Smart Grid Cybersecurity Committee. July 28, 2017
1 Smart Grid Cybersecurity Committee, July 28, 2017
2 Technical Program: Smart Grid Cybersecurity Committee (SGCC) Working Group Meeting 2
3 Antitrust Guidelines for SEPA Meetings & Conferences The antitrust laws and other business laws apply to SEPA, its members, funders, and advisers; violations can lead to civil and criminal liability. SEPA is committed to full compliance, as well as to maintaining the highest ethical standards in all of our operations and activities. These guidelines apply to all occasions: before, during, and after SEPA meetings and conferences, including in the hallways, over lunch, cocktails and at dinner. SEPA'S MISSION is to facilitate the utility industry's smart transition to a clean energy future through education, research, standards, and collaboration. YOUR ROLE AT SEPA MEETINGS AND CONFERENCES varies based on what you are attending, but could include sharing information with and learning from peers, potential partners, and industry experts and/or to provide guidance to SEPA on its activities. Consult with your company counsel if at any time you believe discussions are touching on sensitive antitrust subjects such as pricing, bids, allocation of customers or territories, boycotts, tying arrangements and the like. DO NOT DISCUSS pricing, price terms, such as, for example, discount and credit policies, promotions, or product category pricing levels and industry pricing levels, production capacity, or cost information which is not publicly available; confidential market strategies or business plans; or other competitively sensitive information. Do not disparage suppliers and/or competitors of SEPA and/or SEPA Members and participants. BE ACCURATE, OBJECTIVE, AND FACTUAL in any discussions of goods and services offered in the market by others, including your competitors, suppliers, and customers. SEPA DOES NOT RECOMMEND the use of particular vendors, contractors or consultants. SEPA will not promote or endorse commercial products or services of third parties. You must draw your own conclusions and make your own choices independently.
DO NOT AGREE WITH OTHERS to discriminate against or refuse to deal with (i.e., "boycott") a supplier; or to do business only on certain terms and conditions; or to set price, divide markets, or allocate customers. PLEASE BE AWARE that an agreement regarding price need not relate to a specific price, but may relate to levels, discounts policy, allowance policy, and other terms affecting price levels or movements and may be inferred from a discussion and ensuing conduct. DO NOT TRY TO INFLUENCE or advise others on their business decisions, and do not discuss yours (except to the extent that they are already public). ASK for advice from your own legal department, if you have questions about any aspect of these guidelines or about a particular situation or activity at SEPA; or ask the responsible SEPA manager to contact SEPA's Legal Counsel. 3
4 Agenda Working Group Updates SGCC Cyber-Physical Resiliency Subgroup Presentation Chair: Dr. Elizabeth Sisley, Calm Sunrise Consulting, LLC Vice Chair: Dr. Michael Cohen, MITRE Corp. OpenFMB Cybersecurity Aaron Smallwood, Directory Technology, SEPA SGCC Leadership Presentation: Public Key Infrastructure (PKI) PKI: All the Facts You Wanted to Know and Were Afraid to Ask Presentation by William T. Polk, Group Manager for Cryptographic Technology Group, National Institute of Standards and Technology (NIST) 4
5 Cyber-Physical Resiliency Chair: Dr. Elizabeth Sisley Vice-Chair: Dr. Michael Cohen 5
6 Cyber-Physical Resiliency Architecture/ Engineering Cyber-Physical Resiliency Cybersecurity Why SGCC (Smart Grid Cybersecurity Committee) and GAWG (Grid Architecture Working Group) both Sponsor Resiliency The Smart Grid needs not only sound architecture for functionality and cybersecurity for security, but also resilience to satisfy its high operational availability requirements. There are existing best practices and tools (and an opportunity to identify any gaps), that could be more widely used across system(s) lifecycle, to address the need for Cyber-Physical Resiliency. 6
7 What Problem Do We Have? Takeaway: The electric system is, for better or worse, of such size and complexity of stakeholders, decision-makers, and changing technologies that it will not stand still to be designed like a single system-of-systems, nor will there be a person or group of people charged with designing it as such. Resilience implies adaptability to change and improvement. It must also continue to operate in providing electricity while under stress, attack, and upgrade, e.g., continue to deliver electricity while a sophisticated adversary is inside the system. 7
8 Resiliency Definitions Presidential Policy Directive 21, Critical Infrastructure Security and Resilience: The term "resilience" means the ability to prepare for and adapt to changing conditions and withstand and recover rapidly from disruptions. Resilience includes the ability to withstand and recover from deliberate attacks, accidents, or naturally occurring threats or incidents. Traditionally this is Architecture/Engineering. The terms "secure" and "security" refer to reducing the risk to critical infrastructure by physical means or defensive cyber measures to intrusions, attacks, or the effects of natural or manmade disasters. Traditionally this is Cybersecurity. Both Architecture/Engineering and Security are Necessary 8
9 Deliverables Phase 1 (launched Sept 29th): Catalog/Repository; Identify Published Best Practices; Inclusion Criteria (Architecture/Engineering, Cybersecurity); Exclusion Criteria. Webinar March 21st: registered 207, attended 95. Will publish via SEPA process. Phase 2 (just launching): Task 1: Identification of Smart Grid Resiliency Gaps; Task 2: Prepare Resiliency Gap Filler Supplement to NISTIR 7628 Rev.1. Red text update from Tuesday's Grid Architecture Working Group 9
10 Inclusion Criteria: Lifecycle Focuses on resilience that is designed and engineered into the Cyber-Physical System (CPS) itself Designs the CPS to use evolving technologies, such as predictive self-healing, to allow systems to automatically fix themselves Designs the CPS to gracefully shut down, and implement fault tolerance mechanisms Design CPS to operate in degraded or alternative modes of operation, and recovery. Lessens the reliance of the CPS on external dependencies or mitigates the impacts of the loss of those dependencies 10
11 Architecture/Engineering: Inclusion Criteria Describes employment of all resilience strategies during CPS design and operations such as: Eliminating single points of failure and designing for fault tolerance Utilizing redundancy and diversity/heterogeneity Includes the use of analog or manual backups Design for Graceful Degradation 11
12 Cybersecurity: Inclusion Criteria Describes employment of all resilience strategies during CPS design and operations such as: NIST Framework functions: Identify, Protect, Detect, Respond, and Recover Anticipate, continue to operate correctly in the face of, recover from, and evolve to better adapt to advanced cyber threats Malware and forensic analysis Technical defense-in-depth Dynamic threat modeling 12
13 Exclusion Criteria Focuses exclusively on traditional IT Cybersecurity, addressed by e.g. NIST Rev 4, etc. Focuses exclusively on traditional physical security external to the system, e.g., guns, gates, and guards Focuses on IT supply chain risk management, addressed by e.g. NIST , NERC-013, etc. Focuses on external (to the CPS) organizational continuity of operations/disaster recovery processes and procedures. Reference them as related processes, such as Disaster Recovery Institute Best Practices, NIST , enterprise risk management manuals SP , -35 & -37, etc. 13
14 20+ List of Candidate Best Practices Systems Engineering INCOSE.org worldwide education: BS, MS, Ph.D. Systems Security Engineering An Integrated Approach to Building Trustworthy Resilient Systems Cyber-Physical Systems Framework NISTIR 7628 Rev 1 Cyber Resiliency Engineering Aid-The Updated Cyber Resiliency Engineering Framework and Guidance on Applying Cyber Resiliency Techniques CREDC: Cyber Resilient Energy Delivery Consortium IIC Security Framework Named Data Networks (NDN) and its applicability to critical and challenged networks MITRE-Developed Cyber Security and Resiliency Assessment Tools Intelligence Preparation for Operational Resilience (IPOR) CERT Resilience Management Model (RMM) v1.1: Code of Practice Crosswalk CRR NIST Framework Crosswalk Cross-reference chart for how the NIST Cybersecurity Framework aligns to the Cyber Resilience Review (CRR) IEC TC57 WG15 - IEC Resilience and security for power systems with Distributed Energy Resources (DER) Stanford Seminar - Engineering Cyber Resiliency: A Pragmatic Approach - (references to power grid & tool) Cybersecurity Procurement Language for Energy Delivery Systems And more! 14
15 Catalog/Repository Attributes
1. Item Name (short)
2. Item Full Title
3. URL
4. Linked to Industry Standards
5. Content Owner
6. Education: webinars, training/classes, degrees, etc.
7. Applicability to What Grid Domains
8. Classify as Specify, Design, Build (Re-Engineer), Operate
9. Short Description
10. Attribute indicating whether the item contains Cybersecurity, or Architectural, or Both, specific to addressing resiliency and its cousins, e.g. availability, reliability, fault-tolerance, etc.
11. Context (specific technique, set of processes, framework, tool, etc.)
12. Maturity / Industry Acceptance Level of this Technique (to show history, include origination date and date of last modification)
13. Attribute indicating whether the item contains Cybersecurity, or Architecture, or Both, specific to addressing resiliency and its cousins, e.g. availability, reliability, fault-tolerance, etc.
Etc. 15
16 Phase 2 (just launching) Task 1: Identification of Smart Grid Resiliency Gaps. Task 2: Prepare SEPA Resiliency [Gap Filler] Supplement to NISTIR 7628 Rev.1. NOTE: Call for Participation details during Friday's 1:00-3:00 Smart Grid Cybersecurity Committee (SGCC) meeting 16
17 Phase 2: Proposed Tasks
Objective: Enable Smart Grid resilience as well as Cybersecurity
Task 1: Identification of Smart Grid Resiliency Gaps. Identify resiliency gaps that currently exist in NISTIR 7628 Rev1.
Cross-Walk Between NISTIR 7628r1 and Resiliency Controls: NISTIR 7628 Rev.1 MAPPING to Resiliency Best Practices
NISTIR 7628, Rev. 1 High-Level Security Requirements, Access Control (SG.AC):
SG.AC-1 Access Control Policy and Procedures
SG.AC-2 Remote Access Policy and Procedures
SG.AC-3 Account Management
SG.AC-4 Access Enforcement
SG.AC-5 Information Flow Enforcement
SG.AC-6 Separation of Duties
SG.AC-7 Least Privilege
SG.AC-8 Unsuccessful Login Attempts
SG.AC-9 Smart Grid Information System Use Notification
SG.AC-10 Previous Logon Notification
SG.AC-11 Concurrent Session Control
SG.AC-12 Session Lock
SG.AC-13 Remote Session Termination
SG.AC-14 Permitted Actions without Identification or Authentication
SG.AC-15 Remote Access
SG.AC-16 Wireless Access Restrictions
SG.AC-17 Access Control for Portable and Mobile Devices
SG.AC-18 Use of External Information Control Systems
SG.AC-19 Control System Access Restrictions
SG.AC-20 Publicly Accessible Content
SG.AC-21 Passwords
Awareness and Training (SG.AT) follows.
Resiliency Best Practice columns in the crosswalk: Systems Security Engineering: Appendix H; Cyber-Physical Systems Framework; Cyber Resiliency Engineering Aid 17
18 Phase 2 Proposed Tasks Task 2: Prepare SEPA Resiliency [Gap Filler] Supplement to NISTIR 7628 Rev.1 This task will prepare a draft Resiliency Supplement to NISTIR 7628r1. Entries will consist of: Resiliency Family Name (either an existing Security Requirement Family Name or a new Resiliency Family Name) Resiliency Requirement Description Requirement Enhancements (optional) Additional Considerations (optional) Impact Level Allocation 18
19 Agenda Working Group Updates SGCC Cyber-Physical Resiliency Subgroup Presentation Chair: Dr. Elizabeth Sisley, Calm Sunrise Consulting, LLC Vice Chair: Dr. Michael Cohen, MITRE Corp. OpenFMB Cybersecurity Aaron Smallwood, Directory Technology, SEPA SGCC Leadership Nelson Hastings Presentation: Public Key Infrastructure (PKI) PKI: All the Facts You Wanted to Know and Were Afraid to Ask Presentation by William T. Polk, Group Manager for Cryptographic Technology Group, National Institute of Standards and Technology (NIST) 19
21 NIST Cybersecurity Smart Grid Efforts and Proposed SGCC Activities Nelson Hastings, NIST Cybersecurity and Privacy Applications Group Leader Applied Cybersecurity Division 21
22 NIST Smart Grid Cybersecurity Efforts Supporting SEPA by chairing the Smart Grid Cybersecurity Committee (SGCC) Applying the NIST Cybersecurity Framework to identity/characterize risk to emerging smart grid architectures To be integrated into the NIST Smart Grid Interoperability Framework update 22
23 Security of Grid Edge Devices Grid edge devices include Smart Meters, Inverters, Thermostats, HVAC systems, etc. Securing these devices is critical to scaling control systems that may leverage grid edge devices. The NISTIR 7628 provides Guidelines for Smart Grid Cyber Security. Ideally we would like a strategy to decompose these system-level guidelines to device specifications.
24 Profiling performance of Grid Edge Devices We are currently developing technology to profile the performance impact of security solutions on grid edge devices. The eventual goal is to balance cybersecurity tools across a DER architecture, minimizing system level risk exposure. Diversity in design, legacy and communication protocols pose a challenge requiring continuing engagement with device manufacturers.
25 Proposed SGCC Activities for Discussion Develop best practices for identity management from a relying party perspective: managing identities of an organization's employees or owned devices versus customers or devices not owned by an organization connected to their network. Profiling the NIST Cybersecurity Framework for a smart grid use case, similar to what was created for the manufacturing sector: ring-profile-draft.pdf 25
26 An Example: Manufacturing Profile 26
27 Core Cybersecurity Framework Components What processes and assets need protection? What safeguards are available? What techniques can identify incidents? What techniques can contain impacts of incidents? What techniques can restore capabilities? 27
28 Core Cybersecurity Framework Components
Function / Category (ID):
Identify: Asset Management (ID.AM); Business Environment (ID.BE); Governance (ID.GV); Risk Assessment (ID.RA); Risk Management Strategy (ID.RM)
Protect: Access Control (PR.AC); Awareness and Training (PR.AT); Data Security (PR.DS); Information Protection Processes & Procedures (PR.IP); Maintenance (PR.MA); Protective Technology (PR.PT)
Detect: Anomalies and Events (DE.AE); Security Continuous Monitoring (DE.CM); Detection Processes (DE.DP)
Respond: Response Planning (RS.RP); Communications (RS.CO); Analysis (RS.AN); Mitigation (RS.MI); Improvements (RS.IM)
Recover: Recovery Planning (RC.RP); Improvements (RC.IM); Communications (RC.CO)
Subcategory / Informative References (Business Environment, ID.BE):
ID.BE-1: The organization's role in the supply chain is identified and communicated. COBIT 5 APO01.02, DSS06.03; ISA : ; ISO/IEC 27001:2013 A ; NIST SP Rev. 4 CP-2, PS-7, PM-11
ID.BE-2: The organization's place in critical infrastructure and its industry sector is identified and communicated. COBIT 5 APO08.04, APO08.05, APO10.03, APO10.04, APO10.05; ISO/IEC 27001:2013 A , A , A ; NIST SP Rev. 4 CP-2, SA-12
ID.BE-3: Priorities for organizational mission, objectives, and activities are established and communicated. COBIT 5 APO02.06, APO03.01; NIST SP Rev. 4 PM-8
ID.BE-4: Dependencies and critical functions for delivery of critical services are established. COBIT 5 APO02.01, APO02.06, APO03.01; ISA : , ; NIST SP Rev. 4 PM-11, SA-14
ID.BE-5: Resilience requirements to support delivery of critical services are established. ISO/IEC 27001:2013 A , A , A ; NIST SP Rev. 4 CP-8, PE-9, PE-11, PM-8, SA-14 28
29 Ways to think about a Profile A customization of the Core for a given sector, subsector, or organization; A fusion of business/mission logic and cybersecurity outcomes; An alignment of cybersecurity requir... with operational methodologies; A basis for assessment and expressing target state; A decision support tool for cybersecurity risk management. (Figure: the five Framework Functions, Identify, Protect, Detect, Respond, Recover.) 29
30 Business/Mission Objectives Prioritized cybersecurity practices that will promote and support key business/mission goals for the manufacturer. Maintain Personnel Safety Maintain Environmental Safety Maintain Product Quality Maintain Production Goals Maintain Trade Secrets 30
32 Profile Example Columns: Function; Category; Subcategory; Implemented?; Responsible; Metric Value; Assessed; Audit Comments. Row 1: ID.AM-1: Physical devices and systems within the organization are inventoried (Asset Management, ID.AM) 32
33 Profile Language ID.AM-1 33
34 Agenda SGCC Leadership Nelson Hastings Working Group Updates SGCC Cyber-Physical Resiliency Subgroup Presentation Chair: Dr. Elizabeth Sisley, Calm Sunrise Consulting, LLC Vice Chair: Dr. Michael Cohen, MITRE Corp. OpenFMB Cybersecurity Aaron Smallwood, Directory Technology, SEPA Presentation: Public Key Infrastructure (PKI) PKI: All the Facts You Wanted to Know and Were Afraid to Ask Presentation by William T. Polk, Group Manager for Cryptographic Technology Group, National Institute of Standards and Technology (NIST) 37
35 Why PKI Is So Darn Complicated and Why You Might Want to Use it Anyway Tim Polk 38
36 Objectives Establish the historical context; Understand how PKI works: why it is so complex, which design choices matter; Recognize which problems PKI can (and can't) solve 39
37 History of PKI in 4 Slides 40
38 Secret Key Cryptography is Easy, Key Management is Hard Sharing secrets has always been hard Secret key cryptography is easy (Caesar could do it!) This allows Alice and Bob to share a secret But there is a bootstrap problem You have to share a secret, and sharing secrets has always been hard 41
39 Public Key Cryptography is Easy, Key Management is Hard 1976, public key cryptography is invented and sharing secrets is easy Alice uses her private key, which no one else knows, to encrypt a message Alice shares her public key with everyone, Bob uses it to decrypt the secret But there is a bootstrap problem authenticating the public key (e.g., ensuring it [still] belongs to Alice) is hard almost as hard as sharing a secret Public key certificates were proposed soon after But we need a scalable mechanism for authenticating certificates And saying that key is no good anymore 42
40 PKI Standards are simple, as long as you support one application 1988, the X.509 certificate standard is published to facilitate the interconnection of information processing systems for the emerging Global X.500 directory. Approximately 12 of the 21 normative pages specify formats and processes to create a strictly hierarchical trust infrastructure, so a single public key authenticates the world. Hey, we can use that to support lots of applications! But many details required to support more general applications are omitted, so they soon published versions 2 and 3. And the emerging Global directory system doesn't materialize 43
41 The great thing about PKI standards is there are so many of them 1999, IETF publishes RFC 2459 to align X.509 v3 with the needs of Internet applications and leverage the Lightweight Directory Protocol RFC 2459 had 64 normative pages, and another 65 pages of appendices to aid implementers And we omitted stuff in 2459, so we had to publish RFCs 3280 and 5280 And another 67 supporting RFCs to cover new revocation strategies, logos, and trust anchors 44
42 So Why In the World Should You Use PKI? PKI offers a scalable mechanism to implement strong authentication to systems, digitally sign documents and code, share secret keys to support encrypted , sessions, etc., etc., etc. As a toolkit, it is kind of a Swiss Army knife for security, supporting a broad range of applications and services. Of course, a Swiss Army knife isn't usually the very best knife for any particular purpose. When features are carefully chosen, it can be a very successful and straightforward mechanism 45
43 PKI Roles and Objects Mandatory Roles and Objects Certification authorities (CAs), Registration authorities (RAs), a repository to store and distribute certificates and CRLs, certificate subjects (the entities that hold the private keys), and relying parties (who use the public keys) Optional Attribute certificates to specify extra information about certificate subjects Certificate Status Responders Path Validation Servers 46
44 Certificates Certificates bind an identity (the subject) to a public key. An issuing or certifying authority builds a certificate that contains: Subject's Distinguished Name; Subject's Public Key; Issuer's Distinguished Name; Extensions that further describe the subject, limit the use of the key, or The issuer digitally signs the certificate so no one can change its contents. 47
45 X.509 Certificate Format
VERSION: v1 or v2 or v3
SERIAL NUMBER: ACBDEFGH
SIGNATURE ALGORITHM: RSA with SHA-2
ISSUER: O=USG, OU=Commerce, CN=CA1
VALIDITY: 1/1/16-1/1/19
SUBJECT: O=USG, OU=Commerce, CN=Tim Polk
SUBJECT PUBLIC KEY INFO: RSA, RSTUVWXY
ISSUER UNIQUE ID
SUBJECT UNIQUE ID
EXTENSIONS
SIGNATURE 48
46 Public Keys Public key associated with any asymmetric algorithm Public key used to support: Digital Signature and Non-repudiation Key Management Data Encipherment Certificate Signature Certificate Revocation List Signature Best Current Practice: Give certificate subjects two ECC keys, one for signatures and another for key management. 49
47 X.509 Certificate Extensions Authority Key Identifier; Subject Key Identifier; Key Usage; Private Key Usage Period; Certificate Policies; Policy Mappings; Subject Alternative Name; Issuer Alternative Name; Freshest CRL; Basic Constraints; Name Constraints; Policy Constraints; Extended Key Usage; CRL Distribution Points; Inhibit Any-Policy; Authority Information Access; Subject Information Access; Subject Directory Attributes. Please don't define your own proprietary extension. We have at least one solution for almost everything! 50
48 Certificate Revocation Lists (CRLs) Lists of certificates that should no longer be trusted Can be big! Delta CRLs, Sliding Window Delta CRLs, Indirect CRLs are all optimizations for different environments 51
49 X.509 CRL Format
VERSION: v1 or v2
SIGNATURE ALGORITHM: RSA with SHA-2
ISSUER: O=USG, OU=Commerce, CN=CA1
LAST UPDATE: 7/28/17
NEXT UPDATE: 7/29/17
REVOKED CERTIFICATES: SEQUENCE OF { SERIAL NUMBER; REVOCATION DATE (e.g. 6/4/17); CRL ENTRY EXTENSIONS }
CRL EXTENSIONS
SIGNATURE 52
50 Certification Authority Establish and maintain an accurate binding between the public key and attributes contained in a certificate Manages and publishes certificates Issues and renews certificates Issues Certificate Revocation Lists (CRLs) Initializes tokens (optional) Generates and provides recovery for public/private key pairs (optional) 53
51 How do I get a certificate, anyway? The RA confirms the subject's identity and any other attributes in the certificate, then the CA issues the certificate and passes it to both the certificate subject and the repository. Two basic strategies: Face-to-face registration; Online registration. Unfortunate note: there are lots of Certificate Management Protocols to implement this 54
52 Making it Scale: Certification Path Alice can verify Bob's certificate by verifying a chain of certificates ending in one issued by a Certification Authority (CA) she trusts 55
53 Making it Scale: Public Key Infrastructure Topologies 56
54 Customizing PKI Online Certificate Status Protocol (OCSP) Responder answers the basic question: is this certificate revoked? Irrevocable trust in OCSP responder Delegated Path Validation Trusted server builds the entire path, but the relying party makes its own decision Simple Certificate Validation Protocol (SCVP) Server builds path and validates it for the client 57
55 Which leaves us with A certificate subject (Alice) with a couple of private keys and certificates who wants to sign and/or encrypt some data A relying party (Bob) that has selected one or more trusted roots, knows how to build and validate a path, and Can use public keys from validated certificates to verify the signature or decrypt the data And this works even though Alice and Bob may work for different organizations 58
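The certificate fields, the CRL, the certification path and the relying-party decision described on the preceding slides, as a runnable Go example added here (it is not code from the presentation, from NIST or from SEPA). It uses only Go's standard crypto/x509 package. The hierarchy (a root CA, the slide's issuing CA "CA1", subjects "Tim Polk" and "Alice"), the serial numbers, validity windows and the rogue CA are constructed for the demo; the distinguished names follow the slide's O=USG, OU=Commerce example, and ECDSA P-256 keys stand in for the slide's RSA keys, in line with the best practice on the Public Keys slide. The relying-party checks are the ones the slides call for: build a path from the subject to a trust anchor Bob has chosen, verify every signature and validity period, and treat a CRL as usable only after its own signature and freshness have been checked.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// DemoPKI is a constructed hierarchy: trusted root, the slide's issuing CA "CA1", a good subject certificate, one on CA1's CRL and one from a rogue CA.
type DemoPKI struct {
	Root, CA1, Leaf, Revoked, Rogue *x509.Certificate
	CRL                             []byte // DER-encoded CRL signed by CA1
}
// CAs sign certificates and CRLs; a subject's signature key only signs data (the slide's key-management key would go in a second certificate).
const caKU, eeKU = x509.KeyUsageCertSign | x509.KeyUsageCRLSign, x509.KeyUsageDigitalSignature

func must[T any](v T, err error) T { // fixture construction: any failure to build the demo is fatal
	if err != nil {
		panic(err)
	}
	return v
}

// tmpl fills the X.509 fields from the slide: serial, subject DN, validity, keyUsage and basicConstraints (cA=TRUE exactly when the key may sign certificates).
func tmpl(serial int64, cn string, ku x509.KeyUsage) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), KeyUsage: ku,
		IsCA:         ku&x509.KeyUsageCertSign != 0, BasicConstraintsValid: true,
		Subject:      pkix.Name{Organization: []string{"USG"}, OrganizationalUnit: []string{"Commerce"}, CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
	}
}

// BuildDemoPKI generates P-256 key pairs, then issues every certificate and the CRL (all values constructed for the demo).
func BuildDemoPKI() *DemoPKI {
	newKey := func() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }
	// issue has signer sign t (self-signed when parent == t) and parses the DER back so the issuer-computed key identifier extensions are populated.
	issue := func(t, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
		return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, t, parent, pub, signer))))
	}
	rootKey, caKey, subjKey, rogueKey := newKey(), newKey(), newKey(), newKey()
	root := tmpl(1, "Root CA", caKU)
	p := &DemoPKI{Root: issue(root, root, &rootKey.PublicKey, rootKey)} // self-signed trust anchor
	p.CA1 = issue(tmpl(2, "CA1", caKU), p.Root, &caKey.PublicKey, rootKey)
	p.Leaf = issue(tmpl(3, "Tim Polk", eeKU), p.CA1, &subjKey.PublicKey, caKey)
	p.Revoked = issue(tmpl(4, "Alice", eeKU), p.CA1, &subjKey.PublicKey, caKey)
	rogue := tmpl(1, "Root CA", caKU) // same DN as the real root, different key
	rogueCA := issue(rogue, rogue, &rogueKey.PublicKey, rogueKey)
	p.Rogue = issue(tmpl(3, "Tim Polk", eeKU), rogueCA, &subjKey.PublicKey, rogueKey)
	p.CRL = must(x509.CreateRevocationList(rand.Reader, &x509.RevocationList{ // CA1 publishes a v2 CRL
		Number: big.NewInt(1), ThisUpdate: time.Now().Add(-time.Minute), NextUpdate: time.Now().Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: p.Revoked.SerialNumber, RevocationTime: time.Now()}},
	}, p.CA1, caKey))
	return p
}

// VerifyChain is the relying party's path validation (RFC 5280 section 6): build subject -> CA1 -> trusted root,
// checking each signature, validity period, basicConstraints and path length; it returns the validated path's length.
func VerifyChain(subject, intermediate, root *x509.Certificate) (int, error) {
	opts := x509.VerifyOptions{Roots: x509.NewCertPool(), Intermediates: x509.NewCertPool(), KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	opts.Roots.AddCert(root)
	opts.Intermediates.AddCert(intermediate)
	chains, err := subject.Verify(opts)
	if err != nil {
		return 0, err
	}
	return len(chains[0]), nil
}

// RevokedByCRL does what a relying party must do with a CRL: verify the issuer's signature over it, confirm it is current, then look up the serial.
func RevokedByCRL(cert *x509.Certificate, crlDER []byte, issuer *x509.Certificate) (bool, error) {
	rl, err := x509.ParseRevocationList(crlDER)
	if err == nil {
		err = rl.CheckSignatureFrom(issuer) // never act on a list the issuer did not sign
	}
	if err != nil {
		return false, err
	}
	if now := time.Now(); now.Before(rl.ThisUpdate) || now.After(rl.NextUpdate) {
		return false, fmt.Errorf("CRL not current (thisUpdate %v, nextUpdate %v)", rl.ThisUpdate, rl.NextUpdate)
	}
	for _, rc := range rl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	p := BuildDemoPKI()
	fmt.Println(VerifyChain(p.Leaf, p.CA1, p.Root))    // 3 <nil>
	fmt.Println(VerifyChain(p.Rogue, p.CA1, p.Root))   // 0 and an "unknown authority" error
	fmt.Println(RevokedByCRL(p.Revoked, p.CRL, p.CA1)) // true <nil>
}
```

Two points the output makes concrete: the rogue certificate carries exactly the subject name on the slide and an issuer name identical to the real root's, yet fails, because trust comes from the signature chain to the root the relying party selected, not from any name; and a CRL whose nextUpdate has passed is reported as an error rather than as "not revoked", so a stale list can never silently re-admit a revoked key.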
56 Takeaways PKI is not for the faint of heart, but PKI provides a scalable and flexible foundation for the full range of cryptographic security in applications across organizational boundaries 59
57 THANK YOU
More informationSSL Certificates Certificate Policy (CP)
SSL Certificates Last Revision Date: February 26, 2015 Version 1.0 Revisions Version Date Description of changes Author s Name Draft 17 Jan 2011 Initial Release (Draft) Ivo Vitorino 1.0 26 Feb 2015 Full
More informationUsing Metrics to Gain Management Support for Cyber Security Initiatives
Using Metrics to Gain Management Support for Cyber Security Initiatives Craig Schumacher Chief Information Security Officer Idaho Transportation Dept. January 2016 Why Metrics Based on NIST Framework?
More informationApple Inc. Certification Authority Certification Practice Statement
Apple Inc. Certification Authority Certification Practice Statement Apple Application Integration Sub-CA Apple Application Integration 2 Sub-CA Apple Application Integration - G3 Sub-CA Version 6.3 Effective
More informationInformation Security Policy
April 2016 Table of Contents PURPOSE AND SCOPE 5 I. CONFIDENTIAL INFORMATION 5 II. SCOPE 6 ORGANIZATION OF INFORMATION SECURITY 6 I. RESPONSIBILITY FOR INFORMATION SECURITY 6 II. COMMUNICATIONS REGARDING
More informationFramework for Improving Critical Infrastructure Cybersecurity
1 Framework for Improving Critical Infrastructure Cybersecurity Standards Certification Education & Training Publishing Conferences & Exhibits Dean Bickerton ISA New Orleans April 5, 2016 A Brief Commercial
More informationApple Inc. Certification Authority Certification Practice Statement
Apple Inc. Certification Authority Certification Practice Statement Apple Application Integration Sub-CA Apple Application Integration 2 Sub-CA Apple Application Integration - G3 Sub-CA Version 6.2 Effective
More informationNCSF Foundation Certification
NCSF Foundation Certification Overview This ACQUIROS accredited training program is targeted at IT and Cybersecurity professionals looking to become certified on how to operationalize the NIST Cybersecurity
More informationAssurance over Cybersecurity using COBIT 5
Assurance over Cybersecurity using COBIT 5 Special thanks to ISACA for supplying material for this presentation. Anthony Noble, VP IT Audit, Viacom Inc. Anthony.noble@viacom.com Disclamer The opinions
More informationCyber Security Standards Developments
INTERNATIONAL ELECTROTECHNICAL COMMISSION Cyber Security Standards Developments Bart de Wijs Head of Cyber Security Power Grids Division ABB b.v. Frédéric Buchi Sales&Consulting Cyber Security Siemens
More informationTARGET2-SECURITIES INFORMATION SECURITY REQUIREMENTS
Target2-Securities Project Team TARGET2-SECURITIES INFORMATION SECURITY REQUIREMENTS Reference: T2S-07-0270 Date: 09 October 2007 Version: 0.1 Status: Draft Target2-Securities - User s TABLE OF CONTENTS
More informationCertification Practice Statement of the Federal Reserve Banks Services Public Key Infrastructure
Certification Practice Statement of the Federal Reserve Banks Services Public Key Infrastructure 1.0 INTRODUCTION 1.1 Overview The Federal Reserve Banks operate a public key infrastructure (PKI) that manages
More informationFRAMEWORK MAPPING HITRUST CSF V9 TO ISO 27001/27002:2013. Visit us online at Flank.org to learn more.
FRAMEWORK MAPPING HITRUST CSF V9 TO ISO 27001/27002:2013 Visit us online at Flank.org to learn more. HITRUST CSF v9 Framework ISO 27001/27002:2013 Framework FLANK ISO 27001/27002:2013 Documentation from
More informationApple Corporate Certificates Certificate Policy and Certification Practice Statement. Apple Inc.
Apple Inc. Certificate Policy and Certification Practice Statement Version 1.0 Effective Date: March 12, 2015 Table of Contents 1. Introduction... 4 1.1. Trademarks... 4 1.2. Table of acronyms... 4 1.3.
More informationOil & Natural Gas Third Party Collaboration IT Security NIST Profile API ITSS Third Party Collaboration IT Security Workgroup
Oil & Natural Gas Third Party Collaboration IT Security NIST Profile API ITSS Third Party Collaboration IT Security Workgroup 12/16/2016 Contents 1 Introduction... 3 2 Approach... 3 2.1 Relevant NIST Categories...
More informationApple Inc. Certification Authority Certification Practice Statement. Apple Application Integration Sub-CA Apple Application Integration 2 Sub-CA
Apple Inc. Certification Authority Certification Practice Statement Apple Application Integration Sub-CA Apple Application Integration 2 Sub-CA Version 4.0 Effective Date: September 18, 2013 Table of Contents
More informationIn support of this, the Coalition intends to host an event bringing together government and private sector leaders and experts to further discuss this
Coalition for Cybersecurity Policy & Law Coalition for Cybersecurity Policy & Law 600 Massachusetts Ave, NW, Washington, DC 20001 February 12, 2018 VIA EMAIL: counter_botnet@list.commerce.gov Evelyn L.
More informationDiscussion Draft of the Preliminary Cybersecurity Framework August 28, 2013
1 Discussion Draft of the Preliminary Cybersecurity Framework August 28, 2013 2 3 A Discussion Draft of the Preliminary Cybersecurity Framework for improving critical 4 infrastructure cybersecurity is
More informationCyber Security & Homeland Security:
Cyber Security & Homeland Security: Cyber Security for CIKR and SLTT Michael Leking 19 March 2014 Cyber Security Advisor Northeast Region Office of Cybersecurity and Communications (CS&C) U.S. Department
More informationSAC PA Security Frameworks - FISMA and NIST
SAC PA Security Frameworks - FISMA and NIST 800-171 June 23, 2017 SECURITY FRAMEWORKS Chris Seiders, CISSP Scott Weinman, CISSP, CISA Agenda Compliance standards FISMA NIST SP 800-171 Importance of Compliance
More informationAmerican Association of Port Authorities Port Security Seminar & Expo Cyber Security Preparedness and Resiliency in the Marine Environment
American Association of Port Authorities Port Security Seminar & Expo Cyber Security Preparedness and Resiliency in the Marine Environment July 20, 2017 DECIDEPLATFORM.COM The new Reality of Cyber Security
More informationUpdates to the NIST Cybersecurity Framework
Updates to the NIST Cybersecurity Framework NIST Cybersecurity Framework Overview and Other Documentation October 2016 Agenda: Overview of NIST Cybersecurity Framework Updates to the NIST Cybersecurity
More informationThe Common Controls Framework BY ADOBE
The Controls Framework BY ADOBE The following table contains the baseline security subset of control activities (derived from the Controls Framework by Adobe) that apply to Adobe s enterprise offerings.
More informationTexas Reliability Entity, Inc. Strategic Plan for 2017 TEXAS RE STRATEGIC PLAN FOR 2017 PAGE 1 OF 13
Texas Reliability Entity, Inc. Strategic Plan for 2017 TEXAS RE STRATEGIC PLAN FOR 2017 PAGE 1 OF 13 I. Vision A highly reliable and secure bulk power system in the Electric Reliability Council of Texas
More informationQuickBooks Online Security White Paper July 2017
QuickBooks Online Security White Paper July 2017 Page 1 of 6 Introduction At Intuit QuickBooks Online (QBO), we consider the security of your information as well as your customers and employees data a
More informationExecutive Order & Presidential Policy Directive 21. Ed Goff, Duke Energy Melanie Seader, EEI
Executive Order 13636 & Presidential Policy Directive 21 Ed Goff, Duke Energy Melanie Seader, EEI Agenda Executive Order 13636 Presidential Policy Directive 21 Nation Infrastructure Protection Plan Cybersecurity
More informationThe Key Principles of Cyber Security for Connected and Automated Vehicles. Government
The Key Principles of Cyber Security for Connected and Automated Vehicles Government Contents Intelligent Transport System (ITS) & Connected and Automated Vehicle (CAV) System Security Principles: 1. Organisational
More informationInformation Technology Security Plan Policies, Controls, and Procedures Protect: Identity Management and Access Control PR.AC
Information Technology Security Plan Policies, Controls, and Procedures Protect: Identity Management and Access Control PR.AC Location: https://www.pdsimplified.com/ndcbf_pdframework/nist_csf_prc/documents/protect/ndcbf_
More informationTechnical Conference on Critical Infrastructure Protection Supply Chain Risk Management
Technical Conference on Critical Infrastructure Protection Supply Chain Risk Management Remarks of Marcus Sachs, Senior Vice President and the Chief Security Officer North American Electric Reliability
More informationBUSINESS CONTINUITY MANAGEMENT PROGRAM OVERVIEW
BUSINESS CONTINUITY MANAGEMENT PROGRAM OVERVIEW EXECUTIVE SUMMARY CenturyLink is committed to ensuring business resiliency and survivability during an incident or business disruption. Our Corporate Business
More informationISA99 - Industrial Automation and Controls Systems Security
ISA99 - Industrial Automation and Controls Systems Security Committee Summary and Activity Update Standards Certification Education & Training Publishing Conferences & Exhibits September 2016 Copyright
More informationusing COBIT 5 best practices?
How to effectively mitigate Risks and ensure effective deployment of IOT using COBIT 5 best practices? CA. Abdul Rafeq, FCA, CISA, CIA, CGEIT Managing Director, Wincer Infotech Limited Past Member, COBIT
More informationGoogle Cloud & the General Data Protection Regulation (GDPR)
Google Cloud & the General Data Protection Regulation (GDPR) INTRODUCTION General Data Protection Regulation (GDPR) On 25 May 2018, the most significant piece of European data protection legislation to
More informationAppendix A. Syllabus. NIST Cybersecurity Foundation. Syllabus. Status: First Draft
Appendix A Syllabus NIST Cybersecurity Foundation Syllabus Status: First Draft Version Status Sign off Date / Names V1.0.0 First Draft Content Group Lead Author: Mark E.S. Bernard Copyright 2018 Secure
More informationSYSTEMS ASSET MANAGEMENT POLICY
SYSTEMS ASSET MANAGEMENT POLICY Policy: Asset Management Policy Owner: CIO Change Management Original Implementation Date: 7/1/2017 Effective Date: 7/1/2017 Revision Date: Approved By: NIST Cyber Security
More informationCyber Security Program
Cyber Security Program Cyber Security Program Goals and Objectives Goals Provide comprehensive Security Education and Awareness to the University community Build trust with the University community by
More informationCSE 565 Computer Security Fall 2018
CSE 565 Computer Security Fall 2018 Lecture 11: Public Key Infrastructure Department of Computer Science and Engineering University at Buffalo 1 Lecture Outline Public key infrastructure Certificates Trust
More informationProtecting Controlled Unclassified Information(CUI) in Nonfederal Information Systems and Organizations
Protecting Controlled Unclassified Information(CUI) in Nonfederal Information Systems and Organizations January 9 th, 2018 SPEAKER Chris Seiders, CISSP Security Analyst Computing Services and Systems Development
More informationNW NATURAL CYBER SECURITY 2016.JUNE.16
NW NATURAL CYBER SECURITY 2016.JUNE.16 ADOPTED CYBER SECURITY FRAMEWORKS CYBER SECURITY TESTING SCADA TRANSPORT SECURITY AID AGREEMENTS CONCLUSION QUESTIONS ADOPTED CYBER SECURITY FRAMEWORKS THE FOLLOWING
More informationSECURITY & PRIVACY DOCUMENTATION
Okta s Commitment to Security & Privacy SECURITY & PRIVACY DOCUMENTATION (last updated September 15, 2017) Okta is committed to achieving and preserving the trust of our customers, by providing a comprehensive
More informationFramework for Improving Critical Infrastructure Cybersecurity. and Risk Approach
Framework for Improving Critical Infrastructure Cybersecurity Implementation of Executive Order 13636 and Risk Approach June 9, 2016 cyberframework@nist.gov Executive Order: Improving Critical Infrastructure
More informationexisting customer base (commercial and guidance and directives and all Federal regulations as federal)
ATTACHMENT 7 BSS RISK MANAGEMENT FRAMEWORK PLAN [L.30.2.7, M.2.2.(7), G.5.6; F.2.1(41) THROUGH (76)] A7.1 BSS SECURITY REQUIREMENTS Our Business Support Systems (BSS) Risk MetTel ensures the security of
More informationAltius IT Policy Collection Compliance and Standards Matrix
Governance Context and Alignment Policy 4.1 4.4 800-26 164.308 12.4 EDM01 IT Governance Policy 5.1 800-30 12.5 EDM02 Leadership Mergers and Acquisitions Policy A.6.1.1 800-33 EDM03 Context Terms and Definitions
More informationLayer Security White Paper
Layer Security White Paper Content PEOPLE SECURITY PRODUCT SECURITY CLOUD & NETWORK INFRASTRUCTURE SECURITY RISK MANAGEMENT PHYSICAL SECURITY BUSINESS CONTINUITY & DISASTER RECOVERY VENDOR SECURITY SECURITY
More informationServer-based Certificate Validation Protocol
Server-based Certificate Validation Protocol Digital Certificate and PKI a public-key certificate is a digital certificate that binds a system entity's identity to a public key value, and possibly to additional
More informationImplementing Executive Order and Presidential Policy Directive 21
March 26, 2013 Implementing Executive Order 13636 and Presidential Policy Directive 21 Mike Smith, Senior Cyber Policy Advisor, Office of Electricity Delivery and Energy Reliability, Department of Energy
More informationSYMANTEC: SECURITY ADVISORY SERVICES. Symantec Security Advisory Services The World Leader in Information Security
SYMANTEC: SECURITY ADVISORY SERVICES Symantec Security Advisory Services The World Leader in Information Security Knowledge, as the saying goes, is power. At Symantec we couldn t agree more. And when it
More informationTwilio cloud communications SECURITY
WHITEPAPER Twilio cloud communications SECURITY From the world s largest public companies to early-stage startups, people rely on Twilio s cloud communications platform to exchange millions of calls and
More informationДОБРО ПОЖАЛОВАТЬ SIEMENS AG ENERGY MANAGEMENT
ДОБРО ПОЖАЛОВАТЬ SIEMENS AG ENERGY MANAGEMENT ENERGY AUTOMATION - SMART GRID Restricted Siemens AG 20XX All rights reserved. siemens.com/answers Frederic Buchi, Energy Management Division, Siemens AG Cyber
More informationRisk-Based Cyber Security for the 21 st Century
Risk-Based Cyber Security for the 21 st Century 7 th Securing the E-Campus Dartmouth College July 16, 2013 Dr. Ron Ross Computer Security Division Information Technology Laboratory NATIONAL INSTITUTE OF
More informationDigital Certificates Demystified
Digital Certificates Demystified Ross Cooper, CISSP IBM Corporation RACF/PKI Development Poughkeepsie, NY Email: rdc@us.ibm.com August 9 th, 2012 Session 11622 Agenda Cryptography What are Digital Certificates
More informationBUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE
BUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE 1 WHAT IS YOUR SITUATION? Excel spreadsheets Manually intensive Too many competing priorities Lack of effective reporting Too many consultants Not
More informationWhy you should adopt the NIST Cybersecurity Framework
Why you should adopt the NIST Cybersecurity Framework It s important to note that the Framework casts the discussion of cybersecurity in the vocabulary of risk management Stating it in terms Executive
More informationCertified Information Systems Auditor (CISA)
Certified Information Systems Auditor (CISA) 1. Domain 1 The Process of Auditing Information Systems Provide audit services in accordance with IT audit standards to assist the organization in protecting
More informationDirectTrust Governmental Trust Anchor Bundle Standard Operating Procedure
DirectTrust Governmental Trust Anchor Bundle Standard Operating Procedure Change Control Date Version Description of changes 15-December- 2016 1-December- 2016 17-March- 2016 4-February- 2016 3-February-
More informationBecause Security Gives Us Freedom
Because Security Gives Us Freedom PANOPTIC CYBERDEFENSE CYBERSECURITY LEADERSHIP Panoptic Cyberdefense is a monitoring and detection service in three levels: Security Management and Reporting Managed Detection
More informationAltius IT Policy Collection Compliance and Standards Matrix
Governance Context and Alignment Policy 4.1 4.4 800-26 164.308 12.4 EDM01 IT Governance Policy 5.1 800-30 12.5 EDM02 Leadership Mergers and Acquisitions Policy A.6.1.1 800-33 EDM03 Context Terms and Definitions
More informationCybersecurity & Privacy Enhancements
Business, Industry and Government Cybersecurity & Privacy Enhancements John Lainhart, Director, Grant Thornton The National Institute of Standards and Technology (NIST) is in the process of updating their
More informationCybersecurity Presidential Policy Directive Frequently Asked Questions. kpmg.com
Cybersecurity Presidential Policy Directive Frequently Asked Questions kpmg.com Introduction On February 12, 2013, the White House released the official version of the Presidential Policy Directive regarding
More informationNIST Compliance Controls
NIST 800-53 Compliance s The following control families represent a portion of special publication NIST 800-53 revision 4. This guide is intended to aid McAfee, its partners, and its customers, in aligning
More informationCritical Information Infrastructure Protection Law
Critical Information Infrastructure Protection Law CCD COE Training 8 September 2009 Tallinn, Estonia Maeve Dion Center for Infrastructure Protection George Mason University School of Law Arlington, Virginia.
More information_isms_27001_fnd_en_sample_set01_v2, Group A
1) What is correct with respect to the PDCA cycle? a) PDCA describes the characteristics of information to be maintained in the context of information security. (0%) b) The structure of the ISO/IEC 27001
More informationInformation technology Security techniques Information security controls for the energy utility industry
INTERNATIONAL STANDARD ISO/IEC 27019 First edition 2017-10 Information technology Security techniques Information security controls for the energy utility industry Technologies de l'information Techniques
More informationSTRENGTHENING THE CYBERSECURITY OF FEDERAL NETWORKS AND CRITICAL INFRASTRUCTURE
STRENGTHENING THE CYBERSECURITY OF FEDERAL NETWORKS AND CRITICAL INFRASTRUCTURE By the authority vested in me as President by the Constitution and the laws of the United States of America, it is hereby
More informationCERTIFICATE POLICY CIGNA PKI Certificates
CERTIFICATE POLICY CIGNA PKI Certificates Version: 1.1 Effective Date: August 7, 2001 a Copyright 2001 CIGNA 1. Introduction...3 1.1 Important Note for Relying Parties... 3 1.2 Policy Identification...
More information"Charting the Course... Certified Information Systems Auditor (CISA) Course Summary
Course Summary Description In this course, you will perform evaluations of organizational policies, procedures, and processes to ensure that an organization's information systems align with overall business
More informationThe NIS Directive and Cybersecurity in
The NIS Directive and Cybersecurity in ehealth Dr. Athanasios Drougkas Officer in NIS Belgian Hospitals Meeting on Security Brussels 13 th October European Union Agency For Network And Information Security
More informationSeven Requirements for Successfully Implementing Information Security Policies and Standards
Seven Requirements for Successfully Implementing and Standards A guide for executives Stan Stahl, Ph.D., President, Citadel Information Group Kimberly A. Pease, CISSP, Vice President, Citadel Information
More informationData Inventory and Classification, Physical Devices and Systems ID.AM-1, Software Platforms and Applications ID.AM-2 Inventory
Audience: NDCBF IT Security Team Last Reviewed/Updated: March 2018 Contact: Henry Draughon hdraughon@processdeliveysystems.com Overview... 2 Sensitive Data Inventory and Classification... 3 Applicable
More informationStandard CIP Cyber Security Critical Cyber Asset Identification
Standard CIP 002 1 Cyber Security Critical Cyber Asset Identification Standard Development Roadmap This section is maintained by the drafting team during the development of the standard and will be removed
More informationStrengthening the Cybersecurity of Federal Networks and Critical Infrastructure
Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure Executive Order 13800 Update July 2017 In Brief On May 11, 2017, President Trump issued Executive Order 13800, Strengthening
More information