Building Security In:
1 Building Security In: Intelligent Security Design, Development and Acquisition. Steve Caimi, Industry Solutions Specialist, US Public Sector Cybersecurity. #CACyberSS2015, September 2015
2 A Little About Me: twenty years in cybersecurity, enterprise software, networking, and telecommunications. Security Specialist for the US Public Sector; Security Product Manager; Security Sales Engineer and Certified Instructor; Network Engineer and Systems Administrator. Combination of business and technical education: MBA, Virginia Tech; BS EE, Penn State; CISSP (March 2004)
3 Federal CIO Tony Scott, Cloud Computing Forum & Workshop VIII, July 7, 2015, on adding security later: "Like duct-taping airbags to a 1965 Mustang. Even if you could do it, the result would probably be pretty ugly. It's expensive, hard to do... you end up with something no one wants." Security By Design: ensure that security is built into every layer. Source: Federal Computer Week (FCW), July 7, 2015
4 California: A Cybersecurity Leader. The Brookings Institution characterizes states with strong cybersecurity plans by four traits; how the State of California measures up:
- Acknowledge the cybersecurity problem: Yes
- Implement strategic and multi-faceted cybersecurity plans: Yes
- Collect and act on cybersecurity metrics: Yes
- Rely on NIST standards rather than locally-developed plans: Partly
5 California Information Security Office (CISO), State Administrative Manual (SAM) Chapter 5300, Information Security: Minimum Security Controls. California has adopted National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 as its minimum information security control requirements, to support implementation of and compliance with the Federal Information Processing Standards (FIPS). Each state entity shall use the FIPS and NIST SP 800-53 in the planning, development, implementation, and maintenance of its information security program.
6 SAM Chapter 5300: over 40 sections, maintained by the State, updated every 3 years, painstakingly mapped to NIST SP 800-53, California-specific
7 NIST SP 800-53: 18 control families, hundreds of individual security controls, now on its fourth revision (Rev. 4)
8 DoD and NIST: Closer Alignment. DoDI 8510.01 replaces DIACAP with the NIST Risk Management Framework (RMF): "The cybersecurity requirements for DoD information technologies will be managed through the RMF consistent with the principles established in National Institute of Standards and Technology (NIST) SP 800-37."
9 Maybe there s a better way?
10 Imagine a simple yet effective framework...
- Intelligent Security Design: builds cybersecurity risk management directly into your overall risk management program; aligns with national standards
- Intelligent Security Development: improves your existing cybersecurity capabilities over time; uses standard language and terminology to discuss cybersecurity risks
- Intelligent Security Acquisition: enables you to prioritize cybersecurity investments for maximum impact; reduces human workloads to focus on higher-value activities
11 It's Here. It's the NIST Cybersecurity Framework. And Other States Are Doing It. "The State of Texas has aligned the Framework Functions to its agency security plan. Texas has developed a statewide framework that covers cybersecurity best practices and is mapped to the Framework subcategories. To mitigate supplier risk, the state also uses a vendor alignment template that is rooted in the Framework core." NIST Newsletter, Update on the Cybersecurity Framework (July 1, 2015)
12 Framework Background
13 State CIO Priorities
14 National Institute of Standards and Technology. Breadth and depth across vast subject areas: information technology, telecommunications, energy, chemistry, math, physics, public safety, nanotechnology, and much more. Information technology publications and best practices: Computer Security Resource Center (CSRC), Cybersecurity Framework, Cloud Computing, Information Technology Laboratory, Smart Grid, National Strategy for Trusted Identities in Cyberspace (NSTIC). Mission: to promote innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life
15 Improving Critical Infrastructure Cybersecurity, Executive Order 13636, February 2013: "It is the policy of the United States to enhance the security and resilience of the Nation's critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties."
16 NIST Cybersecurity Framework
- Outcome of Executive Order 13636, and the result of collaboration between the public and private sectors
- Manages cybersecurity risks in a cost-effective way, while protecting privacy and civil liberties
- References the globally accepted standards (COBIT, ISO/IEC, ISA, NIST, CCS) that are working well today
- Intended for worldwide adoption, not US only
- Uses common terminology to discuss cybersecurity risk
- Ensures business drivers guide cybersecurity activities
- Considers cybersecurity risks as part of the organization's overall risk management process
17 Promoting Cybersecurity Best Practices: people, process, technology. The Framework covers all three
18 People: Addressing the Role of People. The Framework helps organizations optimize their cybersecurity activities: aligns cybersecurity activities with business risk; prioritizes the activities that are most important for critical service delivery; maximizes the impact of cybersecurity spending
19 People: Facilitating Communication. The Framework uses a common language to discuss cybersecurity risk: improves communication among cybersecurity experts and senior leadership within an organization; improves communication with external vendors, partners, and contractors; aligns the Information Technology (IT) and Operational Technology (OT) teams
20 Process: Complementing Existing Processes. The Framework works with existing risk management programs: ISO 31000:2009, ISO/IEC 27005:2011, NIST SP 800-39, the Electricity Subsector Cybersecurity Risk Management Process (RMP), and more
21 Technology: Future-Proofing. The Framework ensures future extensibility and enables technical innovation: remains technology-agnostic; evolves with technical advances and new business requirements; acknowledges the global nature of cybersecurity risks; scales across borders
22 Applying to Everyone. The Framework enables all organizations to improve security and resilience: any size or type of organization; both public and private sectors; any degree of cybersecurity risk; any level of cybersecurity sophistication; anywhere in the world
23 Framework Basics
24 Framework Components
- 1 Framework Core: the set of activities, desired outcomes, and applicable references common across critical infrastructure sectors
- 2 Framework Implementation Tiers: an organization's view of how well it manages risk, ranging from Partial (Tier 1) to Adaptive (Tier 4)
- 3 Framework Profile: the alignment of the Framework Core with the specific business requirements of a particular organization
25 Framework Core: Four Parts. The Core is laid out as Functions, Categories, Subcategories, and Informative References, with the five Functions (Identify, Protect, Detect, Respond, Recover) running down its rows
26 Core Part 1: Functions (Identify, Protect, Detect, Respond, Recover): high-level cybersecurity goals
27 Core Part 2: Categories: subdivide Functions into specific activities
28 Core Part 3: Subcategories: subdivide Categories into desired outcomes
29 Core Part 4: Informative References: standards references for achieving the outcomes
30 Functions: High-Level Goals
- Identify (ID): develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities
- Protect (PR): develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services
- Detect (DE): develop and implement the appropriate activities to identify the occurrence of a cybersecurity event
- Respond (RS): develop and implement the appropriate activities to take action regarding a detected cybersecurity event
- Recover (RC): develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event
31 Categories: Specific Activities. Categories of the Identify (ID) Function:
- ID.AM Asset Management: the data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to business objectives and the organization's risk strategy
- ID.BE Business Environment: the organization's mission, objectives, stakeholders, and activities are understood and prioritized; this information is used to inform cybersecurity roles, responsibilities, and risk management decisions
- ID.GV Governance: the policies, procedures, and processes to manage and monitor the organization's regulatory, legal, risk, environmental, and operational requirements are understood and inform the management of cybersecurity risk
- ID.RA Risk Assessment: the organization understands the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals
- ID.RM Risk Management Strategy: the organization's priorities, constraints, risk tolerances, and assumptions are established and used to support operational risk decisions
32 Subcategories: Specific Outcomes. Subcategories of Asset Management (ID.AM):
- ID.AM-1: Physical devices and systems within the organization are inventoried
- ID.AM-2: Software platforms and applications within the organization are inventoried
- ID.AM-3: Organizational communication and data flows are mapped
- ID.AM-4: External information systems are catalogued
- ID.AM-5: Resources (hardware, devices, data, and software) are prioritized based on their classification, criticality, and business value
- ID.AM-6: Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (suppliers, customers, partners) are established
33 Informative References for ID.AM-1, Physical device inventories (Identify > Asset Management): CCS CSC 1; COBIT 5 BAI09.01, BAI09.02; ISA 62443-2-1:2009 4.2.3.4; ISA 62443-3-3:2013 SR 7.8; ISO/IEC 27001:2013 A.8.1.1, A.8.1.2; NIST SP 800-53 Rev. 4 CM-8. The international standards referenced: Council on CyberSecurity (CCS), Control Objectives for Information and Related Technology (COBIT), International Society of Automation (ISA), International Organization for Standardization (ISO), International Electrotechnical Commission (IEC)
35 Tiers reflect how an organization views cybersecurity risk and the processes in place to manage that risk:
- Tier 1, Partial: informal, ad hoc, reactive responses
- Tier 2, Risk Informed: practices approved but not completely established by policy
- Tier 3, Repeatable: practices approved and established by organizational policy
- Tier 4, Adaptive: practices fully established and continuously improved
36 Profiles: the alignment of the Framework Core with an organization's business requirements, risk tolerance, and resources. A Profile describes the current state and the desired future state, reveals gaps that can flow into action plan development, and facilitates a roadmap for reducing cybersecurity risk
37 Core Functions in plain language: Identify, know what you have; Protect, secure what you have; Detect, spot threats quickly; Respond, take action immediately; Recover, restore operations
38 Technology Doesn't Cover Everything: only half of the Framework's Categories are addressed by technology, which highlights the importance of both people and process in cybersecurity
39 Using the Framework
40 Ways to Use the Framework
- Basic review of cybersecurity practices: how well are we doing today?
- Establishing or improving a cybersecurity program: can we assess and improve? (Let's focus here)
- Communicating cybersecurity requirements with stakeholders: can we speak the same language?
- Identifying opportunities for updated Informative References: what else should we consider?
- Methodology to protect privacy and civil liberties: can we protect data better?
41 Improving a Cybersecurity Program: a seven-step cycle
1. Prioritize and Scope
2. Orient
3. Create Current Profile
4. Conduct Risk Assessment
5. Create Target Profile
6. Analyze Gaps
7. Implement Action Plan (then start again at step 1)
42 Step 1, Prioritize and Scope: identify business/mission objectives and high-level organizational priorities; make strategic decisions on cybersecurity; determine the scope of systems and assets that support the mission; assess risk tolerance
43 Step 2, Orient: identify related systems, regulatory requirements, and the overall risk approach; identify threats to systems and assets; identify vulnerabilities associated with systems and assets
44 Step 3, Create Current Profile. Example for Identify (ID) > Asset Management (ID.AM):
- ID.AM-1 Physical device inventories: Tier 1. Manual, spreadsheet-based system is insufficient and lacks network visibility.
- ID.AM-2 Software inventories: Tier 1. Asset management system cannot detect new software applications being deployed.
- ID.AM-3 Communication/data flow maps: Tier 2. Flow maps are documented and approved but need to be formalized by policy.
- ID.AM-4 External system catalogs: Unused. Current business model does not require external system catalogs.
- ID.AM-5 Resource prioritization: Tier 4. Prioritization system is working well for our needs today.
- ID.AM-6 Roles/responsibilities clarification: Tier 3. New cybersecurity responsibilities need to be formalized by policy.
45 Step 4, Conduct Risk Assessment, against the Current Profile: ID.AM-1 (Tier 1) and ID.AM-2 (Tier 1) carry unacceptably high risks; ID.AM-3 (Tier 2), ID.AM-4 (Unused), ID.AM-5 (Tier 4), and ID.AM-6 (Tier 3) are acceptable risks at this time
46 Step 5, Create Target Profile: this is where we want to be. Physical device and software inventories (ID.AM-1, ID.AM-2) at Tier 4, Adaptive: practices fully established, continuously improved, and built into our overall risk management program. Target Profile: ID.AM-1 Tier 4, ID.AM-2 Tier 4, ID.AM-3 Tier 2, ID.AM-4 Unused, ID.AM-5 Tier 4, ID.AM-6 Tier 3
47 Step 6, Analyze Gaps, Current Profile versus Target Profile: ID.AM-1 Tier 1 -> Tier 4; ID.AM-2 Tier 1 -> Tier 4; ID.AM-3 Tier 2 -> Tier 2; ID.AM-4 Unused -> Unused; ID.AM-5 Tier 4 -> Tier 4; ID.AM-6 Tier 3 -> Tier 3. The gap analysis enables a prioritized action plan
48 Step 7, Develop Action Plan from the Informative References.
- ID.AM-1: CCS CSC 1; COBIT 5 BAI09.01, BAI09.02; ISA 62443-2-1:2009 4.2.3.4; ISA 62443-3-3:2013 SR 7.8; ISO/IEC 27001:2013 A.8.1.1, A.8.1.2; NIST SP 800-53 Rev. 4 CM-8
- ID.AM-2: CCS CSC 2; COBIT 5 BAI09.01, BAI09.02, BAI09.05; ISA 62443-2-1:2009 4.2.3.4; ISA 62443-3-3:2013 SR 7.8; ISO/IEC 27001:2013 A.8.1.1, A.8.1.2; NIST SP 800-53 Rev. 4 CM-8
NIST SP 800-53 Revision 4, CM-8, Information System Component Inventory. Control: The organization: a. Develops and documents an inventory of information system components that: 1. Accurately reflects the current information system; 2. Includes all components within the authorization boundary of the information system; 3. Is at the level of granularity deemed necessary for tracking and reporting; and 4. Includes [Assignment: organization-defined information deemed necessary to achieve effective information system component accountability]
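Steps 3 to 7 above are a small, repeatable computation once the profiles are written down, and doing it in code keeps the gap list honest as the profiles change. The following Python is an added example, not code from the deck or from Cisco: the Current and Target Profile tiers are the deck's ID.AM numbers, the reference lists are the deck's entries for ID.AM-1 and ID.AM-2, and treating "Unused" as a declared out-of-scope marker that must agree in both profiles is an assumption of this example.

```python
"""Profile gap analysis over the seven-step cycle (steps 3 to 7).

Added example; not code from the deck or from Cisco. Tier values are the
Framework Implementation Tiers (1 Partial .. 4 Adaptive); the string
"Unused" marks a Subcategory the organization has declared out of scope
(an assumption of this example). Profile numbers are the deck's ID.AM
example; the reference lists are the deck's entries for ID.AM-1 and ID.AM-2.
"""
from dataclasses import dataclass, field

TIER_NAMES = {1: "Partial", 2: "Risk Informed", 3: "Repeatable", 4: "Adaptive"}
UNUSED = "Unused"

# Current Profile (step 3) and Target Profile (step 5), by Subcategory.
CURRENT_PROFILE = {"ID.AM-1": 1, "ID.AM-2": 1, "ID.AM-3": 2,
                   "ID.AM-4": UNUSED, "ID.AM-5": 4, "ID.AM-6": 3}
TARGET_PROFILE = {"ID.AM-1": 4, "ID.AM-2": 4, "ID.AM-3": 2,
                  "ID.AM-4": UNUSED, "ID.AM-5": 4, "ID.AM-6": 3}

# Informative References (step 7) that the action plan draws on.
REFERENCES = {
    "ID.AM-1": ["CCS CSC 1", "COBIT 5 BAI09.01, BAI09.02",
                "ISA 62443-2-1:2009 4.2.3.4", "ISA 62443-3-3:2013 SR 7.8",
                "ISO/IEC 27001:2013 A.8.1.1, A.8.1.2", "NIST SP 800-53 Rev. 4 CM-8"],
    "ID.AM-2": ["CCS CSC 2", "COBIT 5 BAI09.01, BAI09.02, BAI09.05",
                "ISA 62443-2-1:2009 4.2.3.4", "ISA 62443-3-3:2013 SR 7.8",
                "ISO/IEC 27001:2013 A.8.1.1, A.8.1.2", "NIST SP 800-53 Rev. 4 CM-8"],
}


@dataclass
class Gap:
    subcategory: str
    current: int
    target: int
    references: list = field(default_factory=list)

    @property
    def size(self) -> int:
        return self.target - self.current


def _check_tier(sub: str, value) -> None:
    if value != UNUSED and value not in TIER_NAMES:
        raise ValueError(f"{sub}: tier must be 1-4 or {UNUSED!r}, got {value!r}")


def analyze_gaps(current: dict, target: dict, references: dict = None) -> list:
    """Step 6: compare profiles and return Gaps, largest first.

    Every Subcategory in the target needs a current assessment, and a
    Subcategory may be Unused only if both profiles agree, so an
    out-of-scope decision cannot silently hide a real gap. A target at or
    below the current tier yields no action item.
    """
    references = references or {}
    gaps = []
    for sub, tgt in target.items():
        if sub not in current:
            raise KeyError(f"{sub} has a target tier but no current assessment")
        cur = current[sub]
        _check_tier(sub, cur)
        _check_tier(sub, tgt)
        if UNUSED in (cur, tgt):
            if cur != tgt:
                raise ValueError(f"{sub}: {UNUSED!r} must be declared in both profiles")
            continue
        if tgt > cur:
            gaps.append(Gap(sub, cur, tgt, references.get(sub, [])))
    return sorted(gaps, key=lambda g: (-g.size, g.subcategory))


def action_plan(gaps: list) -> list:
    """Step 7: one action-plan line per gap, in priority order."""
    lines = []
    for g in gaps:
        refs = "; ".join(g.references) or "no informative references recorded"
        lines.append(f"{g.subcategory}: Tier {g.current} ({TIER_NAMES[g.current]}) -> "
                     f"Tier {g.target} ({TIER_NAMES[g.target]}), +{g.size}. Refs: {refs}")
    return lines


if __name__ == "__main__":
    for line in action_plan(analyze_gaps(CURRENT_PROFILE, TARGET_PROFILE, REFERENCES)):
        print(line)
```

Run as a script it prints the two ID.AM action items (ID.AM-1 and ID.AM-2, each Tier 1 to Tier 4) with their references; swapping in a full Core's worth of profiles changes nothing but the dictionaries.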
49 Step 7, Develop Action Plan: Device Inventory. We need an accurate device inventory... but how can we know what devices we have?
50 Step 7, Implement Action Plan: Device Discovery. Cisco Identity Services Engine (ISE) discovers and accurately identifies devices connected to wired, wireless, and virtual private networks, supporting NIST SP 800-53 Revision 4 CM-8, Information System Component Inventory (control text on slide 48)
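Discovery on its own does not satisfy CM-8 a.1; the inventory has to be compared with what discovery sees, so that devices on the network but not in the inventory surface as findings and documented devices that never appear get reviewed. The following Python is an added example, not code from the deck, from Cisco, or from ISE: the discovery export format (one MAC,IP,location line per device), the device records and every MAC address in it are constructed for this example, and any NAC, DHCP, switch MAC-table or ARP export that yields a MAC per device can feed it after a format tweak.

```python
"""Reconcile discovered devices against the documented inventory
(ID.AM-1 / NIST SP 800-53 CM-8 a.1: the inventory must reflect the current system).

Added example; not code from the deck, from Cisco, or from ISE. The export
format and all device records below are constructed for this example.
"""
import re

# Constructed: what the documented inventory (spreadsheet / CMDB) says exists.
INVENTORY = [
    {"mac": "00:11:22:33:44:55", "hostname": "fs-01", "owner": "Finance"},
    {"mac": "00-11-22-33-44-66", "hostname": "print-02", "owner": "Facilities"},
    {"mac": "0011.2233.4477", "hostname": "hvac-ctl-1", "owner": "Facilities"},
]

# Constructed: a discovery export, one device per line as MAC,IP,location.
# MAC formats deliberately differ from the inventory's to exercise normalization.
DISCOVERY_EXPORT = """\
# mac,ip,location
0011.2233.4455,10.1.5.10,sw-core-1 Gi1/0/1
00:11:22:33:44:77,10.1.9.23,sw-bldg-b Gi2/0/7
00:11:22:33:44:99,10.1.5.44,sw-core-1 Gi1/0/9
"""


def normalize_mac(raw: str) -> str:
    """Canonical lowercase aa:bb:cc:dd:ee:ff from colon, dash or Cisco dotted form."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).lower()


def parse_discovered(export: str) -> dict:
    """Map normalized MAC -> {ip, location}; blank and '#' lines are skipped."""
    seen = {}
    for lineno, line in enumerate(export.splitlines(), start=1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected MAC,IP,location, got {line!r}")
        mac, ip, location = parts
        seen[normalize_mac(mac)] = {"ip": ip, "location": location}
    return seen


def reconcile(inventory: list, discovered: dict) -> dict:
    """Split devices into matched, unknown (on the network, not documented)
    and stale (documented, not seen). Unknown devices are the CM-8 a.1 finding;
    stale entries are candidates for removal or for a check on why they are silent."""
    documented = {normalize_mac(d["mac"]): d for d in inventory}
    doc_macs, seen_macs = set(documented), set(discovered)
    return {
        "matched": sorted(doc_macs & seen_macs),
        "unknown": {m: discovered[m] for m in sorted(seen_macs - doc_macs)},
        "stale": {m: documented[m]["hostname"] for m in sorted(doc_macs - seen_macs)},
    }


if __name__ == "__main__":
    result = reconcile(INVENTORY, parse_discovered(DISCOVERY_EXPORT))
    for mac, where in result["unknown"].items():
        print(f"UNKNOWN device {mac} at {where['ip']} on {where['location']}")
    for mac, host in result["stale"].items():
        print(f"STALE inventory entry {mac} ({host}) not seen on the network")
    print(f"{len(result['matched'])} device(s) matched")
```

On the constructed data this reports one unknown device (the :99 address on sw-core-1 Gi1/0/9), one stale entry (print-02) and two matches. MAC addresses are the join key here because that is what most discovery sources emit; they can be spoofed, so a match only says a device answering with that address was seen, which is why a NAC that authenticates the endpoint is a stronger discovery source than an ARP table.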
51 Continuous Improvement: Not Once and Done! The seven-step cycle (Prioritize and Scope, Orient, Create Current Profile, Conduct Risk Assessment, Create Target Profile, Analyze Gaps, Implement Action Plan) repeats
52 Cisco Security: Supporting the Framework
53 Cisco's Threat-Centric Security Model, the Attack Continuum: Before (Discover, Enforce, Harden); During (Detect, Block, Defend); After (Scope, Contain, Remediate). Covers network, endpoint, mobile, virtual, and cloud and web; both point-in-time and continuous
54 Cisco's Threat-Centric Security Model, Aligning with the Framework Core: the continuum is laid out against the five Functions, Before (Discover, Enforce, Harden) alongside Identify and Protect, During (Detect, Block, Defend) alongside Detect, After (Scope, Contain, Remediate) alongside Respond and Recover
55 Technology: Cisco Security supports the Framework with security products
56 People and Process: Cisco Security supports the Framework with security services
57 Conclusion
58 Building Security In: let's see those airbags in the new Mustang... Security By Design: security built into every layer. Source: Federal Computer Week (FCW), July 7, 2015
59 NIST Cybersecurity Framework Enables...
- Intelligent Security Design: builds cybersecurity risk management directly into your overall risk management program; aligns with national standards
- Intelligent Security Development: improves your cybersecurity capabilities over time; uses standard language and terminology to discuss cybersecurity risks
- Intelligent Security Acquisition: enables you to prioritize cybersecurity investments for maximum impact; reduces human workloads to focus on higher-value activities
60 What's Next: the NIST Roadmap for Improving the Framework
- Aligning the Cybersecurity Framework and the Risk Management Framework (RMF)
- Promoting better identification and authentication solutions (NSTIC pilots)
- Standardizing, automating, and sharing threat information across sectors
- Developing and training the cybersecurity workforce of tomorrow (NICE initiative)
61 Call To Action
- Learn more about the cybersecurity challenge: Cisco Security Report
- Learn more about the Threat-Centric Security Model: Cisco Threat-Centric Security
- Learn more about the Cybersecurity Framework: NIST Cybersecurity Framework
62 Stop by the Cisco booth!
CSF Support for HIPAA and NIST Implementation and Compliance Presented By Bryan S. Cline, Ph.D. Presented For HITRUST Why does HITRUST exist? Multitude of challenges Significant government oversight Evolving
More informationImplementing the U.S. Cybersecurity Framework at Intel A Case Study
SESSION ID: STR-W01 Implementing the U.S. Cybersecurity Framework at Intel A Case Study Tim Casey Senior Strategic Risk Analyst Intel Information Security @timcaseycyber How would you represent your entire
More informationAn Overview of Information Security Frameworks. Presented to TIF September 25, 2013
An Overview of Information Security Frameworks Presented to TIF September 25, 2013 What is a framework? A framework helps define an approach to implementing, maintaining, monitoring, and improving information
More informationFFIEC Cybersecurity Assessment Tool
Overview In light of the increasing volume and sophistication of cyber threats, the Federal Financial Institutions Examination Council 1 (FFIEC) developed the Cybersecurity Tool (), on behalf of its members,
More informationUnderstanding the NIST Cybersecurity Framework September 30, 2014
Understanding the NIST Cybersecurity Framework September 30, 2014 Earlier this year the National Institute of Standard and Technology released the Framework for Improving Critical Infrastructure Cybersecurity
More informationCYBERSECURITY CHALLENGES FOR DOD ACQUISITION PROGRAMS. Steve Mills Professor of Information Technology Steve.mills@dau.mil 256.922.
CYBERSECURITY CHALLENGES FOR DOD ACQUISITION PROGRAMS 1 Steve Mills Professor of Information Technology Steve.mills@dau.mil 256.922.8761 Overview Cybersecurity Policy Overview Questions Challenge #1 -
More informationCybersecurity as a Risk Factor in doing business
Cybersecurity as a Risk Factor in doing business 1 Data is the new raw material of business Economist UK, 2013. In trying to defend everything he defended nothing Frederick the Great, Prussia 1712-86.
More informationIEEE-Northwest Energy Systems Symposium (NWESS)
IEEE-Northwest Energy Systems Symposium (NWESS) Paul Skare Energy & Environment Directorate Cybersecurity Program Manager Philip Craig Jr National Security Directorate Sr. Cyber Research Engineer The Pacific
More informationReliable, Repeatable, Measurable, Affordable
Reliable, Repeatable, Measurable, Affordable Defense-in-Depth Across Your Cyber Security Life-Cycle Faced with today s intensifying threat environment, where do you turn for cyber security answers you
More informationCForum: A Community Driven Solution to Cybersecurity Challenges
SESSION ID: AST3-R01 CForum: A Community Driven Solution to Cybersecurity Challenges Tom Conkle Cybersecurity Engineer G2, Inc. @TomConkle Greg Witte Sr. Security Engineer G2, Inc. @thenetworkguy Organizations
More informationNICE and Framework Overview
NICE and Framework Overview Bill Newhouse NIST NICE Leadership Team Computer Security Division Information Technology Lab National Institute of Standards and Technology TABLE OF CONTENTS Introduction to
More informationState Governments at Risk: The Data Breach Reality
State Governments at Risk: The Data Breach Reality NCSL Legislative Summit August 5, 2015 Doug Robinson, Executive Director National Association of State Chief Information Officers (NASCIO) About NASCIO
More informationChanging Legal Landscape in Cybersecurity: Implications for Business
Changing Legal Landscape in Cybersecurity: Implications for Business Presented to Greater Wilmington Cyber Security Group Presented by William R. Denny, Potter Anderson & Corroon LLP May 8, 2014 Topics
More informationIncrease insight. Reduce risk. Feel confident.
Increase insight. Reduce risk. Feel confident. Define critical goals with enhanced visibility then enable security and compliance across your complex IT infrastructure. VIRTUALIZATION + CLOUD NETWORKING
More informationRisk Management in Practice A Guide for the Electric Sector
Risk Management in Practice A Guide for the Electric Sector Annabelle Lee Senior Technical Executive ICCS European Engagement Summit April 28, 2015 Before we continue let s get over our fears and myths
More informationThe Protection Mission a constant endeavor
a constant endeavor The IT Protection Mission a constant endeavor As businesses become more and more dependent on IT, IT must face a higher bar for preparedness Cyber preparedness is the process of ensuring
More informationItaly. EY s Global Information Security Survey 2013
Italy EY s Global Information Security Survey 2013 EY s Global Information Security Survey 2013 This year s survey our 16th edition captures the responses of 1,909 C-suite and senior level IT and information
More informationDesigning & Building a Cybersecurity Program. Based on the NIST Cybersecurity Framework (CSF)
Designing & Building a Cybersecurity Program Based on the NIST Cybersecurity Framework (CSF) Larry Wilson Lesson 1 June, 2015 1 About the Class This course covers the essential elements for planning, building
More informationistockphoto/ljupco 36 June 2015 practicallaw.com 2015 Thomson Reuters. All rights reserved.
istockphoto/ljupco 36 June 2015 practicallaw.com The NIST Cybersecurity Framework Data breaches in organizations have rapidly increased in recent years. In 2014, the National Institute of Standards and
More informationNIST Cybersecurity Initiatives. ARC World Industry Forum 2014
NIST Cybersecurity Initiatives Keith Stouffer and Vicky Pillitteri NIST ARC World Industry Forum 2014 February 10-13, 2014 Orlando, FL National Institute of Standards and Technology (NIST) NIST s mission
More informationFREQUENTLY ASKED QUESTIONS
FREQUENTLY ASKED QUESTIONS Continuous Monitoring 1. What is continuous monitoring? Continuous monitoring is one of six steps in the Risk Management Framework (RMF) described in NIST Special Publication
More informationCybersecurity: The Legal, Legislative and Regulatory Outlook
Cybersecurity: The Legal, Legislative and Regulatory Outlook Jamie Barnett Rear Admiral USN (Retired) Co-Chair, Telecommunications Partner in Cybersecurity Practice Cybersecurity Impact and Costs Direct
More informationCybersecurity Throughout DoD Acquisition
Cybersecurity Throughout DoD Acquisition Tim Denman Cybersecurity Performance Learning Director DAU Learning Capabilities Integration Center Tim.Denman@dau.mil Acquisition.cybersecurity@dau.mil Cybersecurity
More informationInformation Security Program Management Standard
State of California California Information Security Office Information Security Program Management Standard SIMM 5305-A September 2013 REVISION HISTORY REVISION DATE OF RELEASE OWNER SUMMARY OF CHANGES
More informationRMF. Cybersecurity and the Risk Management. Framework UNCLASSIFIED
Cybersecurity and the Risk Management Framework Wherewe ve been and where we re going Information Assurance DoD Instruction 8500.01,Para 1(d),adoptsthe term cybersecurity as it is defined in National Security
More informationAddressing the SANS Top 20 Critical Security Controls for Effective Cyber Defense
A Trend Micro Whitepaper I February 2016 Addressing the SANS Top 20 Critical Security Controls for Effective Cyber Defense How Trend Micro Deep Security Can Help: A Mapping to the SANS Top 20 Critical
More informationAutomation Suite for NIST Cyber Security Framework
WHITEPAPER NIST Cyber Security Framework Automation Suite for NIST Cyber Security Framework NOVEMBER 2014 Automation Suite for NIST Cyber Security Framework The National Institute of Standards and Technology
More informationCybersecurity..Is your PE Firm Ready? October 30, 2014
Cybersecurity..Is your PE Firm Ready? October 30, 2014 The Panel Melinda Scott, Founding Partner, Scott Goldring Eric Feldman, Chief Information Officer, The Riverside Company Joe Campbell, CTO, PEF Services
More informationA Flexible and Comprehensive Approach to a Cloud Compliance Program
A Flexible and Comprehensive Approach to a Cloud Compliance Program Stuart Aston Microsoft UK Session ID: SPO-201 Session Classification: General Interest Compliance in the cloud Transparency Responsibility
More informationImpact of New Internal Control Frameworks
Impact of New Internal Control Frameworks Webcast: Tuesday, February 25, 2014 CPE Credit: 1 0 With You Today Bob Jacobson Principal, Risk Advisory Services Consulting Leader West Region Bob.Jacobson@mcgladrey.com
More informationApril 28, 2014. Ms. Hada Flowers Regulatory Secretariat Division General Services Administration 1800 F Street, NW, 2 nd Floor Washington, DC
April 28, 2014 Ms. Hada Flowers Regulatory Secretariat Division General Services Administration 1800 F Street, NW, 2 nd Floor Washington, DC RE: Information Technology Sector Coordinating Council (IT SCC)
More informationIG ISCM MATURITY MODEL FOR FY 2015 FISMA FOR OFFICIAL USE ONLY
IG MATURITY MODEL FOR FY 2015 FISMA 1 Ad-hoc 1.1 program is not formalized and activities are performed in a reactive manner resulting in an adhoc program that does not meet 2 requirements for a defined
More informationSecurity Controls Assessment for Federal Information Systems
Security Controls Assessment for Federal Information Systems Census Software Process Improvement Program September 11, 2008 Kevin Stine Computer Security Division National Institute of Standards and Technology
More informationEliminating Cybersecurity Blind Spots
Eliminating Cybersecurity Blind Spots Challenges for Business April 15, 2015 Table of Contents Introduction... 3 Risk Management... 3 The Risk Blind Spot... 4 Continuous Asset Visibility... 5 Passive Network
More informationCloud Security Trust Cisco to Protect Your Data
Trust Cisco to Protect Your Data As cloud adoption accelerates, organizations are increasingly placing their trust in third-party cloud service providers (CSPs). But can you fully trust your most sensitive
More informationWhy you should adopt the NIST Cybersecurity Framework
www.pwc.com/cybersecurity Why you should adopt the NIST Cybersecurity Framework May 2014 The National Institute of Standards and Technology Cybersecurity Framework may be voluntary, but it offers potential
More informationState Agency Cyber Security Survey v 3.4 2 October 2014. State Agency Cybersecurity Survey v 3.4
State Agency Cybersecurity Survey v 3.4 The purpose of this survey is to identify your agencies current capabilities with respect to information systems/cyber security and any challenges and/or successes
More informationBridging the Security Governance Divide in Utilities
Bridging the Security Governance Divide in Utilities About Me Energy Security Advisor to utilities, regulators, integrators, energy start-ups Member: GTM GridEdge Exec Council ISC-ISAC Corporate Board
More informationInformation and Communications Technology Supply Chain Risk Management (ICT SCRM) AND NIST Cybersecurity Framework
Information and Communications Technology Supply Chain Risk Management (ICT SCRM) AND NIST Cybersecurity Framework Don t screw with my chain, dude! Jon Boyens Computer Security Division IT Laboratory November
More informationPreparing for the Convergence of Risk Management & Business Continuity
Preparing for the Convergence of Risk Management & Business Continuity Disaster Recovery Journal Webinar Series September 5, 2012 2012 Strategic BCP, Inc. All rights reserved. strategicbcp.com 1 Today
More informationHealth Industry Implementation of the NIST Cybersecurity Framework
Health Industry Implementation of the NIST Cybersecurity Framework A Collaborative Presentation by HHS, NIST, HITRUST, Deloitte and Seattle Children s Hospital 1 Your presenters HHS Steve Curren, Acting
More informationNational Cyber Security Policy -2013
National Cyber Security Policy -2013 Preamble 1. Cyberspace 1 is a complex environment consisting of interactions between people, software and services, supported by worldwide distribution of information
More informationCybersecurity The role of Internal Audit
Cybersecurity The role of Internal Audit Cyber risk High on the agenda Audit committees and board members are seeing cybersecurity as a top risk, underscored by recent headlines and increased government
More informationCONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL
CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL WHAT IS CDM? The continuous stream of high profile cybersecurity breaches demonstrates the need to move beyond purely periodic, compliance-based approaches to
More informationOVERVIEW. In all, this report makes recommendations in 14 areas, such as. Page iii
The Office of the Auditor General has conducted a procedural review of the State Data Center (Data Center), a part of the Arizona Strategic Enterprise Technology (ASET) Division within the Arizona Department
More informationAppendix B: Mapping Cybersecurity Assessment Tool to NIST
Appendix B: to NIST Cybersecurity Framework In 2014, the National Institute of Standards and Technology (NIST) released a Cybersecurity Framework for all sectors. The following provides a mapping of the
More informationState of South Carolina Policy Guidance and Training
State of South Carolina Policy Guidance and Training Policy Workshop All Agencies Business Continuity Management Policy June 2014 Agenda Questions & Follow-Up Policy Workshop Overview & Timeline Policy
More information