Week 11 Lab: Applying the NIST Cybersecurity Framework (CSF 2.0)
Overview
In this lab you will apply the NIST Cybersecurity Framework (CSF 2.0) to realistic organisational scenarios.
You will work in groups to:
- Build a mini CSF Profile (Current vs Target)
- Assess organisational maturity using CSF Tiers (1-4)
- Use the Cyber Defense Matrix (CDM) to map strengths and gaps
- Analyse a realistic incident using the NIST Functions
Total time: ~2 hours
Group size: up to 5 students
--
Note:
You may use any tool for documtation Word, Excel, Power Point or even handwritten notes
Learning Outcomes
By the end of this lab, you should be able to:
- Identify relevant CSF Functions, Categories and Subcategories
- Assess organisational maturity using CSF Tiers
- Build simple Current and Target Profiles
- Use the Cyber Defense Matrix to map controls across asset classes
- Apply the CSF to incident analysis and propose improvements
Online Resources
NIST CSF 2.0
- Overview: https://www.nist.gov/cyberframework
- CSF Core (Functions, Categories, Subcategories):
- NIST CSF Reference Tool (filter Categories/Subcategories):
- Profiles: https://www.nist.gov/cyberframework/profiles
Cyber Defense Matrix
- CDM official site: https://cyberdefensematrix.com
Optional References
- MITRE ATT&CK: https://attack.mitre.org
- CISA Cyber Essentials: https://www.cisa.gov/cyber-essentials
- NCSC CAF: https://www.ncsc.gov.uk/caf
Group Instructions
- Form groups of up to 5 students
- Choose one scenario
- Complete all three tasks
- Use the linked tools to justify your choices
- Prepare a 2-3 minute presentation summary at the end
Scenario Options (Choose One)
Scenario A - Small Private Clinic (Healthcare)
A small private clinic with around 20 staff manages patient care, billing and imaging services. The clinic relies heavily on cloud-based systems but lacks dedicated cybersecurity expertise.
Expanded details:
- Electronic health records (EHR) hosted on a third-party cloud provider
- Medical images stored with a separate imaging provider
- Staff use unmanaged Windows desktops and personal mobile devices
- Policies for password use, data handling and device security are outdated
- No formal incident response plan or reporting process
- No maintained asset inventory for devices or cloud services
- Personal browser extensions and cloud storage apps installed on work machines
- Weekly backups configured by a previous IT contractor but never tested
- Billing handled by an external supplier with unclear security practices
- Several staff recently received phishing emails imitating the clinic director
Key risks: patient data loss or exposure, ransomware infection, supply chain misuse, unauthorised device access.
Scenario B - Retail Shop with E-commerce
A local retail shop runs both a physical store and an online shop. The business depends on a small internal team and a freelance web developer who manages the website infrastructure.
Expanded details:
- Customer data stored in a local MySQL database and exported into spreadsheets
- Online shop hosted on shared hosting with minimal isolation
- Payment transactions are handled by a third-party processor (PCI DSS not verified)
- No centralised monitoring; logs stored separately on hosting provider
- High staff turnover leads to outdated user accounts and weak onboarding
- Many staff use personal laptops for work without security controls
- Passwords reused across systems; no MFA enabled anywhere
- Website has not been penetration tested or updated in two years
- Backups depend entirely on the freelance developer’s availability
- No process for patching plugins, themes or the CMS
Key risks: credential compromise, insider misuse, unauthorised access to payment data, SQL injection, data loss.
Scenario C - University Computing Department (Education / Research)
The department manages teaching systems, research data and student information. The environment is mixed, with legacy lab servers and modern cloud tools used inconsistently.
Expanded details:
- Systems include: VLE, shared drives, research servers, Git repositories, lab machines
- Backups vary by system; not routinely tested or documented
- Phishing targeting staff and students occurs weekly
- Asset management is informal; no inventory of laptops or software versions
- External research partners require VPN or shared account access
- Some teaching labs rely on outdated software and unpatched versions
- Staff responsible for security rely on ad-hoc practices
- Incident reporting is inconsistent and rarely documented
- Students run VMs and tools that occasionally disrupt lab networks
- Privilege assignments vary; some staff have excessive access
Key risks: data leakage, misconfiguration, unauthorised access, loss of research data.
Scenario D - Local Government Services (Public Sector)
A council delivers digital services for citizen payments, document uploads and service requests. It operates with budget constraints and legacy systems.
Expanded details:
- Citizen data includes scanned ID documents, payment info and personal records
- Legacy applications accessible only via VPN but poorly documented
- Cloud services used by individual departments without central oversight
- Supply chain risks unclear; third-party suppliers vary in security maturity
- Limited incident response capability; no structured reporting or playbooks
- Logs exist but not monitored or correlated
- Staff frequently store data on USB drives or email themselves documents
- Multi-factor authentication not widely implemented
- Patching cycles slow due to system dependencies
- Leadership unclear about roles and responsibilities for cyber governance
Key risks: supply chain compromise, privacy breaches, insider risks, legacy vulnerabilities.
Scenario E - SaaS Start-up (Cloud-Native)
A small SaaS start-up develops a cloud-based application on AWS. The environment is fast-moving, with frequent code deployments and minimal formal governance.
Expanded details:
- Uses ECS, Lambda, API Gateway, S3, CloudWatch, and DynamoDB
- Customer files stored in multiple S3 buckets with inconsistent permissions
- Some contractors share a single IAM account; MFA not enforced for all users
- No defined risk management or governance process
- Monitoring and alerting noisy; many CloudWatch alerts ignored
- Uses third-party APIs for authentication (OAuth), payments and messaging
- Automated backups exist but have never been restored or tested
- Dependency management inconsistent; npm packages not regularly updated
- Code reviews informal; changes sometimes merged without approval
- No formal incident response or runbooks for engineers
Key risks: cloud misconfigurations, insecure CI/CD pipeline, dependency vulnerabilities, leaked credentials.
Task 1 - Build a Mini NIST CSF Profile (≈ 30 minutes)
You will use the NIST CSF Reference Tool to explore Categories, Subcategories and outcomes:
Required tool:
https://csrc.nist.gov/Projects/cybersecurity-framework/Filters#/csf/filters
1.1 Select 4-6 Relevant CSF Categories
Choose Categories that clearly relate to your scenario.
Examples include:
- PR.DS - Data Security
- PR.AA - Identity and Access Control
- ID.AM - Asset Management
- DE.CM - Continuous Monitoring
- RS.MA - Incident Management
- GV.SC - Supply Chain Risk Management
Use the Reference Tool above to explore details.
1.2 Assign the Current Tier
Use the NIST explanation of Tiers from the lecture or NIST CSF 2.0 document:
Tier definitions: Page 29 https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.29.pdf
- Tier 1 - Partial
- Tier 2 - Risk Informed
- Tier 3 - Repeatable
- Tier 4 - Adaptive
1.3 Describe the Current Profile
A short statement for each Category:
- current practices
- what is missing
1.4 Define the Target Profile
For each Category:
- Set a Target Tier
- Write a Target Outcome
Task 1 Output Table
| Category | Current Tier | Current Outcome | Target Tier | Target Outcome |
|---|---|---|---|---|
| PR.DS | 1 | Backups exist but are not tested or encrypted | 3 | Backups encrypted, tested quarterly, monitored |
| ... | ... | ... | ... | ... |
Task 2 - Cyber Defense Matrix (CDM) Mapping (≈ 30 minutes)
You will use the Cyber Defense Matrix to map security activities for one asset class.
Required tool:
https://cyberdefensematrix.com
2.1 Choose what Asset Class that applies to your scenario
- Devices
- Applications
- Networks
- Data
- Users
2.2 Map Current vs Needed Capability
| Function | Current capability | Improvement needed |
|---|---|---|
| Identify | ||
| Protect | ||
| Detect | ||
| Respond | ||
| Recover |
Consider:
- Identify: inventory, data classification
- Protect: access control, configuration
- Detect: logs, alerts, monitoring
- Respond: playbooks, communication
- Recover: backup, restore testing
2.3 Highlight Gaps and Responsibilities
Identify the two biggest gaps, and state who should own them:
- Security team
- IT operations
- Developers
- Third-party suppliers
- Management
Task 3 - NIST Function-Based Incident Mapping (≈ 20 minutes)
In this task you will analyse a realistic incident from your scenario and map it to the five NIST CSF Functions.
The goal is to understand what failed, what should have happened and how to improve maturity.
Optional tool for reference:
MITRE ATT&CK Navigator https://attack.mitre.org
3.1 Choose a Realistic Incident
Select an incident that fits your scenario. Examples include:
- Phishing leading to credential theft
- Misconfigured cloud storage (e.g., open S3 bucket)
- Lost or stolen laptop / USB drive
- Ransomware affecting shared drives
- Contractor account compromised
- SQL injection or web application breach
Write a short note (2-3 sentences) describing what happened.
3.2 Map the Incident to the NIST Functions
Complete the table by describing:
- what happened in your scenario, and
- what should have happened if appropriate controls were in place.
| Function | What happened? / What should happen? |
|---|---|
| Identify | |
| Protect | |
| Detect | |
| Respond | |
| Recover |
Use the Functions to structure your explanation rather than retelling the incident chronologically.
3.3 Recommend Improvements
Propose three to five specific improvements based on the gaps identified in your mapping.
Each improvement should contribute to raising the relevant Tier or improving the Target Profile.
Example improvements:
- Enforce MFA for all privileged or external access
- Implement centralised logging with alerting for suspicious activity
......
Keep your recommendations realistic for the organisation in your scenario.
Final Group Output
Each group will deliver a 2-3 minute summary covering:
- Scenario chosen
- Mini CSF Profile (Task 1)
- Categories
- Current vs Target Tiers
- Most important gap
- CDM mapping (Task 2)
- Asset class
- Key capability gap
- Incident mapping (Task 3)
- Incident summary
- Key improvements proposed
No slides are required.
Use your tables to explain your findings clearly.
Best,
Ali.