Protecting vital data with NIST Framework

Transcription

1 Protecting vital data with NIST Framework

2 About me Patrick Kerpan CEO at Cohesive BANKS

3 About Cohesive Networks 2,000+ customers protect cloudbased applications User-controlled security & connectivity at the top of the cloud Cloud is creating demand for more connectivity and security honest approach to cloud security

4 Agenda standards, teaching, testing and certifying sustained cyber sieges priority shifts toward risk-based models NIST Cybersecurity Framework overview applying risk based cybersecurity NIST Cybersecurity Framework for all

5 standards, teaching, testing and certifying

6 Pre-NIST Cybersecurity Framework International Organization for Standardization ISO/ IEC 27005:2011 Electricity Sub-Sector Cybersecurity Risk Management Process (RMP) guideline Committee of Sponsoring Organizations (Accounting Orgs) (COSO) American Institute of CPA's (AICPA) SOC 2 & SAS70 American Institute of CPA's (AICPA) - Generally Accepted Privacy PrinciplesGAPP (August 2009) Shared Assessments ORG Vendor Assessments (AUP v5.0 & SIG v6.0) FTC Children's Online Privacy Protection Rule (COPPA) European Union Agency for Network and Information Security (ENISA) IAF European Union Data Protection Directive 95/46/ EC GSA's Federal Risk and Authorization Management Program (FedRAMP) Cloud Security Controls Family Educational and Privacy Rights Act (FERPA) Health Insurance Portability and Accountability Act (HIPAA) Health Information Technology for Economic and Clinical Health (HITECH) Act Dept. of State International Traffic in Arms Regulations ITAR UK Royal Mail - Jericho Forum on De- Perimeterisation and on and on

7 The Big 10 International Organization for Standardization ISO 31000:2009 International Organization for Standardization ISO/IEC NIST Special Publication NIST r3 & r4 Payment Card Industry Security Standards Council Data Data Security Standard PCI DSS v3.0 International Society of Automation Industrial Automation And Controls ISA-IAC :2009 Information Systems Audit and Control Association (ISACA) COBIT 5 Cloud Security Alliance - Enterprise Architecture & Guidance CSA EAG v3.0 SANS Institute Council on Cybersecurity's Critical Security Controls for Effective Cyber Defense v5 DHS Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) Cybersecurity Evaluation Tool (CSET ) Department of Energy (DOE) Cybersecurity Capability Maturity Model C2M2

8 Certification is expensive Class Test

9 the fog of more Competing Options, Priorities, Opinions, and Claims Software Tools Standards Training Classes Certification Badges Certification, PenTest, & Audit Services Vulnerability Databases Guidance & Best Practices Catalogs of Controls Checklists Vendor Benchmarks Recommendations, Regulations & Requirements Threat Information Feeds Risk Management Frameworks

10 sustained cyber siege

11 new cyber realities Attacks have become professional: hackers, criminals or foreign governments. In the post-sony era, all servers on a wire are compromised or targets. Regulatory implementation and reporting demands are increasing.

12 target: governments

13 target: healthcare

14 target: retail

15 target: you

16 shifting priorities

17 DHS mandate: organize & coordinate Executive Order 13636: Improving Critical Infrastructure Cybersecurity Increase Information Sharing Protect Privacy & Civil Liberties Consult with Everyone Have Commerce / NIST Create Cybersecurity Framework Voluntary Adoption Program w/ Incentives Identify Greatest Risks Determine Need for More Regulation Image credit: Beldin

18 Why: NIST Cybersecurity Framework Pros Organized One standard format Common language Unifying process Defense in breadth & depth Incentives Risk management focused Free Cons Redundant Yet another framework Enforcement & penalties Sustained cyber-siege Not technical Not designed for small firms Technology debt?

19 NIST Cybersecurity Framework

20 Who: 16 critical infrastructure sectors Nuclear Manufacturing Chemical Facilities Defense Dams Emergency Comms Image credit: dhs.gov Financial Energy Water Agriculture Transportation Health IT Gov Facilities

21 NIST Framework core

22 just one subcategory:

23 NIST Framework tiers of maturity source: PwC Why you should adopt the NIST Cybersecurity Framework

24 NIST Cybersecurity Framework NIST Cybersecurity Framework is *voluntary* 82% of US federal agencies fully or partially adopting it 53% of organizations outside the federal government adopted it 2016 PwC State of Information Security: the 2 most frequently implemented risk-based guidelines are ISO and NIST Cybersecurity Framework

25 applying risk based cybersecurity

26 traditional vs. risk-based security Audit focus Traditional Transation-based Compliance objective Policies & procedures focus Multi-year audit coverage Policy adherence Budgeted cost center Career auditors Methodology: Focus on policies, transactions, and compliance Business focus Process-based Customer focus Risk management focus Risk-Based Continual risk-reassessment coverage Change facilitator Accountability for performance improvement results Diversified knowledge and experience Methodology: Focus on goals, strategies, and risk management processes

27 risk-based security frameworks 2016 PwC State of Information Security: 91% of companies have already adopted a risk-based cybersecurity framework Risk-based security can help: identify and prioritize risks gauge the maturity of cybersecurity practices better communicate internally and externally design, measure and monitor goals build program that centers around safety and security of data

28 NIST Cybersecurity Framework for all

29 how: NIST Cybersecurity for all Step 1: Prioritize and Scope Step 2: Orient Step 3: Create a Current Profile Step 4: Conduct a Risk Assessment Step 5: Create a Target Profile Step 6: Determine, Analyze, and Prioritize Gaps Step 7: Implement Action Plan Repeat The Steps As Needed (Rinse and Repeat)

30 Chicago style cybersecurity Innovative blend proven style with new technologies Pragmatic work within constraints - shifting sand (literally!) Transparent more opportunities to allow more light internally Tenacious driven by the Mid-Western work ethic Creative willingness to build solutions rather than empires The Marquette Building Image via the MacArthur Foundation

31 roll your own NIST Manual INTRODUCTION RISK MANAGEMENT STRATEGY STATEMENT Risk Management Process Integrated Risk Management Program External Participation SCOPE OF RISK MANAGEMENT PROGRAM Asset, Change, and Configuration Management Cybersecurity Program Management Supply Chain and External Dependencies Management Identity and Access Management Event and Incident Response, Continuity of Operations Information Sharing and Communications Cybersecurity Risk Management & Network Operations Center Manual Risk Management Situational Awareness Threat and Vulnerability Management Workforce Management INFRASTRUCTURE UPGRADE PRIORITIES Current CyberSecurity Profile Target Profile Technology Debt CYBERSECURITY ROADMAP & MILESTONES Appendix 1: REGISTRY OF PRIMARY CYBERSECURITY RISKS Appendix 2: REGISTRY OF STAKEHOLDERS AND USERS Etc.

32 conduct app-specific self-evaluations Self evaluations available - Just go download a template!

33 case study: LocusView Natural gas SaaS provider streamlines audit processes Challenge An increasing stream of requests for documentation, certifications, and penetration test results Solution Used NIST Framework to map the compliance areas that matter most to their organization, clients Outcome LocusView has passed initial audits and the first of several penetration tests public internet user traffic We wanted to look at a bigger picture than just natural gas and current regulations. Tim Hopper - GIS Professional LocusView AWS ELB Cloud Server IPsec Tunnel Firewall / IPsec Public Cloud Overlay Network customer network VNS3 Controller

34 conclusions Standards are still relevant Map from standards, not to Shift from audit-heavy compliance to risk-based prevention Prioritize current compliance over post-mortem disaster recovery Holistic security for each business unit NIST Framework can make everyone s jobs less complicated

35 Q&A Stay