Cybersecurity Framework: Current Status and Next Steps




Federal Advisory Committee on Insurance, November 6, 2014
Adam Sedgewick, Senior IT Policy Advisor, Adam.Sedgewick@nist.gov

National Institute of Standards and Technology (NIST)

About NIST
- Part of the U.S. Department of Commerce
- NIST's mission is to develop and promote measurement, standards, and technology to enhance productivity, facilitate trade, and improve the quality of life.
- 3,000 employees; 2,700 guest researchers; 1,300 field staff in partner organizations
- Two main locations: Gaithersburg, MD and Boulder, CO

NIST Priority Research Areas
- Advanced Manufacturing
- IT and Cybersecurity
- Healthcare
- Forensic Science
- Disaster Resilience
- Cyber-physical Systems
- Advanced Communications

Executive Order: Improving Critical Infrastructure Cybersecurity

"It is the policy of the United States to enhance the security and resilience of the Nation's critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties." (President Barack Obama, Executive Order 13636, Feb. 12, 2013)

- The National Institute of Standards and Technology (NIST) was directed to work with stakeholders to develop a voluntary framework for reducing cyber risks to critical infrastructure.
- Version 1.0 of the framework was released on Feb. 12, 2014, along with a roadmap for future work.

Based on the Executive Order, the Cybersecurity Framework Must...
- Include a set of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks
- Provide a prioritized, flexible, repeatable, performance-based, and cost-effective approach, including information security measures and controls, to help owners and operators of critical infrastructure identify, assess, and manage cyber risk
- Identify areas for improvement to be addressed through future collaboration with particular sectors and standards-developing organizations

The Cybersecurity Framework Is for Organizations...
- Of any size, in any sector in the critical infrastructure
- That already have a mature cyber risk management and cybersecurity program
- That don't yet have a cyber risk management or cybersecurity program
- With a mission of helping keep up-to-date on managing risk and facing business or societal threats

Must apply from Executives to Operations

Framework Components

Framework Core
- Cybersecurity activities and informative references, organized around particular outcomes
- Enables communication of cyber risk across an organization

Framework Profile
- Aligns industry standards and best practices to the Framework Core in a particular implementation scenario
- Supports prioritization and measurement while factoring in business needs

Framework Implementation Tiers
- Describes how cybersecurity risk is managed by an organization and the degree to which its risk management practices exhibit key characteristics

Framework Core
- What assets need protection?
- What safeguards are available?
- What techniques can identify incidents?
- What techniques can contain impacts of incidents?
- What techniques can restore capabilities?

Framework Profile
- Alignment of Functions, Categories, and Subcategories with business requirements, risk tolerance, and resources of the organization
- Enables organizations to establish a roadmap for reducing cybersecurity risk that is well aligned with organizational and sector goals, considers legal/regulatory requirements and industry best practices, and reflects risk management priorities
- Can be used to describe current state or desired target state of cybersecurity activities
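To make the Core/Profile relationship above concrete, here is an added Python example (written for this page, not code from the presentation or from NIST) that models a small slice of the Framework Core as Function > Category > Subcategory, records a Current Profile and a Target Profile against it, and turns the difference into a prioritized roadmap. The five Function names are the Framework's; the subcategory identifiers, outcome text, the 0-3 implementation scale and the priority weights are constructed sample data and are not the Framework's Implementation Tiers.

```python
from dataclasses import dataclass, field

# Constructed sample slice of the Framework Core (Function > Category > Subcategory).
# Identifiers and outcome text are illustrative sample data, not quoted from the Framework.
CORE = {
    "Identify": {"Asset Management":  {"ID.AM-1": "Hardware assets are inventoried"}},
    "Protect":  {"Access Control":    {"PR.AC-1": "Identities and credentials are managed"}},
    "Detect":   {"Monitoring":        {"DE.CM-1": "The network is monitored for events"}},
    "Respond":  {"Communications":    {"RS.CO-1": "Personnel know their response roles"}},
    "Recover":  {"Recovery Planning": {"RC.RP-1": "A recovery plan is executed after an incident"}},
}

@dataclass
class Profile:
    """A Profile records, per Subcategory, how far the outcome is implemented
    (constructed 0-3 scale: 0 none, 3 fully operational) and, for a Target
    Profile, a business priority (1 low .. 3 high) derived from risk tolerance."""
    name: str
    state: dict = field(default_factory=dict)     # subcategory id -> 0..3
    priority: dict = field(default_factory=dict)  # subcategory id -> 1..3

def function_of(subcat: str) -> str:
    """Walk the Core and return the Function a Subcategory belongs to."""
    for func, cats in CORE.items():
        for subs in cats.values():
            if subcat in subs:
                return func
    raise KeyError(f"{subcat} is not in the Core")

def gap_roadmap(current: Profile, target: Profile) -> list:
    """Compare a Current Profile with a Target Profile and return the Subcategories
    still short of target, highest (priority * gap) first.
    Each entry: (function, subcategory, current, target, score)."""
    rows = []
    for subcat, want in target.state.items():
        have = current.state.get(subcat, 0)   # not yet assessed counts as not implemented
        gap = want - have
        if gap <= 0:
            continue                          # already at or beyond target: no roadmap item
        rows.append((function_of(subcat), subcat, have, want, target.priority.get(subcat, 1) * gap))
    return sorted(rows, key=lambda r: (-r[4], r[1]))

# Constructed sample: today's state, and a target set from business priorities.
CURRENT = Profile("current", {"ID.AM-1": 1, "PR.AC-1": 2, "DE.CM-1": 0, "RS.CO-1": 3, "RC.RP-1": 1})
TARGET = Profile("target",
                 {"ID.AM-1": 3, "PR.AC-1": 3, "DE.CM-1": 2, "RS.CO-1": 3, "RC.RP-1": 2},
                 {"ID.AM-1": 3, "PR.AC-1": 2, "DE.CM-1": 3, "RS.CO-1": 1, "RC.RP-1": 2})

if __name__ == "__main__":
    for func, subcat, have, want, score in gap_roadmap(CURRENT, TARGET):
        print(f"{func:8} {subcat}  {have} -> {want}  priority score {score}")
```

Subcategories already at target (RS.CO-1 here) drop out of the roadmap, so the output is the Profile-driven "where to invest next" list the slide describes rather than a full control inventory.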

How to Use the Cybersecurity Framework

The Framework is designed to complement existing business and cybersecurity operations, and can be used to:
- Understand security status
- Establish / Improve a cybersecurity program
- Communicate cybersecurity requirements with stakeholders, including partners and suppliers
- Identify opportunities for new or revised standards
- Identify tools and technologies to help organizations use the Framework
- Integrate privacy and civil liberties considerations into a cybersecurity program

What's Next: Areas for Development, Alignment, and Collaboration

The Executive Order calls for the framework to identify areas for improvement that should be addressed through future collaboration with particular sectors and standards-developing organizations. High-priority areas for development, alignment, and collaboration were identified based on stakeholder input:
- Authentication
- Automated Indicator Sharing
- Conformity Assessment
- Cybersecurity Workforce
- Data Analytics
- Federal Agency Cybersecurity Alignment
- International Aspects, Impacts, and Alignment
- Supply Chain Risk Management
- Technical Privacy Standards

International Aspects, Impacts, and Alignment

Because the Framework references globally accepted standards, guidelines and practice, organizations domiciled inside and outside of the United States can use the Framework to efficiently operate globally and manage new and evolving risks.

Feedback from Stakeholders (ISACA): "Cybersecurity risks and threats are a global problem, and the more the Framework can be socialized globally, especially among governments and those agencies that deal with cyber issues, the better."

We are exchanging information and working with standards developing organizations, industry, and sectors to ensure the Cybersecurity Framework remains aligned and compatible with existing and developing standards and practices.

What's Next: Using the Cybersecurity Framework
- Organizations led by their senior executives are using the framework now
- Industry groups, associations, and non-profits are playing key roles in assisting their members to understand and use the framework by:
  - Building or mapping their sector's specific standards, guidelines, and best practices to the framework
  - Developing and sharing examples of how organizations are using the framework
- NIST is committed to helping organizations understand and use the framework and to getting feedback on initial use. A workshop was held on October 29th and 30th in Tampa, FL.

Where to Learn More and Stay Current

The Framework for Improving Critical Infrastructure Cybersecurity, the Roadmap, and related news and information are available at: http://www.nist.gov/cyberframework
Email: cyberframework@nist.gov