NIST Cybersecurity Framework & A Tale of Two Criticalities

Transcription

1 NIST Cybersecurity Framework & A Tale of Two Criticalities Vendor Management & Incident Response Presented by: John H Rogers, CISSP Advisory Services Practice Manager john.rogers@sagedatasecurity.com Presented by: Zach Zimmerman Assurance Services Practice Manager zach.zimmerman@sagedatasecurity.com

2 Agenda The Ever Evolving Environment NIST Cybersecurity Framework Overview Vendor Management In the Framework Vendor Management in the Organization Incident Response Planning in the Framework Incident Response Planning in the Organization Questions & Answers

3 The Ever-Evolving Environment In May of 2014, the Federal Financial Institutions Examiners the Council (FFIEC) reinforced the expectation that senior management and boards of directors must provide cybersecurity leadership, align business and cybersecurity strategy, and create a governance process to ensure ongoing awareness and accountability. GLBA is now 15 years old. The proportion of electronic vs. traditional banking transactions is growing rapidly. This interconnectedness as well as the motivation of cybercriminals and cyber terrorist organizations to steal, disrupt, and cause harm means that banks must expand their current information security program.

4 The Ever-Evolving Environment In conjunction with this announcement, the FFIEC Cybersecurity and Critical Infrastructure Working Group, whose members include the FDIC, FRB, OCC, NCUA and the CFPB, announced their intention to expand examinations to include an assessment of cybersecurity risk management and resiliency. During the summer of 2014, the FFIEC member agencies piloted a cybersecurity examination work program at over 500 community financial institutions They found that the level of preparedness varied significantly across institutions of various sizes and charters. Not surprising, the common denominator for institutions that fared well was executive awareness of cybersecurity threats. Executives and boards of directors set policy, approve budget and provide leadership. Reference : FFIEC_Cybersecurity_Assessment_Observations.pdf

5 The FFIEC and its member agencies are treating cybersecurity and the management of cybersecurity risks as a critical priority. Governance. Oversight, Responsibilities, Risk Management, Reporting and Education. Threat intelligence & Collaboration. Gathering, monitoring, analyzing, and sharing information from internal and external sources on cyber threats and vulnerabilities. External Dependency Management External dependency management includes the connectivity to third-party service providers, business partners, customers, or others and the financial institutions expectations and practices to oversee these relationships. Cyber Incident Management and Resilience. Cyber incident management involves incident detection, response, mitigation, escalation, reporting, and resilience. / Information Assets Regulatory Compliance Cybercrime

6 NIST Cybersecurity Framework Why Adopt? Recommendation to adopt from the FFIEC Strategic Focus Process Driven Measurable based on maturity The best aspects of existing frameworks and guidance ISO COBIT ISA NIST Information Assets Regulatory Compliance Cybercrime

7 NIST Cybersecurity Framework Overview Framework Core a set of cybersecurity activities, desired outcomes and applicable references. The Framework Core consists of five concurrent and continuous Functions Identify, Protect, Detect, Respond & Recover. Framework Implementation Tiers provide context on the maturity of cyber risk management. There are 4 Tiers 1. Partial, 2. Risk Informed, 3. Repeatable & 4. Adaptive. Framework Profile provides a mechanism for organizations to describe their current state, target state, gaps and resource requirements. The Profile is used to create a Cybersecurity Roadmap Information Assets Regulatory Compliance Cybercrime

8 Framework Core The Framework Core is a compilation of Functions, Categories, Subcategories and Informative References. Function Functions provide the highest level of structure for organizing cybersecurity activates. Functions are Identify, Protect, Detect, Respond & Recover. Category Subdivision of a Function into groups of related cybersecurity activities and objectives. Examples are Asset Management, Access Control and Detective Processes. Subcategories Subdivision of a Category into specific technical or management activities or outcomes. Examples are Data-at-Rest is Protected. Informative Reference Related standard, guideline or best practice. Information Assets Regulatory Compliance Cybercrime

9 Functions Functions provide the highest level of structure for organizing cybersecurity activities. Identify Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities. Protect Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services. Detect Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event. Respond Develop and implement the appropriate activities to take action regarding a detected cybersecurity event. Recover Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event. Information Assets Regulatory Compliance Cybercrime

10 Categories Categories are a subdivision of a Function into groups of related cybersecurity activities and outcomes. Information Assets Regulatory Compliance Cybercrime

11 Subcategories Subcategories Subdivision into specific technical or management activities or outcomes. Information Assets Regulatory Compliance Cybercrime

12 Profile Framework Profile provides a mechanism for organizations to describe their current state, target state, gaps and resource requirements. Category Subcategory Finding Desired State GAP Governance (ID.GV): The policies, procedures, and processes to manage and monitor the organization s regulatory, legal, risk, environmental, and operational requirements are understood and inform the management of cybersecurity risk. ID.GV-1: Organizational information security policy is established ID.GV-2: Information security roles & responsibilities are coordinated and aligned with internal roles and external partners ID.GV-3: Legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations, are understood and managed ID.GV-4: Governance and risk management processes address cybersecurity risks Information Assets Regulatory Compliance Cybercrime

13 Cybersecurity Program Implementation Tiers [Maturity Model] Tier 1 Partial - Organizational cybersecurity risk management practices are not formalized, and risk is managed in an ad hoc and sometimes reactive manner. Prioritization of cybersecurity activities may not be directly informed by organizational risk objectives, the threat environment or business/mission requirements. An organization may not have the processes in place to participate in coordination or collaboration with other entities. Tier 2 Risk Informed - Risk management practices are approved by management but may not be established as organization wide policy. Prioritization of cybersecurity activities is directly informed by organizational risk objectives, the threat environment or business/ mission requirements. The organization knows its role in the larger ecosystem, but has not formalized its capabilities to interact and share information externally. Information Assets Regulatory Compliance Cybercrime

14 Cybersecurity Program Implementation Tiers [Maturity Model] Tier 3 Repeatable - The organization s risk management practices are formally approved and expressed as policy. Organizational cybersecurity practices are regularly updated based on the application of risk management processes to changes in business/ mission requirements and a changing threat and technology landscape. The organization understands its dependencies and partners and receives information from these partners that enables collaboration and risk-based management decisions within the organization in response to events. Tier 4 Adaptive - The organization adapts its cybersecurity practices based on lessons learned and predictive indicators derived from previous and current cybersecurity activities. Through a process of continuous improvement incorporating advanced cybersecurity technologies and practices, the organization actively adapts to a changing cybersecurity landscape and responds to evolving and sophisticated threats in a timely manner. Information Assets Regulatory Compliance Cybercrime

15 Exam Expectations Oversight of cybersecurity is a FFIEC priority. The OCC is the lead organization. Recognition that financial institutions are considered critical infrastructure. Financial institutions must evaluate their inherent and residual risk of cyberattack and effective response. Financial Institutions must have a framework and methodology in place to evaluate their cybersecurity posture, implement appropriate controls and communicate cybersecurity and cyber resiliency requirements both within the organization and externally. The NIST Cybersecurity Framework is the preferred framework. Information Assets Regulatory Compliance Cybercrime

16 Vendor Management in the Framework Identify (ID) Asset Management (ID.AM) ID.AM-3: Organizational communication and data flows are mapped ID.AM-4: External Information Systems are Catalogued ID.AM-6: Cybersecurity roles and responsibilities for entire workforce and thirdparty stakeholders (e.g. suppliers, customers, partners) are established Business Environment (ID.BE) ID.BE-4: Dependencies and critical functions for delivery of critical services are established ID.BE-5: Resilience requirements to support delivery of critical services are established Governance (ID.GV) ID.GV-2: Information security roles & responsibilities are coordinated and aligned with internal roles and external partners ID.GV-4: Governance and risk management processes address cybersecurity risks Information Assets Regulatory Compliance Cybercrime

17 Vendor Management in the Framework Identify (ID) Risk Assessment (ID.RA) ID.RA-1: Asset vulnerabilities are identified and documented ID.RA-3: Threats, both internal and external, are identified and documented ID.RA-4: Potential business impacts and likelihoods are identified ID.RA-5: Threats, vulnerabilities, likelihoods, and impacts are used to determine risk Risk Management Strategy (ID.RM) ID.RM-3: : The organization s determination of risk tolerance is informed by its role in critical infrastructure and sector specific risk analysisid.be-5: Resilience requirements to support delivery of critical services are established Protect (PR) Access Control PR.AC-1: Identities and credentials are managed for authorized devices and users PR.AC-3: Remote access is managed Information Assets Regulatory Compliance Cybercrime

18 Vendor Management in the Framework Protect (PR) Awareness and Training (PR.AT) PR-AT-3: Third-party stakeholders (e.g., suppliers, customers, partners) understand roles & responsibilitiesid.am-4: External Information Systems are Catalogued Data Security (PR.DS) PR.DS-1: Data-at-rest is protected PR.DS-2: Data-in-transit is protected PR.DS-4: Adequate capacity to ensure availability is maintained Maintenance (PR.MA) PR.MA-2: Remote maintenance of organizational assets is approved, logged, and performed in a manner that prevents unauthorized access Protective Technology (PR.PT) PR.PT-3: Access to systems and assets is controlled, incorporating the principle of least functionality PR.PT-4: Communications and control networks are protected Information Assets Regulatory Compliance Cybercrime

19 Vendor Management in the Framework Detect (DE) Security Continuous Monitoring (DE.CM) DR.CM-6: External service provider activity is monitored to detect potential cybersecurity events Information Assets Regulatory Compliance Cybercrime

20 Vendor Management in the Organization

21 Vendor Management in the Organization Internal Barriers Third-Party TSP Inventory Organizational Silos Insufficient Expertise or Resources Onerous Assessment Process Lack of Strategic Planning for the Function External Barriers Document Collection TSP Policies for Information Sharing Resistance to Contractual Obligation Provision of Insufficient Information Resistance to Active Participation Weak Controls in Software Applications

22 Vendor Management in the Organization Critical Success Factors Strategic Approach Multidiscipline Participation & Buy-In No One Size Fits All Approach TSPs Obligated to Follow Your Rules Accurate Self Assessment Responsibilities Documented Review & Reporting Consistency

23 Vendor Management in the Organization Key Performance Indicators Percentage of Known Vendors Reviewed Percentage Comparison of Inventory Over Time Percentage of Contracts with Security Requirements Successful Tests of DR/BCP/IR with TSPs Complete Review Schedule by Criticality Examination Performance on the Program Cost/Benefit Analysis Risk Assessment Mitigation Statistics Over Time

24 Incident Response in the Framework RESPONSE(RS) Incident Response Response Planning (RS.RP) Communications (RS.CO) Analysis (RS.AN) Mitigation (RS.MI) Improvements (RS.IM)

25 Incident Response in the Framework Response Planning (RS.PR) Response processes and procedures are executed and maintained, to ensure timely response to detected cybersecurity events. Ensure that there are written incident response procedures that include a definition of personnel roles for handling incidents. The procedures should define the phases of incident handling.

26 Incident Response in the Framework Communications (RS.CO) Personnel know their roles and order of operations when a response is needed Define management personnel who will support the incident handling process by acting in key decision-making roles. Assign job titles and duties for handling computer and network incidents to specific individuals. Assemble and maintain information on third-party contact information to be used to report a security incident (i.e., address or have an internal web page).

27 Incident Response in the Framework Communications (RS.CO) Events are reported consistent with established criteria Information is shared consistent with response plans Publish information for all personnel, including employees and contractors, regarding reporting computer anomalies and incidents to the incident handling team.

28 Incident Response in the Framework Analysis (RS.AN) Notifications from detection systems are investigated Devise standards for the time required for system administrators and other personnel to report anomalous events. The impact of the incident is understood Forensics are performed Incidents are categorized consistent with response plans

29 Incident Response in the Framework Mitigation (RS.MI) Activities are performed to prevent expansion of an event, mitigate its effects, and eradicate the incident. Incidents are contained Incidents are mitigated Newly identified vulnerabilities are mitigated or documented as accepted risks

30 Incident Response in the Framework Improvements (RS.IM) Organizational response activities are improved by incorporating lessons learned from current and previous detection/response activities. Response plans incorporate lessons learned Conduct periodic incident scenario sessions for personnel associated with the incident handling team to ensure that they understand current threats and risks, as well as their responsibilities in supporting the incident handling team.

31 Incident Response in the Framework Improvements (RS.IM) After defining detailed incident response procedures, the incident response team should engage in periodic scenario-based training, working through a series of attack scenarios fine-tuned to the threats and vulnerabilities the organization faces. These scenarios help ensure that team members understand their role on the incident response team and also help prepare them to handle incidents.

32 Incident Response in the Organization Current Conventions Typically focused solely on computer incidents Tactically focused almost exclusively Seen as a compartment, assigned to a resource(s) Departmental and Division silos Institutional Islands Keep it Secret

33 Incident Response in the Organization Shifting The Conventions Move to focus on incident impact on the organization Shift to a strategic posture Multidiscipline, cross-departmental involvement COOP Plans Integration BCP DR IRP Awareness & Training

34 Incident Response in the Organization Improving the Incident Response Plan Strategic Focus Threat Intelligence Information Sharing Network Information Sharing Coordinator Information Sharing & Analysis Centers (FS-ISAC) Collective Intelligence thread is a good place to start Cybersecurity Considerations Vendor Management Inventory of External Connections Mentoring & Institutional Memory Procedures include organizational elements Invoking other COOP Plans Global COOP Strategy

35 Resources FFIEC Business Continuity Planning Booklet Appendix J: Strengthening the Resilience of Outsourced Technology Services NIST Special Publication Risk Assessment NIST Special Publication R2 Incident Response NIST Special Publication Information Sharing NIST SP Rev. 4: NIST Special Publication Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations, April 2013 (including updates as of January 15, 2014). Additional supporting material relating to the Framework can be found on the NIST website at

36 Questions? THANK YOU! John H Rogers, CISSP Advisory Services Practice Manager john.rogers@sagedatasecurity.com Zach Zimmerman, GCIH, GCIA Assurance Services Practice Manager Zach.zimmerman@sagedatasecurity.com