Happy First Anniversary NIST Cybersecurity Framework: We've Hardly Known Ya
Chad Stowe, CISSP, CISA, MBA
Who is your organization on Cybersecurity?
Problem Statement
Management has not been given the correct information to understand and act upon the risks, processes, and skill requirements needed to address cybersecurity risk in their organizations, and it is not their fault.
Questions companies should be asking themselves.
- How would you detect if you had a cyber security related exposure?
- How would you know if someone took, or shared with others, sensitive company-specific information?
- What prevention measures do you have in place to protect against a cybersecurity attack?
- Given that some companies spend above 250 million per year on cyber security, what makes you feel as though your environment is protected?
- Do you know what you would do in the event an unauthorized person gained access to your network?
- What do you think is the value of information in your company? Information is not an asset on your financial statements; however, if it were stolen or shared outside the company, how could it affect your company's future financial performance?
NIST, The Framework
NIST Cybersecurity Risk Assessment
[Figure: the five NIST Cybersecurity Framework functions - Identify, Protect, Detect, Respond, Recover]
2013 Hein & Associates LLP.
The Framework Structure
- 5 Functions (Entity Risk Areas)
- 22 Categories (Control Objectives)
- 98 Subcategories (Control Requirements)
CSX Respondent Results
75% of CISOs and CISMs had heard of the framework.
Benefits:
- Overall increase in awareness of cybersecurity threats
- Better strategic alignment of security with enterprise objectives
- Greater support from senior management
- Sense of improved overall governance of cybersecurity
50 percent of those who are using the framework reported an increased overall level of cybersecurity governance in their organization.
CSX Program Steps
1. Prioritize & Scope
2. Orient
3. Create a Current Profile
4. Conduct a Risk Assessment
5. Create a Target Profile
6. Determine, Analyze, and Prioritize Gaps
7. Implement Action Plans
Risk Assessment Approach
Scope Areas: Function > Category (Control Objective) > Subcategory (Requirements) > Scope Area (Systems)
For each: Example Questions, Walkthrough, Supporting Documentation, Tier Assessment
NIST, The Details
Technical Speak: "I used 256-bit Diffie-Hellman with SHA-2 to send you an email." HUH?
Layman Speak: "I sent you a secure email that allows you to verify it came from me."
Identify (ID)
Function: IDENTIFY (ID)
Categories: Asset Management (ID.AM), Business Environment (ID.BE), Governance (ID.GV), Risk Assessment (ID.RA), Risk Management Strategy (ID.RM)
- ID.AM: Understanding your hardware, software, resources - 6 Sub.
- ID.BE: Security alignment with organization and stakeholders - 5 Sub.
- ID.GV: Security policies, process, and role definition and alignment - 4 Sub.
- ID.RA: Threat and vulnerability assessment - 6 Sub.
- ID.RM: Defining the organization's risk appetite - 3 Sub.
24 Total Subcategories
Protect (PR)
Function: PROTECT (PR)
Categories: Access Control (PR.AC), Awareness and Training (PR.AT), Data Security (PR.DS), Information Protection Processes and Procedures (PR.IP), Maintenance (PR.MA), Protective Technology (PR.PT)
- PR.AC: Access management process - 5 Sub.
- PR.AT: Communicating security roles and responsibilities / awareness training - 5 Sub.
Protect (PR) Cont.
- PR.DS: Manage information to protect the confidentiality, integrity, and availability of information - 7 Sub.
- PR.IP: Security policies and procedures are used to manage information systems - 12 Sub.
These categories are TOO NEBULOUS and try to cover too many bases!
Tips to Attack Nebulousness
- Organization size
- Resource availability
- What information needs to be protected
- Information criticality
- Supporting system(s)
- Protection capabilities
- Risk appetite
Protect (PR) Cont.
- PR.MA: Maintenance, repair and patching of systems - 2 Sub.
- PR.PT: Protecting systems, logs, media, and networks using least privilege - 4 Sub.
35 Total Subcategories
Detect (DE)
Function: DETECT (DE)
Categories: Anomalies and Events (DE.AE), Security Continuous Monitoring (DE.CM), Detection Processes (DE.DP)
- DE.AE: Event triggers and impacts - 5 Sub.
- DE.CM: Event detection measures - 8 Sub.
- DE.DP: Event identification processes - 5 Sub.
18 Total Subcategories
Respond (RS)
Function: RESPOND (RS)
Categories: Response Planning (RS.RP), Communications (RS.CO), Analysis (RS.AN), Mitigation (RS.MI), Improvements (RS.IM)
- RS.RP: Response procedure development/performance - 1 Sub.
- RS.CO: Roles, reporting, coordination - 5 Sub.
- RS.AN: Incident investigation and impact analysis - 4 Sub.
- RS.MI: Minimize the impact of an incident - 3 Sub.
- RS.IM: Continuous improvement of response plans and strategies - 2 Sub.
15 Total Subcategories
Recover (RC)
Function: RECOVER (RC)
Categories: Recovery Planning (RC.RP), Improvements (RC.IM), Communications (RC.CO)
- RC.RP: Recovery plan development and execution - 1 Sub.
- RC.IM: Strategies and lessons learned - 2 Sub.
- RC.CO: Restoration of confidence and cleanup - 3 Sub.
6 Total Subcategories
Framework Tiers
Tier   | Risk Management Process                                    | Integrated Risk Management Program               | External Participation
Tier 1 | Ad hoc and reactive                                        | Limited communication & activity                 | Limited or no activities performed
Tier 2 | Informal processes                                         | Active communication, adequate staff, and process | Understands role externally as a customer & a vendor
Tier 3 | Formal policies and procedures                             | Organization-wide approach, consistency          | Understands dependencies and partners as customer & a vendor
Tier 4 | Changes based on lessons learned and predictive indicators | Cybersecurity risk management is a part of the culture | Actively shares risk information as customer & a vendor
Tier Scoring Summary
Function     | Desired Score | Assessed Score
IDENTIFY (ID) | 3.4 | 2.5
PROTECT (PR)  | 3.7 | 3
DETECT (DE)   | 3.7 | 2.9
RESPOND (RS)  | 3.2 | 2.5
RECOVER (RC)  | 3   | 2.5
[Chart: Cybersecurity Process Tier Maturity - desired vs. assessed score per function, scale 0 to 4]
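As an added example (not from the presentation), steps 3 to 6 of the CSX program in code: the subcategory counts from the slides define the framework, subcategory tier ratings roll up into a current profile per function, and the desired vs. assessed scores from the summary above are sorted by gap. The subcategory ids and tier ratings used as input are constructed for illustration.

```python
"""NIST CSF profile gap analysis (added example, not from the slides)."""
from statistics import mean

# Subcategory counts per category as given on the slides (CSF v1.0: 5 / 22 / 98).
FRAMEWORK = {
    "IDENTIFY (ID)": {"ID.AM": 6, "ID.BE": 5, "ID.GV": 4, "ID.RA": 6, "ID.RM": 3},
    "PROTECT (PR)": {"PR.AC": 5, "PR.AT": 5, "PR.DS": 7, "PR.IP": 12, "PR.MA": 2, "PR.PT": 4},
    "DETECT (DE)": {"DE.AE": 5, "DE.CM": 8, "DE.DP": 5},
    "RESPOND (RS)": {"RS.RP": 1, "RS.CO": 5, "RS.AN": 4, "RS.MI": 3, "RS.IM": 2},
    "RECOVER (RC)": {"RC.RP": 1, "RC.IM": 2, "RC.CO": 3},
}
# Two-letter function prefix ("ID", "PR", ...) -> function name.
FUNCTION_OF = {cat[:2]: fn for fn, cats in FRAMEWORK.items() for cat in cats}

def subcategory_total() -> int:
    """Total number of subcategories across the framework (slides say 98)."""
    return sum(sum(cats.values()) for cats in FRAMEWORK.values())

def validate(sub_id: str, tier: int) -> None:
    """Reject ids not in the framework (e.g. ID.AM-7) and tiers outside 1..4."""
    cat, _, num = sub_id.partition("-")
    count = FRAMEWORK.get(FUNCTION_OF.get(cat[:2], ""), {}).get(cat)
    if count is None or not num.isdigit() or not 1 <= int(num) <= count:
        raise ValueError(f"unknown subcategory {sub_id!r}")
    if tier not in (1, 2, 3, 4):
        raise ValueError(f"tier for {sub_id} must be 1..4, got {tier}")

def current_profile(assessment: dict[str, int]) -> dict[str, float]:
    """Roll subcategory tier ratings ({'ID.AM-1': 2, ...}) up to a mean per function."""
    per_function: dict[str, list[int]] = {}
    for sub_id, tier in assessment.items():
        validate(sub_id, tier)
        per_function.setdefault(FUNCTION_OF[sub_id[:2]], []).append(tier)
    return {fn: round(mean(tiers), 2) for fn, tiers in per_function.items()}

def prioritize_gaps(desired: dict[str, float], assessed: dict[str, float]) -> list[tuple]:
    """Compare target profile to current profile; largest gap first (stable for ties)."""
    rows = [(fn, desired[fn], assessed.get(fn, 0.0),
             round(desired[fn] - assessed.get(fn, 0.0), 2))
            for fn in FRAMEWORK if fn in desired]
    return sorted(rows, key=lambda r: -r[3])

if __name__ == "__main__":
    # Desired and assessed function scores from the Tier Scoring Summary slide.
    desired = {"IDENTIFY (ID)": 3.4, "PROTECT (PR)": 3.7, "DETECT (DE)": 3.7,
               "RESPOND (RS)": 3.2, "RECOVER (RC)": 3.0}
    assessed = {"IDENTIFY (ID)": 2.5, "PROTECT (PR)": 3.0, "DETECT (DE)": 2.9,
                "RESPOND (RS)": 2.5, "RECOVER (RC)": 2.5}
    print(f"{subcategory_total()} subcategories in scope")
    for fn, want, have, gap in prioritize_gaps(desired, assessed):
        print(f"{fn:14} desired {want:.1f} assessed {have:.1f} gap {gap:+.1f}")
```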
NIST, Adoption?
Why is it not being widely adopted?
- SOC Reports
- Cyber-Liability Insurance
- No regulatory requirement
- Executive education
- Skilled staff required
- Sarbanes-Oxley
- "There's a NIST Cybersecurity Framework?"
How does the Framework Align to SOX?
- 98 Total Subcategories
- 22 can be traced to Sarbanes-Oxley testing
- 11 clearly map to Sarbanes-Oxley
- 11 have a partial mapping to Sarbanes-Oxley
SOX Aligned / Partially SOX Aligned subcategories (as listed on the slide):
DE.AE-1, ID.AM-3, DE.CM-4, PR.PT-1, PR.AC-1, ID.AM-4, ID.GV-2, PR.PT-2, PR.AC-2, ID.GV-1, PR.AC-3, PR.PT-3, PR.AC-4, PR.IP-3, PR.AT-3, PR.PT-4, PR.AT-2, PR.IP-4, PR.DS-2, PR.DS-6, PR.DS-7, PR.IP-11
Downfalls
- Unclear privacy requirements
- Confusing Tiers/Maturity Model
- The Framework does not educate executive management, does not provide clear guidance, and is not tied to any regulation
Should Cybersecurity be Regulated?
Regardless of industry, which element of legal and regulatory requirements are all industries subject to?
A. Sarbanes-Oxley
B. HIPAA
C. Due Care
D. Privacy Act
E. PCI
Regulatory Notes
- July 2002 - Sarbanes-Oxley Act
- November 2002 - Homeland Security Act
- November 2002 - Federal Information Security Management Act (FISMA)
- November 2002 - Cyber Security Research and Development Act: required NIST to establish cybersecurity research programs.
There have been no MAJOR cybersecurity related regulations since November 2002.
To Regulate or Not to Regulate
NIST Take-Aways
- People, Process and Technology
- Organizations must own incident response
- Invest in experts for protection and detection
- Take ownership of the risk
- Inventory systems and critical data
NIST Take-Aways (Cont.)
- Framework context
- Think organizational risk
- Derive risk appetite
- Control efficiency
- The NIST framework must be improved upon
Food for Thought When thinking about cybersecurity, risk does not create an issue, but an issue can create risk. However, we must address the issue of assessing cybersecurity risk.
Contact Information
Chad Stowe, CISSP, CISA, MBA
Managing Consultant
cstowe@heincpa.com
Office (303) 965-7909