How To Understand And Manage Cybersecurity Risk
White Paper

A Framework to Gauge Cyber Defenses

NIST's Cybersecurity Framework Helps Critical Infrastructure Owners to Cost-Effectively Defend National & Economic Security of the U.S.
Executive Summary

Critical infrastructures underpin national and economic security in the United States. Increasing onslaughts of cybercrime necessitate ever-greater urgency with regard to their resilience and protection. The operations and management of the most critical infrastructures hinge on reliable connectivity, which makes these resources especially vulnerable to cyber attacks. Also vulnerable are the finances and reputations of the private sector, which owns and operates about 85% of the nation's critical infrastructure.

An Executive Order issued by President Obama in February 2013 spawned the creation of a new Framework for Improving Critical Infrastructure Cybersecurity to help gauge the effectiveness of cyber defenses and let business drivers cost-effectively guide an organization's risk management process. The new Cybersecurity Framework helps executives to clearly understand cyber risks to their organization and ensure that business priorities steer selection of cybersecurity solutions and operations.

The National Institute of Standards and Technology (NIST) created the Framework in collaboration with the government and private sector. It leverages existing risk management models such as COBIT and ISO/IEC by presenting three simplified parts: (1) a Framework Core of standard cybersecurity controls, (2) Implementation Tiers that provide context on how an organization views cybersecurity risk and the processes used to manage that risk, and (3) Profiles representing present and future risk outcomes based on business needs that are identified in parts 1 and 2. The Profiles serve as an organization's blueprint for cost-effectively protecting critical infrastructure.

This paper presents an overview of the Cybersecurity Framework as a useful executive tool for managing risk. Cyphort is providing this assessment because, as part of deploying our Advanced Threat Cyber Defense Platform solution, we have discovered that the organizations that achieve the best defense are those that actively manage risk from an executive level. This summary is designed to help enterprise leaders leverage effective tools for improving resilience of critical infrastructures under their watch while fulfilling the additionally vital role of protecting the national and economic security of the United States.
Framework Controls Risk Management by Business Priorities

Critical Infrastructure Sectors*
- Chemical
- Commercial Facilities
- Communications
- Critical Manufacturing
- Dams
- Defense Industrial Base
- Emergency Services
- Energy
- Financial Services
- Food and Agriculture
- Government Facilities
- Healthcare and Public Health
- Information Technology
- Nuclear Reactors, Materials, and Waste
- Transportation Systems
- Water and Wastewater Systems
*Source: Presidential Policy Directive 21 (PPD-21): Critical Infrastructure Security and Resilience

Overview of NIST's Cybersecurity Framework

On 12 February 2013 President Barack Obama issued an Executive Order, Improving Critical Infrastructure Security. He directed NIST to develop a Cybersecurity Framework to help owners and operators of critical infrastructure identify, assess, and manage cyber risk. To ensure public trust and simplify operations across legal regimes, the Framework was to include a methodology for protecting individual privacy and civil liberties during the implementation of cybersecurity programs and activities. President Obama also directed the establishment of a voluntary program to support adoption of the Framework. Primary targets are the 16 critical infrastructure sectors (see sidebar) that are foundational to the national and economic security of the United States.

NIST published Version 1.0 of the Framework for Improving Critical Infrastructure Cybersecurity on 12 February. The Framework is technology-neutral and is based on a variety of existing standards, guidelines, and practices for risk management and cybersecurity. It complements these and is not meant to replace them, but the Framework may be used in lieu of these if an organization does not have an existing cybersecurity risk management program in place. The Framework is not industry-specific, so it may be adapted as appropriate to the particular requirements of organizations in different critical infrastructure sectors.

NIST states that the Framework is intended to be a living document and will be updated and improved as industry provides feedback on implementation. According to the Framework (p. 4), its common taxonomy and mechanism allow organizations to:
1. Describe their current cybersecurity posture;
2. Describe their target state for cybersecurity;
3. Identify and prioritize opportunities for improvement within the context of a continuous and repeatable process;
4. Assess progress toward the target state;
5. Communicate among internal and external stakeholders about cybersecurity risks.
Summaries of the Framework's Core, Implementation Tiers, Profiles, and use of the Framework are provided below.

Framework Core Functions

The Framework formally defines its Core as a set of cybersecurity activities, desired outcomes, and applicable references across critical infrastructure sectors. The Core consists of standard cybersecurity controls slotted into a taxonomy of five Functions, 22 Categories (subdivisions of the Functions), and 98 Subcategories, along with applicable Informative References that are familiar to cybersecurity practitioners. Core Functions form the operational culture that addresses cybersecurity risks. The Core Functions are:

Identify
Identify Functions are foundational; they help an organization understand how to manage cybersecurity risk to systems, assets, data, and capabilities. Relating these to a business context is critical for prioritizing efforts. Categories include Asset Management, Business Environment, Governance, Risk Assessment, and Risk Management Strategy.

Protect
Protect Functions are the safeguards that ensure delivery of critical infrastructure services. In terms of ensuring resilience, these safeguards help to limit or contain the impact of a cybersecurity event. Categories include Access Control, Awareness and Training, Data Security, Information Protection Processes and Procedures, Maintenance, and Protective Technology.

Detect
Detect Functions identify the occurrence of a cybersecurity event. Categories include Anomalies and Events, Security Continuous Monitoring, and Detection Processes.

Respond
Respond Functions allow an organization to take action on a detected cybersecurity event. The goal of Respond Functions is to contain the impact of a cybersecurity event and remediate vulnerabilities. Categories include Response Planning, Communications, Analysis, Mitigation, and Improvements.

Cyphort's solution falls under the Detect and Respond Functions.

Recover
Recover Functions are for resilience planning, particularly the restoration of capabilities or services impaired by a cybersecurity event. Categories include Recovery Planning, Improvements, and Communications.
Informative References for Framework Core

COBIT - Control Objectives for Information and Related Technology
  ISACA's framework for managing and governing information technology. Bridges control requirements, technical issues and business risks.

CCS CSC - Council on CyberSecurity Top 20 Critical Security Controls
  Subset of controls in NIST SP, prioritizing those that are effective against Advanced Targeted Threats by emphasizing what works.

ANSI/ISA ( )-2009 - Security for Industrial Automation and Control Systems: Establishing an Industrial Automation and Control Systems Security Program
  ANSI/ISA's standard on cybersecurity focused on industrial automation and control systems.

ANSI/ISA ( )-2013 - Security for Industrial Automation and Control Systems: System Security Requirements and Security Levels
  ANSI/ISA's standard on cybersecurity focused on industrial automation and control systems.

ISO/IEC 27001:2013 - Information technology - Security techniques - Information security management systems - Requirements
  ISO/IEC's international standard on cybersecurity focused on industrial automation and control systems.

NIST SP Rev. 4 - Security and Privacy Controls for Federal Information Systems and Organizations
  NIST's catalog of security controls for all U.S. federal information systems except those used in national security.

Framework Implementation Tiers

Implementation Tiers frame the context for how an organization views cybersecurity risks and which processes it uses to manage those risks. Four Tiers range from lower to greater rigor and sophistication as part of an organization's approach to managing risk. Tiers incorporate an organization's business requirements and other aspects of cybersecurity, including the degree of privacy and civil liberties considerations used by an organization to manage and respond to cybersecurity risk. They also consider an organization's business and mission objectives, constraints of the organization, and legal and regulatory requirements. The latter may carry heavy weight for certain critical infrastructure sectors.

Guidance from federal resources, Information Sharing and Analysis Centers (ISACs), and other sources can help inform an organization on a desirable Tier. For example, REN-ISAC for education, FS-ISAC for financial services, and others provide a range of services including risk mitigation, incident response, alerts and information/intelligence sharing. The ISACs' goal is to provide critical infrastructure owners and operators with accurate, actionable, and relevant information.

Cyphort believes that continuous threat monitoring, context-relevant detection, and practical mitigation actions are critical for effective protection of critical infrastructure. Cyphort's threat protection platform helps organizations to achieve higher Implementation Tier functionality by enabling a comprehensive security ecosystem with open interfaces to incorporate threat intelligence sharing from ISACs.

The strategy for Implementation Tiers is to weigh the considerations above and determine which Tier is appropriate for your organization, both for meeting enterprise requirements and those of U.S. national and economic security. The Framework encourages organizations to progress to higher Tiers to reduce cybersecurity risk while managing cost effectiveness. Success is measured by achieving outcomes specified in an organization's Target Profile(s), not by Tier determination.
Framework Implementation Tiers

Tier 1: Partial
  Risk Management Process: Informal, ad hoc, reactive
  Integrated Risk Management Program: Limited awareness, no organizational process
  External Participation: No coordination or collaboration

Tier 2: Risk Informed
  Risk Management Process: Approved but policy not established; prioritization is informed by risk and business requirements
  Integrated Risk Management Program: Awareness established but without implementation of an organization-wide approach; processes are ready to go
  External Participation: Aware of role in ecosystem but no formal process established

Tier 3: Repeatable
  Risk Management Process: Formally approved and expressed as policy; regularly updated based on risk and business requirements
  Integrated Risk Management Program: Organization-wide approach established, continuously reviewed and updated; personnel are fully trained to perform their roles and responsibilities
  External Participation: Dependencies are understood; information sharing is implemented for collaboration and risk-based management decisions in response to events

Tier 4: Adaptive
  Risk Management Process: Practices are adapted based on lessons learned and predictive indicators; continuous, active improvement to meet evolving and sophisticated threats in a timely manner
  Integrated Risk Management Program: Organization-wide approach uses risk-informed policies, processes, and procedures; risk management is in the organization's cultural DNA
  External Participation: Proactively manages risk and shares information to improve cybersecurity before an event occurs

C3 Voluntary Cyber Community Program

The Department of Homeland Security has partnered with the critical infrastructure community in a voluntary program to encourage the use of the Cybersecurity Framework. It is called the Critical Infrastructure Cyber Community C3 (pronounced "C-Cubed") Voluntary Program. The program is the coordination point between infrastructure owners and operators and the federal government.

C3 has three goals: 1) support the critical infrastructure industry in strengthening its cyber resilience; 2) increase awareness and use of the Framework; and 3) encourage organizations to manage cybersecurity as part of an all-hazards approach to enterprise risk management. During its first year, the C3 Voluntary Program will focus on developing sector-specific guidance on how to implement the Framework. It will provide outreach and communications via DHS and other public and private sector resources, and coordinate feedback on the Framework and its implementation.

Resources and Engagement Channels

C3 Voluntary Program resources are available via a US-CERT Gateway. Engagement channels include:
- Regionally located DHS personnel from the Cyber Security Advisor (CSA) and Protective Security Advisor (PSA) programs.
- The Critical Infrastructure Partnership Advisory Council (CIPAC) Framework.
- Direct engagement between the C3 Voluntary Program and interested organizations via ccubedvp@hq.dhs.gov.
- Requests for Information (RFI) by the general public.
Framework Profiles

Profiles get barely a half-page of coverage in the Framework, but from a functional perspective they may be the most important part, as they specify the roadmap from an organization's current cybersecurity posture to where it needs to be. The Profile aligns everything (Functions, Categories, and Subcategories) with the organization's business requirements, risk tolerance, and resources. A complex organization may require multiple Profiles to cover its unique requirements.

Comparing the Current Profile(s) and Target Profile(s) may reveal material gaps requiring action by cybersecurity risk management stakeholders. Typical gaps may come from weaknesses in threat detection and response, especially from Advanced Persistent Threats, targeted attacks, and zero-day threats. Remediating gaps like these requires prioritization gauged by an organization's business needs and risk management processes. The Department of Homeland Security plans to release guidance on Profiles in conjunction with its Critical Infrastructure Cyber Community C3 (pronounced "C-Cubed") Voluntary Program, described in the sidebar.

Using the NIST Framework

Organizations may use the Framework to systematically guide their process of evaluating and managing cybersecurity risk. The Framework is not meant to replace existing processes, and may be used in tandem with existing processes to help determine gaps and roadmap development. The essence of using the Framework is creating and evolving a Current Profile to a meaningful, cost-efficient Target Profile that describes desirable outcomes for strengthening cybersecurity of critical infrastructure owned or operated by an organization. The process will help senior executives and other stakeholders to clearly understand basic levels of cybersecurity risk, how these are managed, and how their organization can excel in protecting its assets.

In particular, the process can help reveal an organization's posture toward emerging risks such as targeted Advanced Persistent Threats, targeted attacks, and zero-day threats, and answer the question: How are we doing? This knowledge allows stakeholders to clarify policy and practices for strengthening cybersecurity practices. Using the Framework entails a continuous seven-step process of review and recalibration.
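As an added example (not code from the Cyphort paper or from NIST), the following Python models the Current-to-Target Profile comparison described above: it scores each Core Subcategory outcome in both Profiles, weights each shortfall by business priority, and turns the result into a prioritized remediation roadmap. It assumes a simplification that is common in practice but not how the Framework itself defines Tiers: each outcome is scored 1 to 4 using the Tier names as a per-outcome scale; the Subcategory descriptions, priorities and scores are constructed sample data.

```python
"""Current-to-Target Profile gap analysis for the NIST Cybersecurity Framework.

Added example, not code from the Cyphort paper or from NIST.  Assumption:
each Core Subcategory outcome is scored 1..4 using the Implementation Tier
names as a per-outcome scale (a practitioner simplification; the Framework
applies Tiers to the organization as a whole, not to individual outcomes).
"""
from dataclasses import dataclass

# Tier names as given in the Framework; used here as a 1..4 scoring scale.
TIERS = {1: "Partial", 2: "Risk Informed", 3: "Repeatable", 4: "Adaptive"}


@dataclass(frozen=True)
class Outcome:
    """One Core Subcategory, placed under its Function and Category."""
    function: str     # Identify, Protect, Detect, Respond or Recover
    category: str
    subcategory: str  # Framework-style identifier such as "DE.CM-1"
    priority: int     # business-driven weight, 1 (low) .. 5 (high)


@dataclass(frozen=True)
class Gap:
    """A Subcategory whose Target score exceeds its Current score."""
    outcome: Outcome
    current: int
    target: int

    @property
    def severity(self) -> int:
        # Weight the shortfall by business priority so that a small gap on a
        # critical outcome outranks a large gap on a minor one.
        return (self.target - self.current) * self.outcome.priority


def validate_score(score: int) -> int:
    """Reject scores outside the four-level scale instead of ranking them."""
    if score not in TIERS:
        raise ValueError(f"score must be one of {sorted(TIERS)}, got {score!r}")
    return score


def gap_analysis(outcomes, current, target):
    """Return the gaps between two Profiles, most severe first.

    `current` and `target` map subcategory id -> score.  A Subcategory absent
    from a Profile counts as 1 (Partial), the lowest level, so an outcome the
    Target Profile adds but the Current Profile never addressed still surfaces.
    """
    gaps = []
    for o in outcomes:
        cur = validate_score(current.get(o.subcategory, 1))
        tgt = validate_score(target.get(o.subcategory, 1))
        if tgt > cur:
            gaps.append(Gap(o, cur, tgt))
    # Ties on severity fall back to the identifier so output is deterministic.
    return sorted(gaps, key=lambda g: (-g.severity, g.outcome.subcategory))


def roadmap(gaps, budget_steps):
    """Greedy roadmap: spend a fixed budget of score steps on the worst gaps.

    Returns (subcategory, from_score, to_score) tuples; the last entry may be
    a partial climb when the budget runs out mid-gap.
    """
    plan = []
    remaining = budget_steps
    for g in gaps:
        steps = min(g.target - g.current, remaining)
        if steps == 0:
            break
        plan.append((g.outcome.subcategory, g.current, g.current + steps))
        remaining -= steps
    return plan


# Constructed sample data: five outcomes, one per Core Function.
SAMPLE_OUTCOMES = [
    Outcome("Identify", "Asset Management", "ID.AM-1", priority=4),
    Outcome("Protect", "Access Control", "PR.AC-1", priority=5),
    Outcome("Detect", "Security Continuous Monitoring", "DE.CM-1", priority=5),
    Outcome("Respond", "Mitigation", "RS.MI-1", priority=3),
    Outcome("Recover", "Recovery Planning", "RC.RP-1", priority=2),
]
SAMPLE_CURRENT = {"ID.AM-1": 2, "PR.AC-1": 3, "DE.CM-1": 1, "RS.MI-1": 2}
SAMPLE_TARGET = {"ID.AM-1": 3, "PR.AC-1": 3, "DE.CM-1": 4, "RS.MI-1": 3,
                 "RC.RP-1": 3}

if __name__ == "__main__":
    found = gap_analysis(SAMPLE_OUTCOMES, SAMPLE_CURRENT, SAMPLE_TARGET)
    for g in found:
        print(f"{g.outcome.function:8} {g.outcome.subcategory}: "
              f"{TIERS[g.current]} -> {TIERS[g.target]} (severity {g.severity})")
    print("roadmap for 4 steps:", roadmap(found, 4))
```

With the sample data the Detect gap (DE.CM-1, Partial to Adaptive on a priority-5 outcome) ranks first, which mirrors the paper's point that detection and response weaknesses are the typical material gaps.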
Learn More

To learn more about NIST's Cybersecurity Framework, we urge you to read President Obama's Executive Order, Improving Critical Infrastructure Security, and NIST's Framework for Improving Critical Infrastructure Cybersecurity. Resources for implementing the Framework are available from the Department of Homeland Security's Critical Infrastructure Cyber Community C3 (pronounced "C-Cubed") Voluntary Program (see sidebar for details and links). Finally, Cyphort would be pleased to help your risk management team understand how to defend your organization's critical infrastructure against emerging Advanced Persistent Threats, targeted attacks, and zero-day vulnerabilities. To learn more, please visit our website.

About the authors

Gus Hunt, former CTO of the CIA
Mr. Gus Hunt currently serves as President and CEO of Hunt Technology, LLC, a consulting company focused on strategic IT planning, IT effectiveness and efficiency, cyber security, data-centric protection, and the cloud. He is a recently retired federal government senior executive, having served 28 years with the Central Intelligence Agency (CIA). Mr. Hunt retired from CIA as their Chief Technology Officer. As CTO, he set the information technology strategic direction and future technology investment plan for CIA. He was the motivating force behind CIA's decision to acquire a copy of both the Amazon cloud and IBM's Watson.

Dr. Fengmin Gong, Co-founder and Chief Architect
Dr. Fengmin Gong is an entrepreneur and security veteran with more than 25 years of security industry experience. Before founding Cyphort, he served as Chief Scientist and Head of Next-Gen Security Product Development at Huawei-Symantec, and before that as Chief Security Content Officer at FireEye. He also was a Co-founder and Chief Scientist at Palo Alto Networks, Chief Scientist and Director of Intrusion Detection Technologies at McAfee, Co-Founder of IntruVert Networks (acquired by McAfee), and Director of Advanced Networking Research at MCNC. Fengmin holds 12 patents in networking security areas and has published more than 40 technical papers. His academic background includes a professorial appointment at Carolina State University and research roles at Washington University. He holds a D.Sc. and M.S. in Computer Science from Washington University in St. Louis and a B.Eng. and M.Eng. in Computer Science from Xi'an Jiaotong University in China.

About Cyphort

Founded in 2011 by a team of security experts, Cyphort advanced threat defense goes beyond malware detection to reveal the true intent of an attack and the risk it poses to your organization, while offering prioritized and expedited remediation. Our software-based approach combines best-in-class malware detection with knowledge of threat capabilities and your organizational context to cut through the avalanche of security data and get at the threats that matter, so you can respond with velocity, in hours not days. Cyphort empowers enterprises with the three C's of security: reduced resolution time and cost for easy deployment across your entire network, virtual and cloud infrastructure; comprehensive coverage via a distributed software model; and a context-based approach to Advanced Persistent Threats (APTs).

CYPHORT, Inc.
Great America Pkwy, Suite 225
Santa Clara, CA
P: (408) F: (408)
Customer Support: support@cyphort.com

Copyright 2014 Cyphort, Inc. All rights reserved.
More informationCyberprivacy and Cybersecurity for Health Data
Experience the commitment Cyberprivacy and Cybersecurity for Health Data Building confidence in health systems Providing better health care quality at lower cost will be the key aim of all health economies
More informationTHE DIGITAL AGE THE DEFINITIVE CYBERSECURITY GUIDE FOR DIRECTORS AND OFFICERS
THE DIGITAL AGE THE DEFINITIVE CYBERSECURITY GUIDE FOR DIRECTORS AND OFFICERS Download the entire guide and follow the conversation at SecurityRoundtable.org Collaboration and communication between technical
More informationEnterprise Security Tactical Plan
Enterprise Security Tactical Plan Fiscal Years 2011 2012 (July 1, 2010 to June 30, 2012) Prepared By: State Chief Information Security Officer The Information Security Council State of Minnesota Enterprise
More informationNo. 33 February 19, 2013. The President
Vol. 78 Tuesday, No. 33 February 19, 2013 Part III The President Executive Order 13636 Improving Critical Infrastructure Cybersecurity VerDate Mar2010 17:57 Feb 15, 2013 Jkt 229001 PO 00000 Frm 00001
More informationPreventing and Defending Against Cyber Attacks October 2011
Preventing and Defending Against Cyber Attacks October 2011 The Department of Homeland Security (DHS) is responsible for helping Federal Executive Branch civilian departments and agencies secure their
More informationIntegrating Cybersecurity with Emergency Operations Plans (EOPs) for Institutions of Higher Education (IHEs)
Integrating Cybersecurity with Emergency Operations Plans (EOPs) for Institutions of Higher Education (IHEs) Amy Banks, U.S. Department of Education, Center for School Preparedness, Office of Safe and
More informationCybersecurity: Mission integration to protect your assets
Cybersecurity: Mission integration to protect your assets C Y B E R S O L U T I O N S P O L I C Y O P E R AT I O N S P E O P L E T E C H N O L O G Y M A N A G E M E N T Ready for what s next Cyber solutions
More informationApril 8, 2013. Ms. Diane Honeycutt National Institute of Standards and Technology 100 Bureau Drive, Stop 8930 Gaithersburg, MD 20899
Salt River Project P.O. Box 52025 Mail Stop: CUN204 Phoenix, AZ 85072 2025 Phone: (602) 236 6011 Fax: (602) 629 7988 James.Costello@srpnet.com James J. Costello Director, Enterprise IT Security April 8,
More informationWhite Paper. Time for Integrated vs. Bolted-on IT Security. Cyphort Platform Architecture: Modular, Open and Flexible
White Paper Time for Integrated vs. Bolted-on IT Security Cyphort Platform Architecture: Modular, Open and Flexible Overview This paper discusses prevalent market approaches to designing and architecting
More informationWILLIS SPECIAL REPORT: 10K DISCLOSURES HOW RETAIL COMPANIES DESCRIBE THEIR CYBER LIABILITY EXPOSURES
WILLIS SPECIAL REPORT: 10K DISCLOSURES HOW RETAIL COMPANIES DESCRIBE THEIR CYBER LIABILITY EXPOSURES This special report examines the cyber risk disclosures made by the retail sector of the Fortune 1000.
More informationICBA Summary of FFIEC Cybersecurity Assessment Tool
ICBA Summary of FFIEC Cybersecurity Assessment Tool July 2015 Contact: Jeremy Dalpiaz Assistant Vice President Cyber Security and Data Security Policy Jeremy.Dalpiaz@icba.org www.icba.org ICBA Summary
More informationUpdate on U.S. Critical Infrastructure and Cybersecurity Initiatives
Update on U.S. Critical Infrastructure and Cybersecurity Initiatives Presented to Information Security Now! Seminar Helsinki, Finland May 8, 2013 MARK E. SMITH Assistant Director International Security
More informationIntegrating Cybersecurity with Emergency Operations Plans (EOPs) for K-12 Education
Integrating Cybersecurity with Emergency Operations Plans (EOPs) for K-12 Education Amy Banks, U.S. Department of Education, Center for School Preparedness, Office of Safe and Healthy Students Hamed Negron-Perez,
More informationWhite Paper on Financial Industry Regulatory Climate
White Paper on Financial Industry Regulatory Climate According to a 2014 report on threats to the financial services sector, 45% of financial services organizations polled had suffered economic crime during
More informationNIST CYBERSECURITY FRAMEWORK IMPLEMENTATION: ENERGY SECTOR APPROACH
NIST CYBERSECURITY FRAMEWORK IMPLEMENTATION: ENERGY SECTOR APPROACH SANS ICS Security Summit March 18, 2014 Jason D. Christopher Nadya Bartol Ed Goff Agenda Background Use of Existing Tools: C2M2 Case
More informationThe Cybersecurity Framework in Action: An Intel Use Case
SOLUTION BRIEF Cybersecurity Framework Risk Management The Cybersecurity Framework in Action: An Intel Use Case Intel Publishes a Cybersecurity Framework Use Case Advancing cybersecurity across the global
More informationCybersecurity Converged Resilience :
Cybersecurity Converged Resilience : The cybersecurity of critical infrastructure 2 AECOM Port Authority of New York and New Jersey (PANYNJ), New York, New York, United States. AECOM, working with the
More informationICS-CERT Year in Review. Industrial Control Systems Cyber Emergency Response Team. National Cybersecurity and Communications Integration Center
ICS-CERT Year in Review Industrial Control Systems Cyber Emergency Response Team 2013 National Cybersecurity and Communications Integration Center What s Inside Welcome 1 National Preparedness 2 Prevention
More informationNational Cybersecurity Challenges and NIST. Donna F. Dodson Chief Cybersecurity Advisor ITL Associate Director for Cybersecurity
National Cybersecurity Challenges and NIST Donna F. Dodson Chief Cybersecurity Advisor ITL Associate Director for Cybersecurity Though no-one knows for sure, corporate America is believed to lose anything
More informationThe NIST Cybersecurity Framework (CSF) Unlocking CSF - An Educational Session
The NIST Cybersecurity Framework (CSF) Unlocking CSF - An Educational Session Robert Smith Systemwide IT Policy Director Compliance & Audit Educational Series 5/5/2016 1 Today s reality There are two kinds
More informationNIST Unveils Preliminary Cybersecurity Framework
November 25, 2013 Practice Group: Cyber Law and Cybersecurity NIST Unveils Preliminary Cybersecurity Framework By Roberta D. Anderson On October 22, the National Institute of Standards and Technology (NIST)
More informationPROTECTING CRITICAL CONTROL AND SCADA SYSTEMS WITH A CYBER SECURITY MANAGEMENT SYSTEM
PROTECTING CRITICAL CONTROL AND SCADA SYSTEMS WITH A CYBER SECURITY MANAGEMENT SYSTEM Don Dickinson Phoenix Contact USA P.O. Box 4100 Harrisburg, PA 17111 ABSTRACT Presidential Executive Order 13636 Improving
More informationApplying Framework to Mobile & BYOD
Applying Framework to Mobile & BYOD Framework for Improving Critical Infrastructure Cybersecurity National Association of Attorneys General Southern Region Meeting 13 March 2015 cyberframework@nist.gov
More informationTestimony of Dan Nutkis CEO of HITRUST Alliance. Before the Oversight and Government Reform Committee, Subcommittee on Information Technology
Testimony of Dan Nutkis CEO of HITRUST Alliance Before the Oversight and Government Reform Committee, Subcommittee on Information Technology Hearing entitled: Cybersecurity: The Evolving Nature of Cyber
More informationPreventing and Defending Against Cyber Attacks November 2010
Preventing and Defending Against Cyber Attacks November 2010 The Nation s first ever Quadrennial Homeland Security Review (QHSR), delivered to Congress in February 2010, identified safeguarding and securing
More informationImplementing the U.S. Cybersecurity Framework at Intel A Case Study
SESSION ID: STR-W01 Implementing the U.S. Cybersecurity Framework at Intel A Case Study Tim Casey Senior Strategic Risk Analyst Intel Information Security @timcaseycyber How would you represent your entire
More informationHealth Industry Implementation of the NIST Cybersecurity Framework
Health Industry Implementation of the NIST Cybersecurity Framework A Collaborative Presentation by HHS, NIST, HITRUST, Deloitte and Seattle Children s Hospital 1 Your presenters HHS Steve Curren, Acting
More informationA Guide to Successfully Implementing the NIST Cybersecurity Framework. Jerry Beasley CISM and TraceSecurity Information Security Analyst
TRACESECURITY WHITE PAPER GRC Simplified... Finally. A Guide to Successfully Implementing the NIST Cybersecurity Framework Jerry Beasley CISM and TraceSecurity Information Security Analyst TRACESECURITY
More informationPreventing and Defending Against Cyber Attacks June 2011
Preventing and Defending Against Cyber Attacks June 2011 The Department of Homeland Security (DHS) is responsible for helping Federal Executive Branch civilian departments and agencies secure their unclassified
More informationIG ISCM MATURITY MODEL FOR FY 2015 FISMA FOR OFFICIAL USE ONLY
IG MATURITY MODEL FOR FY 2015 FISMA 1 Ad-hoc 1.1 program is not formalized and activities are performed in a reactive manner resulting in an adhoc program that does not meet 2 requirements for a defined
More informationFFIEC Cybersecurity Assessment Tool Overview for Chief Executive Officers and Boards of Directors
Overview for Chief Executive Officers and Boards of Directors In light of the increasing volume and sophistication of cyber threats, the Federal Financial Institutions Examination Council 1 (FFIEC) developed
More informationCybersecurity and Corporate America: Finding Opportunities in the New Executive Order
Executive Order: In the President s State of the Union Address on February 12, 2013, he announced an Executive Order Improving Critical Infrastructure Cybersecurity (EO) to strengthen US cyber defenses
More information7 Homeland. ty Grant Program HOMELAND SECURITY GRANT PROGRAM. Fiscal Year 2008
U.S. D EPARTMENT OF H OMELAND S ECURITY 7 Homeland Fiscal Year 2008 HOMELAND SECURITY GRANT PROGRAM ty Grant Program SUPPLEMENTAL RESOURCE: CYBER SECURITY GUIDANCE uidelines and Application Kit (October
More informationRemarks for Admiral David Simpson WTA Advocates for Rural Broadband Spring Meeting Cybersecurity Panel
Remarks for Admiral David Simpson WTA Advocates for Rural Broadband Spring Meeting Cybersecurity Panel May 5th, 2015 10:00-11:30 a.m. Hyatt Regency, Indian Wells, CA Thank you all for welcoming me. It
More informationCyber Threat Intelligence and Incident Coordination Center (C 3 ) Protecting the Healthcare Industry from Cyber Attacks
Cyber Threat Intelligence and Incident Coordination Center (C 3 ) Protecting the Healthcare Industry from Cyber Attacks July 2014 Cyber Threat Intelligence and Incident Coordination Center: Protecting
More informationFFIEC Cybersecurity Assessment Tool
Overview In light of the increasing volume and sophistication of cyber threats, the Federal Financial Institutions Examination Council 1 (FFIEC) developed the Cybersecurity Tool (), on behalf of its members,
More informationCYBER SECURITY INFORMATION SHARING & COLLABORATION
Corporate Information Security CYBER SECURITY INFORMATION SHARING & COLLABORATION David N. Saul Senior Vice President & Chief Scientist 28 June 2013 Discussion Flow The Evolving Threat Environment Drivers
More informationWritten Statement of Richard Dewey Executive Vice President New York Independent System Operator
Written Statement of Richard Dewey Executive Vice President New York Independent System Operator Senate Standing Committee on Veterans, Homeland Security and Military Affairs Senator Thomas D. Croci, Chairman
More informationClient Update NFA Adopts Interpretive Notice Regarding Information Systems Security Programs
1 Client Update NFA Adopts Interpretive Notice Regarding Information Systems Security Programs NEW YORK Byungkwon Lim blim@debevoise.com Gary E. Murphy gemurphy@debevoise.com Michael J. Decker mdecker@debevoise.com
More informationCYBERSECURITY IN FINANCIAL SERVICES POINT OF VIEW CHALLENGE 1 REGULATORY COMPLIANCE ACROSS GEOGRAPHIES
POINT OF VIEW CYBERSECURITY IN FINANCIAL SERVICES Financial services institutions are globally challenged to keep pace with changing and covert cybersecurity threats while relying on traditional response
More informationImplementation of the Cybersecurity Executive Order
Implementation of the Cybersecurity Executive Order November 13 th, 2013 Ben Beeson, Partner, Lockton Companies Gerald J. Ferguson, Partner, BakerHostetler Mark Weatherford, Principal, The Chertoff Group
More informationNavigating the NIST Cybersecurity Framework
Navigating the NIST Cybersecurity Framework Explore the NIST Cybersecurity Framework and tools and processes needed for successful implementation. Abstract For federal agencies, addressing cybersecurity
More informationCybersecurity: Considerations for Internal Audit. IIA Atlanta Chapter Meeting January 9, 2015
Cybersecurity: Considerations for Internal Audit IIA Atlanta Chapter Meeting January 9, 2015 Agenda Key Risks Incorporating Internal Audit Resources for Internal Auditors Questions 2 Key Risks 3 4 Key
More informationEd McMurray, CISA, CISSP, CTGA CoNetrix
Ed McMurray, CISA, CISSP, CTGA CoNetrix AGENDA Introduction Cybersecurity Recent News Regulatory Statements NIST Cybersecurity Framework FFIEC Cybersecurity Assessment Questions Information Security Stats
More informationCommonwealth IT Threat Management: Keeping Out the Cyber Villains Category: Cyber Security Initiatives. Initiation date: January 2012
Commonwealth IT Threat Management: Keeping Out the Cyber Villains Category: Cyber Security Initiatives Initiation date: January 2012 Completion date: June 2012 Nomination submitted by: Samuel A. Nixon
More informationOctober 9, 2014. Lyman Terni, Consultant Tim Villano, Chief Technology Officer. Current Awareness of the Cybersecurity Framework
October 9, 2014 Ascendant Compliance Management is an independent consulting firm assisting Registered Investment Advisers and Broker-Dealers with regulatory compliance. Our firm has an IT Risk Assessment
More informationDelaware Cyber Security Workshop September 29, 2015. William R. Denny, Esquire Potter Anderson & Corroon LLP
Changing Legal Landscape in Cybersecurity: Implications for Business Delaware Cyber Security Workshop September 29, 2015 William R. Denny, Esquire Potter Anderson & Corroon LLP Agenda Growing Cyber Threats
More informationGlobal Cyber Range (GCR) Empowering the Cybersecurity Professional (CyPro)
Global Cyber Range (GCR) Empowering the Cybersecurity Professional (CyPro) NICE Conference 2014 CYBERSECURITY RESILIENCE A THREE TIERED SOLUTION NIST Framework for Improving Critical Infrastructure Cybersecurity
More informationU.S. Department of Homeland Security Protective Security Advisor (PSA) North Carolina District
U.S. Department of Homeland Security Protective Security Advisor (PSA) North Carolina District Securing the Nation s s critical infrastructures one community at a time Critical Infrastructure & Key Resources
More information