Collaborative, Standards-Based Approaches to Improving Cybersecurity

Similar documents
Framework for Improving Critical Infrastructure Cybersecurity

Framework for Improving Critical Infrastructure Cybersecurity

Framework for Improving Critical Infrastructure Cybersecurity

Framework for Improving Critical Infrastructure Cybersecurity

CRR-NIST CSF Crosswalk 1

Cybersecurity Framework Security Policy Mapping Table

Framework for Improving Critical Infrastructure Cybersecurity

Cybersecurity Framework: Current Status and Next Steps

Automation Suite for NIST Cyber Security Framework

Framework for Improving Critical Infrastructure Cybersecurity

Happy First Anniversary NIST Cybersecurity Framework:

Cybersecurity in the Utilities Sector Best Practices and Implementation 2014 Canadian Utilities IT & Telecom Conference September 24, 2014

Framework for Improving Critical Infrastructure Cybersecurity

Improving Critical Infrastructure Cybersecurity Executive Order Preliminary Cybersecurity Framework

Applying IBM Security solutions to the NIST Cybersecurity Framework

Happy First Anniversary NIST Cyber Security Framework:

NIST Cybersecurity Framework & A Tale of Two Criticalities

NIST Cybersecurity Framework Sean Sweeney, Information Security Officer 5/20/2015

Critical Manufacturing Cybersecurity Framework Implementation Guidance

Framework for Improving Critical Infrastructure Cybersecurity

NIST CYBERSECURITY FRAMEWORK COMPLIANCE WITH OBSERVEIT

Building Security In:

Executive Order 13636: The Healthcare Sector and the Cybersecurity Framework. September 23, 2014

Critical Infrastructure Cybersecurity Framework. Overview and Status. Executive Order Improving Critical Infrastructure Cybersecurity

Envisioning Collaboration for Medical Device and Healthcare Cybersecurity

Discussion Draft of the Preliminary Cybersecurity Framework

Cybersecurity Framework. Executive Order Improving Critical Infrastructure Cybersecurity

Appendix B: Mapping Cybersecurity Assessment Tool to NIST

Applying Framework to Mobile & BYOD

Welcome! Designing and Building a Cybersecurity Program

IT ASSET MANAGEMENT Securing Assets for the Financial Services Sector

The President issued an Executive Order Improving Critical Infrastructure Cybersecurity, on February 2013.

How To Write A Cybersecurity Framework

NIST Cybersecurity Framework. ARC World Industry Forum 2014

Data Breaches, Credit Card Fraud, Front Page News Are You Next?

National Cybersecurity Challenges and NIST. Donna F. Dodson Chief Cybersecurity Advisor ITL Associate Director for Cybersecurity

Intel Security Professional Services Leveraging NIST Cybersecurity Framework (CSF): Complexity is the enemy of security

HITRUST Common Security Framework Summary of Changes

NIST Cybersecurity Initiatives. ARC World Industry Forum 2014

The NIST Cybersecurity Framework (CSF) Unlocking CSF - An Educational Session

National Institute of Standards and Technology Smart Grid Cybersecurity

ACCESS RIGHTS MANAGEMENT Securing Assets for the Financial Services Sector

Weak (1.0) Limited (2.0) Effective (3.0) Strong (4.0) Very Strong (5.0)

CRR Supplemental Resource Guide. Volume 5. Incident Management. Version 1.1

ENERGY SECTOR CYBERSECURITY FRAMEWORK IMPLEMENTATION GUIDANCE

Business Continuity for Cyber Threat

Health Industry Implementation of the NIST Cybersecurity Framework

Cybersecurity Audit Why are we still Vulnerable? November 30, 2015

The NIST Framework for Improving Critical Infrastructure Cybersecurity - An Executive Guide

Information and Communications Technology Supply Chain Risk Management (ICT SCRM) AND NIST Cybersecurity Framework

How To Understand And Manage Cybersecurity Risk

Voluntary Cybersecurity Initiatives in Critical Infrastructure. Nadya Bartol, CISSP, SGEIT, 2014 Utilities Telecom Council

Nadya Bartol, CISSP, CGEIT VP, Industry Affairs and Cybersecurity Strategist UTC (Utilities Telecom Council) USA Utilities Telecom Council 1

Which cybersecurity standard is most relevant for a water utility?

Altius IT Policy Collection Compliance and Standards Matrix

NICE and Framework Overview

PROTIVITI FLASH REPORT

A Guide to Successfully Implementing the NIST Cybersecurity Framework. Jerry Beasley CISM and TraceSecurity Information Security Analyst

Testimony of. Kevin Stine. Leader, Security Outreach and Integration Group. Computer Security Division. Information Technology Laboratory

Understanding the NIST Cybersecurity Framework September 30, 2014

NIST Cybersecurity Framework Manufacturing Implementation

Why you should adopt the NIST Cybersecurity Framework

Wireless Infusion Pumps: Securing Hospitals Most Ubiquitous Medical Device

FY 2016 Inspector General Federal Information Security Modernization Act of 2014 Reporting Metrics V1.0

CONCEPTS IN CYBER SECURITY

Cyber Security and Privacy - Program 183

Implementing the U.S. Cybersecurity Framework at Intel A Case Study

Bellevue University Cybersecurity Programs & Courses

Domain 1 The Process of Auditing Information Systems

The NIST Cybersecurity Framework

NIST Cloud Computing Program Activities

Opening Up a Second Front for Cyber Security and Risk Management

U.S. DEPARTMENT OF ENERGY ENERGY SECTOR CYBERSECURITY OVERVIEW. November 12, 2012 NASEO

America s New Cybersecurity Framework: Help or New Source of Exposure?

Risk Management in Practice A Guide for the Electric Sector

IG ISCM MATURITY MODEL FOR FY 2015 FISMA FOR OFFICIAL USE ONLY

Do You Have The Right Practices In Your Cyber Supply Chain Tool Box? NDIA Systems Engineering Conference October 29, 2014

Big Data, Big Risk, Big Rewards. Hussein Syed

NIST Cybersecurity Framework What It Means for Energy Companies

Business Continuity in Healthcare

Enterprise Security Tactical Plan

RE: Experience with the Framework for Improving Critical Infrastructure Cybersecurity

CRISC Glossary. Scope Note: Risk: Can also refer to the verification of the correctness of a piece of data

April 8, Ms. Diane Honeycutt National Institute of Standards and Technology 100 Bureau Drive, Stop 8930 Gaithersburg, MD 20899

NIST CYBERSECURITY FRAMEWORK IMPLEMENTATION: ENERGY SECTOR APPROACH

DATA INTEGRITY. Reducing the impact of an attack BUILDING BLOCK WHITE PAPER

FFIEC Cybersecurity Assessment Tool

Industrial Control Systems Security Guide

Why you should adopt the NIST Cybersecurity Framework

Ed McMurray, CISA, CISSP, CTGA CoNetrix

CRR Supplemental Resource Guide. Volume 6. Service Continuity Management. Version 1.1

Function Category Subcategory Subcategory Informative References

Security Controls Assessment for Federal Information Systems

Release of the Draft Cybersecurity Procurement Language for Energy Delivery Systems

Designing & Building a Cybersecurity Program. Based on the NIST Cybersecurity Framework (CSF)

CForum: A Community Driven Solution to Cybersecurity Challenges

National Initiative for Cyber Security Education

Emerging SCADA and Security Solutions Presented by; Michael F. Graves, P.E. Chris Murphy, CISSP

IEEE-Northwest Energy Systems Symposium (NWESS)

Transcription:

Collaborative, Standards-Based Approaches to Improving Cybersecurity ISACA-NCAC Annual Meeting May 24, 2016 Kevin Stine Kevin.Stine@nist.gov

National Institute of Standards and Technology (NIST) About NIST NIST s mission is to develop and promote measurement, standards, and technology to enhance productivity, facilitate trade, and improve the quality of life. 3,000 employees 2,700 guest researchers 1,300 field staff in partner organizations Two main locations: Gaithersburg, MD and Boulder, CO NIST Priority Research Areas Advanced Manufacturing IT and Cybersecurity Healthcare Forensic Science Disaster Resilience Cyber-physical Systems Advanced Communications 2

NIST s Cybersecurity Portfolio Research, develop, and apply practical, innovative security technologies and methodologies that enhance our ability to address current and future computer and information security challenges. Biometrics Software Assurance Domain Name Security Identity Management FISMA Security Automation National Vulnerability Database Configuration Checklists Digital Signatures Risk Management Authentication IPv6 Security Profile Supply Chain NICE Health IT Security Key Management Secure Hash PKI Privacy Engineering Smart Grid Continuous Monitoring Small Business Outreach Mobile Devices Standards Cloud Computing Usability NSTIC Passwords Hardware Security Electronic Voting Wireless Security Awareness Vulnerability Measurement Security Metrics Public Safety Communications NCCoE 3

Applied Cybersecurity Division Implements practical cybersecurity and privacy through outreach and the effective application of standards and best practices necessary for the U.S. to adopt cybersecurity capabilities. Trusted Identity Initiative Integrate, apply and promote IdM technologies, standards, and guidelines for information and cyber-physical systems Projects: NSTIC, E-Authentication, ICAM Cybersecurity and Privacy Applications Develop, integrate, and promote security standards, guidelines, and measurements to address critical cybersecurity needs Projects: CSF, NICE, Smart Grid and Industrial Control Systems, Privacy Risk Mgt, Public Safety, Small Business Outreach, FISSEA, Health IT, Electronic Voting National Cybersecurity Center of Excellence Accelerate the deployment and use of secure, standards-based technologies Projects: Sector use cases and Cross-sector building blocks 4

NIST s Work Provides a Security Foundation Federal government State, Local and Tribal governments Healthcare Financial Sector and Payment Card Industry Energy and the Smart Grid Industrial Control Systems Information Technology 5

This Security Foundation is based on Risk Management Determine risk tolerance Identify and assess risks Respond to risks Monitor risks over time No risk can be completely eliminated Monitor Assess Frame Respond

Key Properties of Cyber Risk Management Integrated Risk Management Program Risk Management Process External Participation 7

Executive Order: Improving Critical Infrastructure Cybersecurity It is the policy of the United States to enhance the security and resilience of the Nation s critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties President Barack Obama Executive Order 13636, Feb. 12, 2013 The National Institute of Standards and Technology (NIST) was directed to work with stakeholders to develop a voluntary framework for reducing cyber risks to critical infrastructure Version 1.0 of the framework was released on Feb. 12, 2014, along with a roadmap for future work 8

The Cybersecurity Framework Is for Organizations Of any size, in any sector in the critical infrastructure That already have a mature cyber risk management and cybersecurity program That don t yet have a cyber risk management or cybersecurity program With a mission of helping keep up-to-date on managing risk and facing business or societal threats 9

Cybersecurity Framework Components Aligns industry standards and best practices to the Framework Core in a particular implementation scenario Cybersecurity activities and informative references, organized around particular outcomes Supports prioritization and measurement while factoring in business needs Framework Profile Framework Core Enables communication of cyber risk across an organization Framework Implementation Tiers Describes how cybersecurity risk is managed by an organization and degree the risk management practices exhibit key characteristics 10

Taxonomy Value Proposition Plant classification is the placing of known plants into groups or categories to show some relationship. Scientific classification follows a system of rules that standardizes the results, and groups successive categories into a hierarchy. For example, the family to which lilies belong is classified as: Kingdom: Plantae Phylum: Magnoliophyta Class: Liliopsida Order: Liliales Family: Liliaceae Genus:... Species:... Value Proposition Accurate communication Quickly categorize known Logically name unknown Inherent properties understood based on name

Core Cybersecurity Framework Component What processes and assets need protection? What safeguards are available? What techniques can identify incidents? What techniques can contain impacts of incidents? What techniques can restore capabilities? Function Category ID Asset Management ID.AM Business Environment ID.BE Governance ID.GV Identify Risk Assessment ID.RA Protect Detect Respond Recover Risk Management Strategy Access Control Awareness and Training Data Security Information Protection Processes & Procedures Maintenance Protective Technology Anomalies and Events Security Continuous Monitoring Detection Processes Response Planning Communications Analysis Mitigation Improvements Recovery Planning Improvements Communications ID.RM PR.AC PR.AT PR.DS PR.IP PR.MA PR.PT DE.AE DE.CM DE.DP RS.RP RS.CO RS.AN RS.MI RS.IM RC.RP RC.IM RC.CO 12

Core Cybersecurity Framework Component Function Category ID Asset Management ID.AM Business Environment ID.BE Identify Governance ID.GV Risk Assessment ID.RA Risk Management Strategy ID.RM Access Control PR.AC Awareness and Training PR.AT Data Security PR.DS Protect Information Protection Processes & Procedures PR.IP Maintenance PR.MA Protective Technology PR.PT Anomalies and Events DE.AE Detect Security Continuous Monitoring DE.CM Detection Processes DE.DP Response Planning RS.RP Communications RS.CO Respond Analysis RS.AN Mitigation RS.MI Improvements RS.IM Recovery Planning RC.RP Recover Improvements RC.IM Communications RC.CO Subcategory ID.BE-1: The organization s role in the supply chain is identified and communicated ID.BE-2: The organization s place in critical infrastructure and its industry sector is identified and communicated ID.BE-3: Priorities for organizational mission, objectives, and activities are established and communicated ID.BE-4: Dependencies and critical functions for delivery of critical services are established ID.BE-5: Resilience requirements to support delivery of critical services are established Informative References COBIT 5 APO08.04, APO08.05, APO10.03, APO10.04, APO10.05 ISO/IEC 27001:2013 A.15.1.3, A.15.2.1, A.15.2.2 NIST SP 800-53 Rev. 4 CP-2, SA-12 COBIT 5 APO02.06, APO03.01 NIST SP 800-53 Rev. 4 PM-8 COBIT 5 APO02.01, APO02.06, APO03.01 ISA 62443-2-1:2009 4.2.2.1, 4.2.3.6 NIST SP 800-53 Rev. 4 PM-11, SA- 14 ISO/IEC 27001:2013 A.11.2.2, A.11.2.3, A.12.1.3 NIST SP 800-53 Rev. 4 CP-8, PE-9, PE-11, PM-8, SA-14 COBIT 5 DSS04.02 ISO/IEC 27001:2013 A.11.1.4, A.17.1.1, A.17.1.2, A.17.2.1 NIST SP 800-53 Rev. 4 CP-2, 13CP- 11, SA-14 13

Implementation Tiers Risk Management Process Integrated Risk Management Program External Participation 1 2 3 4 Partial Risk Informed Repeatable Adaptive The functionality and repeatability of cybersecurity risk management The extent to which cybersecurity is considered in broader risk management decisions The degree to which the organization benefits my sharing or receiving information from outside parties 14 14

Profile Cybersecurity Framework Component Ways to think about a Profile: A customization of the Core for a given sector, subsector, or organization A fusion of business/mission logic and cybersecurity outcomes Identify Protect Detect Respond Recover An alignment of cybersecurity requirements with operational methodologies A basis for assessment and expressing target state A decision support tool for cybersecurity risk management 15

Supporting Risk Management with the CSF 16

Key Attributes It s a framework, not a prescription It provides a common language and systematic methodology for managing cyber risk It is meant to be adapted It does not tell a company how much cyber risk is tolerable, nor does it claim to provide the one and only formula for cybersecurity Having a common lexicon to enable action across a very diverse set of stakeholders will enable the best practices of elite companies to become standard practices for everyone The framework is a living document It is intended to be updated over time as stakeholders learn from implementation, and as technology and risks change That s one reason why the framework focuses on questions an organization needs to ask itself to manage its risk. While practices, technology, and standards will change over time principals will not 17

Industry Use The Framework is designed to complement existing business and cybersecurity operations, and has been used to: Self-Assessment, Gap Analysis, Budget & Resourcing Decisions Standardizing Communication Between Business Units Harmonize Security Operations with Audit Communicate Requirements with Partners and Suppliers Describe Applicability of Products and Services Identify Opportunities for New or Revised Standards Categorize College Course Catalogs As a Part of Cybersecurity Certifications Categorize and Organize Requests for Proposal Responses Consistent dialog, both within and amongst countries Common platform on which to innovate, by identifying market opportunities where tools and capabilities may not exist today 18

Examples of Framework Industry Resources Italy s National Framework for Cybersecurity Cybersecurity Guidance for Small Firms The Cybersecurity Framework in Action: An Intel Use Case Cybersecurity Risk Management and Best Practices Working Group 4: Final Report Energy Sector Cybersecurity Framework Implementation Guidance 19

Examples of U.S. State & Local Use Texas, Department of Information Resources Aligned Agency Security Plans with Framework Aligned Product and Service Vendor Requirements with Framework North Dakota, Information Technology Department Allocated Roles & Responsibilities using Framework Adopted the Framework into their Security Operation Strategy National Association of State CIOs 2 out of 3 CIOs from the 2015 NASCIO Awards cited Framework as a part of their award-winning strategy Houston, Greater Houston Partnership Integrated Framework into their Cybersecurity Guide Offer On-Line Framework Self-Assessment New Jersey Developed a cybersecurity framework that aligns controls and procedures with Framework 20

International Dialogs Over 30 countries have participated in discussion with NIST, including dialog with: The European Union, and 14 out of 28 Member States The Five Eyes 6 countries in Asia 5 countries in the Middle East 21

Recent and Near-Term Framework Events RFI: Views on the Framework for Improving Critical Infrastructure Cybersecurity Questions focused on: experiences, update, governance, and best practice sharing RFI Analysis Summary posted that includes analysis of topic trends in RFI responses and continued discussion topics for Workshop break-out sessions Cybersecurity Framework Workshop 2016 Goal: Highlight examples of Framework use, gather feedback on timing and content of an update, governance, and best practice sharing Workshop Summary Publication on the topics that evoked the most consensus and dissonance at Cybersecurity Framework Workshop 2016 22

Program Eras Feb 2013 Feb 2014 Dec 2015 Develop Support Update Five Workshops Request for Information Request for Information Key Milestones Request for Information Request for Comment Publication Workshop Speaking Events Workshop Request for Comment Publication NIST is: Adjudicating Stakeholder Input Crafting Version 1.0 Educating Building a Knowledge Base and Resource Catalog Adjudicating Stakeholder Input Crafting Version Next Stakeholders are: Participating in the development process Understanding and Piloting Framework Sharing Work Products Expanding Framework Implementations Participating in the Update Process 23

Resources Where to Learn More and Stay Current The National Institute of Standards and Technology Web site is available at http://www.nist.gov NIST Computer Security Resource Center is available at http://csrc.nist.gov/ The Framework for Improving Critical Infrastructure Cybersecurity and related news and information are available at www.nist.gov/cyberframework For additional Framework info and help cyberframework@nist.gov

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information