Opportunities (a.k.a challenges) Interfaces Governance Security boundaries expanded Legacy systems New application Compliance

Transcription

1 KY HEALTH & NIST CSF 1115 Waiver Involves legacy systems New development Interfaces between systems with and without sensitive information Changes the security boundaries

2 Opportunities (a.k.a challenges) Interfaces Governance Security boundaries expanded Legacy systems New application Compliance

3 Regulatory Requirements Compliance CMS MARS-E 2.0 SSP (350) ISRA POAM OCR HSR (156) IRS SSA DHS (SLTT) KRS Security OMB FISMA (a-130) PCI DSS CSA FEDRAMP NERC CIP AICPA DoD SOX GLBA

4 Simple Enable business Goals Protect/reduce risk & meet compliance Repeatable Auditable/governance Provide a high-level, strategic view of the organization s management of cybersecurity risk

5 Our Strategy NIST CSF Accommodates our goals Simple Check lists Enable business PMO office Protect/reduce risk & meet compliance Repeatable Across divisions, projects, programs Auditable/governance Proof, you can tell me you love me, but do you show me?

6 CSF IMPLEME NTATION Security Architect Mapped to regulatory requirements Aligned to goals and business requirements Innovative

7

8 NIST CSF

9 Cyber Security Framework Components

10

11 CSF IMPLEMENTATION GUIDE ROADMAP ASSESS STRATEGY GAP ANALYSIS PLAN OF ACTION MEASUREMENT WHERE ARE WE NOW WHERE DO WE WANT TO BE WHAT ARE OUR GAPS HOW DO WE GET THERE HOW DO WE KNOW OUR IMPACT CURRENT PROFILE TARGET PROFILE POAMs ROADMAP SCORECARD

12 Keeping it Simple Checklist Validations Use subsets of NIST (and/or other) controls to validate a finite number of controls Do not test against entire control sets Regulatory Stack Conclusions Compliance efforts require responses to hundreds of control questions Ongoing CSF Validations help satisfy regulatory Audits, Examinations, Obligations Policy Stack Provides guidance and procedural requirements to effectively manage checklist validations

13 What Assesse sees Checklists

14 What Assessor sees Checklists

15 Validation Test: CSF Function Total RESPOND RECOVER PROTECT IDENTIFY DETECT

16 Validation Test: CSF Category Total (blank) RS.RP RC.RP PR.RP PR.IP PR.DS PR.AC ID.RA Total ID.BE ID.AM DE.DP DE.CM DE.AE

17 Validation Test: NIST Controls

18 Checklists Gaps by FUNCTION Total DETECT YES IDENTIFY YES PROTECT YES RESPOND YES

19 Checklists Gaps by Category Total YES DE.AE YES DE.CM YES DE.DP YES ID.AM YES PR.AC YES PR.DS YES PR.IP YES RS.RP

20 YES Checklists Gaps by Category Total RS.RP PR.IP PR.DS PR.AC ID.AM Total DE.DP DE.CM DE.AE

21 Validation Test: CSF SUB Categories

22 Validation Test: CSF Categories Function Function Category Identifier Category Current Tier Target Tier ID PR DE RS RC Identify Protect Detect Respond Recover ID.AM Asset Management 1 3 ID.BE Business Environment 2 3 ID.GV Governance 3 3 ID.RA Risk Assessment 1 3 ID.RM Risk Management Strategy 2 3 ID.SC Supply Chain Risk Management 3 3 PR.AC Access Control 1 3 PR.AT Awareness and Training 2 3 PR.DS Data Security 3 3 PR.IP Information Protection Processes and 1 3 Procedures PR.MA Maintenance 2 3 PR.PT Protective Technology 3 3 DE.AE Anomalies and Events 1 3 DE.CM Security Continuous Monitoring 2 3 DE.DP Detection Processes 3 3 RS.RP Response Planning 1 3 RS.CO Communications 2 3 RS.AN Analysis 3 3 RS.MI Mitigation 1 3 RS.IM Improvements 2 3 RC.RP Recovery Planning 3 3 RC.IM Improvements 1 3 RC.CO Communications 1 3

23 Summary Simple Enables business and development Repeatable Auditable Cost savings (time, fines, fixes)

24 Contact Information Dennis E. Leber CISO for CHFS Commonwealth of KY Twitter Mark Enlow Lead/Senior Security Architect CHFS Mark.enlow@ky.gov

25 QUESTIONS??