The Confluence of Physical and Cyber Security Management
|
|
- Kelly Leonard
- 6 years ago
- Views:
Transcription
1 The Confluence of Physical and Cyber Security Management GOVSEC 2009 Samuel A Merrell, CISSP James F. Stevens, CISSP 2009 Carnegie Mellon University
2 Today s Agenda: Introduction Risk Management Concepts Confluence of Physical and Cyber Security Adopting a Service View A Service View for Critical Infrastructure Next steps 2
3 Software Engineering Institute U.S. DoD Office of the Under Secretary (Research and Engineering) sponsor (FFRDC*) CERT Program Cyber Threat and Vulnerability Analysis Enterprise and Workforce Development Survivable Secure Network Software and Systems Technology Digital Forensics Survivable Enterprise Management Practices Development & Training 3
4 CERT Capabilities Technology Organizations Community Networks (Sensors and Analysis) Software (Artifact Analysis) Systems (Forensics) Work Force Development (Training) Threat and Incident Management Resiliency Engineering and Management (Risk) National CSIRTs Software Assurance Vulnerability Disclosure 4
5 Resiliency Engineering and Management Resiliency Engineering and Management (REM) develops, deploys, and institutionalizes tools, techniques, methods, and training that advance organizational capabilities for governing and managing operational resiliency and risk for critical assets (such as information and infrastructure) and services 5
6 REM Research Focus REM work aligned along four focus areas: Resiliency Engineering Information Resiliency Critical Infrastructure Resiliency Governance, Risk & Compliance 6
7 Today s Agenda: Introduction Risk Management Concepts Confluence of Physical and Cyber Security Adopting a Service View A Service View for Critical Infrastructure Next steps 7
8 Risk A risk is the possibility of incurring a loss or harm For risk to exist in any circumstance, the following three conditions must be satisfied There must be a loss associated with the situation ti There must be some uncertainty with respect to the eventual outcome Some choice or decision is required 8
9 The Basic Risk Equation 9
10 Risk Mitigation Options Risk Assumption. To accept the potential risk and continue operating the IT system or to implement controls to lower the risk to an acceptable level Risk Avoidance. To avoid the risk by eliminating the risk cause and/or consequence Risk Limitation. To limit the risk by implementing controls that minimize the adverse impact of a threat's exercising a vulnerability Risk Planning. To manage risk by developing a risk mitigation plan that prioritizes, implements, and maintains controls Research and Acknowledgment. To lower the risk of loss by acknowledging the vulnerability or flaw and researching controls to correct the vulnerability Risk Transference. To transfer the risk by using other options to compensate for the loss 10
11 Residual and Acceptable Risk Residual risk is the potential for the occurrence of an adverse event after adjusting for the effectiveness and impact of all implemented security measures (controls) Acceptable risk is the level of residual risk that has been determined to be a reasonable level of potential loss/disruption to a system or organization 11
12 A Risk Management Process Identify Control Analyze Monitor Plan Implement 12
13 Diverse Risks To Be Managed Financiali Relationship Operational Organizational Risks Regulatory Market 13
14 Security and Operational Risk Managing firewall rule-sets Installing fences around facilities Limiting access to intellectual property or confidential information Developing business continuity and disaster recovery plans The aim of these security activities, both physical and cyber, is ultimately t l to manage operational risk 14
15 Focus on Operational Risk A form of hazard risk affecting day-to-day business operations The potential failure to achieve mission objectives Operational risk is defined as the risk of loss resulting gfrom inadequate or failed internal processes, people, and systems, or from external events. --Basel II Capital Accords 15
16 Scope of Operational Risk is Vast Actions of people Systems & technology failures Failed internal processes External events Tech reliance Global economy Open boundaries Complexity Cultural shifts 16
17 Today s Agenda: Introduction Risk Management Concepts Confluence of Physical and Cyber Security Adopting a Service View A Service View for Critical Infrastructure Conclusion 17
18 Physical Security - Yesterday 18
19 Cyber Security - Yesterday 19
20 Silos of Responsibility 20
21 Today - Confluence 21
22 The Risk Management Challenge The convergence of physical and cyber security has rapidly expanded the threat environment that must be managed Limited organizational resources are available for security activities Ensure that t those limited it resources are effectively and efficiently deployed 22
23 Human sacrifice, dogs and cats living together... mass hysteria! Dr. P. Venkman 23
24 A Structured Approach 24
25 Shifting Security Paradigms Yesterday Today Scope: Security Operational Ownership: Focus: Driver: Execution: Goal: IT and Physical Discrete External Platform/practice IT and Physical security Enterprise Continuous Internal Process Enterprise resilience 25
26 An Integrated View of Security Physical Security Cyber Security Others 26
27 A Fresh Look at Security Management Operational risks must be managed within a program that can adapt to a dynamic environment this requires active mitigation of all identified risks, regardless of their nature (e.g., cyber or physical) 27
28 Today s Agenda: Introduction Risk Management Concepts Confluence of Physical and Cyber Security Adopting a Service View A Service View for Critical Infrastructure Conclusion 28
29 Current Approaches to Security Management Security by compliance FISMA HIPAA PCI Security by adoption of best practices ISO DISA STIGs Vendor guides Result: Uneven use of limited resources 29
30 Enterprise Perspective An enterprise view of risk Enables risk mitigation decisions that effectively deploy limited resources Integrates with enterprise architecture approaches to security management NIST SP s Risk Executive Incorporates I t physical and cyber security management 30
31 Assets of an Organization Assets 31
32 Assets Support Business Processes Business Processes Assets 32
33 Business Processes Support Services Services Business Processes Assets 33
34 Services Support the Mission Organizational X Mission Service 1 Service N X Mission Mission X Service X Mission People X Information Technology Facilities 34
35 Step 1: Understand Your Services Formally identify the services that your organization must deliver in order to accomplish its mission Ask what are the core competencies of the organization? Often, business units are divided along these lines Manufacturing Operations Sales and Marketing Finance Compliance Research and Development Customer Service 35
36 Operational Risks to Service Delivery Risks to service delivery are what organizations need to care about These risks arise from both physical and cyber threats, therefore, both of these risks need to be mitigated efficiently and effectively Physical and cyber protection strategies for assets can be engineered and evaluated in terms of their ability to best ensure the service 36
37 Benefits of Adopting a Service View Align the protection and sustainment strategies to the organization s mission Engineer a unified approach to mitigating risks Evaluate protection strategies for effectiveness in protecting the mission Ensure efficiencies in the application of limited resources 37
38 Engineer a Unified Approach to Mitigating Risks-1 38
39 Engineer a Unified Approach to Mitigating Risks-2 39
40 Select Effective Protection Strategies Business Services 40
41 Ensure Efficiencies Maximize use of limited resources by incorporating the disciplines of physical and cyber security What works best for your environment: a guard at a post, an automated intrusion detection system, or both? 41
42 Step 2: Define Service Requirements What are the needs of the services that you have identified? Customer Service is available between 9:00 am and 5:00 pm This monitoring system must operate 24 x 7 42
43 Step 3: Map Assets to Services Service: Loan Operations Process: Account Opening Process: Account Maintenance Bank Tellers IBM AS/400 Loan Officers Loan Account Database Corporate Headquarters 43
44 Identifying Interdependencies 44
45 Step 4: Define Resiliency Requirements Service: Loan Operations Process: Account Opening Process: Account Maintenance Confidentiality Loan Account data may be viewed only by Loan Officers, account servicing staff, and Customer Service. Integrity Maintenance of Loan accounts may be made only by tellers, or Loan officers. Deletions of existing Loan Account information may be made only by a Loan Officer. Availability Loan Accounts must be available during normal banking hours (9:00 am to 5:00 pm, Monday through Thursday, 9:00 am to 7:00 pm Friday, and 10:00 am to 1:00 pm on Saturdays). 45
46 Step 5: Assess Risk to the Service Risks to service delivery are what organizations need to care about Identify how assets are exposed to conditions that can lead to service interruption Ensure that all possible vectors of threat are considered both physical and cyber 46
47 Step 6: Develop an Integrated Mitigation Strategy 47
48 Step 7: Monitor for Change Maintain vigilance in monitoring for changes in the operating environment. Ensure that changes do not introduce new risks. 48
49 Enterprise Perspective for Risk Management 1. Define enterprise services 2. Identify Impact Evaluation Criteria 3. Map assets to services 4. Define resiliency requirements for assets using the needs of the services 5. Assess risks to the reliable delivery of the service 6. Develop an integrated (using disciplines of physical and cyber security) approach effectively mitigate identified risks 7. Monitor for changes in the environment 49
50 Today s Agenda: Introduction Confluence of Physical and Cyber Security Risk Management Concepts Adopting a Service View A Service View for Critical Infrastructure Conclusion 50
51 Critical Infrastructure Protection 51
52 X Agriculture and Food Banking and Finance Chemical Commercial Facilities Commercial Nuclear Reactors, Materials, and Waste Dams Defense industrial i base Drinking Water and Water Treatment Systems Emergency Services Energy egy Government Facilities Information Technology Manufacturing National Monuments and Icons Postal and Shipping Public Health and Healthcare Telecommunications Transportation Systems 18 U.S. Critical Infrastructure Sectors Services 52
53 Critical Infrastructure Asset Identification Old MacDonald s Petting Zoo, Alabama World s Largest Ball of Sisal Twine, Ks 53
54 NERC s Struggle with Asset Identification NERC s CIP standards NERC has robust physical security requirements N-1 and N-1-1 contingencies Currently having difficulty in identifying critical infrastructure assets Some BES organizations claim to operate no critical infrastructure 54
55 Managing Sector Risks Sector Service ` Sector Member Business Service 55
56 Energy XSector Mission BES Function 1 BES Function N X Mission Accomplishment Mission X X BES Mission People X Information Technology Facilities 56
57 Benefits of Adopting a Service View Connect protection and sustainment strategies to the sector s mission Risks can be defined in terms of service delivery Impact evaluation criteria can be identified Physical and cyber protection strategies for assets can be engineered and evaluated in terms of their ability to best ensure the service 57
58 Connect to the Mission of the Sector The requirements of the organization s contribution to the sector service are the basis for resiliency requirements for assets 58
59 Select Effective Protection Strategies Critical Infrastructure Services 59
60 Resiliency Requirements Connect requirements for Critical Infrastructure Services to a sector member s contribution to that service Establish service delivery requirements for that contribution Implement controls to effectively and efficiently meet the requirements. 60
61 Recognize Dependencies 61
62 Critical Infrastructure Risk Management 1. Define sector services 2. Identify service requirements 3. Map assets to how an organization contributes to sector services 4. Define resiliency requirements for assets using the needs of the services 5. Assess risks to the reliable delivery of the service 6. Engineer an integrated (using disciplines of physical and cyber security) approach effectively mitigate identified risks 7. Monitor for changes in the environment 62
63 Today s Agenda: Introduction Confluence of Physical and Cyber Security Risk Management Concepts Adopting a Service View A Service View for Critical Infrastructure Conclusion 63
64 Summary and Conclusion Adopt a structured approach to identify services Use business rules to define resiliency requirements Assess risks to assets that will affect reliable service delivery Engineer protection strategies to ensure infrastructure resiliency Continuously monitor for changes 64
65 CERT Resiliency Management Model The CERT Resiliency Management Model is a capability model for operational resiliency management. It has two primary objectives: Establish the convergence of operational risk and resiliency management activities such as security, business continuity, and aspects of IT operations management into a single model. Apply a process improvement approach to operational resiliency management through the definition and application of a capability level scale that expresses increasing levels of process improvement. 65
66 Contact Us Contact Information Speakers Samuel Merrell James Stevens Phone (8:30 a.m. - 4:30 p.m. EST) Web Postal Mail Software Engineering Institute ATTN: Customer Relations Carnegie Mellon University Pittsburgh, PA
67 Questions? 67
68 Notices Copyright 2009 Carnegie Mellon University. NO WARRANTY THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN "AS-IS" BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT. Use of any trademarks in this report is not intended in any way to infringe on the rights of the trademark holder. Internal use. Permission to reproduce this document for internal use is granted, provided the copyright and "No Warranty" statements are included with all reproductions. Requests for permission to prepare derivative works of this document for internal use should be addressed to the SEI Licensing Agent. External use. Requests for permission to reproduce this document or prepare derivative works of this document for external and commercial use should be addressed to the SEI Licensing Agent. 68
Evaluating and Improving Cybersecurity Capabilities of the Electricity Critical Infrastructure
Evaluating and Improving Cybersecurity Capabilities of the Electricity Critical Infrastructure March 2015 Pamela Curtis Dr. Nader Mehravari Katie Stewart Cyber Risk and Resilience Management Team CERT
More informationNational Cyber Incident Response - Architectural Concepts
CSIRT Contributions to National Cyber Incident Response: An Architectural Perspective with U.S. Examples Bradford J. Willke Team Lead, Information Security Assessment & Evaluation Survivable Enterprise
More informationEnergy Assurance Plans
Energy Assurance Plans funded through the American Reinvestment and Recovery Act (ARRA) - Stimulus $$ to help create jobs to enhance energy reliability and facilitate recovery from disruptions to the energy
More informationWhy you should adopt the NIST Cybersecurity Framework
Why you should adopt the NIST Cybersecurity Framework It s important to note that the Framework casts the discussion of cybersecurity in the vocabulary of risk management Stating it in terms Executive
More informationGoal-Based Assessment for the Cybersecurity of Critical Infrastructure
Goal-Based Assessment for the Cybersecurity of Critical Infrastructure IEEE HST 2010 November 10, 2010 NO WARRANTY THIS MATERIAL OF CARNEGIE MELLON UNIVERSITY AND ITS SOFTWARE ENGINEERING INSTITUTE IS
More informationDefining Computer Security Incident Response Teams
Defining Computer Security Incident Response Teams Robin Ruefle January 2007 ABSTRACT: A computer security incident response team (CSIRT) is a concrete organizational entity (i.e., one or more staff) that
More information*** THIS DOCUMENT IS CLASSIFIED FOR PUBLIC ACCESS ***
Introduction and Bio CyberSecurity Defined CyberSecurity Risks NIST CyberSecurity Framework References *** THIS DOCUMENT IS CLASSIFIED FOR PUBLIC ACCESS *** Chapter 3. Framework Implementation Relationship
More informationSoftware, Security, and Resiliency. Paul Nielsen SEI Director and CEO
Software, Security, and Resiliency Paul Nielsen SEI Director and CEO Dr. Paul D. Nielsen is the Director and CEO of Carnegie Mellon University's Software Engineering Institute. Under Dr. Nielsen s leadership,
More informationCybersecurity Presidential Policy Directive Frequently Asked Questions. kpmg.com
Cybersecurity Presidential Policy Directive Frequently Asked Questions kpmg.com Introduction On February 12, 2013, the White House released the official version of the Presidential Policy Directive regarding
More informationCyber Hygiene: A Baseline Set of Practices
[DISTRIBUTION STATEMENT A] Approved for public Cyber Hygiene: A Baseline Set of Practices Matt Trevors Charles M. Wallen Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213 Copyright
More informationInformation Security Is a Business
Information Security Is a Business Continuity Issue: Are You Ready? Dr. Nader Mehravari Cyber Risk and Resilience Management Team CERT Division Software Engineering Institute Carnegie Mellon University
More informationBradford J. Willke. 19 September 2007
A Critical Information Infrastructure Protection Approach to Multinational Cyber Security Events Bradford J. Willke 19 September 2007 Overview A framework for national Critical Information Infrastructure
More informationCERT Overview. Jeffrey J. Carpenter 2008 Carnegie Mellon University
CERT Overview Jeffrey J. Carpenter 2008 Carnegie Mellon University Software Engineering Institute Department of Defense R&D Laboratory FFRDC Created in 1984 Administered by Carnegie Mellon
More informationCritical Infrastructure
Critical Infrastructure 1 Critical Infrastructure Can be defined as any facility, system, or function which provides the foundation for national security, governance, economic vitality, reputation, and
More informationUsing CERT-RMM in a Software and System Assurance Context
Using CERT-RMM in a Software and System Assurance Context Julia Allen SEPG NA 2011 24 March 2011 Agenda What is the CERT Resilience Management Model (CERT-RMM)? Model Building Blocks CERT-RMM for Assurance
More informationCritical Infrastructure Assessment
Critical Infrastructure Assessment Everyday the products and services that support our standard of living flow, almost seamlessly, to and from our homes, communities, and government. Making this possible
More informationThe Need for Operational and Cyber Resilience in Transportation Systems
The Need for Operational and Cyber Resilience in Transportation Systems January 14, 2016 Dr. Nader Mehravari, MBCP, MBCI Cyber Risk and Resilience Management Software Engineering Institute Software Carnegie
More informationUniversity of Pittsburgh Security Assessment Questionnaire (v1.7)
Technology Help Desk 412 624-HELP [4357] technology.pitt.edu University of Pittsburgh Security Assessment Questionnaire (v1.7) Directions and Instructions for completing this assessment The answers provided
More informationThe NIST Cybersecurity Framework
The NIST Cybersecurity Framework U.S. German Standards Panel 2018 April 10, 2018 Adam.Sedgewick@nist.gov National Institute of Standards and Technology About NIST Agency of U.S. Department of Commerce
More informationAbout Issues in Building the National Strategy for Cybersecurity in Vietnam
Vietnam Computer Emergency Response Team - VNCERT About Issues in Building the National Strategy for Cybersecurity in Vietnam Vu Quoc Khanh Director General Outline Internet abundance Security situation
More informationJulia Allen Principal Researcher, CERT Division
Improving the Security and Resilience of U.S. Postal Service Mail Products and Services Using CERT -RMM (Case Study) Julia Allen Principal Researcher, CERT Division Julia Allen is a principal researcher
More informationINTELLIGENCE DRIVEN GRC FOR SECURITY
INTELLIGENCE DRIVEN GRC FOR SECURITY OVERVIEW Organizations today strive to keep their business and technology infrastructure organized, controllable, and understandable, not only to have the ability to
More informationCritical Infrastructure Resilience
Critical Infrastructure Resilience Climate Resilience Webinar Series U.S. Department of Housing and Urban Development Disclaimer This presentation is intended to provide communities and states with the
More informationThe CERT Top 10 List for Winning the Battle Against Insider Threats
The CERT Top 10 List for Winning the Battle Against Insider Threats Dawn Cappelli CERT Insider Threat Center Software Engineering Institute Carnegie Mellon University Session ID: STAR-203 Session Classification:
More informationBusiness Continuity: How to Keep City Departments in Business after a Disaster
Business Continuity: How to Keep City Departments in Business after a Disaster Shannon Spence, PE Red Oak Consulting, an ARCADIS group Agenda Security, Resilience and All Hazards The Hazards Cycle and
More informationCritical Infrastructure Sectors and DHS ICS CERT Overview
Critical Infrastructure Sectors and DHS ICS CERT Overview Presented by Darryl E. Peek II REGIONAL INTELLIGENCE SEMINAR AND NATIONAL SECURITY FORUM 2 2 Authorities and Related Legislation Homeland Security
More informationNext Generation Policy & Compliance
Next Generation Policy & Compliance Mason Karrer, CISSP, CISA GRC Strategist - Policy and Compliance, RSA Core Competencies C33 2013 Fall Conference Sail to Success CRISC CGEIT CISM CISA Introductions...
More informationCritical Resilient Interdependent Infrastructure Systems and Processes
TeleNeT Program Critical Resilient Interdependent Infrastructure Systems and Processes David Tipper, Professor Graduate Telecommunications and Networking Program School of Computing and Information University
More informationDr. Stephanie Carter CISM, CISSP, CISA
Dr. Stephanie Carter CISM, CISSP, CISA Learning Objectives (LO) LO1 Will learn the theological and practitioner definition of cybersecurity LO2 Will learn the dependency between physical and cyber security
More informationNational Policy and Guiding Principles
National Policy and Guiding Principles National Policy, Principles, and Organization This section describes the national policy that shapes the National Strategy to Secure Cyberspace and the basic framework
More informationCritical Infrastructure Protection for the Energy Industries. Building Identity Into the Network
Critical Infrastructure Protection for the Energy Industries Building Identity Into the Network Executive Summary Organizations in the oil, gas, and power industries are under increasing pressure to implement
More informationBuilding A Disaster Resilient Quebec
Building A Disaster Resilient Quebec Paula L. Scalingi, Ph.D. Executive Director, Bay Area Center for Regional Disaster Resilience President, The Scalingi Group February 14, 2012 Importance of Regional
More informationIndustry role moving forward
Industry role moving forward Discussion with National Research Council, Workshop on the Resiliency of the Electric Power Delivery System in Response to Terrorism and Natural Disasters February 27-28, 2013
More informationPD 7: Homeland Security Presidential Directive 7: Critical Infrastructure Identification, Prioritization, and Protection
PD 7: Homeland Security Presidential Directive 7: Critical Infrastructure Identification, Prioritization, and Protection December 17, 2003 SUBJECT: Critical Infrastructure Identification, Prioritization,
More informationInformation Technology Security Plan Policies, Controls, and Procedures Identify Risk Assessment ID.RA
Information Technology Security Plan Policies, Controls, and Procedures Identify Risk Assessment ID.RA Information Security Policy and Procedures Identify Risk Assessment ID.RA Table of Contents Identify
More informationCRITICAL INFRASTRUCTURE AND KEY RESOURCES
AGRICULTURE AND FOOD SECTOR The Agriculture and Food Sector has the capacity to feed and clothe people well beyond the boundaries of the nation. The sector is almost entirely under private ownership and
More informationNIST Security Certification and Accreditation Project
NIST Security Certification and Accreditation Project An Integrated Strategy Supporting FISMA Dr. Ron Ross Computer Security Division Information Technology Laboratory 1 Today s Climate Highly interactive
More informationITG. Information Security Management System Manual
ITG Information Security Management System Manual This manual describes the ITG Information Security Management system and must be followed closely in order to ensure compliance with the ISO 27001:2005
More informationFFIEC Cyber Security Assessment Tool. Overview and Key Considerations
FFIEC Cyber Security Assessment Tool Overview and Key Considerations Overview of FFIEC Cybersecurity Assessment Tool Agenda Overview of assessment tool Review inherent risk profile categories Review domain
More informationContinuous protection to reduce risk and maintain production availability
Industry Services Continuous protection to reduce risk and maintain production availability Managed Security Service Answers for industry. Managing your industrial cyber security risk requires world-leading
More informationAdvancing Cyber Intelligence Practices Through the SEI s Consortium
Advancing Cyber Intelligence Practices Through the SEI s Consortium SEI Emerging Technology Center Jay McAllister Melissa Kasan Ludwick Copyright 2015 Carnegie Mellon University This material is based
More informationTop 10 ICS Cybersecurity Problems Observed in Critical Infrastructure
SESSION ID: SBX1-R07 Top 10 ICS Cybersecurity Problems Observed in Critical Infrastructure Bryan Hatton Cyber Security Researcher Idaho National Laboratory In support of DHS ICS-CERT @phaktor 16 Critical
More informationJohn Snare Chair Standards Australia Committee IT/12/4
John Snare Chair Standards Australia Committee IT/12/4 ISO/IEC 27001 ISMS Management perspective Risk Management (ISO 31000) Industry Specific Standards Banking, Health, Transport, Telecommunications ISO/IEC
More informationDr. Emadeldin Helmy Cyber Risk & Resilience Bus. Continuity Exec. Director, NTRA. The African Internet Governance Forum - AfIGF Dec 2017, Egypt
Dr. Emadeldin Helmy Cyber Risk & Resilience Bus. Continuity Exec. Director, NTRA The African Internet Governance Forum - AfIGF2017 5 Dec 2017, Egypt Agenda Why? Threats Traditional security? What to secure?
More informationTHE POWER OF TECH-SAVVY BOARDS:
THE POWER OF TECH-SAVVY BOARDS: LEADERSHIP S ROLE IN CULTIVATING CYBERSECURITY TALENT SHANNON DONAHUE DIRECTOR, INFORMATION SECURITY PRACTICES 1 IT S A RISK-BASED WORLD: THE 10 MOST CRITICAL UNCERTAINTIES
More informationCertified Information Security Manager (CISM) Course Overview
Certified Information Security Manager (CISM) Course Overview This course teaches students about information security governance, information risk management, information security program development,
More informationProfessional in Critical Infrastructure Protection
Professional in Critical Infrastructure Protection The world is rapidly changing. Our critical infrastructure is at risk on many fronts. Key services that were once taken for granted are now being affected
More informationThe Common Controls Framework BY ADOBE
The Controls Framework BY ADOBE The following table contains the baseline security subset of control activities (derived from the Controls Framework by Adobe) that apply to Adobe s enterprise offerings.
More informationCyber COBIT. Ophir Zilbiger, CEO SECOZ Shay Zandani, CEO CyberARM. December 2013
Cyber COBIT Ophir Zilbiger, CEO SECOZ Shay Zandani, CEO CyberARM December 2013 1 Agenda 1. Background & Definitions 2. Applying COBIT5 to Cybersecurity Governance 3. Cybersecurity Management 4. Cybersecurity
More informationMedical Device Cybersecurity: FDA Perspective
Medical Device Cybersecurity: FDA Perspective Suzanne B. Schwartz MD, MBA Associate Director for Science and Strategic Partnerships Office of the Center Director (OCD) Center for Devices and Radiological
More informationSTRATEGY ATIONAL. National Strategy. for Critical Infrastructure. Government
ATIONAL STRATEGY National Strategy for Critical Infrastructure Government Her Majesty the Queen in Right of Canada, 2009 Cat. No.: PS4-65/2009E-PDF ISBN: 978-1-100-11248-0 Printed in Canada Table of contents
More informationCCISO Blueprint v1. EC-Council
CCISO Blueprint v1 EC-Council Categories Topics Covered Weightage 1. Governance (Policy, Legal, & Compliance) & Risk Management 1.1 Define, implement, manage and maintain an information security governance
More informationOverview of NIPP 2013: Partnering for Critical Infrastructure Security and Resilience October 2013
Overview of NIPP 2013: Partnering for Critical Infrastructure Security and Resilience October 2013 PPD-21: CI Security and Resilience On February 12, 2013, President Obama signed Presidential Policy Directive
More informationCritical Information Infrastructure Protection Law
Critical Information Infrastructure Protection Law CCD COE Training 8 September 2009 Tallinn, Estonia Maeve Dion Center for Infrastructure Protection George Mason University School of Law Arlington, Virginia.
More informationCRITICAL INFRASTRUCTURE AND CYBER THREAT CRITICAL INFRASTRUCTURE AND CYBER THREAT
CRITICAL INFRASTRUCTURE SAFER CITIES. THRIVING COMMUNITIES. Critical Infrastructure sectors have become prime targets for cyber criminals due to their vitality to a nation s security and stability. 16
More informationHow to get the Enterprise to Understand the Value of Security
PART 1 of 2 Insight into Security Leader Success How to get the Enterprise to Understand the Value of Security A SEC Research Finding Intended Audience This presentation is intended for security leaders
More informationNHS Gloucestershire Clinical Commissioning Group. Business Continuity Strategy
NHS Gloucestershire Clinical Commissioning Group 1 Document Control Title of Document Gloucestershire CCG Author A Ewens (Emergency Planning and Business Continuity Officer) Review Date February 2017 Classification
More informationCYBERSECURITY FOR STARTUPS AND SMALL BUSINESSES OVERVIEW OF CYBERSECURITY FRAMEWORKS
CYBERSECURITY FOR STARTUPS AND SMALL BUSINESSES OVERVIEW OF CYBERSECURITY FRAMEWORKS WILLIAM (THE GONZ) FLINN M.S. INFORMATION SYSTEMS SECURITY MANAGEMENT; COMPTIA SECURITY+, I-NET+, NETWORK+; CERTIFIED
More informationHPH SCC CYBERSECURITY WORKING GROUP
HPH SCC A PRIMER 1 What Is It? The cross sector coordinating body representing one of 16 critical infrastructure sectors identified in Presidential Executive Order (PPD 21) A trust community partnership
More informationResearching New Ways to Build a Cybersecurity Workforce
THE CISO ACADEMY Researching New Ways to Build a Cybersecurity Workforce Pamela D. Curtis, Summer Craze Fowler, David Tobar, and David Ulicne December 2016 Organizations across the world face the increasing
More informationAltius IT Policy Collection Compliance and Standards Matrix
Governance Context and Alignment Policy 4.1 4.4 800-26 164.308 12.4 EDM01 IT Governance Policy 5.1 800-30 12.5 EDM02 Leadership Mergers and Acquisitions Policy A.6.1.1 800-33 EDM03 Context Terms and Definitions
More informationDr. Kenneth E. Nidiffer Director of Strategic Plans for Government Programs
War Fighting Technologies: Enhance Advance - Modernize: -Technological/Acquisition Advances Enabling a More Responsive 24th Anniversary - Systems & Software Technology Conference April 23-26, 2012 Salt
More informationORA HIPAA Security. All Affiliate Research Policy Subject: HIPAA Security File Under: For Researchers
All Affiliate Research Policy Subject: HIPAA File Under: For Researchers ORA HIPAA Issuing Department: Office of Research Administration Original Policy Date Page 1 of 5 Approved by: May 9,2005 Revision
More informationOffice of Infrastructure Protection Overview
Office of Infrastructure Protection Overview Harvey Perriott Protective Security Advisor North Texas District U.S. Department of Homeland Security Vision and Mission Vision A safe, secure, and resilient
More informationEMERGENCY SUPPORT FUNCTION (ESF) 13 PUBLIC SAFETY AND SECURITY
EMERGENCY SUPPORT FUNCTION (ESF) 13 PUBLIC SAFETY AND SECURITY PRIMARY AGENCY: SUPPORT AGENCIES: Savannah-Chatham Metropolitan Police Department Armstrong-Atlantic Campus Police Department Bloomingdale
More informationSOLUTION BRIEF RSA ARCHER IT & SECURITY RISK MANAGEMENT
RSA ARCHER IT & SECURITY RISK MANAGEMENT INTRODUCTION Organizations battle growing security challenges by building layer upon layer of defenses: firewalls, antivirus, intrusion prevention systems, intrusion
More informationInformation Technology General Control Review
Information Technology General Control Review David L. Shissler, Senior IT Auditor, CPA, CISA, CISSP Office of Internal Audit and Risk Assessment September 15, 2016 Background Presenter Senior IT Auditor
More informationAccelerate Your Enterprise Private Cloud Initiative
Cisco Cloud Comprehensive, enterprise cloud enablement services help you realize a secure, agile, and highly automated infrastructure-as-a-service (IaaS) environment for cost-effective, rapid IT service
More informationFor providing decision support on climate stressors to infrastructure and assets for federal, state, local, and private clients...
Resilience Resilience is the ability of a community to maintain its functions in the face of dramatically changed circumstances, including climate change, natural disasters, and aging infrastructure. Recent
More informationComponents and Considerations in Building an Insider Threat Program
Components and Considerations in Building an Insider Threat Program Carly Huth Insider Threat Researcher, CEWM Carly L. Huth is an insider threat researcher in the Cyber Enterprise and Workforce Management
More informationAppendix A. Syllabus. NIST Cybersecurity Foundation. Syllabus. Status: First Draft
Appendix A Syllabus NIST Cybersecurity Foundation Syllabus Status: First Draft Version Status Sign off Date / Names V1.0.0 First Draft Content Group Lead Author: Mark E.S. Bernard Copyright 2018 Secure
More informationSecurity and Privacy Governance Program Guidelines
Security and Privacy Governance Program Guidelines Effective Security and Privacy Programs start with attention to Governance. Governance refers to the roles and responsibilities that are established by
More informationThe Insider Threat Center: Thwarting the Evil Insider
The Insider Threat Center: Thwarting the Evil Insider The CERT Top 10 List for Winning the Battle Against Insider Threats Randy Trzeciak 14 June 2012 2007-2012 Carnegie Mellon University Notices 2011 Carnegie
More informationIntroduction to Business Continuity Management
Introduction to Business Continuity Management Audio Presented by ABD s Occupational Health and Safety Team Featuring The Cross Connection JULY 24, 2018 Speaker Panel ABD Insurance & Financial Services
More informationAltius IT Policy Collection Compliance and Standards Matrix
Governance Context and Alignment Policy 4.1 4.4 800-26 164.308 12.4 EDM01 IT Governance Policy 5.1 800-30 12.5 EDM02 Leadership Mergers and Acquisitions Policy A.6.1.1 800-33 EDM03 Context Terms and Definitions
More informationCybersecurity Auditing in an Unsecure World
About This Course Cybersecurity Auditing in an Unsecure World Course Description $5.4 million that s the average cost of a data breach to a U.S.-based company. It s no surprise, then, that cybersecurity
More informationTHE WHITE HOUSE. Office of the Press Secretary. EMBARGOED UNTIL DELIVERY OF THE PRESIDENT'S February 12, 2013 STATE OF THE UNION ADDRESS
THE WHITE HOUSE Office of the Press Secretary EMBARGOED UNTIL DELIVERY OF THE PRESIDENT'S February 12, 2013 STATE OF THE UNION ADDRESS February 12, 2013 PRESIDENTIAL POLICY DIRECTIVE/PPD-21 SUBJECT: Critical
More informationMapping Your Requirements to the NIST Cybersecurity Framework. Industry Perspective
Mapping Your Requirements to the NIST Cybersecurity Framework Industry Perspective 1 Quest has the solutions and services to help your organization identify, protect, detect, respond and recover, better
More informationRethinking Cybersecurity from the Inside Out
Rethinking Cybersecurity from the Inside Out An Engineering and Life Cycle-Based Approach for Building Trustworthy Resilient Systems Dr. Ron Ross Computer Security Division Information Technology Laboratory
More informationBUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE
BUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE 1 WHAT IS YOUR SITUATION? Excel spreadsheets Manually intensive Too many competing priorities Lack of effective reporting Too many consultants Not
More informationThe NIS Directive and Cybersecurity in
The NIS Directive and Cybersecurity in ehealth Dr. Athanasios Drougkas Officer in NIS Belgian Hospitals Meeting on Security Brussels 13 th October European Union Agency For Network And Information Security
More informationITG. Information Security Management System Manual
ITG Information Security Management System Manual This manual describes the ITG Information Security Management system and must be followed closely in order to ensure compliance with the ISO 27001:2005
More informationISSMP is in compliance with the stringent requirements of ANSI/ISO/IEC Standard
Certification Exam Outline Effective Date: April 2013 About CISSP-ISSMP The Information Systems Security Management Professional (ISSMP) is a CISSP who specializes in establishing, presenting, and governing
More informationLESSONS LEARNED IN SMART GRID CYBER SECURITY
LESSONS LEARNED IN SMART GRID CYBER SECURITY Lynda McGhie CISSP, CISM, CGEIT Quanta Technology Executive Advisor Smart Grid Cyber Security and Critical Infrastructure Protection lmcghie@quanta-technology.com
More informationBPS Suite and the OCEG Capability Model. Mapping the OCEG Capability Model to the BPS Suite s product capability.
BPS Suite and the OCEG Capability Model Mapping the OCEG Capability Model to the BPS Suite s product capability. BPS Contents Introduction... 2 GRC activities... 2 BPS and the Capability Model for GRC...
More informationProtecting Controlled Unclassified Information (CUI) in Nonfederal Systems and Organizations (NIST SP Revision 1)
https://www.csiac.org/ Protecting Controlled Unclassified Information (CUI) in Nonfederal Systems and Organizations (NIST SP800-171 Revision 1) Today s Presenter: Wade Kastorff SRC, Commercial Cyber Security
More information01.0 Policy Responsibilities and Oversight
Number 1.0 Policy Owner Information Security and Technology Policy Policy Responsibility & Oversight Effective 01/01/2014 Last Revision 12/30/2013 Department of Innovation and Technology 1. Policy Responsibilities
More informationState of Security Operations
State of Security Operations Roberto Sandoval / September 2014 Security Intelligence & Operations Consulting Founded: 2007 The best in the world at building state of the art security operations capabilities/cyber
More informationLong-Term Power Outage Response and Recovery Tabletop Exercise
1 Long-Term Power Outage Response and Recovery Tabletop Exercise After Action Report [Template] The After-Action Report/Improvement Plan (AAR/IP) aligns exercise objectives with preparedness doctrine to
More informationTAN Jenny Partner PwC Singapore
1 Topic: Cybersecurity Risks An Essential Audit Consideration TAN Jenny Partner PwC Singapore PwC Singapore is honoured to be invited to contribute to the development of this guideline. Cybersecurity Risks
More informationIngram Micro Cyber Security Portfolio
Ingram Micro Cyber Security Portfolio Ingram Micro Inc. 1 Ingram Micro Cyber Security Portfolio Services Trainings Vendors Technical Assessment General Training Consultancy Service Certification Training
More informationIntegrating Cyber Security with Business Continuity Management to Build the Resilient Enterprise
February 11 14, 2018 Gaylord Opryland Resort and Convention Center, Nashville #DRI2018 Integrating Cyber Security with Business Continuity Management to Build the Resilient Enterprise Tejas Katwala CEO
More informationAre Traditional Disaster Recovery Plans Still Relevant? Bobby Williams, MBCP, MBCI Director, IT Resiliency Planning Fidelity Investments
Are Traditional Disaster Recovery Plans Still Relevant? Bobby Williams, MBCP, MBCI Director, IT Resiliency Planning Fidelity Investments Who am I? Bobby Williams is the Director of IT Resiliency Planning
More informationlocuz.com SOC Services
locuz.com SOC Services 1 Locuz IT Security Lifecycle services combine people, processes and technologies to provide secure access to business applications, over any network and from any device. Our security
More informationTHE LINK BETWEEN ENTERPRISE RISK MANAGEMENT AND DISASTER MANAGEMENT
THE LINK BETWEEN ENTERPRISE RISK MANAGEMENT AND DISASTER MANAGEMENT International Recovery Forum 2014 ~ The Role of Private Sector in Disaster Recovery ~ 21 January 2014 Kobe, Japan Dr Janet L. Asherson
More informationDrinking Water Emergency Management Ministry of the Environment 2012 Drinking Water Leadership Summit October 25, 2012
Drinking Water Emergency Management Ministry of the Environment 2012 Drinking Water Leadership Summit October 25, 2012 Christine Campbell Team Leader, Drinking Water Emergency Planning Ministry of the
More informationNIST Special Publication
NIST Special Publication 800-53 Practical Application of the Minimum Baseline Security Controls Graydon S. McKee IV CISSP, GSEC A Framework for All Seasons With the finalization of Federal Information
More informationTIPS FOR FORGING A BETTER WORKING RELATIONSHIP BETWEEN COUNSEL AND IT TO IMPROVE CYBER-RESPONSE
TIPS FOR FORGING A BETTER WORKING RELATIONSHIP BETWEEN COUNSEL AND IT TO IMPROVE CYBER-RESPONSE Association of Corporate Counsel NYC Chapter 11/1 NYC BDO USA, LLP, a Delaware limited liability partnership,
More informationIT SECURITY RISK ANALYSIS FOR MEANINGFUL USE STAGE I
Standards Sections Checklist Section Security Management Process 164.308(a)(1) Information Security Program Risk Analysis (R) Assigned Security Responsibility 164.308(a)(2) Information Security Program
More informationISO/IEC INTERNATIONAL STANDARD. Information technology Security techniques Information security risk management
INTERNATIONAL STANDARD ISO/IEC 27005 First edition 2008-06-15 Information technology Security techniques Information security risk management Technologies de l'information Techniques de sécurité Gestion
More information