Cybersecurity Audit Why are we still Vulnerable? November 30, 2015

Transcription

1 Cybersecurity Audit Why are we still Vulnerable? November 30, 2015 John R. Robles, CISA, CISM, CRISC John R. Robles

2 9/ The event that dramatically changed how the Federal government works to minimize threats to government resources and society as a whole. John R. Robles

3 Homeland Security Presidential Directive 7 (December 17, 2003) Homeland Security Presidential Directive 7 established a national policy for Federal departments and agencies to: identify and prioritize critical infrastructure and to protect them from terrorist attacks. John R. Robles

4 Cyberspace Policy Review On February 9, 2009, President Obama gave his National Security and Homeland Security Advisors 60 days to conduct a Cyberspace Policy Review. June 2009, The Cyberspace Policy Review was published John R. Robles

5 Cyberspace Policy Review Recommendations 1. Appoint a cybersecurity policy official responsible for coordinating the Nation s cybersecurity policies and activities; 2. Prepare for the President s approval an updated national strategy 3. Designate cybersecurity as one of the President s key management priorities and establish performance metrics. 6. Initiate a national public awareness and education campaign to promote cybersecurity. 8. Prepare a cybersecurity incident response plan; 9. Develop a framework for research and development strategies. Build a cybersecurity-based identity management vision and strategy ************* John R. Robles

6 Executive Order Improving Critical Infrastructure Cybersecurity (March 2013) On February 12, 2013, the President issued Executive Order 13636, stating that the cyber threat to critical infrastructure continues to grow and represents one of the most serious national security challenges we must confront. John R. Robles

7 Executive Order Improving Critical Infrastructure Cybersecurity (March 2013) Section 1. Policy It is the policy of the United States to enhance the security and resilience of the Nation s critical infrastructure and to maintain a cyber environment that: Encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties Now, How do we do it? John R. Robles

8 Executive Order Improving Critical Infrastructure Cybersecurity (March 2013) Section 7. Baseline Framework to Reduce Cyber Risk to Critical Infrastructure. The Secretary of Commerce shall direct the Director of the National Institute of Standards and Technology (NIST) to lead the development of a framework to reduce cyber risks to critical infrastructure (the "Cybersecurity Framework"). John R. Robles

9 Executive Order Improving Critical Infrastructure Cybersecurity (March 2013) The Cybersecurity Framework shall include a set of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks. The Cybersecurity Framework shall incorporate voluntary consensus standards and industry best practices to the fullest extent possible. The Cybersecurity Framework shall be consistent with voluntary international standards (Read ISO 27001!) John R. Robles

10 NIST and the Cybersecurity Framework (February 14, 2014) In meeting the requirements of the Executive Order, NIST developed the Cybersecurity Framework (2014). It includes: Set of standards, methodologies, procedures, and processes that addresses cyber risks. Information security measures and controls, to help owners and operators of critical infrastructure to identify, assess, and manage cyber risk. Identifies areas for improvement that should be addressed through future collaboration and Guidance for measuring the performance of an entity in implementing the John Cybersecurity R. Robles Framework. 10

11 The Cybersecurity Framework Overview of the Framework The Framework is a risk-based approach to managing cybersecurity risk, and is composed of three parts: the Framework Core, the Framework Implementation Tiers, and the Framework Profiles John R. Robles

12 The Cybersecurity Framework The Framework Core is a set of cybersecurity activities, desired outcomes, and applicable references that are common across critical infrastructure sectors. The Framework Core consists of five concurrent and continuous Functions Identify, Protect, Detect, Respond, Recover. John R. Robles

13 Developing the NIST Cybersecurity Framework (CSF) (Latest Update, July 1, 2015) ISACA (+140,000 members in 180 countries) participated with NIST in the development of the CSF. ISACA also developed and published a document to assist in the implementation of the CSF. The document is titled: Implementing the NIST Cybersecurity Framework Note: ISACA expects IT auditors to review compliance with the CSF in an audit of their organization s cybersecurity capabilities. John R. Robles

14 Audit Cybesecurity If your organization is part of the 16 Critical Infrasture areas, then the Federal Government would appreciate your implementation and compliance with the Cyber Security Framework (CSF). After implementation Perform a Cybersecurity Audit John R. Robles

15 Audit Cybersecurity Why Audit Cybersecurity? A cybersecurity audit is performed to determine if a: private enterprise, government agency, or Non government organization (NGO) is adequately Using and Maintaining : [a stable, safe, and resilient cyberspace or cyber ecosystem.] John R. Robles

16 Audit Cybersecurity How to Audit the Implemention of the Framework The Framework places cybersecurity activities into five functions: Identify, Protect, Detect, Respond, and Recover. Memorize these functions. It'll be on the test! Organizations should implement controls in each of these areas. John R. Robles

17 Audit Cybersecurity Repeated cybersecurity intrusions into the nation s critical infrastructure have demonstrated: the need for a stronger approach to manage cybersecurity. Implementing and auditing the Framework will help organizations align and communicate their risk posture to: Internal Board of Directors and the Audit Committee Senior and middle Management Operational personnel External Government regulators Clients Business partners John R. Robles

18 How to: Audit Cybersecurity Table of Contents of the ISACA guide Chapter 1: Introduction to COBIT 5 Chapter 2: Introduction to NIST Cybersecurity Framework 1.0 Chapter 3: Framework Implementation Chapter 4: Communicating Cybersecurity Requirements with Stakeholders. John R. Robles

19 Audit Cybersecurity Implementation of Cybersecurity according to NIST CSF and ISACA Guidelines Step 1: Establish Scope and Priorities Step 2. Orient Step 3. Create a Current Profile What is current status of cybersecurity? Step 4. Conduct a Risk Assessment Step 5. Create a Target Profile What status of cybersecurity do you want to achieve? Step 6. Determine, Analyze, and Prioritize Gaps Step 7. Implement an Action Plan Step 8. Review the Action Plan Step 9. Manage the Implementation Life Cycle John R. Robles

20 Audit Cybersecurity Step 1: Prioritize and Scope Establish priorities and scope of business/mission objectives This information allows organizations to make strategic decisions regarding the scope of systems and assets that support the selected business lines or processes within the organization. Step 2: Orient Identify threats to, and vulnerabilities of, systems identified in the Prioritize and Scope step. Step 3: Create a Current Profile Identify the current state of the cybersecurity program by establishing a current state profile. John R. Robles

21 Audit Cybersecurity Step 4: Conduct a Risk Assessment Conduct a risk assessment using an accepted methodology. Step 5: Create a Target Profile Develop a risk-informed target state profile. The target state profile focuses on the assessment of the Framework Categories and Subcategories describing the organization s desired cybersecurity outcomes. Step 6: Determine, Analyze, and Prioritize Gaps Conduct a gap analysis to determine opportunities for improving the current state. The gaps are identified by overlaying the current state profile with the target state profile. John R. Robles

22 Audit Cybersecurity Step 7: Implement Action Plan Required actions are taken to close the gaps and work toward obtaining the target state. Note: As an auditor, I want to see a documented Cyber Security Improvement Action Plan. Very, very, very important! I would start the audit with the assumed audit conclusion that the security is not optimal. If there is No Plan, OK, then, lets start fresh with Step 1. If your are a Security Officer (Top Dog!)and you don t know why or how to do a Risk Analysis, then You should NOT be a Security Officer. John R. Robles

23 Audit Cybersecurity Goals of implementing CSF An effective audit of cybersecurity will consist of determining how well the Cybersecurity Framework or CSF has been implemented. We ask questions to determine if during the implementation process the following control areas are in compliance: Identify Protect Detect Respond Recovery John R. Robles

24 Audit Cybersecurity Identify Do assets identification controls include: Assets Management Governance Risk Assessment Risk Management Protect Do assets protection controls include: Access Control Data Security Information Protection of Processes and Information Protective Technology, and finally Awareness and Training John R. Robles

25 Audit Cybersecurity Detect Do incidents detection controls include: Identifications of abnormal incidents Continuous Monitoring of Active Security!!!!! Detection of abnormal incidents Respond Do response to incidents controls include: Communications Analysis Mitigation Improvements Recover Do controls for recovery from an incident include: Recovery Planning Improvements Communications John R. Robles

26 Audit Cybersecurity To Assist in performing a Cybersecurity Audit ISACA has published a CyberCrime Audit Assurance Program John R. Robles

27 Audit Cybersecurity VI. Audit/Assurance Program 1. Planning and Scoping the Audit 2. Understanding Supporting Infrastructure 3. Governance 4. Organization 5. Organizational Policies 6. Business Role in Cybercrime Prevention 7. IT Management 8. Incident Management Policy And Procedures 9. Incident Management Implementation 10. Crisis Management VII. Maturity Assessment VIII. Maturity Assessment vs. Target Assessment John R. Robles

28 Audit Cybersecurity This is another document ISACA has published to assist the Cybersecurity Auditor John R. Robles

29 The Cybersecurity Audit Report Prepare draft report Positive aspects of the audit, if any Negative aspects of the audit, if any The auditor will always find areas for improvement comments Recommendations for improving and mitigating negative issues. Discuss with stakeholders Update draft based on comments received Obtain management approval of draft. Present Final Report Document priority items that should be immediately addressed. Establish High and Medium priority recommendations. Establish time table to implement improvements John R. Robles

30 Audit Cybersecurity References Homeland Cybersecurity Home Page NIST Cybersecurity Framework Home Page Isaca Cybersecurity Nexus Home Page John R. Robles

31 Gracias! Questions and Some Answers John R. Robles, CISA, CISM, CRISC John R. Robles