Happy First Anniversary NIST Cyber Security Framework:
|
|
- Roderick Morrison
- 8 years ago
- Views:
Transcription
1 Happy First Anniversary NIST Cyber Security Framework: We ve Hardly Known Ya Chad Stowe, CISSP, CISA, MBA
2 Problem Statement Management has not been given the correct information to understand and act upon the risks, processes, and skill requirements needed to address cyber security risk in their organizations It is not management s fault.
3 Who is Your Organization on Cyber Security?
4 Questions Companies Should Be Asking Themselves How would you detect if you had a cyber security related exposure? How would you know if someone took, or shared with others, sensitive company specific information? What prevention measures do you have in place to protect against a cyber security attack? Given that some companies spend above $250 million per year on cyber security, what makes you feel as though your environment is protected?
5 Questions Companies Should Be Asking Themselves Cont. Do you know what you would do in the event an unauthorized person gained access to your network? What do you think is the value of information in your company? Information is not an asset on your financial statement; however, if it were stolen or shared outside the company, how could it affect your company s future financial performance?
6 Presentation Points Revisit the basics that we may understand, but executive management may not understand. Understand the NIST Framework as a tool for executive management conversation. Ponder current and future regulatory aspects of cyber security.
7 Anatomy of a Cyber Attack - 101
8 Types of Attacks 1. Phishing/Spear Phishing 2. Malware 3. Zero Day 4. APT - Advanced Persistent Threat 5. SQL Injection 6. Watering Hole / Drive-By 7. DOS/DDOS Denial of Service 8. Botnet
9 Anatomy of a Cyber Attack Investigate
10 Anatomy of a Cyber Attack Investigate Phishing / Watering Holes
11 Anatomy of a Cyber Attack Investigate Phishing / Watering Holes Vulnerabilities / Malware
12 Anatomy of a Cyber Attack Admin Crack Passwords Investigate Phishing / Watering Holes Vulnerabilities / Malware
13 Anatomy of a Cyber Attack Admin Crack Passwords Investigate Phishing / Watering Holes Vulnerabilities / Malware Research / Gather Info
14 Anatomy of a Cyber Attack Admin Crack Passwords Investigate Phishing / Watering Holes Vulnerabilities / Malware Research / Gather Info Remove Info
15 Anatomy of a Cyber Attack Admin Crack Passwords Investigate Phishing / Watering Holes Vulnerabilities / Malware Research / Gather Info Remove Info Destroy Evidence/ Leave Backdoors
16 Anatomy of a Cyber Attack Admin Crack Passwords Investigate Phishing / Watering Holes Vulnerabilities / Malware Cyber Attacker Research / Gather Info Remove Info Destroy Evidence/ Leave Backdoors
17 Anatomy of a Cyber Attack Admin Crack Passwords Investigate Phishing / Watering Holes Vulnerabilities / Malware Cyber Attacker Research / Gather Info Remove Info Destroy Evidence/ Leave Backdoors You
18 Example Cyber Security Strategies and Tactics Prioritize and segment business systems into high, medium, and low criticality. Identify data and systems into criticality levels for a defense-in-depth strategy. Cyber security defense in depth is a strategy where attackers must go through defense layers of increasing magnitude in order to get to the most critical and valuable assets.
19 Are You spending security resources protecting everything?
20 Are Your Protection Mechanisms Really Working?
21 NIST, The Framework
22 NIST Cyber Security Risk Assessment Identify Recover NIST Cyber Security Framework Protect Respond Detect 2013 Hein & Associates LLP.
23 The Framework Structure 5 Functions (Entity Risk Areas) 22 Categories (Control Objectives) 98 Subcategories (Control Requirements)
24 CSX Respondent Results 75% of CISOs and CISMs had heard of the framework Benefits: Overall increase in awareness of cyber security threats, Better strategic alignment of security with enterprise objectives Greater support from senior management Sense of improved overall governance of cyber security 50 percent of those who are using the framework reported an increased overall level of cyber security governance in their organization
25 NIST, The Details
26 Technical Speak I used 256 Bit Diffie Helman with SHA 2 to send you an . HUH?
27 Layman Speak I sent you a secure that allows you to verify it came from me.
28 CSX Program Steps 1. Prioritize and Scope 2. Orient 3. Create a Current Profile 4. Conduct a Risk Assessment 5. Create a Target Profile 6. Determine, Analyze, and Prioritize Gaps 7. Implement Action Plans
29 Risk Assessment Approach Scope Areas: Function Category (Control Objective) Subcategory (Requirements) Scope Area (Systems) Example Questions Walkthrough Supporting Documentation Tier Assessment
30 Example Design Assessment Components
31 Identify (ID) Function IDENTIFY (ID) Category Asset Management (ID.AM) Business Environment (ID.BE) Governance (ID.GV): Risk Assessment (ID.RA) Risk Management Strategy (ID.RM) ID.AM: Understanding your hardware, software, Resources 6 Sub. ID.BE: Security Alignment with organization and stakeholders 5 Sub. ID.GV: Security Policies, process, and role definition and alignment 4 Sub. ID.RA: Threat and Vulnerability Assessment 6 Sub. ID.RA: Defining the organization s Risk Appetite 3 Sub. 24 Total Subcategories
32 Protect (PR) Function PROTECT (PR) Category Access Control (PR.AC) Awareness and Training Data Security (PR.DS) Information Protection Processes and Procedures (PR.IP) Maintenance (PR.MA) Protective Technology (PR.PT) PR.AC: Access Management Process 5 Sub. PR.AT: Communicating Security Roles and Responsibilities/Awareness Training 5 Sub.
33 Protect (PR) Cont. Function PROTECT (PR) Category Access Control (PR.AC) Awareness and Training Data Security (PR.DS) Information Protection Processes and Procedures (PR.IP) Maintenance (PR.MA) Protective Technology (PR.PT) PR.DS: Manage information to protect the confidentiality, integrity, and availability of information. 7 Sub. PR.IP: Security policies and procedures are used to manage information systems Sub. These categories are TOO NEBULOUS and try to cover too many bases!
34 Tips to Attack Nebulousness Organization size Resource availability What information needs to be protected Supporting system(s) Protection capabilities Risk appetite Information criticality
35 Protect (PR) Cont. Function PROTECT (PR) Category Access Control (PR.AC) Awareness and Training Data Security (PR.DS) Information Protection Processes and Procedures (PR.IP) Maintenance (PR.MA) Protective Technology (PR.PT) PR.MA: Maintenance, Repair and Patching of Systems - 2 Sub. PR.PT: Protecting Systems, Logs, Media, and Networks using least privilege - 4 Sub. 35 Total Subcategories
36 Detect (DE) Function DETECT (DE) Category Anomalies and Events (DE.AE) Security Continuous Monitoring (DE.CM) Detection Processes (DE.DP) DE.AE: Event Triggers and Impacts- 5 Sub. DE.CM: Event Detection Measures- 8 Sub. DE.DP: Event Identification Processes - 5 Sub. 18 Total Subcategories
37 Respond (RS) Function RESPOND (RS) Category Response Planning (RS.RP) Communications (RS.CO) Analysis (RS.AN) Mitigation (RS.MI) Improvements (RS.IM) RS.RP: Response Procedure Development/Performance - 1 Sub. RS.CO: Roles, Reporting, Coordination- 5 Sub. RS.AN: Incident investigation and impact analysis- 4 Sub. RS.MI: Minimize the impact of an incident - 3 Sub. RS.IM: Continuous improvement of response plans and strategies - 2 Sub. 15 Total Subcategories
38 Recover Function RECOVER (RC) Category Recovery Planning (RC.RP) Improvements (RC.IM) Communications (RC.CO) RC.RP: Recovery Plan Development and Execution- 1 Sub. RC.IM: Strategies and Lessons Learned - 2 Sub. RC.CO: Restoration of confidence and cleanup - 3 Sub. 6 Total Subcategories
39 Framework Tiers Tier Risk Management Process Integrated Risk Management Program External Participation Tier 1 Adhoc and Reactive Limited Communication & Activity Limited or No Activities Performed Tier 2 Informal Processes Active Communication, Adequate Staff, and Process Understands Role Externally as a Customer & a Vendor Formal Policies and Procedures Changes based on Lessons Learned and Predictive Indicators Tier 3 Organization Wide Approach, Consistency Tier 4 Cyber security risk management is a part of the culture. Understands Dependencies and Partners as Customer & a Vendor Actively shares risk information as Customer & a Vendor
40 Tier Scoring Assessed Score Function IDENTIFY (ID) Category Risk Management Integrated Risk Management Program External Participation Assessed Score Desired Score Asset Management (ID.AM) Business Environment (ID.BE) Governance (ID.GV): Risk Assessment (ID.RA) Risk Management Strategy (ID.RM) Average Scores Access Control (PR.AC) Awareness and Training (PR.AT) Data Security (PR.DS) PROTECT (PR) DETECT (DE) RESPOND (RS) RECOVER (RC) Information Protection Processes and Procedures (PR.IP) Maintenance (PR.MA) Protective Technology (PR.PT) Average Scores Anomalies and Events (DE.AE) Security Continuous Monitoring (DE.CM) Detection Processes (DE.DP) Average Scores Response Planning (RS.RP) Communications (RS.CO) Analysis (RS.AN) Mitigation (RS.MI) Improvements (RS.IM) Average Scores Recovery Planning (RC.RP) Improvements (RC.IM) Communications (RC.CO) Average Scores
41 Tier Scoring Summary Function Desired Score Assessed Score IDENTIFY (ID) PROTECT (PR) DETECT (DE) RESPOND (RS) RECOVER (RC) Cyber Security Process Tier Maturity IDENTIFY (ID) PROTECT (PR) DETECT (DE) RESPOND (RS) RECOVER (RC) Desired Score Assessed Score
42 Hein s FREE Online Security Announcing.. Questionnaire Hein s Cyber Security Questionnaire Perform your own assessment online. Hein will provide you with the results within 24 hours of the assessment. If requested, we would be happy to perform the assessment with you offline.
43 Cyber Security Value Propositions Cyber Security Management Partner Vulnerability / Penetration Assessments Cyber Security Tuning System Hardening / Cyber Security Audits Incident Response / Recovery Plan Development Cyber Security Process Management External Third Party Assessments Free External Scans
44 NIST, The Regulation?
45 Downfalls Unclear Privacy Requirements Confusing Tiers/Maturity Model Framework does not: Educate executive management Provide clear guidance Does not encourage the sharing of threat information Is not tied to any regulation
46 Why not being widely adopted? SOC Reports Cyber-Liability Insurance No regulatory requirement Executive education Skilled Staff Required Sarbanes Oxley There s a NIST Cyber Security Framework?
47 How does the Framework Align to SOX? 98 total subcategories 22 Can be traced to Sarbanes Oxley testing 11 Clearly map to Sarbanes Oxley 11 Have a partial mapping to Sarbanes Oxley SOX Aligned Partially SOX Alligned DE.AE 1 ID.AM 3 DE.CM 4 PR.PT 1 PR.AC 1 ID.AM 4 ID.GV 2 PR.PT 2 PR.AC 2 ID.GV 1 PR.AC 3 PR.PT 3 PR.AC 4 PR.IP 3 PR.AT 3 PR.PT 4 PR.AT 2 PR.IP 4 PR.DS 2 PR.DS 6 PR.DS 7 PR.IP 11
48 Should Cyber Security be Regulated? Regardless of industry, which element of legal and regulatory requirements are all industries subject to: A. Sarbanes Oxley B. HIPAA C. Due Care D. Privacy Act E. PCI
49 Regulatory Notes July 2002 Sarbanes Oxley Act November 2002 Homeland Security Act November 2002 Federal Information Security Management Act (FISMA) November Cyber Security Research and Development Act Required NIST to establish cyber security research programs. There have been no MAJOR cyber security related regulations since November 2002.
50 Why Regulation May Not Work Military tactics are at work. There are no rules and regulations followed by enemies in cyber warfare. Strategies and tactics must be devised, but must be changed, adapted, and updated to address emerging threats. If you prescribe a strategy and tactics, your enemies will circumvent the prescription.
51 To Regulate or Not to Regulate
52 NIST Take-Aways People, Process and Technology Organizations Must Own incident response Invest in experts for protection and detection Take ownership of the risk Inventory systems and critical data
53 NIST Take-Aways (Cont.) Framework context Think organizational risk Derive risk appetite Control efficiency The NIST framework must be improved upon
54 Food for Thought When thinking about cyber security, risk does not create an issue, but an issue can create risk. However, we must address the issue of assessing cyber security risk.
55 Contact Information Chad Stowe, CISSP, CISA, MBA Managing Consultant, Cyber Risk Service Leader Office (303)
Happy First Anniversary NIST Cybersecurity Framework:
Happy First Anniversary NIST Cybersecurity Framework: We ve Hardly Known Ya Chad Stowe, CISSP, CISA, MBA Who is your organization on Cybersecurity? Problem Statement Management has not been given the correct
More informationCybersecurity Framework Security Policy Mapping Table
Cybersecurity Framework Security Policy Mapping Table The following table illustrates how specific requirements of the US Cybersecurity Framework [1] are addressed by the ISO 27002 standard and covered
More informationAutomation Suite for NIST Cyber Security Framework
WHITEPAPER NIST Cyber Security Framework Automation Suite for NIST Cyber Security Framework NOVEMBER 2014 Automation Suite for NIST Cyber Security Framework The National Institute of Standards and Technology
More informationNIST CYBERSECURITY FRAMEWORK COMPLIANCE WITH OBSERVEIT
NIST CYBERSECURITY FRAMEWORK COMPLIANCE WITH OBSERVEIT OVERVIEW The National Institute of Standards of Technology Framework for Improving Critical Infrastructure Cybersecurity (The NIST Framework) is a
More informationCRR-NIST CSF Crosswalk 1
IDENTIFY (ID) Asset Management (AM): The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative
More informationApplying IBM Security solutions to the NIST Cybersecurity Framework
IBM Software Thought Leadership White Paper August 2014 Applying IBM Security solutions to the NIST Cybersecurity Framework Help avoid gaps in security and compliance coverage as threats and business requirements
More informationNIST Cybersecurity Framework & A Tale of Two Criticalities
NIST Cybersecurity Framework & A Tale of Two Criticalities Vendor Management & Incident Response Presented by: John H Rogers, CISSP Advisory Services Practice Manager john.rogers@sagedatasecurity.com Presented
More informationFramework for Improving Critical Infrastructure Cybersecurity
Framework for Improving Critical Infrastructure Cybersecurity January 2016 cyberframework@nist.gov Improving Critical Infrastructure Cybersecurity It is the policy of the United States to enhance the security
More informationCritical Manufacturing Cybersecurity Framework Implementation Guidance
F Critical Manufacturing Cybersecurity Framework Implementation Guidance i Foreword The National Institute of Standards and Technology (NIST) released the 2014 Framework for Improving Critical Infrastructure
More informationNIST Cybersecurity Framework Sean Sweeney, Information Security Officer 5/20/2015
NIST Cybersecurity Framework Sean Sweeney, Information Security Officer 5/20/2015 Overview The University of Pittsburgh NIST Cybersecurity Framework Pitt NIST Cybersecurity Framework Program Wrap Up Questions
More informationData Breaches, Credit Card Fraud, Front Page News Are You Next?
Data Breaches, Credit Card Fraud, Front Page News Are You Next? Calvin Weeks EnCE, CEDS, CRISC, CISSP, CISM Computer Forensics Manager 1 Home Depot Breach CBS News 2,200 stores compromised Up to 60 million
More informationImproving Critical Infrastructure Cybersecurity Executive Order 13636. Preliminary Cybersecurity Framework
1 Improving Critical Infrastructure Cybersecurity Executive Order 13636 Preliminary Cybersecurity Framework 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35
More informationAppendix B: Mapping Cybersecurity Assessment Tool to NIST
Appendix B: to NIST Cybersecurity Framework In 2014, the National Institute of Standards and Technology (NIST) released a Cybersecurity Framework for all sectors. The following provides a mapping of the
More informationFramework for Improving Critical Infrastructure Cybersecurity
Framework for Improving Critical Infrastructure Cybersecurity Version 1.0 National Institute of Standards and Technology February 12, 2014 Table of Contents Executive Summary...1 1.0 Framework Introduction...3
More informationFramework for Improving Critical Infrastructure Cybersecurity
Framework for Improving Critical Infrastructure Cybersecurity Version 1.0 National Institute of Standards and Technology February 12, 2014 Table of Contents Executive Summary...1 1.0 Framework Introduction...3
More informationFramework for Improving Critical Infrastructure Cybersecurity
Framework for Improving Critical Infrastructure Cybersecurity April 2016 cyberframework@nist.gov Pre-Cybersecurity Framework Threat Landscape 79% of reported victims were targets of opportunity 96% of
More informationWeak (1.0) Limited (2.0) Effective (3.0) Strong (4.0) Very Strong (5.0)
Results for Telco Co Your Cyber Risk Profile The Cyber Risk Profile is designed to quickly provide a visual indication of your cybersecurity risk. In the Cyber RiskScope methodology, your Cybersecurity
More informationWelcome! Designing and Building a Cybersecurity Program
Welcome! Designing and Building a Cybersecurity Program Note that audio will be through your phone. Please dial: 866-740-1260 Access code: 6260070 The webcast will be 60 minutes in length with time allotted
More informationIT ASSET MANAGEMENT Securing Assets for the Financial Services Sector
IT ASSET MANAGEMENT Securing Assets for the Financial Services Sector V.2 Final Draft May 1, 2014 financial_nccoe@nist.gov This revision incorporates comments from the public. Page Use case 1 Comments
More informationHITRUST Common Security Framework Summary of Changes
HITRUST Common Security Framework Summary of Changes Apr-14 CSF 2014 V6.1 Incorporates changes in PCI-DSS v3 and updates stemming from the HIPAA Omnibus Final Rule. Includes mappings to the v1. Fundamental
More informationCRR Supplemental Resource Guide. Volume 5. Incident Management. Version 1.1
CRR Supplemental Resource Guide Volume 5 Incident Management Version 1.1 Copyright 2016 Carnegie Mellon University This material is based upon work funded and supported by Department of Homeland Security
More informationBuilding Security In:
#CACyberSS2015 Building Security In: Intelligent Security Design, Development and Acquisition Steve Caimi Industry Solutions Specialist, US Public Sector Cybersecurity September 2015 A Little About Me
More informationThe NIST Framework for Improving Critical Infrastructure Cybersecurity - An Executive Guide
SOLUTION BRIEF NIST FRAMEWORK FOR IMPROVING CRITICAL INFRASTRUCTURE CYBERSECURITY The NIST Framework for Improving Critical Infrastructure Cybersecurity - An Executive Guide SOLUTION BRIEF CA DATABASE
More informationCybersecurity: What CFO s Need to Know
Cybersecurity: What CFO s Need to Know William J. Nowik, CISA, CISSP, QSA PCIP MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT FIRMS 2014 Wolf & Company, P.C. Today s Agenda Introduction
More informationDesigning & Building a Cybersecurity Program. Based on the NIST Cybersecurity Framework (CSF)
Designing & Building a Cybersecurity Program Based on the NIST Cybersecurity Framework (CSF) Larry Wilson Lesson 3 June, 2015 1 Lesson 3: Building the Programs The Controls Factory Lesson 3 - Building
More informationDefending Against Data Beaches: Internal Controls for Cybersecurity
Defending Against Data Beaches: Internal Controls for Cybersecurity Presented by: Michael Walter, Managing Director and Chris Manning, Associate Director Protiviti Atlanta Office Agenda Defining Cybersecurity
More informationClick to edit Master title style
EVOLUTION OF CYBERSECURITY Click to edit Master title style IDENTIFYING BEST PRACTICES PHILIP DIEKHOFF, IT RISK SERVICES TECHNOLOGY THE DARK SIDE AGENDA Defining cybersecurity Assessing your cybersecurity
More informationDiscussion Draft of the Preliminary Cybersecurity Framework
1 Discussion Draft of the Preliminary Cybersecurity Framework August 28, 2013 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 A Discussion Draft of the Preliminary
More informationCompliance Guide ISO 27002. Compliance Guide. September 2015. Contents. Introduction 1. Detailed Controls Mapping 2.
ISO 27002 Compliance Guide September 2015 Contents Compliance Guide 01 02 03 Introduction 1 Detailed Controls Mapping 2 About Rapid7 7 01 INTRODUCTION If you re looking for a comprehensive, global framework
More informationThe President issued an Executive Order Improving Critical Infrastructure Cybersecurity, on February 2013.
The President issued an Executive Order Improving Critical Infrastructure Cybersecurity, on February 2013. The Executive Order calls for the development of a voluntary risk based Cybersecurity Framework
More informationThe Value of Vulnerability Management*
The Value of Vulnerability Management* *ISACA/IIA Dallas Presented by: Robert Buchheit, Director Advisory Practice, Dallas Ricky Allen, Manager Advisory Practice, Houston *connectedthinking PwC Agenda
More informationSECURITY. Risk & Compliance Services
SECURITY Risk & Compliance s V1 8/2010 Risk & Compliances s Risk & compliance services Summary Summary Trace3 offers a full and complete line of security assessment services designed to help you minimize
More informationSCAC Annual Conference. Cybersecurity Demystified
SCAC Annual Conference Cybersecurity Demystified Me Thomas Scott SC Deputy Chief Information Security Officer PMP, CISSP, CISA, GSLC, FEMA COOP Practitioner Tscott@admin.sc.gov 803-896-6395 What is Cyber
More informationSecurity Controls What Works. Southside Virginia Community College: Security Awareness
Security Controls What Works Southside Virginia Community College: Security Awareness Session Overview Identification of Information Security Drivers Identification of Regulations and Acts Introduction
More informationApplying Framework to Mobile & BYOD
Applying Framework to Mobile & BYOD Framework for Improving Critical Infrastructure Cybersecurity National Association of Attorneys General Southern Region Meeting 13 March 2015 cyberframework@nist.gov
More informationEmerging Network Security Threats and what they mean for internal auditors. December 11, 2013 John Gagne, CISSP, CISA
Emerging Network Security Threats and what they mean for internal auditors December 11, 2013 John Gagne, CISSP, CISA 0 Objectives Emerging Risks Distributed Denial of Service (DDoS) Attacks Social Engineering
More informationBig Data, Big Risk, Big Rewards. Hussein Syed
Big Data, Big Risk, Big Rewards Hussein Syed Discussion Topics Information Security in healthcare Cyber Security Big Data Security Security and Privacy concerns Security and Privacy Governance Big Data
More informationC Y B E R S E C U R I T Y INSIDER THREAT BEST PRACTICES GUIDE JULY 2014
CYBERSECURITY INSIDER THREAT BEST PRACTICES GUIDE JULY 2014 INSIDER THREAT BEST PRACTICES GUIDE I. DISCLAIMER This report was prepared as an account of work within the private and public sector. Neither
More informationCreating an Integrated Business Continuity / Disaster Recovery (BC/DR) Program. A Hands on Workshop
Creating an Integrated Business Continuity / Disaster Recovery (BC/DR) Program A Hands on Workshop The material appearing in this presentation is for informational purposes only and is not legal or accounting
More informationIncident Response 101: You ve been hacked, now what?
Incident Response 101: You ve been hacked, now what? Gary Perkins, MBA, CISSP Chief Information Security Officer (CISO) Information Security Branch Government of British Columbia Agenda: threat landscape
More informationEd McMurray, CISA, CISSP, CTGA CoNetrix
Ed McMurray, CISA, CISSP, CTGA CoNetrix AGENDA Introduction Cybersecurity Recent News Regulatory Statements NIST Cybersecurity Framework FFIEC Cybersecurity Assessment Questions Information Security Stats
More informationBy: Gerald Gagne. Community Bank Auditors Group Cybersecurity What you need to do now. June 9, 2015
Community Bank Auditors Group Cybersecurity What you need to do now June 9, 2015 By: Gerald Gagne MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT FIRMS 2015 Wolf & Company, P.C. Cybersecurity
More informationCybersecurity The role of Internal Audit
Cybersecurity The role of Internal Audit Cyber risk High on the agenda Audit committees and board members are seeing cybersecurity as a top risk, underscored by recent headlines and increased government
More informationThe NIST Cybersecurity Framework (CSF) Unlocking CSF - An Educational Session
The NIST Cybersecurity Framework (CSF) Unlocking CSF - An Educational Session Robert Smith Systemwide IT Policy Director Compliance & Audit Educational Series 5/5/2016 1 Today s reality There are two kinds
More informationASSESSING VENDORS USING THE NIST CYBERSECURITY FRAMEWORK
ASSESSING VENDORS USING THE NIST CYBERSECURITY FRAMEWORK Enterprise Risk Management Vendor Management Business Continuity IT GRC Internal Audit Regulatory Compliance Manager Dan Banning Director of Marketing
More informationCybersecurity Audit Why are we still Vulnerable? November 30, 2015
Cybersecurity Audit Why are we still Vulnerable? November 30, 2015 John R. Robles, CISA, CISM, CRISC www.johnrrobles.com jrobles@coqui.net 787-647-3961 John R. Robles- 787-647-3961 1 9/11-2001 The event
More informationCompliance, Security and Risk Management Relationship Advice. Andrew Hicks, Director Coalfire
Compliance, Security and Risk Management Relationship Advice Andrew Hicks, Director Coalfire Housekeeping You may submit questions throughout the webinar using the question area in the control panel on
More informationCyber Insurance: How to Investigate the Right Coverage for Your Company
6-11-2015 Cyber Insurance: How to Investigate the Right Coverage for Your Company Presented by: Faith M. Heikkila, Ph.D., CISM, CIPM, CIPP-US, ABCP Greenleaf Trust Chief Information Security Officer (CISO)
More informationSECURITY RISK MANAGEMENT
SECURITY RISK MANAGEMENT ISACA Atlanta Chapter, Geek Week August 20, 2013 Scott Ritchie, Manager, HA&W Information Assurance Services Scott Ritchie CISSP, CISA, PCI QSA, ISO 27001 Auditor Manager, HA&W
More informationSecurity Management. Keeping the IT Security Administrator Busy
Security Management Keeping the IT Security Administrator Busy Dr. Jane LeClair Chief Operating Officer National Cybersecurity Institute, Excelsior College James L. Antonakos SUNY Distinguished Teaching
More informationAPT Advanced Persistent Threat Time to rethink?
APT Advanced Persistent Threat Time to rethink? 23 November 2012 Gergely Tóth Senior Manager, Security & Privacy Agenda APT examples How to get inside? Remote control Once we are inside Conclusion 2 APT
More informationEnterprise Cybersecurity: Building an Effective Defense
: Building an Effective Defense Chris Williams Scott Donaldson Abdul Aslam 1 About the Presenters Co Authors of Enterprise Cybersecurity: How to Implement a Successful Cyberdefense Program Against Advanced
More informationCyber Security and Privacy Services. Working in partnership with you to protect your organisation from cyber security threats and data theft
Cyber Security and Privacy Services Working in partnership with you to protect your organisation from cyber security threats and data theft 2 Cyber Security and Privacy Services What drives your security
More informationReal World Healthcare Security Exposures. Brian Selfridge, Partner, Meditology Services
Real World Healthcare Security Exposures Brian Selfridge, Partner, Meditology Services 2 Agenda Introduction Background and Industry Context Anatomy of a Pen Test Top 10 Healthcare Security Exposures Lessons
More informationDeveloping National Frameworks & Engaging the Private Sector
www.pwc.com Developing National Frameworks & Engaging the Private Sector Focus on Information/Cyber Security Risk Management American Red Cross Disaster Preparedness Summit Chicago, IL September 19, 2012
More informationDepartment of Management Services. Request for Information
Department of Management Services Request for Information Cyber-Security Assessment, Remediation, and Identity Protection, Monitoring, and Restoration Services September 3, 2015 Submitted By: Carlos Henley
More informationCloud Assurance: Ensuring Security and Compliance for your IT Environment
Cloud Assurance: Ensuring Security and Compliance for your IT Environment A large global enterprise has to deal with all sorts of potential threats: advanced persistent threats (APTs), phishing, malware
More informationProfessional Services Overview
Professional Services Overview INFORMATION SECURITY ASSESSMENT AND ADVISORY NETWORK APPLICATION MOBILE CLOUD IOT Praetorian Company Overview HISTORY Founded in 2010 Headquartered in Austin, TX Self-funded
More informationIT AUDIT WHO WE ARE. Current Trends and Top Risks of 2015 10/9/2015. Eric Vyverberg. Randy Armknecht. David Kupinski
IT AUDIT Current Trends and Top Risks of 2015 2 02 Eric Vyverberg WHO WE ARE David Kupinski Randy Armknecht Associate Director Internal Audit Protiviti 317.510.4661 eric.vyverberg@protiviti.com Managing
More informationThe Protection Mission a constant endeavor
a constant endeavor The IT Protection Mission a constant endeavor As businesses become more and more dependent on IT, IT must face a higher bar for preparedness Cyber preparedness is the process of ensuring
More informationCybersecurity: Protecting Your Business. March 11, 2015
Cybersecurity: Protecting Your Business March 11, 2015 Grant Thornton. All LLP. rights All reserved. rights reserved. Agenda Introductions Presenters Cybersecurity Cybersecurity Trends Cybersecurity Attacks
More informationData Breach Lessons Learned. June 11, 2015
Data Breach Lessons Learned June 11, 2015 Introduction John Adams, CISM, CISA, CISSP Associate Director Security & Privacy 410.707.2829 john.adams@protiviti.com Powerful Insights. Proven Delivery. Kevin
More informationAn Overview of Information Security Frameworks. Presented to TIF September 25, 2013
An Overview of Information Security Frameworks Presented to TIF September 25, 2013 What is a framework? A framework helps define an approach to implementing, maintaining, monitoring, and improving information
More informationHow To Buy Cyber Insurance
10-26-2015 Cyber Insurance: How to Investigate the Right Coverage for Your Company Presented by: Faith M. Heikkila, Ph.D., CISM, CIPM, CIPP-US, ABCP Greenleaf Trust Chief Information Security Officer (CISO)
More informationINFORMATION SECURITY FOR YOUR AGENCY
INFORMATION SECURITY FOR YOUR AGENCY Presenter: Chad Knutson Secure Banking Solutions, LLC CONTACT INFORMATION Dr. Kevin Streff Professor at Dakota State University Director - National Center for the Protection
More informationProtecting Sensitive Data Reducing Risk with Oracle Database Security
Protecting Sensitive Data Reducing Risk with Oracle Database Security Antonio.Mata.Gomez@oracle.com Information Security Architect Agenda 1 2 Anatomy of an Attack Three Steps to Securing an Oracle Database
More informationCYBERSECURITY: PROTECTING YOUR ORGANIZATION AGAINST CYBER ATTACKS. Viviana Campanaro CISSP Director, Security and Compliance July 14, 2015
CYBERSECURITY: PROTECTING YOUR ORGANIZATION AGAINST CYBER ATTACKS Viviana Campanaro CISSP Director, Security and Compliance July 14, 2015 TODAY S PRESENTER Viviana Campanaro, CISSP Director, Security and
More informationPACB One-Day Cybersecurity Workshop
PACB One-Day Cybersecurity Workshop WHAT IS CYBERSECURITY? PRESENTED BY: JON WALDMAN, SBS CISA, CRISC 1 Contact Information Jon Waldman Partner, Senior IS Consultant CISA, CRISC Masters of Info Assurance
More informationCritical Controls for Cyber Security. www.infogistic.com
Critical Controls for Cyber Security www.infogistic.com Understanding Risk Asset Threat Vulnerability Managing Risks Systematic Approach for Managing Risks Identify, characterize threats Assess the vulnerability
More informationEnterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006
Enterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006 April 2013 Hologic and the Hologic Logo are trademarks or registered trademarks of Hologic, Inc. Microsoft, Active Directory,
More informationFramework for Improving Critical Infrastructure Cybersecurity
Framework for Improving Critical Infrastructure Cybersecurity Implementation of Executive Order 13636 8 April 2015 cyberframework@nist.gov Agenda Mission of NIST Cybersecurity at NIST Cybersecurity Framework
More informationHIPAA CRITICAL AREAS TECHNICAL SECURITY FOCUS FOR CLOUD DEPLOYMENT
HIPAA CRITICAL AREAS TECHNICAL SECURITY FOCUS FOR CLOUD DEPLOYMENT A Review List This paper was put together with Security in mind, ISO, and HIPAA, for guidance as you move into a cloud deployment Dr.
More informationJohn Essner, CISO Office of Information Technology State of New Jersey
John Essner, CISO Office of Information Technology State of New Jersey http://csrc.nist.gov/publications/nistpubs/800-144/sp800-144.pdf Governance Compliance Trust Architecture Identity and Access Management
More informationACCESS RIGHTS MANAGEMENT Securing Assets for the Financial Services Sector
ACCESS RIGHTS MANAGEMENT Securing Assets for the Financial Services Sector V.2 Final Draft May 1, 2014 financial_nccoe@nist.gov This revision incorporates comments from the public. Page Use case 1 Comments
More informationFINRA Publishes its 2015 Report on Cybersecurity Practices
Securities Litigation & Enforcement Client Service Group and Data Privacy & Security Team To: Our Clients and Friends February 12, 2015 FINRA Publishes its 2015 Report on Cybersecurity Practices On February
More informationPresentation for : The New England Board of Higher Education. Hot Topics in IT Security and Data Privacy
Presentation for : The New England Board of Higher Education Hot Topics in IT Security and Data Privacy October 22, 2010 Rocco Grillo, CISSP Managing Director Protiviti Inc. Quote of the Day "It takes
More informationHow To Manage Security On A Networked Computer System
Unified Security Reduce the Cost of Compliance Introduction In an effort to achieve a consistent and reliable security program, many organizations have adopted the standard as a key compliance strategy
More informationPCI DSS AND THE TOP 20 CRITICAL SECURITY CONTROLS COMPARING SECURITY FRAMEWORKS SERIES
CONFIDENCE: SECURED WHITE PAPER PCI DSS AND THE TOP 20 CRITICAL SECURITY CONTROLS COMPARING SECURITY FRAMEWORKS SERIES ADVANCED THREAT PROTECTION, SECURITY AND COMPLIANCE BENCHMARKS, STANDARDS, FRAMEWORKS
More informationHOW SECURE IS YOUR PAYMENT CARD DATA?
HOW SECURE IS YOUR PAYMENT CARD DATA? October 27, 2011 MOSS ADAMS LLP 1 TODAY S PRESENTERS Francis Tam, CPA, CISA, CISM, CITP, CRISC, PCI QSA Managing Director PCI Practice Leader Kevin Villanueva,, CISSP,
More informationWhat Directors need to know about Cybersecurity?
What Directors need to know about Cybersecurity? W HAT I S C YBERSECURITY? PRESENTED BY: UTAH BANKERS ASSOCIATION AND JON WALDMAN PARTNER, SENIOR IS CONSULTANT - SBS 1 Contact Information Jon Waldman Partner,
More informationCYBERSECURITY: ISSUES AND ISACA S RESPONSE
CYBERSECURITY: ISSUES AND ISACA S RESPONSE June 2014 KEY TRENDS AND DRIVERS OF SECURITY Consumerization Emerging Trends Continual Regulatory and Compliance Pressures Mobile devices Social media Cloud services
More informationOCIE CYBERSECURITY INITIATIVE
Topic: Cybersecurity Examinations Key Takeaways: OCIE will be conducting examinations of more than 50 registered brokerdealers and registered investment advisers, focusing on areas related to cybersecurity.
More informationHow To Write A Cybersecurity Framework
NIST Cybersecurity Framework Overview Executive Order 13636 Improving Critical Infrastructure Cybersecurity 2nd ENISA International Conference on Cyber Crisis Cooperation and Exercises Executive Order
More informationHow to Lead the People in a Program Based Environment
SESSION ID: GRC-W01 Balancing Compliance and Operational Security Demands Steve Winterfeld Bank Information Security Officer CISSP, PCIP What is more important? Compliance with laws / regulations Following
More information應 用 SIEM 偵 測 與 預 防 APT 緩 攻 擊
應 用 SIEM 偵 測 與 預 防 APT 緩 攻 擊 HP Enterprise Security 林 傳 凱 (C. K. Lin) Senior Channel PreSales, North Asia HP ArcSight, Enterprise Security 1 Rise Of The Cyber Threat Enterprises and Governments are experiencing
More informationNIST Cybersecurity Framework What It Means for Energy Companies
Daniel E. Frank J.J. Herbert Mark Thibodeaux NIST Cybersecurity Framework What It Means for Energy Companies November 14, 2013 Your Panelists Dan Frank J.J. Herbert Mark Thibodeaux 2 Overview The Cyber
More informationIntel Security Professional Services Leveraging NIST Cybersecurity Framework (CSF): Complexity is the enemy of security
Intel Security Professional Services Leveraging NIST Cybersecurity Framework (CSF): Complexity is the enemy of security David Brezinski, Professional Services, Enterprise Security Architect Agenda Overview
More informationMaintaining PCI-DSS compliance. Daniele Bertolotti daniele_bertolotti@symantec.com Antonio Ricci antonio_ricci@symantec.com
Maintaining PCI-DSS compliance Daniele Bertolotti daniele_bertolotti@symantec.com Antonio Ricci antonio_ricci@symantec.com Sessione di Studio Milano, 21 Febbraio 2013 Agenda 1 Maintaining PCI-DSS compliance
More informationCyber Resilience Implementing the Right Strategy. Grant Brown Security specialist, CISSP @TheGrantBrown
Cyber Resilience Implementing the Right Strategy Grant Brown specialist, CISSP @TheGrantBrown 1 2 Network + Technology + Customers = $$ 3 Perfect Storm? 1) Increase in Bandwidth (extended reach) 2) Available
More informationData Breach Response Planning: Laying the Right Foundation
Data Breach Response Planning: Laying the Right Foundation September 16, 2015 Presented by Paige M. Boshell and Amy S. Leopard babc.com ALABAMA I DISTRICT OF COLUMBIA I FLORIDA I MISSISSIPPI I NORTH CAROLINA
More informationEnterprise Computing Solutions
Business Intelligence Data Center Cloud Mobility Enterprise Computing Solutions Security Solutions arrow.com Security Solutions Secure the integrity of your systems and data today with the one company
More informationCorporate Overview. MindPoint Group, LLC 8078 Edinburgh Drive, Springfield, VA 22153 Office: 703.636.2033 Fax: 866.761.7457 www.mindpointgroup.
Corporate Overview MindPoint Group, LLC 8078 Edinburgh Drive, Springfield, VA 22153 Office: 703.636.2033 Fax: 866.761.7457 www.mindpointgroup.com IS&P Practice Areas Core Competencies Clients & Services
More informationN-Dimension Solutions Cyber Security for Utilities
AGENDA ITEM NO.: 3.A. MEETING DATE; 08/18/2014 N-Dimension Solutions Cyber Security for Utilities Cyber Security Protection for Critical Infrastructure Assets The cyber threat is escalating - Confidential
More informationHigh End Information Security Services
High End Information Security Services Welcome Trion Logics Security Solutions was established after understanding the market's need for a high end - End to end security integration and consulting company.
More informationAmerica s New Cybersecurity Framework: Help or New Source of Exposure?
America s New Cybersecurity Framework: Help or New Source of Exposure? BY BEHNAM DAYANIM, RYAN NIER & ELIZABETH DORSI March 2014 Data theft is on the rise, and the federal government is concerned. In 2013
More informationCYBERSECURITY & EXPECTATIONS FOR INDEPENDENT GROCERS
October 21, 2015 CYBERSECURITY & EXPECTATIONS FOR INDEPENDENT GROCERS Cerone F. Cy Sturdivant Managing Consultant csturdivant@bkd.com 1 TO RECEIVE CPE CREDIT Participate in entire webinar Answer polls
More informationData Management & Protection: Common Definitions
Data Management & Protection: Common Definitions Document Version: 5.5 Effective Date: April 4, 2007 Original Issue Date: April 4, 2007 Most Recent Revision Date: November 29, 2011 Responsible: Alan Levy,
More informationMEMORANDUM. Date: October 28, 2013. Federally Regulated Financial Institutions. Subject: Cyber Security Self-Assessment Guidance
MEMORANDUM Date: October 28, 2013 To: Federally Regulated Financial Institutions Subject: Guidance The increasing frequency and sophistication of recent cyber-attacks has resulted in an elevated risk profile
More informationIncident Response. Six Best Practices for Managing Cyber Breaches. www.encase.com
Incident Response Six Best Practices for Managing Cyber Breaches www.encase.com What We ll Cover Your Challenges in Incident Response Six Best Practices for Managing a Cyber Breach In Depth: Best Practices
More information