C2M2 and the NIST Cyber Framework: Applying DOE's NIST Cyber Security Framework Guidance
- Liliana Bailey
- 8 years ago
1 C2M2 and the NIST Cyber Framework: Applying DOE's NIST Cyber Security Framework Guidance
June 18, 2015
2 Victoria Yan Pillitteri, National Institute of Standards & Technology (NIST), Smart Grid Cybersecurity Committee Chair
3 Cybersecurity Committee
The SGIP Cybersecurity Committee is a collaborative forum that develops resources that smart grid stakeholders can leverage to help understand and manage cybersecurity risk. Cybersecurity is a critical, crosscutting issue for the Smart Grid.
4 Update: Cybersecurity Task Force
The Cybersecurity Task Force is developing a case study highlighting how different utilities have implemented various voluntary cybersecurity frameworks, including results, benefits, and key lessons learned.
Next Task Force virtual meeting: Tuesday, June 23 at 10 AM Eastern
To learn more, contact: victoria.pillitteri@nist.gov and ellisonm@dteenergy.com
5 Christopher S. Taylor is currently a Senior Engineering Analyst for Southern Company's IT Security Team.
6 Agenda
- NIST Cybersecurity Framework and Implementation Guidance
- C2M2 Overview
- Southern's C2M2 to NIST Framework Tool
- Comparative Analysis
7 NIST Cybersecurity Framework
8 NIST Cyber Security Framework
- Developed in response to the Executive Order that calls for development of a voluntary Cybersecurity Framework
- The Framework provides a prioritized, flexible, repeatable, performance-based, and cost-effective approach to managing cybersecurity risk
- The Framework is composed of 3 parts:
  - Framework Core
  - Framework Implementation Tiers
  - Framework Profile
- In January 2015, DOE released the Energy Sector's Cybersecurity Framework Implementation Guidance
- C2M2 is DOE's recommended implementation tool
9 Cybersecurity Framework Implementation Guidance
- Provides a standard approach aligned with the Framework's 7-step process:
  1. Prioritize and Scope
  2. Orient
  3. Create a Current Profile
  4. Conduct a Risk Assessment
  5. Create a Target Profile
  6. Determine, Analyze, and Prioritize Gaps
  7. Implement Action Plan
- Advocates use of C2M2 to implement the Framework because of its:
  - Widespread use
  - Support for benchmarking
  - Sector-specific guidance
  - Descriptive guidance
  - Mapping of C2M2 to the Framework
  - Self-evaluation toolkit
10 C2M2 Overview
11 C2M2 Overview
- ES-C2M2 is a DOE-developed tool that helps organizations evaluate, prioritize, and improve cybersecurity capabilities
- Maturity Model definition: an organized way to identify competencies and areas of improvement
- C2M2 is used to evaluate a business unit's practices, processes, and procedures
12 C2M2 Components
- 10 Model Domains: logical groupings of cyber security practices
  - Risk Management
  - Asset, Change and Configuration Management
  - Identity and Access Management
  - Threat and Vulnerability Management
  - Situational Awareness
  - Information Sharing and Communications
  - Event and Incident Response, Continuity of Operations
  - Supply Chain and External Dependencies Management
  - Workforce Management
  - Cybersecurity Program Management
- 4 Maturity Indicator Levels (MILs): defined progressions of practices
  - MIL 0: Not Performed
  - MIL 1: Initiated
  - MIL 2: Performed
  - MIL 3: Managed
- Each cell (domain by MIL) contains the defining practices for the domain at that maturity indicator level
13 Sample C2M2 Evaluation Results
- The C2M2 Toolkit generates a graphical summary of the results, divided by C2M2 domain and MIL
- Detailed results and analysis are also provided for each domain
14 Southern's C2M2 to NIST Framework Tool
15 C2M2 to NIST Framework Mapping
- DOE's Implementation Guidance mapped C2M2 practices to NIST's Framework Core (Functions, Categories, Subcategories, Informative References) and to the Implementation Tiers
- CSF Core <-> C2M2, and CSF Tiers <-> C2M2
- CSF Functions: IDENTIFY, PROTECT, DETECT, RESPOND, RECOVER
- CSF Tiers: Tier 1: Partial; Tier 2: Risk Informed; Tier 3: Repeatable; Tier 4: Adaptive
16 Automating the C2M2 to NIST Process
- Current implementation of the Framework using C2M2:
  - The C2M2 toolkit and assessment process provide the data required to implement the Framework
  - The Implementation Guidance maps C2M2 controls to the Framework
  - The user must then manually extract data from the C2M2 toolkit into the Framework
- The C2M2 to NIST Framework tool automates the rest of the process:
  - Automates extraction of data from the C2M2 Toolkit and populates the NIST Framework
  - Uses the notes section of the C2M2 toolkit to develop target profiles
  - Generates tables and charts of the Framework Core
  - Generates tables and charts of the Framework Implementation Tiers
17 Sample C2M2 to NIST Framework Tool Output
Function: IDENTIFY
Category: Asset Management (AM): The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to business objectives and the organization's risk strategy.
Subcategories shown: ID.AM-1: Physical devices and systems within the organization are inventoried; ID.AM-2: Software platforms and applications within the organization are inventoried.
Columns of the tool output: Function, Category, Subcategory, MIL, C2M2 Practice, C2M2 Profiles (Current, Target), Gaps, C2M2 Notes.

Subcategory  C2M2 Practice  Current  Target         Gaps
ID.AM-1      ACM-1a         FI       C2M2 Activity  C2M2 Notes
ID.AM-1      ACM-1c         FI       C2M2 Activity  C2M2 Notes
ID.AM-1      ACM-1e         LI       C2M2 Activity  C2M2 Notes
ID.AM-1      ACM-1f         PI       C2M2 Activity  C2M2 Notes
ID.AM-2      ACM-1a         FI       C2M2 Activity  C2M2 Notes
ID.AM-2      ACM-1c         FI       C2M2 Activity  C2M2 Notes
ID.AM-2      ACM-1e         LI       C2M2 Activity  C2M2 Notes
ID.AM-2      ACM-1f         PI       C2M2 Activity  C2M2 Notes

Callouts on the slide tie the columns to NIST Framework's 7 Steps: Prioritize and Scope, Orient, Create a Current Profile, and Conduct a Risk Assessment (C2M2 practices and the Current profile); Create a Target Profile (Target profile, built from the C2M2 Activity notes); Determine, Analyze, and Prioritize Gaps, and Implement Action Plan (Gaps column, built from the C2M2 Notes).
18 Sample NIST Framework Function Results
NIST Framework Results by Function (empty cells are populated from the C2M2 assessment):

Function  Implementation status   MIL 1  MIL 2  MIL 3  TOTALS
Identify  Fully Implemented
          Largely Implemented
          Partially Implemented
          Not Implemented
          Subtotals:
Protect   (same five rows)
Detect    (same five rows)
Respond   (same five rows)
Recover   (same five rows)
TOTALS

- The Framework Core provides a set of activities to achieve specific cybersecurity outcomes and references examples of guidance to achieve those outcomes
19 Sample NIST Framework Implementation Tier Results

Implementation status  Tier 1 (Partial)  Tier 2 (Risk Informed)  Tier 3 (Repeatable)  Tier 4 (Adaptive)
Fully Implemented
Largely Implemented
Partially Implemented
Not Implemented
Totals

- The Implementation Tiers provide context on how an organization views cybersecurity risk and the processes in place to manage risk.
20 Displaying the CSF Results by Function, Option 1: Map C2M2 by NIST CSF Function and MILs
- Leverages C2M2 scoring criteria (partial credit)
- Preserves MILs to understand the complexity of mitigation efforts
- Many-to-many relationships, so must determine whether to remove duplicates
- Charts: NIST Framework by Function and MIL; NIST Framework by Function and MIL (No Duplicates)
21 Displaying the CSF Results by Function, Option 2: Map C2M2 by NIST CSF Function but remove MILs
- Leverages C2M2 scoring criteria (partial credit)
- Removes MILs to conform to the NIST CSF's flat architecture
- Many-to-many relationships, so must determine whether to remove duplicates
- Charts: NIST Framework by Function; NIST Framework by Function (No Duplicates)
22 Displaying the CSF Results by Function, Option 3: Map C2M2 by NIST CSF Function but remove MILs and partial credit
- Removes C2M2 scoring criteria (partial credit) so that each practice is either complete or not complete
- Removes MILs to conform to the NIST CSF's flat architecture
- Many-to-many relationships, so must determine whether to remove duplicates
- Charts: NIST Framework by Function; NIST Framework by Function (No Duplicates)
23 Displaying the CSF Results by Function, Option 4: Map C2M2 by NIST CSF Function and Category
- Determines the average score for each subcategory and rounds down
- Must determine whether to preserve partial credit
- Charts: NIST Framework by Function and Category; NIST Framework by Function and Category (No Duplicates)
24 Displaying the CSF Results by Tier: Map C2M2 by NIST CSF Tier
- Many-to-many relationships, so must determine whether to remove duplicates
- Must determine whether to preserve partial credit
- Charts: NIST Framework by Tier (Partial Credit / No Partial Credit); NIST Framework by Tier, No Duplicates (Partial Credit / No Partial Credit)
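The four display options above differ only in how C2M2 responses are rolled up once they are mapped to CSF subcategories. The following is an added example, not Southern Company's tool or DOE's toolkit: it implements options 1 through 4 over a small constructed data set. The C2M2 responses, the subcategory-to-practice map (beyond the ID.AM-1/ID.AM-2 rows taken from the sample output slide), and the numeric scale FI=3, LI=2, PI=1, NI=0 are all assumptions made for the illustration.

```python
"""Added example (not Southern's tool or the DOE C2M2 toolkit): the C2M2-to-CSF
roll-up options from the slides, run on constructed data.
Assumed scale: FI=3, LI=2, PI=1, NI=0."""
import math
from collections import Counter, defaultdict

SCORE = {"FI": 3, "LI": 2, "PI": 1, "NI": 0}
FULL = SCORE["FI"]

# Constructed C2M2 responses: practice -> (MIL, response).
C2M2_RESULTS = {
    "ACM-1a": (1, "FI"), "ACM-1c": (1, "FI"),
    "ACM-1e": (2, "LI"), "ACM-1f": (2, "PI"),
    "RM-2c": (2, "FI"), "IR-3f": (3, "NI"),
}

# Constructed many-to-many mapping: CSF subcategory -> C2M2 practices.
# ID.AM-1 and ID.AM-2 share the ACM-1 practices as on the sample output slide;
# the ID.RM-1 and RS.AN-1 rows are illustrative, not DOE's mapping.
CSF_MAP = {
    "ID.AM-1": ["ACM-1a", "ACM-1c", "ACM-1e", "ACM-1f"],
    "ID.AM-2": ["ACM-1a", "ACM-1c", "ACM-1e", "ACM-1f"],
    "ID.RM-1": ["RM-2c"],
    "RS.AN-1": ["IR-3f"],
}


def function_of(subcategory):
    """'ID.AM-1' -> 'ID' (the CSF Function prefix)."""
    return subcategory.split(".")[0]


def category_of(subcategory):
    """'ID.AM-1' -> 'ID.AM'."""
    return subcategory.rsplit("-", 1)[0]


def mapped_rows(csf_map, results, dedupe):
    """Yield (function, mil, practice, response) rows. With dedupe=True a
    practice mapped to several subcategories counts once per Function."""
    seen = set()
    for sub, practices in csf_map.items():
        fn = function_of(sub)
        for p in practices:
            if dedupe and (fn, p) in seen:
                continue
            seen.add((fn, p))
            mil, resp = results[p]
            yield fn, mil, p, resp


def tabulate(results, csf_map, dedupe=False):
    """Counts per (Function, MIL, response): the layout of the function-results slide."""
    return Counter((fn, mil, resp) for fn, mil, _, resp in mapped_rows(csf_map, results, dedupe))


def credit(response, partial):
    """Options 1-2 keep partial credit (score/3); option 3 credits only FI."""
    s = SCORE[response]
    return s / FULL if partial else float(s == FULL)


def score_by_function(results, csf_map, partial=True, keep_mil=False, dedupe=False):
    """Options 1-3: (credit earned, practices counted) per Function or per (Function, MIL)."""
    earned, count = defaultdict(float), Counter()
    for fn, mil, _, resp in mapped_rows(csf_map, results, dedupe):
        key = (fn, mil) if keep_mil else fn
        earned[key] += credit(resp, partial)
        count[key] += 1
    return {k: (round(earned[k], 4), count[k]) for k in count}


def score_by_category(results, csf_map, partial=True):
    """Option 4: average the practice scores of each subcategory and round down,
    then average those per Category. Without partial credit only a rounded-down
    average of FI counts."""
    per_sub = {}
    for sub, practices in csf_map.items():
        floor_avg = math.floor(sum(SCORE[results[p][1]] for p in practices) / len(practices))
        per_sub[sub] = floor_avg if partial else (FULL if floor_avg == FULL else 0)
    per_cat = defaultdict(list)
    for sub, s in per_sub.items():
        per_cat[category_of(sub)].append(s)
    return per_sub, {c: sum(v) / len(v) for c, v in per_cat.items()}


if __name__ == "__main__":
    print("function results:", dict(tabulate(C2M2_RESULTS, CSF_MAP)))
    for dedupe in (False, True):
        print("option 1, dedupe=%s:" % dedupe,
              score_by_function(C2M2_RESULTS, CSF_MAP, keep_mil=True, dedupe=dedupe))
        print("option 2, dedupe=%s:" % dedupe,
              score_by_function(C2M2_RESULTS, CSF_MAP, dedupe=dedupe))
        print("option 3, dedupe=%s:" % dedupe,
              score_by_function(C2M2_RESULTS, CSF_MAP, partial=False, dedupe=dedupe))
    print("option 4:", score_by_category(C2M2_RESULTS, CSF_MAP))
```

The duplicate question shows up immediately: without de-duplication IDENTIFY counts the four ACM-1 practices twice (9 practices, 7.0 credit), with it they count once (5 practices, 4.0 credit), so the same assessment yields a different percentage depending on the choice. Option 4's rounding down is deliberately conservative: a subcategory whose practices average 2.25 reports as 2 (Largely Implemented), never as 3.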
25 C2M2 to NIST Toolkit: Comparative Analysis
26 Comparative Analysis: Sortable Results
Survey Responses Per Question, Ordered By Domain/Objective/Practice
Available sorts: Domain/Obj/Practice; Domain/MIL/Practice; Domain/Average Score Low to High; Average Score Low to High; Domain/Average Score High to Low; Average Score High to Low; Standard Deviation
Columns: Domain; Objective; MIL; Practice; C2M2 - Organization 1 through 4 (Score); Average Score; Standard Deviation

Domain              Objective                                               MIL  Practice  Org 1  Org 2  Org 3  Org 4
01. Risk Management 01. Establish Cyber Security Risk Management Strategy  2    RM-1a     FI     FI     FI     FI
01. Risk Management 01. Establish Cyber Security Risk Management Strategy  2    RM-1b     FI     FI     FI     FI
01. Risk Management 01. Establish Cyber Security Risk Management Strategy  3    RM-1c     FI     FI     FI     FI
01. Risk Management 01. Establish Cyber Security Risk Management Strategy  3    RM-1d     FI     FI     FI     FI
01. Risk Management 01. Establish Cyber Security Risk Management Strategy  3    RM-1e     FI     FI     FI     FI
01. Risk Management 02. Manage Cyber Security Risk                         1    RM-2a     FI     FI     FI     FI
01. Risk Management 02. Manage Cyber Security Risk                         1    RM-2b     FI     FI     FI     FI
01. Risk Management 02. Manage Cyber Security Risk                         2    RM-2c     LI     LI     FI     FI
01. Risk Management 02. Manage Cyber Security Risk                         2    RM-2d     FI     FI     FI     FI
01. Risk Management 02. Manage Cyber Security Risk                         2    RM-2e     FI     FI     FI     FI
01. Risk Management 02. Manage Cyber Security Risk                         2    RM-2f     FI     FI     FI     FI
01. Risk Management 02. Manage Cyber Security Risk                         2    RM-2g     FI     FI     FI     FI
01. Risk Management 02. Manage Cyber Security Risk                         3    RM-2h     FI     PI     LI     FI
01. Risk Management 02. Manage Cyber Security Risk                         3    RM-2i     FI     FI     LI     FI
01. Risk Management 02. Manage Cyber Security Risk                         3    RM-2j     FI     LI     LI     FI
01. Risk Management 03. Management Activities                              2    RM-3a     PI     LI     FI     FI
01. Risk Management 03. Management Activities                              2    RM-3b     FI     FI     FI     FI
01. Risk Management 03. Management Activities                              2    RM-3c     FI     LI     FI     LI
01. Risk Management 03. Management Activities                              2    RM-3d     FI     FI     FI     FI
01. Risk Management 03. Management Activities                              3    RM-3e     FI     LI     FI     LI
01. Risk Management 03. Management Activities                              3    RM-3f     PI     FI     FI     FI
01. Risk Management 03. Management Activities                              3    RM-3g     FI     FI     FI     FI
01. Risk Management 03. Management Activities                              3    RM-3h     FI     LI     FI     FI
01. Risk Management 03. Management Activities                              3    RM-3i     FI     FI     FI     FI

- Takes C2M2 input from multiple assessments and puts them in a sortable results table
- Only focused on C2M2, not the NIST CSF
27 Comparative Analysis: Summary (Avg Scores)
Domain Average Score table. Columns: Domain; C2M2 - Organization 1 Score; C2M2 - Organization 2 Score; C2M2 - Organization 3 Score; C2M2 - Organization 4 Score; Avg Score. Rows: 01. Risk Management; Asset, Change, and Configuration Management; Identity and Access Management; Threat and Vulnerability Management; Situational Awareness; Information Sharing and Communications; Event and Incident Response, Continuity of Operations; Supply Chain and External Dependencies Management; Workforce Management; Cybersecurity Program Management; Domain Average Score.
- Creates a summary worksheet of the C2M2 assessment results
- 1st section is an average score for each domain by organization assessed
28 Comparative Analysis: Summary (Low Scores), Average (Partial or Less)
Columns: Practice; C2M2 - Organization 1 through 4 Score; Avg Score. Practices listed: TVM-1h, TVM-1j, TVM-2m, EDM-2c, CPM-4b, IR-3m, TVM-1e, SA-3b, EDM-3a, TVM-1d, SA-2d, SA-2e, SA-2f, SA-2h, SA-3d, IR-1g, IR-2g, IR-2h, IR-3f, IR-3g, EDM-2d, EDM-2e, EDM-2f, EDM-2h, EDM-2i, EDM-3g, WM-1g, WM-3g, WM-4c, WM-4d, CPM-1g.
- 2nd section is all activities that average Partial or less
- Only focused on C2M2, not the NIST CSF
29 Comparative Analysis: Summary (Low Scores), Standard Deviation - Top 10
Columns: Practice; C2M2 - Organization 1 through 4 Score; Std Deviation.

Practice  Org 1  Org 2  Org 3  Org 4  Std Deviation
ACM-2d    PI     NI     FI     FI     1.50
IAM-3a    FI     NI     FI     FI     1.50
TVM-3a    FI     NI     FI     FI     1.50
TVM-3g    FI     NI     FI     FI     1.50
SA-4g     FI     NI     FI     FI     1.50
EDM-3d    FI     NI     FI     FI     1.50
EDM-3g    NI     PI     NI     FI     1.41
IAM-2i    FI     NI     FI     LI     1.41
IR-2e     PI     NI     LI     FI     1.29
SA-3f     PI     PI     NI     FI     1.26

- 3rd section is the 10 activities with the greatest deviation in responses
- Only focused on C2M2, not the NIST CSF
- Ideal for benchmarking and determining why there are differences
- Possible reasons include: maturity, size, mission, or interpretation of survey questions
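The three summary sections (domain averages, practices averaging Partial or less, and the top-N standard deviations) are straightforward to compute once responses are put on a numeric scale. The following is an added example, not Southern Company's comparative-analysis toolkit. It assumes the scale FI=3, LI=2, PI=1, NI=0 and the sample (n-1) standard deviation; under that assumption it reproduces the Std Deviation column shown on the slide above for the rows it copies. The per-practice responses are a subset taken from the sortable-results and standard-deviation slides, and the "Org 1" to "Org 4" names stand for C2M2 - Organization 1 through 4.

```python
"""Added example (not Southern's comparative-analysis toolkit): the three summary
sections computed over responses copied from the slides.
Assumed scale FI=3, LI=2, PI=1, NI=0; standard deviation is the sample (n-1) form,
which reproduces the slide's 1.50 / 1.41 / 1.29 / 1.26 values."""
from statistics import mean, stdev

SCORE = {"FI": 3, "LI": 2, "PI": 1, "NI": 0}

# Responses of the four organizations per practice (subset copied from the slides).
# The domain is taken from the practice prefix (RM, ACM, IAM, EDM, IR, SA).
RESPONSES = {
    "RM-2c": ["LI", "LI", "FI", "FI"],
    "RM-2h": ["FI", "PI", "LI", "FI"],
    "RM-3a": ["PI", "LI", "FI", "FI"],
    "RM-3c": ["FI", "LI", "FI", "LI"],
    "ACM-2d": ["PI", "NI", "FI", "FI"],
    "IAM-3a": ["FI", "NI", "FI", "FI"],
    "IAM-2i": ["FI", "NI", "FI", "LI"],
    "EDM-3g": ["NI", "PI", "NI", "FI"],
    "IR-2e": ["PI", "NI", "LI", "FI"],
    "SA-3f": ["PI", "PI", "NI", "FI"],
}


def domain_of(practice):
    """'ACM-2d' -> 'ACM'."""
    return practice.split("-")[0]


def numeric(responses):
    """Convert each organization's response to its numeric score."""
    return {p: [SCORE[r] for r in rs] for p, rs in responses.items()}


def domain_averages(responses):
    """Section 1: average score per domain for each organization, plus the
    domain average (mean of the per-organization averages)."""
    by_domain = {}
    for p, scores in numeric(responses).items():
        by_domain.setdefault(domain_of(p), []).append(scores)
    out = {}
    for d, rows in by_domain.items():
        per_org = [round(mean(col), 2) for col in zip(*rows)]  # columns = organizations
        out[d] = {"per_org": per_org, "avg": round(mean(per_org), 2)}
    return out


def low_scores(responses, threshold=SCORE["PI"]):
    """Section 2: practices whose average across organizations is Partial or less."""
    return sorted(p for p, s in numeric(responses).items() if mean(s) <= threshold)


def top_deviation(responses, n=10):
    """Section 3: the n practices with the greatest sample standard deviation,
    ties broken by practice name."""
    ranked = sorted(((round(stdev(s), 2), p) for p, s in numeric(responses).items()),
                    key=lambda t: (-t[0], t[1]))
    return [(p, sd) for sd, p in ranked[:n]]


if __name__ == "__main__":
    for d, v in domain_averages(RESPONSES).items():
        print(d, v)
    print("Partial or less:", low_scores(RESPONSES))
    for p, sd in top_deviation(RESPONSES):
        print(p, sd)
```

EDM-3g is the one practice in this subset that averages Partial or less, which matches its appearance in both the low-score list and the deviation list on the slides; a practice scored NI by some organizations and FI by others is exactly the benchmarking question the slide raises (maturity, size, mission, or differing interpretation of the survey question).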
30 Proof of Concept Demonstration
- Demonstrated to DOE that the process can be automated
- Next release of the C2M2 toolkit should incorporate the new capabilities (ECD 2016)
Identify Industry Requirements for Implementing the Framework
- Currently, adoption of the NIST Framework is a labor-intensive manual process
- Need to identify requirements to make adopting the Framework practical:
  - Automated tools
  - Standardized charts
  - Standardized tables
  - Standardized reports
  - Comparative analysis
Next Steps
- Role of the Cybersecurity Framework Task Force?
- Other stakeholder participation: DOE, SGIP, NIST, C3?
- Mechanism for providing feedback?
More informationNHTSA S AUTOMOTIVE CYBERSECURITY RESEARCH. Arthur Carter, Frank Barickman, NHTSA
NHTSA S AUTOMOTIVE CYBERSECURITY RESEARCH Arthur Carter, Frank Barickman, NHTSA Electronic Systems Safety Research Division Electronic Systems Safety (ESS) Research Division conducts research to ensure
More informationPREPARED DIRECT TESTIMONY OF SCOTT KING ON BEHALF OF SOUTHERN CALIFORNIA GAS COMPANY
BEFORE THE PUBLIC UTILITIES COMMISSION OF THE STATE OF CALIFORNIA Application of SOUTHERN CALIFORNIA GAS COMPANY (U 0 G) for Review of its Safety Model Assessment Proceeding Pursuant to Decision 1-1-0.
More informationSecure360. Measuring the Maturity of your Information Security Program Impossible? Presented by: Mark Carney, VP of Strategic Services
Secure360 Measuring the Maturity of your Information Security Program Impossible? Presented by: Mark Carney, VP of Strategic Services Question about Life HOW DO YOU KNOW IF YOU ARE GETTING THE MOST OUT
More informationHow To Protect Your Data From Being Hacked
Cyber Division & Manufacturing Division Joint Working Group Cyber Security for the Advanced Manufacturing Enterprise Manufacturing Division Meeting June 4, 2014 Michael McGrath, ANSER michael.mcgrath@anser.org
More informationAutomation Suite for NIST Cyber Security Framework
WHITEPAPER NIST Cyber Security Framework Automation Suite for NIST Cyber Security Framework NOVEMBER 2014 Automation Suite for NIST Cyber Security Framework The National Institute of Standards and Technology
More informationAmerica s New Cybersecurity Framework: Help or New Source of Exposure?
America s New Cybersecurity Framework: Help or New Source of Exposure? BY BEHNAM DAYANIM, RYAN NIER & ELIZABETH DORSI March 2014 Data theft is on the rise, and the federal government is concerned. In 2013
More informationHealth Industry Implementation of the NIST Cybersecurity Framework
Health Industry Implementation of the NIST Cybersecurity Framework A Collaborative Presentation by HHS, NIST, HITRUST, Deloitte and Seattle Children s Hospital 1 Your presenters HHS Steve Curren, Acting
More informationImproving Critical Infrastructure Cybersecurity Executive Order 13636. Preliminary Cybersecurity Framework
1 Improving Critical Infrastructure Cybersecurity Executive Order 13636 Preliminary Cybersecurity Framework 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35
More informationRECOMMENDED CHARTER FOR THE IDENTITY ECOSYSTEM STEERING GROUP
RECOMMENDED CHARTER FOR THE IDENTITY ECOSYSTEM STEERING GROUP 1. Identity Ecosystem Steering Group Charter The National Strategy for Trusted Identities in Cyberspace (NSTIC or Strategy), signed by President
More informationCybersecurity The role of Internal Audit
Cybersecurity The role of Internal Audit Cyber risk High on the agenda Audit committees and board members are seeing cybersecurity as a top risk, underscored by recent headlines and increased government
More informationRe: Experience with the Framework for Improving Critical Infrastructure Cybersecurity ( Framework )
10 October 2014 Ms. Diane Honeycutt National Institute of Standards and Technology 100 Bureau Drive, Stop 8930 Gaithersburg, MD 20899 Re: Experience with the Framework for Improving Critical Infrastructure
More informationCyber Security The Leadership Opportunity for Joint Action Agencies. 2013 APPA Joint Action Workshop
Cyber Security The Leadership Opportunity for Joint Action Agencies 2013 APPA Joint Action Workshop Doug Westlund N-Dimension Solutions Inc. Cyber Security for the Smart Grid Cyber Risk Reduction Questions
More informationNIST Cybersecurity Framework Impacting Your Company? April 24, 2014 Presented By Sheila FitzPatrick, NetApp Jeff Greene, Symantec Andy Serwin, MoFo
2014 Morrison & Foerster LLP All Rights Reserved mofo.com NIST Cybersecurity Framework Impacting Your Company? April 24, 2014 Presented By Sheila FitzPatrick, NetApp Jeff Greene, Symantec Andy Serwin,
More informationImplementing Practical Information Security Programs
Implementing Practical Information Security Programs CISO Summit March 17-19, 2013 Presented by: David Cass, SVP & Chief Information Security Officer, Elsevier Information Security & Data Protection Office
More informationSPSP Phase III Recruiting, Selecting, and Developing Secure Power Systems Professionals: Behavioral Interview Guidelines by Job Roles
PNNL-24140 SPSP Phase III Recruiting, Selecting, and Developing Secure Power Systems Professionals: Behavioral Interview Guidelines by Job Roles March 2015 LR O Neil TJ Conway DH Tobey FL Greitzer AC Dalton
More informationFFIEC Cybersecurity Assessment Tool Overview for Chief Executive Officers and Boards of Directors
Overview for Chief Executive Officers and Boards of Directors In light of the increasing volume and sophistication of cyber threats, the Federal Financial Institutions Examination Council 1 (FFIEC) developed
More informationWhy you should adopt the NIST Cybersecurity Framework
www.pwc.com/cybersecurity Why you should adopt the NIST Cybersecurity Framework May 2014 The National Institute of Standards and Technology Cybersecurity Framework may be voluntary, but it offers potential
More informationLooking at the SANS 20 Critical Security Controls
Looking at the SANS 20 Critical Security Controls Mapping the SANS 20 to NIST 800-53 to ISO 27002 by Brad C. Johnson The SANS 20 Overview SANS has created the 20 Critical Security Controls as a way of
More informationBusiness Continuity / Disaster Recovery Context
Capability Business Continuity / Disaster Recovery Context What is Business Continuity? The Business Continuity Program Life Cycle Copyright: Virtual Corporation, 1994 2006 Modified U.S. DoD Graphic Normal
More informationThe NIST Framework for Improving Critical Infrastructure Cybersecurity - An Executive Guide
SOLUTION BRIEF NIST FRAMEWORK FOR IMPROVING CRITICAL INFRASTRUCTURE CYBERSECURITY The NIST Framework for Improving Critical Infrastructure Cybersecurity - An Executive Guide SOLUTION BRIEF CA DATABASE
More informationSPSP Phase III Recruiting, Selecting, and Developing Secure Power Systems Professionals: Job Profiles
PNNL-24138 SPSP Phase III Recruiting, Selecting, and Developing Secure Power Systems Professionals: Job Profiles March 2015 LR O Neil TJ Conway DH Tobey FL Greitzer AC Dalton PK Pusey Prepared for the
More informationA RIPE Implementation of the NIST Cyber Security Framework
A RIPE Implementation of the NIST Cyber Security Framework Adding the How-To to the NIST CSF Perry Pederson October 2014 The Langner Group Arlington Hamburg Munich Contents EXECUTIVE SUMMARY... 3 THE NIST
More informationFramework for Improving Critical Infrastructure Cybersecurity
Framework for Improving Critical Infrastructure Cybersecurity April 2016 cyberframework@nist.gov Pre-Cybersecurity Framework Threat Landscape 79% of reported victims were targets of opportunity 96% of
More informationREQUEST FOR INFORMATION
Department of Management Services REQUEST FOR INFORMATION Cyber-Security Assessment, Remediation, and Identity Protection, Monitoring, and Restoration Services 3 September 2015 6506 Loisdale Rd, Ste 325
More informationAn Overview of Large US Military Cybersecurity Organizations
An Overview of Large US Military Cybersecurity Organizations Colonel Bruce D. Caulkins, Ph.D. Chief, Cyber Strategy, Plans, Policy, and Exercises Division United States Pacific Command 2 Agenda United
More informationCybersecurity Framework Security Policy Mapping Table
Cybersecurity Framework Security Policy Mapping Table The following table illustrates how specific requirements of the US Cybersecurity Framework [1] are addressed by the ISO 27002 standard and covered
More informationAn Enterprise Continuous Monitoring Technical Reference Architecture
An Enterprise Continuous Monitoring Technical Reference Architecture 12/14/2010 Presenter: Peter Mell Senior Computer Scientist National Institute of Standards and Technology http://twitter.com/petermmell
More informationDocket No. DHS-2015-0017, Notice of Request for Public Comment Regarding Information Sharing and Analysis Organizations
Submitted via ISAO@hq.dhs.gov and www.regulations.gov July 10, 2015 Mr. Michael Echols Director, JPMO-ISAO Coordinator NPPD, Department of Homeland Security 245 Murray Lane, Mail Stop 0615 Arlington VA
More information