PROTIVITI FLASH REPORT
|
|
- Britton Shields
- 8 years ago
- Views:
Transcription
1 PROTIVITI FLASH REPORT Cybersecurity Framework: Where Do We Go From Here? February 25, 2014 Just over a year ago, President Barack Obama signed an Executive Order (EO) calling for increased cybersecurity for the critical infrastructure of the United States. 1 On the anniversary of this EO s release, the National Institute of Standards and Technology (NIST) issued the final version of its Framework for Improving Critical Infrastructure Cybersecurity (Framework) and a companion NIST Roadmap for Improving Critical Infrastructure Cybersecurity (Roadmap). The Framework and Roadmap are the result of a 12 month development process which included the release of multiple versions for public comment and working sessions with the private sector and security stakeholders. As defined by the EO, critical infrastructure consists of systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters. This definition encompasses IT and Industrial Control Systems (ICS) that are both physical and digital and includes processes, not just their automation. Therefore, public and private owners and operators as well as other entities all have a role in securing the nation s critical infrastructure. An overarching objective of the EO is to provide these organizations with a consistent and iterative approach to identifying, assessing and managing cybersecurity risk. Application of the Framework is technology neutral. Overview of the Framework The Framework is a risk-based approach to managing cybersecurity risk. It is composed of three components: the Framework Core, the Framework Implementation Tiers, and the Framework Profile. Each of these components reinforces the connection between business drivers and cybersecurity activities. We provided an overview of each component, as described in a preliminary framework draft released in August 2013 to provide the basis for the last collaborative workshop before finalization. 2 The most significant change in the final Framework from prior working versions is the removal of a separate privacy appendix because it was viewed as being overly prescriptive and costly to implement. In lieu of that prescriptive approach, a more general set of recommended privacy practices was provided for companies to consider in view of their specific circumstances, e.g., size, degree of cybersecurity risk or current cybersecurity sophistication. Thus the Framework acknowledges there is no one-size-fits-all. 1 Protiviti Flash Report, President Obama Signs Executive Order to Take Initial Steps to Improve Critical Infrastructure Cybersecurity, February 14, 2013, available at 2 Protiviti Flash Report, Cybersecurity Framework: What Happens When the Clock Winds Down?, September 13, 2013, available at
2 The Framework relies on a variety of existing standards, guidelines and practices. Building on these existing standards, guidelines and practices, the Framework provides a common taxonomy and mechanism for industry and government organizations to: (1) Describe their current cybersecurity posture; (2) Describe their target state for cybersecurity; (3) Identify and prioritize opportunities for improvement within the context of a continuous and repeatable process; (4) Assess progress toward the target state; (5) Communicate among internal and external stakeholders about cybersecurity risk and posture. Although the Framework is focused on the U.S., it provides a model for international cooperation in strengthening critical infrastructure and even uses components of many international standards in its composition. It emphasizes using business drivers to guide the advancement of cybersecurity activities and integrating cybersecurity into an organization s risk management framework. In addition, it emphasizes a desire to protect civil liberties and privacy; however, it does not provide an approach for integrating that objective into cybersecurity programs. As noted earlier, the Framework consists of three components. The first, the Framework Core, is a set of best practices for cybersecurity activities, outcomes and references to assist in developing an individual organization s profile. The Core consists of five concurrent and continuous functions Identify, Protect, Detect, Respond and Recover. When considered together, these five functions provide a high-level, strategic view of the lifecycle of an organization s management of cybersecurity risk. The Framework then provides references to existing standards, guidelines and practices an organization can adopt. The second component, Framework Implementation Tiers, provides a mechanism to understand the characteristics, risk management rigor and level of the implementation/approach to managing cybersecurity risk. There are four tiers ranging from Partial (Tier 1) to Adaptive (Tier 4). Interestingly, the Framework specifically says the four tiers are not meant to define the maturity level of cybersecurity. Given that the four tiers reflect a progression from informal, reactive responses to approaches that are agile and risk-informed, they provide context on how an organization views cybersecurity risk and the processes in place to manage that risk considering its current risk management practices, threat environment, legal and regulatory requirements, business/mission objectives and organizational constraints. The third component, the Framework Profile, assists organizations in articulating their current state and target cybersecurity activities. Comparison of Profiles (e.g., the current state and desired state) may reveal gaps to be addressed to meet cybersecurity risk management objectives. An action plan to address these gaps can contribute to a roadmap for measuring progress as the organization advances toward its desired state. Prioritization of gap mitigation is driven by the organization s business priorities and requirements (including cost-effectiveness and innovation), risk tolerances and available resources. This risk-based approach enables an organization to gauge resource estimates (e.g., staffing, funding) to achieve cybersecurity goals in a cost-effective, prioritized manner. Profiles can be used to conduct self-assessments and communicate within an organization or between organizations. Protiviti 2
3 Observations on the Framework Overall, the Framework is a helpful document for those organizations that have not spent much time focusing on information or industrial control security. For those that have, it is completely consistent with all efforts we have seen in our work in the security and privacy space. We do not see anything in the Framework that is particularly new, although the Categories and Sub- Categories in Appendix A may provide an area or two a company had not thought of yet. We also find the emphasis for balancing a cybersecurity program with preserving civil liberties and privacy to be important and timely. As the Framework is intended to be a living document, it is our expectation that cybersecurity controls and procedures will evolve and be included in future versions. The downside is that whatever is published in any version of the Framework will also be available to those parties who are trying to circumvent established controls. The good news is that the Framework serves to raise the level of awareness of the issue and need for action beyond the headlines. The new Framework is a risk-based approach to information security, an approach we support and have been articulating for some time. Below are some observations regarding the Framework: The approach to leveraging the Framework is identical to the way many organizations perform program assessments today: Define the business priorities and the scope of the program; Define the assets in scope and the threats to them; Create an As Is or baseline profile of the organization s security program implementation; Perform a risk assessment of the organization s readiness; Create a To Be statement/objective for the security program; Define gaps between the As Is and To Be states, assess their impact and prioritize remediation activities; and Implement the action plan. Organizations familiar with risk management programs like ISO 31000, ISO and NIST and/or information security programs like ISO 27001/2 and NIST will find the approach and nomenclature familiar. For those organizations currently evaluating their security programs against these standards, they can easily apply this Framework instead as they assess their cybersecurity profile. However, the Framework does not go to the control level; therefore, ISO (for example) will still need to be used to address those requirements. The Framework is voluntary. It is intended to complement an organization s existing risk management program and allows it to do whatever it determines is correct and appropriate in the circumstances. We believe this makes great sense. There is a reference to organizations including the feasibility to implement as a criteria for selecting their specific organizational goals for cybersecurity, which allows for flexibility and discretion. There is a suggestion for organizations to progress past Tier 1 (Partial). That objective appears to be a reasonable one. It is equivalent to what we would recognize as being at least Risk Informed, i.e., Stage 2 or 3 on the Capability Maturity Continuum. Protiviti 3
4 Appendix A to the document provides excellent examples of the specific elements that should be included in a cybersecurity program. The Informative References further assist the organization in linking the Framework to current actions or more familiar standards and guidelines. This linkage is very helpful. It is possible that over time, the Framework could be used as a way to communicate the security levels of an organization and provide a basis for certifications: Perhaps the Framework will replace the need for audits and other methods of intraand extra-company assessments as the focus is directed to certifications. Like other ISO and NIST standards, the Framework may need to mature before it becomes universally accepted. Because there are no specific controls identified or audit procedures to follow, the assignment of tiers is not an objective process. To illustrate, ISO needed its control-specific companion ISO before meaningful certification could be performed. They say it takes two to tango. Even if a company executes the development of a profile, there has to be another organization willing to accept it. Because the Framework is new, we are at the beginning of the acceptance curve. Although capable of being accepted globally, there may be some resistance to a U.S.-based Framework in other countries and regions. Summary Cybersecurity threats exploit the increased number of vulnerabilities that result from the growth in complexity and connectivity of critical infrastructure systems, placing the security, economy, and public safety and health of the United States (or any other country) at risk. Mitigating cybersecurity risk not only introduces new investment costs that need to be considered by management, but insufficient mitigation plans can also negatively impact revenues and cause customer loss and severe reputation damage that all impact the bottom line. Created through collaboration between government and the private sector, the new Framework uses a common language to address and manage cybersecurity risk in a cost-effective way based on business needs without placing additional regulatory requirements on businesses. Use of the new Framework is the next step to improve the cybersecurity of U.S. critical infrastructure, providing guidance for individual organizations while increasing the cybersecurity posture of the nation s critical infrastructure as a whole. The Framework is not a one-size-fits-all approach to managing cybersecurity risk for critical infrastructure. Organizations will continue to have unique risks different threats, different vulnerabilities and different risk tolerances and how they implement the practices in the Framework will vary accordingly. The Framework is a dynamic document that will continue to be updated and improved as industry and government organizations monitor progress and provide feedback on implementation results. As the Framework is put into practice, lessons learned will be integrated into future versions. This will help ensure it targets the needs of critical infrastructure owners and operators as they face an ever-changing and challenging environment of new threats, risks and solutions. Protiviti 4
5 About Protiviti Protiviti ( is a global consulting firm that helps companies solve problems in finance, technology, operations, governance, risk and internal audit, and has served more than 35 percent of FORTUNE 1000 and FORTUNE Global 500 companies. Protiviti and its independently owned Member Firms serve clients through a network of more than 70 locations in over 20 countries. The firm also works with smaller, growing companies, including those looking to go public, as well as with government agencies. Protiviti is a wholly owned subsidiary of Robert Half (NYSE: RHI). Founded in 1948, Robert Half is a member of the S&P 500 index Protiviti Inc. An Equal Opportunity Employer M/F/D/V. Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services.
Framework for Improving Critical Infrastructure Cybersecurity
Framework for Improving Critical Infrastructure Cybersecurity Version 1.0 National Institute of Standards and Technology February 12, 2014 Table of Contents Executive Summary...1 1.0 Framework Introduction...3
More informationCybersecurity Framework. Executive Order 13636 Improving Critical Infrastructure Cybersecurity
Cybersecurity Framework Executive Order 13636 Improving Critical Infrastructure Cybersecurity National Institute of Standards and Technology (NIST) Mission To promote U.S. innovation and industrial competitiveness
More informationFramework for Improving Critical Infrastructure Cybersecurity
Framework for Improving Critical Infrastructure Cybersecurity Version 1.0 National Institute of Standards and Technology February 12, 2014 Table of Contents Executive Summary...1 1.0 Framework Introduction...3
More informationHow To Write A Cybersecurity Framework
NIST Cybersecurity Framework Overview Executive Order 13636 Improving Critical Infrastructure Cybersecurity 2nd ENISA International Conference on Cyber Crisis Cooperation and Exercises Executive Order
More informationCritical Infrastructure Cybersecurity Framework. Overview and Status. Executive Order 13636 Improving Critical Infrastructure Cybersecurity
Critical Infrastructure Cybersecurity Framework Overview and Status Executive Order 13636 Improving Critical Infrastructure Cybersecurity Executive Order: Improving Critical Infrastructure Cybersecurity
More informationNIST Cybersecurity Framework What It Means for Energy Companies
Daniel E. Frank J.J. Herbert Mark Thibodeaux NIST Cybersecurity Framework What It Means for Energy Companies November 14, 2013 Your Panelists Dan Frank J.J. Herbert Mark Thibodeaux 2 Overview The Cyber
More informationAmerica s New Cybersecurity Framework: Help or New Source of Exposure?
America s New Cybersecurity Framework: Help or New Source of Exposure? BY BEHNAM DAYANIM, RYAN NIER & ELIZABETH DORSI March 2014 Data theft is on the rise, and the federal government is concerned. In 2013
More informationHow To Understand And Manage Cybersecurity Risk
White Paper A Framework to Gauge Cyber Defenses NIST s Cybersecurity Framework Helps Critical Infrastructure Owners to Cost-Effectively Defend National & Economic Security of the U.S. Executive Summary
More informationWestlaw Journal. What is the Cybersecurity Framework? Risk Management Process And Pathway to Corporate Liability? Expert Analysis
Westlaw Journal Computer & Internet Litigation News and Analysis Legislation Regulation Expert Commentary VOLUME 31, ISSUE 14 / DECEMBER 12, 2013 Expert Analysis The Cybersecurity Framework: Risk Management
More informationNIST Cybersecurity Framework. ARC World Industry Forum 2014
NIST Cybersecurity Framework Vicky Yan Pillitteri NIST ARC World Industry Forum 2014 February 10-13, 2014 Orlando, FL Executive Order 13636 Improving Critical Infrastructure Cybersecurity It is the policy
More informationFramework for Improving Critical Infrastructure Cybersecurity
Framework for Improving Critical Infrastructure Cybersecurity Implementation of Executive Order 13636 NARUC Winter Committee Meeting Committee & Staff Committee on Critical Infrastructure February 15,
More informationCybersecurity in the Utilities Sector Best Practices and Implementation 2014 Canadian Utilities IT & Telecom Conference September 24, 2014
Cybersecurity in the Utilities Sector Best Practices and Implementation 2014 Canadian Utilities IT & Telecom Conference September 24, 2014 Victoria Yan Pillitteri Advisor for Information Systems Security
More informationFramework for Improving Critical Infrastructure Cybersecurity
Framework for Improving Critical Infrastructure Cybersecurity Executive Order 13636 Improving Critical Infrastructure Cybersecurity 2014 ISACA Pittsburgh Information Security Awareness Day Victoria Yan
More informationImproving Critical Infrastructure Cybersecurity Executive Order 13636. Preliminary Cybersecurity Framework
1 Improving Critical Infrastructure Cybersecurity Executive Order 13636 Preliminary Cybersecurity Framework 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35
More informationCybersecurity Audit Why are we still Vulnerable? November 30, 2015
Cybersecurity Audit Why are we still Vulnerable? November 30, 2015 John R. Robles, CISA, CISM, CRISC www.johnrrobles.com jrobles@coqui.net 787-647-3961 John R. Robles- 787-647-3961 1 9/11-2001 The event
More informationCybersecurity Framework: Current Status and Next Steps
Cybersecurity Framework: Current Status and Next Steps Federal Advisory Committee on Insurance November 6, 2014 Adam Sedgewick Senior IT Policy Advisor Adam.Sedgewick@nist.gov National Institute of Standards
More informationENERGY SECTOR CYBERSECURITY FRAMEWORK IMPLEMENTATION GUIDANCE
ENERGY SECTOR CYBERSECURITY FRAMEWORK IMPLEMENTATION GUIDANCE JANUARY 2015 U.S. DEPARTMENT OF ENERGY OFFICE OF ELECTRICITY DELIVERY AND ENERGY RELIABILITY Energy Sector Cybersecurity Framework Implementation
More informationFramework for Improving Critical Infrastructure Cybersecurity
Framework for Improving Critical Infrastructure Cybersecurity Implementation of Executive Order 13636 8 April 2015 cyberframework@nist.gov Agenda Mission of NIST Cybersecurity at NIST Cybersecurity Framework
More informationThe NIST Cybersecurity Framework
View the online version at http://us.practicallaw.com/5-599-6825 The NIST Cybersecurity Framework RICHARD RAYSMAN, HOLLAND & KNIGHT LLP AND JOHN ROGERS, BOOZ ALLEN HAMILTON A Practice Note discussing the
More informationWhy you should adopt the NIST Cybersecurity Framework
www.pwc.com/cybersecurity Why you should adopt the NIST Cybersecurity Framework May 2014 The National Institute of Standards and Technology Cybersecurity Framework may be voluntary, but it offers potential
More informationA Guide to Successfully Implementing the NIST Cybersecurity Framework. Jerry Beasley CISM and TraceSecurity Information Security Analyst
TRACESECURITY WHITE PAPER GRC Simplified... Finally. A Guide to Successfully Implementing the NIST Cybersecurity Framework Jerry Beasley CISM and TraceSecurity Information Security Analyst TRACESECURITY
More informationExecutive Order 13636: The Healthcare Sector and the Cybersecurity Framework. September 23, 2014
Executive Order 13636: The Healthcare Sector and the Cybersecurity Framework September 23, 2014 Executive Order: Improving Critical Infrastructure Cybersecurity It is the policy of the United States to
More informationApplying Framework to Mobile & BYOD
Applying Framework to Mobile & BYOD Framework for Improving Critical Infrastructure Cybersecurity National Association of Attorneys General Southern Region Meeting 13 March 2015 cyberframework@nist.gov
More informationIntel Security Professional Services Leveraging NIST Cybersecurity Framework (CSF): Complexity is the enemy of security
Intel Security Professional Services Leveraging NIST Cybersecurity Framework (CSF): Complexity is the enemy of security David Brezinski, Professional Services, Enterprise Security Architect Agenda Overview
More informationNIST Cybersecurity Framework & A Tale of Two Criticalities
NIST Cybersecurity Framework & A Tale of Two Criticalities Vendor Management & Incident Response Presented by: John H Rogers, CISSP Advisory Services Practice Manager john.rogers@sagedatasecurity.com Presented
More informationWhy you should adopt the NIST Cybersecurity Framework
Why you should adopt the NIST Cybersecurity Framework It s important to note that the Framework casts the discussion of cybersecurity in the vocabulary of risk management Stating it in terms Executive
More informationBuilding Security In:
#CACyberSS2015 Building Security In: Intelligent Security Design, Development and Acquisition Steve Caimi Industry Solutions Specialist, US Public Sector Cybersecurity September 2015 A Little About Me
More informationIG ISCM MATURITY MODEL FOR FY 2015 FISMA FOR OFFICIAL USE ONLY
IG MATURITY MODEL FOR FY 2015 FISMA 1 Ad-hoc 1.1 program is not formalized and activities are performed in a reactive manner resulting in an adhoc program that does not meet 2 requirements for a defined
More informationChanging Legal Landscape in Cybersecurity: Implications for Business
Changing Legal Landscape in Cybersecurity: Implications for Business Presented to Greater Wilmington Cyber Security Group Presented by William R. Denny, Potter Anderson & Corroon LLP May 8, 2014 Topics
More informationWhich cybersecurity standard is most relevant for a water utility?
Which cybersecurity standard is most relevant for a water utility? Don Dickinson 1 * 1 Don Dickinson, Phoenix Contact USA, 586 Fulling Mill Road, Middletown, Pennsylvania, USA, 17057 (*correspondence:
More informationCForum: A Community Driven Solution to Cybersecurity Challenges
SESSION ID: AST3-R01 CForum: A Community Driven Solution to Cybersecurity Challenges Tom Conkle Cybersecurity Engineer G2, Inc. @TomConkle Greg Witte Sr. Security Engineer G2, Inc. @thenetworkguy Organizations
More informationCybersecurity..Is your PE Firm Ready? October 30, 2014
Cybersecurity..Is your PE Firm Ready? October 30, 2014 The Panel Melinda Scott, Founding Partner, Scott Goldring Eric Feldman, Chief Information Officer, The Riverside Company Joe Campbell, CTO, PEF Services
More informationistockphoto/ljupco 36 June 2015 practicallaw.com 2015 Thomson Reuters. All rights reserved.
istockphoto/ljupco 36 June 2015 practicallaw.com The NIST Cybersecurity Framework Data breaches in organizations have rapidly increased in recent years. In 2014, the National Institute of Standards and
More informationUnderstanding the NIST Cybersecurity Framework September 30, 2014
Understanding the NIST Cybersecurity Framework September 30, 2014 Earlier this year the National Institute of Standard and Technology released the Framework for Improving Critical Infrastructure Cybersecurity
More informationFINANCIAL SERVICES FLASH REPORT
FINANCIAL SERVICES FLASH REPORT OCC Finalizes Its Heightened Standards for Large Financial Institutions September 15, 2014 Transforming Heightened Expectations to Minimum Standards On September 2, 2014,
More informationNIST Cybersecurity Framework Sean Sweeney, Information Security Officer 5/20/2015
NIST Cybersecurity Framework Sean Sweeney, Information Security Officer 5/20/2015 Overview The University of Pittsburgh NIST Cybersecurity Framework Pitt NIST Cybersecurity Framework Program Wrap Up Questions
More informationIAPP Global Privacy Summit Protecting Privacy Under the Cybersecurity Microscope
IAPP Global Privacy Summit Protecting Privacy Under the Cybersecurity Microscope March 6, 2014 Victoria King UPS (404) 828-6550 vking@ups.com Lisa J. Sotto Hunton & Williams LLP (212) 309-1223 lsotto@hunton.com
More informationUNITED STATES OF AMERICA FEDERAL ENERGY REGULATORY COMMISSION
UNITED STATES OF AMERICA FEDERAL ENERGY REGULATORY COMMISSION Technical Conference on Critical Infrastructure Protection Issues Identified in Order No. 791 Prepared Statement of Melanie Seader, Senior
More informationThe President issued an Executive Order Improving Critical Infrastructure Cybersecurity, on February 2013.
The President issued an Executive Order Improving Critical Infrastructure Cybersecurity, on February 2013. The Executive Order calls for the development of a voluntary risk based Cybersecurity Framework
More informationNo. 33 February 19, 2013. The President
Vol. 78 Tuesday, No. 33 February 19, 2013 Part III The President Executive Order 13636 Improving Critical Infrastructure Cybersecurity VerDate Mar2010 17:57 Feb 15, 2013 Jkt 229001 PO 00000 Frm 00001
More informationReport: An Analysis of US Government Proposed Cyber Incentives. Author: Joe Stuntz, MBA EP 14, McDonough School of Business
S 2 ERC Project: Cyber Threat Intelligence Exchange Ecosystem: Economic Analysis Report: An Analysis of US Government Proposed Cyber Incentives Author: Joe Stuntz, MBA EP 14, McDonough School of Business
More informationNational Cybersecurity Challenges and NIST. Donna F. Dodson Chief Cybersecurity Advisor ITL Associate Director for Cybersecurity
National Cybersecurity Challenges and NIST Donna F. Dodson Chief Cybersecurity Advisor ITL Associate Director for Cybersecurity Though no-one knows for sure, corporate America is believed to lose anything
More informationImproving Cybersecurity and Resilience through Acquisition [DRAFT] IMPLEMENTATION PLAN
Improving Cybersecurity and Resilience through Acquisition [DRAFT] IMPLEMENTATION PLAN Version 1.0 February 2014 Page 1 of 7 Table of Contents Introduction... 3 Purpose... 3 Plan Development Process...
More informationCloud Security Keeping Data Safe in the Boundaryless World of Cloud Computing
Cloud Security Keeping Data Safe in the Boundaryless World of Cloud Computing Executive Summary As cloud service providers mature, and expand and refine their offerings, it is increasingly difficult for
More informationThe NIST Cybersecurity Framework (CSF) Unlocking CSF - An Educational Session
The NIST Cybersecurity Framework (CSF) Unlocking CSF - An Educational Session Robert Smith Systemwide IT Policy Director Compliance & Audit Educational Series 5/5/2016 1 Today s reality There are two kinds
More informationHealth Industry Implementation of the NIST Cybersecurity Framework
Health Industry Implementation of the NIST Cybersecurity Framework A Collaborative Presentation by HHS, NIST, HITRUST, Deloitte and Seattle Children s Hospital 1 Your presenters HHS Steve Curren, Acting
More informationCybersecurity The role of Internal Audit
Cybersecurity The role of Internal Audit Cyber risk High on the agenda Audit committees and board members are seeing cybersecurity as a top risk, underscored by recent headlines and increased government
More informationAmid Ongoing Transformation and Compliance Challenges, Cybersecurity Represents Top IT Concern in Financial Services Industry
Amid Ongoing Transformation and Compliance Challenges, Cybersecurity Represents Top IT Concern in Financial Services Industry IT leaders are battening down the hatches, according to Protiviti s latest
More informationCritical Manufacturing Cybersecurity Framework Implementation Guidance
F Critical Manufacturing Cybersecurity Framework Implementation Guidance i Foreword The National Institute of Standards and Technology (NIST) released the 2014 Framework for Improving Critical Infrastructure
More informationVoluntary Cybersecurity Initiatives in Critical Infrastructure. Nadya Bartol, CISSP, SGEIT, nadya.bartol@utc.org. 2014 Utilities Telecom Council
Voluntary Cybersecurity Initiatives in Critical Infrastructure Nadya Bartol, CISSP, SGEIT, nadya.bartol@utc.org 2014 Utilities Telecom Council Utility cybersecurity environment is full of collaborations
More informationFramework for Improving Critical Infrastructure Cybersecurity
Framework for Improving Critical Infrastructure Cybersecurity 18 November 2015 grance@nist.gov cyberframework@nist.gov National Institute of Standards and Technology About NIST NIST s mission is to develop
More informationNIST CYBERSECURITY FRAMEWORK IMPLEMENTATION: ENERGY SECTOR APPROACH
NIST CYBERSECURITY FRAMEWORK IMPLEMENTATION: ENERGY SECTOR APPROACH SANS ICS Security Summit March 18, 2014 Jason D. Christopher Nadya Bartol Ed Goff Agenda Background Use of Existing Tools: C2M2 Case
More informationICBA Summary of FFIEC Cybersecurity Assessment Tool
ICBA Summary of FFIEC Cybersecurity Assessment Tool July 2015 Contact: Jeremy Dalpiaz Assistant Vice President Cyber Security and Data Security Policy Jeremy.Dalpiaz@icba.org www.icba.org ICBA Summary
More informationInformation and Communications Technology Supply Chain Risk Management (ICT SCRM) AND NIST Cybersecurity Framework
Information and Communications Technology Supply Chain Risk Management (ICT SCRM) AND NIST Cybersecurity Framework Don t screw with my chain, dude! Jon Boyens Computer Security Division IT Laboratory November
More informationINFORMATION TECHNOLOGY FLASH REPORT
INFORMATION TECHNOLOGY FLASH REPORT ISACA Releases COBIT 5: Updated Framework for the Governance and Management of IT May 18, 2012 In April, ISACA released COBIT 5 as a replacement for its current globally
More informationPayment Card Industry Data Security Standards
Payment Card Industry Data Security Standards Discussion Objectives Agenda Introduction PCI Overview and History The Protiviti Difference Questions and Discussion 2 2014 Protiviti Inc. CONFIDENTIAL: This
More informationExperience the commitment WHITE PAPER. Information Security Continuous Monitoring. Charting the Right Course. cgi.com 2014 CGI GROUP INC.
Experience the commitment WHITE PAPER Information Security Continuous Monitoring Charting the Right Course May 2014 cgi.com 2014 CGI GROUP INC. During the last few months of 2013, six federal agencies
More informationThe Cybersecurity Framework and the SAFETY Act a Primer for Temple Business School
The Cybersecurity Framework and the SAFETY Act a Primer for Temple Business School MARCH 31, 2014 2013 Venable LLP 1 EO 13636: Improving Critical Infrastructure Cybersecurity Directs to NIST to develop
More informationGet Confidence in Mission Security with IV&V Information Assurance
Get Confidence in Mission Security with IV&V Information Assurance September 10, 2014 Threat Landscape Regulatory Framework Life-cycles IV&V Rigor and Independence Threat Landscape Continuously evolving
More informationNIST Cybersecurity Initiatives. ARC World Industry Forum 2014
NIST Cybersecurity Initiatives Keith Stouffer and Vicky Pillitteri NIST ARC World Industry Forum 2014 February 10-13, 2014 Orlando, FL National Institute of Standards and Technology (NIST) NIST s mission
More informationBECAUSE CYBERSECURITY RISKS ARE ENTERPRISE RISKS. www.blankrome.com/cybersecurity
Working together, Blank Rome LLP and Good Harbor Security Risk Management LLC, haved teamed to provide a comprehensive solution for protecting your company s property and reputation from the unprecedented
More informationFFIEC Cybersecurity Assessment Tool
Overview In light of the increasing volume and sophistication of cyber threats, the Federal Financial Institutions Examination Council 1 (FFIEC) developed the Cybersecurity Tool (), on behalf of its members,
More informationCyber Security. U.S. Executive Order 13636 and Critical Security Capabilities to Consider. Intel Corporation. White Paper. Authors
Cyber Security Intel Corporation U.S. Executive Order 13636 and Critical Security Capabilities to Consider White Paper Authors Amit Agrawal (Security Strategist, Intel) Jack Lawson (Director - Security,
More informationDecember 13, 2013. Submitted via email to csfcomments@nist.gov
December 13, 2013 Submitted via email to csfcomments@nist.gov National Institute of Standards and Technology Information Technology Laboratory ATTN: Adam Sedgewick 100 Bureau Drive, Stop 8930 Gaithersburg,
More informationManaging Regulatory Compliance and AML Risk in a Virtual Currency World
Managing Regulatory Compliance and AML Risk in a Virtual Currency World Issue When you first think of virtual currency (also known as digital currency), the video gaming industry may be what first comes
More informationHow To Get A Tech Startup To Comply With Regulations
Agile Technology Controls for Startups a Contradiction in Terms or a Real Opportunity? Implementing Dynamic, Flexible and Continuously Optimized IT General Controls POWERFUL INSIGHTS Issue It s not a secret
More informationApril 8, 2013. Ms. Diane Honeycutt National Institute of Standards and Technology 100 Bureau Drive, Stop 8930 Gaithersburg, MD 20899
Salt River Project P.O. Box 52025 Mail Stop: CUN204 Phoenix, AZ 85072 2025 Phone: (602) 236 6011 Fax: (602) 629 7988 James.Costello@srpnet.com James J. Costello Director, Enterprise IT Security April 8,
More informationHITRUST CSF Assurance Program
HITRUST CSF Assurance Program Simplifying the information protection of healthcare data 1 May 2015 2015 HITRUST LLC, Frisco, TX. All Rights Reserved Table of Contents Background CSF Assurance Program Overview
More informationThe NIST Framework for Improving Critical Infrastructure Cybersecurity - An Executive Guide
SOLUTION BRIEF NIST FRAMEWORK FOR IMPROVING CRITICAL INFRASTRUCTURE CYBERSECURITY The NIST Framework for Improving Critical Infrastructure Cybersecurity - An Executive Guide SOLUTION BRIEF CA DATABASE
More informationHow To Transform It Risk Management
The transformation of IT Risk Management kpmg.com The transformation of IT Risk Management The role of IT Risk Management Scope of IT risk management Examples of IT risk areas of focus How KPMG can help
More informationBilling Code: 3510-EA
Billing Code: 3510-EA DEPARTMENT OF COMMERCE Office of the Secretary National Institute of Standards and Technology National Telecommunications and Information Administration [Docket Number: 130206115-3115-01]
More informationStepping Through the Info Security Program. Jennifer Bayuk, CISA, CISM
Stepping Through the Info Security Program Jennifer Bayuk, CISA, CISM Infosec Program How to: compose an InfoSec Program cement a relationship between InfoSec program and IT Governance design roles and
More informationContinuous Monitoring in a Risk Management Framework. US Census Bureau Oct 2012
Monitoring in a Risk Management Framework US Census Bureau Oct 2012 Agenda Drivers for Monitoring What is Monitoring Monitoring in a Risk Management Framework (RMF) RMF Cost Efficiencies RMF Lessons Learned
More informationApplying IBM Security solutions to the NIST Cybersecurity Framework
IBM Software Thought Leadership White Paper August 2014 Applying IBM Security solutions to the NIST Cybersecurity Framework Help avoid gaps in security and compliance coverage as threats and business requirements
More informationNIST CYBERSECURITY FRAMEWORK COMPLIANCE WITH OBSERVEIT
NIST CYBERSECURITY FRAMEWORK COMPLIANCE WITH OBSERVEIT OVERVIEW The National Institute of Standards of Technology Framework for Improving Critical Infrastructure Cybersecurity (The NIST Framework) is a
More informationBefore the. United States Department of Commerce. and the. National Institute of Standards and Technology
Before the United States Department of Commerce and the National Institute of Standards and Technology In the Matter of ) Experience with the Framework for ) Improving Critical Infrastructure Cybersecurity
More informationPROTIVITI FLASH REPORT
PROTIVITI FLASH REPORT California Law Requires Companies to Disclose Efforts to Ensure Supply Chains Are Free of Slavery and Human Trafficking February 6, 2012 The California Transparency in Supply Chains
More informationInformation Security Management System for Microsoft s Cloud Infrastructure
Information Security Management System for Microsoft s Cloud Infrastructure Online Services Security and Compliance Executive summary Contents Executive summary 1 Information Security Management System
More informationPACB One-Day Cybersecurity Workshop
PACB One-Day Cybersecurity Workshop WHAT IS CYBERSECURITY? PRESENTED BY: JON WALDMAN, SBS CISA, CRISC 1 Contact Information Jon Waldman Partner, Senior IS Consultant CISA, CRISC Masters of Info Assurance
More informationfs viewpoint www.pwc.com/fsi
fs viewpoint www.pwc.com/fsi June 2013 02 11 16 21 24 Point of view Competitive intelligence A framework for response How PwC can help Appendix It takes two to tango: Managing technology risk is now a
More informationHealthcare s Model Approach to Critical Infrastructure Cybersecurity
Healthcare s Model Approach to Critical Infrastructure Cybersecurity How the Industry is Leading the Way with its Information Security Risk Management Framework June 2014 Healthcare s Model Approach to
More informationHow To Manage Cybersecurity In Healthcare
Healthcare s Model Approach to Critical Infrastructure Cybersecurity How the Industry is Leading the Way with its Information Security Risk Management Framework June 2014 Healthcare s Model Approach to
More informationFramework for Improving Critical Infrastructure Cybersecurity
Framework for Improving Critical Infrastructure Cybersecurity April 2016 cyberframework@nist.gov Pre-Cybersecurity Framework Threat Landscape 79% of reported victims were targets of opportunity 96% of
More informationUsing the HITRUST CSF to Assess Cybersecurity Preparedness 1 of 6
to Assess Cybersecurity Preparedness 1 of 6 Introduction Long before the signing in February 2013 of the White House Executive Order Improving Critical Infrastructure Cybersecurity, HITRUST recognized
More informationTop Priorities for Internal Auditors in U.S. Healthcare Provider Organizations
Top Priorities for Internal Auditors in U.S. Healthcare Provider Organizations Key Areas for Improvement Include Compliance, Information Security, Social Media and Quality Assurance INTRODUCTION Historic
More informationPreventing Fraud: Assessing the Fraud Risk Management Capabilities of Today s Largest Organizations
Preventing Fraud: Assessing the Fraud Risk Management Capabilities of Today s Largest Organizations Overview In late 2006 and 2007, Protiviti commissioned a study to gauge the fraud risk management (FRM)
More informationHigh Value Audits: An Update on Information Technology Auditing. Robert B. Hirth Jr., Managing Director
High Value Audits: An Update on Information Technology Auditing Robert B. Hirth Jr., Managing Director The technology landscape and its impact on internal audit Technology is playing an ever-growing role
More informationFFIEC Cybersecurity Assessment Tool Overview for Chief Executive Officers and Boards of Directors
Overview for Chief Executive Officers and Boards of Directors In light of the increasing volume and sophistication of cyber threats, the Federal Financial Institutions Examination Council 1 (FFIEC) developed
More informationTestimony of Dan Nutkis CEO of HITRUST Alliance. Before the Oversight and Government Reform Committee, Subcommittee on Information Technology
Testimony of Dan Nutkis CEO of HITRUST Alliance Before the Oversight and Government Reform Committee, Subcommittee on Information Technology Hearing entitled: Cybersecurity: The Evolving Nature of Cyber
More informationOctober 9, 2014. Lyman Terni, Consultant Tim Villano, Chief Technology Officer. Current Awareness of the Cybersecurity Framework
October 9, 2014 Ascendant Compliance Management is an independent consulting firm assisting Registered Investment Advisers and Broker-Dealers with regulatory compliance. Our firm has an IT Risk Assessment
More informationThe Cybersecurity Framework in Action: An Intel Use Case
SOLUTION BRIEF Cybersecurity Framework Risk Management The Cybersecurity Framework in Action: An Intel Use Case Intel Publishes a Cybersecurity Framework Use Case Advancing cybersecurity across the global
More information2014 Trends in the Insurance Industry
2014 Trends in the Insurance Industry Introduction Changes in the insurance industry historically move at a slow and steady pace, yet in recent years, by industry standards, they have become increasingly
More informationRE: ITI comments in response to NIST RFI: Improving Critical Infrastructure Cybersecurity Executive Order 13636: Preliminary Cybersecurity Framework
December 12, 2013 Adam Sedgewick Information Technology Laboratory National Institute of Standards and Technology 100 Bureau Drive, Stop 8930 Gaithersburg, MD 20899 Via e-mail to: csfcomments@nist.gov
More informationHow To Ensure Internal Control Of Financial Reporting In India
PROTIVITI FLASH REPORT New Internal Control Requirements for Companies with Operations in India November 9, 2015 In the aftermath of major global financial frauds, several countries enacted legislation
More informationPriorities for Internal Auditors in U.S. Healthcare Provider Organizations. Chief Concerns Include Cybersecurity, Regulatory Compliance and Fraud
Priorities for Internal Auditors in U.S. Healthcare Provider Organizations Chief Concerns Include Cybersecurity, Regulatory Compliance and Fraud INTRODUCTION Technology is a double-edged sword. From an
More informationCybersecurity for Medical Devices
Cybersecurity for Medical Devices Suzanne O Shea Kathleen Rice January 29, 2015 Why Is This Important? Security Risks in the Sensors of Implantable Medical Devices Over the last year, we ve seen an uptick
More informationCustomer Data and Reputational Risk in the Pharmaceutical Industry
1 Customer Data and Reputational Risk in the Pharmaceutical Industry Sensitive Data: A Chain of Trust Organizations of all types, from banks to government agencies to healthcare providers, are taking steps
More informationDiscussion Draft of the Preliminary Cybersecurity Framework
1 Discussion Draft of the Preliminary Cybersecurity Framework August 28, 2013 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 A Discussion Draft of the Preliminary
More information