CYBER SOLUTIONS HANDBOOK
Commercial Solutions

CYBER SOLUTIONS HANDBOOK
Making Sense of Standards and Frameworks

Booz Allen Hamilton Commercial Solutions combines industry knowledge and relevant experience with the right people and technologies to reduce risk, improve safety and increase profitability for your business. Together, we can enable you to thrive today, tomorrow and beyond.
Making Sense of Standards and Frameworks

The strength of an organization's cybersecurity program is now a market differentiator, and cybersecurity is a key business enabler. Today, chief information security officers (CISOs) and their equivalents face increased responsibility amid a series of quickly evolving and often enterprise-wide challenges. Remediation-centric defense is not enough to combat current cyber threats; to run an effective program, CISOs must build an effective communication link between the server room and the board room. This paper is one of a series of handbooks that provide pragmatic insight and assistance on how to address the key issues facing cybersecurity leaders today.

Businesses understand the importance of cybersecurity. Once relegated to the IT department as an afterthought, cybersecurity is now part of a company's core strategic planning and investment portfolio. Pressure is high to ensure that all of the company's assets and operations are secure; boards and executives are looking to CISOs for answers. Yet change is constant and quick, and standards and frameworks have risen to the forefront as a strategy for tackling this new environment. These paradigms present opportunities for insight and growth, but only if they are used in the appropriate context, and it can be difficult to sort through this alphabet soup.

This handbook provides context for the numerous cybersecurity standards and frameworks that currently exist. We put forth concrete recommendations for evolving the legacy mindset of program compliance to one of program maturity and risk-based security. However, there is no formula for security; there is a difference between being compliant and being secure. Focusing on maturity rather than checking the box gives organizations both the flexibility and the comprehensive view necessary to manage their risks and achieve their goals.

Developing a robust maturity model is a significant undertaking, but there are existing models that can be used to rapidly evolve programs. Applying these models correctly, while taking into consideration the appropriate industry standards and frameworks, will align your security program to your organizational strategy while providing concrete, risk-based guidance on how to advance your program to enable the business.
Addressing an Alphabet Soup of Cybersecurity Standards and Frameworks

In the rush to address an increasingly complex cyber environment and provide a standardized, structured approach to cybersecurity, we have, ironically, created innumerable options. From A (audits) to Z (Zachman Framework), it is easy to drown in the confusing alphabet soup of standards and frameworks.[1] As the examples below demonstrate, these criteria span industries and vary in approach:

- Well-known industry governance and control frameworks, such as Control Objectives for Information [and Related] Technology (COBIT) by ISACA, and international best-practice standards, such as the certifiable ISO/IEC standards.
- Government entities, such as the National Institute of Standards and Technology (NIST), that try to centralize and drive common practices, standards, lexicon, and requirements (e.g., the catalog of security controls published as a NIST Special Publication).
- Control and risk-management guidance focused on the financial industry, such as Basel (I, II, III), the Gramm-Leach-Bliley Act (GLBA), and the Federal Financial Institutions Examination Council (FFIEC).
- Specialized guidance in the healthcare industry, such as the Health Information Trust Alliance (HITRUST) framework and Health Insurance Portability and Accountability Act (HIPAA) controls.
- Structures for specifying product security standards, such as Common Criteria.

So how can we begin to sift through all this information? Which framework might help you? The short answer is: probably most of them. Some you'll have to comply with, while others are great reference material. However, picking and choosing the right elements among all this available guidance is difficult, and even if you are the most gifted security architect of all time, it still mostly leaves you with a check-the-box approach. So what to do? Read on.

[1] A large number of cybersecurity standards and frameworks have emerged in recent years; the acronym jargon used to describe them has made it all the more difficult to understand and apply relevant guidance.
The NIST Cybersecurity Framework: Key Takeaways

On top of these existing standards and frameworks, a new initiative kicked off in early 2013 when the Obama Administration enacted an Executive Order and Presidential Policy Directive (PPD-21), primarily focused on improving cybersecurity among private-sector critical infrastructure organizations. Many companies regard these directives as the writing on the wall for eventual federal regulation of cybersecurity at private companies. A primary product that emerged was a voluntary Cybersecurity Framework for managing cyber risks, spearheaded by NIST. Released in mid-February 2014, the Framework is a compilation of standards, guidelines, and best practices for managing cybersecurity-related risk while protecting information confidentiality, individual privacy, and civil liberties. Although adoption of the NIST Framework is voluntary, many analysts suggest that it may come to be perceived as a de facto standard of care, which could be used to measure companies in regulatory enforcement actions, class actions, and other lawsuits following cyber attacks and privacy breaches.

The NIST Framework provides two important and fundamental elements for establishing or improving a cybersecurity program: (1) content and (2) an approach for using that content. At first glance, the Framework may appear to be little more than a compilation of existing industry standards and frameworks. While its substance essentially points to such established industry guidance, this reflects the inputs NIST gathered from hundreds of industry cybersecurity practitioners. Consensus is good. In regard to approach, NIST provides some very high-level yet useful guidance on how to use the content. It describes using the Framework to establish an understanding of where the program currently is; by infusing an understanding of cyber risk, security professionals can then develop targets and an action plan for meeting them. This is certainly an evolutionary step toward aligning security with organizational risk, but it still uses existing standards and frameworks (i.e., compliance material) as the guide for improvement.
Acknowledging the Difference between Compliance and Security

Despite the good intentions of standards and frameworks, the fundamental truth is that there is no formula for security. Many companies are compliant with certain regulations because compliance is mandated by law. While avoiding legal exposure, fines, sanctions, and potential jail time is a good motivator, it does not make your company more secure. Standards and frameworks can help identify the landscape of potential areas you might want to address. They also might let you set a minimum level of performance. However, standards often force you to be either compliant or non-compliant. There is not always a middle ground or consideration for unique organizational risk. Too often you are either a one or a zero. If not used in the appropriate context, standards are a generic solution to a highly individualized problem set.

Cybersecurity is intimately tied to your business strategy and operations, and it must be personalized to your organization. With the CISO role becoming a strategic business enabler, we can no longer afford to check a box. Your company's strategies, risks, goals, and operations should shape the cybersecurity program. This is even more critical with restricted budgets and resources, so you need to know where and how to scale your investments.

The NIST Framework begins to shift the mindset of security leaders toward a risk-based approach. However, the NIST Framework is still a high-level construct designed to help think about the problem, and it does not include robust or actionable guidance to mature a cybersecurity program. The Framework's authors acknowledge this fact. They advise leveraging external guidance, including existing maturity models, to drive a security program forward.

Valuing Maturity over Checkboxes

Rather than focusing on a standard, look at your program through a maturity lens. Understand the various degrees of risk you face and then, within a well-established structure, decide where you need to invest and develop. It is up to you to prioritize the control areas that you must address first, your current maturity in those areas, and what you must do to increase your maturity. Focusing on your maturity gives you an opportunity to identify where your program stands today, where it must be in the future, and how to get there.

A maturity approach is not one-size-fits-all. Rather, you need to conduct an honest assessment of your baseline maturity in the areas that are key to your success. You also must establish your target states. These targets will vary based on your business needs and your various exposures to cyber risk. A large multinational corporation, for example, might determine that it needs an advanced capability to internally monitor the risk presented by its hundreds of suppliers, while a smaller company with just a few suppliers might be able to outsource this to an established, low-cost third party. The target states for this control group would be very different for the two companies. By building your approach on risk and maturity, instead of blindly complying with standards, you move the responsibility for security from an outside entity to your organization.
The Characteristics of a Strong Maturity Model

Developing a strong maturity model is a significant undertaking; most organizations do not have the resources to take this on. However, there are existing models out there to use, developed by sector bodies or private companies. So what does a good model look like? It covers a broad range of topics and provides significant depth in each topic, ensuring the comprehensive and detailed guidance needed to enhance your cybersecurity program. Effective cybersecurity maturity models include:

- Functional and enabling controls: Functional controls are more technical/operational in nature (e.g., application security, vulnerability assessment), while enabling controls pertain to governance, risk management, and other organizational functions that support (i.e., enable) the technical operations.
- Logical organization of high-level and low-level views: Logically organized objectives and measures that are used to pinpoint and evaluate specific aspects of your security program.
- A maturity spectrum of granular and measurable details: A clear scale of maturity, defined by characteristics and indicators, to accurately assess your level of maturity.
- People, process, and technology dimensions: Multifaceted views that let you evaluate each control area in its key component parts.
- A foundation grounded in established best practices: Developed from best practices across industry, government, and academia.
Using a Maturity Model to Evolve a Cybersecurity Program

Appropriately applying a maturity model is as important as developing or choosing the right one. The following is an overview of one proven approach to putting an effective maturity model into practice. As illustrated in Figure 1, this approach places the model at the centerpiece of the organization, setting the tone for both program structure and assessment.

Figure 1: Cybersecurity Maturity Model Implementation Approach

Step 1: Align Cybersecurity with Organizational Strategy

Boil down your organization's strategic objectives and core value-generating operations into a set of short, declarative, and concrete statements. Understand which operations must continue in order to enable the sources of most value. In addition, consider the strategic actions your company is taking, or will soon take, in order to thrive in your future environment. These statements often can be written as "We will" or "We must" assertions. Examples include: "We will expand globally," "We must ensure our supply chain operations are not interrupted," or "We will innovate by providing our customers new digital offerings." Once you have the strategic objectives, identify the cybersecurity risks that could impede them (see Figure 2).

Figure 2: Strategic Objective Examples and Related Cybersecurity Risks (Note: Example Only, Not Comprehensive)

Objective: Globalization ("We will expand globally")
Cybersecurity risks:
- Untrusted IT equipment used in foreign offices
- Third party with unrestricted access to customer information
- Unsecured mobile devices
- Poor personnel screening practices

Objective: Supply Chain ("We must ensure our supply chain operations are not interrupted.")
Cybersecurity risks:
- Malware introduced from third-party suppliers
- Non-transparent supplier security practices
- Corrupted data in business process workflows
- DDoS exposures in web-facing applications

Objective: Research and Development ("We will innovate by providing our customers new digital offerings")
Cybersecurity risks:
- Poorly protected source code for new digital product
- Development environment is open to many individuals
- Poor situational awareness of internal access to sensitive R&D information
Step 2: Apply a Risk-based Prioritization

It is unlikely that you will have the resources or time to focus on all parts of your business. You will need to prioritize. Leading companies often use threat and risk workshops to help identify and prioritize cyber risks, while gaining key points of consensus along the way. During these workshops, you will need to explore your risk tolerance as it relates to the various parts of your business. You may consider discussing potential "strategic surprise" threats that could deliver large-scale negative impact to the business. By conducting this exercise, you should gain a clear prioritization of the cyber risks that you need to address first.

Step 3: Assess Your Maturity

Once you identify your risk priorities, you can begin to understand which control families would likely mitigate each risk. As mentioned above, your maturity model should address both functional and enabling control families. Addressing a risk will often involve multiple control families, and the integration of these families is critical to a robust and cohesive cybersecurity program. Figure 3 gives a high-level summary of which security control families could likely address a given risk.

Figure 3: Sample Cybersecurity Risks and Applicable Control Families

Objective: Globalization
Cybersecurity risk: 1. Unsecured mobile devices
Sample applicable control families: Mobile Security; Strategy & Policy

Objective: Supply Chain
Cybersecurity risk: 2. Non-transparent supplier security practices
Sample applicable control families: Governance; Strategy & Policy; Supplier Security Management

Objective: Research and Development
Cybersecurity risk: 3. Poor awareness of internal access to sensitive R&D information
Sample applicable control families: Personnel Screening; Situational Awareness

Now that you have an idea of (1) your biggest risks and (2) which cybersecurity control families most closely map to them, it is time to assess maturity. Perhaps you would like to understand organizational preparedness for poor situational awareness (risk #3). In this scenario, three primary control families are most applicable to helping mitigate this risk, and we would need to assess maturity for them all. To illustrate, we'll assess maturity in the situational awareness control family (see Figure 4).
Figure 4: Representative Assessment of the Situational Awareness Control Family

To assess the maturity of the situational awareness control family, you need to break it down into discrete, manageable elements that you can assess, called control objectives. These control objectives are areas and actions you need to perform well in order to increase your capability for that control family. In this case, the elements that make up situational awareness are Security Event Collection, Analysis, and Response. Enhance your capabilities in these, and you will strengthen your situational awareness.

Before you can assess where you need to be, you should first understand where you are today. Consider how effectively your processes and technology are performing for each control objective. You also need to look at how well your people are performing within the entire control family. Note that since the same people cut across control objectives, they are usually assessed separately. You should have well-defined indicators for each level of maturity ("Lead" through "Platinum" levels). These are concrete actions and characteristics that help you gauge your current baseline maturity. If you are using a company with a maturity model, be sure that it has developed clear and well-vetted levels that map to industry best practices. Otherwise, you will be measuring your maturity by gut instinct alone.

Across the three objectives within this control family, maturity varies widely across the dimensions of people, process, and technology. The organization's process and technology maturity for collecting and analyzing event data is very low, meaning it would be very difficult to track internal employee access to sensitive R&D information. On the other hand, the people who conduct situational awareness activities have the requisite skills and abilities. To manage this risk, however, the organization will need to invest in maturing the processes and technologies for event collection and analysis.
Step 4: Make a Plan

After understanding your program's baseline maturity, you will need to establish your target states. Make sure these targets are relevant to your organization, industry, and strategic objectives. Don't assume that every control family needs to be at the highest maturity level; that will be a very expensive and unnecessary mistake. You will need to define the target states that make the most sense for the amount of risk that your business leaders will tolerate. Once you have target states set and your gaps identified, you can begin to think of the gap-closing options to meet those target states. Patterns and priorities should begin to emerge. Keep in mind that the maturity ratings are much less important than the reasons behind them. This process should surface the specific challenges you need to address, regardless of the specific rating.

From the gaps and priorities of your maturity assessment, you can build your plan. Identify the most critical needs, as well as what you can accomplish in the short and long term. Create a roadmap that shapes these needs into concrete initiatives. Each initiative should have a defined beginning, end, owners, timelines, resource requirements, and key dependencies. You should align your investment strategy behind these initiatives and map them back to the strategic initiatives that you identified at the beginning of this process. As you implement them, be sure to track your progress and report back to your executive leadership. You should be able to describe your efforts in the business context that your senior leaders will understand.
Example in Action: Top Financial Institution Integrates Corporate and Cybersecurity Strategies to Maximize Protection against Cyber Threats

Challenge: Recognizing the key role of cybersecurity in their operations and objectives, the board of directors of a global Fortune 100 financial institution mandated a comprehensive review of the security program and an investment strategy that would enable the company's strategic objectives. Although they were in compliance with federal regulations, they knew that there was a difference between being compliant and having strong cybersecurity. The organization needed a partner with an effective maturity model that was robust, comprehensive, and developed from industry best practices. They did not have the time, experience, or budget to develop one themselves, and they also felt the need for an objective perspective, so they came to Booz Allen Hamilton.

Solution: Booz Allen worked with stakeholders to identify key threats facing the organization in the next 5 years, assess the maturity of its cyber program (focusing on 24 functional and enabling control families), and analyze organizational readiness to develop its program. The organization also collaborated with Booz Allen to compare the key findings, gaps, and recommendations from the maturity and organizational assessments to its draft investment plan. The client organization was able to use Booz Allen's proprietary maturity model to install a simplified, rational, and easy-to-communicate framework to engage stakeholders and enhance bank security. Through a series of threat workshops, the client was able to use this framework to identify and prioritize current and future threats, including emerging and "surprise" threats that it might encounter over the next 5 years. For the maturity assessment, the client organization utilized Booz Allen's CyberM3 Reference Model, which helped identify key gap areas. Through collaboration with Booz Allen, the security organization was able to identify sensible recommendations for improving the security program. Together, the teams reviewed the client's existing investment strategy and provided key recommendations that helped stakeholders successfully shape the organization's roadmap and program for the next 5 years.

Result: By engaging Booz Allen experts and its maturity-based reference model, the board of directors was able to successfully merge the organization's security and corporate strategies to maximize protection against the increasing cybersecurity threat.
CONCLUSION

As businesses adapt to running at the speed of cyber, they rush to apply standards and frameworks to help them make sense of it all. But there is no standard for security. There are no boxes you can check, and no matter how compliant you are, it does not mean you are any more secure. The solution is more difficult than that. It takes a deeper understanding of where your company wants to go and how your security program will help your company get there. It takes an honest assessment of your current maturity and a vision of where it needs to be. It takes smart decisions about where you invest your limited resources. Your Board of Directors and your CEO are looking to you for answers. That's because they know that cybersecurity is critical to their success. They know that cybersecurity is now a business enabler.

To learn how Booz Allen Hamilton can help your business thrive, contact:

Booz Allen Hamilton

Matthew Doan, Senior Associate, doan_matthew@bah.com
Matthew Doan is a Senior Associate in Booz Allen's commercial cyber practice. In his role, he works with leaders across multiple industries in aligning cyber security programs to manage risk and meet the needs of the business. Mr. Doan specializes in programmatic assessment, enterprise risk management, strategy-setting, and organizational design.

Ian Bramson, Lead Associate, bramson_ian@bah.com
Ian Bramson is a Lead Associate at Booz Allen, focusing on addressing challenges for commercial clients. Mr. Bramson blends business, technology, and strategy to develop enterprise cyber security solutions across multiple industries and the public sector. He specializes in strategic planning, organizational design, cyber diagnostics, governance, and change management.

Laura Eise, Lead Associate, eise_laura@bah.com
Laura Eise is a cybersecurity consultant in Booz Allen's commercial cyber practice. She works across multiple industries to assess and mature cybersecurity programs, and develop reference models for solving cyber challenges. Ms. Eise specializes in risk management, strategy development, training, and awareness.

Copyright 2014 Booz Allen Hamilton Inc. The information contained herein is subject to change without notice. The only warranties for Booz Allen Hamilton products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Booz Allen Hamilton shall not be liable for technical or editorial errors or omissions contained herein.
Uncheck Yourself Build a Security-First Approach to Avoid Checkbox Compliance by Karen Scarfone Principal Consultant Scarfone Cybersecurity Sponsored by www.firehost.com (US) +1 844 682 2859 (UK) +44 800
More informationHow To Understand And Manage Cybersecurity Risk
White Paper A Framework to Gauge Cyber Defenses NIST s Cybersecurity Framework Helps Critical Infrastructure Owners to Cost-Effectively Defend National & Economic Security of the U.S. Executive Summary
More informationFFIEC Cybersecurity Assessment Tool
Overview In light of the increasing volume and sophistication of cyber threats, the Federal Financial Institutions Examination Council 1 (FFIEC) developed the Cybersecurity Tool (), on behalf of its members,
More informationFramework for Improving Critical Infrastructure Cybersecurity
Framework for Improving Critical Infrastructure Cybersecurity Implementation of Executive Order 13636 NARUC Winter Committee Meeting Committee & Staff Committee on Critical Infrastructure February 15,
More informationRE: Experience with the Framework for Improving Critical Infrastructure Cybersecurity
October 10, 2014 Ms. Diane Honeycutt National Institute of Standards and Technology 100 Bureau Drive, Stop 8930 Gaithersburg, MD 20899 RE: Experience with the Framework for Improving Critical Infrastructure
More informationVENDOR MANAGEMENT. General Overview
VENDOR MANAGEMENT General Overview With many organizations outsourcing services to other third-party entities, the issue of vendor management has become a noted topic in today s business world. Vendor
More informationBest Practices in ICS Security for System Operators. A Wurldtech White Paper
Best Practices in ICS Security for System Operators A Wurldtech White Paper No part of this document may be distributed, reproduced or posted without the express written permission of Wurldtech Security
More informationHP Strategic IT Advisory Services
HP Strategic IT Advisory Services Optimizing the value of IT investment Brochure The world has changed dramatically, and we increasingly live in a world where enterprise and personal IT experiences are
More informationSOCIAL MEDIA MOBILE DEVICES CLOUD SERVICES INTERNET OF THINGS (IOT)
INFORMATION SECURITY AND CYBER LIABILITY RISK MANAGEMENT THE FIFTH ANNUAL SURVEY ON THE CURRENT STATE OF AND TRENDS IN INFORMATION SECURITY AND CYBER LIABILITY RISK MANAGEMENT Sponsored by October 2015
More informationPROTIVITI FLASH REPORT
PROTIVITI FLASH REPORT Cybersecurity Framework: Where Do We Go From Here? February 25, 2014 Just over a year ago, President Barack Obama signed an Executive Order (EO) calling for increased cybersecurity
More informationSymantec Security Program Assessment
Leverage security maturity to prioritize achievement of enterprise goals The Symantec Security Program Assessment evaluates the maturity of your information security program providing an understanding
More informationAchieving Security through Compliance
Achieving Security through Compliance Policies, plans, and procedures Table of Contents This white paper was written by: McAfee Foundstone Professional Services Overview...3 The Rock Foundation...3 Governance...3
More informationUNITED STATES OF AMERICA FEDERAL ENERGY REGULATORY COMMISSION
UNITED STATES OF AMERICA FEDERAL ENERGY REGULATORY COMMISSION Technical Conference on Critical Infrastructure Protection Issues Identified in Order No. 791 Prepared Statement of Melanie Seader, Senior
More informationWhite Paper THE FIVE STEPS TO MANAGING THIRD-PARTY RISK. By James Christiansen, VP, Information Risk Management
White Paper THE FIVE STEPS TO MANAGING THIRD-PARTY RISK By James Christiansen, VP, Information Management Executive Summary The Common Story of a Third-Party Data Breach It begins with a story in the newspaper.
More informationExperience the commitment WHITE PAPER. Information Security Continuous Monitoring. Charting the Right Course. cgi.com 2014 CGI GROUP INC.
Experience the commitment WHITE PAPER Information Security Continuous Monitoring Charting the Right Course May 2014 cgi.com 2014 CGI GROUP INC. During the last few months of 2013, six federal agencies
More informationfs viewpoint www.pwc.com/fsi
fs viewpoint www.pwc.com/fsi June 2013 02 11 16 21 24 Point of view Competitive intelligence A framework for response How PwC can help Appendix It takes two to tango: Managing technology risk is now a
More informationHP Fortify Software Security Center
HP Fortify Software Security Center Proactively Eliminate Risk in Software Trust Your Software 92% of exploitable vulnerabilities are in software National Institute for Standards and Technology (NIST)
More informationIMPROVING RISK VISIBILITY AND SECURITY POSTURE WITH IDENTITY INTELLIGENCE
IMPROVING RISK VISIBILITY AND SECURITY POSTURE WITH IDENTITY INTELLIGENCE ABSTRACT Changing regulatory requirements, increased attack surfaces and a need to more efficiently deliver access to the business
More informationDeveloping National Frameworks & Engaging the Private Sector
www.pwc.com Developing National Frameworks & Engaging the Private Sector Focus on Information/Cyber Security Risk Management American Red Cross Disaster Preparedness Summit Chicago, IL September 19, 2012
More informationApplying IBM Security solutions to the NIST Cybersecurity Framework
IBM Software Thought Leadership White Paper August 2014 Applying IBM Security solutions to the NIST Cybersecurity Framework Help avoid gaps in security and compliance coverage as threats and business requirements
More informationBrochure HP Workflow Discovery for FSI
Brochure HP Workflow Discovery for FSI Enhance productivity, improve processes and reduce costs Businesses today need to run more efficiently, and you re probably considering every alternative to help
More informationPrivacy and Data Protection
Hewlett-Packard Company 3000 Hanover Street Palo Alto, CA 94304 hp.com HP Policy Position Privacy and Data Protection Current Global State of Privacy and Data Protection The rapid expansion and pervasiveness
More informationIntel Security Professional Services Leveraging NIST Cybersecurity Framework (CSF): Complexity is the enemy of security
Intel Security Professional Services Leveraging NIST Cybersecurity Framework (CSF): Complexity is the enemy of security David Brezinski, Professional Services, Enterprise Security Architect Agenda Overview
More informationTestimony of Dan Nutkis CEO of HITRUST Alliance. Before the Oversight and Government Reform Committee, Subcommittee on Information Technology
Testimony of Dan Nutkis CEO of HITRUST Alliance Before the Oversight and Government Reform Committee, Subcommittee on Information Technology Hearing entitled: Cybersecurity: The Evolving Nature of Cyber
More informationSAP ERP FINANCIALS ENABLING FINANCIAL EXCELLENCE. SAP Solution Overview SAP Business Suite
SAP Solution Overview SAP Business Suite SAP ERP FINANCIALS ENABLING FINANCIAL EXCELLENCE ESSENTIAL ENTERPRISE BUSINESS STRATEGY PROVIDING A SOLID FOUNDATION FOR ENTERPRISE FINANCIAL MANAGEMENT 2 Even
More informationConnecting the dots: A proactive approach to cybersecurity oversight in the boardroom. kpmg.bm
Connecting the dots: A proactive approach to cybersecurity oversight in the boardroom kpmg.bm Connecting the dots: A proactive approach to cybersecurity oversight in the boardroom 1 Connecting the dots:
More informationThe Changing IT Risk Landscape Understanding and managing existing and emerging risks
The Changing IT Risk Landscape Understanding and managing existing and emerging risks IIA @ Noon Kareem Sadek Senior Manager, Deloitte Canada Chris Close Senior Manager, Deloitte Canada December 2, 2015
More informationWhy you should adopt the NIST Cybersecurity Framework
Why you should adopt the NIST Cybersecurity Framework It s important to note that the Framework casts the discussion of cybersecurity in the vocabulary of risk management Stating it in terms Executive
More informationApril 8, 2013. Ms. Diane Honeycutt National Institute of Standards and Technology 100 Bureau Drive, Stop 8930 Gaithersburg, MD 20899
Salt River Project P.O. Box 52025 Mail Stop: CUN204 Phoenix, AZ 85072 2025 Phone: (602) 236 6011 Fax: (602) 629 7988 James.Costello@srpnet.com James J. Costello Director, Enterprise IT Security April 8,
More informationBusiness resilience: The best defense is a good offense
IBM Business Continuity and Resiliency Services January 2009 Business resilience: The best defense is a good offense Develop a best practices strategy using a tiered approach Page 2 Contents 2 Introduction
More informationAddress C-level Cybersecurity issues to enable and secure Digital transformation
Home Overview Challenges Global Resource Growth Impacting Industries Address C-level Cybersecurity issues to enable and secure Digital transformation We support cybersecurity transformations with assessments,
More informationCyber and Data Risk What Keeps You Up at Night?
Legal Counsel to the Financial Services Industry Cyber and Data Risk What Keeps You Up at Night? December 10, 2014 Introduction & Overview Today s Discussion: Evolving nature of data and privacy risks
More informationDesigning Compliant and Sustainable Security Programs 1 Introduction
Designing Compliant and Sustainable Security Programs 1 Introduction The subject of this White Paper addresses several methods that have been successfully employed by DYONYX to efficiently design, and
More informationExecutive Summary. Cybersecurity cannot be completely solved, and will remain a risk we must actively manage.
Executive Summary Statement of Nadya Bartol Vice President, Industry Affairs and Cybersecurity Strategist Utilities Telecom Council Before the Subcommittee on Oversight and Subcommittee on Energy Committee
More informationFrequently Asked Questions about the HITRUST Risk Management Framework
Frequently Asked Questions about the HITRUST Risk Management Framework Addressing common questions and misconceptions about the HITRUST CSF, CSF Assurance Program and supporting methods and tools, and
More informationFramework for Improving Critical Infrastructure Cybersecurity
Framework for Improving Critical Infrastructure Cybersecurity Implementation of Executive Order 13636 8 April 2015 cyberframework@nist.gov Agenda Mission of NIST Cybersecurity at NIST Cybersecurity Framework
More informationManaging relationship equilibrium in outsourcing
Managing relationship equilibrium in outsourcing HP s relationship governance model and methodology Executive summary... 2 The governance balance... 3 HP s unique governance model... 5 Partner-based, collaborative
More informationVendor Risk Management Financial Organizations
Webinar Series Vendor Risk Management Financial Organizations Bob Justus Chief Security Officer Allgress Randy Potts Managing Consultant FishNet Security Bob Justus Chief Security Officer, Allgress Current
More informationAchieving Security through Compliance
White Paper Achieving Security through Compliance Policies, plans, and procedures Part I By Jeff Tucker, Principal Security Consultant McAfee Foundstone Professional Services Table of Contents Overview
More informationigrc: Intelligent Governance, Risk, and Compliance White Paper
igrc: Intelligent Governance, Risk, and Compliance White Paper 2013 2013 Edgile, Inc. All Rights Reserved Executive Overview This whitepaper discusses the business needs addressed by Edgile s igrc solution,
More informationPACB One-Day Cybersecurity Workshop
PACB One-Day Cybersecurity Workshop WHAT IS CYBERSECURITY? PRESENTED BY: JON WALDMAN, SBS CISA, CRISC 1 Contact Information Jon Waldman Partner, Senior IS Consultant CISA, CRISC Masters of Info Assurance
More informationBridging the HIPAA/HITECH Compliance Gap
CyberSheath Healthcare Compliance Paper www.cybersheath.com -65 Bridging the HIPAA/HITECH Compliance Gap Security insights that help covered entities and business associates achieve compliance According
More informationWhite Paper Achieving HIPAA Compliance through Security Information Management. White Paper / HIPAA
White Paper Achieving HIPAA Compliance through Security Information Management White Paper / HIPAA Contents Executive Summary... 1 Introduction: Brief Overview of HIPAA... 1 The HIPAA Challenge: Protecting
More informationNIST Cybersecurity Framework. ARC World Industry Forum 2014
NIST Cybersecurity Framework Vicky Yan Pillitteri NIST ARC World Industry Forum 2014 February 10-13, 2014 Orlando, FL Executive Order 13636 Improving Critical Infrastructure Cybersecurity It is the policy
More informationFrom checkboxes to frameworks
From checkboxes to frameworks CISO insights on moving from compliance to risk-based cybersecurity programs ibm.com/ibmcai ibmcai.com 2 From checkboxes to frameworks: CISO insights on moving from compliance
More informationHow To Transform It Risk Management
The transformation of IT Risk Management kpmg.com The transformation of IT Risk Management The role of IT Risk Management Scope of IT risk management Examples of IT risk areas of focus How KPMG can help
More informationHP ITSM Assessment Services Helping you reach the levels of service your business requires
HP ITSM Assessment Services Helping you reach the levels of service your business requires HP ITSM Assessment Services are designed to help you achieve the IT service levels your business requires by reducing
More informationCybersecurity: A View from the Boardroom
An Executive Brief from Cisco Cybersecurity: A View from the Boardroom In the modern economy, every company runs on IT. That makes security the business of every person in the organization, from the chief
More informationSEC Cybersecurity Findings May Establish De Facto Standard
Portfolio Media. Inc. 860 Broadway, 6th Floor New York, NY 10003 www.law360.com Phone: +1 646 783 7100 Fax: +1 646 783 7161 customerservice@law360.com SEC Cybersecurity Findings May Establish De Facto
More informationImplementing the U.S. Cybersecurity Framework at Intel A Case Study
SESSION ID: STR-W01 Implementing the U.S. Cybersecurity Framework at Intel A Case Study Tim Casey Senior Strategic Risk Analyst Intel Information Security @timcaseycyber How would you represent your entire
More informationIncreasing Security Defenses in Cost-Sensitive Healthcare IT Environments
Increasing Security Defenses in Cost-Sensitive Healthcare IT Environments Regulatory and Risk Background When the Health Insurance Portability and Accountability Act Security Standard (HIPAA) was finalized
More informationDodging Breaches from Dodgy Vendors: Tackling Vendor Risk Management in Healthcare
Dodging Breaches from Dodgy Vendors: Tackling Vendor Risk Management in Healthcare Strengthening Cybersecurity Defenders #ISC2Congress Healthcare and Security "Information Security is simply a personal
More informationChanging Legal Landscape in Cybersecurity: Implications for Business
Changing Legal Landscape in Cybersecurity: Implications for Business Presented to Greater Wilmington Cyber Security Group Presented by William R. Denny, Potter Anderson & Corroon LLP May 8, 2014 Topics
More informationBusiness Continuity in Healthcare
Business Continuity in Healthcare Cynthia Simeone, CBCP, PMP Director Business Resilience Catholic Health Initiatives Scott Ream President Virtual Corporation 1 Session Speakers Cynthia Simeone, CBCP,
More informationHIPAA and HITRUST - FAQ
A COALFIRE WHITE PAPER HIPAA and HITRUST - FAQ by Andrew Hicks, MBA, CISA, CCM, CRISC, HITRUST CSF Practitioner Director, Healthcare Practice Lead Coalfire February 2013 Introduction Organizations are
More informationNIST CYBERSECURITY FRAMEWORK COMPLIANCE WITH OBSERVEIT
NIST CYBERSECURITY FRAMEWORK COMPLIANCE WITH OBSERVEIT OVERVIEW The National Institute of Standards of Technology Framework for Improving Critical Infrastructure Cybersecurity (The NIST Framework) is a
More informationThe Cybersecurity Journey How to Begin an Integrated Cybersecurity Program. Version 1.0 March 2005
The Cybersecurity Journey How to Begin an Integrated Cybersecurity Program March 2005 Legal and Copyright Notice The Chemical Industry Data Exchange (CIDX) is a nonprofit corporation, incorporated in the
More informationCLOSING THE DOOR TO CYBER ATTACKS HOW ENTERPRISES CAN IMPLEMENT COMPREHENSIVE INFORMATION SECURITY
CLOSING THE DOOR TO CYBER ATTACKS HOW ENTERPRISES CAN IMPLEMENT COMPREHENSIVE INFORMATION SECURITY CLOSING THE DOOR TO CYBER ATTACKS Cybersecurity and information security have become key challenges for
More informationCyberprivacy and Cybersecurity for Health Data
Experience the commitment Cyberprivacy and Cybersecurity for Health Data Building confidence in health systems Providing better health care quality at lower cost will be the key aim of all health economies
More informationCybersecurity: Mission integration to protect your assets
Cybersecurity: Mission integration to protect your assets C Y B E R S O L U T I O N S P O L I C Y O P E R AT I O N S P E O P L E T E C H N O L O G Y M A N A G E M E N T Ready for what s next Cyber solutions
More informationApplying Framework to Mobile & BYOD
Applying Framework to Mobile & BYOD Framework for Improving Critical Infrastructure Cybersecurity National Association of Attorneys General Southern Region Meeting 13 March 2015 cyberframework@nist.gov
More informationWILLIS SPECIAL REPORT: 10K DISCLOSURES HOW RETAIL COMPANIES DESCRIBE THEIR CYBER LIABILITY EXPOSURES
WILLIS SPECIAL REPORT: 10K DISCLOSURES HOW RETAIL COMPANIES DESCRIBE THEIR CYBER LIABILITY EXPOSURES This special report examines the cyber risk disclosures made by the retail sector of the Fortune 1000.
More informationCYBER4SIGHT TM THREAT INTELLIGENCE SERVICES ANTICIPATORY AND ACTIONABLE INTELLIGENCE TO FIGHT ADVANCED CYBER THREATS
CYBER4SIGHT TM THREAT INTELLIGENCE SERVICES ANTICIPATORY AND ACTIONABLE INTELLIGENCE TO FIGHT ADVANCED CYBER THREATS PREPARING FOR ADVANCED CYBER THREATS Cyber attacks are evolving faster than organizations
More informationJOINT EXPLANATORY STATEMENT TO ACCOMPANY THE CYBERSECURITY ACT OF 2015
JOINT EXPLANATORY STATEMENT TO ACCOMPANY THE CYBERSECURITY ACT OF 2015 The following consists of the joint explanatory statement to accompany the Cybersecurity Act of 2015. This joint explanatory statement
More informationManaging cyber risks with insurance
www.pwc.com.tr/cybersecurity Managing cyber risks with insurance Key factors to consider when evaluating how cyber insurance can enhance your security program June 2014 Managing cyber risks to sensitive
More informationBuilding Security In:
#CACyberSS2015 Building Security In: Intelligent Security Design, Development and Acquisition Steve Caimi Industry Solutions Specialist, US Public Sector Cybersecurity September 2015 A Little About Me
More informationRealizing business flexibility through integrated SOA policy management.
SOA policy management White paper April 2009 Realizing business flexibility through integrated How integrated management supports business flexibility, consistency and accountability John Falkl, distinguished
More informationCOBIT 5 For Cyber Security Governance and Management. Nasser El-Hout Managing Director Service Management Centre of Excellence (SMCE)
COBIT 5 For Cyber Security Governance and Management Nasser El-Hout Managing Director Service Management Centre of Excellence (SMCE) Cybersecurity Governance using COBIT5 Cyber Defence Summit Riyadh, KSA
More informationSuzanne B. Schwartz, MD, MBA Director Emergency Preparedness/Operations & Medical Countermeasures (EMCM Program) CDRH/FDA
8 th Annual Safeguarding Health Information: Building Assurance through HIPAA Security HHS Office of Civil Rights and National Institute of Standards & Technology Wednesday September 2, 2015 Suzanne B.
More information