Cybersecurity Audit
Why are we still Vulnerable?
November 30, 2015
John R. Robles, CISA, CISM, CRISC
www.johnrrobles.com
jrobles@coqui.net
787-647-3961
John R. Robles- 787-647-3961 1

9/11-2001
The event that dramatically changed how the Federal government works to minimize threats to government resources and society as a whole.

Homeland Security Presidential Directive 7 (December 17, 2003)
Homeland Security Presidential Directive 7 established a national policy for Federal departments and agencies to identify and prioritize critical infrastructure and to protect it from terrorist attacks.

Cyberspace Policy Review
On February 9, 2009, President Obama gave his National Security and Homeland Security Advisors 60 days to conduct a Cyberspace Policy Review.
In June 2009, the Cyberspace Policy Review was published.

Cyberspace Policy Review Recommendations
1. Appoint a cybersecurity policy official responsible for coordinating the Nation's cybersecurity policies and activities;
2. Prepare for the President's approval an updated national strategy;
3. Designate cybersecurity as one of the President's key management priorities and establish performance metrics;
6. Initiate a national public awareness and education campaign to promote cybersecurity;
8. Prepare a cybersecurity incident response plan;
9. Develop a framework for research and development strategies;
Build a cybersecurity-based identity management vision and strategy.

Executive Order 13636 Improving Critical Infrastructure Cybersecurity (March 2013)
On February 12, 2013, the President issued Executive Order 13636, stating that the cyber threat to critical infrastructure continues to grow and represents one of the most serious national security challenges we must confront.

Executive Order 13636 Improving Critical Infrastructure Cybersecurity (March 2013)
Section 1. Policy
It is the policy of the United States to enhance the security and resilience of the Nation's critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties.
Now, how do we do it?

Executive Order 13636 Improving Critical Infrastructure Cybersecurity (March 2013)
Section 7. Baseline Framework to Reduce Cyber Risk to Critical Infrastructure
The Secretary of Commerce shall direct the Director of the National Institute of Standards and Technology (NIST) to lead the development of a framework to reduce cyber risks to critical infrastructure (the "Cybersecurity Framework").

Executive Order 13636 Improving Critical Infrastructure Cybersecurity (March 2013)
The Cybersecurity Framework shall include a set of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks.
The Cybersecurity Framework shall incorporate voluntary consensus standards and industry best practices to the fullest extent possible.
The Cybersecurity Framework shall be consistent with voluntary international standards (Read ISO 27001!)

NIST and the Cybersecurity Framework (February 14, 2014)
In meeting the requirements of the Executive Order, NIST developed the Cybersecurity Framework (2014). It includes:
A set of standards, methodologies, procedures, and processes that addresses cyber risks.
Information security measures and controls, to help owners and operators of critical infrastructure to identify, assess, and manage cyber risk.
Areas for improvement that should be addressed through future collaboration.
Guidance for measuring the performance of an entity in implementing the Cybersecurity Framework.

The Cybersecurity Framework
Overview of the Framework
The Framework is a risk-based approach to managing cybersecurity risk, and is composed of three parts: the Framework Core, the Framework Implementation Tiers, and the Framework Profiles.

The Cybersecurity Framework
The Framework Core is a set of cybersecurity activities, desired outcomes, and applicable references that are common across critical infrastructure sectors.
The Framework Core consists of five concurrent and continuous Functions: Identify, Protect, Detect, Respond, Recover.

Developing the NIST Cybersecurity Framework (CSF) (Latest Update, July 1, 2015)
ISACA (+140,000 members in 180 countries) participated with NIST in the development of the CSF.
ISACA also developed and published a document to assist in the implementation of the CSF. The document is titled: Implementing the NIST Cybersecurity Framework
Note: ISACA expects IT auditors to review compliance with the CSF in an audit of their organization's cybersecurity capabilities.

Audit Cybersecurity
If your organization is part of the 16 Critical Infrastructure areas, then the Federal Government would appreciate your implementation of and compliance with the Cyber Security Framework (CSF).
After implementation, perform a Cybersecurity Audit.

Audit Cybersecurity
Why Audit Cybersecurity?
A cybersecurity audit is performed to determine if a private enterprise, government agency, or non-government organization (NGO) is adequately using and maintaining a stable, safe, and resilient cyberspace or cyber ecosystem.

Audit Cybersecurity
How to Audit the Implementation of the Framework
The Framework places cybersecurity activities into five functions: Identify, Protect, Detect, Respond, and Recover.
Memorize these functions. It'll be on the test!
Organizations should implement controls in each of these areas.

Audit Cybersecurity
Repeated cybersecurity intrusions into the nation's critical infrastructure have demonstrated the need for a stronger approach to manage cybersecurity.
Implementing and auditing the Framework will help organizations align and communicate their risk posture to:
Internal: Board of Directors and the Audit Committee; Senior and middle Management; Operational personnel
External: Government regulators; Clients; Business partners

How to: Audit Cybersecurity
Table of Contents of the ISACA guide
Chapter 1: Introduction to COBIT 5
Chapter 2: Introduction to NIST Cybersecurity Framework 1.0
Chapter 3: Framework Implementation
Chapter 4: Communicating Cybersecurity Requirements with Stakeholders

Audit Cybersecurity
Implementation of Cybersecurity according to NIST CSF and ISACA Guidelines
Step 1: Establish Scope and Priorities
Step 2: Orient
Step 3: Create a Current Profile (What is the current status of cybersecurity?)
Step 4: Conduct a Risk Assessment
Step 5: Create a Target Profile (What status of cybersecurity do you want to achieve?)
Step 6: Determine, Analyze, and Prioritize Gaps
Step 7: Implement an Action Plan
Step 8: Review the Action Plan
Step 9: Manage the Implementation Life Cycle

Audit Cybersecurity
Step 1: Prioritize and Scope
Establish priorities and scope of business/mission objectives. This information allows organizations to make strategic decisions regarding the scope of systems and assets that support the selected business lines or processes within the organization.
Step 2: Orient
Identify threats to, and vulnerabilities of, systems identified in the Prioritize and Scope step.
Step 3: Create a Current Profile
Identify the current state of the cybersecurity program by establishing a current state profile.

Audit Cybersecurity
Step 4: Conduct a Risk Assessment
Conduct a risk assessment using an accepted methodology.
Step 5: Create a Target Profile
Develop a risk-informed target state profile. The target state profile focuses on the assessment of the Framework Categories and Subcategories describing the organization's desired cybersecurity outcomes.
Step 6: Determine, Analyze, and Prioritize Gaps
Conduct a gap analysis to determine opportunities for improving the current state. The gaps are identified by overlaying the current state profile with the target state profile.

Audit Cybersecurity
Step 7: Implement Action Plan
Required actions are taken to close the gaps and work toward obtaining the target state.
Note: As an auditor, I want to see a documented Cyber Security Improvement Action Plan. Very, very, very important! I would start the audit with the assumed audit conclusion that the security is not optimal.
If there is No Plan, OK, then, let's start fresh with Step 1.
If you are a Security Officer (Top Dog!) and you don't know why or how to do a Risk Analysis, then you should NOT be a Security Officer.

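The Current/Target Profile overlay of Steps 3 through 7 is easy to describe and surprisingly easy to get wrong in a spreadsheet (a category forgotten in one profile, duplicate category names across Functions). The script below is an added example, not code from this talk, NIST or ISACA: it scores every Category named on these slides in both profiles, validates that the two profiles cover the same Core, computes the gaps, and orders them into the High and Medium priority buckets the audit report will use. The 0-4 implementation levels, the sample profiles, and the rule that a gap of two or more levels is High priority are assumptions of the example, not part of the CSF.

```python
"""Added example (not from the talk, NIST or ISACA): overlay a CSF Current
Profile on a Target Profile to determine, analyze and prioritize gaps
(Steps 3-7), then bucket them into High/Medium recommendations.
Functions and Categories are those named on the slides; the 0-4 scores,
both profiles and the High threshold are constructed assumptions."""
from dataclasses import dataclass

# Framework Core as listed in the talk: Function -> Categories.
# Category names recur across Functions (Communications, Improvements),
# so every profile entry is keyed by the (Function, Category) pair.
CORE = {
    "Identify": ["Asset Management", "Governance", "Risk Assessment",
                 "Risk Management"],
    "Protect": ["Access Control", "Data Security",
                "Information Protection Processes and Procedures",
                "Protective Technology", "Awareness and Training"],
    "Detect": ["Anomalies and Events", "Security Continuous Monitoring",
               "Detection Processes"],
    "Respond": ["Communications", "Analysis", "Mitigation", "Improvements"],
    "Recover": ["Recovery Planning", "Improvements", "Communications"],
}
ALL_KEYS = [(f, c) for f, cats in CORE.items() for c in cats]


@dataclass(frozen=True)
class Gap:
    function: str
    category: str
    current: int   # hypothetical 0-4 implementation level found by the audit
    target: int    # level the organization wants to reach
    priority: str  # "High" or "Medium", as in the report's recommendations

    @property
    def delta(self) -> int:
        return self.target - self.current


def build_profile(default, overrides=None):
    """Score every Core category at `default`, then apply per-category overrides."""
    profile = {key: default for key in ALL_KEYS}
    profile.update(overrides or {})
    return profile


def validate_profile(profile, name):
    """A profile must score every Core category, only Core categories, in 0-4."""
    missing = [k for k in ALL_KEYS if k not in profile]
    if missing:
        raise ValueError(f"{name} profile is missing {missing[0][0]}/{missing[0][1]}")
    unknown = set(profile) - set(ALL_KEYS)
    if unknown:
        raise ValueError(f"{name} profile scores a non-Core category: {sorted(unknown)[0]}")
    for key, level in profile.items():
        if not isinstance(level, int) or not 0 <= level <= 4:
            raise ValueError(f"{name} profile has invalid level {level!r} for {key}")


def find_gaps(current, target, high_threshold=2):
    """Step 6: overlay the Current Profile on the Target Profile.

    Every category whose current level is below its target is a gap. A gap
    of `high_threshold` levels or more is rated High, anything smaller Medium
    (the threshold is this example's assumption, not the CSF's). Gaps come
    back largest first, ties in Core order, ready for the action plan."""
    validate_profile(current, "Current")
    validate_profile(target, "Target")
    gaps = []
    for (function, category), tgt in target.items():
        cur = current[(function, category)]
        if cur < tgt:
            priority = "High" if tgt - cur >= high_threshold else "Medium"
            gaps.append(Gap(function, category, cur, tgt, priority))
    core_order = {f: i for i, f in enumerate(CORE)}
    gaps.sort(key=lambda g: (-g.delta, core_order[g.function], g.category))
    return gaps


def action_plan(gaps):
    """Step 7 input: group the prioritized gaps into High and Medium buckets."""
    plan = {"High": [], "Medium": []}
    for g in gaps:
        plan[g.priority].append(f"{g.function}/{g.category}: level {g.current} -> {g.target}")
    return plan


# Constructed sample: a mostly level-2 organization that has done its asset
# inventory but has weak continuous monitoring and no response communications.
CURRENT_PROFILE = build_profile(2, {
    ("Identify", "Asset Management"): 3,
    ("Detect", "Security Continuous Monitoring"): 1,
    ("Respond", "Communications"): 0,
})
# Constructed target: level 3 everywhere, level 4 for access control and monitoring.
TARGET_PROFILE = build_profile(3, {
    ("Protect", "Access Control"): 4,
    ("Detect", "Security Continuous Monitoring"): 4,
})

if __name__ == "__main__":
    for priority, items in action_plan(find_gaps(CURRENT_PROFILE, TARGET_PROFILE)).items():
        print(f"{priority} priority ({len(items)} gaps):")
        for item in items:
            print("  " + item)
```

Run as-is it lists three High gaps (continuous monitoring, response communications, access control) ahead of fifteen one-level Medium gaps; the validation step is what catches the classic audit finding that the Target Profile was built against a different Core than the Current Profile.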
Audit Cybersecurity
Goals of implementing CSF
An effective audit of cybersecurity will consist of determining how well the Cybersecurity Framework or CSF has been implemented.
We ask questions to determine if, during the implementation process, the following control areas are in compliance: Identify, Protect, Detect, Respond, Recover.

Audit Cybersecurity
Identify
Do asset identification controls include: Asset Management; Governance; Risk Assessment; Risk Management
Protect
Do asset protection controls include: Access Control; Data Security; Information Protection Processes and Procedures; Protective Technology; and finally Awareness and Training

Audit Cybersecurity
Detect
Do incident detection controls include: Identification of abnormal incidents; Continuous Monitoring of Active Security!!!!!; Detection of abnormal incidents
Respond
Do incident response controls include: Communications; Analysis; Mitigation; Improvements
Recover
Do controls for recovery from an incident include: Recovery Planning; Improvements; Communications

Audit Cybersecurity
To assist in performing a Cybersecurity Audit, ISACA has published a CyberCrime Audit Assurance Program.

Audit Cybersecurity
VI. Audit/Assurance Program
1. Planning and Scoping the Audit
2. Understanding Supporting Infrastructure
3. Governance
4. Organization
5. Organizational Policies
6. Business Role in Cybercrime Prevention
7. IT Management
8. Incident Management Policy and Procedures
9. Incident Management Implementation
10. Crisis Management
VII. Maturity Assessment
VIII. Maturity Assessment vs. Target Assessment

Audit Cybersecurity
This is another document ISACA has published to assist the Cybersecurity Auditor.

The Cybersecurity Audit Report
Prepare draft report:
Positive aspects of the audit, if any
Negative aspects of the audit, if any (the auditor will always find areas for improvement)
Comments
Recommendations for improving and mitigating negative issues
Discuss with stakeholders
Update draft based on comments received
Obtain management approval of draft
Present Final Report:
Document priority items that should be immediately addressed
Establish High and Medium priority recommendations
Establish a timetable to implement improvements

Audit Cybersecurity
References
http://www.dhs.gov/topic/cybersecurity - Homeland Cybersecurity Home Page
http://www.nist.gov/cyberframework/ - NIST Cybersecurity Framework Home Page
http://www.isaca.org/cyber/pages/default.aspx - ISACA Cybersecurity Nexus Home Page

Gracias!
Questions and Some Answers
John R. Robles, CISA, CISM, CRISC
www.johnrrobles.com
jrobles@coqui.net
787-647-3961