validation and testing steps
- Rollback procedures if recovery fails

4. Recovery Testing
- Test scenarios (ransomware recovery, infrastructure failure, data corruption)
- Test frequency: [annual full DR test, quarterly component tests]
- Test documentation and results
- Gap remediation based on test findings

5. Communication During Recovery
- Internal communications (status updates, recovery progress)
- Customer communications (service status, expected restoration)
- Stakeholder updates (leadership, board, regulators)

Our recovery priorities:
- Tier 1 critical systems: [must recover within X hours]
- Tier 2 important systems: [must recover within Y hours]
- Tier 3 routine systems: [recover within Z days]

Create recovery plans, testing schedule, and communication templates for recovery scenarios.
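As an added example, not part of the ISMS Copilot library, the script below shows the integrity verification that PR.DS-01 asks for on data at rest and that RC.RP-03 requires before a backup is restored: a keyed (HMAC-SHA256) manifest of file hashes is built when the backup is taken and checked before restoration, so that a modified, missing or injected file, or a manifest re-signed without the key, blocks the restore. The backup files are constructed in a temporary directory and the manifest key is an assumption; in production the key lives in a KMS or HSM separate from the backup storage, otherwise whoever tampers with the backup can simply re-sign the manifest.

```python
"""Keyed hash manifest: build at backup time, verify before restoration.

Added example, not code from ISMS Copilot. The backup set is constructed in a
temporary directory; MANIFEST_KEY is an assumption (keep it outside the backup
storage in practice).
"""
import hashlib
import hmac
import json
import os
import tempfile
from pathlib import Path

MANIFEST_KEY = b"example-key-stored-outside-backup-storage"  # assumed


def sha256_file(path, chunk=1 << 16):
    """Streaming SHA-256 so that large backup files are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def _files_under(root):
    root = Path(root)
    return {str(p.relative_to(root)).replace(os.sep, "/"): p
            for p in sorted(root.rglob("*")) if p.is_file()}


def _tag(files, key):
    body = json.dumps(files, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def build_manifest(root, key):
    """Relative path -> SHA-256, plus an HMAC over the whole listing."""
    files = {rel: sha256_file(p) for rel, p in _files_under(root).items()}
    return {"files": files, "hmac": _tag(files, key)}


def verify_backup(root, manifest, key):
    """Return (ok, problems). Restoration must not proceed unless ok is True."""
    if not hmac.compare_digest(_tag(manifest["files"], key), manifest["hmac"]):
        return False, ["manifest HMAC mismatch: manifest tampered or wrong key"]
    present = _files_under(root)
    problems = []
    for rel, digest in manifest["files"].items():
        if rel not in present:
            problems.append(f"missing: {rel}")
        elif sha256_file(present[rel]) != digest:
            problems.append(f"modified: {rel}")
    for rel in sorted(set(present) - set(manifest["files"])):
        problems.append(f"unexpected: {rel}")
    return not problems, problems


def demo():
    """Constructed scenario: clean backup passes; tampered set and forged manifest fail."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "db").mkdir()
        (root / "db" / "customers.sql").write_bytes(b"CREATE TABLE customers (id INT);\n")
        (root / "config.yaml").write_bytes(b"rto_hours: 4\n")
        manifest = build_manifest(root, MANIFEST_KEY)
        clean_ok, _ = verify_backup(root, manifest, MANIFEST_KEY)

        # Attacker (or ransomware) alters one file and drops another into the backup set.
        (root / "db" / "customers.sql").write_bytes(b"DROP TABLE customers;\n")
        (root / "payload.bin").write_bytes(b"\x00")
        tampered_ok, problems = verify_backup(root, manifest, MANIFEST_KEY)

        # Attacker recomputes the hashes but cannot produce a valid HMAC without the key.
        forged = {"files": build_manifest(root, b"attacker-has-no-key")["files"],
                  "hmac": manifest["hmac"]}
        forged_ok, _ = verify_backup(root, forged, MANIFEST_KEY)
        return clean_ok, tampered_ok, sorted(problems), forged_ok


if __name__ == "__main__":
    print(demo())
```

A plain list of SHA-256 values already catches corruption and accidental change; the HMAC is what makes the manifest useful against an adversary, and a digital signature with a key held by a separate system would serve the same purpose. Either way the check belongs in the restore runbook as a gate, not as a post-restore report.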

Implementation Tiers and roadmap

Implementation Tier assessment and progression

Assess our NIST CSF Implementation Tier and plan progression:

CSF Tiers characterize how an organization governs and manages cybersecurity risk. They apply to the organization's risk practices as a whole, not to individual subcategories, and CSF 2.0 describes each tier along two dimensions: Cybersecurity Risk Governance and Cybersecurity Risk Management.

Tier 1: Partial
- Governance: Risk strategy applied ad hoc; prioritization not formally based on objectives or the threat environment
- Risk management: Limited organization-level awareness of cybersecurity risk; irregular, case-by-case management; little internal information sharing; supply chain risk generally unaddressed

Tier 2: Risk Informed
- Governance: Practices approved by management but not established as organization-wide policy; prioritization informed by objectives, threat environment, and business requirements
- Risk management: Organization-level awareness but no organization-wide approach; risk assessments performed but not consistently repeated; information shared informally; awareness of supply chain risk without consistent action

Tier 3: Repeatable
- Governance: Practices formally approved and expressed as policy, updated regularly as business requirements and the threat landscape change
- Risk management: Organization-wide, risk-informed policies, processes, and procedures; staff have the knowledge and skills for their roles; regular collaboration and information sharing with external parties; supply chain risk governed and managed

Tier 4: Adaptive
- Governance: Organization-wide approach embedded in the culture; strategy adapts from lessons learned and predictive indicators; continuous improvement
- Risk management: Real-time or near-real-time understanding of risk; cybersecurity risk integrated with enterprise risk management and budgeting; proactive external sharing that the organization then uses to adapt; supply chain risk actively managed

Current Tier Assessment:
- Cybersecurity Risk Governance tier: [1-4, with evidence]
- Cybersecurity Risk Management tier: [1-4, with evidence]
- Overall tier: [1-4]

Target Tier: [desired maturity level]
Rationale: [why this tier aligns with our risk appetite and resources; NIST encourages moving to a higher tier only where doing so reduces risk cost-effectively, so Tier 4 is not a required goal for every organization]

Progression Plan:
- Year 1: Achieve Tier [X]
  - Actions: [formalize policies, implement tools, train workforce]
- Year 2: Achieve Tier [Y]
  - Actions: [integrate with ERM, establish external partnerships, continuous improvement]
- Year 3: Achieve Tier [Z]
  - Actions: [adaptive capabilities, real-time monitoring, culture of cybersecurity]

Create tier progression roadmap with milestones, resource requirements, and success metrics.

NIST CSF is flexible and scalable: organizations of any size and in any sector can use it. Start where you are, prioritize on the basis of risk, and work incrementally toward your target maturity level.
