Bradford J. Willke, CISSP



Similar documents
Lessons from Defending Cyberspace

Overview TECHIS Manage information security business resilience activities

ITU National Cybersecurity/CIIP Self-Assessment Toolkit. Background Information for National Pilot Tests

Homeland Security Perspectives: Cyber Security Partnerships and Measurement Activities

Cyber Security in Austria

DHS Cyber Security & Resilience Resources: Cyber Preparedness, Risk Mitigation, & Incident Response

EU policy on Network and Information Security and Critical Information Infrastructure Protection

Qatar Computer Emergency Team

Buyer Beware: How To Be a Better Consumer of Security Maturity Models

Department of Homeland Security Cyber Resilience Review (Case Study) Matthew Butkovic Technical Manager - Cybersecurity Assurance, CERT Division

RESPONSIBLE CARE SECURITY CODE OF MANAGEMENT PRACTICES

ITU National Cybersecurity/CIIP Self-Assessment Tool

ITU Cybersecurity Work Programme to Assist Developing Countries

Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2) (Case Study) James Stevens Senior Member, Technical Staff - CERT Division

Preventing and Defending Against Cyber Attacks November 2010

Department for Business, Innovation and Skills 1 Victoria Street London SW1H 0ET. 7 th May Dear Sir or Madam,

National Cyber Security Policy -2013

The Comprehensive National Cybersecurity Initiative

Cyber Defence Capability Assessment Tool (CDCAT ) Improving cyber security preparedness through risk and vulnerability analysis

CERT/CC Overview & CSIRT Development Team Activities

1.20 Appendix A Generic Risk Management Process and Tasks

TUSKEGEE CYBER SECURITY PATH FORWARD

Expert Meeting on CYBERLAWS AND REGULATIONS FOR ENHANCING E-COMMERCE: INCLUDING CASE STUDIES AND LESSONS LEARNED March 2015

Executive Order 13636: The Healthcare Sector and the Cybersecurity Framework. September 23, 2014

Integration of QMS, SMS,

Copyright 2014 Carnegie Mellon University The Cyber Resilience Review is based on the Cyber Resilience Evaluation Method and the CERT Resilience

REPUBLIC OF MAURITIUS NATIONAL CYBER SECURITY STRATEGY

State Agency Cyber Security Survey v October State Agency Cybersecurity Survey v 3.4

A COMPREHENSIVE INTER-AMERICAN CYBERSECURITY STRATEGY: A MULTIDIMENSIONAL AND MULTIDISCIPLINARY APPROACH TO CREATING A CULTURE OF CYBERSECURITY

Fast Facts About The Cyber Security Job Market

Business Continuity for Cyber Threat

Working Party on Information Security and Privacy

Framework for Improving Critical Infrastructure Cybersecurity

Business Continuity Management Charter

Voluntary Cybersecurity Initiatives in Critical Infrastructure. Nadya Bartol, CISSP, SGEIT, 2014 Utilities Telecom Council

Distributed and Outsourced Software Engineering. The CMMI Model. Peter Kolb. Software Engineering

Preventing and Defending Against Cyber Attacks June 2011

MEMORANDUM. Date: October 28, Federally Regulated Financial Institutions. Subject: Cyber Security Self-Assessment Guidance

ENSURING SECURITY IN AND FACILITATING INTERNATIONAL TRADE. Measures toward enhancing maritime cybersecurity. Submitted by Canada SUMMARY

Cyber Security Strategy of Georgia

Global Cybersecurity Center for Development. Korea Internet & Security Agency Ministry of Science, ICT and Future Planning

Cyber security in an organization-transcending way

INTRODUCTION TO INFORMATION TECHNOLOGY SECTOR CRITICAL INFRASTRUCTURE PROTECTION...

Best Practices for National Cyber Security: Building a National Computer Security Incident Management Capability, Version 2.0

Cyber Security Strategy

How To Understand And Understand The European Priorities In Information Security

Copyright 2014 Carnegie Mellon University The Cyber Resilience Review is based on the Cyber Resilience Evaluation Method and the CERT Resilience

NIST Cybersecurity Framework Sean Sweeney, Information Security Officer 5/20/2015

Cyber Europe Key Findings and Recommendations

FFIEC Cybersecurity Assessment Tool Overview for Chief Executive Officers and Boards of Directors

Manoo Ordeedolchest Chairman ICT Policy Committee Sripatum University Microsoft Software Development Life Cycle Management of Enterprise June 5, 2007

HIGHER DIPLOMA BUSINESS FINANCE

Cybersecurity Strategy of the Republic of Cyprus

Advanced Risk Analysis for High-Performing Organizations

An Overview of Large US Military Cybersecurity Organizations

Supplemental Tool: Executing A Critical Infrastructure Risk Management Approach

CYBER SECURITY. Marcin Olender Head of Unit Information Society Department

Industrial Cybersecurity Center Are you looking for End-Users, Close to Market Approaches, Requirements, Validation and Dissemination?

Commonwealth Approach to Cybergovernance and Cybersecurity. By the Commonwealth Telecommunications Organisation

CYSPA - EC projects supporting NIS

Contrasting CMMI and the PMBOK. CMMI Technology Conference & User Group November 2005

Computer and Network Security in Higher Education

Department of Homeland Security Federal Government Offerings, Products, and Services

Overview of ITU Cybersecurity Activities

CYBERSECURITY SLAs: MANANGING REQUIREMENTS AT ARM S LENGTH

Cyber security Country Experience: Establishment of Information Security Projects.

Change Management: Automating the Audit Process

Department of Homeland Security

Moving from BS to ISO The new international standard for business continuity management systems. Transition Guide

CYBER SECURITY LEGISLATION AND POLICY INITIATIVES - UGANDA CASE

The Policy Approaches to Strengthen Cyber Security in the Financial Sector (Summary) July 2, 2015 Financial Services Agency

National Cybersecurity Management System: Framework, Maturity Model and Implementation Guide

Business Continuity. Is your Business Prepared for the worse? What is Business Continuity? Why use a Business Continuity Plan?

A Generic National Framework For Critical Information Infrastructure Protection (CIIP)

Business Continuity Policy

Priority III: A National Cyberspace Security Awareness and Training Program

2012 CyberSecurity Watch Survey

S. ll IN THE SENATE OF THE UNITED STATES

BS BUSINESS CONTINUITY MANAGEMENT

Transcription:

Engineering National Cybersecurity and Critical Information Infrastructure Protection Bradford J. Willke, CISSP 16 October 2007 ITU Regional Workshop Buenos Aires, Argentina

Overview Purpose: This session seeks to explore in more detail various approaches, best practices, and identify key building blocks that could assist countries in the Americas region in establishing national strategies for cybersecurity and CIIP. To address these threats and protect infrastructures, each country needs a comprehensive action plan that addresses technical, legal and policy issues, combined with regional and international cooperation. Issues, actors, and frameworks that should be considered in a national strategy for cybersecurity and critical information infrastructure protection 2

Preface on National Cybersecurity Efforts If you don t know where you are, a map won t help -- Watts Humphrey, Software Engineer 3

National and Multi-National Cybersecurity Impediments Goal Orientation: Cybersecurity, business continuity, and ICT operations support critical information infrastructure protection (I.e., provide elements of resiliency) but are often performed independent of one another Problem Recognition: The field of cybersecurity and CIIP tends to be focused on technical not managerial solutions; true process improvement elusive Preparation: Nation s have false sense of preparedness; only tested during disruptive events Process: Codes of practice are numerous; however practice effectiveness is rarely measured Measurement: There are few reliable benchmarks for determining an nation s capability for protecting critical information infrastructures 4

National Cybersecurity Goals 1. Develop National Strategy for Cybersecurity and Critical Infrastructure Protection 2. Establish National Government-to-Industry Collaboration 3. Deter Cyber Crime 4. Operate National Incident Management Capability 5. Promote National Culture of Cybersecurity 5

Getting Started Self-assessment against a common framework can provide a place to start building a national cybersecurity programme But you have to know What is the route (a framework) What is the destination (how far you must implement the framework) Where you are (how far you have implemented the framework) The destination is determined by the capabilities and the maturity of processes you must have in place to manage unacceptable risks 6

National Risks and Risk Tolerance National risks to cybersecurity involve conditions where negative consequences and events can possibly harm the assets required to implement, sustain, and protect critical infrastructure Risks are comprised of assets, threats, vulnerabilities, consequences, and probability and/or impacts Risk tolerance must be put in terms of CIIP and National Cybersecurity The degree of uncertainty a government can accept regarding potential negative impacts to community indicators of health and stability The threshold for negative consequences and events deemed as unacceptable community impacts of risks 7

Setting National Risk Tolerance Risk tolerance is decide in the public interest and not for the needs of single organizations or even industries Governments, because of the responsibility and duty they have for citizens and businesses, set the thresholds for acceptable and unacceptable risks Enumerated areas of health and wellness Public safety Psychology Economy 8

Best Practices for Engineering CIIP - 1 Plan your work for today and every day, then work your plan -- Norman Vincent Peale, Author Simplified: Plan the work, Work the plan 9

Best Practices for Engineering CIIP - 2 Project Management Perspective 1. Establish a national-level philosophy, set of goals and objectives, and policy for cyber security 2. Plan the process of conducting cybersecurity and CIIP 3. Provide resources, assign responsibilities, and train people 4. Manage configurations 5. Identify and involve relevant stakeholders 6. Monitor and control the process 7. Objectively evaluate adherence to the process 8. Review status with governance leaders [Adapted From: CMMi v1.2 - Generic Goals and Practices, Software Engineering Institute, Carnegie Mellon University.] 10

Best Practices for Engineering CIIP - 3 Process Control Perspective 1. Treat national strategies for cybersecurity and CIIP as a process 2. Monitor and control the plan, design, and implementation 3. Focus on building a national-level, highly visible process 4. Develop and manage requirements 5. Measure and analyze, where appropriate 6. Perform validation and verification of assumption, requirements, and solutions 7. Define trusted, reliable sources of information and the means for information sharing 11

Sponsors, Stakeholder, & Actors - 1 [What are their responsibilities] Define the CIIP Process Implement the CIIP Process Review the CIIP Process Government Agencies & Regulators X X X Private Industry Sectors X X X Public-Private Partnerships X X X International Partnerships X X X 12

Sponsors, Stakeholder, & Actors - 2 [Who are they] Controls and Monitors Risks Controls and Monitors Process Controls and Monitors Plan Government Agencies & Regulators Generally All Departments / Regulators Specialists within Agencies One Agency, or Small Group of in Collaboration Private Industry Sectors Generally All Sectors Sector leads and Specific CI/KR Owners [Account & Assist Only] Public-Private Partnerships Some Partnerships Working groups and Teams [Account & Assist Only] International Partnerships Some Partnerships Standards, Working & Study Groups [Observe and Assist Only] 13

Final Words on National Frameworks All models are wrong, some models are useful -- George Box, Industrial Statistician 14

Questions and Discussion Contact Information: Bradford Willke Email: bwillke@cert.org Phone: +1 412 268-5050 Postal Address: CERT Survivable Enterprise Management Group Software Engineering Institute Carnegie Mellon University Pittsburgh, Pennsylvania 15213-3890 USA 15

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information