Implementing the U.S. Cybersecurity Framework at Intel A Case Study

Similar documents
Intel Security Professional Services Leveraging NIST Cybersecurity Framework (CSF): Complexity is the enemy of security

Cyber Security Framework: Intel s Implementation Tools & Approach

How To Write A Cybersecurity Framework

The Cybersecurity Framework in Action: An Intel Use Case

Improving Critical Infrastructure Cybersecurity Executive Order Preliminary Cybersecurity Framework

Italy. EY s Global Information Security Survey 2013

CRR-NIST CSF Crosswalk 1

Framework for Improving Critical Infrastructure Cybersecurity

Cybersecurity Audit Why are we still Vulnerable? November 30, 2015

Framework for Improving Critical Infrastructure Cybersecurity

ENERGY SECTOR CYBERSECURITY FRAMEWORK IMPLEMENTATION GUIDANCE

NIST Cybersecurity Framework Sean Sweeney, Information Security Officer 5/20/2015

NIST Cybersecurity Framework & A Tale of Two Criticalities

Cybersecurity Framework. Executive Order Improving Critical Infrastructure Cybersecurity

Framework for Improving Critical Infrastructure Cybersecurity

Cybersecurity in the Utilities Sector Best Practices and Implementation 2014 Canadian Utilities IT & Telecom Conference September 24, 2014

The NIST Cybersecurity Framework

NIST Cybersecurity Framework. ARC World Industry Forum 2014

Building Security In:

Accenture Intelligent Security for the Digital Enterprise. Archer s important role in solving today's pressing security challenges

The President issued an Executive Order Improving Critical Infrastructure Cybersecurity, on February 2013.

Happy First Anniversary NIST Cybersecurity Framework:

Applying IBM Security solutions to the NIST Cybersecurity Framework

Framework for Improving Critical Infrastructure Cybersecurity

CForum: A Community Driven Solution to Cybersecurity Challenges

Cybersecurity: What CFO s Need to Know

Voluntary Cybersecurity Initiatives in Critical Infrastructure. Nadya Bartol, CISSP, SGEIT, 2014 Utilities Telecom Council

Which cybersecurity standard is most relevant for a water utility?

COBIT Helps Organizations Meet Performance and Compliance Requirements

Understanding the NIST Cybersecurity Framework September 30, 2014

Report: An Analysis of US Government Proposed Cyber Incentives. Author: Joe Stuntz, MBA EP 14, McDonough School of Business

RE: Experience with the Framework for Improving Critical Infrastructure Cybersecurity

Cloud Security Benchmark: Top 10 Cloud Service Providers Appendix A E January 5, 2015

How To Understand And Manage Cybersecurity Risk

A Guide to Successfully Implementing the NIST Cybersecurity Framework. Jerry Beasley CISM and TraceSecurity Information Security Analyst

NIST CYBERSECURITY FRAMEWORK COMPLIANCE WITH OBSERVEIT

istockphoto/ljupco 36 June 2015 practicallaw.com 2015 Thomson Reuters. All rights reserved.

The NIST Cybersecurity Framework (CSF) Unlocking CSF - An Educational Session

Why you should adopt the NIST Cybersecurity Framework

Risk Management in Practice A Guide for the Electric Sector

Discussion Draft of the Preliminary Cybersecurity Framework

January IIA / ISACA Joint Meeting Pre-meeting. Cybersecurity Update for Internal Auditors. Matt Wilson, PwC Risk Assurance Director

Why you should adopt the NIST Cybersecurity Framework

Cybersecurity Framework: Current Status and Next Steps

Assessing the Effectiveness of a Cybersecurity Program

Cybersecurity: Considerations for Internal Audit. IIA Atlanta Chapter Meeting January 9, 2015

CIPAC Water Sector Cybersecurity Strategy Workgroup: FINAL REPORT & RECOMMENDATIONS

NIST Cybersecurity Framework Impacting Your Company? April 24, 2014 Presented By Sheila FitzPatrick, NetApp Jeff Greene, Symantec Andy Serwin, MoFo

Framework for Improving Critical Infrastructure Cybersecurity

The NIST Framework for Improving Critical Infrastructure Cybersecurity - An Executive Guide

CLOSING THE DOOR TO CYBER ATTACKS HOW ENTERPRISES CAN IMPLEMENT COMPREHENSIVE INFORMATION SECURITY

Defending Against Data Beaches: Internal Controls for Cybersecurity

Applying Integrated Risk Management Scenarios for Improving Enterprise Governance

Discussion Draft of the Preliminary Cybersecurity Framework Illustrative Examples

Prioritizing Information Security Risks with Threat Agent Risk Assessment

PROTIVITI FLASH REPORT

IMPROVING RISK VISIBILITY AND SECURITY POSTURE WITH IDENTITY INTELLIGENCE

Preparing for the Convergence of Risk Management & Business Continuity

EXTREME CYBER SCENARIO PLANNING & ATTACK TREE ANALYSIS

Navigating the NIST Cybersecurity Framework

Westlaw Journal. What is the Cybersecurity Framework? Risk Management Process And Pathway to Corporate Liability? Expert Analysis

Don t Get Left in the Dust: How to Evolve from CISO to CIRO

COPYRIGHTED MATERIAL. Contents. Acknowledgments Introduction

Frequently Asked Questions about the HITRUST Risk Management Framework

Developing National Frameworks & Engaging the Private Sector

70% of US Business Will Be Impacted by the Cybersecurity Framework: Are You Ready?

Cyber Security and your Financial Institution: Are you ready for the increased scrutiny related to cyber risks?

Cybersecurity Framework Security Policy Mapping Table

Business Continuity for Cyber Threat

ACCESS RIGHTS MANAGEMENT Securing Assets for the Financial Services Sector

Nationwide Cyber Security Review (NCSR) Frequently Asked Questions

Executive Order 13636: The Healthcare Sector and the Cybersecurity Framework. September 23, 2014

IT ASSET MANAGEMENT Securing Assets for the Financial Services Sector

Rethinking Information Security for Advanced Threats. CEB Information Risk Leadership Council

JOB ANNOUNCEMENT. Chief Security Officer, Cheniere Energy, Inc.

The Cybersecurity Framework and the SAFETY Act a Primer for Temple Business School

By: Gerald Gagne. Community Bank Auditors Group Cybersecurity What you need to do now. June 9, 2015

Framework for Improving Critical Infrastructure Cybersecurity

FINRA Publishes its 2015 Report on Cybersecurity Practices

Cybersecurity The role of Internal Audit

State Agency Cyber Security Survey v October State Agency Cybersecurity Survey v 3.4

NIST Cybersecurity Framework What It Means for Energy Companies

Health Industry Implementation of the NIST Cybersecurity Framework

CYBER SOLUTIONS HANDBOOK

CYBER SECURITY GUIDANCE

Experience the commitment WHITE PAPER. Information Security Continuous Monitoring. Charting the Right Course. cgi.com 2014 CGI GROUP INC.

Impact of New Internal Control Frameworks

Address C-level Cybersecurity issues to enable and secure Digital transformation

Critical Infrastructure Cybersecurity Framework. Overview and Status. Executive Order Improving Critical Infrastructure Cybersecurity

Critical Manufacturing Cybersecurity Framework Implementation Guidance

Obtaining Enterprise Cybersituational

HITRUST Risk Management Framework and the Texas Certification Program A Model for the Healthcare Industry

Transcription:

SESSION ID: STR-W01 Implementing the U.S. Cybersecurity Framework at Intel A Case Study Tim Casey Senior Strategic Risk Analyst Intel Information Security @timcaseycyber

How would you represent your entire risk landscape to your senior management? And how would you get there?

Topics Our goals & strategy for the CSF Framework structures we used Pilot implementation & results Not Covered CSF development / management CSF 2.0 Regulatory concerns Key Learnings Our Recommendations 3

The Cybersecurity Framework Basics

Framework Core 5

Framework Core Categories Data Security (DS): Protect information & data from natural and man-made hazards to achieve organizational Data Security (DS): Protect information & data from natural and man-made hazards to achieve organizational confidentiality, integrity, and availability requirements. 6

Framework Core Subcategories Data Security (DS): Protect information & data from natural and man-made hazards to achieve organizational PR.DS-1: Protect data (including phys records) during storage to achieve PR.DS-1: Protect data (including physical records) during storage to achieve confidentiality, integrity, and availability goals 7

Framework Core References Data Security (DS): Protect information & data from natural and man-made hazards to achieve organizational PR.DS-1: Protect data (including phys records) during storage to achieve COBIT APO01.06, BAI02.01 ISO/IEC 27001 A.15.1.3 COBIT APO01.06, BAI02.01 ISO/IEC 27001 A.15.1.3 CCS CSC 17 NIST SP 800-53 Rev 4 SC-28 8

Framework Tiers & Profiles Tier Definitions Tiers Tier 4: Adaptive Tier 3: Repeatable Tier 2: Risk-Informed Tier 1: Partial 9

Framework Tiers & Profiles Tiers Tier 4: Adaptive Tier 3: Repeatable Tier 2: Risk-Informed Tier 1: Partial Identify Protect Detect Respond Recover PROFILE EXAMPLE: TARGET ACTUAL OVER Tiers 1 2 3 4 1 2 3 4 GAPS 10

Intel s Cybersecurity Framework Pilot

Laying the Groundwork Several methods to build comprehensive risk picture tried in the past, but none were satisfactory Intel actively involved with NIST and CSF from beginning (February 2013) and ready to pilot at release Team engaged and educated senior management at very beginning Also engaged other stakeholders early; their buy-in helped with resourcing Interestingly, the Framework itself facilitated the discussions 12

Pilot Scope (or, Eating the Elephant) Intel is a large multi-national enterprise with many business units and 300k+ computing platforms and, The Framework has ~140 potential assessment points Just designing a pilot to cover all that could take months So Decision made up front to pilot on a subset of well-defined areas Not expecting entire risk management plan from just a pilot Simplified pilot assessment allows us to focus on CSF usage, not implementation details 13

Pilot Scoping Subset of the Company Design Office Manufacturing Enterprise Services IT models support across company as DOMES Design, Office, Manf., Enterprise, Services Pilot w/ Office + Enterprise IT-owned Highest familiarity with Core Team Identify Business Environment Asset Management Governance Risk Assessment Risk Management Strategy Protect Access Control Awareness/Training Data Security Protective Process & Procedures Maintenance Protective Technologies Detect Anomalies/Events Security Continuous Monitoring Detection Process Threat Intelligence Respond Response Planning Communication Analysis Mitigations Improvements Recover Recovery Planning Improvements Communications Focus Areas 14

Pilot Scoping Only the Top Level of the CSF Assessing subcategories too large a task for a pilot Decided to only assess to Category level (21+1) Our training covered how to assess to higher level 15

Framework Utilization Process Set Targets Tailor Tiers definitions F2F Session with Core Group to set Targets (Category level) Validate Initial Targets with Decision Makers (CISO & Staff) Assess Current State Identify and train SME assessors SMEs use custom tools to self score (~1 hour) Follow-up meeting to validate SME aggregation Analyze Results Combine individual SME scores with Core Team and compare to Targets Use simple heat map to identify gaps Drill down on subcategories for identified gaps to identify key issues Communicate Results Meet with CISO & Staff to discuss findings, ratify targets & recommendations Ensure prioritization feed into budget and planning cycles Brief Senior Leadership on findings and resulting recommendations 16

Results

Unexpected Benefits: SME Roll-up Evaluating by functional area provided greater insights 18

Unexpected Benefits: SME Roll-up Highlight outliers 1 1 Highlight major differences 19

Our Final Result Category Actual Identify 3 Business Environment 2 Asset Management 2 Governance 4 Risk Assessment 2 Risk Management Strategy 2 Protect 2 Access Control 1 Awareness/Training 2 Data Security 2 Protective Process & Procedures 2 Maintenance 3 Protective Technologies 2 Detect 1 Anomalies/Events 3 Security Continuous Monitoring 4 Detection Process 2 Threat Intelligence 3 Respond 2 Response Planning 1 Communication 3 Analysis 2 Mitigations 2 Improvements 3 Recover 3 Recovery Planning 2 Improvements 2 Communications 4 Target Delta 3 0 2 0 2 0 3 1 2 0 4-2 2 0 1 0 3-1 2 0 2 0 4-1 2 0 1 0 2 1 4 0 2 0 4-1 2 0 1 0 3 0 2 0 2 0 4-1 3 0 4-2 2 0 4 0 THE RISK LANDSCAPE! ACTUAL 1 2 3 4 GAPS OVER 20

Summary

Our Key Learnings The CSF fosters essential internal discussions about alignment, risk tolerance, control maturity, and other elements of cyber risk management Setting our own Tier Targets was especially useful The CSF provides a common language for cross-organizational communications, allowing apple-to-apples comparisons Engage all stakeholders early; the Framework itself facilitates discussion Its alignment to industry practices made it easy to scale and tailor it to our environment with surprisingly minimal impact 22

Challenges Since this is a new tool, both management and pilot participants needed extra discussion up front to become comfortable with it For ease of use, we chose to tailor the Tiers definitions to match our own business and risk management language Subcategories provided almost overwhelming level of detail still trying to figure out how to best leverage them 23

Looking Ahead: Insider Risk and CSF Intent Non-hostile Non-Hostile / Hostile Hostile Attack Type Reckless Employee Untrained/ Distracted Employee Outward Sympath zr Vendor Partner Irrational Individual Thief Disgruntled Employee Activist Terrorist Organized Crime Competitor Accidental leak X X X X X X X Espionage X X X X X X X X Financial fraud X X X X X Misuse X X X X X X X X Opport. data theft X X X X X X X X Physical Theft X X X X X Product alteration X X X X X X X X X Sabotage X X X X X X Violence X X X Intel Threat Agent analysis of most-likely insider threats in a typical corporate environment Nation State Goal: Pilot using CSF to assess and characterize our Insider Risk 24

Apply: Utilizing the CSF in Your Organization You will miss the benefits if you treat the Framework as a compliance exercise, or use an outside agency do it for you Coaching is fine but you need to make the journey yourself First: Inform senior management on the Framework and benefits: Driven by and follows industry best practices Provides common a cybersecurity reference up and down the organization Drives important conversations on your risks and your tolerance Can lead to a much better understanding of your complete risk picture 25

Apply: Utilizing the CSF in Your Organization, cont d Next, engage and inform all your stakeholders Managers & SMEs in InfoSec, IT, GRC, Supply Chain, Finance Cast a wide net; eventually many will have inputs Connect with partners & fellow travelers in your industry With the stakeholders, design your pilot Start where you are comfortable Use a logical subset of your cybersecurity domain Execute the pilot Maintain constant contact with senior management and stakeholders Start with the Tiers & Targets discussions, not mapping the categories Share your results! 26

Resources Intel CSF white paper: http://www.intel.com/content/www/us/en/government/cybersecurityframework-in-action-use-case-brief.html NIST CSF Website: http://www.nist.gov/cyberframework U.S. Sector Information Sharing & Analysis Centers (ISAC): http://www.isaccouncil.org/home.html U.S. Dept. Homeland Security Critical Infrastructure Cyber Community (C³) Voluntary Program: http://www.dhs.gov/about-critical-infrastructure-cyber-community-c%c2%b3-voluntary-program Intel Threat Agent Analysis: https://communities.intel.com/docs/doc-23914 https://communities.intel.com/docs/doc-1151 We actively engage with fellow travelers and communities utilizing the CSF related to: Threat Assessments Supplier Management and Supply Chain Risk Manufacturing / ICS Risk Tools and Visualization 27

Questions?

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information