MANAGING THE EFFECTIVENESS OF A CYBER SECURITY PROGRAM THROUGH A NIST CYBER SECURITY FRAMEWORK EVALUATION

Transcription

1 MANAGING THE EFFECTIVENESS OF A CYBER SECURITY PROGRAM THROUGH A NIST CYBER SECURITY FRAMEWORK EVALUATION Art Ehuan Alvarez & Marsal Global Cyber Risk Services LLC

2 AGENDA þ How does an organization know if the cyber security program is effective þ NIST Cybersecurity Framework Overview þ Understanding the framework þ Applying NIST to a Cyber Evaluation þ Informative References and External Frameworks

3 Is the Existing Cyber Security Program Effective? 3

4 STATE OF CYBERSECURITY Over 169 million personal records were exposed in 2015, stemming from 781 publicized breaches across the financial, business, education, government and healthcare sectors. ITRC Data Breach Reports 2015 Year-End Totals ITRC The average global cost per each lost or stolen record containing confidential and sensitive data was $154. The industry with the highest cost per stolen record was healthcare, at $363 per record. Cost of Data Breach Study: Global Analysis IBM/ Ponemon In 2015, there were 38 percent more security incidents detected than in The Global State of Information Security Survey 2016 PWC The median number of days that attackers stay dormant within a network before detection is over 200. Microsoft Advanced Threat Analytics Microsoft As much as 70 percent of cyber attacks use a combination of phishing and hacking techniques and involve a secondary victim Data Breach Investigations Report Verizon 4

5 STATE OF CYBERSECURITY An alarming 59% of respondents say that their agency struggles to understand how cyber attackers could potentially breach their systems, with 40% of respondents unaware of where their key assets are located. 65% of respondents disagree that the federal government as a whole can detect ongoing cyber attacks. Only 67% of respondents believe their agencies can appropriately respond to a cyber incident. Lack of accountability is a consistent theme throughout the industry. How does Management know if the cyber security program is effective? Statistics attributed to the 2016 State of Cybersecurity report by the The International Information System Security Certification Consortium, or (ISC)² 5

6 STATE OF CYBERSECURITY SIGNIFICANT GAME CHANGING TECHNOLOGY TOP 3 INHIBITORS TO SECURITY Illustrations attributed to the 2016 State of Cybersecurity report by the The International Information System Security Certification Consortium, or (ISC)² 6

7 CYBERSECURITY FRAMEWORK OVERVIEW

8 NIST CYBERSECURITY FRAMEWORK WHAT IS IT? The Framework is a risk-based approach to managing cybersecurity risk, and is composed of three parts: the Framework Core, the Framework Implementation Tiers, and the Framework Profiles. Each Framework component reinforces the connection between business drivers and cybersecurity activities. The Framework uses risk management processes to enable organizations to inform and prioritize decisions regarding cybersecurity. It supports recurring risk assessments and validation of business drivers to help organizations select target states for cybersecurity activities that reflect desired outcomes. Thus, the Framework gives organizations the ability to dynamically select and direct improvement in cybersecurity risk management for the IT and ICS environments. Voluntary participation Nearly 3,000 participating SME s to develop Improve an organizations cyber readiness Flexible, repeatable and activity driven Technology neutral Maps to and leverage s existing frameworks Creates a common assessment language Highlights the current cyber readiness state Defines the future cyber readiness state Industry agnostic 8

9 NIST CYBERSECURITY FRAMEWORK WHAT IS IT? The NIST CSF is a risk-based framework created through collaboration between the U.S. government and private sector that frames a standardized set of cybersecurity concepts into best practices to help organizations manage cyber risks. The Framework consists of three parts; the Core, Implementation Tiers and the Profile. The Framework Core provides a set of five activities to achieve specific cybersecurity outcomes, divided into five functions: Identify, Protect, Detect, Respond, and Recover. The Implementation Tiers provide context on how you view cybersecurity risk and your processes currently in place to manage risk. The Framework Profile represents the alignment of your cybersecurity activities with business requirements, risk tolerances, and resources. The Framework enables you to describe your current and target cybersecurity profiles, identify and prioritize opportunities for improvement, and evaluate your progress toward your target state. 9

10 NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY (NIST) CYBERSECURITY FRAMEWORK (CSF) Framework Informative References External Guidance and Control Mapping Control Objectives for Information and Related Technology (COBIT) Council on CyberSecurity (CCS) Top 20 Critical Security Controls ANSI/ISA ( )-2009 ANSI/ISA ( )-2013 ISO/IEC NIST Special Publication Revision 4 Framework Implementation Tiers Subcategory Scoring and Gap Prioritization Tier 1 Partial Tier 2 Risk Informed Tier 3 Repeatable Tier 4 Adaptive Improving Cybersecurity Program Steps to Gap Remediation and Improvement Step 1 Prioritize & Scope Step 2 Orient Step 3 Create a Current Profile Step 4 Conduct Risk Assessment Step 5 Create a Target Profile Step 6 Analyze & Prioritize Gaps Step 7 Implement Action Plan 10

11 UNDERSTANDING THE FRAMEWORK

12 NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY (NIST) CYBERSECURITY FRAMEWORK (CSF) The NIST CSF is not proscriptive! The NIST CSF does not include any control families. The categories and subcategories merely consolidate and describe security concepts as expectations. The framework also provides a common language and systematic methodology and roadmap for managing cyber risk. It also does not tell a organization how much cyber risk is tolerable, but provides a roadmap to help develop an understanding of risk and risk tolerance. The framework is a living document. It is intended to be updated from time to time as stakeholders learn from implementation, and as technology and risks change. NIST held a public information sharing workshop this year. The framework helps an organization focus on areas requiring additional attention and to ask the kind of hard risk tolerance and cultural questions that are necessary to manage cyber risk. While practices, technology, and standards will change over time principles and corporate culture should not. 12

13 THE NIST CSF EVALUATION METHODOLOGY Identify and Engage Executive Sponsor Seek and establish executive champion and evaluation context Assess Current Profile using Implementation Tiers Provide and collect CSF questionnaire Conduct leadership and SME interviews Review previous work and collected documents and policies Establish the current Profile as defined by the Implementation Tiers Perform Gap Analysis to inform Target State Define Target Profile using Implementation Tiers Determine a Target Profile as defined by the Implementation Tiers Draft a prioritized action roadmap and execution program Continuously monitor, communicate and collaborate Reiteratively reassess your Current Profile and Target Profile Share information about the Target Profile with your executive sponsor Seek guidance aligning the Target Profile into projects and initiatives 13

14 FRAMEWORK IMPLEMENTATION TIERS - UNDERSTOOD The Tiers are comprised of a numerical range between one (1) and four (4) and describe an increasing degree of rigor and sophistication in cybersecurity risk management practices. Risk management considerations include many aspects of cybersecurity, including the degree to which privacy and civil liberties considerations are integrated into an organization s management of cybersecurity risk and potential risk responses. TIER 1 PARTIAL Informal Practices Risk managed ad-hoc Limited awareness No external collaboration TIER 2 INFORMED Practices Approved but not established Risk practices are informed Advanced awareness but no cohesion Aware of external info no formal plan TIER 3 REPEATABLE Approved practices documented as policy Decisions are risk driven organization wide Awareness of risk and cohesion in action Actively consumes external information TIER 4 ADAPTIVE Lessons learned driven practices Continuous improvement in risk decisioning Risk awareness is cultural Actively participates in information sharing The Tier scoring process requires the consideration of three required conceptual criteria. These criteria are used to inform the understanding of the qualitative nature of the activities and comprehensiveness of the organizations efforts for the individual subcategory being assessed. Each of three conceptual criteria has an increasing burden of compliance relative to that concept for a Tier to be understood as achieved. The three criteria used to guide tier assignments are understood as: Risk Management Practices Integrated Risk Management program External Participation and Information Consideration An organization scoring as tier 1 on a subcategory is encouraged to consider moving toward tier 2 or greater. However, the tiers themselves do not represent maturity levels. As such, organizational progression to a higher tier is encouraged when such a change would reduce cybersecurity risk and align with the organizational stated risk tolerance while remaining cost effective. The tiers themselves also do not describe the organizations efforts in any individual Framework subcategory as being good vs. bad or adequate vs. inadequate, but rather seek to level set the understanding of the current state profile for each subcategory so as to identify where additional gap closure might be required to align the cybersecurity posture to the stated risk tolerance. 14

15 FRAMEWORK IMPLEMENTATION TIERS - APPLIED The Tiers essentially provide a method for framing the 98 CSF subcategories with easy to understand metrics and provide context as to how the organization; 1) Competently accesses risk data and to the extent it understands the cybersecurity risks it faces 2) Articulates and communicates its tolerance to the identified risks 3) Expends resources, manages the processes and improves the activites committed to managing its cybersecurity risks. For the purposes of a consultative or regulatory examination, the tier scores can serve as triggers for increased scrutiny or the forced intervention and oversight by a regulatory body. In A&M s experience, the following scale is an effective way to define these triggers: Tier score of : Receives annual monitoring Tier score of : Receives recurrent monitoring Tier score of : Requires scrutiny Tier score of : Receives scrutiny and possible intervention Tier score of : Requires intervention 15

16 APPLYING NIST TO A CYBER EVALUATION

17 APPLYING NIST TO A CYBER EVALUATION Initial Kickoff Review of Recently Developed Expert Work Plan For Reuse External Framework Alignment Evaluation Identify Policy & Framework Gaps Reliance on NIST Cyber Security Framework for exam guidance Business and Operational Evaluation & Analysis Technical Evaluation & Analysis Assure Reusable Tools Versioning Control & Licensing Sustainability Application and Database Evaluation Incident Response Plan Evaluation Cybersecurity & SecOps Program Review DR\BC Program Evaluation Vulnerability Evaluation Compromise Evaluation PEN Testing Policies, Standards, Controls & SOP Review Program Deficiency Remediation Planning Program Technical Report Vulnerability Remediation Planning Document Threats & Notify as Appropriate Threat Remediation Planning Gap Remediation Planning GRC Technical Report Executive Summary Threat Profile Technical Report 17

18 APPLYING NIST TO AN INDEPENDENT CYBER EVALUATION Gather necessary planning information Request previous related work product Request regulatory aligned record requests Request CSF aligned record requests Distribute the Regulatory and CSF integrated cybersecurity baseline questionnaire Review Information Gathered Review collected previous work product Review record request collected responses in real-time Collate and review collected questionnaire responses Reconcile all collected responses and generate validation requests Complete cybersecurity review planning Define external framework or regulatory applicability to the examination (e.g. HiTrust, PCI DSS) Develop and execute validation responses review plan Reconcile validation responses for completeness Conduct cybersecurity fieldwork Conduct initial executive, leadership and subject-matter expert ( SME ) interview sessions Review collected validation information in real-time Conduct SME validation sessions where privilege or confidentiality requirements constrain access to information Reconcile information gathered between CSF subcategories and external requirements Generate prioritized risk findings Consider functional or technical testing to further investigate high or critical findings Conduct CSF Implementation Tier analysis, deliberation and scoring 18

19 APPLYING NIST TO AN INDEPENDENT CYBER EVALUATION 1. Gather Necessary Planning Information 2. Review Information Gathered 3. Complete Cybersecurity Review Planning 4. Conduct Cybersecurity Fieldwork Generate record request for previous work product (assessments, audits and regulatory reports) Review previous work product (assessments, audits and regulatory reports) Identify examination procedures as required by applicable control families Conduct executive discovery sessions Generate record requests for documentation related to cyber aligned regulatory requirements Review record request response documents in real-time Enumerate applicable cybersecurity requirements Conduct SME discovery sessions Generate record requests for documentation related to the NIST CSF Create and maintain testing plan for demonstrative validation Conduct subjectmatter demonstrative validation sessions of privileged information Generate and distribute baseline cybersecurity risk questionnaire to appropriate SME s Collate and review cybersecurity risk questionnaire responses Generate real-time record requests for demonstrative validation Reconcile collected information and validation with cybersecurity Exhibit C controls and NIST functions Reconcile reviewed information to determine demonstrative validation requirements Review demonstrative validation responses in real-time Continually reconcile demonstrative validation responses for completeness Generate prioritized risk findings determine and consider control and / or technical testing Conduct NIST Implementation Tier analysis, deliberation and scoring Perform maturity model and risk tier alignment 19

20 CYBERSECURITY EVALUATORS GUIDE TO CONFIDENCE 20

21 INFORMATIVE REFERENCES AND EXTERNAL FRAMEWORKS

22 FRAMEWORK INFORMATIVE REFERENCES 22

23 MAPPING OUTSIDE OF THE FRAMEWORK INDUSTRY-SPECIFIC EXTERNAL FRAMEWORKS ID.AM-1: Physical devices and systems with the organization are inventoried 07.a Inventory of Assets ID.AM-2: Software platforms and applications within the organization are inventoried 07.a Inventory of Assets Asset Management (ID.AM) ID.AM-3: Organizational communication and data flows are mapped ID.AM-4: External information systems are catalogued ID.AM-5: Resources (e.g., hardware, devices, data, and software) are prioritized based on their classification, criticality, and business value ID.AM-6: Cybersecurity roles and responsibilities for the entire workforce and thirdparty stakeholders (e.g., suppliers, customers, partners) are established 01.m Segregation in Networks 05.i Identification of Risks Related to Third Parties 09.m Network Controls 09.n Security of Network Services 01.i Policy on the Use of Network Services 09.e Service Delivery 09.n Security of Network Services 07.a Inventory of Assets 07.b Ownership of Assets 07.d Classification Guidelines 12.a Including Information Security in the Business Continuity Management Process 12.c Developing and Implementing Continuity Plans Including Information Security 12.d Business Continuity Planning Framework 02.a Roles and Responsibilities 02.c Terms and Conditions of Employment 02.d Management Responsibilities 05.k Addressing Security in Third Party Agreements 07.b Ownership of Assets 09.n Security of Network Services 10.k Change Control Procedures 10.m Control of Technical Vulnerabilities 11.d Learning from Information Security Incidents 12.a Including Information Security in the Business Continuity Management Process 12.c Developing and Implementing Continuity Plans Including Information Security 12.d Business Continuity Planning Framework 12.e Testing, Maintaining and Re-assessing Business Continuity Plans FTC Red Fag MARS-E 23

24 SUMMARY THOUGHTS The only path to AVERSION RISK is CULTURAL change must be bottom up, driven by executive support Be risk aware and think risk first Compliancy requirements will be met as a result Seek informative references align with required control frameworks as inhibitors Seek a third-party and agnostic NIST based current state profile evaluation Internally complete the NIST CSF profile exercise build upon the current state with a target state exercise Develop gap remediation roadmap to accelerate towards the state target state seek executive leadership support Formalize the risk tolerance process as a driver towards a risk-averse corporate culture Modernize the risk assessment process, seek metric based data that can inform the risk tolerance process 24

25 CYBER PROFESSIONAL Art Ehuan Managing Director Global Cyber Risk Services 600 Madison Avenue, 8th Floor New York, NY Direct: Art Ehuan has extensive, high-profile industry and law enforcement experience in the field of information security. Mr. Ehuan has a specialization in the financial, insurance and health sectors to include strategy for enterprise data protection, incident response, digital investigations for corporate and government agencies. Mr. Ehuan also serves as a senior lecturer on cyber crime/terrorism for the U.S. State Department, Diplomatic Security Service, Anti-Terrorism Assistance Program. In this capacity he has lectured on cyber threat to nation-state critical infrastructure to include Advanced Persistent Threat (ATP), Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) protection. Prior to his position as Managing Director at A&M, Art was a Director at Forward Discovery, a cyber forensics consulting and training firm. Mr. Ehuan served as Assistant VP and Director of the Corporate Information Security Department for USAA, a Fortune 200 financial services company. In this role, he was responsible for worldwide enterprise and strategic guidance on the protection of USAA information and established their digital forensic capability and Advanced Data Security and Incident reporting programs. Among Mr. Ehuan s high-profile corporate positions was Deputy Chief Information Security Officer for the Northrop Grumman Corporation. He was responsible for protecting data from internal and external cyber threats, developing and managing security operations and implementing a corporate digital investigative unit. Mr. Ehuan was also a Federal Information Security Team Manager for BearingPoint (formerly KPMG Consulting), where he established information security initiatives and solutions for government and corporate organizations, as well as developing BearingPoint s corporate incident response and digital forensic services. In addition, Mr. Ehuan served as the Program Manager for Cisco Systems Information Security, where he was responsible for securing corporate networks, managing risk assessments, protecting source code and developing Cisco s worldwide digital forensic capability. As a law enforcement officer, Mr. Ehuan has worldwide experience working on cases involving computer crimes. His extensive background conducting and managing computer intrusion and forensic investigations with the Federal Bureau of Investigation (FBI) led to his assignment as a Supervisory Special Agent assigned to the Computer Crimes Investigations Program at FBI Headquarters in Washington, D.C. In addition, he served as a Computer Analysis Response Team Certified Examiner, where he developed and conducted training for law enforcement globally. Mr. Ehuan served as a computer crime Special Agent for the Air Force Office of Special Investigations (AFOSI), where he investigated cyber crime against the network systems of the U.S. Department of Defense. Mr. Ehuan has also testified in Federal, State and Military courts in cases involving digital forensics. Mr. Ehuan has received industry credentials including the Certified Information Systems Security Professional (CISSP),. He also maintains the Information Assessment Methodology (IAM) credentials with the National Security Agency (NSA). Mr. Ehuan was previously an Adjunct Professor/Lecturer at George Washington University, Georgetown University and Duke University where he taught courses on cyber crime, incident response, digital investigations and computer forensics. He is a contributing author of Techno-Security s Guide to E-Discovery and Digital Forensics from Elsevier Publishing. 25

26 #AMCYBER Copyright Alvarez & Marsal Holdings, LLC. All rights reserved. ALVAREZ & MARSAL, and A&M are trademarks of Alvarez & Marsal Holdings, LLC.