ACR 2 Solutions Compliance Tools

Transcription

1 ACR 2 Solutions Compliance Tools What s all the noise about the Cyber Security Framework? The Cyber Security Framework Airs Conference May 2017

2 About ACR 2 Solutions your NIST experts ACR2 is a developer of scalable real-time Risk Management and IT Compliance Software Solutions Tools to support information security regulatory laws and regulations as follows: FISMA, GLBA, HIPAA, NAIC, NERC and PCI DSS and most recently the Cyber Security Framework Risk and Compliance solutions for public, private, and government organizations. Technical Implementation Partner for GA-HITREC We are an HP Healthcare Alliance Partner and work with Premier HP Resellers We currently work with 100 s of locations in Healthcare and Financial Services Single sites, distributed enterprise and hospitals and their practices

3 1) Introductions Todays Agenda: 2) History of the Cybersecurity Framework (CSF) 3) Why do we need the CSF? 4) Terminology and Acronyms 5) What does the future of the CSF look like? 6) Will it remain optional? 7) The CyberSecurity Framework 8) How it can be utilized for My organization? 9) Questions and answers As time allows

4 Getting to know you. 1. Works for a company that uses the HIPAA Privacy, Security and Breach rules? 2. Has mandated Security and Privacy Awareness trainings for all employees? 3. Has Read the Cybersecurity Framework Vers. 1? Draft Read or know what Omnibus rule is? 5. Has anyone ever been asked for a Business Associate Agreement or requires them from contractors or partners. 6. Lastly know what the NIST stands for?

5 The History of the CSF

6 What is the Framework, and what is it designed to accomplish? The Framework is voluntary guidance, based on existing standards, guidelines, and practices, for critical infrastructure organizations to better manage and reduce cybersecurity risk. In addition to helping organizations manage and reduce risks, it was designed to foster risk and cybersecurity management communications amongst both internal and external organizational stakeholders.

7 Cyber Security Objective [i]t is the Policy of the United States to enhance the security and resilience of the Nation s critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity... Executive order February 12, 2013

8 Executive Order The Cybersecurity Framework was published in February 2014 following a collaborative process involving industry, academia and government agencies. More that 1000 individuals had input into the current revision. The original goal was to develop a voluntary framework to help organizations manage cybersecurity risk in the nation s critical infrastructure. The framework has been widely adopted by many types of organizations across the country and around the world.

9 The 16 Critical Infrastructure Industries Chemical Sector Commercial Facilities Sector Communications Sector Critical Manufacturing Sector Defense Industrial Base Sector Dams Sector Emergency Services Sector Energy Sector Financial Services Sector Food and Agriculture Sector Government Facilities Sector Healthcare and Public Health Sector Information Technology Sector Nuclear Reactors, Materials, and Waste Transportation Systems Sector Water and Wastewater Systems

10 Executive Summary The national and economic security of the United States depends on the reliable functioning of critical infrastructure. Cybersecurity threats exploit the increased complexity and connectivity of critical infrastructure systems, placing the Nation s security, economy, and public safety and health at risk.

11 Acronyms and Regulations CCS - Council on CyberSecurity COBIT - Control Objectives for Information and Related Technology DCS - Distributed Control System DHS - Department of Homeland Security NIST - National Institute of Standards and Technology OMB Office of Management and Budget ISO - International Organization for Standardization ISO 27001/2 HIPAA FISMA Federal Information Security Management ACT GLBA Graham Leach Bliley ACT PCI Payment Card In Cybersecurity Framework EO Executive Order

12 Why do we need the CSF? The national and economic security of the United States depends on the reliable functioning of our critical infrastructure. To strengthen the resilience of this infrastructure, President Obama issued Executive Order (EO), Improving Critical Infrastructure Cybersecurity on February 12, This Executive Order calls for the development of a voluntary Cybersecurity Framework ( Framework ) To assist organizations responsible for critical infrastructure services to manage cybersecurity risk.

13 Cybersecurity Framework Overview The Cybersecurity Framework intention or design criteria Includes a set of standards, methodologies, procedures, and processes that align policy, business and technological approaches to address cyber risks. Provides a prioritized, flexible, repeatable, performance-based and cost-effective approach. This includes information security methods and controls to help owners and operators of critical infrastructure identify, assess, and manage cyber risk.

14 Cybersecurity Framework Overview The Cybersecurity Framework Identifies areas for improvement to be addressed through future collaboration with particular sectors and standardsdeveloping organizations. Is consistent with voluntary international standards.

15 NAIC CYBERSECURITY TASK FORCE ADOPTS REGULATORY PRINCIPLES National Association of Insurance Commissioners (NAIC) NAIC is the U.S. standard-setting and regulatory support organization created and governed by the chief insurance regulators from the 50 states, the District of Columbia and five U.S. territories. Through the NAIC, state insurance regulators establish standards and best practices, conduct peer review, and coordinate their regulatory oversight.

16 Governor of New York Letter sent to all registered Financial Services March 2015

17 Cybersecurity Executive Order

18 Cybersecurity Executive Order NIST Risk Management Framework (RMF) now mandatory for all federal agencies. Agencies have 90 days to file implementation plans with OMB. Agency heads will be held accountable by the President for implementing risk management measures

19 More about the NIST (From 1901 to 1988 called the Bureau of Standards) NIST publications, many of which are required for federal agencies, can serve as voluntary guidelines and best practices for state, local, and tribal governments and the private sector. NIST security standards and guidelines include: Federal Information Processing Standards [FIPS], Special Publications which can be used to support the requirements of both HIPAA and FISMA and GLBA. May be used by organizations to help provide a structured, yet flexible framework for selecting, specifying, employing, and evaluating the security controls in information systems. Most importantly, it what the auditors know and are required to use internally!

20 The Future of the CSF

21 A New Update is coming What changes are included in the proposed revision? The draft revision (Version 1.1): Clarifies use of Implementation Tiers and their relationship to Profiles, Enhances guidance for applying the Framework for supply chain risk management, Provides guidance on metrics and measurements using the Framework, Adds the concept of identity proofing and expands authorization, and Updates FAQs to support understanding and use of Framework.

22 If I adopt it, how will it impact my Resources, Cost, and time.. And how much new work will it create? Implementing HIPAA Security Rule compared to implementing the CyberSecurity Framework (CSF), If you implement HIPAA using the NIST SP you will have 52% of the CSF requirements addressed. If you implement CSF you will have 68% of the HIPAA requirements covered.

23 Should we use the CSF? If I adopt it, how will it impact my Resources, Cost, and time..and how much new work will it create? Implementing HIPAA Security Rule compared to implementing the CyberSecurity Framework (CSF), If you implement HIPAA using the NIST SP you will have 52% of the CSF requirements addressed. If you implement CSF you will have 68% of the HIPAA requirements covered.

24 Future Opportunity!

25 Why use NIST Security Controls? There are official mappings between: The NIST controls and ISO 27001/2 HIPAA PCI GLBA Cybersecurity Framework COBIT Not necessarily State Requirements COBIT GLBA ISO 27001/2 HIPAA Security Cybersecurity Framework/ NAIC PCI States Not to scale.

26 We typically works on 3 regulations and the local state issues most notably Breach Related Our Most Common Engagements are: HIPAA Security Risk Assessment Security Awareness Training Develop and Review Policies and Procedures Add Cybersecurity Framework Ctrls. Add State Specific Requirements Especially for Disclosure/Breach regulations Your Organization may be different! GLBA Cybersecurity Framework/ NAIC HIPAA Compliance & Security States Specific Issues

27 Critical Infrastructure Support It is the policy of the executive branch to use its authorities and capabilities to support the cybersecurity risk management efforts of the owners and operators of the Nation's critical infrastructure

28 Reasonable Security Becomes Reasonably Clear If cybersecurity risks appear to be ubiquitous, some comfort may be taken in the fact that reasonable defenses are well known. The Report emphasizes a finding that has been made regularly in Verizon s annual Data Breach Investigations Reports: 99.9 percent of exploited vulnerabilities were compromised more than a year after the fix for the vulnerability had been made publicly available. Defining a Reasonable Security Standard California law requires organizations to implement reasonable security procedures and practices... to protect personal information from unauthorized, access, destruction, use, modification, or disclosure. The Report, drawing on a rich dataset of reported breaches, for the first time sets forth the California Attorney General s expectations, providing additional meaning to the reasonable security requirement.

29 Organization of the Cybersecurity Framework

30 Overview of the Framework The Framework complements, and does not replace, an organization s risk management process and cybersecurity program. 1) Describe the current cybersecurity posture; 2) Describe their target state for cybersecurity; 3) Identify and prioritize opportunities for improvement within the context of a continuous and repeatable process; 4) Assess progress toward the target statej; 5) Communicate among internal and external stakeholders about cybersecurity risk.

31 Overview of the Framework The Framework is a risk-based approach to managing cybersecurity risk, and is composed of three parts: the Framework Core, the Framework Profile, and the Framework Implementation Tiers.

32 The Framework Core A set of cybersecurity activities, desired outcomes, and applicable references that are common across critical infrastructure sectors. The Core presents industry standards, guidelines, and practices in a manner that allows for communication of cybersecurity activities and outcomes across the organization

33 The Framework Profile A Framework Profile ( Profile ) represents the outcomes based on business needs that an organization has selected from the Framework Categories and Subcategories. The Profile can be characterized as the alignment of standards, guidelines, and practices to the Framework Core in a particular implementation scenario.

34 The Framework Implementation Tiers. Provide the context on how an organization views cybersecurity risk and the processes in place to manage that risk. Tiers describe the degree to which an organization s cybersecurity risk management practices exhibit the characteristics defined in the Framework. Risk and Threat Awareness: Partial, Risk Informed, Repeatable and Adaptable

35 Implementation Overview

36 Framework 7-Step Process Step 1: Prioritize and Scope Step 2: Orient Step 3: Create a current Profile Conduct a Risk Assessment Create a Target Profile Determine, Analyze and Prioritize Gaps Implement Action Plan

37 Define the previous slide points

38 Implementation Tiers

39 By the way There are co$ts associated with implementation In order to be a 4 in a key area, you may choose to be a 2 in That Cost Benefit analysis tells you where you can focus The Core is designed to translate the highly technical that is Cybersecurity to the other disciplines. Cybersecurity works when the whole organization is in synch.

40

41 The Core

42 The five Framework core Functions Identify Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities. Protect Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services. Detect Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event. Respond Develop and implement the appropriate activities to take action regarding a detected cybersecurity event. Recover Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event.

43 The Five Cyber Security Framework Core Functions

44 The Core and Categories The Core 5 and the next 22 Categories are simple, but not all groups will define the terms the same The terminology are purposely selected, to be generally available.

45 The Core and Categories with ID s The Matra Identify, Protect, Detect, Respond and Recover The Core 5 and the next 22 Categories are simple, but not all groups will define the terms the same The terminology are purposely selected, to be generally available and understood by many.

46 The Core to the Granular Usable Guidence

47 Cybersecurity Framework

48 Cybersecurity Framework

49 Using The Cybersecurity Framework

50

51 Building a Profile in 3 steps. A profile can be thought of: Mission Objects Cybersecurity Requirements Legislation Regulations Internal & External Policies Best Practice Operating Methodologies.

52 Conceptual Profile Comply once report many HIPAA, FISMA, Sarbanes Oxley Their can be hundreds of distinct profiles

53 Resource and Budgeting Why aren t you addressing the activities in regards to Priority Why aren t you doing subdcat 1? The priorities smaller The Gaps were smaller The costs were greater Than the Category 2 and 3. You end up with a defensible plan!

54 Creating or editing a profile. HHS and HIPAA Security Rule to Cybersecurity Mappings Profiles are there.. Efficiency is there hour meetings.

55 Small Organization Cyber Security Compliance At least Annually, Start Cyber Security Risk Mgt. Program Step 1 - Prioritize and Scope Program, i.e. What Assets to Protect? Step 2 Orient, i.e. Locate Assets at Risk Step 3 Create Current Profile, i.e. How are Assets Currently Protected Step 7 Action Plan Implement Changes to Achieve Desired Risk Levels Step 6 Gap Analysis What is Required to Achieve Desired Risk Levels? Step 5 Create Target Profile Showing Desired Risk Levels Step 4 Select Compliance Option and Conduct Risk Assessment. NIST Recommended for US Sites, ISO Internationally

56 Office of Civil Rights (OCR) Risk Assessment Steps Step 1 System Characterization Step 2 Threat Identification Step 3 Vulnerability Identification Step 4 Control Analysis Step 5 Likelihood Determination Step 6 Impact Analysis Step 7 Risk Determination Step 8 Control Recommendations Step 9 Results Documentation

57 NIST Risk Management Framework 3.1 RMF STEP 1 CATEGORIZE INFO. SYSTEM 3.2 RMF STEP 2 SELECT SECURITY CONTROLS 3.3 RMF STEP 3 IMPLEMENT CONTROLS 3.4 RMF STEP 4 ASSESS SECURITY CONTROLS 3.5 RMF STEP 5 AUTHORIZE INFO. SYSTEM 3.6 RMF STEP 6 MONITOR SECURITY CONTROLS

58 NIST Risk Management Framework 3.1 RMF STEP 1 CATEGORIZE INFO. SYSTEM TASK 1-1: Categorize the information system and document the results References: FIPS Publication 199; NIST Special Publications , , , ; CNSS Instruction 1253 TASK 1-2: Describe the information system References: None TASK 1-3: Register the information system References: None.

59 Safeguard Inventory Input

60 NIST Risk Management Framework 3.2 RMF STEP 2 SELECT SECURITY CONTROLS TASK 2-1:Identify and document the controls in a security plan References: FIPS 199, 200; NIST , ; CNSS TASK 2-2: Select the security controls References: FIPS199, 200; , ; CNSS TASK 2-3: Develop a strategy for the continuous monitoring...references: NIST , , ; A; CNSS TASK 2-4: Review and approve the security plan. References: NIST , ; CNSS 1253.

61 Content Based NIST Safeguards Symbol NIST Title CUI CSF HIPAA Privacy AC-02 Account Management X X X AC-03 Acces s Enforcement X X X X AC-04 Information Flow Enforcement X X X AC-05 Separation of Duties X X X X AC-06 Leas t Privilege X X X X AC-07 Uns ucces s ful Logon Attempts X X AC-08 Sys tem Us e Notification X X AC-11 Ses s ion Lock X X X AC-12 Ses s ion Termination X X X AC-17 Remote Acces s X X X X AC-18 Wireles s Acces s X X AC-19 Acces s Control for Mobile Devices X X X X AC-20 Us e of External Information Sys tems X X AC-22 Publicly Acces s ible Content X X AT-02 Security Awarenes s Training X X X AT-03 Role-Bas ed Security Training X X X AU-02 Auditable Events X X X X AU-03 Content of Audit Records X X X AU-06 Audit Review, Analys is, and Reporting X X X X AU-07 Audit Reduction and Report Generation X X X AU-12 Audit Generation X X

62 NIST Risk Management Framework 3.3 RMF STEP 3 IMPLEMENT SECURITY CONTROLS TASK 3-1: Implement the security controls specified in the security plan References: FIPS 200; NIST , , A; CNSS 1253; Web:SCAP. NIST.GOV. TASK 3-2: Document the security control implementation References: NIST ; CNSS 1253.

63 NIST Risk Management Framework 3.4 RMF STEP 4 ASSESS SECURITY CONTROLS TASK 4-1: Develop, review, and approve a plan to assess the security controls. References: NIST Special Publication A. TASK 4-2: Assess the security controls References: NIST A. TASK 4-3: Prepare the security assessment report References: NIST A. TASK 4-4: Conduct initial remediation actions References: NIST , A.

64 NIST Risk Management Framework 3.5 RMF STEP 5 AUTHORIZE INFO. SYSTEM TASK 5-1: Prepare the plan of action and milestones.. References: OMB Memorandum 02-01; NIST , A. TASK 5-2: Assemble the security authorization package References: None. TASK 5-3: Determine the risk References: NIST , TASK 5-4: Determine if the risk is acceptable. References: NIST

65

66 NIST Risk Management Framework 3.6 RMF STEP 6 MONITOR SECURITY CONTROLS TASK 6-1: Determine the security impact... References: NIST , A. TASK 6-2: Assess a selected subset of the security controls References: NIST A. TASK 6-3: Conduct remediation actions...references: NIST , , A; CNSS1253.

67 NIST Risk Management Framework 3.6 RMF STEP 6 MONITOR SECURITY CONTROLS TASK 6-4: Update the security plan based on the results of the continuous monitoring process. References: NIST A. TASK 6-5: Report the security status of the information system on an ongoing basis References: NIST A.

68 NIST Risk Management Framework 3.6 RMF STEP 6 MONITOR SECURITY CONTROLS TASK 6-6: Review the reported security status of the information system..to determine whether the risk..remains acceptable. References: NIST , TASK 6-7: Implement an information system decommissioning strategy...references: NIST , A.

69 Monitoring Multiple Sites or Network Segments

70 Example EPA RFI, 3/17 RFQ-DC RMF compliance 48 networks/15,000 assets Other Cybersecurity and Management Services

71 For More Information Website Contacts Jack Kolk, Benicia CA, or Robert Peterson, Lilburn GA, or