Information and Communications Technology Supply Chain Risk Management (ICT SCRM) AND NIST Cybersecurity Framework


1 Information and Communications Technology Supply Chain Risk Management (ICT SCRM) and NIST Cybersecurity Framework. "Don't screw with my chain, dude!" Jon Boyens, Computer Security Division, IT Laboratory. November 18, 2014, ISACA.

2 Agenda
- Draft NIST Special Publication 800-161, Supply Chain Risk Management Practices for Federal Information Systems and Organizations
- NIST's Framework for Improving Critical Infrastructure Cybersecurity (aka Cybersecurity Framework)
- ICT Supply Chain Risk Management as it relates to the Cybersecurity Framework
- 5th UMD Grant: Cyber and Supply Chain Risk Portal education and training module

3 Evolution of NIST ICT SCRM Work
- NIST collaboration with academia
- NIST IR 7622, Notional Supply Chain Risk Management Practices for Federal Information Systems
- Draft NIST SP 800-161, Supply Chain Risk Management Practices for Federal Information Systems and Organizations
- NIST workshop
- NIST participation in standards and best practices
- Cybersecurity Framework Roadmap
- CNCI 11 / interagency and industry collaboration

4 Counterfeits, Intentional Insertion of Malware and Poor Practices
(Figure: a supply chain running from Provider to Integrator to End User/Risk Owner. Risks shown entering at each stage: poor coding practices, poor quality, unintended functionalities, backdoor, virus, counterfeit component and poor performance, all of which are inherited by the end user as risk owner.)

5 (Figure: an Organization contracting a System Integrator, which in turn relies on a chain of External Service Providers several layers deep. Caption: Reduced Visibility, Understanding and Control the further the supply chain extends from the organization.)

6 ICT SCRM Problem Definition
Drivers of ICT supply chain risk:
- Growing sophistication of ICT
- Number and scale of information systems
- Government's increasing reliance on COTS
- Speed and scale of globalization
- Complex supply chain (logically long and geographically diverse)
- Significant increase in the number of entities who touch products and services
- Natural disasters, poor product/service quality and poor security practices
The resulting problem: lack of visibility and understanding of how technology is developed, integrated and deployed, and of the practices used to assure its security; and a lack of control over the decisions that affect inherited risks and over the ability to effectively mitigate those risks.

7 DRAFT NIST SP 800-161

8 NIST SP 800-161 Overview
- Scope, purpose, background, methodology
- Multi-tiered approach
- Risk management process
- ICT SCRM controls
- Associated NIST Rev. 4 controls
- Threat events / scenarios
- SCRM plan template


10 Approach: Draft SP 800-161, Supply Chain Risk Management for Federal Information Systems and Organizations
(Figure: SP 800-161 builds on three existing NIST publications: the SP on multi-tiered organizational risk management, the SP on security controls (Rev. 4), and the SP on risk assessment.)

11 Multi-tiered Approach
- ICT SCRM responsibilities at each level
- ICT SCRM plans span all three tiers

12 Risk Management Process
(Figure: the Frame / Assess / Respond / Monitor cycle applied to ICT SCRM.)
- Frame: mission requirements (definition of critical mission threads), operations requirements (full SDLC), organization requirements/constraints, baseline criticality
- Assess: threat analysis, criticality analysis, vulnerability analysis, likelihood (exploitability), impact analysis/assessment
- Respond: accept, reject, transfer, share or mitigate the risk
- Monitor: ongoing, feeding back into Frame and Assess

13 ICT SCRM Controls
- OVERLAY: extract the NIST SP Rev. 4 security controls relevant to ICT SCRM
- ENHANCED OVERLAY: add supplemental guidance; add new controls
- SECTION 3.5 PROVIDES: control title, tiers, and supplemental guidance; control family description, individual control titles and descriptions, and supplemental guidance
- 6 new controls/supplements
- New family: Provenance

14 SCRM Control Summary (NIST SP 800-161)
Columns: SCRM control no. | Rev. 4 control no. | Control name / control enhancement name | Marks for Tiers, Rev. 4 High baseline, SCRM baseline (as transcribed; column positions of the marks are not recoverable from the transcription)

SCRM_AC-1 | AC-1 | Access Control Policy and Procedures | X X X X X
SCRM_AC-2 | AC-2 | Account Management | X X X X
SCRM_AC-3 | AC-3 | Access Enforcement | X X X X
SCRM_AC-3(1) | AC-3(8) | Access Enforcement: Revocation of Access Authorizations | X X X
SCRM_AC-3(2) | AC-3(9) | Access Enforcement: Controlled Release | X X X
SCRM_AC-4 | AC-4 | Information Flow Enforcement | X X X X

15 Threat Events/Scenarios
- Threat events drawn from the NIST SP on risk assessment
- Scenario framework to aid in risk analysis
- 4 example scenarios

16 ICT SCRM Plan Template

17 Comments to 2nd Public Draft
- 2nd Public Draft of SP 800-161 released June 3 for a 45-day public comment period (ended July 18)
- ~430 comments
- Major themes in comments:
  - Organization's information system vs. ICT supply chain vs. ICT SCRM infrastructure
  - More information wanted on supplier dialogue (formal and informal)
  - Acquisition-related: High vs. Moderate Impact systems; fitness-for-use and technically acceptable; vendor notice of denial/non-compliance and appeal
  - Cloud: gap between FedRAMP and SP 800-161, with FedRAMP at low-moderate impact and SP 800-161 at high impact

18 Timeline & What's Next
- Draft SP 800-161: currently drafting; finished draft expected mid-to-late October; Final (2Q FY15) or 3rd Public Draft (3Q FY15)
- NIST IRs on Criticality Analysis and Provenance (possibility)
- Work with interagency group implementing the GSA/DOD EO recommendation

19 NIST Cybersecurity Framework 19

20 Executive Order 13636: Improving Critical Infrastructure Cybersecurity
"It is the policy of the United States to enhance the security and resilience of the Nation's critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties." President Barack Obama, Executive Order 13636, Feb. 12, 2013
- The National Institute of Standards and Technology (NIST) was directed to work with stakeholders to develop a voluntary framework for reducing cyber risks to critical infrastructure
- Version 1.0 of the framework was released on Feb. 12, 2014, along with a roadmap for future work

21 The Cybersecurity Framework Is for Organizations
- Of any size, in any sector in the critical infrastructure
- That already have a mature cyber risk management and cybersecurity program
- That don't yet have a cyber risk management or cybersecurity program
- With a mission of helping keep up to date on managing risk and facing business or societal threats

22 Framework Components
- Framework Core: cybersecurity activities and informative references, organized around particular outcomes; enables communication of cyber risk across an organization
- Framework Profile: aligns industry standards and best practices to the Framework Core in a particular implementation scenario; supports prioritization and measurement while factoring in business needs
- Framework Implementation Tiers: describe how cybersecurity risk is managed by an organization and the degree to which its risk management practices exhibit key characteristics

23 Framework Core

24 Framework Profiles
- Enable organizations to establish a roadmap to reducing cybersecurity risk
- Can be used to describe the current state and desired target state of specific cybersecurity activities
- Created by determining which Categories are relevant to a particular organization, sector, or other entity
- An organization's risk management processes, legal/regulatory requirements, business/mission objectives, and organizational constraints guide the selection of activities during Profile development

25 Framework Profile
- Alignment of Functions, Categories, and Subcategories with the business requirements, risk tolerance, and resources of the organization
- Enables organizations to establish a roadmap for reducing cybersecurity risk that is well aligned with organizational and sector goals, considers legal/regulatory requirements and industry best practices, and reflects risk management priorities
- Can be used to describe the current state or desired target state of cybersecurity activities

26 How to Use the Cybersecurity Framework
The Framework is designed to complement existing business and cybersecurity operations, and can be used to:
- Understand security status
- Establish or improve a cybersecurity program
- Communicate cybersecurity requirements with stakeholders, including partners and suppliers
- Identify opportunities for new or revised standards
- Identify tools and technologies to help organizations use the Framework
- Integrate privacy and civil liberties considerations into a cybersecurity program

27 NIST Cybersecurity Framework Roadmap

28 What's Next: Areas for Development, Alignment, and Collaboration
The Executive Order calls for the framework to identify areas for improvement that should be addressed through future collaboration with particular sectors and standards-developing organizations. High-priority areas for development, alignment, and collaboration were identified based on stakeholder input:
- Authentication
- Automated Indicator Sharing
- Conformity Assessment
- Cybersecurity Workforce
- Data Analytics
- Federal Agency Cybersecurity Alignment
- International Aspects, Impacts, and Alignment
- Supply Chain Risk Management
- Technical Privacy Standards

29 Supply Chain Risk Management (Roadmap area)
- Industry engagement across 16 critical infrastructure sectors
- Organizational strategy
- Executive communication
- Standards, best practices and guidelines mapping
- Anything needed wrt SCRM in Framework 2.0?
- SCRM workshop(s): ~mid-July 2015
- Final organizational strategy based on findings
ALL BASED ON PRIVATE SECTOR INPUT!!

30 UMD Cyber and Supply Chain Risk Assessment Portal

31 UMD Cyber Risk Management Portal
- Enterprise Risk Assessment Tool, based on the Cybersecurity Framework, that factors in an organization's governance, network design and systems management practices
- Supply Chain Assessment Tool, based on NIST guidelines and practices, that evaluates an organization's strategic control over its end-to-end IT supply chain and uses advanced algorithms to plot the organization's capability/maturity position
- Mapping Tool to determine the vulnerability of key hubs and nodes in an ICT supply chain
- Insurance Risk Analysis Tool that enables a publicly traded organization to benchmark itself against a database of cyber security breaches by industry
- Executive Dashboard to display and access assessment results
- News feeds and alerts relating to cyber security
- http://cyberchain.rhsmith.umd.edu

32 Thank you!! Contact: Jon Boyens


More information

NIST Cybersecurity Framework & A Tale of Two Criticalities

NIST Cybersecurity Framework & A Tale of Two Criticalities NIST Cybersecurity Framework & A Tale of Two Criticalities Vendor Management & Incident Response Presented by: John H Rogers, CISSP Advisory Services Practice Manager john.rogers@sagedatasecurity.com Presented

More information

Release of the Draft Cybersecurity Procurement Language for Energy Delivery Systems

Release of the Draft Cybersecurity Procurement Language for Energy Delivery Systems Release of the Draft Cybersecurity Procurement Language for Energy Delivery Systems Energy Sector Control Systems Working Group Supporting the Electricity Sector Coordinating Council, Oil & Natural Gas

More information

Analyzing Data to Make Be1er Decisions July 21, 2015. Trusted Analysis. Be1er Decisions. Stronger Department. / Page 1

Analyzing Data to Make Be1er Decisions July 21, 2015. Trusted Analysis. Be1er Decisions. Stronger Department. / Page 1 Analyzing Data to Make Be1er Decisions July 21, 2015 Trusted Analysis. Be1er Decisions. Stronger Department. / Page 1 DHS MGMT CUBE: Integra(ng the Data Informa(on technology tool that integrates the Department

More information

San Francisco Chapter. Presented by Mike O. Villegas, CISA, CISSP

San Francisco Chapter. Presented by Mike O. Villegas, CISA, CISSP Presented by Mike O. Villegas, CISA, CISSP Agenda Information Security (IS) Vision at Newegg.com Typical Issues at Most Organizations Information Security Governance Four Inter-related CoBIT Domains ISO

More information

Founda'onal IT Governance A Founda'onal Framework for Governing Enterprise IT Adapted from the ISACA COBIT 5 Framework

Founda'onal IT Governance A Founda'onal Framework for Governing Enterprise IT Adapted from the ISACA COBIT 5 Framework Founda'onal IT Governance A Founda'onal Framework for Governing Enterprise IT Adapted from the ISACA COBIT 5 Framework Steven Hunt Enterprise IT Governance Strategist NASA Ames Research Center Michael

More information

Capabili'es for Strengthening Cybersecurity Resilience

Capabili'es for Strengthening Cybersecurity Resilience Capabili'es for Strengthening Cybersecurity Resilience In the Homeland Security Enterprise September 2012 DHS Cybersecurity Strategy A cyberspace that: Is Secure and Resilient Enables Innova=on Protects

More information

IAPP Global Privacy Summit Protecting Privacy Under the Cybersecurity Microscope

IAPP Global Privacy Summit Protecting Privacy Under the Cybersecurity Microscope IAPP Global Privacy Summit Protecting Privacy Under the Cybersecurity Microscope March 6, 2014 Victoria King UPS (404) 828-6550 vking@ups.com Lisa J. Sotto Hunton & Williams LLP (212) 309-1223 lsotto@hunton.com

More information

Privileged Administra0on Best Prac0ces :: September 1, 2015

Privileged Administra0on Best Prac0ces :: September 1, 2015 Privileged Administra0on Best Prac0ces :: September 1, 2015 Discussion Contents Privileged Access and Administra1on Best Prac1ces 1) Overview of Capabili0es Defini0on of Need 2) Preparing your PxM Program

More information

SOURCE, SELECT, MANAGE: THE CWM ATHLETE S TRIATHLON GUIDE SIG San Francisco Bay Symposium November 12, 2014. Matt Katz, VP Strategic Solutions

SOURCE, SELECT, MANAGE: THE CWM ATHLETE S TRIATHLON GUIDE SIG San Francisco Bay Symposium November 12, 2014. Matt Katz, VP Strategic Solutions SOURCE, SELECT, MANAGE: THE CWM ATHLETE S TRIATHLON GUIDE SIG San Francisco Bay Symposium November 12, 2014 Matt Katz, VP Strategic Solutions WELCOME! It s another beaueful day in the Bay Area! 2 OPTIONAL:

More information

A Framework to Gauge Cyber Defenses

A Framework to Gauge Cyber Defenses White Paper A Framework to Gauge Cyber Defenses NIST s Cybersecurity Framework Helps Critical Infrastructure Owners to Cost-Effectively Defend National & Economic Security of the U.S. Executive Summary

More information

NIST Cybersecurity Framework What It Means for Energy Companies

NIST Cybersecurity Framework What It Means for Energy Companies Daniel E. Frank J.J. Herbert Mark Thibodeaux NIST Cybersecurity Framework What It Means for Energy Companies November 14, 2013 Your Panelists Dan Frank J.J. Herbert Mark Thibodeaux 2 Overview The Cyber

More information

National Initiative for Cyber Security Education

National Initiative for Cyber Security Education 2014/PPWE/SEM2/007 Agenda Item: 5 National Initiative for Cyber Security Education Submitted by: United States Women Business and Smart Technology Seminar Beijing, China 23 May 2014 NICE OVERVIEW Women

More information

AVOIDING SILOED DATA AND SILOED DATA MANAGEMENT

AVOIDING SILOED DATA AND SILOED DATA MANAGEMENT AVOIDING SILOED DATA AND SILOED DATA MANAGEMENT Dalton Cervo Author, Consultant, Management Expert September 2015 This presenta?on contains extracts from books that are: Copyright 2011 John Wiley & Sons,

More information

Session 4: Programmes: the Core of the 10YFP

Session 4: Programmes: the Core of the 10YFP Session 4: Programmes: the Core of the 10YFP * Criteria * Initial and non-exhaustive list * 5 steps model to develop programmes * Request for additional programmas * Criteria and process for new programmes

More information

Applying IBM Security solutions to the NIST Cybersecurity Framework

Applying IBM Security solutions to the NIST Cybersecurity Framework IBM Software Thought Leadership White Paper August 2014 Applying IBM Security solutions to the NIST Cybersecurity Framework Help avoid gaps in security and compliance coverage as threats and business requirements

More information

San Jacinto College Banner & Enterprise Applica5on Review Task Force Report. November 01, 2011 FINAL

San Jacinto College Banner & Enterprise Applica5on Review Task Force Report. November 01, 2011 FINAL San Jacinto College Banner & Enterprise Applica5on Review Task Force Report November 01, 2011 FINAL 1 Content Review goal and approach 3 Barriers to effec5ve use of Banner: Consultant observa5ons 10 Consultant

More information

Lessons from Defending Cyberspace

Lessons from Defending Cyberspace Lessons from Defending Cyberspace The Challenge of Addressing National Cyber Risk Andy Purdy Workshop on Cyber Security Center for American Studies, Christopher Newport College 10 28-2009 Cyber Threat

More information

Obtaining Enterprise Cybersituational

Obtaining Enterprise Cybersituational SESSION ID: SPO-R06A Obtaining Enterprise Cybersituational Awareness Eric J. Eifert Sr. Vice President Managed Security Services DarkMatter Agenda My Background Key components of the Cyber Situational

More information

What s Driving Adop2on of IT Governance? ISACA North Texas Chapter. Aus2n Hu@on Hu@on Consul2ng October 11, 2012

What s Driving Adop2on of IT Governance? ISACA North Texas Chapter. Aus2n Hu@on Hu@on Consul2ng October 11, 2012 What s Driving Adop2on of IT Governance? ISACA North Texas Chapter Aus2n Hu@on Hu@on Consul2ng October 11, 2012 Learning Objec2ves Overview of the history of IT Governance The rela2onship to corporate

More information

Application of Supply Chain Concepts to the Analysis Process

Application of Supply Chain Concepts to the Analysis Process Application of Supply Chain Concepts to the Analysis Process Rob Handfield, PhD Bank of America University Distinguished Professor of Supply Chain Management Executive Director, Supply Chain Resource Cooperative

More information

Ed McMurray, CISA, CISSP, CTGA CoNetrix

Ed McMurray, CISA, CISSP, CTGA CoNetrix Ed McMurray, CISA, CISSP, CTGA CoNetrix AGENDA Introduction Cybersecurity Recent News Regulatory Statements NIST Cybersecurity Framework FFIEC Cybersecurity Assessment Questions Information Security Stats

More information

Panel Session: Lessons Learned in Smart Grid Cybersecurity

Panel Session: Lessons Learned in Smart Grid Cybersecurity PNNL-SA-91587 Panel Session: Lessons Learned in Smart Grid Cybersecurity TCIPG Industry Workshop Jeff Dagle, PE Chief Electrical Engineer Advanced Power and Energy Systems Pacific Northwest National Laboratory

More information

Cybersecurity The role of Internal Audit

Cybersecurity The role of Internal Audit Cybersecurity The role of Internal Audit Cyber risk High on the agenda Audit committees and board members are seeing cybersecurity as a top risk, underscored by recent headlines and increased government

More information

Ecom Infotech. Page 1 of 6

Ecom Infotech. Page 1 of 6 Ecom Infotech Page 1 of 6 Page 2 of 6 IBM Q Radar SIEM Intelligence 1. Security Intelligence and Compliance Analytics Organizations are exposed to a greater volume and variety of threats and compliance

More information

70% of US Business Will Be Impacted by the Cybersecurity Framework: Are You Ready?

70% of US Business Will Be Impacted by the Cybersecurity Framework: Are You Ready? SESSION ID: GRC-W04 70% of US Business Will Be Impacted by the Cybersecurity Framework: Are You Ready? Tom Conkle Cybersecurity Engineer G2, Inc. @TomConkle Greg Witte Senior Security Engineer G2, Inc.

More information

Implementing a Framework

Implementing a Framework Implementing a Framework 44th Tennessee Higher Education Information Technology Symposium 2015 Greg Jackson Cyber Security Analyst Dynetics Inc. Information Systems Assessment Services (ISAS) www.dynetics.com

More information

Industrial Control Systems Security Guide

Industrial Control Systems Security Guide Industrial Control Systems Security Guide Keith Stouffer, Engineering Lab National Institute of Standards and Technology NIST SP 800-82, Rev 2 and ICS Cybersecurity Testbed Keith Stouffer Project Leader,

More information

Workshop #1. Structuring complex partnered research projects and proposals

Workshop #1. Structuring complex partnered research projects and proposals Workshop #1 Structuring complex partnered research projects and proposals Facilitator: Belinda Leach, Associate Dean Research, College of Social and Applied Human Sciences Presenters: Ben Bradshaw, Belinda

More information

NIST Cloud Computing Program

NIST Cloud Computing Program NIST Program USG Roadmap Top 10 high priority requirements to accelerate USG adoption of the model NIST Mission: To promote U.S. innovation and industrial competitiveness by advancing measurement science,

More information

Legacy Archiving How many lights do you leave on? September 14 th, 2015

Legacy Archiving How many lights do you leave on? September 14 th, 2015 Legacy Archiving How many lights do you leave on? September 14 th, 2015 1 Introductions Wendy Laposata, Himforma(cs Tom Chase, Cone Health 2 About Cone Health More than 100 loca=ons 6 hospitals, 3 ambulatory

More information

Graduate Systems Engineering Programs: Report on Outcomes and Objec:ves

Graduate Systems Engineering Programs: Report on Outcomes and Objec:ves Graduate Systems Engineering Programs: Report on Outcomes and Objec:ves Alice Squires, alice.squires@stevens.edu Tim Ferris, David Olwell, Nicole Hutchison, Rick Adcock, John BrackeL, Mary VanLeer, Tom

More information

S24 Virtualiza.on Security from the Auditor Perspec.ve

S24 Virtualiza.on Security from the Auditor Perspec.ve S24 Virtualiza.on Security from the Auditor Perspec.ve Rob Clyde, CEO, Adap.ve Compu.ng; former CTO, Symantec David Lu, Senior Product Manager, Trend Micro Hemma Prafullchandra, CTO/SVP Products, HyTrust

More information

Fixed Scope Offering (FSO) for Oracle SRM

Fixed Scope Offering (FSO) for Oracle SRM Fixed Scope Offering (FSO) for Oracle SRM Agenda iapps Introduc.on Execu.ve Summary Business Objec.ves Solu.on Proposal Scope - Business Process Scope Applica.on Implementa.on Methodology Time Frames Team,

More information

Voluntary Cybersecurity Initiatives in Critical Infrastructure. Nadya Bartol, CISSP, SGEIT, nadya.bartol@utc.org. 2014 Utilities Telecom Council

Voluntary Cybersecurity Initiatives in Critical Infrastructure. Nadya Bartol, CISSP, SGEIT, nadya.bartol@utc.org. 2014 Utilities Telecom Council Voluntary Cybersecurity Initiatives in Critical Infrastructure Nadya Bartol, CISSP, SGEIT, nadya.bartol@utc.org 2014 Utilities Telecom Council Utility cybersecurity environment is full of collaborations

More information

Cybersecurity..Is your PE Firm Ready? October 30, 2014

Cybersecurity..Is your PE Firm Ready? October 30, 2014 Cybersecurity..Is your PE Firm Ready? October 30, 2014 The Panel Melinda Scott, Founding Partner, Scott Goldring Eric Feldman, Chief Information Officer, The Riverside Company Joe Campbell, CTO, PEF Services

More information