Cybersecurity Ethics — Week 1 · Module 03
NIST Cybersecurity Framework
The course anchor. Five Functions, four subcategories you will see in every assessment, and the conceptual scaffolding for everything else.
13 slides · ~13 minutes · NIST CSF v1.1 / v2.0
Slide 2 of 13 · Origin
What the CSF Actually Is
Voluntary. Risk-based. Mandated by no one — adopted by almost everyone.
Why this course uses it: the syllabus explicitly maps CIS2253 to four CSF subcategories — ID.BE, ID.GV, PR.AT, PR.IP. Every weekly checkpoint comes back to those four. Memorize them now.
Slide 3 of 13 · The Core
Five Functions Across the Lifecycle
v2.0 added a sixth (Govern) at the center. v1.1's five remain the operational verbs.
This course only deeply covers Identify and Protect. Detect/Respond/Recover live in your IR courses. Why these two? Because Identify and Protect are where the ethical decisions happen before the breach — and the ethical job is mostly upstream.
Slide 4 of 13 · Subcategory 1 of 4
ID.BE — Business Environment
"The organization's mission, objectives, stakeholders, and activities are understood and prioritized..." (CSF v1.1, paraphrased.) You cannot defend what you cannot describe.
ID.BE-3 ("Priorities for organizational mission, objectives, and activities are established and communicated") is the one most often missing in real organizations — and the one whose absence makes every later decision arbitrary.
Slide 5 of 13 · Subcategory 2 of 4
ID.GV — Governance
"Policies, procedures, and processes to manage and monitor the organization's regulatory, legal, risk, environmental, and operational requirements..." Four subcategories.
Slide 6 of 13 · Subcategory 3 of 4
PR.AT — Awareness and Training
"Personnel and partners are provided cybersecurity awareness education..." Five subcategories addressing different audiences.
Slide 7 of 13 · Subcategory 4 of 4
PR.IP — Information Protection Processes
12 subcategories — the largest in CSF v1.1. Where the daily work lives.
Slide 8 of 13 · The framework's purpose
CSF Does Not Tell You What to Do
It tells you what to think about. The decisions are yours.
This is why CSF is the right anchor for an ethics course. Ethics is not "follow the rules" — it is "what are the rules for, and which one applies here." CSF asks the same questions in cybersecurity language.
Slide 9 of 13 · Reference case
Equifax 2017: Failure Across All Four
147M records. ~$700M in regulatory settlements (FTC, CFPB, 50 state AGs); $1.4B+ total remediation per Equifax SEC filings.
Slide 10 of 13 · Forward connection
CSF in Solarium Recommendations
The 2020 Cyberspace Solarium Commission report repeatedly anchors its proposals in the NIST CSF.
Pillar 4 — Reshape the Cyber Ecosystem
Recommends a National Cybersecurity Certification and Labeling Authority. The labels would be CSF-aligned. Procurement decisions become CSF-aligned by extension.
Pillar 3 — Promote National Resilience
Recommends a National Data Security and Privacy Protection Law. Would extend CSF-style requirements to private-sector data handling at federal level.
Why preview Solarium now: Week 4 covers Solarium in depth. Knowing CSF first means you will read the recommendations as concrete proposals, not vague aspirations. The frameworks are how policy gets translated into engineering reality.
Slide 11 of 13 · The course map
Where You Will See Each Subcategory
Every weekly checkpoint and the final exam will ask you to identify which CSF subcategory is implicated by a scenario. This module is the only place we go subcategory-by-subcategory. Everywhere else, we apply.
Slide 12 of 13 · What this gives you
Why CSF Is the Security Professional's Native Vocabulary
It is shared
Auditors, regulators, vendors, and your CISO all speak it. "We have an ID.GV-2 gap" lands. "No one talks to legal" sounds like a complaint.
It is risk-aware, not control-bound
CSF assumes you make tradeoffs. Control frameworks pretend you do not. The first is closer to reality.
It is morally honest
CSF does not tell you "what is enough." It tells you what to think about. The "enough" question is yours, and it is an ethical one.
The structural argument of this course: ethics in cybersecurity is not a separate domain from technical practice. The CSF subcategories are the ethical decisions, just expressed in defensive language.
Slide 13 of 13
Module 03 Takeaways
Six anchors to carry through every remaining module.
1. CSF is voluntary, risk-based, and a shared vocabulary. Not a checklist, not a control set, not a regulation.
2. Five Functions: Identify, Protect, Detect, Respond, Recover. This course owns Identify and Protect.
3. ID.BE — mission and stakeholders understood. Without this, every other decision is arbitrary.
4. ID.GV — policy, roles, legal/regulatory + privacy/civil liberties managed. Whistleblowing starts where ID.GV ends.
5. PR.AT — awareness and training, including the alert-fatigue / discrimination tradeoff.
6. PR.IP — the daily work, where the compromises hide. Configs, SDLC, backups, vulnerability management.
Next up: CSE-L01 — The Governance Gap. EDT lab where a security analyst discovers an ID.GV failure mid-audit.