CForum: A Community Driven Solution to Cybersecurity Challenges

Similar documents
NIST Cybersecurity Framework. ARC World Industry Forum 2014

70% of US Business Will Be Impacted by the Cybersecurity Framework: Are You Ready?

Cybersecurity Framework. Executive Order Improving Critical Infrastructure Cybersecurity

How To Write A Cybersecurity Framework

Voluntary Cybersecurity Initiatives in Critical Infrastructure. Nadya Bartol, CISSP, SGEIT, 2014 Utilities Telecom Council

Cybersecurity Framework: Current Status and Next Steps

Framework for Improving Critical Infrastructure Cybersecurity

Critical Infrastructure Cybersecurity Framework. Overview and Status. Executive Order Improving Critical Infrastructure Cybersecurity

ENERGY SECTOR CYBERSECURITY FRAMEWORK IMPLEMENTATION GUIDANCE

Framework for Improving Critical Infrastructure Cybersecurity

PROTIVITI FLASH REPORT

Framework for Improving Critical Infrastructure Cybersecurity

Executive Order 13636: The Healthcare Sector and the Cybersecurity Framework. September 23, 2014

Why you should adopt the NIST Cybersecurity Framework

Framework for Improving Critical Infrastructure Cybersecurity

Which cybersecurity standard is most relevant for a water utility?

Cybersecurity Audit Why are we still Vulnerable? November 30, 2015

Framework for Improving Critical Infrastructure Cybersecurity

Report: An Analysis of US Government Proposed Cyber Incentives. Author: Joe Stuntz, MBA EP 14, McDonough School of Business

Cybersecurity in the Utilities Sector Best Practices and Implementation 2014 Canadian Utilities IT & Telecom Conference September 24, 2014

National Cybersecurity Challenges and NIST. Donna F. Dodson Chief Cybersecurity Advisor ITL Associate Director for Cybersecurity

Why you should adopt the NIST Cybersecurity Framework

Building Security In:

April 8, Ms. Diane Honeycutt National Institute of Standards and Technology 100 Bureau Drive, Stop 8930 Gaithersburg, MD 20899

Framework for Improving Critical Infrastructure Cybersecurity

Water Sector Approach to Cybersecurity Risk Management

Intel Security Professional Services Leveraging NIST Cybersecurity Framework (CSF): Complexity is the enemy of security

RE: Experience with the Framework for Improving Critical Infrastructure Cybersecurity

Implementing the U.S. Cybersecurity Framework at Intel A Case Study

The President issued an Executive Order Improving Critical Infrastructure Cybersecurity, on February 2013.

NIST Cybersecurity Framework What It Means for Energy Companies

Business Continuity for Cyber Threat

National Institute of Standards and Technology Smart Grid Cybersecurity

The NIST Cybersecurity Framework

Improving Critical Infrastructure Cybersecurity Executive Order Preliminary Cybersecurity Framework

Health Industry Implementation of the NIST Cybersecurity Framework

Applying Framework to Mobile & BYOD

Information and Communications Technology Supply Chain Risk Management (ICT SCRM) AND NIST Cybersecurity Framework

NIST CYBERSECURITY FRAMEWORK IMPLEMENTATION: ENERGY SECTOR APPROACH

Billing Code: 3510-EA

Critical Manufacturing Cybersecurity Framework Implementation Guidance

Partnership for Cyber Resilience

Docket No. DHS , Notice of Request for Public Comment Regarding Information Sharing and Analysis Organizations

How To Protect Water Utilities From Cyber Attack

NIST Cybersecurity Framework Sean Sweeney, Information Security Officer 5/20/2015

Healthcare Cybersecurity Perspectives from the Michigan Healthcare Cybersecurity Council

Applying IBM Security solutions to the NIST Cybersecurity Framework

State Agency Cyber Security Survey v October State Agency Cybersecurity Survey v 3.4

CIPAC Water Sector Cybersecurity Strategy Workgroup: FINAL REPORT & RECOMMENDATIONS

Re: Experience with the Framework for Improving Critical Infrastructure Cybersecurity ( Framework )

A RIPE Implementation of the NIST Cyber Security Framework

Data Breach Response Planning: Laying the Right Foundation

DHS Cyber Security & Resilience Resources: Cyber Preparedness, Risk Mitigation, & Incident Response

Risk Management in Practice A Guide for the Electric Sector

How To Understand And Manage Cybersecurity Risk

Cybersecurity as a Risk Factor in doing business

Roadmaps to Securing Industrial Control Systems

NIST Cybersecurity Framework & A Tale of Two Criticalities

Cybersecurity Framework Security Policy Mapping Table

istockphoto/ljupco 36 June 2015 practicallaw.com 2015 Thomson Reuters. All rights reserved.

A Guide to Successfully Implementing the NIST Cybersecurity Framework. Jerry Beasley CISM and TraceSecurity Information Security Analyst

Department of Homeland Security Federal Government Offerings, Products, and Services

RE: ITI comments in response to NIST RFI: Experience with the Framework for Improving Critical Infrastructure Cybersecurity

Diane Honeycutt National Institute of Standards and Technology (NIST) 100 Bureau Drive, Stop 8930 Gaithersburg, MD 20899

7 Homeland. ty Grant Program HOMELAND SECURITY GRANT PROGRAM. Fiscal Year 2008

JOINT EXPLANATORY STATEMENT TO ACCOMPANY THE CYBERSECURITY ACT OF 2015

Program Overview and 2015 Outlook

PwC Cybersecurity Briefing

The Cybersecurity Framework and the SAFETY Act a Primer for Temple Business School

Delving Into FCC's 'Damn Important' Cybersecurity Report

NIST Cybersecurity Initiatives. ARC World Industry Forum 2014

Cyber Security and Privacy - Program 183

Nationwide Cyber Security Review (NCSR) Frequently Asked Questions

DHS Incentives Study: Analysis, Recommendations, and Areas Identified for Further Research

Enhancing NASA Cyber Security Awareness From the C-Suite to the End-User

IAPP Global Privacy Summit Protecting Privacy Under the Cybersecurity Microscope

December 13, Submitted via to

Framework for Improving Critical Infrastructure Cybersecurity

Framework for Improving Critical Infrastructure Cybersecurity

Nuclear Regulatory Commission Computer Security Office CSO Office Instruction

CRR-NIST CSF Crosswalk 1

C ETS C/ETS: CYBER INTELLIGENCE + ENTERPRISE SOLUTIONS CSCSS / ENTERPRISE TECHNOLOGY + SECURITY

PREPARED DIRECT TESTIMONY OF SCOTT KING ON BEHALF OF SOUTHERN CALIFORNIA GAS COMPANY

PROTECTING CRITICAL CONTROL AND SCADA SYSTEMS WITH A CYBER SECURITY MANAGEMENT SYSTEM

Envisioning Collaboration for Medical Device and Healthcare Cybersecurity

Navigating the NIST Cybersecurity Framework

CLIENT UPDATE CRITICAL INFRASTRUCTURE CYBERSECURITY: U.S. GOVERNMENT RESPONSE AND IMPLICATIONS

Response to NIST: Developing a Framework to Improve Critical Infrastructure Cybersecurity

Transcription:

SESSION ID: AST3-R01 CForum: A Community Driven Solution to Cybersecurity Challenges Tom Conkle Cybersecurity Engineer G2, Inc. @TomConkle Greg Witte Sr. Security Engineer G2, Inc. @thenetworkguy

Organizations continued to battle challenges to achieving cybersecurity risk management Image: Getty #41365208 Used with permission U.S. Executive Order (EO) 13636 initiated a dialogue to identify challenges and determine effective responses. Industry responded to a NIST RFI: Trying to prioritize security activities without context seems like Whack-a-Mole IT Security budget is a zero-sum game; every dollar spent on compliance is a dollar not spent on riskmanagement Application of security controls needs to be scalable Challenge balancing performance and conformance Need for better risk dialogue with executive management

What is CForum? In the next few slides, we ll provide some details about CForum CForum continues the conversation started during the Cybersecurity Framework workshops as: a place to collaborate about measuring and improving cybersecurity an environment for discussing emerging threats to cybersecurity information and operation technology a forum for thought leaders to share information Cyber.SecurityFramework.org 3

Community response and dialogue helped refine the challenges and solutions Framework Principles Flexibility Global Impact Risk Mgmt Approaches Leverage Existing Approaches, Standards, and Best Practices Common Points Senior Mgmt Engagement Understanding Threat Environment Business Risk Assessment Separation of Business & Operational Systems Models / Levels of Maturity Incident Response Cybersecurity Workforce Initial Gaps Metrics Privacy / Civil Liberties Tools Dependencies Industry Best Practices Resiliency Critical Infrastructure Cybersecurity Nomenclature 4

We also need a common language to help normalize and optimize activities Goal: Comply once use many NIST identified >450 commonly used standards & practices Many of these share categories and families of controls in common Keeping up with multiple compliance frameworks is resource intensive and costly Need to express requirements and status to supply chain partners For example: NIST SP 800-53 Control AC-3, ISO 27002:2013 A.9.4.1, and IEC 15408 FDP_ACC.2 all point to access control processes 5

The Cybersecurity Framework is comprised of three primary components Framework Core Framework Tiers Framework Profiles 6

CForum helps users understand how to apply the Framework for communications 7

CForum is an online forum for sharing lessons learned and good practices Industry leaders such as Tony Sager and Mike Brown help spark security conversations Several hundred users help ensure a balanced approach Relevant topic areas include: Framework specific training and discussion Topics for individual critical information sectors Next iteration of the Framework Implementation Guidance Supply Chain Risk Management 8

CForum can help identify others examples of use that can save your organization time Apply the Framework s flexibility to achieve organizational cybersecurity goals Learn how different organizations use it in different ways with different tools to achieve Framework outcomes 9

The Cybersecurity Framework in Action: An Intel Use Case Intel Corporation described how they used the Framework model to create a heat map for communicating and prioritizing cybersecurity activity among internal functional areas http://www.intel.com/content/www/us/en/government/cybersecurity-framework-in-action-use-case-brief.html 10

AWWA Guidance and Cybersecurity Tool American Water Works Association has developed Process Control System Security Guidance for the Water Sector and a supporting Cybersecurity Use-Case Tool. The AWWA s cybersecurity resources are designed to provide actionable information for utility owner/operators based on their use of process control systems. http://www.awwa.org/resources-tools/water-and-wastewater-utility-management/cybersecurity-guidance.aspx 11

Homeland Security provides valuable resources to apply the Framework model DHS Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) provides the Cyber Security Evaluation Tool (CSET) Numerous resources from the Critical Infrastructure Cyber Community (C³) Voluntary Program https://ics-cert.us-cert.gov/assessments https://www.us-cert.gov/ccubedvp 12

CForum provides a venue for sharing risk information with other organizations ISACs and Sector Coordinating organizations use CForum to share information about emerging threats, and successful incident response methods Organizations can compare notes about how to characterize risks & threats Users should not share corporate or sensitive data, but general information can protect the community 13

Why re-invent the wheel? Leverage shared templates to accelerate improvement Take advantage of lessons learned by others Jump start use of cybersecurity resources by using shared templates Identify opportunities for consistency within and across critical infrastructure sectors 14

Continue the conversation! Federal agencies are jump starting but aren t the longterm solution - management will eventually transfer to Industry Industry needs to own and lead cybersecurity management practices Businesses bring real-world understanding of the challenges and solutions Take advantage of the examples and lessons learned Help provide topics that speak the language of business Cyber.SecurityFramework.org 15

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information