Building Security In:

Size: px
Start display at page:

Download "Building Security In:"

Transcription

1 #CACyberSS2015 Building Security In: Intelligent Security Design, Development and Acquisition Steve Caimi Industry Solutions Specialist, US Public Sector Cybersecurity September 2015

2 A Little About Me Twenty years in cybersecurity, enterprise software, networking, and telecommunications Security Specialist for the US Public Sector Security Product Manager Security Sales Engineer and Certified Instructor Network Engineer and Systems Administrator Combination of business and technical education MBA / Virginia Tech BS EE / Penn State CISSP# March 2004

3 Federal CIO Tony Scott Cloud Computing Forum & Workshop VIII July 7, 2015 On adding security later: Like duct-taping airbags to a 1965 Mustang Even if you could do it, the result would probably be pretty ugly It s expensive, hard to do... you end up with something no one wants Security By Design: Ensure that security is built into every layer Source: Federal Computing Week, July 7, 2015

4 California: A Cybersecurity Leader Brookings Institution characterizes States with strong cybersecurity plans: Characteristic Acknowledge the cybersecurity problem Implement strategic and multi-faceted cybersecurity plans Collect and act on cybersecurity metrics Rely on NIST standards rather than locally-developed plans State of CA Yes Yes Yes Partly

5 California Information Security Office (CISO) Chapter 5300 Section Information Security Minimum Security Controls California has adopted the National Institute of Standards and Technology (NIST) Special Publication (SP) as minimum information security control requirements to support implementation and compliance with the Federal Information Processing Standards (FIPS) Each state entity shall use the FIPS and NIST SP in the planning, development, implementation, and maintenance of their information security programs

6 SAM Chapter pages Over 40 sections Maintained by the State Updated every 3 years Painstakingly mapped to NIST SP California-specific

7 NIST Special Publication pages with 18 control families Hundreds of individual security controls Now on its fourth revision

8 DoD and NIST: Closer Alignment DoDI replaces DIACAP with the NIST Risk Management Framework (RMF) The cybersecurity requirements for DoD information technologies will be managed through the RMF consistent with the principals established in National Institute of Standards and Technology (NIST) SP NIST Risk Management Framework

9 Maybe there s a better way?

10 Imagine a simple yet effective framework... Intelligent Security Design Builds cybersecurity risk management directly into your overall risk management program Aligns with national standards Intelligent Security Development Improves your existing cybersecurity capabilities over time Uses standard language and terminology to discuss cybersecurity risks Intelligent Security Acquisition Enables you to prioritize cybersecurity investments for maximum impact Reduces human workloads to focus on higher value activities

11 It s Here. It s the NIST Cybersecurity Framework. And Other States Are Doing It. The State of Texas has aligned the Framework Functions to its agency security plan. Texas has developed a statewide framework that covers cybersecurity best practices and is mapped to the Framework subcategories. To mitigate supplier risk, the state also uses a vendor alignment template that is rooted in the Framework core. NIST Newsletter Update on the Cybersecurity Framework (July 1, 2015)

12 Framework Background

13 State CIO Priorities

14 National Institute of Standards and Technology Breadth and depth across vast subject areas Information Technology, telecommunications, energy, chemistry, math, physics, public safety, nanotechnology -- and much more Information Technology publications and best practices Computer Security Resource Center (CSRC) Cybersecurity Framework Cloud Computing Information Technology Laboratory Smart Grid National Strategy for Trusted Identities in Cyberspace (NSTIC) Mission To promote innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life

15 Improving Critical Infrastructure Cybersecurity Executive Order February 2013 It is the policy of the United States to enhance the security and resilience of the Nation s critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties.

16 NIST Cybersecurity Framework Outcome of Executive Order 13636, and result of collaboration between public and private sectors Manages cybersecurity risks in a cost-effective way, while protecting privacy and civil liberties References the globally accepted standards (COBIT, ISO/IEC, ISA, NIST, CCS) that are working well today Intended for worldwide adoption -- not US only Uses common terminology to discuss cybersecurity risk Ensures business drivers guide cybersecurity activities Considers cybersecurity risks as part of organization s overall risk management process

17 Promoting Cybersecurity Best Practices People Process Technology Framework covers all three

18 People Addressing the Role of People Framework helps organizations optimize their cybersecurity activities Aligns cybersecurity activities with business risk Prioritizes activities that are most important for critical service delivery Maximizes the impact of cybersecurity spending

19 People Facilitating Communication Framework uses a common language to discuss cybersecurity risk Improves communication among cybersecurity experts and senior leadership within an organization Improves communication with external vendors, partners, and contractors Aligns the Information Technology (IT) and Operations Technology (OT) teams

20 Process Complementing Existing Processes Framework works with existing risk management programs ISO 31000:20093 ISO/IEC 27005:20114 NIST SP Electricity Subsector Cybersecurity Risk Management Process (RMP) More...

21 Technology Future-Proofing Framework ensures future extensibility and enables technical innovation Remains technology-agnostic Evolves with technical advances and new business requirements Acknowledges global nature of cybersecurity risks Scales across borders

22 Applying to Everyone Framework enables all organizations to improve security and resilience Any size or type of organization Both public and private sectors Any degree of cybersecurity risk Any level of cybersecurity sophistication Anywhere in the world

23 Framework Basics

24 Framework Components Set of activities, desired outcomes, and applicable references common across critical infrastructure sectors 1 Framework Core 3 Framework Profile Alignment of Framework Core structure with the specific business requirements of a particular organization 2 Framework Implementation Tiers An organization s view on how well it manages risk, ranging from Partial (Tier 1) to Adaptive (Tier 4)

25 Framework Core: Four Parts Core Functions Categories Subcategories Informative Resources Identify Protect Detect Respond Recover

26 Core Part 1: Functions Core Functions Categories Subcategories Informative Resources Identify 1 Protect Detect High-level cybersecurity Respond goals Recover

27 Core Part 2: Categories Core Functions Categories Subcategories Informative Resources Identify Protect Detect Respond Recover 2 Subdivide Functions into specific activities

28 Core Part 3: Subcategories Core Functions Categories Subcategories Informative Resources Identify Protect Detect Respond Recover 3 Subdivide Categories into desired outcomes

29 Core Part 4: Informative Resources Core Functions Categories Subcategories Informative Resources Identify Protect Detect Respond Recover 4 Standards references to achieve the outcomes

30 Functions: High-Level Goals Core Functions ID PR DE Identify Protect Detect Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event RS RC Respond Recover Develop and implement the appropriate activities to take action regarding a detected cybersecurity event Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event

31 Categories: Specific Activities Core Function Categories ID.AM Asset Management (AM) The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to business objectives and the organization s risk strategy. Identify (ID) ID.BE ID.GV Business Environment (BE) Governance (GV) The organization s mission, objectives, stakeholders, and activities are understood and prioritized; this information is used to inform cybersecurity roles, responsibilities, and risk management decisions. The policies, procedures, and processes to manage and monitor the organization s regulatory, legal, risk, environmental, and operational requirements are understood and inform the management of cyber risk. ID.RA Risk Assessment (RA) The organization understands the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals. ID.RM Risk Management Strategy (RM) The organization s priorities, constraints, risk tolerances, and assumptions are established and used to support operational risk decisions.

32 Subcategories: Specific Outcomes Core Function Category Subcategories ID.AM-1 Physical devices and systems within the organization are inventoried ID.AM-2 Software platforms and applications within the organization are inventoried Identify (ID) Asset Management (ID.AM) ID.AM-3 ID.AM-4 Organizational communication and data flows are mapped External information systems are catalogued ID.AM-5 Resources (hardware, devices, data, and software) are prioritized based on their classification, criticality, and business value ID.AM-6 Cybersecurity roles and responsibilities for the entire workforce and thirdparty stakeholders (suppliers, customers, partners) are established

33 Informative Resources Core Function Category Subcategory Informative Resources CCS CSC 1 Identify (ID) Asset Management (ID.AM) Physical device inventories (ID.AM-1) COBIT 5 BAI09.01, BAI09.02 ISA : ISA :2013 SR 7.8 ISO/IEC 27001:2013 A.8.1.1, A NIST SP Rev. 4 CM-8 International standards references Council on CyberSecurity (CCS) Control Objectives for Information and Related Technology (COBIT) International Society of Automation (ISA) International Organization for Standardization (ISO) International Electrotechnical Commission (IEC)

34 Informative Resources Core Function Category Subcategory Informative Resources CCS CSC 1 Identify (ID) Asset Management (ID.AM) Physical device inventories (ID.AM-1) COBIT 5 BAI09.01, BAI09.02 ISA : ISA :2013 SR 7.8 ISO/IEC 27001:2013 A.8.1.1, A NIST SP Rev. 4 CM-8

35 Tiers Tiers Reflect how an organization views cybersecurity risk and the processes in place to manage that risk Tier Tier Tier Tier Adaptive: Practices fully established and continuously improved Repeatable: Practices approved and established by organizational policy Risk Informed: Practices approved but not completely established by policy Partial: Informal, ad hoc, reactive responses

36 Profiles Profiles The alignment of the Framework core with an organizations business requirements, risk tolerance, and resources Describes the current state and desired future state Reveals gaps that can flow into action plan development Facilities a roadmap for reducing cybersecurity risk

37 Core Functions & Categories Core Know what you have Secure what you have Spot threats quickly Take action immediately Restore operations

38 Technology Doesn t Cover Everything Only half of the Framework s Categories are addressed by technology Highlights the importance of both people and process in cybersecurity

39 Using the Framework

40 Ways to Use the Framework Basic Review of Cybersecurity Practices Establishing or Improving a Cybersecurity Program Communicating Cybersecurity Requirements with Stakeholders Identifying Opportunities for Updated Informative References Methodology to Protect Privacy and Civil Liberties How well are we doing today? Can we assess and improve? Can we speak the same language? What else should we consider? Can we protect data better? Let s focus here

41 Improving a Cybersecurity Program Implement Action Plan Start Prioritize and Scope 7 1 Analyze Gaps 6 2 Orient Create Target Profile Create Current Profile Conduct Risk Assessment

42 1 Prioritize and Scope Identify business/mission objectives and high-level organizational priorities Make strategic decisions on cybersecurity Determine scope of systems and assets that support the mission Assess risk tolerance

43 Orient 2 Identify related systems, regulatory requirements, and overall risk approach Identify threats to systems and assets Identify vulnerabilities associated with systems and assets

44 Create Current Profile 3 Function Category Subcategory Current Profile Physical device inventories (ID.AM-1) Tier 1 Manual, spreadsheet-based system is insufficient and lacks network visibility. Software inventories (ID.AM-2) Tier 1 Asset management system cannot detect new software applications being deployed. Identify (ID) Asset Management (ID.AM) Communication/data flow maps (ID.AM-3) External system catalogs (ID.AM-4) Tier 2 Unused Flow maps are documented and approved but needs to be formalized by policy. Current business model does not require external system catalogs. Resource prioritization (ID.AM-5) Tier 4 Prioritization system is working well for our needs today. Roles/responsibilities clarification (ID.AM-6) Tier 3 New cybersecurity responsibilities need to be formalized by policy.

45 Conduct Risk Assessment 4 Fxn. Cat. Sub. Current Profile Risk Assessment ID.AM-1 ID.AM-2 Tier 1 Tier 1 Unacceptably high risks ID ID.AM ID.AM-3 ID.AM-4 ID.AM-5 Tier 2 Unused Tier 4 Acceptable risks at this time ID.AM-6 Tier 3

46 Create Target Profile 5 Fxn. Cat. Sub. Target Profile This is where we want to be Physical device and software inventories at Tier 4, Adaptive Practices fully established, continuously improved, and built into our overall risk management program ID ID.AM ID.AM-1 ID.AM-2 ID.AM-3 ID.AM-4 ID.AM-5 ID.AM-6 Tier 4 Tier 4 Tier 2 Unused Tier 4 Tier 3

47 Analyze Gaps 6 Fxn. Cat. Sub. Current Profile Fxn. Cat. Sub. Target Profile ID.AM-1 Tier 1 ID.AM-1 Tier 4 ID.AM-2 Tier 1 ID.AM-2 Tier 4 ID ID.AM ID.AM-3 ID.AM-4 ID.AM-5 Tier 2 Unused Tier 4 Enables a prioritized action plan ID ID.AM ID.AM-3 ID.AM-4 ID.AM-5 Tier 2 Unused Tier 4 ID.AM-6 Tier 3 ID.AM-6 Tier 3

48 7 Develop Action Plan: Informative Resources Fxn. Cat. Sub. Informative Resources NIST SP Revision 4 CCS CSC 1 CM-8 / Information System Component Inventory ID ID.AM ID.AM-1 ID.AM-2 COBIT 5 BAI09.01, BAI09.02 ISA : ISA :2013 SR 7.8 ISO/IEC 27001:2013 A.8.1.1, A NIST SP Rev. 4 CM-8 CCS CSC 2 COBIT 5 BAI09.01, BAI09.02, BAI09.05 ISA : ISA :2013 SR 7.8 ISO/IEC 27001:2013 A.8.1.1, A NIST SP Rev. 4 CM-8 Control: The organization: a. Develops and documents an inventory of information system components that: 1. Accurately reflects the current information system; 2. Includes all components within the authorization boundary of the information system; 3. Is at the level of granularity deemed necessary for tracking and reporting; and 4. Includes [Assignment: organization-defined information deemed necessary to achieve effective information system component accountability]

49 Develop Action Plan: Device Inventory 7?? We need an accurate device inventory......but how can we know what devices we have?

50 Implement Action Plan: Device Discovery 7 Cisco Identity Services Engine (ISE) Discovers and accurately identifies devices connected to wired, wireless, and virtual private networks IS E NIST SP Revision 4 CM-8 / Information System Component Inventory Control: The organization: a. Develops and documents an inventory of information system components that: 1. Accurately reflects the current information system; 2. Includes all components within the authorization boundary of the information system; 3. Is at the level of granularity deemed necessary for tracking and reporting; and 4. Includes [Assignment: organization-defined information deemed necessary to achieve effective information system component accountability]

51 Continuous Improvement: Not Once and Done! Implement Action Plan Prioritize and Scope 7 1 Analyze Gaps 6 2 Orient Create Target Profile Create Current Profile Conduct Risk Assessment

52 Cisco Security: Supporting the Framework

53 Cisco s Threat Centric Security Model Attack Continuum Before Discover Enforce Harden During Detect Block Defend After Scope Contain Remediate Network Endpoint Mobile Virtual Cloud and Web Point in Time Continuous

54 Cisco s Threat Centric Security Model Aligning with the Framework Core Before Discover Enforce Harden During Detect Block Defend After Scope Contain Remediate Identify Protect Detect Respond Recover

55 Technology Cisco Security Supports the Framework Security Products

56 People Process Cisco Security Supports the Framework Security Services

57 Conclusion

58 Building Security In: Let s see those airbags in the new Mustang... Security By Design: Security built into every layer Source: Federal Computing Week, July 7, 2015

59 NIST Cybersecurity Framework Enables... Intelligent Security Design Builds cybersecurity risk management directly into your overall risk management program Aligns with national standards Intelligent Security Development Improves your cybersecurity capabilities over time Uses standard language and terminology to discuss cybersecurity risks Intelligent Security Acquisition Enables you to prioritize cybersecurity investments for maximum impact Reduces human workloads to focus on higher value activates

60 What s Next NIST Roadmap for Improving The Framework Aligning the Cybersecurity Framework and the Risk Management Framework (RMF) Promoting better identification and authentication solutions (NSTIC pilots) Standardizing, automating, and sharing of threat information across sectors Developing and training the cybersecurity workforce of tomorrow (NICE initiative)

61 Call To Action Learn more about the Cybersecurity Challenge Learn more about the Threat-Centric Security Model Learn more about the Cybersecurity Framework Cisco Security Report Cisco Threat-Centric Security NIST Cybersecurity Framework

62 Stop by the Cisco booth!

63

Framework for Improving Critical Infrastructure Cybersecurity

Framework for Improving Critical Infrastructure Cybersecurity Framework for Improving Critical Infrastructure Cybersecurity Version 1.0 National Institute of Standards and Technology February 12, 2014 Table of Contents Executive Summary...1 1.0 Framework Introduction...3

More information

Framework for Improving Critical Infrastructure Cybersecurity

Framework for Improving Critical Infrastructure Cybersecurity Framework for Improving Critical Infrastructure Cybersecurity Version 1.0 National Institute of Standards and Technology February 12, 2014 Table of Contents Executive Summary...1 1.0 Framework Introduction...3

More information

NIST Cybersecurity Framework & A Tale of Two Criticalities

NIST Cybersecurity Framework & A Tale of Two Criticalities NIST Cybersecurity Framework & A Tale of Two Criticalities Vendor Management & Incident Response Presented by: John H Rogers, CISSP Advisory Services Practice Manager john.rogers@sagedatasecurity.com Presented

More information

Collaborative, Standards-Based Approaches to Improving Cybersecurity

Collaborative, Standards-Based Approaches to Improving Cybersecurity Collaborative, Standards-Based Approaches to Improving Cybersecurity ISACA-NCAC Annual Meeting May 24, 2016 Kevin Stine Kevin.Stine@nist.gov National Institute of Standards and Technology (NIST) About

More information

Cybersecurity Framework. Executive Order 13636 Improving Critical Infrastructure Cybersecurity

Cybersecurity Framework. Executive Order 13636 Improving Critical Infrastructure Cybersecurity Cybersecurity Framework Executive Order 13636 Improving Critical Infrastructure Cybersecurity National Institute of Standards and Technology (NIST) Mission To promote U.S. innovation and industrial competitiveness

More information

Improving Critical Infrastructure Cybersecurity Executive Order 13636. Preliminary Cybersecurity Framework

Improving Critical Infrastructure Cybersecurity Executive Order 13636. Preliminary Cybersecurity Framework 1 Improving Critical Infrastructure Cybersecurity Executive Order 13636 Preliminary Cybersecurity Framework 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35

More information

CRR-NIST CSF Crosswalk 1

CRR-NIST CSF Crosswalk 1 IDENTIFY (ID) Asset Management (AM): The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative

More information

Cybersecurity Framework Security Policy Mapping Table

Cybersecurity Framework Security Policy Mapping Table Cybersecurity Framework Security Policy Mapping Table The following table illustrates how specific requirements of the US Cybersecurity Framework [1] are addressed by the ISO 27002 standard and covered

More information

Voluntary Cybersecurity Initiatives in Critical Infrastructure. Nadya Bartol, CISSP, SGEIT, nadya.bartol@utc.org. 2014 Utilities Telecom Council

Voluntary Cybersecurity Initiatives in Critical Infrastructure. Nadya Bartol, CISSP, SGEIT, nadya.bartol@utc.org. 2014 Utilities Telecom Council Voluntary Cybersecurity Initiatives in Critical Infrastructure Nadya Bartol, CISSP, SGEIT, nadya.bartol@utc.org 2014 Utilities Telecom Council Utility cybersecurity environment is full of collaborations

More information

Framework for Improving Critical Infrastructure Cybersecurity

Framework for Improving Critical Infrastructure Cybersecurity Framework for Improving Critical Infrastructure Cybersecurity January 2016 cyberframework@nist.gov Improving Critical Infrastructure Cybersecurity It is the policy of the United States to enhance the security

More information

Applying Framework to Mobile & BYOD

Applying Framework to Mobile & BYOD Applying Framework to Mobile & BYOD Framework for Improving Critical Infrastructure Cybersecurity National Association of Attorneys General Southern Region Meeting 13 March 2015 cyberframework@nist.gov

More information

NIST Cybersecurity Framework Overview

NIST Cybersecurity Framework Overview NIST Cybersecurity Framework Overview Executive Order 13636 Improving Critical Infrastructure Cybersecurity 2nd ENISA International Conference on Cyber Crisis Cooperation and Exercises Executive Order

More information

The President issued an Executive Order Improving Critical Infrastructure Cybersecurity, on February 2013.

The President issued an Executive Order Improving Critical Infrastructure Cybersecurity, on February 2013. The President issued an Executive Order Improving Critical Infrastructure Cybersecurity, on February 2013. The Executive Order calls for the development of a voluntary risk based Cybersecurity Framework

More information

Framework for Improving Critical Infrastructure Cybersecurity

Framework for Improving Critical Infrastructure Cybersecurity Framework for Improving Critical Infrastructure Cybersecurity Implementation of Executive Order 13636 8 April 2015 cyberframework@nist.gov Agenda Mission of NIST Cybersecurity at NIST Cybersecurity Framework

More information

Happy First Anniversary NIST Cybersecurity Framework:

Happy First Anniversary NIST Cybersecurity Framework: Happy First Anniversary NIST Cybersecurity Framework: We ve Hardly Known Ya Chad Stowe, CISSP, CISA, MBA Who is your organization on Cybersecurity? Problem Statement Management has not been given the correct

More information

NIST Cybersecurity Framework. ARC World Industry Forum 2014

NIST Cybersecurity Framework. ARC World Industry Forum 2014 NIST Cybersecurity Framework Vicky Yan Pillitteri NIST ARC World Industry Forum 2014 February 10-13, 2014 Orlando, FL Executive Order 13636 Improving Critical Infrastructure Cybersecurity It is the policy

More information

Critical Manufacturing Cybersecurity Framework Implementation Guidance

Critical Manufacturing Cybersecurity Framework Implementation Guidance F Critical Manufacturing Cybersecurity Framework Implementation Guidance i Foreword The National Institute of Standards and Technology (NIST) released the 2014 Framework for Improving Critical Infrastructure

More information

Implementing a Framework

Implementing a Framework Implementing a Framework 44th Tennessee Higher Education Information Technology Symposium 2015 Greg Jackson Cyber Security Analyst Dynetics Inc. Information Systems Assessment Services (ISAS) www.dynetics.com

More information

NIST Cybersecurity Framework Sean Sweeney, Information Security Officer 5/20/2015

NIST Cybersecurity Framework Sean Sweeney, Information Security Officer 5/20/2015 NIST Cybersecurity Framework Sean Sweeney, Information Security Officer 5/20/2015 Overview The University of Pittsburgh NIST Cybersecurity Framework Pitt NIST Cybersecurity Framework Program Wrap Up Questions

More information

Cybersecurity Framework: Current Status and Next Steps

Cybersecurity Framework: Current Status and Next Steps Cybersecurity Framework: Current Status and Next Steps Federal Advisory Committee on Insurance November 6, 2014 Adam Sedgewick Senior IT Policy Advisor Adam.Sedgewick@nist.gov National Institute of Standards

More information

Framework for Improving Critical Infrastructure Cybersecurity

Framework for Improving Critical Infrastructure Cybersecurity Framework for Improving Critical Infrastructure Cybersecurity April 2016 cyberframework@nist.gov Pre-Cybersecurity Framework Threat Landscape 79% of reported victims were targets of opportunity 96% of

More information

IT ASSET MANAGEMENT Securing Assets for the Financial Services Sector

IT ASSET MANAGEMENT Securing Assets for the Financial Services Sector IT ASSET MANAGEMENT Securing Assets for the Financial Services Sector V.2 Final Draft May 1, 2014 financial_nccoe@nist.gov This revision incorporates comments from the public. Page Use case 1 Comments

More information

Framework for Improving Critical Infrastructure Cybersecurity

Framework for Improving Critical Infrastructure Cybersecurity Framework for Improving Critical Infrastructure Cybersecurity 18 November 2015 grance@nist.gov cyberframework@nist.gov National Institute of Standards and Technology About NIST NIST s mission is to develop

More information

ENERGY SECTOR CYBERSECURITY FRAMEWORK IMPLEMENTATION GUIDANCE

ENERGY SECTOR CYBERSECURITY FRAMEWORK IMPLEMENTATION GUIDANCE ENERGY SECTOR CYBERSECURITY FRAMEWORK IMPLEMENTATION GUIDANCE JANUARY 2015 U.S. DEPARTMENT OF ENERGY OFFICE OF ELECTRICITY DELIVERY AND ENERGY RELIABILITY Energy Sector Cybersecurity Framework Implementation

More information

Discussion Draft of the Preliminary Cybersecurity Framework

Discussion Draft of the Preliminary Cybersecurity Framework 1 Discussion Draft of the Preliminary Cybersecurity Framework August 28, 2013 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 A Discussion Draft of the Preliminary

More information

Intel Security Professional Services Leveraging NIST Cybersecurity Framework (CSF): Complexity is the enemy of security

Intel Security Professional Services Leveraging NIST Cybersecurity Framework (CSF): Complexity is the enemy of security Intel Security Professional Services Leveraging NIST Cybersecurity Framework (CSF): Complexity is the enemy of security David Brezinski, Professional Services, Enterprise Security Architect Agenda Overview

More information

NIST CYBERSECURITY FRAMEWORK COMPLIANCE WITH OBSERVEIT

NIST CYBERSECURITY FRAMEWORK COMPLIANCE WITH OBSERVEIT NIST CYBERSECURITY FRAMEWORK COMPLIANCE WITH OBSERVEIT OVERVIEW The National Institute of Standards of Technology Framework for Improving Critical Infrastructure Cybersecurity (The NIST Framework) is a

More information

PROTIVITI FLASH REPORT

PROTIVITI FLASH REPORT PROTIVITI FLASH REPORT Cybersecurity Framework: Where Do We Go From Here? February 25, 2014 Just over a year ago, President Barack Obama signed an Executive Order (EO) calling for increased cybersecurity

More information

Applying IBM Security solutions to the NIST Cybersecurity Framework

Applying IBM Security solutions to the NIST Cybersecurity Framework IBM Software Thought Leadership White Paper August 2014 Applying IBM Security solutions to the NIST Cybersecurity Framework Help avoid gaps in security and compliance coverage as threats and business requirements

More information

Happy First Anniversary NIST Cyber Security Framework:

Happy First Anniversary NIST Cyber Security Framework: Happy First Anniversary NIST Cyber Security Framework: We ve Hardly Known Ya Chad Stowe, CISSP, CISA, MBA Problem Statement Management has not been given the correct information to understand and act upon

More information

Cybersecurity in the Utilities Sector Best Practices and Implementation 2014 Canadian Utilities IT & Telecom Conference September 24, 2014

Cybersecurity in the Utilities Sector Best Practices and Implementation 2014 Canadian Utilities IT & Telecom Conference September 24, 2014 Cybersecurity in the Utilities Sector Best Practices and Implementation 2014 Canadian Utilities IT & Telecom Conference September 24, 2014 Victoria Yan Pillitteri Advisor for Information Systems Security

More information

Executive Order 13636: The Healthcare Sector and the Cybersecurity Framework. September 23, 2014

Executive Order 13636: The Healthcare Sector and the Cybersecurity Framework. September 23, 2014 Executive Order 13636: The Healthcare Sector and the Cybersecurity Framework September 23, 2014 Executive Order: Improving Critical Infrastructure Cybersecurity It is the policy of the United States to

More information

National Cybersecurity Challenges and NIST. Donna F. Dodson Chief Cybersecurity Advisor ITL Associate Director for Cybersecurity

National Cybersecurity Challenges and NIST. Donna F. Dodson Chief Cybersecurity Advisor ITL Associate Director for Cybersecurity National Cybersecurity Challenges and NIST Donna F. Dodson Chief Cybersecurity Advisor ITL Associate Director for Cybersecurity Though no-one knows for sure, corporate America is believed to lose anything

More information

America s New Cybersecurity Framework: Help or New Source of Exposure?

America s New Cybersecurity Framework: Help or New Source of Exposure? America s New Cybersecurity Framework: Help or New Source of Exposure? BY BEHNAM DAYANIM, RYAN NIER & ELIZABETH DORSI March 2014 Data theft is on the rise, and the federal government is concerned. In 2013

More information

A Framework to Gauge Cyber Defenses

A Framework to Gauge Cyber Defenses White Paper A Framework to Gauge Cyber Defenses NIST s Cybersecurity Framework Helps Critical Infrastructure Owners to Cost-Effectively Defend National & Economic Security of the U.S. Executive Summary

More information

The NIST Cybersecurity Framework (CSF) Unlocking CSF - An Educational Session

The NIST Cybersecurity Framework (CSF) Unlocking CSF - An Educational Session The NIST Cybersecurity Framework (CSF) Unlocking CSF - An Educational Session Robert Smith Systemwide IT Policy Director Compliance & Audit Educational Series 5/5/2016 1 Today s reality There are two kinds

More information

Framework for Improving Critical Infrastructure Cybersecurity

Framework for Improving Critical Infrastructure Cybersecurity Framework for Improving Critical Infrastructure Cybersecurity Executive Order 13636 Improving Critical Infrastructure Cybersecurity 2014 ISACA Pittsburgh Information Security Awareness Day Victoria Yan

More information

Nadya Bartol, CISSP, CGEIT VP, Industry Affairs and Cybersecurity Strategist UTC (Utilities Telecom Council) USA. 2014 Utilities Telecom Council 1

Nadya Bartol, CISSP, CGEIT VP, Industry Affairs and Cybersecurity Strategist UTC (Utilities Telecom Council) USA. 2014 Utilities Telecom Council 1 Nadya Bartol, CISSP, CGEIT VP, Industry Affairs and Cybersecurity Strategist UTC (Utilities Telecom Council) USA 2014 Utilities Telecom Council 1 Why do we need cybersecurity? Agriculture and Food Energy

More information

SECURITY RISK MANAGEMENT

SECURITY RISK MANAGEMENT SECURITY RISK MANAGEMENT ISACA Atlanta Chapter, Geek Week August 20, 2013 Scott Ritchie, Manager, HA&W Information Assurance Services Scott Ritchie CISSP, CISA, PCI QSA, ISO 27001 Auditor Manager, HA&W

More information

National Institute of Standards and Technology Smart Grid Cybersecurity

National Institute of Standards and Technology Smart Grid Cybersecurity National Institute of Standards and Technology Smart Grid Cybersecurity Vicky Yan Pillitteri Advisor for Information Systems Security SGIP SGCC Chair Victoria.yan@nist.gov 1 The National Institute of Standards

More information

The NIST Cybersecurity Framework

The NIST Cybersecurity Framework View the online version at http://us.practicallaw.com/5-599-6825 The NIST Cybersecurity Framework RICHARD RAYSMAN, HOLLAND & KNIGHT LLP AND JOHN ROGERS, BOOZ ALLEN HAMILTON A Practice Note discussing the

More information

Cybersecurity Audit Why are we still Vulnerable? November 30, 2015

Cybersecurity Audit Why are we still Vulnerable? November 30, 2015 Cybersecurity Audit Why are we still Vulnerable? November 30, 2015 John R. Robles, CISA, CISM, CRISC www.johnrrobles.com jrobles@coqui.net 787-647-3961 John R. Robles- 787-647-3961 1 9/11-2001 The event

More information

Business Continuity for Cyber Threat

Business Continuity for Cyber Threat Business Continuity for Cyber Threat April 1, 2014 Workshop Session #3 3:00 5:30 PM Susan Rogers, MBCP, MBCI Cyberwise CP S2 What happens when a computer program can activate physical machinery? Between

More information

Which cybersecurity standard is most relevant for a water utility?

Which cybersecurity standard is most relevant for a water utility? Which cybersecurity standard is most relevant for a water utility? Don Dickinson 1 * 1 Don Dickinson, Phoenix Contact USA, 586 Fulling Mill Road, Middletown, Pennsylvania, USA, 17057 (*correspondence:

More information

Critical Infrastructure Cybersecurity Framework. Overview and Status. Executive Order 13636 Improving Critical Infrastructure Cybersecurity

Critical Infrastructure Cybersecurity Framework. Overview and Status. Executive Order 13636 Improving Critical Infrastructure Cybersecurity Critical Infrastructure Cybersecurity Framework Overview and Status Executive Order 13636 Improving Critical Infrastructure Cybersecurity Executive Order: Improving Critical Infrastructure Cybersecurity

More information

CYBERSECURITY CHALLENGES FOR DOD ACQUISITION PROGRAMS. Steve Mills DAU-South

CYBERSECURITY CHALLENGES FOR DOD ACQUISITION PROGRAMS. Steve Mills DAU-South CYBERSECURITY CHALLENGES FOR DOD ACQUISITION PROGRAMS Steve Mills DAU-South 1 Overview Questions Cybersecurity Owners and Stakeholders Cybersecurity Why It Matters to DoD Program Managers Defense Science

More information

CONCEPTS IN CYBER SECURITY

CONCEPTS IN CYBER SECURITY CONCEPTS IN CYBER SECURITY GARY KNEELAND, CISSP SENIOR CONSULTANT CRITICAL INFRASTRUCTURE & SECURITY PRACTICE 1 OBJECTIVES FRAMEWORK FOR CYBERSECURITY CYBERSECURITY FUNCTIONS CYBERSECURITY CONTROLS COMPARATIVE

More information

Framework for Improving Critical Infrastructure Cybersecurity

Framework for Improving Critical Infrastructure Cybersecurity Framework for Improving Critical Infrastructure Cybersecurity Implementation of Executive Order 13636 NARUC Winter Committee Meeting Committee & Staff Committee on Critical Infrastructure February 15,

More information

FINRA Publishes its 2015 Report on Cybersecurity Practices

FINRA Publishes its 2015 Report on Cybersecurity Practices Securities Litigation & Enforcement Client Service Group and Data Privacy & Security Team To: Our Clients and Friends February 12, 2015 FINRA Publishes its 2015 Report on Cybersecurity Practices On February

More information

Cyber Resilience Implementing the Right Strategy. Grant Brown Security specialist, CISSP @TheGrantBrown

Cyber Resilience Implementing the Right Strategy. Grant Brown Security specialist, CISSP @TheGrantBrown Cyber Resilience Implementing the Right Strategy Grant Brown specialist, CISSP @TheGrantBrown 1 2 Network + Technology + Customers = $$ 3 Perfect Storm? 1) Increase in Bandwidth (extended reach) 2) Available

More information

CSF Support for HIPAA and NIST Implementation and Compliance

CSF Support for HIPAA and NIST Implementation and Compliance CSF Support for HIPAA and NIST Implementation and Compliance Presented By Bryan S. Cline, Ph.D. Presented For HITRUST Why does HITRUST exist? Multitude of challenges Significant government oversight Evolving

More information

Implementing the U.S. Cybersecurity Framework at Intel A Case Study

Implementing the U.S. Cybersecurity Framework at Intel A Case Study SESSION ID: STR-W01 Implementing the U.S. Cybersecurity Framework at Intel A Case Study Tim Casey Senior Strategic Risk Analyst Intel Information Security @timcaseycyber How would you represent your entire

More information

Risk Management for Industrial Control Systems (ICS) And Supervisory Control Systems (SCADA) Information For Senior Executives

Risk Management for Industrial Control Systems (ICS) And Supervisory Control Systems (SCADA) Information For Senior Executives Risk Management for Industrial Control Systems (ICS) And Supervisory Control Systems (SCADA) Information For Senior Executives (Revised March 2012) Disclaimer: To the extent permitted by law, this document

More information

Risk Management Framework (RMF): The Future of DoD Cyber Security is Here

Risk Management Framework (RMF): The Future of DoD Cyber Security is Here Risk Management Framework (RMF): The Future of DoD Cyber Security is Here Authors: Rebecca Onuskanich William Peterson 3300 N Fairfax Drive, Suite 308 Arlington, VA 22201 Phone: 571-481-9300 Fax: 202-315-3003

More information

Navigating the NIST Cybersecurity Framework

Navigating the NIST Cybersecurity Framework Navigating the NIST Cybersecurity Framework Explore the NIST Cybersecurity Framework and tools and processes needed for successful implementation. Abstract For federal agencies, addressing cybersecurity

More information

SECURITY CONTROLS AND RISK MANAGEMENT FRAMEWORK

SECURITY CONTROLS AND RISK MANAGEMENT FRAMEWORK SECURITY CONTROLS AND RISK MANAGEMENT FRAMEWORK BACKGROUND The National Institute of Standards and Technology (NIST) Special Publication 800-53 defines a comprehensive set of controls that is the basis

More information

Cybersecurity as a Risk Factor in doing business

Cybersecurity as a Risk Factor in doing business Cybersecurity as a Risk Factor in doing business 1 Data is the new raw material of business Economist UK, 2013. In trying to defend everything he defended nothing Frederick the Great, Prussia 1712-86.

More information

State Governments at Risk: The Data Breach Reality

State Governments at Risk: The Data Breach Reality State Governments at Risk: The Data Breach Reality NCSL Legislative Summit August 5, 2015 Doug Robinson, Executive Director National Association of State Chief Information Officers (NASCIO) About NASCIO

More information

Understanding the NIST Cybersecurity Framework September 30, 2014

Understanding the NIST Cybersecurity Framework September 30, 2014 Understanding the NIST Cybersecurity Framework September 30, 2014 Earlier this year the National Institute of Standard and Technology released the Framework for Improving Critical Infrastructure Cybersecurity

More information

Reliable, Repeatable, Measurable, Affordable

Reliable, Repeatable, Measurable, Affordable Reliable, Repeatable, Measurable, Affordable Defense-in-Depth Across Your Cyber Security Life-Cycle Faced with today s intensifying threat environment, where do you turn for cyber security answers you

More information

An Overview of Information Security Frameworks. Presented to TIF September 25, 2013

An Overview of Information Security Frameworks. Presented to TIF September 25, 2013 An Overview of Information Security Frameworks Presented to TIF September 25, 2013 What is a framework? A framework helps define an approach to implementing, maintaining, monitoring, and improving information

More information

FFIEC Cybersecurity Assessment Tool

FFIEC Cybersecurity Assessment Tool Overview In light of the increasing volume and sophistication of cyber threats, the Federal Financial Institutions Examination Council 1 (FFIEC) developed the Cybersecurity Tool (), on behalf of its members,

More information

Changing Legal Landscape in Cybersecurity: Implications for Business

Changing Legal Landscape in Cybersecurity: Implications for Business Changing Legal Landscape in Cybersecurity: Implications for Business Presented to Greater Wilmington Cyber Security Group Presented by William R. Denny, Potter Anderson & Corroon LLP May 8, 2014 Topics

More information

NICE and Framework Overview

NICE and Framework Overview NICE and Framework Overview Bill Newhouse NIST NICE Leadership Team Computer Security Division Information Technology Lab National Institute of Standards and Technology TABLE OF CONTENTS Introduction to

More information

Increase insight. Reduce risk. Feel confident.

Increase insight. Reduce risk. Feel confident. Increase insight. Reduce risk. Feel confident. Define critical goals with enhanced visibility then enable security and compliance across your complex IT infrastructure. VIRTUALIZATION + CLOUD NETWORKING

More information

The Protection Mission a constant endeavor

The Protection Mission a constant endeavor a constant endeavor The IT Protection Mission a constant endeavor As businesses become more and more dependent on IT, IT must face a higher bar for preparedness Cyber preparedness is the process of ensuring

More information

IEEE-Northwest Energy Systems Symposium (NWESS)

IEEE-Northwest Energy Systems Symposium (NWESS) IEEE-Northwest Energy Systems Symposium (NWESS) Paul Skare Energy & Environment Directorate Cybersecurity Program Manager Philip Craig Jr National Security Directorate Sr. Cyber Research Engineer The Pacific

More information

CYBERSECURITY CHALLENGES FOR DOD ACQUISITION PROGRAMS. Steve Mills Professor of Information Technology Steve.mills@dau.mil 256.922.

CYBERSECURITY CHALLENGES FOR DOD ACQUISITION PROGRAMS. Steve Mills Professor of Information Technology Steve.mills@dau.mil 256.922. CYBERSECURITY CHALLENGES FOR DOD ACQUISITION PROGRAMS 1 Steve Mills Professor of Information Technology Steve.mills@dau.mil 256.922.8761 Overview Cybersecurity Policy Overview Questions Challenge #1 -

More information

April 28, 2014. Ms. Hada Flowers Regulatory Secretariat Division General Services Administration 1800 F Street, NW, 2 nd Floor Washington, DC

April 28, 2014. Ms. Hada Flowers Regulatory Secretariat Division General Services Administration 1800 F Street, NW, 2 nd Floor Washington, DC April 28, 2014 Ms. Hada Flowers Regulatory Secretariat Division General Services Administration 1800 F Street, NW, 2 nd Floor Washington, DC RE: Information Technology Sector Coordinating Council (IT SCC)

More information

Cybersecurity: The Legal, Legislative and Regulatory Outlook

Cybersecurity: The Legal, Legislative and Regulatory Outlook Cybersecurity: The Legal, Legislative and Regulatory Outlook Jamie Barnett Rear Admiral USN (Retired) Co-Chair, Telecommunications Partner in Cybersecurity Practice Cybersecurity Impact and Costs Direct

More information

Impact of New Internal Control Frameworks

Impact of New Internal Control Frameworks Impact of New Internal Control Frameworks Webcast: Tuesday, February 25, 2014 CPE Credit: 1 0 With You Today Bob Jacobson Principal, Risk Advisory Services Consulting Leader West Region Bob.Jacobson@mcgladrey.com

More information

Risk Management in Practice A Guide for the Electric Sector

Risk Management in Practice A Guide for the Electric Sector Risk Management in Practice A Guide for the Electric Sector Annabelle Lee Senior Technical Executive ICCS European Engagement Summit April 28, 2015 Before we continue let s get over our fears and myths

More information

Addressing the SANS Top 20 Critical Security Controls for Effective Cyber Defense

Addressing the SANS Top 20 Critical Security Controls for Effective Cyber Defense A Trend Micro Whitepaper I February 2016 Addressing the SANS Top 20 Critical Security Controls for Effective Cyber Defense How Trend Micro Deep Security Can Help: A Mapping to the SANS Top 20 Critical

More information

Cloud Security Trust Cisco to Protect Your Data

Cloud Security Trust Cisco to Protect Your Data Trust Cisco to Protect Your Data As cloud adoption accelerates, organizations are increasingly placing their trust in third-party cloud service providers (CSPs). But can you fully trust your most sensitive

More information

CForum: A Community Driven Solution to Cybersecurity Challenges

CForum: A Community Driven Solution to Cybersecurity Challenges SESSION ID: AST3-R01 CForum: A Community Driven Solution to Cybersecurity Challenges Tom Conkle Cybersecurity Engineer G2, Inc. @TomConkle Greg Witte Sr. Security Engineer G2, Inc. @thenetworkguy Organizations

More information

Italy. EY s Global Information Security Survey 2013

Italy. EY s Global Information Security Survey 2013 Italy EY s Global Information Security Survey 2013 EY s Global Information Security Survey 2013 This year s survey our 16th edition captures the responses of 1,909 C-suite and senior level IT and information

More information

RMF. Cybersecurity and the Risk Management. Framework UNCLASSIFIED

RMF. Cybersecurity and the Risk Management. Framework UNCLASSIFIED Cybersecurity and the Risk Management Framework Wherewe ve been and where we re going Information Assurance DoD Instruction 8500.01,Para 1(d),adoptsthe term cybersecurity as it is defined in National Security

More information

Automation Suite for NIST Cyber Security Framework

Automation Suite for NIST Cyber Security Framework WHITEPAPER NIST Cyber Security Framework Automation Suite for NIST Cyber Security Framework NOVEMBER 2014 Automation Suite for NIST Cyber Security Framework The National Institute of Standards and Technology

More information

Westlaw Journal. What is the Cybersecurity Framework? Risk Management Process And Pathway to Corporate Liability? Expert Analysis

Westlaw Journal. What is the Cybersecurity Framework? Risk Management Process And Pathway to Corporate Liability? Expert Analysis Westlaw Journal Computer & Internet Litigation News and Analysis Legislation Regulation Expert Commentary VOLUME 31, ISSUE 14 / DECEMBER 12, 2013 Expert Analysis The Cybersecurity Framework: Risk Management

More information

FREQUENTLY ASKED QUESTIONS

FREQUENTLY ASKED QUESTIONS FREQUENTLY ASKED QUESTIONS Continuous Monitoring 1. What is continuous monitoring? Continuous monitoring is one of six steps in the Risk Management Framework (RMF) described in NIST Special Publication

More information

Bridging the Security Governance Divide in Utilities

Bridging the Security Governance Divide in Utilities Bridging the Security Governance Divide in Utilities About Me Energy Security Advisor to utilities, regulators, integrators, energy start-ups Member: GTM GridEdge Exec Council ISC-ISAC Corporate Board

More information

Designing & Building a Cybersecurity Program. Based on the NIST Cybersecurity Framework (CSF)

Designing & Building a Cybersecurity Program. Based on the NIST Cybersecurity Framework (CSF) Designing & Building a Cybersecurity Program Based on the NIST Cybersecurity Framework (CSF) Larry Wilson Lesson 1 June, 2015 1 About the Class This course covers the essential elements for planning, building

More information

NIST Cybersecurity Initiatives. ARC World Industry Forum 2014

NIST Cybersecurity Initiatives. ARC World Industry Forum 2014 NIST Cybersecurity Initiatives Keith Stouffer and Vicky Pillitteri NIST ARC World Industry Forum 2014 February 10-13, 2014 Orlando, FL National Institute of Standards and Technology (NIST) NIST s mission

More information

State Agency Cyber Security Survey v 3.4 2 October 2014. State Agency Cybersecurity Survey v 3.4

State Agency Cyber Security Survey v 3.4 2 October 2014. State Agency Cybersecurity Survey v 3.4 State Agency Cybersecurity Survey v 3.4 The purpose of this survey is to identify your agencies current capabilities with respect to information systems/cyber security and any challenges and/or successes

More information

Cybersecurity Throughout DoD Acquisition

Cybersecurity Throughout DoD Acquisition Cybersecurity Throughout DoD Acquisition Tim Denman Cybersecurity Performance Learning Director DAU Learning Capabilities Integration Center Tim.Denman@dau.mil Acquisition.cybersecurity@dau.mil Cybersecurity

More information

Cybersecurity..Is your PE Firm Ready? October 30, 2014

Cybersecurity..Is your PE Firm Ready? October 30, 2014 Cybersecurity..Is your PE Firm Ready? October 30, 2014 The Panel Melinda Scott, Founding Partner, Scott Goldring Eric Feldman, Chief Information Officer, The Riverside Company Joe Campbell, CTO, PEF Services

More information

Why you should adopt the NIST Cybersecurity Framework

Why you should adopt the NIST Cybersecurity Framework www.pwc.com/cybersecurity Why you should adopt the NIST Cybersecurity Framework May 2014 The National Institute of Standards and Technology Cybersecurity Framework may be voluntary, but it offers potential

More information

Eliminating Cybersecurity Blind Spots

Eliminating Cybersecurity Blind Spots Eliminating Cybersecurity Blind Spots Challenges for Business April 15, 2015 Table of Contents Introduction... 3 Risk Management... 3 The Risk Blind Spot... 4 Continuous Asset Visibility... 5 Passive Network

More information

Cloud Security Keeping Data Safe in the Boundaryless World of Cloud Computing

Cloud Security Keeping Data Safe in the Boundaryless World of Cloud Computing Cloud Security Keeping Data Safe in the Boundaryless World of Cloud Computing Executive Summary As cloud service providers mature, and expand and refine their offerings, it is increasingly difficult for

More information

A Flexible and Comprehensive Approach to a Cloud Compliance Program

A Flexible and Comprehensive Approach to a Cloud Compliance Program A Flexible and Comprehensive Approach to a Cloud Compliance Program Stuart Aston Microsoft UK Session ID: SPO-201 Session Classification: General Interest Compliance in the cloud Transparency Responsibility

More information

Information Security Risk Management

Information Security Risk Management Information Security Risk Management Based on ISO/IEC 17799 Houman Sadeghi Kaji Spread Spectrum Communication System PhD., Cisco Certified Network Professional Security Specialist BS7799 LA info@houmankaji.net

More information

Structuring the Chief Information Security Officer Organization

Structuring the Chief Information Security Officer Organization Structuring the Chief Information Security Officer Organization December 1, 2015 Julia Allen Nader Mehravari Cyber Risk and Resilience Management Team CERT Division Software Engineering Institute Carnegie

More information

National Cyber Security Policy -2013

National Cyber Security Policy -2013 National Cyber Security Policy -2013 Preamble 1. Cyberspace 1 is a complex environment consisting of interactions between people, software and services, supported by worldwide distribution of information

More information

IG ISCM MATURITY MODEL FOR FY 2015 FISMA FOR OFFICIAL USE ONLY

IG ISCM MATURITY MODEL FOR FY 2015 FISMA FOR OFFICIAL USE ONLY IG MATURITY MODEL FOR FY 2015 FISMA 1 Ad-hoc 1.1 program is not formalized and activities are performed in a reactive manner resulting in an adhoc program that does not meet 2 requirements for a defined

More information

Agile Cyber Security Security for the Real World, Architectural Approach

Agile Cyber Security Security for the Real World, Architectural Approach Agile Cyber Security Security for the Real World, Architectural Approach Osama Al-Zoubi Senior Manger, Systems Engineering Fahad Aljutaily Senior Solution Architect, Security Market Trends Welcome to the

More information

istockphoto/ljupco 36 June 2015 practicallaw.com 2015 Thomson Reuters. All rights reserved.

istockphoto/ljupco 36 June 2015 practicallaw.com 2015 Thomson Reuters. All rights reserved. istockphoto/ljupco 36 June 2015 practicallaw.com The NIST Cybersecurity Framework Data breaches in organizations have rapidly increased in recent years. In 2014, the National Institute of Standards and

More information

Cybersecurity The role of Internal Audit

Cybersecurity The role of Internal Audit Cybersecurity The role of Internal Audit Cyber risk High on the agenda Audit committees and board members are seeing cybersecurity as a top risk, underscored by recent headlines and increased government

More information

CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL

CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL WHAT IS CDM? The continuous stream of high profile cybersecurity breaches demonstrates the need to move beyond purely periodic, compliance-based approaches to

More information

State of South Carolina Policy Guidance and Training

State of South Carolina Policy Guidance and Training State of South Carolina Policy Guidance and Training Policy Workshop All Agencies Business Continuity Management Policy June 2014 Agenda Questions & Follow-Up Policy Workshop Overview & Timeline Policy

More information