Cyber Solutions Handbook

Cyber Solutions Handbook: Making Sense of Standards and Frameworks
by Matthew Doan, Ian Bramson, Laura Eise

The strength of an organization's cybersecurity program is now a market differentiator, and cybersecurity is a key business enabler. Today, chief information security officers (CISO) and their equivalents are facing increased responsibility amid a series of quickly evolving and often enterprise-wide challenges. Remediation-centric defense is not enough to combat current cyber threats, and CISOs must build an effective communication link between the server room and the board room in order to have an effective program. This paper is one of a series of handbooks that provide pragmatic insight and assistance on how to address the key issues facing cybersecurity leaders today.

Businesses understand the importance of cybersecurity. Once relegated to the IT department as an afterthought, cybersecurity is now part of a company's core strategic planning and investment portfolio. Pressure is high to ensure that all of the company's assets and operations are secure; boards and executives are looking to CISOs for answers. Yet change is constant and quick, and standards and frameworks have risen to the forefront as a strategy to tackle this new environment. These paradigms present opportunity for insight and growth, but only if they are used in the appropriate context, and it can be difficult to sort through this alphabet soup.

This handbook provides context for the numerous cybersecurity standards and frameworks that currently exist. We put forth concrete recommendations for evolving the legacy mindset of program compliance to one of program maturity and risk-based security. However, there is no formula for security; there is a difference between being compliant and being secure. Focusing on maturity rather than checking the box provides organizations both the flexibility and the comprehensive view necessary to manage their risks and achieve their goals. Developing a robust maturity model is a significant undertaking, but there are existing models that can be used to rapidly evolve programs. Applying these models correctly, while taking into consideration the appropriate industry standards and frameworks, will align your security program to your organizational strategy, while providing concrete and risk-based guidance on how you can advance your program to enable the business.

Addressing an Alphabet Soup of Cybersecurity Standards and Frameworks

In the rush to address an increasingly complex cyber environment and provide a standardized, structured approach to cybersecurity, we have, ironically, created innumerable options. From A (audits) to Z (Zachman Framework), it is easy to drown in the confusing alphabet soup of standards and frameworks.[1] As demonstrated by the examples below, these criteria span industries and vary in approach. There are well-known industry governance and control frameworks such as the Control Objectives for Information [and Related] Technology (COBIT) by ISACA, and international best practice standards such as the certifiable ISO/IEC. Government entities, such as the National Institute for Standards and Technology (NIST), try to centralize and drive common practices, standards, lexicon, and requirements (e.g., the catalog of security controls in NIST Special Publication). We have control and risk management guidance focused on the financial industry, such as Basel (I, II, III), Gramm-Leach-Bliley Act (GLBA), and the Federal Financial Institutions Examinations Council (FFIEC). We see specialized guidance in the healthcare industry, such as the Health Information Trust Alliance (HITRUST) framework and Health Insurance Portability and Accountability Act (HIPAA) controls. There are even structures for specifying product security standards, such as Common Criteria.

[1] A large number of cybersecurity standards and frameworks have emerged in recent years; the acronym jargon used to describe these has made it all the more difficult to understand and apply relevant guidance.

So how can we begin to sift through all this information? Which framework might help you? The short answer is, probably most of them. Some you'll have to comply with, while others are great reference material. However, picking and choosing the right elements among all this available guidance is difficult, and still, even if you are the most gifted security architect of all time, mostly leaves you with a check-the-box approach. So what to do? Read on.

The NIST Cybersecurity Framework: Key Takeaways

On top of these existing standards and frameworks, a new initiative kicked off in early 2013 when the Obama Administration enacted Executive Order and Presidential Policy Directive (PPD-21), primarily focused on improving cybersecurity among private sector critical infrastructure organizations. Many companies regard these directives as the writing on the wall for eventual federal regulation around cybersecurity for private companies. A primary product that emerged was a voluntary Cybersecurity Framework for managing cyber risks, spearheaded by NIST. Released in mid-February 2014, the Framework is a compilation of standards, guidelines, and best practices for managing cybersecurity-related risk, while protecting information confidentiality, individual privacy, and civil liberties. Although adoption of the NIST Framework is voluntary, many analysts suggest that it may be perceived as a future de facto standard of care, which could be used to measure companies in regulatory enforcements, class actions, and other lawsuits following cyber attacks and privacy breaches.

The NIST Framework provides two important and fundamental elements for establishing or improving a cybersecurity program: (1) content and (2) an approach for using that content.
When first glancing at the underpinnings, the Framework may appear as little more than a compilation of existing industry standards and frameworks. While its substance essentially points to such established industry guidance, this reflects the inputs gathered by NIST from among hundreds of industry cybersecurity practitioners. Consensus is good. In regard to approach, NIST provides some very high-level yet useful guidance for how to use the content. It describes using the Framework to establish an understanding of where the program currently is, and by infusing an understanding of cyber risk, security professionals can then develop targets and an action plan for meeting those targets. This is certainly an evolutionary step forward toward aligning security to organizational risk, but it still uses existing standards and frameworks (i.e., compliance material) as the guide for improvement.

Acknowledging the Difference between Compliance and Security

Despite the good intentions of standards and frameworks, the fundamental truth is that there is no formula for security. Many companies are compliant with certain regulations because they are mandated by law. While avoiding legal exposures, fines, sanctions, and potential jail time is a good motivator, it does not make your company more secure.

Standards and frameworks can help identify the landscape of potential areas you might want to address. They also might let you set a minimum level of performance. However, standards often force you to be either compliant or non-compliant. There is not always a middle ground or consideration for unique organizational risk. Too often you are either a one or a zero. If not used in the appropriate context, standards are a generic solution to a highly individualized problem set. Cybersecurity is intimately tied to your business strategy and operations, and it must be personalized to your organization.
With the CISO role becoming a strategic business enabler, we can no longer afford to check a box. Your company's strategies, risks, goals, and operations should shape the cybersecurity program. This is even more critical with restricted budgets and resources, so you need to know where and how to scale your investments.

The NIST Framework begins to shift the mindset of security leaders towards a risk-based approach. However, the NIST Framework is still a high-level construct designed to help think about the problem, and does not include robust or actionable guidance to mature a cybersecurity program. But the Framework's authors acknowledge this fact. They advise leveraging external guidance, including existing maturity models, to drive a security program forward.

Valuing Maturity over Checkboxes

Rather than focusing on a standard, look at your program with a maturity lens. Understand the various degrees of risk you face and then, within a well-established structure, decide where you need to invest and develop. It is up to you to prioritize the control areas that you must address first, your current maturity in those areas, and what you must do to increase your maturity. Focusing on your maturity provides you with an opportunity to identify where your program stands today, where it must be in the future, and how to get there.

A maturity approach is not one size fits all. Rather, you need to conduct an honest assessment of your baseline maturity in the areas that are key to your success. You also must establish your target states. These targets will vary based on your business needs and various exposures to cyber risk. A large multinational corporation, for example, might determine that it needs an advanced capability to internally monitor the risk presented by its hundreds of suppliers, while a smaller company with just a few suppliers might be able to outsource this to an established, low-cost third party.
The two target states for each of these control groups would be very different. By building your approach based on risk and maturity, instead of blindly complying with standards, you move the responsibility of security from an outside entity to your organization.

The Characteristics of a Strong Maturity Model

Developing a strong maturity model is a significant undertaking; most organizations do not have the resources to take this on. However, there are existing models out there to use, developed by sector bodies or private companies. So what does a good model look like? It covers both a broad range of topics and provides significant depth in each topic to ensure comprehensive and detailed guidance needed to enhance your cybersecurity program. Effective cybersecurity maturity models include:

- Functional and enabling controls: Functional controls are more technical/operational in nature (e.g., application security, vulnerability assessment), while enabling controls pertain to governance, risk management, and other organizational functions that support (i.e., enable) the technical operations
- Logical organization of high-level and low-level views: Logically organized objectives and measures that are used to pinpoint and evaluate specific aspects of your security program
- A maturity spectrum of granular and measurable details: A clear scale of maturity, defined by characteristics and indicators to accurately assess your level of maturity
- People, process, and technology dimensions: Multifaceted views that let you evaluate each control area in its key component parts
- A foundation grounded in established best practices: Developed from best practices across industry, government, and academia.

Using a Maturity Model to Evolve a Cybersecurity Program

Appropriately applying a maturity model is as important as developing or choosing the right one. The following is an overview of one proven approach on how to put an effective maturity model into practice. As illustrated in Exhibit 1, this approach focuses on placing the model as the centerpiece of the organization, setting the tone for both program structure and assessment.

Exhibit 1: Cybersecurity Maturity Model Implementation Approach
(Figure: four steps. 1. Align cyber security with organizational strategy; 2. Apply a risk-based prioritization; 3. Assess your maturity; 4. Make a plan.)

Step 1: Align Cybersecurity with Organizational Strategy

Boil down your organization's strategic objectives and core value-generating operations into a set of short, declarative, and concrete statements. Understand which operations must continue to enable the sources of most value. In addition, consider the strategic actions your company is or will soon be taking in order to thrive in your future environment. These statements often can be written as "We will" or "We must" assertions. Examples include: "We will expand globally," "We must ensure our supply chain operations are not interrupted," or "We will innovate by providing our customers new digital offerings." Once you have the strategic objectives, identify the cybersecurity risks that could impede them (see Exhibit 2).

Exhibit 2: Strategic Objective Examples and Related Cybersecurity Risks
(Note: Example Only, Not Comprehensive)

Objective: Globalization ("We will expand globally.")
Cybersecurity risks:
o Untrusted IT equipment used in foreign offices
o Third party with unrestricted access to customer information
o Unsecured mobile devices
o Poor personnel screening practices

Objective: Supply Chain ("We must ensure our supply chain operations are not interrupted.")
Cybersecurity risks:
o Malware introduced from third-party suppliers
o Non-transparent supplier security practices
o Corrupted data in business process workflows
o DDoS exposures in web-facing applications

Objective: Research and Development ("We will innovate by providing our customers new digital offerings.")
Cybersecurity risks:
o Poorly protected source code for new digital product
o Development environment is open to many individuals
o Poor situational awareness of internal access to sensitive R&D information

Step 2: Apply a Risk-based Prioritization

It is unlikely that you will have the resources or time to focus on all parts of your business. You will need to prioritize. Leading companies often use threat and risk workshops to help identify and prioritize cyber risks, while gaining key points of consensus along the way. During these workshops, you will need to explore your risk tolerance as it relates to the various parts of your business. You may consider discussing potential strategic surprise threats that could deliver large-scale negative impact to the business. By conducting this exercise, you should gain a clear prioritization of the cyber risks that you need to address first.

Step 3: Assess Your Maturity

Once you identify your risk priorities, you can then begin to understand what control families would likely mitigate that risk. As mentioned above, your maturity model should address both functional and enabling control families. Addressing a risk will often involve multiple control families, and the integration of these families is critical to a robust and cohesive cybersecurity program. Exhibit 3 lists a high-level summary of which security control families could likely address a given risk.

Exhibit 3: Sample Cybersecurity Risks and Applicable Control Families

Objective and sample cybersecurity risk:
1. Globalization: Unsecured mobile devices
2. Supply Chain: Non-transparent supplier security practices
3. Research and Development: Poor awareness of internal access to sensitive R&D information

Sample applicable control families (in the order listed in the exhibit):
o Mobile Security
o Strategy & Policy
o Governance
o Strategy & Policy
o Supplier Security Management
o Personnel Screening
o Situational Awareness
o Situational Awareness

Now that you have an idea of (1) your biggest risks and (2) which cybersecurity control families most closely map to them, it is time to assess maturity. Perhaps you would like to understand organizational preparedness for poor situational awareness (risk #3). In this scenario, three primary control families are most applicable to helping mitigate this risk, and we would need to assess maturity for them all. To illustrate, we'll assess maturity in the situational awareness control family (see Exhibit 4).

Exhibit 4: Representative Assessment of the Situational Awareness Control Family
(Chart: baseline maturity of People, Process, and Technology for the control objectives Security Event Collection, Security Event Analysis, and Security Event Response, on a scale of Lead, Bronze, Silver, Gold, Platinum.)

To assess the maturity of the situational awareness control family, you need to break it down into discrete, manageable elements that you can assess, called control objectives. These control objectives are areas and actions you need to perform well in order to increase your capability for that control family. In this case, the elements that make up situational awareness are Security Event Collection, Analysis, and Response. Enhance your capabilities with these, and you will strengthen your situational awareness.

Before you can assess where you need to be, you should first understand where you are today. Consider how effective your processes and technology are performing for each control objective. You also need to look at how well your people are performing within the entire control family. Note that since the same people cut across control objectives, they are usually assessed separately. You should have well-defined indicators of each level of maturity ("Lead" through "Platinum" levels). These are concrete actions and characteristics that help you gauge your current baseline maturity. If you are using a company with a maturity model, be sure that they have developed clear and well-vetted levels that map to industry best practices. Otherwise, you will be measuring your maturity by gut instinct alone.
Across the three objectives within this control family, maturity varies widely across the dimensions of people, process, and technology. The organization's process and technology maturity to collect and analyze event data is very low, meaning it would be very difficult to track internal employee access to sensitive R&D information. On the other hand, the people who conduct situational awareness activities have requisite skills and abilities. To manage this risk, however, the organization will need to invest in maturing the processes and technologies for event collection and analysis.

Step 4: Make a Plan

After understanding your program's baseline maturity, you will need to establish your target states. Make sure these targets are relevant to your organization, industry, and strategic objectives. Don't assume that every control family needs to be at the highest maturity level; that will be a very expensive and unnecessary mistake. You will need to define the target states that make the most sense for the amount of risk that your business leaders will tolerate. Once you have target states set and your gaps identified, you can begin to think of the gap-closing options to meet those target states. Patterns and priorities should begin to emerge. Keep in mind that the maturity ratings are much less important than the reasons behind them. This process should surface the specific challenges you need to address, regardless of the specific rating.

From the gaps and priorities of your maturity assessment, you can build your plan. Identify the most critical needs, as well as what you can accomplish in the short and long term. Create a roadmap that shapes these needs into concrete initiatives. Each initiative should have a defined beginning, end, owners, timelines, resource requirements, and key dependencies. You should align your investment strategy behind these initiatives and map them back to the strategic initiatives that you identified at the beginning of this process.
As you implement them, be sure to track your progress and report back to your executive leadership. You should be able to describe your efforts in the business context that your senior leaders will understand.

Example in Action: Top Financial Institution Integrates Corporate and Cybersecurity Strategies to Maximize Protection against Cyber Threats

Challenge: Recognizing the key role of cybersecurity in their operations and objectives, the board of directors of a global Fortune 100 financial institution mandated a comprehensive review of the security program and an investment strategy that would enable the company's strategic objectives. Although they were in compliance with federal regulations, they knew that there was a difference between being compliant and having strong cybersecurity. The organization needed a partner with an effective maturity model that was robust, comprehensive, and developed from industry best practices. They did not have the time, experience, or budget to develop one themselves, and they also felt the need for an objective perspective, so they came to Booz Allen Hamilton.

Solution: Booz Allen worked with stakeholders to identify key threats facing the organization in the next 5 years, assess the maturity of its cyber program (focusing on 24 functional and enabling control families), and analyze organizational readiness to develop its program. The organization also collaborated with Booz Allen to compare the key findings, gaps, and recommendations from the maturity and organizational assessments to its draft investment plan. The client organization was able to use Booz Allen's proprietary maturity model to install a simplified, rational, and easy-to-communicate framework to engage stakeholders and enhance bank security. Through a series of threat workshops, the client was able to use this framework to identify and prioritize current and future threats, including emerging and "surprise" threats that it might encounter over the next 5 years. For the maturity assessment, the client organization utilized Booz Allen's CyberM3 Reference Model, which helped identify key gap areas. Through collaboration with Booz Allen, the security organization was able to identify sensible recommendations for improving the security program. Together, the teams reviewed the client's existing investment strategy, and provided key recommendations that helped stakeholders successfully shape the organization's roadmap and program for the next 5 years.

Result: By engaging Booz Allen experts and its maturity-based reference model, the board of directors was able to successfully merge the organization's security and corporate strategies to maximize protection against the increasing cybersecurity threat.

Conclusion

As businesses adapt to running at the speed of cyber, they rush to apply standards and frameworks to help them make sense of it all. But there is no standard for security. There are no boxes you can check, and no matter how compliant you are, it does not mean you are any more secure. The solution is more difficult than that. It takes a deeper understanding of where your company wants to go and how your security program will help your company get there. It takes an honest assessment of your current maturity and a vision of where it needs to be. It takes smart decisions about where you invest your limited resources. Your Board of Directors and your CEO are looking to you for answers. That's because they know that cybersecurity is critical to their success. They know that cybersecurity is now a business enabler.

About the Authors

Matthew Doan is a Senior Associate in Booz Allen's commercial cyber practice. In his role, he works with leaders across multiple industries in aligning cyber security programs to manage risk and meet the needs of the business. Mr. Doan specializes in programmatic assessment, enterprise risk management, strategy-setting, and organizational design.

Ian Bramson is a Lead Associate at Booz Allen, focusing on addressing challenges for commercial clients. Mr. Bramson blends business, technology, and strategy to develop enterprise cyber security solutions across multiple industries and the public sector. He specializes in strategic planning, organizational design, cyber diagnostics, governance, and change management.

Laura Eise is a cybersecurity consultant in Booz Allen's commercial cyber practice. She works across multiple industries to assess and mature cybersecurity programs, and develop reference models for solving cyber challenges. Ms. Eise specializes in risk management, strategy development, training, and awareness.

About Booz Allen

Booz Allen Hamilton has been at the forefront of strategy and technology consulting for nearly a century. The firm provides business and technology solutions to major corporations in the financial services, health, and energy markets, leveraging capabilities and expertise developed over decades of helping US government clients in the defense, intelligence, and civil markets solve their toughest problems. Booz Allen is headquartered in McLean, Virginia, employs approximately 23,000 people, and had revenue of $5.76 billion for the 12 months ended March 31, In 2014, Booz Allen celebrates its 100th anniversary year. To learn more, visit www.boozallen.com. (NYSE: BAH)

Contact Information:
Matthew Doan, Senior Associate, doan_matthew@bah.com
Ian Bramson, Lead Associate, bramson_ian@bah.com
Laura Eise, Lead Associate, eise_laura@bah.com

To learn more about the firm and to download digital versions of this article and other Booz Allen Hamilton publications, visit

Principal Offices

Huntsville, Alabama; Sierra Vista, Arizona; Los Angeles, California; San Diego, California; San Francisco, California; Colorado Springs, Colorado; Denver, Colorado; District of Columbia; Orlando, Florida; Pensacola, Florida; Sarasota, Florida; Tampa, Florida; Atlanta, Georgia; Honolulu, Hawaii; O'Fallon, Illinois; Indianapolis, Indiana; Leavenworth, Kansas; Aberdeen, Maryland; Annapolis Junction, Maryland; Hanover, Maryland; Lexington Park, Maryland; Linthicum, Maryland; Rockville, Maryland; Troy, Michigan; Kansas City, Missouri; Omaha, Nebraska; Red Bank, New Jersey; New York, New York; Rome, New York; Dayton, Ohio; Philadelphia, Pennsylvania; Charleston, South Carolina; Houston, Texas; San Antonio, Texas; Abu Dhabi, United Arab Emirates; Alexandria, Virginia; Arlington, Virginia; Chantilly, Virginia; Charlottesville, Virginia; Falls Church, Virginia; Herndon, Virginia; McLean, Virginia; Norfolk, Virginia; Stafford, Virginia; Seattle, Washington

The most complete, recent list of offices and their addresses and telephone numbers can be found on

Booz Allen Hamilton Inc


More information

FFIEC Cybersecurity Assessment Tool Overview for Chief Executive Officers and Boards of Directors

FFIEC Cybersecurity Assessment Tool Overview for Chief Executive Officers and Boards of Directors Overview for Chief Executive Officers and Boards of Directors In light of the increasing volume and sophistication of cyber threats, the Federal Financial Institutions Examination Council 1 (FFIEC) developed

More information

Enabling Cloud Analytics with Data-Level Security

Enabling Cloud Analytics with Data-Level Security Enabling Cloud Analytics with Data-Level Security Tapping the Full Value of Big Data and the Cloud by Jason Escaravage escaravage_jason@bah.com Peter Guerra guerra_peter@bah.com Table of Contents Introduction...

More information

by Keith Catanzano catanzano_keith@bah.com

by Keith Catanzano catanzano_keith@bah.com Enhanced Training for a 21st-Century Military A convergence of new technologies and advanced learning techniques will help the military meet its growing training requirements, despite budget constraints

More information

CYBER4SIGHT TM THREAT INTELLIGENCE SERVICES ANTICIPATORY AND ACTIONABLE INTELLIGENCE TO FIGHT ADVANCED CYBER THREATS

CYBER4SIGHT TM THREAT INTELLIGENCE SERVICES ANTICIPATORY AND ACTIONABLE INTELLIGENCE TO FIGHT ADVANCED CYBER THREATS CYBER4SIGHT TM THREAT INTELLIGENCE SERVICES ANTICIPATORY AND ACTIONABLE INTELLIGENCE TO FIGHT ADVANCED CYBER THREATS PREPARING FOR ADVANCED CYBER THREATS Cyber attacks are evolving faster than organizations

More information

Why you should adopt the NIST Cybersecurity Framework

Why you should adopt the NIST Cybersecurity Framework www.pwc.com/cybersecurity Why you should adopt the NIST Cybersecurity Framework May 2014 The National Institute of Standards and Technology Cybersecurity Framework may be voluntary, but it offers potential

More information

Cybersecurity: Mission integration to protect your assets

Cybersecurity: Mission integration to protect your assets Cybersecurity: Mission integration to protect your assets C Y B E R S O L U T I O N S P O L I C Y O P E R AT I O N S P E O P L E T E C H N O L O G Y M A N A G E M E N T Ready for what s next Cyber solutions

More information

Cybersecurity Framework. Executive Order 13636 Improving Critical Infrastructure Cybersecurity

Cybersecurity Framework. Executive Order 13636 Improving Critical Infrastructure Cybersecurity Cybersecurity Framework Executive Order 13636 Improving Critical Infrastructure Cybersecurity National Institute of Standards and Technology (NIST) Mission To promote U.S. innovation and industrial competitiveness

More information

How To Write A Cybersecurity Framework

How To Write A Cybersecurity Framework NIST Cybersecurity Framework Overview Executive Order 13636 Improving Critical Infrastructure Cybersecurity 2nd ENISA International Conference on Cyber Crisis Cooperation and Exercises Executive Order

More information

Marshaling Data for Enterprise Insights A 10-Year Vision for the US Department of Homeland Security

Marshaling Data for Enterprise Insights A 10-Year Vision for the US Department of Homeland Security Marshaling Data for Enterprise Insights A 10-Year Vision for the US Department of Homeland Security Marshaling Data for Enterprise Insights A 10-Year Vision for the US Department of Homeland Security As

More information

The Integrated Data Exchange Program

The Integrated Data Exchange Program From Stovepipes to Secure Exchanges An Integrated Approach to Protecting Shared Federal Data by Greg Brill brill_gregory@bah.com Khurram Chaudry chaudry_khurram@bah.com From Stovepipes to Secure Exchanges

More information

The Emergence of the ISO in Community Banking Patrick H. Whelan CISA IT Security & Compliance Consultant

The Emergence of the ISO in Community Banking Patrick H. Whelan CISA IT Security & Compliance Consultant THE MARKET LEADER IN IT, SECURITY AND COMPLIANCE SERVICES FOR COMMUNITY FINANCIAL INSTITUTIONS The Emergence of the ISO in Community Banking Patrick H. Whelan CISA IT Security & Compliance Consultant Agenda

More information

Confronting Complexity in Managing a Cyber Crisis Lessons Learned for Responding at Network Speed

Confronting Complexity in Managing a Cyber Crisis Lessons Learned for Responding at Network Speed Confronting Complexity in Managing a Cyber Crisis Lessons Learned for Responding at Network Speed by Admiral Mike McConnell, USN, Retired Senior Executive Advisor, Former Vice Chairman Former Director

More information

Cyber4sight TM Threat. Anticipatory and Actionable Intelligence to Fight Advanced Cyber Threats

Cyber4sight TM Threat. Anticipatory and Actionable Intelligence to Fight Advanced Cyber Threats Cyber4sight TM Threat Intelligence Services Anticipatory and Actionable Intelligence to Fight Advanced Cyber Threats Preparing for Advanced Cyber Threats Cyber attacks are evolving faster than organizations

More information

Integrated Risk Management. Balancing Risk and Budget

Integrated Risk Management. Balancing Risk and Budget Integrated Risk Management The Current Risk Landscape Organizations which depend upon information systems are challenged by serious threats that can exploit both known and unknown vulnerabilities in systems.

More information

Cybersecurity Framework: Current Status and Next Steps

Cybersecurity Framework: Current Status and Next Steps Cybersecurity Framework: Current Status and Next Steps Federal Advisory Committee on Insurance November 6, 2014 Adam Sedgewick Senior IT Policy Advisor Adam.Sedgewick@nist.gov National Institute of Standards

More information

Job Market Intelligence:

Job Market Intelligence: March 2014 Job Market Intelligence: Report on the Growth of Cybersecurity Jobs Matching People & Jobs Reemployment & Education Pathways Resume Parsing & Management Real-Time Jobs Intelligence Average #

More information

Cybersecurity in the Utilities Sector Best Practices and Implementation 2014 Canadian Utilities IT & Telecom Conference September 24, 2014

Cybersecurity in the Utilities Sector Best Practices and Implementation 2014 Canadian Utilities IT & Telecom Conference September 24, 2014 Cybersecurity in the Utilities Sector Best Practices and Implementation 2014 Canadian Utilities IT & Telecom Conference September 24, 2014 Victoria Yan Pillitteri Advisor for Information Systems Security

More information

A Guide to Successfully Implementing the NIST Cybersecurity Framework. Jerry Beasley CISM and TraceSecurity Information Security Analyst

A Guide to Successfully Implementing the NIST Cybersecurity Framework. Jerry Beasley CISM and TraceSecurity Information Security Analyst TRACESECURITY WHITE PAPER GRC Simplified... Finally. A Guide to Successfully Implementing the NIST Cybersecurity Framework Jerry Beasley CISM and TraceSecurity Information Security Analyst TRACESECURITY

More information

Critical Infrastructure Cybersecurity Framework. Overview and Status. Executive Order 13636 Improving Critical Infrastructure Cybersecurity

Critical Infrastructure Cybersecurity Framework. Overview and Status. Executive Order 13636 Improving Critical Infrastructure Cybersecurity Critical Infrastructure Cybersecurity Framework Overview and Status Executive Order 13636 Improving Critical Infrastructure Cybersecurity Executive Order: Improving Critical Infrastructure Cybersecurity

More information

The NIST Cybersecurity Framework

The NIST Cybersecurity Framework View the online version at http://us.practicallaw.com/5-599-6825 The NIST Cybersecurity Framework RICHARD RAYSMAN, HOLLAND & KNIGHT LLP AND JOHN ROGERS, BOOZ ALLEN HAMILTON A Practice Note discussing the

More information

IT Insights. Managing Third Party Technology Risk

IT Insights. Managing Third Party Technology Risk IT Insights Managing Third Party Technology Risk According to a recent study by the Institute of Internal Auditors, more than 65 percent of organizations rely heavily on third parties, yet most allocate

More information

Pulling Up Your SOX. Companies Can Gain from Compliance with U.S. Governance Act. Lisa Fabish fabish_lisa@bah.com. Stuart Groves groves_stuart@bah.

Pulling Up Your SOX. Companies Can Gain from Compliance with U.S. Governance Act. Lisa Fabish fabish_lisa@bah.com. Stuart Groves groves_stuart@bah. by Lisa Fabish fabish_lisa@bah.com Stuart Groves groves_stuart@bah.com Robert Oushoorn oushoorn_robert@bah.com Otto Waterlander waterlander_otto@bah.com Pulling Up Your SOX Companies Can Gain from Compliance

More information

Framework for Improving Critical Infrastructure Cybersecurity

Framework for Improving Critical Infrastructure Cybersecurity Framework for Improving Critical Infrastructure Cybersecurity Executive Order 13636 Improving Critical Infrastructure Cybersecurity 2014 ISACA Pittsburgh Information Security Awareness Day Victoria Yan

More information

White Paper Achieving GLBA Compliance through Security Information Management. White Paper / GLBA

White Paper Achieving GLBA Compliance through Security Information Management. White Paper / GLBA White Paper Achieving GLBA Compliance through Security Information Management White Paper / GLBA Contents Executive Summary... 1 Introduction: Brief Overview of GLBA... 1 The GLBA Challenge: Securing Financial

More information

Booz Allen Hamilton Systems Delivery Group

Booz Allen Hamilton Systems Delivery Group Booz Allen Hamilton Systems Delivery Group Booz Allen Hamilton Systems Delivery Group Systems Delivery at Booz Allen In today s environment, large software projects routinely run significantly over budget

More information

BIG SHIFTS WHAT S NEXT IN AML

BIG SHIFTS WHAT S NEXT IN AML Commercial Solutions Financial Crimes Commercial Solutions BIG SHIFTS WHAT S NEXT IN AML The next big shift in the fight against financial crime and money laundering is advanced machine learning and sophisticated

More information

The Federal Government s Key Role in Healthcare Innovation

The Federal Government s Key Role in Healthcare Innovation The Federal Government s Key Role in Healthcare Innovation by Lucy Stribley Stribley_lucy@bah.com Lisa Egbuonu-Davis, MD Egbuonu-davis_lisa@bah.com Patrick Fritz Fritz_patrick@bah.com The Federal Government

More information

Cyber Training. Developing the Next Generation of Cyber Analysts. Ready for what s next.

Cyber Training. Developing the Next Generation of Cyber Analysts. Ready for what s next. Cyber Training Developing the Next Generation of Cyber Analysts Ready for what s next. Table of Contents The Crisis Moment...1 The Cyber Skills Gap...1 Developing a World-Class Cyber Workforce...2 Emulating

More information

IRS DECLARES NOV. 14 AS SPECIAL TAXPAYER PROBLEM SOLVING DAY. WASHINGTON -- The Internal Revenue Service will reach out to help taxpayers

IRS DECLARES NOV. 14 AS SPECIAL TAXPAYER PROBLEM SOLVING DAY. WASHINGTON -- The Internal Revenue Service will reach out to help taxpayers IRS DECLARES NOV. 14 AS SPECIAL TAXPAYER PROBLEM SOLVING DAY WASHINGTON -- The Internal Revenue Service will reach out to help taxpayers across the country Nov. 14 in a special Saturday trouble-shooting

More information

RE: Experience with the Framework for Improving Critical Infrastructure Cybersecurity

RE: Experience with the Framework for Improving Critical Infrastructure Cybersecurity October 10, 2014 Ms. Diane Honeycutt National Institute of Standards and Technology 100 Bureau Drive, Stop 8930 Gaithersburg, MD 20899 RE: Experience with the Framework for Improving Critical Infrastructure

More information

Harnessing Big Data to Solve Complex Problems: The Cloud Analytics Reference Architecture

Harnessing Big Data to Solve Complex Problems: The Cloud Analytics Reference Architecture Harnessing Big Data to Solve Complex Problems: The Cloud Analytics Reference Architecture Table of Contents Introduction... 1 Cloud Analytics Reference Architecture... 1 Using All the Data... 3 Better

More information

Management Spans and Layers. Streamlining the Out-of-Shape Organization

Management Spans and Layers. Streamlining the Out-of-Shape Organization Management Spans and Layers Streamlining the Out-of-Shape Organization Originally published as: Management Spans and Layers: Streamlining the Out-of-Shape Organization, by Ian Buchanan, Jong Hyun Chang,

More information

Data Lake-based Approaches to Regulatory- Driven Technology Challenges

Data Lake-based Approaches to Regulatory- Driven Technology Challenges Data Lake-based Approaches to Regulatory- Driven Technology Challenges How a Data Lake Approach Improves Accuracy and Cost Effectiveness in the Extract, Transform, and Load Process for Business and Regulatory

More information

Framework for Improving Critical Infrastructure Cybersecurity

Framework for Improving Critical Infrastructure Cybersecurity Framework for Improving Critical Infrastructure Cybersecurity Implementation of Executive Order 13636 NARUC Winter Committee Meeting Committee & Staff Committee on Critical Infrastructure February 15,

More information

Information About Filing a Case in the United States Tax Court. Attached are the forms to use in filing your case in the United States Tax Court.

Information About Filing a Case in the United States Tax Court. Attached are the forms to use in filing your case in the United States Tax Court. Information About Filing a Case in the United States Tax Court Attached are the forms to use in filing your case in the United States Tax Court. It is very important that you take time to carefully read

More information

Mobile Application Security. Helping Organizations Develop a Secure and Effective Mobile Application Security Program

Mobile Application Security. Helping Organizations Develop a Secure and Effective Mobile Application Security Program Mobile Application Security Helping Organizations Develop a Secure and Effective Mobile Application Security Program by James Fox fox_james@bah.com Shahzad Zafar zafar_shahzad@bah.com Mobile applications

More information

CyberM 3 Business Enablement: Cybersecurity That Empowers Your Business with Comprehensive Information Security

CyberM 3 Business Enablement: Cybersecurity That Empowers Your Business with Comprehensive Information Security CyberM 3 Business Enablement: Cybersecurity That Empowers Your Business with Comprehensive Information Security The Challenge Is Constant: Complex Operations Are Ripe for Cyber Attack Sophisticated, complex

More information

America s New Cybersecurity Framework: Help or New Source of Exposure?

America s New Cybersecurity Framework: Help or New Source of Exposure? America s New Cybersecurity Framework: Help or New Source of Exposure? BY BEHNAM DAYANIM, RYAN NIER & ELIZABETH DORSI March 2014 Data theft is on the rise, and the federal government is concerned. In 2013

More information

Massive Data Analytics and the Cloud A Revolution in Intelligence Analysis

Massive Data Analytics and the Cloud A Revolution in Intelligence Analysis Massive Data Analytics and the Cloud A Revolution in Intelligence Analysis by Michael Farber farber_michael@bah.com Mike Cameron cameron_mike@bah.com Christopher Ellis ellis_christopher@bah.com Josh Sullivan,

More information

cyberr by e-management The Leader in Cybersecurity Risk Intelligence (RI) Cybersecurity Risk: What You Don t Know CAN Hurt You!

cyberr by e-management The Leader in Cybersecurity Risk Intelligence (RI) Cybersecurity Risk: What You Don t Know CAN Hurt You! cyberr by e-management The Leader in Cybersecurity Risk Intelligence (RI) Cybersecurity Risk: What You Don t Know CAN Hurt You! Cybersecurity is all over the news. Target, University of Maryland, Neiman

More information

White Paper on Financial Industry Regulatory Climate

White Paper on Financial Industry Regulatory Climate White Paper on Financial Industry Regulatory Climate According to a 2014 report on threats to the financial services sector, 45% of financial services organizations polled had suffered economic crime during

More information

Job Market Intelligence: Cybersecurity Jobs, 2015. 2015 Burning Glass Technologies

Job Market Intelligence: Cybersecurity Jobs, 2015. 2015 Burning Glass Technologies Job Market Intelligence: Cybersecurity Jobs, 2015 Introduction: Cybersecurity and the Job Market American employers have realized the vital importance of cybersecurity but that realization has created

More information

Diane Honeycutt National Institute of Standards and Technology (NIST) 100 Bureau Drive, Stop 8930 Gaithersburg, MD 20899

Diane Honeycutt National Institute of Standards and Technology (NIST) 100 Bureau Drive, Stop 8930 Gaithersburg, MD 20899 Submitted via email: cyberframework@nist.gov April 8, 2013 Diane Honeycutt National Institute of Standards and Technology (NIST) 100 Bureau Drive, Stop 8930 Gaithersburg, MD 20899 Re: Developing a Framework

More information

Executive Order 13636: The Healthcare Sector and the Cybersecurity Framework. September 23, 2014

Executive Order 13636: The Healthcare Sector and the Cybersecurity Framework. September 23, 2014 Executive Order 13636: The Healthcare Sector and the Cybersecurity Framework September 23, 2014 Executive Order: Improving Critical Infrastructure Cybersecurity It is the policy of the United States to

More information

SEC Cybersecurity Findings May Establish De Facto Standard

SEC Cybersecurity Findings May Establish De Facto Standard Portfolio Media. Inc. 860 Broadway, 6th Floor New York, NY 10003 www.law360.com Phone: +1 646 783 7100 Fax: +1 646 783 7161 customerservice@law360.com SEC Cybersecurity Findings May Establish De Facto

More information

The Obama Administration and Community Health Centers

The Obama Administration and Community Health Centers The Obama Administration and Community Health Centers Community health centers are a critical source of health care for millions of Americans particularly those in underserved communities. Thanks primarily

More information

NON-RESIDENT INDEPENDENT, PUBLIC, AND COMPANY ADJUSTER LICENSING CHECKLIST

NON-RESIDENT INDEPENDENT, PUBLIC, AND COMPANY ADJUSTER LICENSING CHECKLIST NON-RESIDENT INDEPENDENT, PUBLIC, AND COMPANY ADJUSTER LICENSING CHECKLIST ** Utilize this list to determine whether or not a non-resident applicant may waive the Oklahoma examination or become licensed

More information

THE DIGITAL AGE THE DEFINITIVE CYBERSECURITY GUIDE FOR DIRECTORS AND OFFICERS

THE DIGITAL AGE THE DEFINITIVE CYBERSECURITY GUIDE FOR DIRECTORS AND OFFICERS THE DIGITAL AGE THE DEFINITIVE CYBERSECURITY GUIDE FOR DIRECTORS AND OFFICERS Download the entire guide and follow the conversation at SecurityRoundtable.org Collaboration and communication between technical

More information

The Economics of Cloud Computing

The Economics of Cloud Computing The Economics of Cloud Computing Addressing the Benefits of Infrastructure in the Cloud by Ted Alford alford_theodore@bah.com Gwen Morton morton_gwen@bah.com The Economics of Cloud Computing Addressing

More information

Public School Teacher Experience Distribution. Public School Teacher Experience Distribution

Public School Teacher Experience Distribution. Public School Teacher Experience Distribution Public School Teacher Experience Distribution Lower Quartile Median Upper Quartile Mode Alabama Percent of Teachers FY Public School Teacher Experience Distribution Lower Quartile Median Upper Quartile

More information

PROTIVITI FLASH REPORT

PROTIVITI FLASH REPORT PROTIVITI FLASH REPORT Cybersecurity Framework: Where Do We Go From Here? February 25, 2014 Just over a year ago, President Barack Obama signed an Executive Order (EO) calling for increased cybersecurity

More information

CORE Security and GLBA

CORE Security and GLBA CORE Security and GLBA Addressing the Graham-Leach-Bliley Act with Predictive Security Intelligence Solutions from CORE Security CORE Security +1 617.399-6980 info@coresecurity.com www.coresecurity.com

More information

Booz Allen Cloud Solutions. Our Capability-Based Approach

Booz Allen Cloud Solutions. Our Capability-Based Approach Booz Allen Cloud Solutions Our Capability-Based Approach Booz Allen Cloud Solutions Our Capability-Based Approach Booz Allen Cloud Solutions Our Capability-Based Approach In today s budget-conscious environment,

More information

Rapid Prototyping. The Agile Creation of Solutions for Modern Defense & Intelligence. by Lee Wilbur wilbur_lee@bah.com

Rapid Prototyping. The Agile Creation of Solutions for Modern Defense & Intelligence. by Lee Wilbur wilbur_lee@bah.com Rapid Prototyping The Agile Creation of Solutions for Modern Defense & Intelligence by Lee Wilbur wilbur_lee@bah.com Allan Steinhardt steinhardt_allan@bah.com Rapid Prototyping The Agile Creation of Solutions

More information

FFIEC Cybersecurity Assessment Tool

FFIEC Cybersecurity Assessment Tool Overview In light of the increasing volume and sophistication of cyber threats, the Federal Financial Institutions Examination Council 1 (FFIEC) developed the Cybersecurity Tool (), on behalf of its members,

More information

April 8, 2013. Ms. Diane Honeycutt National Institute of Standards and Technology 100 Bureau Drive, Stop 8930 Gaithersburg, MD 20899

April 8, 2013. Ms. Diane Honeycutt National Institute of Standards and Technology 100 Bureau Drive, Stop 8930 Gaithersburg, MD 20899 Salt River Project P.O. Box 52025 Mail Stop: CUN204 Phoenix, AZ 85072 2025 Phone: (602) 236 6011 Fax: (602) 629 7988 James.Costello@srpnet.com James J. Costello Director, Enterprise IT Security April 8,

More information

NIST Cybersecurity Framework Impacting Your Company? April 24, 2014 Presented By Sheila FitzPatrick, NetApp Jeff Greene, Symantec Andy Serwin, MoFo

NIST Cybersecurity Framework Impacting Your Company? April 24, 2014 Presented By Sheila FitzPatrick, NetApp Jeff Greene, Symantec Andy Serwin, MoFo 2014 Morrison & Foerster LLP All Rights Reserved mofo.com NIST Cybersecurity Framework Impacting Your Company? April 24, 2014 Presented By Sheila FitzPatrick, NetApp Jeff Greene, Symantec Andy Serwin,

More information

Fast Facts About The Cyber Security Job Market

Fast Facts About The Cyber Security Job Market Cybersecurity Cybersecurity is the measures taken to protect a computer or computer system (as on the Internet) against unauthorized access or attack. Cybersecurity is the faster growing IT job, growing

More information

CLOSING THE DOOR TO CYBER ATTACKS HOW ENTERPRISES CAN IMPLEMENT COMPREHENSIVE INFORMATION SECURITY

CLOSING THE DOOR TO CYBER ATTACKS HOW ENTERPRISES CAN IMPLEMENT COMPREHENSIVE INFORMATION SECURITY CLOSING THE DOOR TO CYBER ATTACKS HOW ENTERPRISES CAN IMPLEMENT COMPREHENSIVE INFORMATION SECURITY CLOSING THE DOOR TO CYBER ATTACKS Cybersecurity and information security have become key challenges for

More information

Think Outside Your ERP Mission-Focused Inventory Strategies

Think Outside Your ERP Mission-Focused Inventory Strategies Think Outside Your ERP Mission-Focused Inventory Strategies by Ray Haeme haeme_ray@bah.com Margo Cohen cohen_margo@bah.com Eric Michlowitz michlowitz_eric@bah.com Think Outside Your ERP Mission-Focused

More information

SOCIAL MEDIA MOBILE DEVICES CLOUD SERVICES INTERNET OF THINGS (IOT)

SOCIAL MEDIA MOBILE DEVICES CLOUD SERVICES INTERNET OF THINGS (IOT) INFORMATION SECURITY AND CYBER LIABILITY RISK MANAGEMENT THE FIFTH ANNUAL SURVEY ON THE CURRENT STATE OF AND TRENDS IN INFORMATION SECURITY AND CYBER LIABILITY RISK MANAGEMENT Sponsored by October 2015

More information

How To Understand And Manage Cybersecurity Risk

How To Understand And Manage Cybersecurity Risk White Paper A Framework to Gauge Cyber Defenses NIST s Cybersecurity Framework Helps Critical Infrastructure Owners to Cost-Effectively Defend National & Economic Security of the U.S. Executive Summary

More information

Marriage Equality Relationships in the States

Marriage Equality Relationships in the States Marriage Equality Relationships in the States January 7, 2015 The legal recognition of same-sex relationships has been a divisive issue across the United States, particularly during the past two decades.

More information

Impacts of Sequestration on the States

Impacts of Sequestration on the States Impacts of Sequestration on the States Alabama Alabama will lose about $230,000 in Justice Assistance Grants that support law STOP Violence Against Women Program: Alabama could lose up to $102,000 in funds

More information

istockphoto/ljupco 36 June 2015 practicallaw.com 2015 Thomson Reuters. All rights reserved.

istockphoto/ljupco 36 June 2015 practicallaw.com 2015 Thomson Reuters. All rights reserved. istockphoto/ljupco 36 June 2015 practicallaw.com The NIST Cybersecurity Framework Data breaches in organizations have rapidly increased in recent years. In 2014, the National Institute of Standards and

More information

Intel Security Professional Services Leveraging NIST Cybersecurity Framework (CSF): Complexity is the enemy of security

Intel Security Professional Services Leveraging NIST Cybersecurity Framework (CSF): Complexity is the enemy of security Intel Security Professional Services Leveraging NIST Cybersecurity Framework (CSF): Complexity is the enemy of security David Brezinski, Professional Services, Enterprise Security Architect Agenda Overview

More information

White Paper THE FIVE STEPS TO MANAGING THIRD-PARTY RISK. By James Christiansen, VP, Information Risk Management

White Paper THE FIVE STEPS TO MANAGING THIRD-PARTY RISK. By James Christiansen, VP, Information Risk Management White Paper THE FIVE STEPS TO MANAGING THIRD-PARTY RISK By James Christiansen, VP, Information Management Executive Summary The Common Story of a Third-Party Data Breach It begins with a story in the newspaper.

More information

Manned Information Security

Manned Information Security Manned Information Security Adversary Pursuit and Active Network Defense root9b Technologies (RTNB) Presented By: John Harbaugh, COO CONFIDENTIALITY NOTICE This briefing, including any attachments, is

More information

JOB ANNOUNCEMENT. Chief Security Officer, Cheniere Energy, Inc.

JOB ANNOUNCEMENT. Chief Security Officer, Cheniere Energy, Inc. JOB ANNOUNCEMENT Chief Security Officer, Cheniere Energy, Inc. Position Overview The Vice President and Chief Security Risk Officer (CSRO) reports to the Chairman, Chief Executive Officer and President

More information

Understanding the Affordable Care Act

Understanding the Affordable Care Act Understanding the Affordable Care Act The Affordable Care Act (officially called the Patient Protection and Affordable Care Act) is the law that mandates that everyone in the United States maintain health

More information

Cybersecurity Audit Why are we still Vulnerable? November 30, 2015

Cybersecurity Audit Why are we still Vulnerable? November 30, 2015 Cybersecurity Audit Why are we still Vulnerable? November 30, 2015 John R. Robles, CISA, CISM, CRISC www.johnrrobles.com jrobles@coqui.net 787-647-3961 John R. Robles- 787-647-3961 1 9/11-2001 The event

More information

Next-Generation Governance Enhanced Decisionmaking Through a Mission-Focused, Data-Driven Approach

Next-Generation Governance Enhanced Decisionmaking Through a Mission-Focused, Data-Driven Approach Next-Generation Governance Enhanced Decisionmaking Through a Mission-Focused, Data-Driven Approach April 2011 A white paper prepared by Booz Allen Hamilton: Center of Excellence for Strategic Technology

More information

IRS UNVEILS TOLL-FREE NUMBER, PREPARES FOR PROBLEM SOLVING DAY IN NEW ROUND OF TAXPAYER HELP

IRS UNVEILS TOLL-FREE NUMBER, PREPARES FOR PROBLEM SOLVING DAY IN NEW ROUND OF TAXPAYER HELP FOR RELEASE: 10/12/98 IR-98-67 IRS UNVEILS TOLL-FREE NUMBER, PREPARES FOR PROBLEM SOLVING DAY IN NEW ROUND OF TAXPAYER HELP WASHINGTON -- The Internal Revenue Service started a new round of taxpayer help

More information

Framework for Improving Critical Infrastructure Cybersecurity

Framework for Improving Critical Infrastructure Cybersecurity Framework for Improving Critical Infrastructure Cybersecurity Implementation of Executive Order 13636 8 April 2015 cyberframework@nist.gov Agenda Mission of NIST Cybersecurity at NIST Cybersecurity Framework

More information

Executive Summary. Cybersecurity cannot be completely solved, and will remain a risk we must actively manage.

Executive Summary. Cybersecurity cannot be completely solved, and will remain a risk we must actively manage. Executive Summary Statement of Nadya Bartol Vice President, Industry Affairs and Cybersecurity Strategist Utilities Telecom Council Before the Subcommittee on Oversight and Subcommittee on Energy Committee

More information

Cybersecurity: A View from the Boardroom

Cybersecurity: A View from the Boardroom An Executive Brief from Cisco Cybersecurity: A View from the Boardroom In the modern economy, every company runs on IT. That makes security the business of every person in the organization, from the chief

More information