Framework for Improving Critical Infrastructure Cybersecurity
|
|
- Wilfred Griffin
- 6 years ago
- Views:
Transcription
1 1 Framework for Improving Critical Infrastructure Cybersecurity Standards Certification Education & Training Publishing Conferences & Exhibits Dean Bickerton ISA New Orleans April 5, 2016
2 A Brief Commercial Interruption Industrial Control System Cybersecurity Seminar Wednesday, April 27, :00 AM to 4:30 PM MS Benbow and Associates $325 Members / $450 Non-Members 8 PDHs Until recently, the reasons for securing Supervisory Control and Data Acquisition (SCADA) or Industrial Control Systems (ICS) weren t always that compelling to the end user. But cyber-attacks on are on the rise with the increased convergence of plant operations with IT infrastructure. The risks are certainly greater with critical infrastructure facilities such as Power, Oil & Gas, or Water/Wastewater plants. But smaller less critical processes are also exposed to cyber-attacks which can pose significant risks to human health and safety, the environment, and business operations. 2
3 Origin of the Framework EO Recognizing that the national and economic security of the United States depends on the reliable functioning of critical infrastructure, the President issued Executive Order (EO) 13636, Improving Critical Infrastructure Cybersecurity, on February 12, The Order directed the National Institute of Standards and Technology (NIST) to work with stakeholders to develop a voluntary framework based on existing standards, guidelines, and practices - for reducing cyber risks to critical infrastructure. It is the policy of the United States to enhance the security and resilience of the Nation s critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties. 3
4 Background on the Framework Created through collaboration between industry, academia, and government, the Framework consists of standards, guidelines, and practices to promote the protection of critical infrastructure. The prioritized, flexible, repeatable, and cost-effective approach of the Framework helps owners and operators of critical infrastructure to manage cybersecurity-related risk. Version 1.0 of the Framework for Improving Critical Infrastructure was issued by on February 12, 2014 NIST continues to facilitate the awareness, use, and growth of the Framework across the country and around the world. 4
5 Framework Components Framework Core - a set of cybersecurity activities, desired outcomes, and applicable references that are common across critical infrastructure sectors. Framework Profiles - represents the cybersecurity outcomes based on business needs that an organization has selected from the Framework Core Categories and Subcategories. Framework Implementation Tiers - provide context on how an organization views cybersecurity risk and the processes in place to manage that risk. 5
6 What is the Framework Core? The Framework Core is a set of cybersecurity activities, desired outcomes, and applicable references that are common across critical infrastructure sectors. Example language of a desired outcome - physical devices and systems within the organization are inventoried. Language is intended to allow communication across the organization from executive level to operations and implementation levels. Consists of five concurrent and continuous functions with subcategories for each function and informative references Identify, Protect, Detect, Respond, Recover 6
7 Framework Core Structure 7
8 Framework Core Functions, Categories, and Subcategories 8
9 Framework Core - Identify Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities. The activities in the Identify Function are foundational for effective use of the Framework. Understanding the business context, the resources that support critical functions, and the related cybersecurity risks enables an organization to focus and prioritize its efforts, consistent with its risk management strategy and business needs. Examples of outcome Categories within this Function include: Asset Management; Business Environment; Governance; Risk Assessment; and Risk Management Strategy 9
10 Example - Identify Risk Assessment (ID.RA): The organization understands the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals. ID.RA-1: Asset vulnerabilities are identified and documented ID.RA-2: Threat and vulnerability information is received from information sharing forums and sources ID.RA-3: Threats, both internal and external, are identified and documented ID.RA-4: Potential business impacts and likelihoods are identified ID.RA-5: Threats, vulnerabilities, likelihoods, and impacts are used to determine risk ID.RA-6: Risk responses are identified and prioritized CCS CSC 4 COBIT 5 APO12.01, APO12.02, APO12.03, APO12.04 ISA : , , , ISO/IEC 27001:2013 A , A NIST SP Rev. 4 CA-2, CA-7, CA-8, RA-3, RA-5, SA-5, SA-11, SI-2, SI-4, SI-5 ISA : , , ISO/IEC 27001:2013 A NIST SP Rev. 4 PM-15, PM-16, SI-5 COBIT 5 APO12.01, APO12.02, APO12.03, APO12.04 ISA : , , NIST SP Rev. 4 RA-3, SI-5, PM-12, PM-16 COBIT 5 DSS04.02 ISA : , , NIST SP Rev. 4 RA-2, RA-3, PM-9, PM-11, SA-14 COBIT 5 APO12.02 ISO/IEC 27001:2013 A NIST SP Rev. 4 RA-2, RA-3, PM-16 COBIT 5 APO12.05, APO13.02 NIST SP Rev. 4 PM-4, PM-9 10
11 Another Commercial Interruption Since 1949 Over 150 standards Over 140 committees Over 4,000 committee members Including: Symbols Instruments Controls Safety and alarm systems Batch recipes Integration Cybersecurity 11
12 Framework Core - Protect Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services. The Protect Function supports the ability to limit or contain the impact of a potential cybersecurity event. Examples of outcome Categories within this Function include: Access Control; Awareness and Training; Data Security; Information Protection Processes and Procedures; Maintenance; and Protective Technology. 12
13 Example - Protect PR.AC-1: Identities and credentials are managed for authorized devices and users CCS CSC 16 COBIT 5 DSS05.04, DSS06.03 ISA : ISA :2013 SR 1.1, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9 Access Control (PR.AC): Access to assets and associated facilities is limited to authorized users, processes, or devices, and to authorized activities and transactions. PR.AC-2: Physical access to assets is managed and protected PR.AC-3: Remote access is managed PR.AC-4: Access permissions are managed, incorporating the principles of least privilege and separation of duties PR.AC-5: Network integrity is protected, incorporating network segregation where appropriate ISO/IEC 27001:2013 A.9.2.1, A.9.2.2, A.9.2.4, A.9.3.1, A.9.4.2, A NIST SP Rev. 4 AC-2, IA Family COBIT 5 DSS01.04, DSS05.05 ISA : , ISO/IEC 27001:2013 A , A , A , A , A NIST SP Rev. 4 PE-2, PE-3, PE-4, PE-5, PE-6, PE-9 COBIT 5 APO13.01, DSS01.04, DSS05.03 ISA : ISA :2013 SR 1.13, SR 2.6 ISO/IEC 27001:2013 A.6.2.2, A , A NIST SP Rev. 4 AC 17, AC-19, AC-20 CCS CSC 12, 15 ISA : ISA :2013 SR 2.1 ISO/IEC 27001:2013 A.6.1.2, A.9.1.2, A.9.2.3, A.9.4.1, A NIST SP Rev. 4 AC-2, AC-3, AC-5, AC-6, AC-16 ISA : ISA :2013 SR 3.1, SR 3.8 ISO/IEC 27001:2013 A , A , A NIST SP Rev. 4 AC-4, SC-7 13
14 Framework Core - Detect Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event. The Detect Function enables timely discovery of cybersecurity events. Examples of outcome Categories within this Function include: Anomalies and Events; Security Continuous Monitoring; and Detection Processes. 14
15 Example - Detect nomalies and Events (DE.AE): Anomalous activity is detected in a timely manner and the potential impact of events is understood. DE.AE-1: A baseline of network operations and expected data flows for users and systems is established and managed DE.AE-2: Detected events are analyzed to understand attack targets and methods DE.AE-3: Event data are aggregated and correlated from multiple sources and sensors DE.AE-4: Impact of events is determined DE.AE-5: Incident alert thresholds are established COBIT 5 DSS03.01 ISA : NIST SP Rev. 4 AC-4, CA-3, CM-2, SI-4 ISA : , , ISA :2013 SR 2.8, SR 2.9, SR 2.10, SR 2.11, SR 2.12, SR 3.9, SR 6.1, SR 6.2 ISO/IEC 27001:2013 A , A NIST SP Rev. 4 AU-6, CA-7, IR-4, SI-4 ISA :2013 SR 6.1 NIST SP Rev. 4 AU-6, CA-7, IR-4, IR-5, IR-8, SI-4 COBIT 5 APO12.06 NIST SP Rev. 4 CP-2, IR-4, RA-3, SI -4 COBIT 5 APO12.06 ISA : NIST SP Rev. 4 IR-4, IR-5, IR-8 15
16 Framework Core - Respond Develop and implement the appropriate activities to take action regarding a detected cybersecurity event. The Respond Function supports the ability to contain the impact of a potential cybersecurity event. Examples of outcome Categories within this Function include: Response Planning; Communications; Analysis; Mitigation; and Improvements. 16
17 Example - Respond Communications (RS.CO): Response activities are coordinated with internal and external stakeholders, as appropriate, to include external support from law enforcement agencies. RS.CO-1: Personnel know their roles and order of operations when a response is needed RS.CO-2: Events are reported consistent with established criteria RS.CO-3: Information is shared consistent with response plans RS.CO-4: Coordination with stakeholders occurs consistent with response plans RS.CO-5: Voluntary information sharing occurs with external stakeholders to achieve broader cybersecurity situational awareness ISA : , , ISO/IEC 27001:2013 A.6.1.1, A NIST SP Rev. 4 CP-2, CP-3, IR-3, IR-8 ISA : ISO/IEC 27001:2013 A.6.1.3, A NIST SP Rev. 4 AU-6, IR-6, IR-8 ISA : ISO/IEC 27001:2013 A NIST SP Rev. 4 CA-2, CA-7, CP-2, IR-4, IR-8, PE-6, RA-5, SI-4 ISA : NIST SP Rev. 4 CP-2, IR-4, IR-8 NIST SP Rev. 4 PM-15, SI-5 17
18 Framework Core - Recover Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event. The Recover Function supports timely recovery to normal operations to reduce the impact from a cybersecurity event. Examples of outcome Categories within this Function include: Recovery Planning; Improvements; and Communications. 18
19 Example - Recover Improvements (RC.IM): Recovery planning and processes are improved by incorporating lessons learned into future activities. RC.IM-1: Recovery plans incorporate lessons learned RC.IM-2: Recovery strategies are updated COBIT 5 BAI05.07 ISA NIST SP Rev. 4 CP-2, IR-4, IR-8 COBIT 5 BAI07.08 NIST SP Rev. 4 CP-2, IR-4, IR-8 19
20 Framework Profiles - Definition A Framework Profile ( Profile ) represents the cybersecurity outcomes based on business needs that an organization has selected from the Framework Categories and Subcategories. The Profile can be characterized as the alignment of standards, guidelines, and practices to the Framework Core in a particular implementation scenario. Profiles can be used to identify opportunities for improving cybersecurity posture by comparing a Current Profile (the as is state) with a Target Profile (the to be state). 20
21 Framework Profiles - Development To develop a Profile, an organization can review all of the Categories and Subcategories and, based on business drivers and a risk assessment, determine which are most important. They can also add Categories and Subcategories as needed to address the organization s risks. 21
22 Framework Profiles - Use The Current Profile can then be used to support prioritization and measurement of progress toward the Target Profile, while factoring in other business needs including cost-effectiveness and innovation. Profiles can be used to conduct self-assessments and communicate within an organization or between organizations. 22
23 Implementation Tiers - Definition Framework Implementation Tiers ( Tiers ) provide context on how an organization views cybersecurity risk and the processes in place to manage that risk. Tiers describe the degree to which an organization s cybersecurity risk management practices exhibit the characteristics defined in the Framework (e.g., risk and threat aware, repeatable, and adaptive). The Tiers characterize an organization s practices over a range, from Partial (Tier 1) to Adaptive (Tier 4). These Tiers reflect a progression from informal, reactive responses to approaches that are agile and riskinformed. 23
24 Implementation Tiers - Selection During the Tier selection process, an organization should consider its current risk management practices, threat environment, legal and regulatory requirements, business/mission objectives, and organizational constraints. The Framework Implementation Tiers are not intended to be maturity levels. 24
25 Implementation Tiers - Use The Tiers are intended to provide guidance to organizations on the interactions and coordination between cybersecurity risk management and operational risk management. The key tenet of the Tiers is to allow organizations to take stock of their current activities from an organization wide point of view and determine if the current integration of cybersecurity risk management practices is sufficient given their mission, regulatory requirements, and risk appetite. Progression to higher Tiers is encouraged when such a change would reduce cybersecurity risk and would be cost-effective. 25
26 Tools The Framework Core and Informative Requirements are available as separate downloads in three formats: spreadsheet (Excel) alternate view (PDF) database (FileMaker Pro). A companion Roadmap discusses future steps and identifies key areas of cybersecurity development, alignment, and collaboration. The Department of Homeland Security's Critical Infrastructure Cyber Community C³ Voluntary Program helps critical infrastructure owners and operators align with existing resources to assist them in using the Cybersecurity Framework and managing their cyber risks. 26
27 Informative References Control Objectives for Information and Related Technology (COBIT): Council on CyberSecurity (CCS) Top 20 Critical Security Controls (CSC): ANSI/ISA ( )-2009, Security for Industrial Automation and Control Systems: Establishing an Industrial Automation and Control Systems Security Program: oductid=10243 ANSI/ISA ( )-2013, Security for Industrial Automation and Control Systems: System Security Requirements and Security Levels: oductid=13420 ISO/IEC 27001, Information technology -- Security techniques -- Information security management systems -- Requirements: NIST SP Rev. 4: NIST Special Publication Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations, April 2013 (including updates as of January 15, 2014). 27
28 Roadmap Moving Forward On December 11, 2015, NIST issued its third request for information (RFI), Views on the Framework for Improving Critical Infrastructure Cybersecurity, to receive feedback. That RFI response period has closed, and NIST recently published an initial, high-level evaluation of the RFI responses.the RFI analysis will serve as a starting point for discussions at Cybersecurity Framework Workshop
29 The Final Commercial Interruption Seminar Agenda 27 April :00 8:15 Welcome and Introductions 8:15 9:00 NIST Cybersecurity Framework Overview 9:00 10:30 Indentify: Identifying the Threats to the ICS 10:30 12:00 Protect: How to Protect and Defend Against Cyber Threats 1:00 2:30 Detect: Detection of Undesired Activities in Real-time 2:30 4:00 Response & Recovery: Response Planning and Recovery from an ICS Attack 4:00 4:30 Wrap-up, Panelist Q&A 29
30 Our Speakers IDENTIFY Identifying the Threats to the ICS by David Bacque Senior Manager Accenture Asset and Operations Services (AAOS), North America David Bacque is a Senior Manager with Accenture s Asset and Operations Services division. He formerly held positions of increasing responsibility with Cimation as Industrial IT Consultant, Supervisor, Program Manager, and Director of Operations. Dave received his BS in Information Systems and Decision Sciences Management Information Systems from Louisiana State University in Prior to his involvement with Cimation, Dave was involved in IT and Systems Administration at Albert Garaudy and Associates, TOTAL Petrochemicals, and Audubon Engineering. PROTECT How to Protect and Defend Against Cyber Threats by Mitch Williams IT Operations Supervisor Chevron Oronite Company Mitch Williams currently works in Belle Chasse, LA for Chevron Oronite Company. He is the IT Operations Supervisor and is responsible for the security and information protection governance for the entire IT system. He also supports global efforts to increase protection from cyber-attacks. Prior to joining Chevron, Mitch was appointed as the Network Security Officer (NSO) for the Coast Guard Finance Center. He and his team of IT Professionals have successfully passed several IT audits with the government and while working for Chevron. Mitch earned a bachelor s degree in Internetworking Technology from Strayer University and a master s degree in Organizational Leadership from Ashford University. His experience in cyber security extends into network traffic analyzing, intrusion protection, next generation firewall as well as monitoring and alerting on suspicious behavior. DETECT Detection of Undesired Activities in Real-time by Robert Albach Senior Product Line Manager IoT Security Cisco Systems Robert Albach joined Cisco in As a product manager, he has defined and delivered three network security solutions. His most recent solution is Cisco s first Industrial Security Appliance. Prior to his Cisco tenure, he guided the IPS Management solutions and low end IPS solutions for Intrusion Prevention pioneer TippingPoint. Outside of network security, Robert has lead product management efforts in the application management space at IBM/Tivoli; BMC; and Quest Software. 30
31 Thank you! 31
Improving Critical Infrastructure Cybersecurity Executive Order Preliminary Cybersecurity Framework
1 Improving Critical Infrastructure Cybersecurity Executive Order 13636 Preliminary Cybersecurity Framework 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35
More informationFunction Category Subcategory Implemented? Responsible Metric Value Assesed Audit Comments
Function Category Subcategory Implemented? Responsible Metric Value Assesed Audit Comments 1 ID.AM-1: Physical devices and systems within the organization are inventoried Asset Management (ID.AM): The
More informationUsing Metrics to Gain Management Support for Cyber Security Initiatives
Using Metrics to Gain Management Support for Cyber Security Initiatives Craig Schumacher Chief Information Security Officer Idaho Transportation Dept. January 2016 Why Metrics Based on NIST Framework?
More informationFramework for Improving Critical Infrastructure Cybersecurity
Framework for Improving Critical Infrastructure Cybersecurity Version 1.0 National Institute of Standards and Technology February 12, 2014 Table of Contents Executive Summary...1 1.0 Framework Introduction...3
More informationFramework for Improving Critical Infrastructure Cybersecurity
Framework for Improving Critical Infrastructure Cybersecurity November 2017 cyberframework@nist.gov Supporting Risk Management with Framework 2 Core: A Common Language Foundational for Integrated Teams
More informationThe NIST Cybersecurity Framework
The NIST Cybersecurity Framework U.S. German Standards Panel 2018 April 10, 2018 Adam.Sedgewick@nist.gov National Institute of Standards and Technology About NIST Agency of U.S. Department of Commerce
More informationNCSF Foundation Certification
NCSF Foundation Certification Overview This ACQUIROS accredited training program is targeted at IT and Cybersecurity professionals looking to become certified on how to operationalize the NIST Cybersecurity
More informationSecuring an IT. Governance, Risk. Management, and Audit
Securing an IT Organization through Governance, Risk Management, and Audit Ken Sigler Dr. James L. Rainey, III CRC Press Taylor & Francis Group Boca Raton London New York CRC Press Is an imprint cf the
More informationFramework for Improving Critical Infrastructure Cybersecurity
Framework for Improving Critical Infrastructure Cybersecurity May 2017 cyberframework@nist.gov Why Cybersecurity Framework? Cybersecurity Framework Uses Identify mission or business cybersecurity dependencies
More informationNIST (NCF) & GDPR to Microsoft Technologies MAP
NIST (NCF) & GDPR to Microsoft Technologies MAP Digital Transformation Realized.TM IDENTIFY (ID) Asset Management (ID.AM) The data, personnel, devices, systems, and facilities that enable the organization
More informationNCSF Foundation Certification
NCSF Foundation Certification Overview This ACQUIROS accredited training program is targeted at IT and Cybersecurity professionals looking to become certified on how to operationalize the NIST Cybersecurity
More informationUpdates to the NIST Cybersecurity Framework
Updates to the NIST Cybersecurity Framework NIST Cybersecurity Framework Overview and Other Documentation October 2016 Agenda: Overview of NIST Cybersecurity Framework Updates to the NIST Cybersecurity
More informationInformation Technology Security Plan Policy, Control, and Procedures Manual Detect: Anomalies and Events
Information Technology Security Plan Policy, Control, and Procedures Manual Detect: Anomalies and Events Location: Need the right URL for this document https://www.pdsimplified.com/ndcbf_pdframework/nist_csf_prc/documents/detect/ndcbf_i
More informationFramework for Improving Critical Infrastructure Cybersecurity
Framework for Improving Critical Infrastructure Cybersecurity Draft Version 1.1 National Institute of Standards and Technology January 10, 2017 Note to Reviewers on the Update and Next Steps The draft
More informationCyber Security Standards Developments
INTERNATIONAL ELECTROTECHNICAL COMMISSION Cyber Security Standards Developments Bart de Wijs Head of Cyber Security Power Grids Division ABB b.v. Frédéric Buchi Sales&Consulting Cyber Security Siemens
More informationOverview of the Cybersecurity Framework
Overview of the Cybersecurity Framework Implementation of Executive Order 13636 Matt Barrett Program Manager matthew.barrett@nist.gov cyberframework@nist.gov 15 January 2015 Executive Order: Improving
More informationThe Road Ahead for Healthcare Sector: What to Expect in Cybersecurity Session CS6, February 19, 2017 Donna F. Dodson, Chief Cybersecurity Advisor,
The Road Ahead for Healthcare Sector: What to Expect in Cybersecurity Session CS6, February 19, 2017 Donna F. Dodson, Chief Cybersecurity Advisor, National Institute of Standards and Technology 1 Speaker
More informationChoosing the Right Cybersecurity Assessment Tool Michelle Misko, TraceSecurity Product Specialist
Choosing the Right Cybersecurity Assessment Tool Michelle Misko, TraceSecurity Product Specialist Agenda Industry Background Cybersecurity Assessment Tools Cybersecurity Best Practices 2 Cybersecurity
More informationCybersecurity & Privacy Enhancements
Business, Industry and Government Cybersecurity & Privacy Enhancements John Lainhart, Director, Grant Thornton The National Institute of Standards and Technology (NIST) is in the process of updating their
More informationLes joies et les peines de la transformation numérique
Les joies et les peines de la transformation numérique Georges Ataya CISA, CGEIT, CISA, CISSP, MSCS, PBA Professor, Solvay Brussels School of Economics and Management Academic Director, IT Management Education
More informationFramework for Improving Critical Infrastructure Cybersecurity. and Risk Approach
Framework for Improving Critical Infrastructure Cybersecurity Implementation of Executive Order 13636 and Risk Approach June 9, 2016 cyberframework@nist.gov Executive Order: Improving Critical Infrastructure
More informationNIST Cybersecurity Testbed for Transportation Systems. CheeYee Tang Electronics Engineer National Institute of Standards and Technology
NIST Cybersecurity Testbed for Transportation Systems CheeYee Tang Electronics Engineer National Institute of Standards and Technology National Institute of Standards and Technology (NIST) About NIST NIST
More informationCybersecurity Framework Manufacturing Profile
Cybersecurity Framework Manufacturing Profile Keith Stouffer Project Leader, Cybersecurity for Smart Manufacturing Systems Engineering Lab, NIST National Institute of Standards and Technology (NIST) NIST
More informationBonnie A. Goins Adjunct Industry Professor Illinois Institute of Technology
Bonnie A. Goins Adjunct Industry Professor Illinois Institute of Technology It s a hot topic!! Executives are asking their CISOs a LOT of questions about it Issues are costly, from a financial and a reputational
More informationCybersecurity Framework
Catherine Bruder Shareholder CPA, CITP, CISA, CISM, CTGA Michigan Texas Florida Insight. Oversight. Foresight. SM Cybercrime Economic Impact Cybercrime is costing the global economy $575 billion and the
More informationCYBERSECURITY FOR STARTUPS AND SMALL BUSINESSES OVERVIEW OF CYBERSECURITY FRAMEWORKS
CYBERSECURITY FOR STARTUPS AND SMALL BUSINESSES OVERVIEW OF CYBERSECURITY FRAMEWORKS WILLIAM (THE GONZ) FLINN M.S. INFORMATION SYSTEMS SECURITY MANAGEMENT; COMPTIA SECURITY+, I-NET+, NETWORK+; CERTIFIED
More informationProtecting Controlled Unclassified Information(CUI) in Nonfederal Information Systems and Organizations
Protecting Controlled Unclassified Information(CUI) in Nonfederal Information Systems and Organizations January 9 th, 2018 SPEAKER Chris Seiders, CISSP Security Analyst Computing Services and Systems Development
More informationDiscussion Draft of the Preliminary Cybersecurity Framework August 28, 2013
1 Discussion Draft of the Preliminary Cybersecurity Framework August 28, 2013 2 3 A Discussion Draft of the Preliminary Cybersecurity Framework for improving critical 4 infrastructure cybersecurity is
More informationWhy you should adopt the NIST Cybersecurity Framework
Why you should adopt the NIST Cybersecurity Framework It s important to note that the Framework casts the discussion of cybersecurity in the vocabulary of risk management Stating it in terms Executive
More informationDesigning & Building a Cybersecurity Program. Based on the NIST Cybersecurity Framework (CSF)
Designing & Building a Cybersecurity Program Based on the NIST Cybersecurity Framework (CSF) Larry Wilson Lesson 2 June, 2015 1 Lesson 2: Controls Factory Components Part 1: The Controls Factory Part 2:
More informationBUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE
BUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE 1 WHAT IS YOUR SITUATION? Excel spreadsheets Manually intensive Too many competing priorities Lack of effective reporting Too many consultants Not
More informationInformation Technology Security Plan Policies, Controls, and Procedures Identify Risk Assessment ID.RA
Information Technology Security Plan Policies, Controls, and Procedures Identify Risk Assessment ID.RA Information Security Policy and Procedures Identify Risk Assessment ID.RA Table of Contents Identify
More informationCOMPLIANCE BRIEF: NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY S FRAMEWORK FOR IMPROVING CRITICAL INFRASTRUCTURE CYBERSECURITY
COMPLIANCE BRIEF: NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY S FRAMEWORK FOR IMPROVING CRITICAL INFRASTRUCTURE CYBERSECURITY OVERVIEW On February 2013, President Barack Obama issued an Executive Order
More informationExecutive Order & Presidential Policy Directive 21. Ed Goff, Duke Energy Melanie Seader, EEI
Executive Order 13636 & Presidential Policy Directive 21 Ed Goff, Duke Energy Melanie Seader, EEI Agenda Executive Order 13636 Presidential Policy Directive 21 Nation Infrastructure Protection Plan Cybersecurity
More informationAltius IT Policy Collection Compliance and Standards Matrix
Governance Context and Alignment Policy 4.1 4.4 800-26 164.308 12.4 EDM01 IT Governance Policy 5.1 800-30 12.5 EDM02 Leadership Mergers and Acquisitions Policy A.6.1.1 800-33 EDM03 Context Terms and Definitions
More informationHow to Align with the NIST Cybersecurity Framework
How to Align with the NIST Cybersecurity Framework 1 Title Table of Contents Identify (ID) 4 Protect (PR) 5 Detect (DE) 6 Respond (RS) 7 Recover (RC) 8 visibility detection control 2 SilentDefense Facilitates
More informationAssurance through the ISO27002 Standard and the US NIST Cybersecurity Framework. Keith Price Principal Consultant
Assurance through the ISO27002 Standard and the US NIST Cybersecurity Framework Keith Price Principal Consultant 1 About About me - Specialise in cybersecurity strategy, architecture, and assessment -
More informationAltius IT Policy Collection Compliance and Standards Matrix
Governance Context and Alignment Policy 4.1 4.4 800-26 164.308 12.4 EDM01 IT Governance Policy 5.1 800-30 12.5 EDM02 Leadership Mergers and Acquisitions Policy A.6.1.1 800-33 EDM03 Context Terms and Definitions
More informationCyber Information Sharing
Cyber Information Sharing Renault Ross CISSP, MCSE, CHSS, VCP5 Chief Cybersecurity Business Strategist Ian Schmertzler President Know Your Team Under Pressure Trust Your Eyes Know the Supply Chain Have
More informationACR 2 Solutions Compliance Tools
ACR 2 Solutions Compliance Tools What s all the noise about the Cyber Security Framework? The Cyber Security Framework Airs Conference May 2017 About ACR 2 Solutions your NIST experts ACR2 is a developer
More informationSAC PA Security Frameworks - FISMA and NIST
SAC PA Security Frameworks - FISMA and NIST 800-171 June 23, 2017 SECURITY FRAMEWORKS Chris Seiders, CISSP Scott Weinman, CISSP, CISA Agenda Compliance standards FISMA NIST SP 800-171 Importance of Compliance
More informationNATIONAL DEFENSE INDUSTRIAL ASSOCIATION Homeland Security Symposium
NATIONAL DEFENSE INDUSTRIAL ASSOCIATION Homeland Security Symposium Securing Cyber Space & America s Cyber Assets: Threats, Strategies & Opportunities September 10, 2009, Crystal Gateway Marriott, Arlington,
More information2016 Nationwide Cyber Security Review: Summary Report. Nationwide Cyber Security Review: Summary Report
Nationwide Cyber Security Review: Summary Report Nationwide Cyber Security Review: Summary Report ii Nationwide Cyber Security Review: Summary Report Acknowledgments The Multi-State Information Sharing
More informationUsing the NIST Cybersecurity Framework to Guide your Security Program August 31, 2017
Using the NIST Cybersecurity Framework to Guide your Security Program August 31, 2017 Presenters: Allie Russell, Conexxus Kara Gunderson, DSSC Chair, CITGO Petroleum Chris Lietz & Bob Post, Coalfire Housekeeping
More informationEffectively Measuring Cybersecurity Improvement: A CSF Use Case
SESSION ID: GRC R03F Effectively Measuring Cybersecurity Improvement: A CSF Use Case Greg Witte Sr. Cybersecurity Engineer G2, Inc. @TheNetworkGuy Tom Conkle Cybersecurity Engineer G2, Inc. @TomConkle
More informationNW NATURAL CYBER SECURITY 2016.JUNE.16
NW NATURAL CYBER SECURITY 2016.JUNE.16 ADOPTED CYBER SECURITY FRAMEWORKS CYBER SECURITY TESTING SCADA TRANSPORT SECURITY AID AGREEMENTS CONCLUSION QUESTIONS ADOPTED CYBER SECURITY FRAMEWORKS THE FOLLOWING
More informationstandards and frameworks and controls oh my! Mike Garcia Senior Advisor for Elections Best Practices
standards and frameworks and controls oh my! Mike Garcia Senior Advisor for Elections Best Practices mike.garcia@cisecurity.org The big three in their own words ISO 27000: family of standards to help organizations
More informationUsing the NIST Framework for Metrics 5/14/2015
Using the NIST Framework for Metrics 5/14/2015 ITD - Public Safety Safety improvements reduced total crashes by 29% and injury crashes by 41% in corridors after GARVEE projects were completed Ads / Commercials
More informationMapping Your Requirements to the NIST Cybersecurity Framework. Industry Perspective
Mapping Your Requirements to the NIST Cybersecurity Framework Industry Perspective 1 Quest has the solutions and services to help your organization identify, protect, detect, respond and recover, better
More informationFrom the Trenches: Lessons learned from using the NIST Cybersecurity Framework
From the Trenches: Lessons learned from using the NIST Cybersecurity Framework Greg Witte Sr. Cybersecurity Engineer G2, Inc. Greg.Witte@G2-inc.com Tom Conkle Cybersecurity Engineer G2, Inc. Tom.Conkle@G2-inc.com
More informationDHS Cybersecurity: Services for State and Local Officials. February 2017
DHS Cybersecurity: Services for State and Local Officials February 2017 Department of Established in March of 2003 and combined 22 different Federal departments and agencies into a unified, integrated
More informationInformation Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV
Information Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV Location: https://www.pdsimplified.com/ndcbf_pdframework/nist_csf_prc/documents/identify/ndcbf _ITSecPlan_IDGV2017.pdf
More informationAcalvio Deception and the NIST Cybersecurity Framework 1.1
Acalvio Deception and the NIST Cybersecurity Framework 1.1 June 2018 The Framework enables organizations regardless of size, degree of cybersecurity risk, or cybersecurity sophistication to apply the principles
More informationMANAGING THE EFFECTIVENESS OF A CYBER SECURITY PROGRAM THROUGH A NIST CYBER SECURITY FRAMEWORK EVALUATION
MANAGING THE EFFECTIVENESS OF A CYBER SECURITY PROGRAM THROUGH A NIST CYBER SECURITY FRAMEWORK EVALUATION Art Ehuan Alvarez & Marsal Global Cyber Risk Services LLC AGENDA þ How does an organization know
More informationOverview of NIPP 2013: Partnering for Critical Infrastructure Security and Resilience October 2013
Overview of NIPP 2013: Partnering for Critical Infrastructure Security and Resilience October 2013 PPD-21: CI Security and Resilience On February 12, 2013, President Obama signed Presidential Policy Directive
More informationCybersecurity Overview
Cybersecurity Overview DLA Energy Worldwide Energy Conference April 12, 2017 1 Enterprise Risk Management Risk Based: o Use of a risk-based approach for cyber threats with a focus on critical systems where
More informationImplementing the Administration's Critical Infrastructure and Cybersecurity Policy
Implementing the Administration's Critical Infrastructure and Cybersecurity Policy Cybersecurity Executive Order and Critical Infrastructure Security & Resilience Presidential Policy Directive Integrated
More informationAmerican Association of Port Authorities Port Security Seminar & Expo Cyber Security Preparedness and Resiliency in the Marine Environment
American Association of Port Authorities Port Security Seminar & Expo Cyber Security Preparedness and Resiliency in the Marine Environment July 20, 2017 DECIDEPLATFORM.COM The new Reality of Cyber Security
More informationHow to implement NIST Cybersecurity Framework using ISO WHITE PAPER. Copyright 2017 Advisera Expert Solutions Ltd. All rights reserved.
How to implement NIST Cybersecurity Framework using ISO 27001 WHITE PAPER Copyright 2017 Advisera Expert Solutions Ltd. All rights reserved. Copyright 2017 Advisera Expert Solutions Ltd. All rights reserved.
More informationSTRENGTHENING THE CYBERSECURITY OF FEDERAL NETWORKS AND CRITICAL INFRASTRUCTURE
STRENGTHENING THE CYBERSECURITY OF FEDERAL NETWORKS AND CRITICAL INFRASTRUCTURE By the authority vested in me as President by the Constitution and the laws of the United States of America, it is hereby
More informationResponsible Care Security Code
Chemical Sector Guidance for Implementing the NIST Cybersecurity Framework and the ACC Responsible Care Security Code ACC Chemical Information Technology Council (ChemITC) January 2016 Legal and Copyright
More informationNIST SP , Revision 1 CNSS Instruction 1253
NIST SP 800-53, Revision 1 CNSS Instruction 1253 Annual Computer Security Applications Conference December 10, 2009 Dr. Ron Ross Computer Security Division Information Technology Laboratory Introduction
More informationDr. Emadeldin Helmy Cyber Risk & Resilience Bus. Continuity Exec. Director, NTRA. The African Internet Governance Forum - AfIGF Dec 2017, Egypt
Dr. Emadeldin Helmy Cyber Risk & Resilience Bus. Continuity Exec. Director, NTRA The African Internet Governance Forum - AfIGF2017 5 Dec 2017, Egypt Agenda Why? Threats Traditional security? What to secure?
More informationFour Deadly Traps of Using Frameworks NIST Examples
Four Deadly Traps of Using Frameworks NIST 800-53 Examples ISACA Feb. 2015 Meeting Doug Landoll dlandoll@lantego.com (512) 633-8405 Session Agenda Framework Definition & Uses NIST 800-53 Framework Intro
More informationImplementing Executive Order and Presidential Policy Directive 21
March 26, 2013 Implementing Executive Order 13636 and Presidential Policy Directive 21 Mike Smith, Senior Cyber Policy Advisor, Office of Electricity Delivery and Energy Reliability, Department of Energy
More informationStatement for the Record
Statement for the Record of Seán P. McGurk Director, Control Systems Security Program National Cyber Security Division National Protection and Programs Directorate Department of Homeland Security Before
More informationCyber Security & Homeland Security:
Cyber Security & Homeland Security: Cyber Security for CIKR and SLTT Michael Leking 19 March 2014 Cyber Security Advisor Northeast Region Office of Cybersecurity and Communications (CS&C) U.S. Department
More informationThe Office of Infrastructure Protection
The Office of Infrastructure Protection National Protection and Programs Directorate Department of Homeland Security Organisation for the Prohibition of Chemical Weapons September 13, 2011 Overall Landscape
More informationRe: McAfee s comments in response to NIST s Solicitation for Comments on Draft 2 of Cybersecurity Framework Version 1.1
January 19, 2018 VIA EMAIL: cyberframework@nist.gov Edwin Games National Institute of Standards and Technology 100 Bureau Drive, Mail Stop 8930 Gaithersburg, MD 20899 Re: McAfee s comments in response
More informationA Controls Factory Approach To Operationalizing a Cyber Security Program Based on the NIST Cybersecurity Framework
A Controls Factory Approach To Operationalizing a Cyber Security Program Based on the NIST Cybersecurity Framework Prepared by: Larry Wilson lwilson@umassp.edu Chief Information Security Officer University
More informationEvaluating and Improving Cybersecurity Capabilities of the Electricity Critical Infrastructure
Evaluating and Improving Cybersecurity Capabilities of the Electricity Critical Infrastructure March 2015 Pamela Curtis Dr. Nader Mehravari Katie Stewart Cyber Risk and Resilience Management Team CERT
More informationISAO SO Product Outline
Draft Document Request For Comment ISAO SO 2016 v0.2 ISAO Standards Organization Dr. Greg White, Executive Director Rick Lipsey, Deputy Director May 2, 2016 Copyright 2016, ISAO SO (Information Sharing
More informationDesigning and Building a Cybersecurity Program
Designing and Building a Cybersecurity Program Based on the NIST Cybersecurity Framework (CSF) Larry Wilson lwilson@umassp.edu ISACA Breakfast Meeting January, 2016 Designing & Building a Cybersecurity
More informationKnowledge Set of Attack Surface and Cybersecurity Rating for Firms in a Supply Chain Dr. Shaun Wang, FCAS, CERA
Knowledge Set of Attack Surface and Cybersecurity Rating for Firms in a Supply Chain Dr. Shaun Wang, FCAS, CERA 04/13/2018 ULaval Shaun.Wang@ntu.edu.sg 1 Cyber Risk Management Project Government University
More informationINTERNATIONAL CIVIL AVIATION ORGANIZATION ASIA and PACIFIC OFFICE ASIA/PAC RECOMMENDED SECURITY CHECKLIST
INTERNATIONAL CIVIL AVIATION ORGANIZATION ASIA and PACIFIC OFFICE Aeronautical Telecommunication Network Implementation Coordination Group (ATNICG) ASIA/PAC RECOMMENDED SECURITY CHECKLIST September 2009
More informationTrack 4A: NIST Workshop
Track 4A: NIST Workshop National Institute of Standards and Technology (NIST) National Cybersecurity Center of Excellence (NCCoE) GridSecCon October 18, 2016 AGENDA TOPIC PRESENTER(S) DURATION NIST/NCCoE
More informationIASM Support for FISMA
Introduction Most U.S. civilian government agencies, and commercial enterprises processing electronic data on behalf of those agencies, are concerned about whether and how Information Assurance products
More informationINFORMATION ASSURANCE DIRECTORATE
National Security Agency/Central Security Service INFORMATION ASSURANCE DIRECTORATE CGS Risk Monitoring Risk Monitoring assesses the effectiveness of the risk decisions that are made by the Enterprise.
More informationEvolving Cybersecurity Strategies
Evolving Cybersecurity Strategies NIST Special Publication 800-53, Revision 4 ISSA National Capital Chapter April 17, 2012 Dr. Ron Ross Computer Security Division Information Technology Laboratory NATIONAL
More informationBuilding Secure Systems
Building Secure Systems Antony Selim, CISSP, P.E. Cyber Security and Enterprise Security Architecture 13 November 2015 Copyright 2015 Raytheon Company. All rights reserved. Customer Success Is Our Mission
More informationTechnical Conference on Critical Infrastructure Protection Supply Chain Risk Management
Technical Conference on Critical Infrastructure Protection Supply Chain Risk Management Remarks of Marcus Sachs, Senior Vice President and the Chief Security Officer North American Electric Reliability
More informationCyberUSA Government Cyber Opportunities for your Region: The Federal Agenda - Federal, Grants & Resources Available to Support Community Cyber
CyberUSA Government Cyber Opportunities for your Region: The Federal Agenda - Federal, Grants & Resources Available to Support Community Cyber Initiatives 30 January 2018 1 Agenda Federal Landscape Cybersecurity
More informationTop 10 ICS Cybersecurity Problems Observed in Critical Infrastructure
SESSION ID: SBX1-R07 Top 10 ICS Cybersecurity Problems Observed in Critical Infrastructure Bryan Hatton Cyber Security Researcher Idaho National Laboratory In support of DHS ICS-CERT @phaktor 16 Critical
More informationStrengthening the Cybersecurity of Federal Networks and Critical Infrastructure
Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure Executive Order 13800 Update July 2017 In Brief On May 11, 2017, President Trump issued Executive Order 13800, Strengthening
More informationCybersecurity for Health Care Providers
Cybersecurity for Health Care Providers Montgomery County Medical Society Provider Meeting February 28, 2017 T h e MARYLAND HEALTH CARE COMMISSION Overview Cybersecurity defined Cyber-Threats Today Impact
More informationDear Mr. Games: Please see our submission attached. With kind regards, Aaron
From: Aaron P. Padilla Date: Mon, Apr 10, 2017 at 3:16 PM Subject: API Response to the Proposed Update to the Framework for Improving Critical Infrastructure Cybersecurity To: "cyberframework@nist.gov"
More informationMINIMUM SECURITY CONTROLS SUMMARY
APPENDIX D MINIMUM SECURITY CONTROLS SUMMARY LOW-IMPACT, MODERATE-IMPACT, AND HIGH-IMPACT INFORMATION SYSTEMS The following table lists the minimum security controls, or security control baselines, for
More informationChapter 18 SaskPower Managing the Risk of Cyber Incidents 1.0 MAIN POINTS
Chapter 18 SaskPower Managing the Risk of Cyber Incidents 1.0 MAIN POINTS The Saskatchewan Power Corporation (SaskPower) is the principal supplier of power in Saskatchewan with its mission to deliver power
More informationNational Initiative for Cybersecurity Education
National Initiative for Cybersecurity Education NIST Special Publication, 800-181 NICE Cybersecurity Workforce Framework Douglas Rausch Cybersecurity Program Director, Bellevue University Lead Skills-based
More informationDEFINITIONS AND REFERENCES
DEFINITIONS AND REFERENCES Definitions: Insider. Cleared contractor personnel with authorized access to any Government or contractor resource, including personnel, facilities, information, equipment, networks,
More informationPlenary Session: Branch Cybersecurity Controls Thursday, February 22 1:15 p.m. 2:15 p.m.
Plenary Session: Branch Cybersecurity Controls Thursday, February 22 1:15 p.m. 2:15 p.m. Cybersecurity is a top priority for the financial services industry. Firms dedicate significant resources every
More informationPIPELINE SECURITY An Overview of TSA Programs
PIPELINE SECURITY An Overview of TSA Programs Jack Fox Pipeline Industry Engagement Manager Surface Division Office of Security Policy & Industry Engagement May 5, 2014 TSA and Pipeline Security As the
More informationSecurity and Privacy Governance Program Guidelines
Security and Privacy Governance Program Guidelines Effective Security and Privacy Programs start with attention to Governance. Governance refers to the roles and responsibilities that are established by
More informationExecutive Order on Coordinating National Resilience to Electromagnetic Pulses
Executive Order on Coordinating National Resilience to Electromagnetic Pulses The Wh... Page 1 of 11 EXECUTIVE ORDERS Executive Order on Coordinating National Resilience to Electromagnetic Pulses INFRASTRUCTURE
More informationSYSTEMS ASSET MANAGEMENT POLICY
SYSTEMS ASSET MANAGEMENT POLICY Policy: Asset Management Policy Owner: CIO Change Management Original Implementation Date: 7/1/2017 Effective Date: 7/1/2017 Revision Date: Approved By: NIST Cyber Security
More informationDHS Cybersecurity. Election Infrastructure as Critical Infrastructure. June 2017
DHS Cybersecurity Election Infrastructure as Critical Infrastructure June 2017 Department of Homeland Security Safeguard the American People, Our Homeland, and Our Values Homeland Security Missions 1.
More informationICS-CERT Year in Review. Industrial Control Systems Cyber Emergency Response Team
ICS-CERT Year in Review Industrial Control Systems Cyber Emergency Response Team 2012 What s Inside Welcome 1 Organization 3 Outreach 4 Industrial Control Systems Joint Working Group 5 Advanced Analytical
More informationFISMA Cybersecurity Performance Metrics and Scoring
DOT Cybersecurity Summit FISMA Cybersecurity Performance Metrics and Scoring Office of the Federal Chief Information Officer, OMB OMB Cyber and National Security Unit, OMBCyber@omb.eop.gov 2. Cybersecurity
More informationDepartment of Homeland Security Updates
American Association of State Highway and Transportation Officials Special Committee on Transportation Security and Emergency Management 2016 Critical Infrastructure Committee Joint Annual Meeting Department
More informationISO STANDARD IMPLEMENTATION AND TECHNOLOGY CONSOLIDATION
ISO STANDARD IMPLEMENTATION AND TECHNOLOGY CONSOLIDATION Cathy Bates Senior Consultant, Vantage Technology Consulting Group January 30, 2018 Campus Orientation Initiative and Project Orientation Project
More information