Intel Security Professional Services Leveraging NIST Cybersecurity Framework (CSF): Complexity is the enemy of security
|
|
- Cecil Maxwell
- 8 years ago
- Views:
Transcription
1 Intel Security Professional Services Leveraging NIST Cybersecurity Framework (CSF): Complexity is the enemy of security David Brezinski, Professional Services, Enterprise Security Architect
2 Agenda Overview Where to begin What the NIST CSF is and is not Limitations of CSF CSF overview and components Methods and ideas for alignment Outcomes and evolution Final points of consideration An example: User and management security awareness 2
3 The definition of genius is taking the complex and making it simple. - Albert Einstein Why do things seem so complicated? 3
4 Where to begin Control standards, regulations and risk-management methodologies
5 NIST CSF What it is and why National Institute of Standards and Technology Cybersecurity Framework Encompasses security-risk across people and process as well; Not just technologycentric Use is voluntary Tool and method for evaluating current as is and developing to be security profile which facilitates creating a roadmap to improve posture Guidance created based on existing standards and best-practices (private and public sector were involved in the creation) Establishes a common language and taxonomy; simplifies communications between technical staff and business leaders Common categories of security activities mapped back to cybersecurity standards The CSF is a living document Why? Released (Version 1.0) February 12, 2014, it is in direct response and support of President Obama's February 2013 Executive Order "Improving Critical Infrastructure Cybersecurity." Helps organizations to identify, understand, manage and reduce cybersecurity risks by prioritizing security investments 5
6 NIST CSF What it is not National Institute of Standards and Technology Cybersecurity Framework Prescriptive An IT governance framework like CoBIT A replacement for existing risk management methodologies (but can augment and compliment OR fill gap if none exists) Foolproof or a silver bullet. No, implementing the CSF does not mean your immune to being compromised! One size fits all approach A substitute for thoughtful review, evaluation and pragmatism in addressing risk concerns and priorities The Framework is not a one-size-fits-all approach to managing cybersecurity risk for critical infrastructure. Organizations will continue to have unique risks different threats, different vulnerabilities, different risk tolerances and how they implement the practices in the Framework will vary. Organizations can determine activities that are important to critical service delivery and can prioritize investments to maximize the impact of each dollar spent. Ultimately, the Framework is aimed at reducing and better managing cybersecurity risks. Source: NIST Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0, page 2. 6
7 Limitations of CSF Progress, not perfection Lack of data privacy standards No consideration for organizational unique threat adversaries, motivations and data/information assets (targets) Regulatory, statutory, contractual obligations Technical debt Timeframe and resources to fully adopt This is where specific organizational context is required 7
8 CSF - Overview Three primary components: 1) Profile: Comprised of two views; current as is and target to be 2) Implementation Tiers (1 4): Partial, Risk Informed, Repeatable, Adaptive 3) Core: - Functions: Identify, Protect, Detect, Respond, Recover - Categories, subcategories and Informative References Source for slide content: 8
9 CSF - Overview Implementation Tiers: Tier 1 Partial: Risk management process and program ad hoc, reactive. Cybersecurity activities and risk management visibility limited. Tier 2 Risk Informed: Risk management practices approved by management may not be fully established across organization. Cybersecurity activities and risk management concerns have some level of visibility but may not be all-encompassing across organization. Tier 3 Repeatable: Risk management practices are clearly approved and defined, adhered to and consistent methods in place to respond to and address risks across the organization. Tier 4 Adaptive: Organization adapts, evolves risk management, cybersecurity practices based on lessons learned and predictive analysis. Cybersecurity risk management is part of culture. Tiers can provide context for the organization relative to how they view and manage cybersecurity risks Source for slide content: 9
10 CSF - Overview Implementation Tiers Intel Example Tier 1 Tier 2 Tier 3 Tier 4 Source for slide content: STR-W01-Implementing-the-US-Cybersecurity-Framework-at-Intel-A-Case-Study_Final 10
11 CSF - Overview Core - Functions Identify Understanding of assets, data, systems and capabilities to effectively apply and manage cybersecurity risks Protect Controls and safeguards (processes, methods) to protect against cybersecurity threats Detect Methods for proactive and continuous monitoring, alerts and events Respond Incident response activities, procedures Recover Business continuity, resilience and breach recovery processes Source for slide content: 11
12 CSF - Overview Core - Categories Categories Data Security (DS): Protect information & data from natural and man-made hazards to achieve organizational Data Security (DS): Protect information & data from natural and man-made hazards to achieve organizational confidentiality, integrity, and availability requirements. Source for slide content: STR-W01-Implementing-the-US-Cybersecurity-Framework-at-Intel-A-Case-Study_Final 12
13 CSF - Overview Core Subcategories (getting more granular) Subcategories Data Security (DS): Protect information & data from natural and man-made hazards to achieve organizational PR.DS-1: Protect data (including phys records) during storage to achieve PR.DS-1: Protect data (including physical records) during storage to achieve confidentiality, integrity, and availability goals Source for slide content: STR-W01-Implementing-the-US-Cybersecurity-Framework-at-Intel-A-Case-Study_Final 13
14 CSF - Overview Core References (control frameworks) References Data Security (DS): Protect information & data from natural and man-made hazards to achieve organizational PR.DS-1: Protect data (including phys records) during storage to achieve COBIT APO01.06, BAI02.01 ISO/IEC A COBIT APO01.06, BAI02.01 ISO/IEC A CCS CSC 17 NIST SP Rev 4 SC-28 Source for slide content: STR-W01-Implementing-the-US-Cybersecurity-Framework-at-Intel-A-Case-Study_Final 14
15 CSF - Overview The CSF provides a common method for organizations to: 1. Baseline and describe as is current posture 2. Describe to be target state 3. Identify and prioritize improvements 4. Assess progress 5. Communicate to stakeholders Source for slide content: 15
16 CSF Methods and ideas for alignment Start small but think BIG: Identify stakeholders Core group Communicate Align on scope, expectations to pilot Tailor tiers (organizational context) SME s assess current state review, scores Create tool for assessment & identify SME s Validate targets with Core team Set Targets (profile) Compare current to targets Identify gaps Plan for drill down prioritization of strategy/plans Communicate recommendations 16
17 CSF Methods and ideas for alignment Recommend pilot of top level (categories) as starting point which will allow for: Identifying critical gap areas for further strategic investment, prioritization and focus Minimize getting bogged down by going too deep out of gate Create a consistent dialogue and vernacular within the organization relative to risk management and risk-posture baseline Crawl Walk then Run! Set expectations and align the organizational context to the CSF to maximize its use and benefit Starting point to better understand and articulate the complete risk picture across the organization Wash, rinse repeat. Lessons will be learned along the way. Make adjustments and keep the communication channels open 17
18 CSF Outcomes and evolution - examples SME roll-up of self-assessment (current profile against top-level categories): Evaluating by functional area provided greater insights Source for slide content: STR-W01-Implementing-the-US-Cybersecurity-Framework-at-Intel-A-Case-Study_Final 18
19 CSF Outcomes and evolution - examples SME roll-up of self-assessment (current profile against top-level categories) outliers and differences (gaps): Highlight outliers 1 1 Highlight major differences Source for slide content: STR-W01-Implementing-the-US-Cybersecurity-Framework-at-Intel-A-Case-Study_Final 19
20 CSF Outcomes and evolution - examples Results! Again, this in turn can be used for further strategic prioritization, resource investment and deeper assessment against specific and desired outcomes Category Actual Identify 3 Business Environment 2 Asset Management 2 Governance 4 Risk Assessment 2 Risk Management Strategy 2 Protect 2 Access Control 1 Awareness/Training 2 Data Security 2 Protective Process & Procedures 2 Maintenance 3 Protective Technologies 2 Detect 1 Anomalies/Events 3 Security Continuous Monitoring 4 Detection Process 2 Threat Intelligence 3 Respond 2 Response Planning 1 Communication 3 Analysis 2 Mitigations 2 Improvements 3 Recover 3 Recovery Planning 2 Improvements 2 Communications 4 Target Delta THE RISK LANDSCAPE! ACTUAL GAPS OVER Source for slide content: STR-W01-Implementing-the-US-Cybersecurity-Framework-at-Intel-A-Case-Study_Fina 20
21 Final points of consideration It is the start of a journey Enables continuity and continuous improvement Branch out and connect with partners and others who are taking this journey Keep it simple! Do not go too deep too fast or try to eat the elephant Understanding your cyber risk and managing cyber investment priorities allows for real advancements in your security program (quit playing Whac-a- Mole!) Leveraging the CSF can help drive better risk management, prioritized investments and foster better communication across state organizations 21
22 User and Management Security Awareness & Training 22
23 Every Organization has at least one Dave! 23
24 CSF Protect Awareness and training example Awareness and Training (PR.AT): The organization s personnel and partners are provided cybersecurity awareness education and are adequately trained to perform their information security-related duties and responsibilities consistent with related policies, procedures, and agreements. PR.AT-1: All users are informed and trained PR.AT-2: Privileged users understand roles & responsibilities PR.AT-3: Third-party stakeholders (e.g., suppliers, customers, partners) understand roles & responsibilities PR.AT-4: Senior executives understand roles & responsibilities PR.AT-5: Physical and information security personnel understand roles & responsibilities CCS CSC 9 COBIT 5 APO07.03, BAI05.07 ISA : ISO/IEC 27001:2013 A NIST SP Rev. 4 AT-2, PM-13 CCS CSC 9 COBIT 5 APO07.02, DSS06.03 ISA : , ISO/IEC 27001:2013 A.6.1.1, A NIST SP Rev. 4 AT-3, PM-13 CCS CSC 9 COBIT 5 APO07.03, APO10.04, APO10.05 ISA : ISO/IEC 27001:2013 A.6.1.1, A NIST SP Rev. 4 PS-7, SA-9 CCS CSC 9 COBIT 5 APO07.03 ISA : ISO/IEC 27001:2013 A.6.1.1, A.7.2.2, NIST SP Rev. 4 AT-3, PM-13 CCS CSC 9 COBIT 5 APO07.03 ISA : ISO/IEC 27001:2013 A.6.1.1, A.7.2.2, NIST SP Rev. 4 AT-3, PM-13 Source for slide content: 24
25 CSF Protect Awareness and training example Subcategory - PR.AT-1: All users are informed and trained Informative References CCS CSC 9 COBIT 5 APO07.03, BAI05.07 ISA : ISO/IEC 27001:2013 A NIST SP Rev. 4 AT-2, PM-13 Source for slide content: 25
26 References 26
27 References Intel RSA 2015 Presentation: Intel CSF white paper: NIST CSF Website: NIST Revision 4: NIST Cybersecurity Framework Version pdf 27
28 Thank, credits and contact info! To the Intel team! Blazing the trail and making the cyber world a safer place! Special thanks to Tim Casey (Tim.Casey@intel.com) for allowing me to borrow his work for this presentation. Thanks to Kent Landfield (Intel Security) for his review and input on the content and flow! Thank you to my Mom and Dad for bringing me into the world and my first picture being in a white hat. Coincidence? I think not! Contact info: David_Brezinski@mcafee.com, David.Brezinski@intel.com 28
29 .
Implementing the U.S. Cybersecurity Framework at Intel A Case Study
SESSION ID: STR-W01 Implementing the U.S. Cybersecurity Framework at Intel A Case Study Tim Casey Senior Strategic Risk Analyst Intel Information Security @timcaseycyber How would you represent your entire
More informationWhy you should adopt the NIST Cybersecurity Framework
www.pwc.com/cybersecurity Why you should adopt the NIST Cybersecurity Framework May 2014 The National Institute of Standards and Technology Cybersecurity Framework may be voluntary, but it offers potential
More informationFramework for Improving Critical Infrastructure Cybersecurity
Framework for Improving Critical Infrastructure Cybersecurity Version 1.0 National Institute of Standards and Technology February 12, 2014 Table of Contents Executive Summary...1 1.0 Framework Introduction...3
More informationFramework for Improving Critical Infrastructure Cybersecurity
Framework for Improving Critical Infrastructure Cybersecurity Version 1.0 National Institute of Standards and Technology February 12, 2014 Table of Contents Executive Summary...1 1.0 Framework Introduction...3
More informationNIST Cybersecurity Framework Sean Sweeney, Information Security Officer 5/20/2015
NIST Cybersecurity Framework Sean Sweeney, Information Security Officer 5/20/2015 Overview The University of Pittsburgh NIST Cybersecurity Framework Pitt NIST Cybersecurity Framework Program Wrap Up Questions
More informationImproving Critical Infrastructure Cybersecurity Executive Order 13636. Preliminary Cybersecurity Framework
1 Improving Critical Infrastructure Cybersecurity Executive Order 13636 Preliminary Cybersecurity Framework 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35
More informationThe President issued an Executive Order Improving Critical Infrastructure Cybersecurity, on February 2013.
The President issued an Executive Order Improving Critical Infrastructure Cybersecurity, on February 2013. The Executive Order calls for the development of a voluntary risk based Cybersecurity Framework
More informationCRR-NIST CSF Crosswalk 1
IDENTIFY (ID) Asset Management (AM): The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative
More informationWhy you should adopt the NIST Cybersecurity Framework
Why you should adopt the NIST Cybersecurity Framework It s important to note that the Framework casts the discussion of cybersecurity in the vocabulary of risk management Stating it in terms Executive
More informationThe Cybersecurity Framework in Action: An Intel Use Case
SOLUTION BRIEF Cybersecurity Framework Risk Management The Cybersecurity Framework in Action: An Intel Use Case Intel Publishes a Cybersecurity Framework Use Case Advancing cybersecurity across the global
More informationFramework for Improving Critical Infrastructure Cybersecurity
Framework for Improving Critical Infrastructure Cybersecurity January 2016 cyberframework@nist.gov Improving Critical Infrastructure Cybersecurity It is the policy of the United States to enhance the security
More informationNIST Cybersecurity Framework & A Tale of Two Criticalities
NIST Cybersecurity Framework & A Tale of Two Criticalities Vendor Management & Incident Response Presented by: John H Rogers, CISSP Advisory Services Practice Manager john.rogers@sagedatasecurity.com Presented
More informationUnderstanding the NIST Cybersecurity Framework September 30, 2014
Understanding the NIST Cybersecurity Framework September 30, 2014 Earlier this year the National Institute of Standard and Technology released the Framework for Improving Critical Infrastructure Cybersecurity
More informationBuilding Security In:
#CACyberSS2015 Building Security In: Intelligent Security Design, Development and Acquisition Steve Caimi Industry Solutions Specialist, US Public Sector Cybersecurity September 2015 A Little About Me
More informationExecutive Order 13636: The Healthcare Sector and the Cybersecurity Framework. September 23, 2014
Executive Order 13636: The Healthcare Sector and the Cybersecurity Framework September 23, 2014 Executive Order: Improving Critical Infrastructure Cybersecurity It is the policy of the United States to
More informationThe NIST Cybersecurity Framework
View the online version at http://us.practicallaw.com/5-599-6825 The NIST Cybersecurity Framework RICHARD RAYSMAN, HOLLAND & KNIGHT LLP AND JOHN ROGERS, BOOZ ALLEN HAMILTON A Practice Note discussing the
More informationPROTIVITI FLASH REPORT
PROTIVITI FLASH REPORT Cybersecurity Framework: Where Do We Go From Here? February 25, 2014 Just over a year ago, President Barack Obama signed an Executive Order (EO) calling for increased cybersecurity
More informationFramework for Improving Critical Infrastructure Cybersecurity
Framework for Improving Critical Infrastructure Cybersecurity Executive Order 13636 Improving Critical Infrastructure Cybersecurity 2014 ISACA Pittsburgh Information Security Awareness Day Victoria Yan
More informationCyber Security Framework: Intel s Implementation Tools & Approach
Cyber Security Framework: Intel s Implementation Tools & Approach Tim Casey Senior Strategic Risk Analyst @timcaseycyber NIST Workshop #6 October 29, 2014 Intel s Goals in Using the CSF Establish alignment
More informationHow To Understand And Manage Cybersecurity Risk
White Paper A Framework to Gauge Cyber Defenses NIST s Cybersecurity Framework Helps Critical Infrastructure Owners to Cost-Effectively Defend National & Economic Security of the U.S. Executive Summary
More informationCybersecurity in the Utilities Sector Best Practices and Implementation 2014 Canadian Utilities IT & Telecom Conference September 24, 2014
Cybersecurity in the Utilities Sector Best Practices and Implementation 2014 Canadian Utilities IT & Telecom Conference September 24, 2014 Victoria Yan Pillitteri Advisor for Information Systems Security
More informationDiscussion Draft of the Preliminary Cybersecurity Framework
1 Discussion Draft of the Preliminary Cybersecurity Framework August 28, 2013 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 A Discussion Draft of the Preliminary
More informationFramework for Improving Critical Infrastructure Cybersecurity
Framework for Improving Critical Infrastructure Cybersecurity Implementation of Executive Order 13636 NARUC Winter Committee Meeting Committee & Staff Committee on Critical Infrastructure February 15,
More informationNIST Cybersecurity Framework. ARC World Industry Forum 2014
NIST Cybersecurity Framework Vicky Yan Pillitteri NIST ARC World Industry Forum 2014 February 10-13, 2014 Orlando, FL Executive Order 13636 Improving Critical Infrastructure Cybersecurity It is the policy
More informationThe NIST Cybersecurity Framework (CSF) Unlocking CSF - An Educational Session
The NIST Cybersecurity Framework (CSF) Unlocking CSF - An Educational Session Robert Smith Systemwide IT Policy Director Compliance & Audit Educational Series 5/5/2016 1 Today s reality There are two kinds
More informationistockphoto/ljupco 36 June 2015 practicallaw.com 2015 Thomson Reuters. All rights reserved.
istockphoto/ljupco 36 June 2015 practicallaw.com The NIST Cybersecurity Framework Data breaches in organizations have rapidly increased in recent years. In 2014, the National Institute of Standards and
More informationHealth Industry Implementation of the NIST Cybersecurity Framework
Health Industry Implementation of the NIST Cybersecurity Framework A Collaborative Presentation by HHS, NIST, HITRUST, Deloitte and Seattle Children s Hospital 1 Your presenters HHS Steve Curren, Acting
More informationApplying IBM Security solutions to the NIST Cybersecurity Framework
IBM Software Thought Leadership White Paper August 2014 Applying IBM Security solutions to the NIST Cybersecurity Framework Help avoid gaps in security and compliance coverage as threats and business requirements
More informationVoluntary Cybersecurity Initiatives in Critical Infrastructure. Nadya Bartol, CISSP, SGEIT, nadya.bartol@utc.org. 2014 Utilities Telecom Council
Voluntary Cybersecurity Initiatives in Critical Infrastructure Nadya Bartol, CISSP, SGEIT, nadya.bartol@utc.org 2014 Utilities Telecom Council Utility cybersecurity environment is full of collaborations
More informationCybersecurity Framework. Executive Order 13636 Improving Critical Infrastructure Cybersecurity
Cybersecurity Framework Executive Order 13636 Improving Critical Infrastructure Cybersecurity National Institute of Standards and Technology (NIST) Mission To promote U.S. innovation and industrial competitiveness
More informationCybersecurity Audit Why are we still Vulnerable? November 30, 2015
Cybersecurity Audit Why are we still Vulnerable? November 30, 2015 John R. Robles, CISA, CISM, CRISC www.johnrrobles.com jrobles@coqui.net 787-647-3961 John R. Robles- 787-647-3961 1 9/11-2001 The event
More informationFramework for Improving Critical Infrastructure Cybersecurity
Framework for Improving Critical Infrastructure Cybersecurity April 2016 cyberframework@nist.gov Pre-Cybersecurity Framework Threat Landscape 79% of reported victims were targets of opportunity 96% of
More informationHow To Write A Cybersecurity Framework
NIST Cybersecurity Framework Overview Executive Order 13636 Improving Critical Infrastructure Cybersecurity 2nd ENISA International Conference on Cyber Crisis Cooperation and Exercises Executive Order
More informationCybersecurity Framework: Current Status and Next Steps
Cybersecurity Framework: Current Status and Next Steps Federal Advisory Committee on Insurance November 6, 2014 Adam Sedgewick Senior IT Policy Advisor Adam.Sedgewick@nist.gov National Institute of Standards
More informationRisk Management in Practice A Guide for the Electric Sector
Risk Management in Practice A Guide for the Electric Sector Annabelle Lee Senior Technical Executive ICCS European Engagement Summit April 28, 2015 Before we continue let s get over our fears and myths
More informationNIST CYBERSECURITY FRAMEWORK COMPLIANCE WITH OBSERVEIT
NIST CYBERSECURITY FRAMEWORK COMPLIANCE WITH OBSERVEIT OVERVIEW The National Institute of Standards of Technology Framework for Improving Critical Infrastructure Cybersecurity (The NIST Framework) is a
More informationCybersecurity Framework Security Policy Mapping Table
Cybersecurity Framework Security Policy Mapping Table The following table illustrates how specific requirements of the US Cybersecurity Framework [1] are addressed by the ISO 27002 standard and covered
More informationENERGY SECTOR CYBERSECURITY FRAMEWORK IMPLEMENTATION GUIDANCE
ENERGY SECTOR CYBERSECURITY FRAMEWORK IMPLEMENTATION GUIDANCE JANUARY 2015 U.S. DEPARTMENT OF ENERGY OFFICE OF ELECTRICITY DELIVERY AND ENERGY RELIABILITY Energy Sector Cybersecurity Framework Implementation
More informationWestlaw Journal. What is the Cybersecurity Framework? Risk Management Process And Pathway to Corporate Liability? Expert Analysis
Westlaw Journal Computer & Internet Litigation News and Analysis Legislation Regulation Expert Commentary VOLUME 31, ISSUE 14 / DECEMBER 12, 2013 Expert Analysis The Cybersecurity Framework: Risk Management
More informationFFIEC Cybersecurity Assessment Tool
Overview In light of the increasing volume and sophistication of cyber threats, the Federal Financial Institutions Examination Council 1 (FFIEC) developed the Cybersecurity Tool (), on behalf of its members,
More informationHITRUST CSF Assurance Program
HITRUST CSF Assurance Program Simplifying the information protection of healthcare data 1 May 2015 2015 HITRUST LLC, Frisco, TX. All Rights Reserved Table of Contents Background CSF Assurance Program Overview
More informationCyber and Data Risk What Keeps You Up at Night?
Legal Counsel to the Financial Services Industry Cyber and Data Risk What Keeps You Up at Night? December 10, 2014 Introduction & Overview Today s Discussion: Evolving nature of data and privacy risks
More informationTestimony of Dan Nutkis CEO of HITRUST Alliance. Before the Oversight and Government Reform Committee, Subcommittee on Information Technology
Testimony of Dan Nutkis CEO of HITRUST Alliance Before the Oversight and Government Reform Committee, Subcommittee on Information Technology Hearing entitled: Cybersecurity: The Evolving Nature of Cyber
More informationSCADA Security @ City of Raleigh. Martin Petherbridge, CPA, CIA Internal Audit Manager Shirley McFadden, CPA, CIA Senior Internal Auditor
SCADA Security @ City of Raleigh Martin Petherbridge, CPA, CIA Internal Audit Manager Shirley McFadden, CPA, CIA Senior Internal Auditor Agenda 1. PLCs, SCADA and Stuxnet 2. Selecting Audit Standards 3.
More informationChanging Legal Landscape in Cybersecurity: Implications for Business
Changing Legal Landscape in Cybersecurity: Implications for Business Presented to Greater Wilmington Cyber Security Group Presented by William R. Denny, Potter Anderson & Corroon LLP May 8, 2014 Topics
More informationFrequently Asked Questions about the HITRUST Risk Management Framework
Frequently Asked Questions about the HITRUST Risk Management Framework Addressing common questions and misconceptions about the HITRUST CSF, CSF Assurance Program and supporting methods and tools, and
More informationHappy First Anniversary NIST Cybersecurity Framework:
Happy First Anniversary NIST Cybersecurity Framework: We ve Hardly Known Ya Chad Stowe, CISSP, CISA, MBA Who is your organization on Cybersecurity? Problem Statement Management has not been given the correct
More informationA Guide to Successfully Implementing the NIST Cybersecurity Framework. Jerry Beasley CISM and TraceSecurity Information Security Analyst
TRACESECURITY WHITE PAPER GRC Simplified... Finally. A Guide to Successfully Implementing the NIST Cybersecurity Framework Jerry Beasley CISM and TraceSecurity Information Security Analyst TRACESECURITY
More informationCForum: A Community Driven Solution to Cybersecurity Challenges
SESSION ID: AST3-R01 CForum: A Community Driven Solution to Cybersecurity Challenges Tom Conkle Cybersecurity Engineer G2, Inc. @TomConkle Greg Witte Sr. Security Engineer G2, Inc. @thenetworkguy Organizations
More informationIntelligence Driven Security
Intelligence Driven Security RSA Advanced Cyber Defense Workshop Shane Harsch Senior Solutions Principal, RSA 1 Agenda Approach & Activities Operations Intelligence Infrastructure Reporting & Top Findings
More informationSuzanne B. Schwartz, MD, MBA Director Emergency Preparedness/Operations & Medical Countermeasures (EMCM Program) CDRH/FDA
8 th Annual Safeguarding Health Information: Building Assurance through HIPAA Security HHS Office of Civil Rights and National Institute of Standards & Technology Wednesday September 2, 2015 Suzanne B.
More informationFFIEC Cybersecurity Assessment Tool Overview for Chief Executive Officers and Boards of Directors
Overview for Chief Executive Officers and Boards of Directors In light of the increasing volume and sophistication of cyber threats, the Federal Financial Institutions Examination Council 1 (FFIEC) developed
More informationNIST Cybersecurity Framework What It Means for Energy Companies
Daniel E. Frank J.J. Herbert Mark Thibodeaux NIST Cybersecurity Framework What It Means for Energy Companies November 14, 2013 Your Panelists Dan Frank J.J. Herbert Mark Thibodeaux 2 Overview The Cyber
More informationThe NIST Framework for Improving Critical Infrastructure Cybersecurity - An Executive Guide
SOLUTION BRIEF NIST FRAMEWORK FOR IMPROVING CRITICAL INFRASTRUCTURE CYBERSECURITY The NIST Framework for Improving Critical Infrastructure Cybersecurity - An Executive Guide SOLUTION BRIEF CA DATABASE
More informationNadya Bartol, CISSP, CGEIT VP, Industry Affairs and Cybersecurity Strategist UTC (Utilities Telecom Council) USA. 2014 Utilities Telecom Council 1
Nadya Bartol, CISSP, CGEIT VP, Industry Affairs and Cybersecurity Strategist UTC (Utilities Telecom Council) USA 2014 Utilities Telecom Council 1 Why do we need cybersecurity? Agriculture and Food Energy
More informationBusiness Continuity for Cyber Threat
Business Continuity for Cyber Threat April 1, 2014 Workshop Session #3 3:00 5:30 PM Susan Rogers, MBCP, MBCI Cyberwise CP S2 What happens when a computer program can activate physical machinery? Between
More informationfs viewpoint www.pwc.com/fsi
fs viewpoint www.pwc.com/fsi June 2013 02 11 16 21 24 Point of view Competitive intelligence A framework for response How PwC can help Appendix It takes two to tango: Managing technology risk is now a
More informationAltius IT Policy Collection Compliance and Standards Matrix
Governance IT Governance Policy Mergers and Acquisitions Policy Terms and Definitions Policy 164.308 12.4 12.5 EDM01 EDM02 EDM03 Information Security Privacy Policy Securing Information Systems Policy
More informationFramework for Improving Critical Infrastructure Cybersecurity
Framework for Improving Critical Infrastructure Cybersecurity Implementation of Executive Order 13636 8 April 2015 cyberframework@nist.gov Agenda Mission of NIST Cybersecurity at NIST Cybersecurity Framework
More informationAmerica s New Cybersecurity Framework: Help or New Source of Exposure?
America s New Cybersecurity Framework: Help or New Source of Exposure? BY BEHNAM DAYANIM, RYAN NIER & ELIZABETH DORSI March 2014 Data theft is on the rise, and the federal government is concerned. In 2013
More informationState Agency Cyber Security Survey v 3.4 2 October 2014. State Agency Cybersecurity Survey v 3.4
State Agency Cybersecurity Survey v 3.4 The purpose of this survey is to identify your agencies current capabilities with respect to information systems/cyber security and any challenges and/or successes
More informationDiscussion Draft of the Preliminary Cybersecurity Framework Illustrative Examples
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 Discussion Draft of the Preliminary Cybersecurity Framework Illustrative Examples The
More informationCybersecurity..Is your PE Firm Ready? October 30, 2014
Cybersecurity..Is your PE Firm Ready? October 30, 2014 The Panel Melinda Scott, Founding Partner, Scott Goldring Eric Feldman, Chief Information Officer, The Riverside Company Joe Campbell, CTO, PEF Services
More informationIT ASSET MANAGEMENT Securing Assets for the Financial Services Sector
IT ASSET MANAGEMENT Securing Assets for the Financial Services Sector V.2 Final Draft May 1, 2014 financial_nccoe@nist.gov This revision incorporates comments from the public. Page Use case 1 Comments
More informationDelving Into FCC's 'Damn Important' Cybersecurity Report
Portfolio Media. Inc. 860 Broadway, 6th Floor New York, NY 10003 www.law360.com Phone: +1 646 783 7100 Fax: +1 646 783 7161 customerservice@law360.com Delving Into FCC's 'Damn Important' Cybersecurity
More informationIAPP Global Privacy Summit Protecting Privacy Under the Cybersecurity Microscope
IAPP Global Privacy Summit Protecting Privacy Under the Cybersecurity Microscope March 6, 2014 Victoria King UPS (404) 828-6550 vking@ups.com Lisa J. Sotto Hunton & Williams LLP (212) 309-1223 lsotto@hunton.com
More informationCyberprivacy and Cybersecurity for Health Data
Experience the commitment Cyberprivacy and Cybersecurity for Health Data Building confidence in health systems Providing better health care quality at lower cost will be the key aim of all health economies
More informationACCESS RIGHTS MANAGEMENT Securing Assets for the Financial Services Sector
ACCESS RIGHTS MANAGEMENT Securing Assets for the Financial Services Sector V.2 Final Draft May 1, 2014 financial_nccoe@nist.gov This revision incorporates comments from the public. Page Use case 1 Comments
More informationImpact of New Internal Control Frameworks
Impact of New Internal Control Frameworks Webcast: Tuesday, February 25, 2014 CPE Credit: 1 0 With You Today Bob Jacobson Principal, Risk Advisory Services Consulting Leader West Region Bob.Jacobson@mcgladrey.com
More informationAutomation Suite for NIST Cyber Security Framework
WHITEPAPER NIST Cyber Security Framework Automation Suite for NIST Cyber Security Framework NOVEMBER 2014 Automation Suite for NIST Cyber Security Framework The National Institute of Standards and Technology
More informationUsing the HITRUST CSF to Assess Cybersecurity Preparedness 1 of 6
to Assess Cybersecurity Preparedness 1 of 6 Introduction Long before the signing in February 2013 of the White House Executive Order Improving Critical Infrastructure Cybersecurity, HITRUST recognized
More informationCritical Manufacturing Cybersecurity Framework Implementation Guidance
F Critical Manufacturing Cybersecurity Framework Implementation Guidance i Foreword The National Institute of Standards and Technology (NIST) released the 2014 Framework for Improving Critical Infrastructure
More informationCONCEPTS IN CYBER SECURITY
CONCEPTS IN CYBER SECURITY GARY KNEELAND, CISSP SENIOR CONSULTANT CRITICAL INFRASTRUCTURE & SECURITY PRACTICE 1 OBJECTIVES FRAMEWORK FOR CYBERSECURITY CYBERSECURITY FUNCTIONS CYBERSECURITY CONTROLS COMPARATIVE
More informationRemarks for Admiral David Simpson WTA Advocates for Rural Broadband Spring Meeting Cybersecurity Panel
Remarks for Admiral David Simpson WTA Advocates for Rural Broadband Spring Meeting Cybersecurity Panel May 5th, 2015 10:00-11:30 a.m. Hyatt Regency, Indian Wells, CA Thank you all for welcoming me. It
More informationDon t Get Left in the Dust: How to Evolve from CISO to CIRO
SESSION ID: CXO-W04 Don t Get Left in the Dust: How to Evolve from CISO to CIRO JC-JC James Christiansen VP Information Risk Management Accuvant jchristiansen@accuvant.com Bradley J. Schaufenbuel, CISSP
More informationNIST Unveils Preliminary Cybersecurity Framework
November 25, 2013 Practice Group: Cyber Law and Cybersecurity NIST Unveils Preliminary Cybersecurity Framework By Roberta D. Anderson On October 22, the National Institute of Standards and Technology (NIST)
More informationIntegrating Cybersecurity with Emergency Operations Plans (EOPs) for K-12 Education
Integrating Cybersecurity with Emergency Operations Plans (EOPs) for K-12 Education Amy Banks, U.S. Department of Education, Center for School Preparedness, Office of Safe and Healthy Students Hamed Negron-Perez,
More informationAn Overview of Information Security Frameworks. Presented to TIF September 25, 2013
An Overview of Information Security Frameworks Presented to TIF September 25, 2013 What is a framework? A framework helps define an approach to implementing, maintaining, monitoring, and improving information
More informationDesigning & Building a Cybersecurity Program. Based on the NIST Cybersecurity Framework (CSF)
Designing & Building a Cybersecurity Program Based on the NIST Cybersecurity Framework (CSF) Larry Wilson Lesson 1 June, 2015 1 About the Class This course covers the essential elements for planning, building
More informationHIPAA and HITRUST - FAQ
A COALFIRE WHITE PAPER HIPAA and HITRUST - FAQ by Andrew Hicks, MBA, CISA, CCM, CRISC, HITRUST CSF Practitioner Director, Healthcare Practice Lead Coalfire February 2013 Introduction Organizations are
More informationCybersecurity: What CFO s Need to Know
Cybersecurity: What CFO s Need to Know William J. Nowik, CISA, CISSP, QSA PCIP MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT FIRMS 2014 Wolf & Company, P.C. Today s Agenda Introduction
More informationCybersecurity The role of Internal Audit
Cybersecurity The role of Internal Audit Cyber risk High on the agenda Audit committees and board members are seeing cybersecurity as a top risk, underscored by recent headlines and increased government
More informationNational Cybersecurity Challenges and NIST. Donna F. Dodson Chief Cybersecurity Advisor ITL Associate Director for Cybersecurity
National Cybersecurity Challenges and NIST Donna F. Dodson Chief Cybersecurity Advisor ITL Associate Director for Cybersecurity Though no-one knows for sure, corporate America is believed to lose anything
More informationClick to edit Master title style
EVOLUTION OF CYBERSECURITY Click to edit Master title style IDENTIFYING BEST PRACTICES PHILIP DIEKHOFF, IT RISK SERVICES TECHNOLOGY THE DARK SIDE AGENDA Defining cybersecurity Assessing your cybersecurity
More informationUNITED STATES OF AMERICA FEDERAL ENERGY REGULATORY COMMISSION
UNITED STATES OF AMERICA FEDERAL ENERGY REGULATORY COMMISSION Technical Conference on Critical Infrastructure Protection Issues Identified in Order No. 791 Prepared Statement of Melanie Seader, Senior
More informationBusiness Continuity in Healthcare
Business Continuity in Healthcare Cynthia Simeone, CBCP, PMP Director Business Resilience Catholic Health Initiatives Scott Ream President Virtual Corporation 1 Session Speakers Cynthia Simeone, CBCP,
More informationFINRA Publishes its 2015 Report on Cybersecurity Practices
Securities Litigation & Enforcement Client Service Group and Data Privacy & Security Team To: Our Clients and Friends February 12, 2015 FINRA Publishes its 2015 Report on Cybersecurity Practices On February
More informationCybersecurity@RTD Program Overview and 2015 Outlook
Cybersecurity@RTD Program Overview and 2015 Outlook Finance & Administration Committee Meeting February 10, 2015 Sheri Le, Manager of Cybersecurity RTD Information Technology Department of Finance & Administration
More informationWhich cybersecurity standard is most relevant for a water utility?
Which cybersecurity standard is most relevant for a water utility? Don Dickinson 1 * 1 Don Dickinson, Phoenix Contact USA, 586 Fulling Mill Road, Middletown, Pennsylvania, USA, 17057 (*correspondence:
More informationHappy First Anniversary NIST Cyber Security Framework:
Happy First Anniversary NIST Cyber Security Framework: We ve Hardly Known Ya Chad Stowe, CISSP, CISA, MBA Problem Statement Management has not been given the correct information to understand and act upon
More informationInto the cybersecurity breach
Into the cybersecurity breach Tim Sanouvong State Sector Cyber Risk Services Deloitte & Touche LLP April 3, 2015 Agenda Setting the stage Cyber risks in state governments Cyber attack vectors Preparing
More informationDo you know your privacy risks? How new technologies, changing business models, and emerging regulations are changing the data-protection landscape
January 2013 Do you know your privacy risks? How new technologies, changing business models, and emerging regulations are changing the data-protection landscape At a glance Threats to data security both
More informationCybersecurity: Considerations for Internal Audit. IIA Atlanta Chapter Meeting January 9, 2015
Cybersecurity: Considerations for Internal Audit IIA Atlanta Chapter Meeting January 9, 2015 Agenda Key Risks Incorporating Internal Audit Resources for Internal Auditors Questions 2 Key Risks 3 4 Key
More informationCyber Side-Effects: How Secure is the Personal Information Entered into the Flawed Healthcare.gov? Statement for the Record
Cyber Side-Effects: How Secure is the Personal Information Entered into the Flawed Healthcare.gov? Statement for the Record Roberta Stempfley Acting Assistant Secretary for Cybersecurity and Communications
More informationICBA Summary of FFIEC Cybersecurity Assessment Tool
ICBA Summary of FFIEC Cybersecurity Assessment Tool July 2015 Contact: Jeremy Dalpiaz Assistant Vice President Cyber Security and Data Security Policy Jeremy.Dalpiaz@icba.org www.icba.org ICBA Summary
More informationApril 8, 2013. Ms. Diane Honeycutt National Institute of Standards and Technology 100 Bureau Drive, Stop 8930 Gaithersburg, MD 20899
Salt River Project P.O. Box 52025 Mail Stop: CUN204 Phoenix, AZ 85072 2025 Phone: (602) 236 6011 Fax: (602) 629 7988 James.Costello@srpnet.com James J. Costello Director, Enterprise IT Security April 8,
More informationHow we see malware introduced Phishing Targeted Phishing Water hole Download (software (+ free ), music, films, serialz)
How we see malware introduced Phishing Targeted Phishing Water hole Download (software (+ free ), music, films, serialz) Domain.Local DC Client DomainAdmin Attack Operator Advise Protect Detect Respond
More informationEMC CONSULTING SECURITY STANDARDS AND COMPLIANCE SERVICES
EMC CONSULTING SECURITY STANDARDS AND COMPLIANCE SERVICES Aligning information with business and operational objectives ESSENTIALS Leverage EMC Consulting as your trusted advisor to move your and compliance
More informationWhite Paper on Financial Industry Regulatory Climate
White Paper on Financial Industry Regulatory Climate According to a 2014 report on threats to the financial services sector, 45% of financial services organizations polled had suffered economic crime during
More information