
Portland Uses the Cybersecurity Framework and Critical Security Controls

According to the Trends in Security Framework Adoption Survey, conducted by Dimensional Research on behalf of Tenable, 44% of organizations use more than one security framework. That is half of the 88% of organizations that are using a framework. Combining frameworks is seemingly encouraged by the NIST Framework for Improving Critical Infrastructure Cybersecurity (CSF) because it includes cross-references to other frameworks, including the Center for Internet Security Critical Security Controls (CSC). I have spoken with people at multiple organizations who see the CSF and the CSC as complementary. The CSF is well suited for risk assessment and to identify gaps between current and target profiles, while the CSC is well suited to guide detailed technical control implementation.

44% of organizations use more than one security framework

You may be saying to yourself, “Implementing a single framework is challenging enough. How can anyone implement more than one?” It is true that security framework implementation is challenging; as a rule it is a long-term project requiring a multi-year budget commitment. A key to success is to prioritize business services based on risk assessment and then to start implementing the most important controls for the highest-risk services. Using the CSF and CSC together can help you accomplish just that. The CSF can help you prioritize business services, and the CSC controls are themselves prioritized, so you can start implementation with the first five controls, designated Foundational Cyber Hygiene. Achieve a quick win, adapt if needed based on lessons learned, and then address the next highest priority. The next highest priority may be the next business service, or it may be implementing additional security controls for the current business service.


Figure: Implementing multiple frameworks. Starting with the Foundational Cyber Hygiene controls for the most critical business service, you can progress to additional controls and/or additional services.

The City of Portland, Oregon, is one organization that has taken this approach. It is using both the CSF and CSC frameworks to guide the evolution of its security program. Christopher Paidhrin, Portland’s Information Security Manager, uses both frameworks to meet the following objectives:

  • Prioritize risk and remediation
  • Identify security gaps and selective metrics
  • Align business risk to Critical Security Controls
  • Prioritize budget and resources

The CSC technical control implementation is directed by Brian Ventura, one of the city’s Information Security Architects.

Both Christopher and Brian will be presenting a case study explaining Portland’s experience at an upcoming Multi-State Information Sharing and Analysis Center (MS-ISAC) webcast, A Prioritized Approach to Implement the NIST CSF Using the CIS Critical Security Controls.

Christopher Paidhrin is a CSF expert and frequent conference speaker. He will share Portland’s risk-based security roadmap and has generously offered to make his roadmap planning spreadsheet available to attendees. Brian Ventura is a CSC expert who frequently teaches a SANS course about planning, implementing, and auditing the Critical Security Controls. Brian will explain how the city is implementing the CSC Foundational Cyber Hygiene controls, including examples from SecurityCenter Continuous View™.

Please join them for the webcast. I have seen a sneak peek of their content and know that it will be worth your time.
