Framework for Improving Critical Infrastructure Cybersecurity



Similar documents
Cybersecurity Framework: Current Status and Next Steps

Cybersecurity in the Utilities Sector Best Practices and Implementation 2014 Canadian Utilities IT & Telecom Conference September 24, 2014

Critical Infrastructure Cybersecurity Framework. Overview and Status. Executive Order Improving Critical Infrastructure Cybersecurity

Framework for Improving Critical Infrastructure Cybersecurity

NIST Cybersecurity Framework. ARC World Industry Forum 2014

Executive Order 13636: The Healthcare Sector and the Cybersecurity Framework. September 23, 2014

Framework for Improving Critical Infrastructure Cybersecurity

Cybersecurity Framework. Executive Order Improving Critical Infrastructure Cybersecurity

How To Write A Cybersecurity Framework

Framework for Improving Critical Infrastructure Cybersecurity

NIST Cybersecurity Framework Sean Sweeney, Information Security Officer 5/20/2015

National Institute of Standards and Technology Smart Grid Cybersecurity

Cybersecurity Audit Why are we still Vulnerable? November 30, 2015

NIST Cybersecurity Initiatives. ARC World Industry Forum 2014

Information and Communications Technology Supply Chain Risk Management (ICT SCRM) AND NIST Cybersecurity Framework

Applying Framework to Mobile & BYOD

Framework for Improving Critical Infrastructure Cybersecurity

PROTIVITI FLASH REPORT

Envisioning Collaboration for Medical Device and Healthcare Cybersecurity

National Cybersecurity Challenges and NIST. Donna F. Dodson Chief Cybersecurity Advisor ITL Associate Director for Cybersecurity

How To Understand And Manage Cybersecurity Risk

Health Industry Implementation of the NIST Cybersecurity Framework

The President issued an Executive Order Improving Critical Infrastructure Cybersecurity, on February 2013.

Voluntary Cybersecurity Initiatives in Critical Infrastructure. Nadya Bartol, CISSP, SGEIT, 2014 Utilities Telecom Council

Why you should adopt the NIST Cybersecurity Framework

Framework for Improving Critical Infrastructure Cybersecurity

Business Continuity for Cyber Threat

Framework for Improving Critical Infrastructure Cybersecurity

A Guide to Successfully Implementing the NIST Cybersecurity Framework. Jerry Beasley CISM and TraceSecurity Information Security Analyst

Framework for Improving Critical Infrastructure Cybersecurity

Intel Security Professional Services Leveraging NIST Cybersecurity Framework (CSF): Complexity is the enemy of security

Improving Critical Infrastructure Cybersecurity Executive Order Preliminary Cybersecurity Framework

NIST Cybersecurity Framework What It Means for Energy Companies

Westlaw Journal. What is the Cybersecurity Framework? Risk Management Process And Pathway to Corporate Liability? Expert Analysis

Building Security In:

NIST Cybersecurity Framework & A Tale of Two Criticalities

The NIST Cybersecurity Framework (CSF) Unlocking CSF - An Educational Session

Which cybersecurity standard is most relevant for a water utility?

Re: Experience with the Framework for Improving Critical Infrastructure Cybersecurity ( Framework )

Why you should adopt the NIST Cybersecurity Framework

Understanding the NIST Cybersecurity Framework September 30, 2014

Ed McMurray, CISA, CISSP, CTGA CoNetrix

ENERGY SECTOR CYBERSECURITY FRAMEWORK IMPLEMENTATION GUIDANCE

CForum: A Community Driven Solution to Cybersecurity Challenges

Implementing the U.S. Cybersecurity Framework at Intel A Case Study

IAPP Global Privacy Summit Protecting Privacy Under the Cybersecurity Microscope

Applying IBM Security solutions to the NIST Cybersecurity Framework

The NIST Framework for Improving Critical Infrastructure Cybersecurity - An Executive Guide

April 8, Ms. Diane Honeycutt National Institute of Standards and Technology 100 Bureau Drive, Stop 8930 Gaithersburg, MD 20899

The NIST Cybersecurity Framework

Cybersecurity Framework Security Policy Mapping Table

The Cybersecurity Framework in Action: An Intel Use Case

cyberr by e-management The Leader in Cybersecurity Risk Intelligence (RI) Cybersecurity Risk: What You Don t Know CAN Hurt You!

ENTERPRISE RISK MANAGEMENT FRAMEWORK

RE: Experience with the Framework for Improving Critical Infrastructure Cybersecurity

Delving Into FCC's 'Damn Important' Cybersecurity Report

C2M2 and the NIST Cyber Framework: Applying DOE's NIST Cyber Security Framework Guidance

Cybersecurity for Medical Devices

NIST CYBERSECURITY FRAMEWORK IMPLEMENTATION: ENERGY SECTOR APPROACH

Suzanne B. Schwartz, MD, MBA Director Emergency Preparedness/Operations & Medical Countermeasures (EMCM Program) CDRH/FDA

Billing Code: 3510-EA

Report: An Analysis of US Government Proposed Cyber Incentives. Author: Joe Stuntz, MBA EP 14, McDonough School of Business

Release of the Draft Cybersecurity Procurement Language for Energy Delivery Systems

CONCEPTS IN CYBER SECURITY

Lessons from Defending Cyberspace

ASSESSING VENDORS USING THE NIST CYBERSECURITY FRAMEWORK

NIST Cybersecurity Framework Manufacturing Implementation

CYBER SOLUTIONS HANDBOOK

Critical Manufacturing Cybersecurity Framework Implementation Guidance

No. 33 February 19, The President

istockphoto/ljupco 36 June 2015 practicallaw.com 2015 Thomson Reuters. All rights reserved.

Security Risk Management For Health IT Systems and Networks

State Agency Cyber Security Survey v October State Agency Cybersecurity Survey v 3.4

Remarks for Admiral David Simpson WTA Advocates for Rural Broadband Spring Meeting Cybersecurity Panel

CRR-NIST CSF Crosswalk 1

C ETS C/ETS: CYBER INTELLIGENCE + ENTERPRISE SOLUTIONS CSCSS / ENTERPRISE TECHNOLOGY + SECURITY

Overview TECHIS Manage information security business resilience activities

Happy First Anniversary NIST Cybersecurity Framework:

Modalities for Cyber Security and Privacy Resilience: The NIST Approach

NIST Unveils Preliminary Cybersecurity Framework

THE PRESIDENT S NATIONAL SECURITY TELECOMMUNICATIONS ADVISORY COMMITTEE

Cybersecurity: Considerations for Internal Audit. IIA Atlanta Chapter Meeting January 9, 2015

Cybersecurity as a Risk Factor in doing business

Water Sector Approach to Cybersecurity Risk Management

RE: ITI comments in response to NIST RFI: Experience with the Framework for Improving Critical Infrastructure Cybersecurity

DOE Cyber Security Policy Perspectives

Transcription:

Framework for Improving Critical Infrastructure Cybersecurity Executive Order 13636 Improving Critical Infrastructure Cybersecurity 2014 ISACA Pittsburgh Information Security Awareness Day Victoria Yan Pillitteri victoria.yan@nist.gov National Institute of Standards and Technology (NIST) About NIST NIST s mission is to develop and promote measurement, standards, and technology to enhance productivity, facilitate trade, and improve the quality of life. 3,000 employees 2,700 guest researchers 1,300 field staff in partner organizations Two main locations: Gaithersburg, Md and Boulder, Co NIST Priority Research Areas Advanced Manufacturing IT and Cybersecurity Healthcare Forensic Science Disaster Resilience Cyber-physical Systems Advanced Communications 2 1

Executive Order: Improving Critical Infrastructure Cybersecurity It is the policy of the United States to enhance the security and resilience of the Nation s critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties President Barack Obama Executive Order 13636, Feb. 12, 2013 The National Institute of Standards and Technology (NIST) was directed to work with stakeholders to develop a voluntary framework for reducing cyber risks to critical infrastructure Version 1.0 of the framework was released on Feb. 12, 2014, along with a roadmap for future work 3 The Cybersecurity Framework Is for Organizations Of any size, in any sector in the critical infrastructure That already have a mature cyber risk management and cybersecurity program That don t yet have a cyber risk management or cybersecurity program With a mission of helping keep up-to-date on managing risk and facing business or societal threats 4 2

Framework Components Aligns industry standards and best practices to the Framework Core in a particular implementation scenario Cybersecurity activities and informative references, organized around particular outcomes Supports prioritization and measurement while factoring in business needs Framework Profile Framework Core Enables communication of cyber risk across an organization Framework Implementation Tiers Describes how cybersecurity risk is managed by an organization and degree the risk management practices exhibit key characteristics 5 Framework Core 6 3

Framework Core - Sample 7 Framework Profile Alignment of Functions, Categories, and Subcategories with business requirements, risk tolerance, and resources of the organization Enables organizations to establish a roadmap for reducing cybersecurity risk that is well aligned with organizational and sector goals, considers legal/regulatory requirements and industry best practices, and reflects risk management priorities Can be used to describe current state or desired target state of cybersecurity activities 8 4

Definitions of Tiers (Excerpts) Tier 1: Partial Risk Management Process: Organizational cybersecurity risk management practices are not formalized, and risk is managed in an ad hoc and sometimes reactive manner. Tier 3: Risk-Informed and Repeatable Integrated Risk Management Program: Risk-informed policies, processes, and procedures are defined, implemented as intended, and reviewed. Tier 2: Risk-Informed External Participation The organization knows its role in the larger ecosystem, but has not formalized its capabilities to interact and share information externally. Tier 4: Adaptive External Participation: The organization manages risk and actively shares information with partners to ensure that accurate, current information is being distributed and consumed to improve cybersecurity before an event occurs. 9 How to Use the Cybersecurity Framework The Framework is designed to complement existing business and cybersecurity operations, and can be used to: Understand security status Establish / Improve a cybersecurity program Communicate cybersecurity requirements with stakeholders, including partners and suppliers Identify opportunities for new or revised standards Identify tools and technologies to help organizations use the Framework Integrate privacy and civil liberties considerations into a cybersecurity program 10 5

Snapshot of Framework Use And many others! 11 Update on Cybersecurity Framework Activities Ongoing Outreach, Coordination and Engagement February 12, 2014: Cybersecurity Framework (CSF) Released Request for Information August 26, 2014: Seeking feedback on Experience with the CSF 6 th CSF Workshop October 29-30, 2014: Florida Center for Cybersecurity Next Steps December 2014: Status Update of RFI Comments and 6 th Workshop will be posted 12 6

Recapping Key Points about the Framework It s a framework, not a prescription It provides a common language and systematic methodology for managing cyber risk It does not tell a company how much cyber risk is tolerable, nor does it claim to provide the one and only formula for cybersecurity Having a common lexicon to enable action across a very diverse set of stakeholders will enable the best practices of elite companies to become standard practices for everyone The framework is a living document It is intended to be updated over time as stakeholders learn from implementation, and as technology and risks change That s one reason why the framework focuses on questions an organization needs to ask to manage its cyber risk. Practices, technology, and standards will change over time principals will not 13 Key Points About the Framework (cont.) Organizations should use the framework now: The framework is a flexible, highly adaptable document, and its adoption will be market-driven Its improvement will depend to a great degree on the experiences of those who have used it We need to improve cyber protections across the broadest set of stakeholders possible to achieve the collective benefit of security for all. The fastest way to do this is through voluntary adoption This is a strong public-private partnership Version 1.0 of the framework strongly reflects the efforts of a broad range of industries that see the value of, and need for, improving cybersecurity and lowering risk 14 7

Learn More and Stay Current The Framework for Improving Critical Infrastructure Cybersecurity, the Roadmap, and related news and information are available at: http://www.nist.gov/cyberframework Email: cyberframework@nist.gov #NISTCSF 8

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information