Nationwide Cyber Security Review (NCSR) Frequently Asked Questions

Transcription

1 Nationwide Cyber Security Review (NCSR) Frequently Asked Questions

2 Table of Contents NCSR Frequently Asked Questions Nationwide Cyber Security Review (NCSR)... 1 Frequently Asked Questions What is the Nationwide Cyber Security Review? Is participation in the NCSR mandatory? What does the NCSR cost? What are the benefits of participating in the NCSR? How is the NCSR different than other audits, surveys, assessments, reviews, etc.? What is the Control Maturity Mode (CMM)? Which organizations can participate in the NCSR? Who from my organization should participate in the NCSR? Where is the NCSR located and how do I register for it? What is the timeframe to complete and submit the Survey? How is CIS MS- ISAC protecting the data associated with the 2014 NCSR? What does it mean to be a Sub- Entity? How are my reports shared? Can MS- ISAC share the NCSR Individualized Reports with other individuals, organizations, or entities? How will DHS and MS- ISAC use my results, and will my organization be identified? How can I use my NCSR results? What if I completed the previous NCSR, will I have access to my information? Does participation in the NCSR impact or align with funding awarded under the Federal Emergency Management Agency (FEMA) Homeland Security Grant Program (HSGP)? Who do I contact for NCSR- related questions or concerns? Where can I obtain information on additional cybersecurity services offered by the DHS National Cyber Security Division (NCSD) or the MS- ISAC?... 7 Page 2 of 7

3 1. What is the Nationwide Cyber Security Review? Answer: The NCSR, or Nationwide Cyber Security Review, is a voluntary self- assessment survey designed to evaluate cyber security management within state, local, tribal and territorial governments. The Senate Appropriations Committee has requested an ongoing effort to chart nationwide progress in cybersecurity and identify emerging areas of concern. In response, the U.S. Department of Homeland Security has partnered with the Center for Internet Security s Multi- State Information Sharing and Analysis Center (MS- ISAC), the National Association of Counties (NACo) and the National Association of State Chief Information Officers (NASCIO) to develop and conduct the second NCSR. 2. Is participation in the NCSR mandatory? Answer: No, the NCSR is a voluntary review (i.e., participation is not federally mandated). However, (for example) State Chief Information Officers are free to encourage participation from their State agencies in order to support this Congressional initiative. 3. What does the NCSR cost? Answer: Nothing. There is no cost to the participating organization beyond the time and effort taken by personnel to complete and submit the NCSR, which is between 1 and 2 hours. 4. What are the benefits of participating in the NCSR? Answer: Once completed, participants will have access to a variety of reports that measures the level of adoption of security controls within the organization and includes recommendations on how to raise the organization s risk awareness. After the review period, MS- ISAC and DHS will aggregate all review data and share in- depth statistical analysis with all participants via the NCSR Summary Report (the names of participants and their organizations will not be identified in this report). These reports and metrics can be utilized by your organization any way deemed fit, for example they can be utilized to assess the developing maturity of your organization or used for budget justification. 5. How is the NCSR different than other audits, surveys, assessments, reviews, etc.? Answer: The NCSR focuses on the security practices adopted within an organization, as well as the degree to which risk is used to select and manage security controls. The NCSR is not designed to audit an organization s compliance toward any specific regulation, standard, or model, and will not be used for regulatory purposes. The model that is used to assess your organization is called the Control Maturity Model. Page 3 of 7

4 6. What is the Control Maturity Mode (CMM)? Answer: The NCSR relies on five escalating categories of security control maturity, called the Control Maturity Model. These levels of maturity are based on key milestone activities for information risk management. These milestones are closely aligned with security governance processes and maturity indexes embodied within ISO Information Security Management system, Control Objective s for Information Technology (CobIT), Statement on Auditing Standards 6 (SAS #6) and National Institute of Standards and Technology (NIST) Special Publications 800 series methodologies for information security management and control. For further information regarding the CMM visit our website at 7. Which organizations can participate in the NCSR? Answer: All States (and all agencies within), Local government jurisdictions (and all departments within), Tribal and Territorial governments. While any department can take the survey, information technology, health, revenue and transportation state departments are highly encouraged to participate in the NCSR. 8. Who from my organization should participate in the NCSR? Answer: The NCSR seeks participation from personnel service in any of the following roles within their organization: Chief Information Officer (CIO); Chief Information Security Officer (CISO); Chief Security Officer (CSO); Chief Technology Officer (CTO); Director of Information Technology (IT)/Information Systems (IS); or Individuals responsible for Information Technology management. Since the questions cover a large breadth of information security and privacy areas, you do have the option of assigning more than one user to fill out portions of the survey through the tool, or by downloading a.pdf of the question list to be filled out in hardcopy, which can then be collated and entered into the NCSR by the primary point of contact. 9. Where is the NCSR located and how do I register for it? Answer: The NCSR is accessible via the NCSR link on the homepage of the NCSR Website. To register, visit and complete the registration form. Page 4 of 7

5 Once your registration is complete, a user account will be created and a link to the Nationwide Cyber Security Review (NCSR) survey on the secure Navis platform, powered by Coalfire Systems, Inc. will be ed to the point of contact for your organization. Once logged in, additional security questions will be required. Once the security questions are created, additional users can be created for your organization, or you can begin taking the survey. For additional questions, to NCSR@cisecurity.org. 10. What is the timeframe to complete and submit the Survey? Answer: The NCSR starts on October 1, 2014 and ends on November 30, The NCSR is planned to coincide with the DHS National Cyber Security Awareness Month, which occurs annually in October. During this timeframe, you will be able to access the NCSR questions, save your progress, and resume the review anytime by logging back into the NCSR website. However, the survey must be completed and submitted by November 30, How is CIS MS- ISAC protecting the data associated with the 2014 NCSR? Answer: Security is a central tenet to CIS- MS- ISAC and from the start it has been incorporated into the development of the NCSR Survey Tool. The NCSR will be hosted on the secure Navis platform, powered by Coalfire Systems, Inc. Coalfire Systems has an established record for excellence and security and is one of the top IT Governance, Risk and Compliance firms. MS- ISAC and Coalfire have worked together to safeguard your information. 12. What does it mean to be a Sub- Entity? Answer: The NCSR Survey Tool has the functionality to organize participating entities in a hierarchical structure. This will provide STLL governments that have a centralized governance structure, the ability to recruit and monitor the completion of the survey for agencies or departments within their authority. For example, the State of Y, with centralized oversight, can recruit departments or agencies under their jurisdiction to take the survey. If the organizations have mutually agreed, then the State of Y will have access to results of any of the departments it recruited, as well as a special summary report of the results of its agencies/departments. Individual agencies of the State of Y cannot see each other s progress or results on the survey. The intention behind this is to supplement the flow of information for entities that have a centralized governance structure. 13. How are my reports shared? Answer: If you are registered as a sub- entity to another organization, then your information is automatically available to that specific organization. However, if you are not a sub- entity, the decision to disseminate all Reports is entirely up to you (and/or your organization). Page 5 of 7

6 14. Can MS- ISAC share the NCSR Individualized Reports with other individuals, organizations, or entities? Answer: MS- ISAC will not share your information unless your organization has agreed to have your results rolled up (shared) to a central, oversight organization. That relationship is established and agreed to at the time that your organization is registered. Your information is never shared with any other organizations outside of that relationship. 15. How will DHS and MS- ISAC use my results, and will my organization be identified? Answer: Once the NCSR concludes on November 30, DHS and MS- ISAC will aggregate all responses and analyze the results to produce the NCSR Summary Report. The NCSR Summary Report will be non- attributable to individual participants; participant names, and their organizations, will not be identified within the NCSR Summary Report. This Summary Report will be presented to Congress in Q1 of How can I use my NCSR results? Answer: The reports can be used to document support for cybersecurity programs, guide implementation of security controls and be provided to decision makers to encourage additional investments in infrastructure or training. As part of the Individual Reports, you will receive tailored suggested practices based upon leading cyber security standards and best practices, including NIST, ISO, PCI DSS and others. In addition, NCSR will provide you with a report that compares your organization s score to those of similar organizations. If you have taken previous or future iterations of the NCSR, you will have the ability to track the maturity of your information security program over the course of time. The more you participate in the NCSR, the more useful information you get. 17. What if I completed the previous NCSR, will I have access to my information? Answer: Absolutely, if your entity has taken the previous NCSR, then you will be provided with a unique Historical Report based upon your previous organizations previous and current results. This is a feature that will also be in future iterations of the NCSR to provide you insight on how your security program is maturing. Page 6 of 7

7 18. Does participation in the NCSR impact or align with funding awarded under the Federal Emergency Management Agency (FEMA) Homeland Security Grant Program (HSGP)? Answer: No, the NCSR will not directly impact funding awarded under the FEMA HSGP. Participation in the NCSR, and the resulting reports, will not guarantee cybersecurity funding under the FEMA HSGP. However, DHS and MS- ISAC are exploring the possibility of incorporating future iteration of the NCSR into the FEMA grants process. 19. Who do I contact for NCSR- related questions or concerns? Answer: If you should have any questions or would like additional information please NCSR@cisecurity.org or contact Kathleen Patentreger, NCSR Program Director, at (518) Where can I obtain information on additional cybersecurity services offered by the DHS National Cyber Security Division (NCSD) or the MS- ISAC? Answer: Requests for various NCSD programs and other services can be made by ing us at NCSR@cisecurity.com. Page 7 of 7