ACR 2 Solutions Compliance Tools
- Dorcas Simon
1 ACR 2 Solutions Compliance Tools: What's all the noise about the Cyber Security Framework? The Cyber Security Framework. Airs Conference, May 2017
2 About ACR 2 Solutions, your NIST experts
ACR2 is a developer of scalable, real-time Risk Management and IT Compliance Software Solutions: tools to support information security laws and regulations, as follows: FISMA, GLBA, HIPAA, NAIC, NERC and PCI DSS, and most recently the Cyber Security Framework. Risk and Compliance solutions for public, private, and government organizations.
- Technical Implementation Partner for GA-HITREC
- We are an HP Healthcare Alliance Partner and work with Premier HP Resellers
- We currently work with hundreds of locations in Healthcare and Financial Services: single sites, distributed enterprises, and hospitals and their practices
3 Today's Agenda:
1) Introductions
2) History of the Cybersecurity Framework (CSF)
3) Why do we need the CSF?
4) Terminology and Acronyms
5) What does the future of the CSF look like?
6) Will it remain optional?
7) The Cybersecurity Framework
8) How can it be utilized for my organization?
9) Questions and answers, as time allows
4 Getting to know you. Who:
1. Works for a company that uses the HIPAA Privacy, Security and Breach rules?
2. Has mandated Security and Privacy Awareness training for all employees?
3. Has read the Cybersecurity Framework Vers. 1 Draft?
4. Has read or knows what the Omnibus rule is?
5. Has ever been asked for a Business Associate Agreement, or requires them from contractors or partners?
6. Lastly, knows what NIST stands for?
5 The History of the CSF
6 What is the Framework, and what is it designed to accomplish? The Framework is voluntary guidance, based on existing standards, guidelines, and practices, for critical infrastructure organizations to better manage and reduce cybersecurity risk. In addition to helping organizations manage and reduce risks, it was designed to foster risk and cybersecurity management communications amongst both internal and external organizational stakeholders.
7 Cyber Security Objective: "[I]t is the policy of the United States to enhance the security and resilience of the Nation's critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity..." Executive Order, February 12, 2013
8 Executive Order. The Cybersecurity Framework was published in February 2014 following a collaborative process involving industry, academia and government agencies. More than 1,000 individuals had input into the current revision. The original goal was to develop a voluntary framework to help organizations manage cybersecurity risk in the nation's critical infrastructure. The framework has been widely adopted by many types of organizations across the country and around the world.
9 The 16 Critical Infrastructure Industries
- Chemical Sector
- Commercial Facilities Sector
- Communications Sector
- Critical Manufacturing Sector
- Defense Industrial Base Sector
- Dams Sector
- Emergency Services Sector
- Energy Sector
- Financial Services Sector
- Food and Agriculture Sector
- Government Facilities Sector
- Healthcare and Public Health Sector
- Information Technology Sector
- Nuclear Reactors, Materials, and Waste
- Transportation Systems Sector
- Water and Wastewater Systems
10 Executive Summary. The national and economic security of the United States depends on the reliable functioning of critical infrastructure. Cybersecurity threats exploit the increased complexity and connectivity of critical infrastructure systems, placing the Nation's security, economy, and public safety and health at risk.
11 Acronyms and Regulations
- CCS - Council on CyberSecurity
- COBIT - Control Objectives for Information and Related Technology
- DCS - Distributed Control System
- DHS - Department of Homeland Security
- NIST - National Institute of Standards and Technology
- OMB - Office of Management and Budget
- ISO - International Organization for Standardization; ISO 27001/2
- HIPAA
- FISMA - Federal Information Security Management Act
- GLBA - Gramm-Leach-Bliley Act
- PCI - Payment Card Industry
- Cybersecurity Framework
- EO - Executive Order
12 Why do we need the CSF? The national and economic security of the United States depends on the reliable functioning of our critical infrastructure. To strengthen the resilience of this infrastructure, President Obama issued Executive Order (EO), Improving Critical Infrastructure Cybersecurity, on February 12, 2013. This Executive Order calls for the development of a voluntary Cybersecurity Framework ("Framework") to assist organizations responsible for critical infrastructure services to manage cybersecurity risk.
13 Cybersecurity Framework Overview. The Cybersecurity Framework's intention, or design criteria:
- Includes a set of standards, methodologies, procedures, and processes that align policy, business and technological approaches to address cyber risks.
- Provides a prioritized, flexible, repeatable, performance-based and cost-effective approach. This includes information security methods and controls to help owners and operators of critical infrastructure identify, assess, and manage cyber risk.
14 Cybersecurity Framework Overview. The Cybersecurity Framework:
- Identifies areas for improvement to be addressed through future collaboration with particular sectors and standards-developing organizations.
- Is consistent with voluntary international standards.
15 NAIC CYBERSECURITY TASK FORCE ADOPTS REGULATORY PRINCIPLES. National Association of Insurance Commissioners (NAIC): NAIC is the U.S. standard-setting and regulatory support organization created and governed by the chief insurance regulators from the 50 states, the District of Columbia and five U.S. territories. Through the NAIC, state insurance regulators establish standards and best practices, conduct peer review, and coordinate their regulatory oversight.
16 Governor of New York: letter sent to all registered Financial Services, March 2015
17 Cybersecurity Executive Order
18 Cybersecurity Executive Order
- NIST Risk Management Framework (RMF) now mandatory for all federal agencies.
- Agencies have 90 days to file implementation plans with OMB.
- Agency heads will be held accountable by the President for implementing risk management measures.
19 More about NIST (from 1901 to 1988 called the Bureau of Standards)
- NIST publications, many of which are required for federal agencies, can serve as voluntary guidelines and best practices for state, local, and tribal governments and the private sector.
- NIST security standards and guidelines include: Federal Information Processing Standards (FIPS) and Special Publications, which can be used to support the requirements of HIPAA, FISMA and GLBA.
- They may be used by organizations to help provide a structured, yet flexible framework for selecting, specifying, employing, and evaluating the security controls in information systems.
- Most importantly, it is what the auditors know and are required to use internally!
20 The Future of the CSF
21 A New Update is coming. What changes are included in the proposed revision? The draft revision (Version 1.1):
- Clarifies use of Implementation Tiers and their relationship to Profiles,
- Enhances guidance for applying the Framework for supply chain risk management,
- Provides guidance on metrics and measurements using the Framework,
- Adds the concept of identity proofing and expands authorization, and
- Updates FAQs to support understanding and use of the Framework.
22 If I adopt it, how will it impact my resources, cost, and time, and how much new work will it create? Implementing the HIPAA Security Rule compared to implementing the CyberSecurity Framework (CSF): If you implement HIPAA using the NIST SP, you will have 52% of the CSF requirements addressed. If you implement the CSF, you will have 68% of the HIPAA requirements covered.
23 Should we use the CSF? If I adopt it, how will it impact my resources, cost, and time, and how much new work will it create? Implementing the HIPAA Security Rule compared to implementing the CyberSecurity Framework (CSF): If you implement HIPAA using the NIST SP, you will have 52% of the CSF requirements addressed. If you implement the CSF, you will have 68% of the HIPAA requirements covered.
24 Future Opportunity!
25 Why use NIST Security Controls? There are official mappings between the NIST controls and:
- ISO 27001/2
- HIPAA
- PCI
- GLBA
- Cybersecurity Framework
- COBIT
- Not necessarily State Requirements
[Diagram: overlapping regimes COBIT, GLBA, ISO 27001/2, HIPAA Security, Cybersecurity Framework/NAIC, PCI, States; not to scale.]
26 We typically work on 3 regulations and the local state issues, most notably breach-related. Our most common engagements are:
- HIPAA Security Risk Assessment
- Security Awareness Training
- Develop and Review Policies and Procedures
- Add Cybersecurity Framework Ctrls.
- Add State Specific Requirements, especially for Disclosure/Breach regulations
Your organization may be different!
[Diagram: GLBA, Cybersecurity Framework/NAIC, HIPAA Compliance & Security, State-specific issues.]
27 Critical Infrastructure Support It is the policy of the executive branch to use its authorities and capabilities to support the cybersecurity risk management efforts of the owners and operators of the Nation's critical infrastructure
28 Reasonable Security Becomes Reasonably Clear
If cybersecurity risks appear to be ubiquitous, some comfort may be taken in the fact that reasonable defenses are well known. The Report emphasizes a finding that has been made regularly in Verizon's annual Data Breach Investigations Reports: 99.9 percent of exploited vulnerabilities were compromised more than a year after the fix for the vulnerability had been made publicly available.
Defining a Reasonable Security Standard
California law requires organizations to implement "reasonable security procedures and practices... to protect personal information from unauthorized access, destruction, use, modification, or disclosure." The Report, drawing on a rich dataset of reported breaches, for the first time sets forth the California Attorney General's expectations, providing additional meaning to the reasonable security requirement.
29 Organization of the Cybersecurity Framework
30 Overview of the Framework. The Framework complements, and does not replace, an organization's risk management process and cybersecurity program. Organizations can use it to:
1) Describe their current cybersecurity posture;
2) Describe their target state for cybersecurity;
3) Identify and prioritize opportunities for improvement within the context of a continuous and repeatable process;
4) Assess progress toward the target state;
5) Communicate among internal and external stakeholders about cybersecurity risk.
31 Overview of the Framework The Framework is a risk-based approach to managing cybersecurity risk, and is composed of three parts: the Framework Core, the Framework Profile, and the Framework Implementation Tiers.
32 The Framework Core. A set of cybersecurity activities, desired outcomes, and applicable references that are common across critical infrastructure sectors. The Core presents industry standards, guidelines, and practices in a manner that allows for communication of cybersecurity activities and outcomes across the organization.
33 The Framework Profile. A Framework Profile ("Profile") represents the outcomes, based on business needs, that an organization has selected from the Framework Categories and Subcategories. The Profile can be characterized as the alignment of standards, guidelines, and practices to the Framework Core in a particular implementation scenario.
34 The Framework Implementation Tiers provide the context on how an organization views cybersecurity risk and the processes in place to manage that risk. Tiers describe the degree to which an organization's cybersecurity risk management practices exhibit the characteristics defined in the Framework. Risk and Threat Awareness: Partial, Risk Informed, Repeatable and Adaptive.
35 Implementation Overview
36 Framework 7-Step Process
Step 1: Prioritize and Scope
Step 2: Orient
Step 3: Create a Current Profile
Step 4: Conduct a Risk Assessment
Step 5: Create a Target Profile
Step 6: Determine, Analyze and Prioritize Gaps
Step 7: Implement Action Plan
37 Define the previous slide points
38 Implementation Tiers
39 By the way, there are co$ts associated with implementation. In order to be a 4 in a key area, you may choose to be a 2 in another. That cost-benefit analysis tells you where you can focus. The Core is designed to translate the highly technical field that is Cybersecurity to the other disciplines. Cybersecurity works when the whole organization is in sync.
41 The Core
42 The five Framework Core Functions
- Identify: Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.
- Protect: Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services.
- Detect: Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.
- Respond: Develop and implement the appropriate activities to take action regarding a detected cybersecurity event.
- Recover: Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event.
43 The Five Cyber Security Framework Core Functions
44 The Core and Categories. The Core 5 and the next 22 Categories are simple, but not all groups will define the terms the same way. The terminology is purposely selected to be generally available.
45 The Core and Categories with IDs. The mantra: Identify, Protect, Detect, Respond and Recover. The Core 5 and the next 22 Categories are simple, but not all groups will define the terms the same way. The terminology is purposely selected to be generally available and understood by many.
46 The Core to the Granular: Usable Guidance
47 Cybersecurity Framework
48 Cybersecurity Framework
49 Using The Cybersecurity Framework
51 Building a Profile in 3 steps. A profile can be thought of as:
- Mission Objectives
- Cybersecurity Requirements: Legislation, Regulations, Internal & External Policies, Best Practice
- Operating Methodologies
52 Conceptual Profile: comply once, report many (HIPAA, FISMA, Sarbanes-Oxley). There can be hundreds of distinct profiles.
53 Resource and Budgeting. Why aren't you addressing the activities in order of priority? Why aren't you doing subcategory 1? The priorities were smaller, the gaps were smaller, and the costs were greater than for Categories 2 and 3. You end up with a defensible plan!
54 Creating or editing a profile. HHS and HIPAA Security Rule to Cybersecurity Framework mappings: the profiles are there. Efficiency is there: hour meetings.
55 Small Organization Cyber Security Compliance. At least annually, start the Cyber Security Risk Mgt. Program:
Step 1 - Prioritize and Scope Program, i.e. What Assets to Protect?
Step 2 - Orient, i.e. Locate Assets at Risk
Step 3 - Create Current Profile, i.e. How are Assets Currently Protected?
Step 4 - Select Compliance Option and Conduct Risk Assessment. NIST Recommended for US Sites, ISO Internationally
Step 5 - Create Target Profile Showing Desired Risk Levels
Step 6 - Gap Analysis: What is Required to Achieve Desired Risk Levels?
Step 7 - Action Plan: Implement Changes to Achieve Desired Risk Levels
56 Office of Civil Rights (OCR) Risk Assessment Steps
Step 1 - System Characterization
Step 2 - Threat Identification
Step 3 - Vulnerability Identification
Step 4 - Control Analysis
Step 5 - Likelihood Determination
Step 6 - Impact Analysis
Step 7 - Risk Determination
Step 8 - Control Recommendations
Step 9 - Results Documentation
57 NIST Risk Management Framework
3.1 RMF STEP 1: CATEGORIZE INFO. SYSTEM
3.2 RMF STEP 2: SELECT SECURITY CONTROLS
3.3 RMF STEP 3: IMPLEMENT CONTROLS
3.4 RMF STEP 4: ASSESS SECURITY CONTROLS
3.5 RMF STEP 5: AUTHORIZE INFO. SYSTEM
3.6 RMF STEP 6: MONITOR SECURITY CONTROLS
58 NIST Risk Management Framework, 3.1 RMF STEP 1: CATEGORIZE INFO. SYSTEM
- TASK 1-1: Categorize the information system and document the results. References: FIPS Publication 199; NIST Special Publications [numbers missing]; CNSS Instruction 1253.
- TASK 1-2: Describe the information system. References: None.
- TASK 1-3: Register the information system. References: None.
59 Safeguard Inventory Input
60 NIST Risk Management Framework, 3.2 RMF STEP 2: SELECT SECURITY CONTROLS
- TASK 2-1: Identify and document the controls in a security plan. References: FIPS 199, 200; NIST SP [numbers missing]; CNSS.
- TASK 2-2: Select the security controls. References: FIPS 199, 200; NIST SP [numbers missing]; CNSS.
- TASK 2-3: Develop a strategy for the continuous monitoring... References: NIST SP [numbers missing]; CNSS.
- TASK 2-4: Review and approve the security plan. References: NIST SP [numbers missing]; CNSS 1253.
61 Content Based NIST Safeguards
Columns: Symbol, NIST Title, CUI, CSF, HIPAA, Privacy. An X marks each regime the control applies to; the column positions of the marks are not preserved in this transcription, so only the marks themselves are listed.
- AC-02 Account Management: X X X
- AC-03 Access Enforcement: X X X X
- AC-04 Information Flow Enforcement: X X X
- AC-05 Separation of Duties: X X X X
- AC-06 Least Privilege: X X X X
- AC-07 Unsuccessful Logon Attempts: X X
- AC-08 System Use Notification: X X
- AC-11 Session Lock: X X X
- AC-12 Session Termination: X X X
- AC-17 Remote Access: X X X X
- AC-18 Wireless Access: X X
- AC-19 Access Control for Mobile Devices: X X X X
- AC-20 Use of External Information Systems: X X
- AC-22 Publicly Accessible Content: X X
- AT-02 Security Awareness Training: X X X
- AT-03 Role-Based Security Training: X X X
- AU-02 Auditable Events: X X X X
- AU-03 Content of Audit Records: X X X
- AU-06 Audit Review, Analysis, and Reporting: X X X X
- AU-07 Audit Reduction and Report Generation: X X X
- AU-12 Audit Generation: X X
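A mapping table like the one above is what makes the "comply once, report many" profile (slide 52) and the HIPAA/CSF cross-coverage figures (slides 22 and 23) computable. The following Python is an added example, not ACR2's software or a NIST artifact: it parses a pipe-separated version of such a table, refuses rows whose marks cannot be attributed to a column, and computes cross-regime coverage plus per-regime status for one implemented set of controls. The control IDs and titles follow the slide; the X placements are constructed here, since the original's column assignments do not survive extraction.

```python
"""Cross-regime control coverage from a NIST SP 800-53 style mapping table.

Added example, not the deck's or ACR2's code. Answers two questions the deck
raises: how much of regime B is already satisfied by implementing all of
regime A (the asymmetric 52% / 68% style figures), and, for one implemented
set of controls, how each regime is covered ("comply once, report many").
"""
from __future__ import annotations

from typing import Dict, List, Set, Tuple

# Constructed sample mapping. Control IDs and titles follow the slide; the
# X placements are constructed because the original columns did not survive.
MAPPING_TEXT = """\
Symbol | NIST Title                            | CUI | CSF | HIPAA | Privacy
AC-02  | Account Management                    |  X  |  X  |   X   |
AC-03  | Access Enforcement                    |  X  |  X  |   X   |    X
AC-05  | Separation of Duties                  |  X  |  X  |   X   |    X
AC-06  | Least Privilege                       |  X  |  X  |   X   |    X
AC-07  | Unsuccessful Logon Attempts           |  X  |     |   X   |
AC-17  | Remote Access                         |  X  |  X  |   X   |    X
AC-18  | Wireless Access                       |  X  |  X  |       |
AT-02  | Security Awareness Training           |  X  |  X  |   X   |
AU-02  | Auditable Events                      |  X  |  X  |   X   |    X
AU-06  | Audit Review, Analysis, and Reporting |  X  |  X  |   X   |    X
AU-12  | Audit Generation                      |  X  |     |   X   |
"""

Mapping = Dict[str, Set[str]]  # control id -> regimes that require it


def parse_mapping(text: str) -> Tuple[Mapping, Dict[str, str]]:
    """Parse a pipe-separated mapping table into {control: {regime}} plus titles.

    Every row must have exactly the header's cell count. A row whose marks
    have collapsed together (as happens when such a table is copied out of a
    slide) cannot be attributed to regimes and is rejected, not guessed at.
    """
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = [c.strip() for c in lines[0].split("|")]
    regimes = header[2:]
    mapping: Mapping = {}
    titles: Dict[str, str] = {}
    for ln in lines[1:]:
        cells = [c.strip() for c in ln.split("|")]
        if len(cells) != len(header):
            raise ValueError(f"row has {len(cells)} cells, expected {len(header)}: {ln!r}")
        control, title, marks = cells[0], cells[1], cells[2:]
        mapping[control] = {r for r, m in zip(regimes, marks) if m.upper() == "X"}
        titles[control] = title
    return mapping, titles


def controls_for(mapping: Mapping, regime: str) -> Set[str]:
    """All controls the given regime requires."""
    return {ctl for ctl, regs in mapping.items() if regime in regs}


def coverage(mapping: Mapping, implemented: str, target: str) -> float:
    """Fraction of `target`'s controls satisfied by implementing all of `implemented`.

    The two directions differ (HIPAA->CSF vs CSF->HIPAA) because the two
    control sets differ in size, which is why the deck quotes two figures.
    """
    target_ctls = controls_for(mapping, target)
    if not target_ctls:
        return 0.0
    return len(target_ctls & controls_for(mapping, implemented)) / len(target_ctls)


def gap(mapping: Mapping, implemented: Set[str], target: str) -> List[str]:
    """Controls `target` requires that are not in the implemented set, sorted."""
    return sorted(controls_for(mapping, target) - implemented)


def report_many(mapping: Mapping, implemented: Set[str]) -> Dict[str, Tuple[int, int]]:
    """'Comply once, report many': (satisfied, required) per regime for one control set."""
    regimes = sorted({r for regs in mapping.values() for r in regs})
    return {r: (len(controls_for(mapping, r) & implemented), len(controls_for(mapping, r)))
            for r in regimes}


if __name__ == "__main__":
    mapping, titles = parse_mapping(MAPPING_TEXT)
    print(f"HIPAA -> CSF coverage: {coverage(mapping, 'HIPAA', 'CSF'):.0%}")
    print(f"CSF -> HIPAA coverage: {coverage(mapping, 'CSF', 'HIPAA'):.0%}")
    # Constructed "current profile": the controls this site has actually implemented.
    current = {"AC-02", "AC-03", "AC-05", "AC-06", "AC-17", "AU-02", "AU-06"}
    for regime, (have, need) in report_many(mapping, current).items():
        missing = ", ".join(f"{c} ({titles[c]})" for c in gap(mapping, current, regime)) or "none"
        print(f"{regime:8s} {have}/{need} satisfied; missing: {missing}")
```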
62 NIST Risk Management Framework, 3.3 RMF STEP 3: IMPLEMENT SECURITY CONTROLS
- TASK 3-1: Implement the security controls specified in the security plan. References: FIPS 200; NIST SP [numbers missing]; CNSS 1253; Web: scap.nist.gov.
- TASK 3-2: Document the security control implementation. References: NIST SP [number missing]; CNSS 1253.
63 NIST Risk Management Framework, 3.4 RMF STEP 4: ASSESS SECURITY CONTROLS
- TASK 4-1: Develop, review, and approve a plan to assess the security controls. References: NIST Special Publication [number missing] A.
- TASK 4-2: Assess the security controls. References: NIST SP [number missing] A.
- TASK 4-3: Prepare the security assessment report. References: NIST SP [number missing] A.
- TASK 4-4: Conduct initial remediation actions. References: NIST SP [numbers missing].
64 NIST Risk Management Framework, 3.5 RMF STEP 5: AUTHORIZE INFO. SYSTEM
- TASK 5-1: Prepare the plan of action and milestones. References: OMB Memorandum 02-01; NIST SP [numbers missing].
- TASK 5-2: Assemble the security authorization package. References: None.
- TASK 5-3: Determine the risk. References: NIST SP [numbers missing].
- TASK 5-4: Determine if the risk is acceptable. References: NIST SP [number missing].
66 NIST Risk Management Framework, 3.6 RMF STEP 6: MONITOR SECURITY CONTROLS
- TASK 6-1: Determine the security impact... References: NIST SP [numbers missing].
- TASK 6-2: Assess a selected subset of the security controls. References: NIST SP [number missing] A.
- TASK 6-3: Conduct remediation actions... References: NIST SP [numbers missing]; CNSS 1253.
67 NIST Risk Management Framework, 3.6 RMF STEP 6: MONITOR SECURITY CONTROLS
- TASK 6-4: Update the security plan based on the results of the continuous monitoring process. References: NIST SP [number missing] A.
- TASK 6-5: Report the security status of the information system on an ongoing basis. References: NIST SP [number missing] A.
68 NIST Risk Management Framework, 3.6 RMF STEP 6: MONITOR SECURITY CONTROLS
- TASK 6-6: Review the reported security status of the information system... to determine whether the risk... remains acceptable. References: NIST SP [numbers missing].
- TASK 6-7: Implement an information system decommissioning strategy... References: NIST SP [numbers missing].
69 Monitoring Multiple Sites or Network Segments
70 Example: EPA RFI, 3/17, RFQ-DC (RMF compliance, 48 networks / 15,000 assets). Other Cybersecurity and Management Services.
71 For More Information: Website. Contacts: Jack Kolk, Benicia CA, or Robert Peterson, Lilburn GA.
More informationImplementing the Administration's Critical Infrastructure and Cybersecurity Policy
Implementing the Administration's Critical Infrastructure and Cybersecurity Policy Cybersecurity Executive Order and Critical Infrastructure Security & Resilience Presidential Policy Directive Integrated
More informationTHE WHITE HOUSE Office of the Press Secretary EXECUTIVE ORDER
FOR IMMEDIATE RELEASE May 11, 2017 THE WHITE HOUSE Office of the Press Secretary EXECUTIVE ORDER - - - - - - - STRENGTHENING THE CYBERSECURITY OF FEDERAL NETWORKS AND CRITICAL INFRASTRUCTURE By the authority
More informationCOMMENTARY. Federal Banking Agencies Propose Enhanced Cyber Risk Management Standards
November 2016 COMMENTARY Federal Banking Agencies Propose Enhanced Cyber Risk Management Standards The Board of Governors of the Federal Reserve System ( Federal Reserve Board ), the Federal Deposit Insurance
More informationFramework for Improving Critical Infrastructure Cybersecurity
Framework for Improving Critical Infrastructure Cybersecurity Version 1.0 National Institute of Standards and Technology February 12, 2014 Table of Contents Executive Summary...1 1.0 Framework Introduction...3
More informationPresidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure
Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure EXECUTIVE ORDER [13800] - - - - - - - STRENGTHENING THE CYBERSECURITY OF FEDERAL NETWORKS
More informationProtecting Controlled Unclassified Information(CUI) in Nonfederal Information Systems and Organizations
Protecting Controlled Unclassified Information(CUI) in Nonfederal Information Systems and Organizations January 9 th, 2018 SPEAKER Chris Seiders, CISSP Security Analyst Computing Services and Systems Development
More informationUsing the NIST Framework for Metrics 5/14/2015
Using the NIST Framework for Metrics 5/14/2015 ITD - Public Safety Safety improvements reduced total crashes by 29% and injury crashes by 41% in corridors after GARVEE projects were completed Ads / Commercials
More informationChoosing the Right Cybersecurity Assessment Tool Michelle Misko, TraceSecurity Product Specialist
Choosing the Right Cybersecurity Assessment Tool Michelle Misko, TraceSecurity Product Specialist Agenda Industry Background Cybersecurity Assessment Tools Cybersecurity Best Practices 2 Cybersecurity
More informationPD 7: Homeland Security Presidential Directive 7: Critical Infrastructure Identification, Prioritization, and Protection
PD 7: Homeland Security Presidential Directive 7: Critical Infrastructure Identification, Prioritization, and Protection December 17, 2003 SUBJECT: Critical Infrastructure Identification, Prioritization,
More informationFederal Continuous Monitoring Working Group. March 21, DOJ Cybersecurity Conference 2/8/2011
Federal Continuous Monitoring Working Group March 21, 2011 DOJ Cybersecurity Conference 2/8/2011 4/12/2011 Why Continuous Monitoring? Case for Change Strategy Future State Current State Current State Case
More informationHIPAA Security Rule: Annual Checkup. Matt Sorensen
HIPAA Security Rule: Annual Checkup Matt Sorensen Disclaimer This presentation is similar to any other legal education materials designed to provide general information on pertinent legal topics. The statements
More informationCritical Infrastructure Sectors and DHS ICS CERT Overview
Critical Infrastructure Sectors and DHS ICS CERT Overview Presented by Darryl E. Peek II REGIONAL INTELLIGENCE SEMINAR AND NATIONAL SECURITY FORUM 2 2 Authorities and Related Legislation Homeland Security
More informationEnterprise Risk Management (ERM) and Cybersecurity. Na9onal Science Founda9on March 14, 2018
Enterprise Risk Management (ERM) and Cybersecurity Na9onal Science Founda9on March 14, 2018 Agenda Guiding Principles for Implementing ERM at NSF (Based on COSO) NSF s ERM Framework ERM Cybersecurity Risk
More informationMedical Device Cybersecurity: FDA Perspective
Medical Device Cybersecurity: FDA Perspective Suzanne B. Schwartz MD, MBA Associate Director for Science and Strategic Partnerships Office of the Center Director (OCD) Center for Devices and Radiological
More informationThe next generation of knowledge and expertise
The next generation of knowledge and expertise UNDERSTANDING FISMA REPORTING REQUIREMENTS 1 HTA Technology Security Consulting., 30 S. Wacker Dr, 22 nd Floor, Chicago, IL 60606, 708-862-6348 (voice), 708-868-2404
More informationThe HITRUST CSF. A Revolutionary Way to Protect Electronic Health Information
The HITRUST CSF A Revolutionary Way to Protect Electronic Health Information June 2015 The HITRUST CSF 2 Organizations in the healthcare industry are under immense pressure to improve quality, reduce complexity,
More informationSection One of the Order: The Cybersecurity of Federal Networks.
Summary and Analysis of the May 11, 2017 Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure. Introduction On May 11, 2017, President Donald
More informationOverview of NIPP 2013: Partnering for Critical Infrastructure Security and Resilience October 2013
Overview of NIPP 2013: Partnering for Critical Infrastructure Security and Resilience October 2013 PPD-21: CI Security and Resilience On February 12, 2013, President Obama signed Presidential Policy Directive
More informationAchieving Cyber-Readiness through Information Sharing Analysis Organizations (ISAOs)
Achieving Cyber-Readiness through Information Sharing Analysis Organizations (ISAOs) Florida Hospital Association Welcome! John Wilgis Director, Emergency Management Services Florida Hospital Association
More informationNew York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines
New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines New York Department of Financial Services ( DFS ) Regulation 23 NYCRR 500 requires that entities
More informationCyber Security & Homeland Security:
Cyber Security & Homeland Security: Cyber Security for CIKR and SLTT Michael Leking 19 March 2014 Cyber Security Advisor Northeast Region Office of Cybersecurity and Communications (CS&C) U.S. Department
More informationChecklist for Applying ISO 27000, PCI DSS v2 & NIST to Address HIPAA & HITECH Mandates. Ali Pabrai, MSEE, CISSP (ISSAP, ISSMP)
Checklist for Applying ISO 27000, PCI DSS v2 & NIST to Address HIPAA & HITECH Mandates Ali Pabrai, MSEE, CISSP (ISSAP, ISSMP) ecfirst, chief executive Member, InfraGard Compliance Mandates Key Regulations
More informationIT SECURITY RISK ANALYSIS FOR MEANINGFUL USE STAGE I
Standards Sections Checklist Section Security Management Process 164.308(a)(1) Information Security Program Risk Analysis (R) Assigned Security Responsibility 164.308(a)(2) Information Security Program
More informationUCOP ITS Systemwide CISO Office Systemwide IT Policy
UCOP ITS Systemwide CISO Office Systemwide IT Policy Revision History Date: By: Contact Information: Description: 08/16/17 Robert Smith robert.smith@ucop.edu Initial version, CISO approved Classification
More informationMNsure Privacy Program Strategic Plan FY
MNsure Privacy Program Strategic Plan FY 2018-2019 July 2018 Table of Contents Introduction... 3 Privacy Program Mission... 4 Strategic Goals of the Privacy Office... 4 Short-Term Goals... 4 Long-Term
More informationThe HIPAA Security & Privacy Rule How Municipalities Can Prepare for Compliance
The HIPAA Security & Privacy Rule How Municipalities Can Prepare for Compliance Russell L. Jones Partner Health Sciences Sector Deloitte & Touche LLP Security & Privacy IMLA 2013 Annual Conference San
More information*** THIS DOCUMENT IS CLASSIFIED FOR PUBLIC ACCESS ***
Introduction and Bio CyberSecurity Defined CyberSecurity Risks NIST CyberSecurity Framework References *** THIS DOCUMENT IS CLASSIFIED FOR PUBLIC ACCESS *** Chapter 3. Framework Implementation Relationship
More informationThe Office of Infrastructure Protection
The Office of Infrastructure Protection National Protection and Programs Directorate Department of Homeland Security Protective Security Coordination Division Overview ND Safety Council Annual Conference
More informationAutomating the Top 20 CIS Critical Security Controls
20 Automating the Top 20 CIS Critical Security Controls SUMMARY It s not easy being today s CISO or CIO. With the advent of cloud computing, Shadow IT, and mobility, the risk surface area for enterprises
More informationCritical Infrastructure Resilience
Critical Infrastructure Resilience Climate Resilience Webinar Series U.S. Department of Housing and Urban Development Disclaimer This presentation is intended to provide communities and states with the
More informationSecurity Awareness Compliance Requirements. Updated: 11 October, 2017
Security Awareness Compliance Requirements Updated: 11 October, 2017 Executive Summary The purpose of this document is to identify different standards and regulations that require security awareness programs.
More informationExploring Emerging Cyber Attest Requirements
Exploring Emerging Cyber Attest Requirements With a focus on SOC for Cybersecurity ( Cyber Attest ) Introductions and Overview Audrey Katcher Partner, RubinBrown LLP AICPA volunteer: AICPA SOC2 Guide Working
More informationManaging Privacy Risk & Compliance in Financial Services. Brett Hamilton Advisory Solutions Consultant ServiceNow
Managing Privacy Risk & Compliance in Financial Services Brett Hamilton Advisory Solutions Consultant ServiceNow 1 Speaker Introduction INSERT PHOTO Name: Brett Hamilton Title: Advisory Solutions Consultant
More informationDHS Cybersecurity: Services for State and Local Officials. February 2017
DHS Cybersecurity: Services for State and Local Officials February 2017 Department of Established in March of 2003 and combined 22 different Federal departments and agencies into a unified, integrated
More informationFunction Category Subcategory Implemented? Responsible Metric Value Assesed Audit Comments
Function Category Subcategory Implemented? Responsible Metric Value Assesed Audit Comments 1 ID.AM-1: Physical devices and systems within the organization are inventoried Asset Management (ID.AM): The
More information79th OREGON LEGISLATIVE ASSEMBLY Regular Session. Senate Bill 90
th OREGON LEGISLATIVE ASSEMBLY-- Regular Session Senate Bill 0 Printed pursuant to Senate Interim Rule. by order of the President of the Senate in conformance with presession filing rules, indicating neither
More informationRisk: Security s New Compliance. Torsten George VP Worldwide Marketing and Products, Agiliance Professional Strategies - S23
Risk: Security s New Compliance Torsten George VP Worldwide Marketing and Products, Agiliance Professional Strategies - S23 Agenda Market Dynamics Organizational Challenges Risk: Security s New Compliance
More informationMEDICAL DEVICE CYBERSECURITY: FDA APPROACH
MEDICAL DEVICE CYBERSECURITY: FDA APPROACH CYBERMED SUMMIT JUNE 9TH, 2017 SUZANNE B. SCHWARTZ, MD, MBA ASSOCIATE DIRECTOR FOR SCIENCE & STRATEGIC PARTNERSHIPS CENTER FOR DEVICES AND RADIOLOGICAL HEALTH
More informationDemonstrating Compliance in the Financial Services Industry with Veriato
Demonstrating Compliance in the Financial Services Industry with Veriato Demonstrating Compliance in the Financial Services Industry With Veriato The biggest challenge in ensuring data security is people.
More informationExecutive Order 13556
Briefing Outline Executive Order 13556 CUI Registry 32 CFR, Part 2002 Understanding the CUI Program Phased Implementation Approach to Contractor Environment 2 Executive Order 13556 Established CUI Program
More informationPROFESSIONAL SERVICES (Solution Brief)
(Solution Brief) The most effective way for organizations to reduce the cost of maintaining enterprise security and improve security postures is to automate and optimize information security. Vanguard
More informationCybersecurity Risk Management:
Cybersecurity Risk Management: Building a Culture of Responsibility G7 ICT and Industry Multistakeholder Conference September 25 2017 Adam Sedgewick asedgewick@doc.gov Cybersecurity in the Department of
More informationFederal Initiatives to Protect Controlled Unclassified Information in Nonfederal Information Systems Against Cyber Threats
May 20, 2015 Georgetown University Law Center Federal Initiatives to Protect Controlled Unclassified Information in Nonfederal Information Systems Against Cyber Threats Robert S. Metzger Rogers Joseph
More informationPresidential Documents
Federal Register Vol. 84, No. 61 Friday, March 29, 2019 Presidential Documents 12041 Title 3 Executive Order 13865 of March 26, 2019 The President Coordinating National Resilience to Electromagnetic Pulses
More informationMay 14, :30PM to 2:30PM CST. In Plain English: Cybersecurity and IT Exam Expectations
May 14, 2018 1:30PM to 2:30PM CST In Plain English: Cybersecurity and IT Exam Expectations Options to Join Webinar and audio Click on the link: https://www.webcaster4.com/webcast/page/584/24606 Choose
More informationInformation Systems Security Requirements for Federal GIS Initiatives
Requirements for Federal GIS Initiatives Alan R. Butler, CDP Senior Project Manager Penobscot Bay Media, LLC 32 Washington Street, Suite 230 Camden, ME 04841 1 Federal GIS "We are at risk," advises the
More informationBoston Chapter AGA 2018 Regional Professional Development Conference Cyber Security MAY 2018
Boston Chapter AGA 2018 Regional Professional Development Conference Cyber Security BRANDEIS UNIVERSITY PROFESSOR ERICH SCHUMANN MAY 2018 1 Chinese military strategist Sun Tzu: Benchmark If you know your
More informationInspector General. Report on the Peace Corps Information Security Program. Peace Corps Office of. Background FISCAL YEAR 2017
Peace Corps Office of Inspector General Our Mission: Through audits, evaluations, and investigations, the Office of Inspector General provides independent oversight of agency programs and operations in
More informationNISP Update NDIA/AIA John P. Fitzpatrick, Director May 19, 2015
NISP Update NDIA/AIA John P. Fitzpatrick, Director May 19, 2015 Agenda Cybersecurity Information Sharing and the NISP NISP Working Group Update CUI Program Update 2 Executive Order 13691 Promoting Private
More informationISAO SO Product Outline
Draft Document Request For Comment ISAO SO 2016 v0.2 ISAO Standards Organization Dr. Greg White, Executive Director Rick Lipsey, Deputy Director May 2, 2016 Copyright 2016, ISAO SO (Information Sharing
More information