Background
ACME Manufacturing is a computer peripheral manufacturer with an annual income of $0.5B, and approximately 7,000 employees. In the past year, they have been impacted by cyber security attacks which have caused them significant productivity loss, and a lawsuit whose results included a mandate that they would have to increase their cyber-security protection and undergo annual audits to prove progress towards a more secure environment, that is inline with their industry peers.
As a result, their Board of Directors and through them, their Chief Financial Officer (CFO) has instructed their Chief Information Security Officer (CISO), to perform a standardized Security Assessment, understand how secure they are today as compared to other, similarly sized US based manufacturing companies, set goals to reach the higher end of their peer group’s median scores in this assessment, and then perform a number of Cyber Risk Quantification workshops to ensure that their security initiatives (controls) are addressing not only areas of improvement needed based on the assessment findings, but also prioritized based on the cost of different cyber security attack vectors that they are susceptible to. In the upcoming hands-on-labs, you will be performing the tasks requested by the CFO, with a few short detours to review how organizations in other industries, such as Energy, would perform similar actions.
You will be using the Axio360 platform to perform these actions as a set of Hands-on-labs.
Getting Started
In this lab, we will navigate to the Axio360 website for eLearning instances, log into it, and get started with an Assessment workshop/exercise using the NIST CSF Assessment.
- Navigate to https://demo-360.axio.com and sign in. Use your corporate email address. You might have received a temporary password, if not, click Forgot password. An email with a reset link will be sent, if you do not receive that email within 5 minutes, check your Junk Mail folder.
Your landing page will show several sample assessments once you’ve logged in, like the following (the Assessment Scores may vary slightly):
Assessment overview page post login
If you do not have any assessments in your instance, you see this on the main portal page:
Welcome page post login
You can expand and collapse the left navigation menu, click >> to expand and read the full text menu items. Click << to collapse the menu.
New Assessment
We will start a new Assessment initially to work through some of the features we just learned about, along with satisfying the requirements of the CFO. The first assessment we will do is on ACME’s IT department.
1. From the bottom left aggregate menu, select the up chevron (1) and create a new CSF Full Assessment (2).
Aggregate menu
2. On the New Assessment modal, enter
- the Assessment Name. For example, use HOL ACME IT Assessment (test).
- a Description. For example, type in All of the organization IT assets.
3. For the Tags, select View Full Tag Tree on the bottom right to see the list of Tags available.
Full tag tree
4. Expand the Industry node, select Manufacturing.
5. Expand the Organization node, select Division or Business Unit or Another Subunit. For this lab, we only assess the IT unit of ACME Manufacturing.
6. Expand the System Type node, select IT.
7. Click Save Tags. Tags can also be added via text entry.
8. Ignore the Target Source field for now and click Save.
Working Through an Assessment
Starting with the current assessment, the first question in the NIST CSF Full assessment is in the IDENTIFY (ID) section, and the category ID.AM – Asset Management. It specifically asks to rank where ACME manufacturing is on Physical devices and systems within the organization are inventoried. Typically this is asked of a group of key stakeholders.
1. While this question is selected, navigate to the right tabbed menu, and select Advice. On the Advice tab, you can ask question, see questions from other users, or see responses from Axio to questions asked. This type of content might not be there for all questions and categories of an assessment. Customer teams usually create this content with their team interactions and questions for Axio support services members.
Advice tab
2. In the Assessment Management section, hover over Partially Implemented to see inline help Subcategory is implemented with material gaps. Hover over the Largely Implemented, to see inline help Subcategory is implemented with gaps that are not material.
A good way to ascertain which answer to select is to hover over each option the first time you’re answering these types of questions. Additional information about each question is also available in the Advice tab on the top right.
For this example exercise, select Largely Implemented.
Adding Actions, Evidence and Notes
1. Select the Evidence tab and add the following in Owner Rationale:
ACME Manufacturing’s IT group uses Microsoft’s Endpoint Configuration Manager, a component of which is formerly known as Microsoft Systems Center. This proactively identifies all hardware and software running on IT devices. At this stage we have implemented this fully for software, but partially for hardware.
2. Click Save, to make sure the Owner Rationale is saved.
3. Under Links to Supporting Evidence, type ACME Manufacturing IT MS Endpoint Config Mgr. Implementation 02_20_22.
4. In the location field, type in SharePoint (if you don’t specify a location, you will not be able to save). In real-world scenarios, you would provide the actual link.
5. Click Save.
6. Select the Activity Tab and under Target, select Fully Implemented.
7. Click the Calendar under target, select a date on a weekday 1 year from today.
8. Under Action Items enter the following Enable and enforce hardware inventory in Microsoft's Endpoint Configuration Manager. Normally this is assigned to the person responsible for the software or component in question.
In this case, assign it a date corresponding to the date selected for the Target date above. If you don’t see the calendar icon, click in the Action Items text box.
Note: Axio360 can be integrates with ticeting systems, such as ServiceNow’s Service Manager.
9. Under Notes, type in ACME Manufacturing has standardized on Microsoft’s Endpoint Configuration Manager for several functions, including software and hardware inventory. Microsoft’s Endpoint Configuration Manager including Microsoft’s Configuration Manager, formerly known as Systems Center, Microsoft Intune, Microsoft Desktop Analytics, Microsoft Autopilot, and several other features and it will be referred to in several locations in this assessment.
10. Click Save. This is very important here!
Note: It is usually helpful to have a second person running the workshop, to take notes, while the first person leads the workshop.
11. For the next question, Software platforms and applications within the organization are inventoried hover over Fully Implemented to read the definition and select Fully Implemented.
12. Select the Evidence tab to copy and paste the content you added in the previous question starting with ACME Manufacturing’s IT group uses Microsoft’s Endpoint Configuration Manager….
13. Under Links to Supporting Evidence, repeat ACME Manufacturing IT MS Endpoint Config Mgr. Implementation 02_20_21.
As part of this exercise, we explore how to navigate to other sections of an assessment works and we look at using target profiles.
1. To navigate to a question in another section of the NIST CSF Full, in the tree view or the tabbed top navigation select PROTECT.
2. From the left Identify menu, select Awareness and Training.
3. Next to your user avatar find Profile, switch from Current to Target.
This sets our next actions as the targets we are trying to achieve over time. Setting questions as targets can also be done by toggling via "click+shift" when selecting a question.
4. For each of the five questions, set the Target to Fully Implemented, and use the calendar to set a date to 1 year from today.
5. Change the Profile back to Current. The targets plus the dates have been modified for each of these questions:
Target changed including dates
Inheritance or Subcategory Delegation and Flagged Items
Fill in remaining data points for the exercise as provided below.
1. Under Question 1 for All users are informed and trained, select Fully Implemented. The IT group has been proactive about educating not just IT employees, but all ACME Manufacturing employees.
2. This question applies to all of ACME Manufacturing, click on the Delegate Subcategory to Another Assessment button and then select Publish. This will mean that other assessments don’t have to redo the response to this question. This feature is also referred to as Inheritance. This will now show the question as published/delegated:
Target changed including dates
Click the Flag.
3. Navigate back to the IDENTIFY (ID) function, for question 5 under Asset Management Resources (e.g., hardware, devices, data, time, personnel, and software) are prioritized based on their classification, criticality, and business value, click on the Flag.
4. For this question, on Next click the up chevron.
Flagged option
5. Select Flagged. This allows you to navigate through all your flagged items.
6. Click Next. Clicking Next takes you back to question 1 in the PROTECT (PR) function under Awareness and Training. Using flags this way allows you to flag items you’d like to get back to later and quickly navigating through only flagged items.
Assessment Sharing
Now that we’ve made some progress on this Assessment, let’s share it with others who can help (or view).
1. Navigate to your user accout icon, select Share Assessment.
2. On the Ownership and Sharing screen, invite someone from your company – must have same domain name (please note that it is possible to invite people from other companies, but requires the Admin for your instance to allow external sharing).
3. Let the invitee know they may receive an email and ask them to please to ignore it.
4. Once you have added that person, notice the pencil icon to the right. The default is Edit, you may change it to read only. For this exercise, keep the default Can edit permission.
Flagged option
5. Under the Invite line, select Add Message and type:
Hi <Employee Name>:
Please ignore this invite that would normally be used to allow you to review the assessment and modify as needed.
Thanks
6. Click Invite.
7. Click Done. You have now shared this assessment with the employee as intended.
Generating a Report
While this assessment is far from complete, we will generate a report for this exercise.
1. On the bottom left, click Full Report. 1.When prompted, select Display notes inline.
2. Click on Generate Report.
3. Depending on the amount of data already entered, generating a report might take a moment. Once the report is ready, generate a PDF version of the NIST CSF, Axio generated report. You will get a screen notification that the Report generation is complete. Select View to view the report.
Comments
0 comments
Please sign in to leave a comment.