Managing Security Risk In a World of Complex Systems and IT Infrastructures



Similar documents
Security Risk Management For Health IT Systems and Networks

Cloud Computing Technologies Achieving Greater Trustworthiness and Resilience

Cyber Security Risk Management: A New and Holistic Approach

Managing Security and Privacy Risk in Healthcare Applications

FISMA Implementation Project

FREQUENTLY ASKED QUESTIONS

Cybersecurity. Cloud. and the. 4TH Annual NICE Workshop Navigating the National Cybersecurity Education InterState Highway September 2013

Security Controls Assessment for Federal Information Systems

Cybersecurity in the Utilities Sector Best Practices and Implementation 2014 Canadian Utilities IT & Telecom Conference September 24, 2014

Advancing Access to Restricted Data: Regulations, Compliance, Continuous Monitoring. OH MY!!!

MANAGING THE CONFIGURATION OF INFORMATION SYSTEMS WITH A FOCUS ON SECURITY

NIST Cybersecurity Initiatives. ARC World Industry Forum 2014

Reports on Computer Systems Technology

Guide for Applying the Risk Management Framework to Federal Information Systems

Security Control Standard

Guide for Conducting Risk Assessments

Supply Chain Risk Management Practices for Federal Information Systems and Organizations

Security and Privacy Controls for Federal Information Systems and Organizations

From Chaos to Clarity: Embedding Security into the SDLC

IG ISCM MATURITY MODEL FOR FY 2015 FISMA FOR OFFICIAL USE ONLY

Guide for Security-Focused Configuration Management of Information Systems

CYBERSECURITY CHALLENGES FOR DOD ACQUISITION PROGRAMS. Steve Mills Professor of Information Technology

Guide for Assessing the Security Controls in Federal Information Systems and Organizations

Cybersecurity Framework: Current Status and Next Steps

CYBERSECURITY CHALLENGES FOR DOD ACQUISITION PROGRAMS. Steve Mills DAU-South

AODR Role-Based Training. Name Title Division Name U.S. Department of Energy Office of the Associate CIO for Cyber Security

Cybersecurity Framework. Executive Order Improving Critical Infrastructure Cybersecurity

State Agency Cyber Security Survey v October State Agency Cybersecurity Survey v 3.4

ICT Supply Chain Risk Management

NASA OFFICE OF INSPECTOR GENERAL

NERC CIP VERSION 5 COMPLIANCE

Next Generation Security Strategies. Marc Sarrias Regional Sales Manager

NIST Special Publication (SP) , Revision 2, Security Considerations in the System Development Life Cycle

SECURITY CONTROLS AND RISK MANAGEMENT FRAMEWORK

NIST Cybersecurity Framework. ARC World Industry Forum 2014

Cybersecurity: Mission integration to protect your assets

Cyber Security Metrics Dashboards & Analytics

Discussion Draft of the Preliminary Cybersecurity Framework Illustrative Examples

DoD Strategy for Defending Networks, Systems, and Data

PUTTING NIST GUIDELINES FOR INFORMATION SECURITY CONTINUOUS MONITORING INTO PRACTICE

Industrial Control Systems Security Guide

April 8, Ms. Diane Honeycutt National Institute of Standards and Technology 100 Bureau Drive, Stop 8930 Gaithersburg, MD 20899

The introduction covers the recent changes is security threats and the effect those changes have on how we protect systems.

Intelligence Driven Security

Guide for Applying the Risk Management Framework to Federal Information Systems

Cybersecurity Enhancement Account. FY 2017 President s Budget

Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations

SECURITY RISK MANAGEMENT

INFORMATION SYSTEMS. Revised: August 2013

Independent Evaluation of NRC s Implementation of the Federal Information Security Modernization Act of 2014 for Fiscal Year 2015

How To Write A Cybersecurity Framework

DoD Software Assurance (SwA) Overview

Framework for Improving Critical Infrastructure Cybersecurity

Enterprise Security Tactical Plan

NIST Cybersecurity Framework Manufacturing Implementation

CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL

FFIEC Cybersecurity Assessment Tool Overview for Chief Executive Officers and Boards of Directors

Tim Denman Systems Engineering and Technology Dept Chair/ Cybersecurity Lead DAU South, Huntsville

Computing. Federal Cloud. Service Providers. The Definitive Guide for Cloud. Matthew Metheny ELSEVIER. Syngress is NEWYORK OXFORD PARIS SAN DIEGO

Framework for Improving Critical Infrastructure Cybersecurity

Security Authorization Process Guide

A Role-Based Model for Federal Information Technology/ Cybersecurity Training

Capabilities for Cybersecurity Resilience

Designing & Building a Cybersecurity Program. Based on the NIST Cybersecurity Framework (CSF)

U.S. FLEET CYBER COMMAND U.S. TENTH FLEET DoD RMF Transition

National Cybersecurity Challenges and NIST. Donna F. Dodson Chief Cybersecurity Advisor ITL Associate Director for Cybersecurity

ICBA Summary of FFIEC Cybersecurity Assessment Tool

Assessing Security and Privacy Controls in Federal Information Systems and Organizations

NIST Cloud Computing Program

Information Technology Risk Management

Cybersecurity Awareness for Executives

Information Security for Managers

LOGIIC Remote Access. Final Public Report. June LOGIIC - APPROVED FOR PUBLIC DISTRIBUTION

January IIA / ISACA Joint Meeting Pre-meeting. Cybersecurity Update for Internal Auditors. Matt Wilson, PwC Risk Assurance Director

Waterfall for NERC-CIP Compliance

FedVTE Training Catalog SPRING advance. Free cybersecurity training for government personnel. fedvte.usalearning.gov

NHTSA S AUTOMOTIVE CYBERSECURITY RESEARCH. Arthur Carter, Frank Barickman, NHTSA

John Essner, CISO Office of Information Technology State of New Jersey

C ETS C/ETS: CYBER INTELLIGENCE + ENTERPRISE SOLUTIONS CSCSS / ENTERPRISE TECHNOLOGY + SECURITY

Security Issues in Cloud Computing

NIST SP , Revision 1 Contingency Planning Guide for Federal Information Systems

Enterprise Cybersecurity: Building an Effective Defense

Suzanne B. Schwartz, MD, MBA Director Emergency Preparedness/Operations & Medical Countermeasures (EMCM Program) CDRH/FDA

Dr. Ron Ross National Institute of Standards and Technology

CYBER SECURITY GUIDANCE

Cybersecurity Awareness. Part 1

IoT & SCADA Cyber Security Services

Minimum Security Requirements for Federal Information and Information Systems

Middle Class Economics: Cybersecurity Updated August 7, 2015

Using the HITRUST CSF to Assess Cybersecurity Preparedness 1 of 6

IBM Security Strategy

BEST PRACTICES IN CYBER SUPPLY CHAIN RISK MANAGEMENT

Transcription:

Object Management Group Technical Meeting Managing Security Risk In a World of Complex Systems and IT Infrastructures NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 1

Classes of Vulnerabilities A 2013 Defense Science Board Report described Tier 1: Known vulnerabilities. Tier 2: Unknown vulnerabilities (zero-day exploits). Tier 3: Adversary-created vulnerabilities (APT). A significant number of vulnerabilities are off the radar of many organizations NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 2

Good cyber hygiene is necessary But not sufficient. Which Road to Follow? You can t count, configure, or patch your way out of this problem space. Difficult decisions ahead. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 3

The hard cybersecurity problems are buried below the water line In the hardware, software, and firmware. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 4

The argument for building stronger, more resilient information systems Software assurance. Systems security engineering. Supply chain risk management. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 5

Getting the attention of the C-Suite. If you are not solving the right problems, you cannot effectively manage security risk. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 6

TACIT Security Threat Assets Complexity Integration Trustworthiness MERRIAM-WEBSTER DICTIONARY tac. it adjective : expressed or understood without being directly stated NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 7

Threat Develop a better understanding of the modern threat space, including the capability of adversaries to launch sophisticated, targeted cyber-attacks that exploit specific organizational vulnerabilities. Obtain threat data from as many sources as possible. Include external and insider threat analysis. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 8

Assets Conduct a comprehensive criticality analysis of organizational assets including information and information systems. Focus on mission/business impact. Use triage concept to segregate assets by criticality. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 9

Complexity Reduce the complexity of the information technology infrastructure including IT component products and information systems. Employ enterprise architecture to consolidate, optimize, and standardize the IT infrastructure. Adopt cloud computing architectures to reduce the number of IT assets through on-demand provisioning of services. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 10

Integration Integrate information security requirements and the security expertise of individuals into organizational development and management processes. Embed security personnel into enterprise architecture, systems engineering, SDLC, and acquisition processes. Coordinate security requirements with mission/business owners; become key stakeholders. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 11

Trustworthiness Invest in more trustworthy and resilient information systems supporting organizational missions and business functions. Isolate critical assets into separate enclaves. Implement solutions using modular design, layered defenses, component isolation. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 12

Summary TACIT Security Understand the cyber threat space. Conduct a thorough criticality analysis of organizational assets. Reduce complexity of IT infrastructure. Integrate security requirements into organizational processes. Invest in trustworthiness and resilience of IT components and systems. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 13

Risk Management Approach Frame Assess Respond Monitor Communicating and sharing risk-related information from the strategic to tactical level, that is from the executives to the operators. TIER 1 Organization (Governance) Communicating and sharing risk-related information from the tactical to strategic level, that is from the operators to the executives. TIER 2 Mission / Business Process (Information and Information Flows) TIER 3 Information Systems (Environment of Operation) NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 14

Risk Management Framework Starting Point CATEGORIZE Information System MONITOR Security Controls Continuously track changes to the information system that may affect security controls and reassess control effectiveness. Define criticality/sensitivity of information system according to potential worst-case, adverse impact to mission/business. Security Life Cycle SELECT Security Controls Select baseline security controls; apply tailoring guidance and supplement controls as needed based on risk assessment. AUTHORIZE Information System Determine risk to organizational operations and assets, individuals, other organizations, and the Nation; if acceptable, authorize operation. ASSESS Security Controls Determine security control effectiveness (i.e., controls implemented correctly, operating as intended, meeting security requirements for information system). IMPLEMENT Security Controls Implement security controls within enterprise architecture using sound systems engineering practices; apply security configuration settings. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 15

Joint Task Force Risk Management Toolset NIST Special Publication 800-39 Managing Information Security Risk: Organization, Mission, and Information System View NIST Special Publication 800-30 Guide for Conducting Risk Assessments NIST Special Publication 800-37 Applying the Risk Management Framework to Federal Information Systems NIST Special Publication 800-53 Security and Privacy Controls for Federal Information Systems and Organizations NIST Special Publication 800-53A Guide for Assessing the Security Controls in Federal Information Systems and Organizations NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 16

On the Horizon NIST Special Publication 800-160 Systems Security Engineering An Integrated Approach to Building Trustworthy Resilient Systems NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 17

Integrating the RMF and security concepts, principles, and best practices into IEEE/ISO/IEC 15288 Systems and software engineering System life cycle processes Building on International Standards Stakeholder requirements definition. Requirements analysis. Architectural design. Implementation. Integration. Verification. Transition. Validation. Operation. Maintenance. Disposal. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 18

Security must be a by-product of good design and development practices. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 19

Government Cybersecurity is a team sport. Academia Industry NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 20

Contact Information Project Leader 100 Bureau Drive Mailstop 8930 Gaithersburg, MD USA 20899-8930 Administrative Support Dr. Ron Ross Peggy Himes (301) 975-5390 (301) 975-2489 ron.ross@nist.gov peggy.himes@nist.gov LinkedIn http://www.linkedin.com/in/ronrossnist Senior Information Security Researchers and Technical Support Pat Toth Kelley Dempsey (301) 975-5140 (301) 975-2827 patricia.toth@nist.gov kelley.dempsey@nist.gov Web: csrc.nist.gov Comments: sec-cert@nist.gov NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 21

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information