Business Continuity for Cyber Threat




April 1, 2014, Workshop Session #3, 3:00 to 5:30 PM
Susan Rogers, MBCP, MBCI, Cyberwise CP

What happens when a computer program can activate physical machinery? Between 2009 and 2010 the Stuxnet cyberweapon is estimated to have destroyed 1,000 Iranian nuclear-fuel centrifuges at the Natanz uranium enrichment plant.

Cyber Threat to Critical Infrastructure

Richard Clarke, former Counter Terrorism Chief under Presidents Clinton and Bush, tells Fresh Air host Terry Gross: "A cyberattack could disable trains all over the country. It could blow up pipelines. It could cause blackouts and damage electrical power grids so that the blackouts would go on for a long time. It could wipe out and confuse financial records, so that we would not know who owned what. It could disrupt traffic in urban areas by knocking out control computers. It could, in nefarious ways, do things like wipe out medical records."

Protecting U.S. Critical Infrastructure

"We have entered into a new phase of conflict in which we use a cyberweapon to create physical destruction," said Retired General Michael Hayden in an interview on 60 Minutes. "When you use a physical weapon, it destroys itself, in addition to the target, if it's used properly. A cyberweapon doesn't," explained Gen. Hayden. "So there are those out there who can take a look at [the Stuxnet worm], study it and maybe even attempt to turn it to their own purposes." Such as launching a cyber attack against critical infrastructure here in the United States.

One of the biggest targets for cyber terrorism is our critical infrastructure, energy in particular. About 75% of critical infrastructure is owned by private industry.

Problem: How do you convince them they need to invest money in safeguard practices to protect not only their own assets but those of our country?

Framework to Motivate Market Interests

- 2/12/2013: U.S. Presidential policy & Executive Order signed to enhance cyber security for Critical Infrastructure (CI) Protection
- DHS & NIST charged to work with the private sector to build voluntary standards & practices to increase cyber protection of CI
- Cyber Framework Workshops open to the public produce: 1) Risk framework, 2) Basic activities, 3) Gaps to close, 4) Incentives
- Entrepreneurs & business encouraged to deploy the framework and bring innovation to close gaps

Agenda & Goals

- Part I (3:00 to 3:30): NIST Cybersecurity Critical Infrastructure Framework
- Part II (3:30 to 4:30): Engage in BC Planning for Cyber Threat
- Part III (4:30 to 5:30): Exercising Cyber Contingency Planning

Part I - Framework

NIST Cybersecurity Risk Framework for Critical Infrastructure
- NIST Risk Framework
- Mapping BC Process
- Motivation to Adopt

Need for Baseline Standards

"The vulnerabilities allowing Stuxnet to succeed included insecure software (technology), improper IT security management (process), and insufficient security training of personnel (people), the usual people, process, and technology triad that underlies the security (or insecurity) of any system."
NRECA / Cooperative Research Network, Smart Grid Demonstration Project, Guide to Developing a Cyber Security and Risk Mitigation Plan

Executive Order 13636, Improving Critical Infrastructure Cybersecurity

"It is the policy of the United States to enhance the security and resilience of the Nation's critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy and civil liberties."

- The National Institute of Standards and Technology (NIST) is directed to work with stakeholders to develop a voluntary framework for reducing cyber risks to critical infrastructure.
- This Cybersecurity Framework is being developed in an open manner with input from stakeholders in industry, academia and government, including a public review and comment process, workshops and other means of engagement.

Value of a Risk Framework
- Cyber risk = Operations Risk
- Baseline activities to strengthen critical infrastructure
- Integrate into risk & vendor management practices

NIST Cybersecurity Risk Framework: http://www.nist.gov/cyberframework/index.cfm
COSO ERM*
* The ERM framework by the Committee of Sponsoring Organizations of the Treadway Commission (COSO)

Framework Core
- Present key outcomes
- Align to known activities
- Map to standards & guidelines
- Baseline: if implemented, will reduce % of breach, attack success & impact
- Framework to communicate maturity and risk environment

Framework Categories
- Information Security focused
- Areas where Business Continuity & Vendor Management support the effort

Framework Core: Sample Profile, Gap Assessment, Tiers
- Profile = Alignment to industry & risk tolerance
- Integration Tiers: Tier I Partial, Tier II Risk Informed, Tier III Repeatable, Tier IV Adaptive

Motivation to Adopt

Viewpoints: Critical Infrastructure Coordinating Councils, Law Firms, Insurance Co., Auditors, Technology / Consultants, Regulators, Vendors, Security Firms, Regulated Entities, Education

FINRA Cybersecurity Survey, Jan 2014, http://www.finra.org/industry/regulation/guidance/targetedexaminationletters/p443219
"The assessment addresses a number of areas related to cybersecurity, including firms' business continuity plans in case of a cyber-attack."

Mapping to BC Process & Controls

Function: IDENTIFY

Category: Risk Assessment (ID.RA). The organization understands the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals.
- ID.RA-5: Threats, vulnerabilities, likelihoods, and impacts are used to determine risk
- ID.RA-6: Risk responses are identified and prioritized

Category: Risk Management Strategy (ID.RM). The organization's priorities, constraints, risk tolerances, and assumptions are established and used to support operational risk decisions.
- ID.RM-1: Risk management processes are established, managed, and agreed to by organizational stakeholders
- ID.RM-2: Organizational risk tolerance is determined and clearly expressed
- ID.RM-3: The organization's determination of risk tolerance is informed by its role in critical infrastructure and sector-specific risk analysis

BC Support Process:
- Business units include cyber threat in their risk assessment, with the intent to identify areas of contingency planning.
- Business units identify their processes and assets that are high risk based on cyber threat actor motivation.
- Results of risk assessments are aggregated and approved by senior leadership.
- An organization's risk tolerance includes funding and approval of technology and business contingency planning activities that will reduce the impact of cyber threat.
- The organization will meet their Regulator's and Customers' level of standards and practices for information security, business continuity and vendor management.

Part II - Team BC Planning for Cyber Threat
- Threat Assessment
- BC Planning

Cyber Threat Assessment (worksheet columns: Threat Source, Motivation, Impact, Probability, Controls)

Threat Sources: Nation States, Terrorists, Economic Espionage, Criminals, Activists/Hacktivists, External Opportunists, Insiders

Motivations:
- Advantage: political, economic, financial, military, technological
- Ego: notoriety, revenge
- Ideology: religious, political, cultural

Cyber BC Planning Case Study
Case study will be made available during the DRJ workshop. Materials will be electronically updated after the conference.

Part III - Exercising Cyber Contingency Planning
- Lessons Learned
- Takeaways
- Exercise Content

Lessons Learned From DDOS Attacks (Feedback from Financial Industry)
- Break down silos: there is a need to bring everyone together to address cyber and physical impact: business teams, fraud, BC, incident response, corporate messaging.
- Need to adapt and respond to cyber impact quickly. During crisis response, decision making cannot be done by committee.
- During an attack you need to know what is normal versus abnormal impact to critical assets.
- Need to prioritize business & customer impact and identify actions that will be taken in worst case or poor scenarios.

BC Planning Takeaway
- Tech + Business Incident Command
- Cyber-based tabletop exercises
- Expand BC & incident response plans
- Incident command to define: roles, activities & decision authority
- Identify critical asset thresholds
- Crisis monitoring & anomaly detection reporting
- Extreme case scenario planning

Lessons Learned From Cyber Exercises (Cyber Exercise After Action Report)
- Enhance response playbook to better account for an industry-specific incident, with the goal of strengthening the integration between industry groups, market participants, and government agencies.
- Improve coordination between business and technology leaders during cyber incident analysis and response.
- Enhance the role of exchanges, clearing firms, and trusted government partners in cyber incident response and crisis management.
- Increase awareness about government resources available to assist the sector.
- Augment existing guidelines and decision frameworks to determine if cyber incidents are systemic in nature.
- Institutionalize procedures for market open/close decisions during times of cyber incident response & crisis.

BC Planning Takeaway
- Sector & enterprise playbooks
- Tech + Business Incident Command
- Formalize 3rd party & government crisis routines
- Crisis monitoring reporting
- Procedures for worst case scenario

Cyber Exercise Case Study
Case study will be made available during the DRJ workshop. Materials will be electronically updated after the conference.

Take Away Activities
- Proactively address Cyber BC with your company's Info Sec, Risk Management & Critical Business leaders (see action plan).
- Connect into cyber mapping activities & dialogue: public-private partnerships, trade groups, etc.
- Utilize materials for BC & Info Sec planning from: Stop, Think, Connect; DHS; Voluntary NIST framework

Cyber BC Action Plan (an approach)

BC / DR
- Consider expanding your annual BC Plan update, BIA process, training and testing to include cyber threat contingency and communication concepts

Info Sec
- Locate sponsors (Risk, Tech, Business, Security)
- Expand RISK MANAGEMENT models, RCSA, Assessment, Metrics
- Read security policies & plans
- Connect into security exercises
- Create supplements jointly with Info Security
- Pitch value, deliverables, benefit to business
- Determine appetite for cyber contingency plans
- Incorporate BC/DR lessons learned
- BIA analysis for cyber threat
- BC/DR plan enhancements
- Crisis communication enhancement
- Share what we can do because of planning

2013 Susan Rogers

References & Resources
- The White House, Presidential Policy Directive -- Critical Infrastructure Security and Resilience, February 12, 2013, accessed August 6, 2013: www.whitehouse.gov/the-press-office/2013/02/12/presidential-policy-directive-critical-infrastructure-security-and-resil
- Executive Order 13636, Improving Critical Infrastructure Cybersecurity: www.gpo.gov/fdsys/pkg/fr-2013-02-19/pdf/2013-03915.pdf
- ISAC: http://www.isaccouncil.org/aboutus.html
- NIST Cybersecurity Framework: http://www.nist.gov/itl/upload/preliminary-cybersecurity-framework.pdf
- DHS NIPP: https://www.dhs.gov/national-infrastructure-protection-plan
- National Cybersecurity Alliance: http://staysafeonline.org
- DHS Presidential Directive 7: https://www.dhs.gov/homeland-security-presidential-directive-7
- US-CERT Critical Infrastructure Cyber Community Voluntary Program: http://www.us-cert.gov/ccubedvp
- Stop, Think, Connect: http://stopthinkconnect.org
- COSO ERM Model: http://www.compliancysoftware.com/solutions_enterprise_risk_management.html
- SIFMA Quantum Dawn 2 Exercise: http://www.sifma.org/services/bcp/cyber-exercise---quantum-dawn-2/
- National Initiative for Cybersecurity Careers and Studies: http://niccs.us-cert.gov/research/cybersecurity-capability-maturity-model
- What are the implications of a cyber attack: http://www.intellectualtakeout.org/faq/4-what-are-implications-cyber-attack
- Ponemon Institute, Cost of Cyber Crimes Study: http://www.ponemon.org/local/upload/file/2012_us_cost_of_cyber_crime_study_final6%20.pdf
- Verizon 2013 Data Breach Investigation: http://www.verizonenterprise.com/dbir/2013/
- Federal Reserve recommended standards: http://www.federalreserve.gov/bankinforeg/interagencyguidelines.htm
- FINRA Cybersecurity Survey, Jan 2014: http://www.finra.org/industry/regulation/guidance/targetedexaminationletters/p443219
- SANS 20 Critical Security Controls: http://www.sans.org/critical-security-controls/

Contact Information
Susan Rogers, CEO, Cyberwise CP
Susan.Rogers@cyberwiseCP.com
Susan.Rogers@yale.edu
(610) 389-1271