Nationwide Cyber Security Review (NCSR) Frequently Asked Questions

Table of Contents

1. What is the Nationwide Cyber Security Review?
2. Is participation in the NCSR mandatory?
3. What does the NCSR cost?
4. What are the benefits of participating in the NCSR?
5. How is the NCSR different than other audits, surveys, assessments, reviews, etc.?
6. What is the Control Maturity Model (CMM)?
7. Which organizations can participate in the NCSR?
8. Who from my organization should participate in the NCSR?
9. Where is the NCSR located and how do I register for it?
10. What is the timeframe to complete and submit the Survey?
11. How is CIS MS-ISAC protecting the data associated with the 2014 NCSR?
12. What does it mean to be a Sub-Entity?
13. How are my reports shared?
14. Can MS-ISAC share the NCSR Individualized Reports with other individuals, organizations, or entities?
15. How will DHS and MS-ISAC use my results, and will my organization be identified?
16. How can I use my NCSR results?
17. What if I completed the previous NCSR, will I have access to my information?
18. Does participation in the NCSR impact or align with funding awarded under the Federal Emergency Management Agency (FEMA) Homeland Security Grant Program (HSGP)?
19. Who do I contact for NCSR-related questions or concerns?
20. Where can I obtain information on additional cybersecurity services offered by the DHS National Cyber Security Division (NCSD) or the MS-ISAC?

1. What is the Nationwide Cyber Security Review?

Answer: The NCSR, or Nationwide Cyber Security Review, is a voluntary self-assessment survey designed to evaluate cyber security management within state, local, tribal and territorial governments. The Senate Appropriations Committee has requested an ongoing effort to chart nationwide progress in cybersecurity and identify emerging areas of concern. In response, the U.S. Department of Homeland Security has partnered with the Center for Internet Security's Multi-State Information Sharing and Analysis Center (MS-ISAC), the National Association of Counties (NACo) and the National Association of State Chief Information Officers (NASCIO) to develop and conduct the second NCSR.

2. Is participation in the NCSR mandatory?

Answer: No, the NCSR is a voluntary review (i.e., participation is not federally mandated). However, State Chief Information Officers, for example, are free to encourage participation from their State agencies in order to support this Congressional initiative.

3. What does the NCSR cost?

Answer: Nothing. There is no cost to the participating organization beyond the time and effort taken by personnel to complete and submit the NCSR, which is between 1 and 2 hours.

4. What are the benefits of participating in the NCSR?

Answer: Once completed, participants will have access to a variety of reports that measure the level of adoption of security controls within the organization and include recommendations on how to raise the organization's risk awareness. After the review period, MS-ISAC and DHS will aggregate all review data and share in-depth statistical analysis with all participants via the NCSR Summary Report (the names of participants and their organizations will not be identified in this report). These reports and metrics can be utilized by your organization any way deemed fit; for example, they can be used to assess the developing maturity of your organization or for budget justification.

5. How is the NCSR different than other audits, surveys, assessments, reviews, etc.?

Answer: The NCSR focuses on the security practices adopted within an organization, as well as the degree to which risk is used to select and manage security controls. The NCSR is not designed to audit an organization's compliance toward any specific regulation, standard, or model, and will not be used for regulatory purposes. The model that is used to assess your organization is called the Control Maturity Model.

6. What is the Control Maturity Model (CMM)?

Answer: The NCSR relies on five escalating categories of security control maturity, called the Control Maturity Model. These levels of maturity are based on key milestone activities for information risk management. These milestones are closely aligned with security governance processes and maturity indexes embodied within the ISO 27001 Information Security Management System, Control Objectives for Information Technology (COBIT), Statement on Auditing Standards 6 (SAS #6) and National Institute of Standards and Technology (NIST) Special Publication 800 series methodologies for information security management and control. For further information regarding the CMM visit our website at http://msisac.cisecurity.org/resources/ncsr/

7. Which organizations can participate in the NCSR?

Answer: All States (and all agencies within), Local government jurisdictions (and all departments within), Tribal and Territorial governments. While any department can take the survey, information technology, health, revenue and transportation state departments are highly encouraged to participate in the NCSR.

8. Who from my organization should participate in the NCSR?

Answer: The NCSR seeks participation from personnel serving in any of the following roles within their organization: Chief Information Officer (CIO); Chief Information Security Officer (CISO); Chief Security Officer (CSO); Chief Technology Officer (CTO); Director of Information Technology (IT)/Information Systems (IS); or individuals responsible for Information Technology management. Since the questions cover a large breadth of information security and privacy areas, you have the option of assigning more than one user to fill out portions of the survey through the tool, or of downloading a .pdf of the question list to be filled out in hardcopy, which can then be collated and entered into the NCSR by the primary point of contact.

9. Where is the NCSR located and how do I register for it?

Answer: The NCSR is accessible via the NCSR link on the homepage of the NCSR Website. To register, visit http://msisac.cisecurity.org/resources/ncsr/ and complete the registration form.

Once your registration is complete, a user account will be created and a link to the Nationwide Cyber Security Review (NCSR) survey on the secure Navis platform, powered by Coalfire Systems, Inc., will be emailed to the point of contact for your organization. Once logged in, you will be required to set up additional security questions. Once the security questions are created, additional users can be created for your organization, or you can begin taking the survey. For additional questions, email NCSR@cisecurity.org.

10. What is the timeframe to complete and submit the Survey?

Answer: The NCSR starts on October 1, 2014 and ends on November 30, 2014. The NCSR is planned to coincide with the DHS National Cyber Security Awareness Month, which occurs annually in October. During this timeframe, you will be able to access the NCSR questions, save your progress, and resume the review anytime by logging back into the NCSR website. However, the survey must be completed and submitted by November 30, 2014.

11. How is CIS MS-ISAC protecting the data associated with the 2014 NCSR?

Answer: Security is a central tenet of CIS MS-ISAC and from the start it has been incorporated into the development of the NCSR Survey Tool. The NCSR will be hosted on the secure Navis platform, powered by Coalfire Systems, Inc. Coalfire Systems has an established record for excellence and security and is one of the top IT Governance, Risk and Compliance firms. MS-ISAC and Coalfire have worked together to safeguard your information.

12. What does it mean to be a Sub-Entity?

Answer: The NCSR Survey Tool has the functionality to organize participating entities in a hierarchical structure. This gives state, local, tribal and territorial (SLTT) governments that have a centralized governance structure the ability to recruit agencies or departments within their authority and to monitor their completion of the survey.

For example, the State of Y, with centralized oversight, can recruit departments or agencies under its jurisdiction to take the survey. If the organizations have mutually agreed, then the State of Y will have access to the results of any of the departments it recruited, as well as a special summary report of the results of its agencies/departments. Individual agencies of the State of Y cannot see each other's progress or results on the survey. The intention behind this is to supplement the flow of information for entities that have a centralized governance structure.

13. How are my reports shared?

Answer: If you are registered as a sub-entity to another organization, then your information is automatically available to that specific organization. However, if you are not a sub-entity, the decision to disseminate any Reports is entirely up to you (and/or your organization).

14. Can MS-ISAC share the NCSR Individualized Reports with other individuals, organizations, or entities?

Answer: MS-ISAC will not share your information unless your organization has agreed to have your results rolled up (shared) to a central, oversight organization. That relationship is established and agreed to at the time that your organization is registered. Your information is never shared with any other organizations outside of that relationship.

15. How will DHS and MS-ISAC use my results, and will my organization be identified?

Answer: Once the NCSR concludes on November 30, DHS and MS-ISAC will aggregate all responses and analyze the results to produce the NCSR Summary Report. The NCSR Summary Report will be non-attributable to individual participants; participant names, and their organizations, will not be identified within the NCSR Summary Report. This Summary Report will be presented to Congress in Q1 of 2016.

16. How can I use my NCSR results?

Answer: The reports can be used to document support for cybersecurity programs, guide implementation of security controls and be provided to decision makers to encourage additional investments in infrastructure or training. As part of the Individual Reports, you will receive tailored suggested practices based upon leading cyber security standards and best practices, including NIST, ISO, PCI DSS and others. In addition, NCSR will provide you with a report that compares your organization's score to those of similar organizations. If you have taken previous or future iterations of the NCSR, you will have the ability to track the maturity of your information security program over the course of time. The more you participate in the NCSR, the more useful information you get.

17. What if I completed the previous NCSR, will I have access to my information?

Answer: Absolutely. If your entity has taken the previous NCSR, then you will be provided with a unique Historical Report based upon your organization's previous and current results. This feature will also be in future iterations of the NCSR to provide you insight on how your security program is maturing.

18. Does participation in the NCSR impact or align with funding awarded under the Federal Emergency Management Agency (FEMA) Homeland Security Grant Program (HSGP)?

Answer: No, the NCSR will not directly impact funding awarded under the FEMA HSGP. Participation in the NCSR, and the resulting reports, will not guarantee cybersecurity funding under the FEMA HSGP. However, DHS and MS-ISAC are exploring the possibility of incorporating future iterations of the NCSR into the FEMA grants process.

19. Who do I contact for NCSR-related questions or concerns?

Answer: If you have any questions or would like additional information, please email NCSR@cisecurity.org or contact Kathleen Patentreger, NCSR Program Director, at (518) 880-0686.

20. Where can I obtain information on additional cybersecurity services offered by the DHS National Cyber Security Division (NCSD) or the MS-ISAC?

Answer: Requests for various NCSD programs and other services can be made by emailing us at NCSR@cisecurity.com.