MANAGING THE EFFECTIVENESS OF A CYBER SECURITY PROGRAM THROUGH A NIST CYBER SECURITY FRAMEWORK EVALUATION
1. MANAGING THE EFFECTIVENESS OF A CYBER SECURITY PROGRAM THROUGH A NIST CYBER SECURITY FRAMEWORK EVALUATION
Presenter: Art Ehuan, Alvarez & Marsal Global Cyber Risk Services LLC

2. AGENDA
- How does an organization know if its cyber security program is effective?
- NIST Cybersecurity Framework overview
- Understanding the Framework
- Applying NIST to a cyber evaluation
- Informative References and external frameworks
3. IS THE EXISTING CYBER SECURITY PROGRAM EFFECTIVE?

4. STATE OF CYBERSECURITY
- Over 169 million personal records were exposed in 2015, stemming from 781 publicized breaches across the financial, business, education, government and healthcare sectors. (ITRC Data Breach Reports, 2015 Year-End Totals, ITRC)
- The average global cost per lost or stolen record containing confidential and sensitive data was $154. The industry with the highest cost per stolen record was healthcare, at $363 per record. (Cost of Data Breach Study: Global Analysis, IBM/Ponemon)
- In 2015, 38 percent more security incidents were detected than in 2014. (The Global State of Information Security Survey 2016, PwC)
- The median number of days that attackers remain dormant within a network before detection is over 200. (Microsoft Advanced Threat Analytics, Microsoft)
- As much as 70 percent of cyber attacks use a combination of phishing and hacking techniques and involve a secondary victim. (Data Breach Investigations Report, Verizon)

5. STATE OF CYBERSECURITY
- An alarming 59% of respondents say that their agency struggles to understand how cyber attackers could potentially breach their systems, and 40% of respondents are unaware of where their key assets are located.
- 65% of respondents disagree that the federal government as a whole can detect ongoing cyber attacks.
- Only 67% of respondents believe their agencies can appropriately respond to a cyber incident.
- Lack of accountability is a consistent theme throughout the industry.
How does management know if the cyber security program is effective?
Statistics attributed to the 2016 State of Cybersecurity report by the International Information System Security Certification Consortium, (ISC)².

6. STATE OF CYBERSECURITY
(Charts: "Significant game-changing technology" and "Top 3 inhibitors to security.")
Illustrations attributed to the 2016 State of Cybersecurity report by the International Information System Security Certification Consortium, (ISC)².
7. CYBERSECURITY FRAMEWORK OVERVIEW

8. NIST CYBERSECURITY FRAMEWORK: WHAT IS IT?
The Framework is a risk-based approach to managing cybersecurity risk, and is composed of three parts: the Framework Core, the Framework Implementation Tiers, and the Framework Profiles. Each Framework component reinforces the connection between business drivers and cybersecurity activities. The Framework uses risk management processes to enable organizations to inform and prioritize decisions regarding cybersecurity. It supports recurring risk assessments and validation of business drivers to help organizations select target states for cybersecurity activities that reflect desired outcomes. Thus, the Framework gives organizations the ability to dynamically select and direct improvement in cybersecurity risk management for IT and ICS environments.
- Voluntary participation
- Nearly 3,000 SMEs participated in its development
- Improves an organization's cyber readiness
- Flexible, repeatable and activity driven
- Technology neutral
- Maps to and leverages existing frameworks
- Creates a common assessment language
- Highlights the current cyber readiness state
- Defines the future cyber readiness state
- Industry agnostic

9. NIST CYBERSECURITY FRAMEWORK: WHAT IS IT?
The NIST CSF is a risk-based framework created through collaboration between the U.S. government and the private sector that frames a standardized set of cybersecurity concepts into best practices to help organizations manage cyber risk. The Framework consists of three parts: the Core, the Implementation Tiers and the Profile. The Framework Core is a set of cybersecurity activities and desired outcomes organized into five Functions: Identify, Protect, Detect, Respond, and Recover. The Implementation Tiers provide context on how an organization views cybersecurity risk and the processes it currently has in place to manage that risk. The Framework Profile represents the alignment of an organization's cybersecurity activities with its business requirements, risk tolerances, and resources. The Framework enables an organization to describe its current and target cybersecurity Profiles, identify and prioritize opportunities for improvement, and evaluate its progress toward the target state.

10. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY (NIST) CYBERSECURITY FRAMEWORK (CSF)
Framework Informative References (external guidance and control mapping):
- Control Objectives for Information and Related Technology (COBIT)
- Council on CyberSecurity (CCS) Top 20 Critical Security Controls
- ANSI/ISA ( )-2009
- ANSI/ISA ( )-2013
- ISO/IEC
- NIST Special Publication Revision 4
Framework Implementation Tiers (subcategory scoring and gap prioritization):
- Tier 1: Partial
- Tier 2: Risk Informed
- Tier 3: Repeatable
- Tier 4: Adaptive
Improving the cybersecurity program (steps to gap remediation and improvement):
- Step 1: Prioritize & Scope
- Step 2: Orient
- Step 3: Create a Current Profile
- Step 4: Conduct a Risk Assessment
- Step 5: Create a Target Profile
- Step 6: Analyze & Prioritize Gaps
- Step 7: Implement the Action Plan
11. UNDERSTANDING THE FRAMEWORK

12. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY (NIST) CYBERSECURITY FRAMEWORK (CSF)
The NIST CSF is not prescriptive. It does not include any control families; the Categories and Subcategories consolidate and describe security concepts as expected outcomes. The Framework also provides a common language, a systematic methodology and a roadmap for managing cyber risk. It does not tell an organization how much cyber risk is tolerable, but provides a roadmap to help develop an understanding of risk and risk tolerance. The Framework is a living document: it is intended to be updated from time to time as stakeholders learn from implementation, and as technology and risks change. NIST held a public information-sharing workshop this year. The Framework helps an organization focus on areas requiring additional attention and ask the kind of hard risk-tolerance and cultural questions that are necessary to manage cyber risk. While practices, technology and standards will change over time, principles and corporate culture should not.

13. THE NIST CSF EVALUATION METHODOLOGY
Identify and engage an executive sponsor:
- Seek and establish an executive champion and the evaluation context
Assess the Current Profile using the Implementation Tiers:
- Provide and collect the CSF questionnaire
- Conduct leadership and SME interviews
- Review previous work, collected documents and policies
- Establish the Current Profile as defined by the Implementation Tiers
Perform a gap analysis to inform the target state:
- Define the Target Profile using the Implementation Tiers
- Determine a Target Profile as defined by the Implementation Tiers
- Draft a prioritized action roadmap and execution program
Continuously monitor, communicate and collaborate:
- Iteratively reassess the Current Profile and Target Profile
- Share information about the Target Profile with the executive sponsor
- Seek guidance on aligning the Target Profile to projects and initiatives
14. FRAMEWORK IMPLEMENTATION TIERS: UNDERSTOOD
The Tiers span a numerical range from one (1) to four (4) and describe an increasing degree of rigor and sophistication in cybersecurity risk management practices. Risk management considerations include many aspects of cybersecurity, including the degree to which privacy and civil liberties considerations are integrated into an organization's management of cybersecurity risk and potential risk responses.
Tier 1, Partial:
- Informal practices
- Risk managed ad hoc
- Limited awareness
- No external collaboration
Tier 2, Risk Informed:
- Practices approved but not established
- Risk practices are informed
- Advanced awareness but no cohesion
- Aware of external information, no formal plan
Tier 3, Repeatable:
- Approved practices documented as policy
- Decisions are risk driven organization-wide
- Awareness of risk and cohesion in action
- Actively consumes external information
Tier 4, Adaptive:
- Practices driven by lessons learned
- Continuous improvement in risk decisioning
- Risk awareness is cultural
- Actively participates in information sharing
The Tier scoring process requires consideration of three conceptual criteria. These criteria inform the understanding of the qualitative nature of the activities and the comprehensiveness of the organization's efforts for the individual Subcategory being assessed. Each of the three criteria carries an increasing burden of evidence for a Tier to be considered achieved. The three criteria used to guide Tier assignments are:
- Risk Management Process
- Integrated Risk Management Program
- External Participation and Information Consideration
An organization scoring Tier 1 on a Subcategory is encouraged to consider moving toward Tier 2 or greater. However, the Tiers themselves do not represent maturity levels. Progression to a higher Tier is encouraged when such a change would reduce cybersecurity risk and align with the organization's stated risk tolerance while remaining cost effective. The Tiers also do not describe the organization's efforts in any individual Framework Subcategory as good versus bad or adequate versus inadequate; rather, they level-set the understanding of the current-state Profile for each Subcategory so as to identify where additional gap closure may be required to align the cybersecurity posture with the stated risk tolerance.

15. FRAMEWORK IMPLEMENTATION TIERS: APPLIED
The Tiers provide a method for framing the 98 CSF Subcategories with easy-to-understand metrics and give context on how the organization:
1) Competently assesses risk data and the extent to which it understands the cybersecurity risks it faces
2) Articulates and communicates its tolerance for the identified risks
3) Expends resources, manages the processes and improves the activities committed to managing its cybersecurity risks
For the purposes of a consultative or regulatory examination, the Tier scores can serve as triggers for increased scrutiny or for intervention and oversight by a regulatory body. In A&M's experience, the following scale is an effective way to define these triggers:
- Tier score of : receives annual monitoring
- Tier score of : receives recurrent monitoring
- Tier score of : requires scrutiny
- Tier score of : receives scrutiny and possible intervention
- Tier score of : requires intervention
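The deck describes Tier scoring per Subcategory and a gap analysis between the Current and Target Profiles, but not how the scores are turned into a prioritized roadmap. The following is an added example, not code from the A&M deck or from NIST: it takes a Current Tier, a Target Tier and a business-criticality weight per Subcategory, computes the gap, ranks open gaps by gap times criticality, and rolls the Current Tiers up to Function level using the lowest Subcategory Tier in each Function. The Subcategory identifiers are CSF 1.0 identifiers; the scores, the 1 to 5 criticality weights, the product-based priority and the minimum roll-up rule are all assumptions made for the example.

```python
"""Prioritized gap list from NIST CSF Implementation Tier scores.

Added example, not from the A&M deck. Tier values are the four CSF Tiers
(1 Partial, 2 Risk Informed, 3 Repeatable, 4 Adaptive). The criticality
weight, the gap x criticality priority and the "lowest Tier wins"
Function roll-up are assumptions chosen for this illustration.
"""
from dataclasses import dataclass

TIER_NAMES = {1: "Partial", 2: "Risk Informed", 3: "Repeatable", 4: "Adaptive"}
FUNCTION_NAMES = {"ID": "Identify", "PR": "Protect", "DE": "Detect",
                  "RS": "Respond", "RC": "Recover"}


@dataclass(frozen=True)
class SubcategoryScore:
    subcategory: str   # CSF identifier, e.g. "ID.AM-1"
    current: int       # Tier assigned in the Current Profile
    target: int        # Tier chosen for the Target Profile
    criticality: int   # 1 (low) .. 5 (high) business criticality; assumed scale


def validate(score: SubcategoryScore) -> None:
    """Reject scores outside the Tier range or the assumed criticality scale."""
    for tier in (score.current, score.target):
        if tier not in TIER_NAMES:
            raise ValueError(f"{score.subcategory}: Tier {tier} is not 1..4")
    if not 1 <= score.criticality <= 5:
        raise ValueError(f"{score.subcategory}: criticality must be 1..5")
    if score.subcategory.split(".")[0] not in FUNCTION_NAMES:
        raise ValueError(f"{score.subcategory}: unknown Function prefix")


def gap(score: SubcategoryScore) -> int:
    """Tiers still to climb; a Current Tier above Target is not a negative gap."""
    return max(0, score.target - score.current)


def priority(score: SubcategoryScore) -> int:
    """Assumed ranking rule: size of the gap weighted by business criticality."""
    return gap(score) * score.criticality


def prioritized_gaps(scores: list[SubcategoryScore]) -> list[SubcategoryScore]:
    """Open gaps only, highest priority first; ties broken by gap size, then ID."""
    for s in scores:
        validate(s)
    open_gaps = [s for s in scores if gap(s) > 0]
    return sorted(open_gaps, key=lambda s: (-priority(s), -gap(s), s.subcategory))


def function_rollup(scores: list[SubcategoryScore]) -> dict[str, int]:
    """Current Tier per Function, taken as the lowest Subcategory Tier (assumed rule)."""
    rollup: dict[str, int] = {}
    for s in scores:
        func = s.subcategory.split(".")[0]
        rollup[func] = min(rollup.get(func, 4), s.current)
    return rollup


# Constructed sample input, not data from any real evaluation.
SAMPLE_SCORES = [
    SubcategoryScore("ID.AM-1", current=2, target=3, criticality=5),
    SubcategoryScore("ID.AM-2", current=1, target=3, criticality=4),
    SubcategoryScore("PR.AC-1", current=3, target=3, criticality=5),
    SubcategoryScore("DE.CM-1", current=1, target=3, criticality=3),
    SubcategoryScore("RS.RP-1", current=2, target=4, criticality=5),
    SubcategoryScore("RC.RP-1", current=3, target=3, criticality=2),
]


def roadmap_lines(scores: list[SubcategoryScore]) -> list[str]:
    """Human-readable roadmap: ranked gaps followed by the Function roll-up."""
    lines = []
    for s in prioritized_gaps(scores):
        lines.append(f"{s.subcategory}: Tier {s.current} ({TIER_NAMES[s.current]}) -> "
                     f"Tier {s.target} ({TIER_NAMES[s.target]}), "
                     f"gap {gap(s)}, criticality {s.criticality}, priority {priority(s)}")
    for func, tier in function_rollup(scores).items():
        lines.append(f"{FUNCTION_NAMES[func]}: current Tier {tier} ({TIER_NAMES[tier]})")
    return lines


if __name__ == "__main__":
    print("\n".join(roadmap_lines(SAMPLE_SCORES)))
```

With the sample scores, RS.RP-1 ranks first (two Tiers to climb on a criticality-5 outcome) ahead of ID.AM-2, even though both have the same gap; PR.AC-1 and RC.RP-1 already meet their Target Tier and are omitted. The roll-up shows why one weak Subcategory matters: a single Tier 1 asset inventory Subcategory keeps the whole Identify Function at Tier 1.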
16. APPLYING NIST TO A CYBER EVALUATION

17. APPLYING NIST TO A CYBER EVALUATION
(Process diagram; the recoverable labels are listed below.)
Initial kickoff
Review of recently developed expert work plan for reuse:
- Assure reusable tools
- Versioning control & licensing
- Sustainability
External framework alignment evaluation:
- Identify policy & framework gaps
- Reliance on the NIST Cyber Security Framework for exam guidance
Business and operational evaluation & analysis:
- Incident response plan evaluation
- Cybersecurity & SecOps program review
- DR/BC program evaluation
- Policies, standards, controls & SOP review
- Program deficiency remediation planning; gap remediation planning
- Outputs: program technical report, GRC technical report
Technical evaluation & analysis:
- Application and database evaluation
- Vulnerability evaluation
- Compromise evaluation
- Penetration testing
- Vulnerability remediation planning; document threats & notify as appropriate; threat remediation planning
- Output: threat profile technical report
Executive summary

18. APPLYING NIST TO AN INDEPENDENT CYBER EVALUATION
Gather necessary planning information:
- Request previous related work product
- Request regulatory-aligned records
- Request CSF-aligned records
- Distribute the regulatory and CSF integrated cybersecurity baseline questionnaire
Review information gathered:
- Review collected previous work product
- Review record-request responses in real time
- Collate and review collected questionnaire responses
- Reconcile all collected responses and generate validation requests
Complete cybersecurity review planning:
- Define external framework or regulatory applicability to the examination (e.g. HITRUST, PCI DSS)
- Develop and execute the validation-response review plan
- Reconcile validation responses for completeness
Conduct cybersecurity fieldwork:
- Conduct initial executive, leadership and subject-matter expert (SME) interview sessions
- Review collected validation information in real time
- Conduct SME validation sessions where privilege or confidentiality requirements constrain access to information
- Reconcile information gathered between CSF Subcategories and external requirements
- Generate prioritized risk findings
- Consider functional or technical testing to further investigate high or critical findings
- Conduct CSF Implementation Tier analysis, deliberation and scoring

19. APPLYING NIST TO AN INDEPENDENT CYBER EVALUATION
1. Gather necessary planning information:
- Generate a record request for previous work product (assessments, audits and regulatory reports)
- Generate record requests for documentation related to cyber-aligned regulatory requirements
- Generate record requests for documentation related to the NIST CSF
- Generate and distribute the baseline cybersecurity risk questionnaire to the appropriate SMEs
2. Review information gathered:
- Review previous work product (assessments, audits and regulatory reports)
- Review record-request response documents in real time
- Collate and review cybersecurity risk questionnaire responses
- Reconcile reviewed information to determine demonstrative validation requirements
3. Complete cybersecurity review planning:
- Identify examination procedures as required by applicable control families
- Enumerate applicable cybersecurity requirements
- Create and maintain a testing plan for demonstrative validation
- Generate real-time record requests for demonstrative validation
- Continually reconcile demonstrative validation responses for completeness
4. Conduct cybersecurity fieldwork:
- Conduct executive discovery sessions
- Conduct SME discovery sessions
- Conduct subject-matter demonstrative validation sessions of privileged information
- Reconcile collected information and validation with the cybersecurity Exhibit C controls and the NIST Functions
- Review demonstrative validation responses in real time
- Generate prioritized risk findings; determine and consider control and/or technical testing
- Conduct NIST Implementation Tier analysis, deliberation and scoring
- Perform maturity model and risk Tier alignment
20. CYBERSECURITY EVALUATOR'S GUIDE TO CONFIDENCE

21. INFORMATIVE REFERENCES AND EXTERNAL FRAMEWORKS

22. FRAMEWORK INFORMATIVE REFERENCES

23. MAPPING OUTSIDE OF THE FRAMEWORK: INDUSTRY-SPECIFIC EXTERNAL FRAMEWORKS
Asset Management (ID.AM) Subcategories mapped to HITRUST CSF controls:
ID.AM-1: Physical devices and systems within the organization are inventoried
- 07.a Inventory of Assets
ID.AM-2: Software platforms and applications within the organization are inventoried
- 07.a Inventory of Assets
ID.AM-3: Organizational communication and data flows are mapped
- 01.m Segregation in Networks
- 05.i Identification of Risks Related to Third Parties
- 09.m Network Controls
- 09.n Security of Network Services
ID.AM-4: External information systems are catalogued
- 01.i Policy on the Use of Network Services
- 09.e Service Delivery
- 09.n Security of Network Services
ID.AM-5: Resources (e.g., hardware, devices, data, and software) are prioritized based on their classification, criticality, and business value
- 07.a Inventory of Assets
- 07.b Ownership of Assets
- 07.d Classification Guidelines
- 12.a Including Information Security in the Business Continuity Management Process
- 12.c Developing and Implementing Continuity Plans Including Information Security
- 12.d Business Continuity Planning Framework
ID.AM-6: Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g., suppliers, customers, partners) are established
- 02.a Roles and Responsibilities
- 02.c Terms and Conditions of Employment
- 02.d Management Responsibilities
- 05.k Addressing Security in Third Party Agreements
- 07.b Ownership of Assets
- 09.n Security of Network Services
- 10.k Change Control Procedures
- 10.m Control of Technical Vulnerabilities
- 11.d Learning from Information Security Incidents
- 12.a Including Information Security in the Business Continuity Management Process
- 12.c Developing and Implementing Continuity Plans Including Information Security
- 12.d Business Continuity Planning Framework
- 12.e Testing, Maintaining and Re-assessing Business Continuity Plans
Other industry-specific external frameworks referenced: FTC Red Flags Rule, MARS-E.

24. SUMMARY THOUGHTS
- The only path to risk aversion is cultural change; it must be bottom up, driven by executive support
- Be risk aware and think risk first; compliance requirements will be met as a result
- Seek Informative References that align with required control frameworks as inhibitors
- Seek a third-party, agnostic NIST-based current-state Profile evaluation
- Internally complete the NIST CSF Profile exercise, and build on the current state with a target-state exercise
- Develop a gap remediation roadmap to accelerate toward the target state, and seek executive leadership support
- Formalize the risk tolerance process as a driver toward a risk-averse corporate culture
- Modernize the risk assessment process, seeking metric-based data that can inform the risk tolerance process
25. CYBER PROFESSIONAL
Art Ehuan, Managing Director, Global Cyber Risk Services
600 Madison Avenue, 8th Floor, New York, NY
Direct:
Art Ehuan has extensive, high-profile industry and law enforcement experience in the field of information security. Mr. Ehuan specializes in the financial, insurance and health sectors, including strategy for enterprise data protection, incident response, and digital investigations for corporate and government agencies. Mr. Ehuan also serves as a senior lecturer on cyber crime/terrorism for the U.S. State Department, Diplomatic Security Service, Anti-Terrorism Assistance Program. In this capacity he has lectured on cyber threats to nation-state critical infrastructure, including Advanced Persistent Threat (APT), Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) protection.
Prior to his position as Managing Director at A&M, Art was a Director at Forward Discovery, a cyber forensics consulting and training firm. Mr. Ehuan served as Assistant VP and Director of the Corporate Information Security Department for USAA, a Fortune 200 financial services company. In this role, he was responsible for worldwide enterprise and strategic guidance on the protection of USAA information and established its digital forensic capability and Advanced Data Security and Incident Reporting programs. Among Mr. Ehuan's high-profile corporate positions was Deputy Chief Information Security Officer for the Northrop Grumman Corporation, where he was responsible for protecting data from internal and external cyber threats, developing and managing security operations and implementing a corporate digital investigative unit. Mr. Ehuan was also a Federal Information Security Team Manager for BearingPoint (formerly KPMG Consulting), where he established information security initiatives and solutions for government and corporate organizations and developed BearingPoint's corporate incident response and digital forensic services. In addition, Mr. Ehuan served as the Program Manager for Cisco Systems Information Security, where he was responsible for securing corporate networks, managing risk assessments, protecting source code and developing Cisco's worldwide digital forensic capability.
As a law enforcement officer, Mr. Ehuan has worldwide experience working on cases involving computer crimes. His extensive background conducting and managing computer intrusion and forensic investigations with the Federal Bureau of Investigation (FBI) led to his assignment as a Supervisory Special Agent in the Computer Crimes Investigations Program at FBI Headquarters in Washington, D.C. He also served as a Computer Analysis Response Team Certified Examiner, where he developed and conducted training for law enforcement globally. Mr. Ehuan served as a computer crime Special Agent for the Air Force Office of Special Investigations (AFOSI), where he investigated cyber crime against the network systems of the U.S. Department of Defense. Mr. Ehuan has also testified in Federal, State and Military courts in cases involving digital forensics.
Mr. Ehuan holds industry credentials including the Certified Information Systems Security Professional (CISSP). He also maintains the Information Assessment Methodology (IAM) credential with the National Security Agency (NSA). Mr. Ehuan was previously an Adjunct Professor/Lecturer at George Washington University, Georgetown University and Duke University, where he taught courses on cyber crime, incident response, digital investigations and computer forensics. He is a contributing author of Techno-Security's Guide to E-Discovery and Digital Forensics from Elsevier Publishing.

26. #AMCYBER
Copyright Alvarez & Marsal Holdings, LLC. All rights reserved. ALVAREZ & MARSAL and A&M are trademarks of Alvarez & Marsal Holdings, LLC.
More informationCybersecurity in Higher Ed
Cybersecurity in Higher Ed 1 Overview Universities are a treasure trove of information. With cyber threats constantly changing, there is a need to be vigilant in protecting information related to students,
More informationNYDFS Cybersecurity Regulations: What do they mean? What is their impact?
June 13, 2017 NYDFS Cybersecurity Regulations: What do they mean? What is their impact? Gus Coldebella Principal, Boston Caroline Simons Principal, Boston Agenda 1) Overview of the new regulations 2) Assessing
More informationUsing Metrics to Gain Management Support for Cyber Security Initiatives
Using Metrics to Gain Management Support for Cyber Security Initiatives Craig Schumacher Chief Information Security Officer Idaho Transportation Dept. January 2016 Why Metrics Based on NIST Framework?
More informationRSA RISK FRAMEWORKS MAKING DIGITAL RISK MANAGEABLE
WHITEPAPER RSA RISK FRAMEWORKS MAKING DIGITAL RISK MANAGEABLE CONTENTS Executive Summary........................................ 3 Transforming How We Think About Security.......................... 4 Assessing
More informationFramework for Improving Critical Infrastructure Cybersecurity
Framework for Improving Critical Infrastructure Cybersecurity May 2017 cyberframework@nist.gov Why Cybersecurity Framework? Cybersecurity Framework Uses Identify mission or business cybersecurity dependencies
More informationTIPS FOR FORGING A BETTER WORKING RELATIONSHIP BETWEEN COUNSEL AND IT TO IMPROVE CYBER-RESPONSE
TIPS FOR FORGING A BETTER WORKING RELATIONSHIP BETWEEN COUNSEL AND IT TO IMPROVE CYBER-RESPONSE Association of Corporate Counsel NYC Chapter 11/1 NYC BDO USA, LLP, a Delaware limited liability partnership,
More informationISO / IEC 27001:2005. A brief introduction. Dimitris Petropoulos Managing Director ENCODE Middle East September 2006
ISO / IEC 27001:2005 A brief introduction Dimitris Petropoulos Managing Director ENCODE Middle East September 2006 Information Information is an asset which, like other important business assets, has value
More informationAdvanced Cyber Risk Management Threat Modeling & Cyber Wargaming April 23, 2018
Advanced Cyber Risk Management Threat Modeling & Cyber Wargaming April 23, 2018 The Homeland Security Systems Engineering and Development Institute (HSSEDI ) is a trademark of the U.S. Department of Homeland
More informationFFIEC Cyber Security Assessment Tool. Overview and Key Considerations
FFIEC Cyber Security Assessment Tool Overview and Key Considerations Overview of FFIEC Cybersecurity Assessment Tool Agenda Overview of assessment tool Review inherent risk profile categories Review domain
More informationBest Practices & Lesson Learned from 100+ ITGRC Implementations
Best Practices & Lesson Learned from 100+ ITGRC Implementations Presenter: Vivek Shivananda CEO of Rsam Dec 3, 2010 ISACA -NY Chapter Copyright 2002 2010 Relational Security Corp. (dba Rsam) Agenda Overview
More informationCYBERSECURITY MATURITY ASSESSMENT
CYBERSECURITY MATURITY ASSESSMENT ANTICIPATE. IMPROVE. PREPARE. The CrowdStrike Cybersecurity Maturity Assessment (CSMA) is unique in the security assessment arena. Rather than focusing solely on compliance
More information2018 WTA Spring Meeting Are You Ready for a Breach? Troy Hawes, Senior Manager
2018 WTA Spring Meeting Are You Ready for a Breach? Troy Hawes, Senior Manager NIST Cybersecurity Framework (CSF) Executive Order 13636 Improving Critical Infrastructure Cybersecurity tasked the National
More informationINTELLIGENCE DRIVEN GRC FOR SECURITY
INTELLIGENCE DRIVEN GRC FOR SECURITY OVERVIEW Organizations today strive to keep their business and technology infrastructure organized, controllable, and understandable, not only to have the ability to
More informationDepartment of Management Services REQUEST FOR INFORMATION
RESPONSE TO Department of Management Services REQUEST FOR INFORMATION Cyber-Security Assessment, Remediation, and Identity Protection, Monitoring, and Restoration Services September 3, 2015 250 South President
More informationIntegrating Cyber Security with Business Continuity Management to Build the Resilient Enterprise
February 11 14, 2018 Gaylord Opryland Resort and Convention Center, Nashville #DRI2018 Integrating Cyber Security with Business Continuity Management to Build the Resilient Enterprise Tejas Katwala CEO
More informationCybersecurity and Hospitals: A Board Perspective
Cybersecurity and Hospitals: A Board Perspective Cybersecurity is an important issue for both the public and private sector. At a time when so many of our activities depend on information systems and technology,
More informationCybersecurity and the Board of Directors
Cybersecurity and the Board of Directors Key Findings from BITS/FSR Meetings OVERVIEW Board directors are increasingly required to engage in cybersecurity risk management yet some may need better education
More information2018 GLOBAL CHANNEL PARTNER SURVEY THYCOTIC CHANNEL PARTNER SURVEY REPORT
2018 GLOBAL CHANNEL PARTNER SURVEY THYCOTIC CHANNEL PARTNER SURVEY REPORT THYCOTIC 2018 GLOBAL CHANNEL PARTNER SURVEY Channel Partner survey highlights client cybersecurity concerns and opportunities for
More informationSecurity Metrics Establishing unambiguous and logically defensible security metrics. Steven Piliero CSO The Center for Internet Security
Security Metrics Establishing unambiguous and logically defensible security metrics Steven Piliero CSO The Center for Internet Security The Center for Internet Security (CIS) Formed - October 2000 As a
More informationHITRUST CSF Roadmap for 2018 and Beyond HITRUST Alliance.
HITRUST CSF Roadmap for 2018 and Beyond HITRUST CSF Roadmap 2017 HITRUST CSF v9 Update 21 CFR Part 11 (FDA electronic signatures) Add FFIEC IT Examination (InfoSec), FedRAMP, DHS Critical Resilience Review
More informationIMPLEMENTING A RISK-BASE CYBER SECURITY FRAMEWORK FOR HEALTHCARE
FOR HEALTHCARE The NIST CSF quick guide to clarity, readiness, buy-in and risk management for healthcare security leaders Sponsored by: Written by: Jeff Orr Cyber Security Begins With Understanding An
More informationlocuz.com SOC Services
locuz.com SOC Services 1 Locuz IT Security Lifecycle services combine people, processes and technologies to provide secure access to business applications, over any network and from any device. Our security
More informationPresented by Ingrid Fredeen and Pamela Passman. Copyright 2017NAVEXGlobal,Inc. AllRightsReserved. Page 0
Cyber Security and Inside Threats: Turning Policies into Practices Presented by Ingrid Fredeen and Pamela Passman Copyright 2017NAVEXGlobal,Inc. AllRightsReserved. Page 0 Presented By Ingrid Fredeen, J.D.
More informationCyber Risk Program Maturity Assessment UNDERSTAND AND MANAGE YOUR ORGANIZATION S CYBER RISK.
Cyber Risk Program Maturity Assessment UNDERSTAND AND MANAGE YOUR ORGANIZATION S CYBER RISK. In today s escalating cyber risk environment, you need to make sure you re focused on the right priorities by
More informationEU GDPR & NEW YORK CYBERSECURITY REQUIREMENTS 3 KEYS TO SUCCESS
EU GDPR & NEW YORK CYBERSECURITY REQUIREMENTS 3 KEYS TO SUCCESS MEET THE EXPERTS DAVID O LEARY Director, Forsythe Security Solutions THOMAS ECK Director, Forsythe Security Solutions ALEX HANWAY Product
More informationAchieving Cyber-Readiness through Information Sharing Analysis Organizations (ISAOs)
Achieving Cyber-Readiness through Information Sharing Analysis Organizations (ISAOs) Florida Hospital Association Welcome! John Wilgis Director, Emergency Management Services Florida Hospital Association
More informationSage Data Security Services Directory
Sage Data Security Services Directory PROTECTING INFORMATION ASSETS ENSURING REGULATORY COMPLIANCE FIGHTING CYBERCRIME Discover the Sage Difference Protecting your business from cyber attacks is a full-time
More informationLes joies et les peines de la transformation numérique
Les joies et les peines de la transformation numérique Georges Ataya CISA, CGEIT, CISA, CISSP, MSCS, PBA Professor, Solvay Brussels School of Economics and Management Academic Director, IT Management Education
More informationTurning Risk into Advantage
Turning Risk into Advantage How Enterprise Wide Risk Management is helping customers succeed in turbulent times and increase their competitiveness Glenn Tjon Partner KPMG Advisory Presentation Overview
More informationEU General Data Protection Regulation (GDPR) Achieving compliance
EU General Data Protection Regulation (GDPR) Achieving compliance GDPR enhancing data protection and privacy The new EU General Data Protection Regulation (GDPR) will apply across all EU member states,
More informationHealthcare Security Success Story
Regional Forum on Cybersecurity in the Era of Emerging Technologies & the Second Meeting of the Successful Administrative Practices -2017 Cairo, Egypt 28-29 November 2017 Healthcare Security Success Story
More informationChanging the Game: An HPR Approach to Cyber CRM007
Speakers: Changing the Game: An HPR Approach to Cyber CRM007 Michal Gnatek, Senior Vice President, Marsh & McLennan Karen Miller, Sr. Treasury & Risk Manager, FireEye, Inc. Learning Objectives At the end
More informationDATA SHEET RISK & CYBERSECURITY PRACTICE EMPOWERING CUSTOMERS TO TAKE COMMAND OF THEIR EVOLVING RISK & CYBERSECURITY POSTURE
DATA SHEET RISK & CYBERSECURITY PRACTICE EMPOWERING CUSTOMERS TO TAKE COMMAND OF THEIR EVOLVING RISK & CYBERSECURITY POSTURE EXECUTIVE SUMMARY ALIGNING CYBERSECURITY WITH RISK The agility and cost efficiencies
More informationGreg Garcia President, Garcia Cyber Partners Former Assistant Secretary for Cyber Security and Communications, U.S. Department of Homeland Security
1 Greg Garcia President, Garcia Cyber Partners Former Assistant Secretary for Cyber Security and Communications, U.S. Department of Homeland Security 2 Government Services 3 Business Education Social CYBERSPACE
More information4/5/2017. April 5, 2017 CYBER-RISK: WHAT MANAGEMENT & BOARDS NEED TO KNOW
April 5, 2017 CYBER-RISK: WHAT MANAGEMENT & BOARDS NEED TO KNOW 1 TO RECEIVE CPE CREDIT Participate in entire webinar Answer polls when they are provided If you are viewing this webinar in a group Complete
More informationImproving Critical Infrastructure Cybersecurity Executive Order Preliminary Cybersecurity Framework
1 Improving Critical Infrastructure Cybersecurity Executive Order 13636 Preliminary Cybersecurity Framework 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35
More informationISAO SO Product Outline
Draft Document Request For Comment ISAO SO 2016 v0.2 ISAO Standards Organization Dr. Greg White, Executive Director Rick Lipsey, Deputy Director May 2, 2016 Copyright 2016, ISAO SO (Information Sharing
More informationIT SECURITY OFFICER. Department: Information Technology. Pay Range: Professional 18
Pierce County Classification Description IT SECURITY OFFICER Department: Information Technology Job Class #: 634900 Pay Range: Professional 18 FLSA: Exempt Represented: No Classification descriptions are
More informationAvanade s Approach to Client Data Protection
White Paper Avanade s Approach to Client Data Protection White Paper The Threat Landscape Businesses today face many risks and emerging threats to their IT systems and data. To achieve sustainable success
More informationAssurance over Cybersecurity using COBIT 5
Assurance over Cybersecurity using COBIT 5 Special thanks to ISACA for supplying material for this presentation. Anthony Noble, VP IT Audit, Viacom Inc. Anthony.noble@viacom.com Disclamer The opinions
More informationICBA Summary of FFIEC Cybersecurity Assessment Tool (May 2017 Update)
ICBA Summary of FFIEC Cybersecurity Assessment Tool (May 2017 Update) June 2017 INSERT YEAR HERE Contact Information: Jeremy Dalpiaz AVP, Cyber and Data Security Policy Jeremy.Dalpiaz@icba.org ICBA Summary
More informationCybersecurity: Incident Response Short
Cybersecurity: Incident Response Short August 2017 Center for Development of Security Excellence Contents Lesson 1: Incident Response 1-1 Introduction 1-1 Incident Definition 1-1 Incident Response Capability
More informationState of South Carolina Interim Security Assessment
State of South Carolina Interim Security Assessment Deloitte & Touche LLP Date: October 28, 2013 Our services were performed in accordance with the Statement on Standards for Consulting Services that is
More informationTechnology Risk Management in Banking Industry. Rocky Cheng General Manager, Information Technology, Bank of China (Hong Kong) Limited
Technology Risk Management in Banking Industry Rocky Cheng General Manager, Information Technology, Bank of China (Hong Kong) Limited Change in Threat Landscape 2 Problem & Threats faced by Banking Industry
More informationEC-Council Certified Incident Handler v2. Prepare to Handle and Respond to Security Incidents EC-COUNCIL CERTIFIED INCIDENT HANDLER 1
EC-Council Certified Incident Handler v2 Prepare to Handle and Respond to Security Incidents EC-COUNCIL CERTIFIED INCIDENT HANDLER 1 THE CRITICAL NATURE OF INCIDENT HANDLING READINESS An organized and
More informationEnhancing the Cybersecurity of Federal Information and Assets through CSIP
TECH BRIEF How BeyondTrust Helps Government Agencies Address Privileged Access Management to Improve Security Contents Introduction... 2 Achieving CSIP Objectives... 2 Steps to improve protection... 3
More informationISACA Arizona May 2016 Chapter Meeting
ISACA Arizona May 2016 Chapter Meeting Suzanne Farr / Carlos A. Villalba Agenda Introduction Preliminary questions CCM Preliminaries Definition Benefits Challenges Beyond Templates Questions 1 Background
More informationCYBER RESILIENCE & INCIDENT RESPONSE
CYBER RESILIENCE & INCIDENT RESPONSE www.nccgroup.trust Introduction The threat landscape has changed dramatically over the last decade. Once the biggest threats came from opportunist attacks and preventable
More informationFramework for Improving Critical Infrastructure Cybersecurity
1 Framework for Improving Critical Infrastructure Cybersecurity Standards Certification Education & Training Publishing Conferences & Exhibits Dean Bickerton ISA New Orleans April 5, 2016 A Brief Commercial
More informationAutomating the Top 20 CIS Critical Security Controls
20 Automating the Top 20 CIS Critical Security Controls SUMMARY It s not easy being today s CISO or CIO. With the advent of cloud computing, Shadow IT, and mobility, the risk surface area for enterprises
More informationEffective Practices for Insider Threats and Third-Party Risk Management Thursday, February 22 10:00 a.m. 11:00 a.m.
Effective Practices for Insider Threats and Third-Party Risk Management Thursday, February 22 10:00 a.m. 11:00 a.m. Financial institutions are subject to threats on multiple fronts. Two threats of significant
More information"Charting the Course... Certified Information Systems Auditor (CISA) Course Summary
Course Summary Description In this course, you will perform evaluations of organizational policies, procedures, and processes to ensure that an organization's information systems align with overall business
More informationMapping Your Requirements to the NIST Cybersecurity Framework. Industry Perspective
Mapping Your Requirements to the NIST Cybersecurity Framework Industry Perspective 1 Quest has the solutions and services to help your organization identify, protect, detect, respond and recover, better
More informationContinuous protection to reduce risk and maintain production availability
Industry Services Continuous protection to reduce risk and maintain production availability Managed Security Service Answers for industry. Managing your industrial cyber security risk requires world-leading
More informationCybersecurity Overview
Cybersecurity Overview DLA Energy Worldwide Energy Conference April 12, 2017 1 Enterprise Risk Management Risk Based: o Use of a risk-based approach for cyber threats with a focus on critical systems where
More information