Exercise: Baldrige Cybersecurity Excellence Builder (BCEB)
This lab introduces the student to the Baldrige Cybersecurity Excellence Builder (BCEB), a self-assessment tool to help organizations assess how effectively they are implementing the NIST Cybersecurity Framework (NIST CSF). It applies concepts learned during Lesson 3D in Module 3: Managing Security, Safety, and Risk of the Cyber-Physical Industry course.
Even though it was designed to be compatible with the CSF, it can also be used by organizations that take other approaches to cybersecurity operations and risk management.
This exercise will help the student:
- Become familiar with the Criteria for Performance Excellence from the Malcolm Baldrige National Quality Awards (MBNQA) program
- Become familiar with the cybersecurity-related criteria that the BCEB adds to MBNQA, and how they are designed to work together
- Apply ADLI (Approach-Deployment-Learning-Integration) to BCEB process categories
- Apply LeTCI (Levels-Trends-Comparison-Integration) to the BCEB results category
Resources:
- Download the Baldrige Cybersecurity Excellence Builder (BCEB) v1.0: https://www.nist.gov/sites/default/files/documents/2017/04/03/baldrige-cybersecurity-excellence-builder-v1.0.pdf
- Download the FitHabits Case Study: https://www.nist.gov/sites/default/files/documents/2017/02/06/2016-FitHabits-Case-Study.pdf
Preparation:
- Download the resources listed above
- Print BCEB p. 24 and 25 (Assessment Rubric) for each participant
- Print BCEB p. 31 and 32 (Self-Analysis Worksheet) for each participant
- Print an extra copy of BCEB p. 31 and 32 for teams only (to use in consensus process)
- Print BCEB p. 29 and 30 (Overview) for each participant – Optional but can be helpful
Knowledge, Skills, and Abilities (KSAs):
- K0002: Knowledge of risk management processes (e.g., methods for assessing and mitigating risk).
- K0008: Knowledge of applicable business processes and operations of customer organizations.
- K0048: Knowledge of Risk Management Framework (RMF) requirements.
- K0053: Knowledge of measures or indicators of system performance and availability.
- K0054: Knowledge of current industry methods for evaluating, implementing, and disseminating information technology (IT) security assessment, monitoring, detection, and remediation tools and procedures utilizing standards-based concepts and capabilities.
- K0084: Knowledge of structured analysis principles and methods.
- K0101: Knowledge of the organization’s enterprise information technology (IT) goals and objectives.
- K0146: Knowledge of the organization's core business/mission processes.
- K0149: Knowledge of organization's risk tolerance and/or risk management approach.
- K0150: Knowledge of enterprise incident response program, roles, and responsibilities.
- K0169: Knowledge of information technology (IT) supply chain security and risk management policies, requirements, and procedures.
- K0198: Knowledge of organizational process improvement concepts and process maturity models (e.g., Capability Maturity Model Integration (CMMI) for Development, CMMI for Services, and CMMI for Acquisitions).
- K0258: Knowledge of test procedures, principles, and methodologies (e.g., Capabilities and Maturity Model Integration (CMMI)).
- K0612: Knowledge of what constitutes a “threat” to a network.
- S0034: Skill in discerning the protection needs (i.e., security controls) of information systems and networks.
- S0038: Skill in identifying measures or indicators of system performance and the actions needed to improve or correct performance, relative to the goals of the system.
- S0085: Skill in conducting audits or reviews of technical systems.
- S0359: Skill to use critical thinking to analyze organizational patterns and relationships.
- A0106: Ability to think critically.
- A0117: Ability to relate strategy, business, and technology in the context of organizational dynamics.
- A0118: Ability to understand technology, management, and leadership issues related to organization processes and problem solving.
- A0119: Ability to understand the basic concepts and issues related to cyber and its organizational impact.
- Policy, Legal, Ethics, and Compliance (PLE)
- Industrial Control Systems (ICS)