Framework for Improving Critical Infrastructure Cybersecurity
|
|
- Amberly Rosalind Wilkerson
- 6 years ago
- Views:
Transcription
1 Framework for Improving Critical Infrastructure Cybersecurity May 2017
2 Why Cybersecurity Framework? Cybersecurity Framework Uses Identify mission or business cybersecurity dependencies Align and de-conflict cybersecurity requirements Prioritize cybersecurity outcomes Organize, authorize, task, and track work Express risk disposition Understand gaps between current and target 2
3 The Cybersecurity Framework... Includes a set of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks. Provides a prioritized, flexible, repeatable, performancebased, and cost-effective approach, including information security measures and controls, to help owners and operators of critical infrastructure identify, assess, and manage cyber risk. Identifies areas for improvement to be addressed through future collaboration with particular sectors and standards-developing organizations. Is consistent with voluntary international standards. 3
4 The Framework Is for Organizations Of any size, in any sector in (and outside of) the critical infrastructure. That already have a mature cyber risk management and cybersecurity program. That don t yet have a cyber risk management or cybersecurity program. Needing to keep up-to-date managing risks, facing business or societal threats. In the federal government, too since it is compatible with FISMA requirements and goals. 4
5 Cybersecurity Framework Components Aligns industry standards and best practices to the Framework Core in a particular implementation scenario Cybersecurity activities and informative references, organized around particular outcomes Supports prioritization and measurement while factoring in business needs Framework Profile Framework Core Enables communication of cyber risk across an organization Framework Implementation Tiers Describes how cybersecurity risk is managed by an organization and degree the risk management practices exhibit key characteristics 5
6 Implementation Tiers Risk Management Process Integrated Risk Management Program External Participation Partial Risk Informed Repeatable Adaptive The functionality and repeatability of cybersecurity risk management The extent to which cybersecurity is considered in broader risk management decisions The degree to which the organization benefits my sharing or receiving information from outside parties 6 6
7 Core Cybersecurity Framework Component Senior Executives Broad enterprise considerations Abstracted risk vocabulary Specialists in Other Fields Specific focus outside of cybersecurity Specialized or no risk vocabulary Implementation/ Operations Deep technical considerations Highly specialized vocabulary 7
8 Core Cybersecurity Framework Component What processes and assets need protection? What safeguards are available? What techniques can identify incidents? What techniques can contain impacts of incidents? What techniques can restore capabilities? Function Category ID Asset Management ID.AM Business Environment ID.BE Governance ID.GV Identify Risk Assessment ID.RA Protect Detect Respond Recover Risk Management Strategy Access Control Awareness and Training Data Security Information Protection Processes & Procedures Maintenance Protective Technology Anomalies and Events Security Continuous Monitoring Detection Processes Response Planning Communications Analysis Mitigation Improvements Recovery Planning Improvements Communications ID.RM PR.AC PR.AT PR.DS PR.IP PR.MA PR.PT DE.AE DE.CM DE.DP RS.RP RS.CO RS.AN RS.MI RS.IM RC.RP RC.IM RC.CO 8
9 Core Example Cybersecurity Framework Component Function Category Subcategory Informative Reference 9
10 Profile Cybersecurity Framework Component Ways to think about a Profile: A customization of the Core for a given sector, subsector, or organization. A fusion of business/mission logic and cybersecurity outcomes. Identify Protect Detect Respond Recover An alignment of cybersecurity requirements with operational methodologies. A basis for assessment and expressing target state. A decision support tool for cybersecurity risk management. 10
11 Building a Profile A Profile Can be Created in Three Steps 1 Mission Objective A B C Cybersecurity Requirements Legislation Regulation Internal & External Policy Best Practice Subcategory Operating Methodologies 2 3 Guidance and methodology on implementing, managing, and monitoring 11
12 Framework 7-Step Process Step 1: Prioritize and Scope Step 2: Orient Step 3: Create a Current Profile Step 4: Conduct a Risk Assessment Step 5: Create a Target Profile Step 6: Determine, Analyze, and Prioritize Gaps Step 7: Implementation Action Plan 12
13 Supporting Risk Management with Framework 13
14 Conceptual Profile Value Proposition 2 Cybersecurity 1 3 Operating Requirements Subcategory Priority Methodologies A 1 moderate I II B C 2 high III D IV 3 moderate E V F VI VII G 98 moderate VIII When you organize yourself in this way: Compliance reporting becomes a byproduct of running your security operation Adding new security requirements is straightforward Adding or changing operational methodology is nonintrusive to on-going operation 14
15 Resource and Budget Decision Making What Can You Do with a CSF Profile? As-Is Year 1 To-Be Year 2 To-Be Sub- Year 1 Year 2 category Priority Gaps Budget Activities Activities 1 moderate small $$$ X 2 high large $$ X 3 moderate medium $ X 98 moderate none $$ reassess and supports on-going operational decisions, too 15
16 Profile Ecosystem TAXONOMY NIST REQUIREMENTS 1 Req A 2 Req B 3 Req C Req ZZ Community PRIORITIES 1 Req A High 2 Req B Mod 3 Req C Low Req ZZ High Organization or Community Cybersecurity Framework Core Crosswalks Mappings Cybersecurity Framework Profile 16
17 Key Attributes It s voluntary Is meant to be customized. It s a framework, not a prescriptive standard Provides a common language and systematic methodology Does not tell an organization how much cyber risk is tolerable, nor provide the one and only formula for cybersecurity. Enable best practices to become standard practices for everyone It s a living document Can be updated as stakeholders learn from implementation Can be updated as technology and threats changes. It s broadly applicable All size organizations; all maturities of risk practices; both inside and outside of critical infrastructure; industries, governments, and academia 17
18 Examples of Framework Industry Resources Italy s National Framework for Cybersecurity American Water Works Association s Process Control System Security Guidance for the Water Sector The Cybersecurity Framework in Action: An Intel Use Case Cybersecurity Risk Management and Best Practices Working Group 4: Final Report Energy Sector Cybersecurity Framework Implementation Guidance 18
19 Examples of State & Local Use Texas, Department of Information Resources Aligned Agency Security Plans with Framework Aligned Product and Service Vendor Requirements with Framework North Dakota, Information Technology Department Allocated Roles & Responsibilities using Framework Adopted the Framework into their Security Operation Strategy National Association of State CIOs 2 out of 3 CIOs from the 2015 NASCIO Awards cited Framework as a part of their award-winning strategy Houston, Greater Houston Partnership Integrated Framework into their Cybersecurity Guide Offer On-Line Framework Self-Assessment New Jersey Developed a cybersecurity framework that aligns controls and procedures with Framework 19
20 NIST Manufacturing Profile NIST Discrete Manufacturing Cybersecurity Framework Profile Utilizing CSF Informative References to create tailored language for the manufacturing sector NIST SP NIST SP ISA / IEC
21 U.S. Coast Guard Maritime Bulk Liquids Transfer Framework Profile NCCoE and United States Coast Guard (USCG) worked together to draft a USCG Maritime Profile, based on the Cybersecurity Framework Aligns the USCG s cyber strategy with cybersecurity activities of the maritime bulk liquid transport operations of the oil & natural gas industry, utilizing standards and best practices guided by the Framework The profile can help individual companies clarify how cybersecurity fits into their mission priorities and how best to allocate resources to secure their information and operational systems. The profile is available at: 21
22 NIST Baldrige Excellence Builders Baldrige Cybersecurity Excellence Builder Manufacturing Service Small Business Education Healthcare Non-profit Cybersecurity (2017) Self-assessment criteria with basis in Cybersecurity Framework Complements NIST Baldrige Program s performance excellence successes. April 2-5, th Annual Quest for Excellence Conference Pre-conference workshop that focuses on cybersecurity will be held on April 2 nd - visit: 22
23 Continued Improvement of Critical Infrastructure Cybersecurity Amends the National Institute of Standards and Technology Act (15 U.S.C. 272(c)) to say: on an ongoing basis, facilitate and support the development of a voluntary, consensus-based, industry-led set of standards, guidelines, best practices, methodologies, procedures, and processes to cost-effectively reduce cyber risks to critical infrastructure Cybersecurity Enhancement Act of 2014 (P.L ) 18 December
24 Basics about the Proposed Revision to Framework Draft Cybersecurity Framework Version 1.1 Draft Version 1.1 of the Cybersecurity Framework seeks to clarify, refine, and enhance the Framework The Framework remains flexible, voluntary, and cost-effective The update is fully compatible with V1.0 Updates were derived from feedback NIST received since publication of Cybersecurity Framework Version 1.0 A 90 day public comment period for the version 1.1 draft ended April 10 th, 2017 There will be a Workshop May 16-17, 2017 to continue discussion 24
25 Input to the Framework Update Draft Cybersecurity Framework Version 1.1 The Update was based on feedback from the cybersecurity community including: December 2015 request for information Lessons learned from Framework use Shared resources from industry partners April 2016 Cybersecurity Framework workshop Advances made in areas identified in the Roadmap issued with the Framework in February
26 Major Themes from Inputs Draft Cybersecurity Framework Version 1.1 Several major themes were identified and considered during the update which included: Strengthening authentication & identity management in the Framework Core Guidance for acquisition and supply chain risk management (SCRM) Methodology for measurement and generating metrics Clarity on Implementation tiers and their relationship to profiles 26
27 Cyber Supply Chain Risk Management (SCRM) Overview Draft Cybersecurity Framework Version 1.1 The most notable changes in the draft update related to SCRM Section 3.3 now explains role of SCRM in cybersecurity Multiple provisions were added, including a new category in the Framework Core 27
28 Implementation Tiers and Profiles Draft Cybersecurity Framework Version 1.1 Additional language added on use of Framework Tiers to include prioritization within target Profile and to inform progress in addressing Profile gaps Language added to reflect integration of Framework considerations within organizational risk management programs Tiers have been expanded to include cyber SCRM considerations Figure 2.0 updated to include actions from the Framework Tiers 28
29 Identity Management Draft Cybersecurity Framework Version 1.1 Language of the Access Control category refined to better account for authorization Subcategory on identity proofing (PR.AC-6) added to the Access Control category Access Control category renamed to Identity Management, Authentication and Access Control (PR.AC) to better represent Category and Subcategories scope 29
30 Cybersecurity Measurement Draft Cybersecurity Framework Version 1.1 Sections 4.0 and 4.1 Correlation between business results and cybersecurity risk management outcomes Metrics versus measures Leading versus lagging Section 4.2 Types of Cybersecurity Measurement Framework measurement provides a basis for strong, trusted relationships, both inside and outside of an organization Higher-Level Lower-Level Behaviors Implementation Tiers Process Behaviors Outcomes Core Informative References Outcomes Metrics Practices Management Measures Process Technical 30
31 Resources Where to Learn More and Stay Current Framework for Improving Critical Infrastructure Cybersecurity and related news, information: Additional cybersecurity resources: Questions, comments, ideas:
The NIST Cybersecurity Framework
The NIST Cybersecurity Framework U.S. German Standards Panel 2018 April 10, 2018 Adam.Sedgewick@nist.gov National Institute of Standards and Technology About NIST Agency of U.S. Department of Commerce
More informationFramework for Improving Critical Infrastructure Cybersecurity
Framework for Improving Critical Infrastructure Cybersecurity November 2017 cyberframework@nist.gov Supporting Risk Management with Framework 2 Core: A Common Language Foundational for Integrated Teams
More informationThe Road Ahead for Healthcare Sector: What to Expect in Cybersecurity Session CS6, February 19, 2017 Donna F. Dodson, Chief Cybersecurity Advisor,
The Road Ahead for Healthcare Sector: What to Expect in Cybersecurity Session CS6, February 19, 2017 Donna F. Dodson, Chief Cybersecurity Advisor, National Institute of Standards and Technology 1 Speaker
More informationNIST Cybersecurity Testbed for Transportation Systems. CheeYee Tang Electronics Engineer National Institute of Standards and Technology
NIST Cybersecurity Testbed for Transportation Systems CheeYee Tang Electronics Engineer National Institute of Standards and Technology National Institute of Standards and Technology (NIST) About NIST NIST
More informationFunction Category Subcategory Implemented? Responsible Metric Value Assesed Audit Comments
Function Category Subcategory Implemented? Responsible Metric Value Assesed Audit Comments 1 ID.AM-1: Physical devices and systems within the organization are inventoried Asset Management (ID.AM): The
More informationCybersecurity Framework Manufacturing Profile
Cybersecurity Framework Manufacturing Profile Keith Stouffer Project Leader, Cybersecurity for Smart Manufacturing Systems Engineering Lab, NIST National Institute of Standards and Technology (NIST) NIST
More informationOpportunities (a.k.a challenges) Interfaces Governance Security boundaries expanded Legacy systems New application Compliance
KY HEALTH & NIST CSF 1115 Waiver Involves legacy systems New development Interfaces between systems with and without sensitive information Changes the security boundaries Opportunities (a.k.a challenges)
More informationSecuring an IT. Governance, Risk. Management, and Audit
Securing an IT Organization through Governance, Risk Management, and Audit Ken Sigler Dr. James L. Rainey, III CRC Press Taylor & Francis Group Boca Raton London New York CRC Press Is an imprint cf the
More informationCybersecurity Risk Management:
Cybersecurity Risk Management: Building a Culture of Responsibility G7 ICT and Industry Multistakeholder Conference September 25 2017 Adam Sedgewick asedgewick@doc.gov Cybersecurity in the Department of
More informationOverview of the Cybersecurity Framework
Overview of the Cybersecurity Framework Implementation of Executive Order 13636 Matt Barrett Program Manager matthew.barrett@nist.gov cyberframework@nist.gov 15 January 2015 Executive Order: Improving
More informationFramework for Improving Critical Infrastructure Cybersecurity. and Risk Approach
Framework for Improving Critical Infrastructure Cybersecurity Implementation of Executive Order 13636 and Risk Approach June 9, 2016 cyberframework@nist.gov Executive Order: Improving Critical Infrastructure
More informationAcalvio Deception and the NIST Cybersecurity Framework 1.1
Acalvio Deception and the NIST Cybersecurity Framework 1.1 June 2018 The Framework enables organizations regardless of size, degree of cybersecurity risk, or cybersecurity sophistication to apply the principles
More informationFramework for Improving Critical Infrastructure Cybersecurity
Framework for Improving Critical Infrastructure Cybersecurity Version 1.0 National Institute of Standards and Technology February 12, 2014 Table of Contents Executive Summary...1 1.0 Framework Introduction...3
More informationUpdates to the NIST Cybersecurity Framework
Updates to the NIST Cybersecurity Framework NIST Cybersecurity Framework Overview and Other Documentation October 2016 Agenda: Overview of NIST Cybersecurity Framework Updates to the NIST Cybersecurity
More informationCyber Information Sharing
Cyber Information Sharing Renault Ross CISSP, MCSE, CHSS, VCP5 Chief Cybersecurity Business Strategist Ian Schmertzler President Know Your Team Under Pressure Trust Your Eyes Know the Supply Chain Have
More informationTrack 4A: NIST Workshop
Track 4A: NIST Workshop National Institute of Standards and Technology (NIST) National Cybersecurity Center of Excellence (NCCoE) GridSecCon October 18, 2016 AGENDA TOPIC PRESENTER(S) DURATION NIST/NCCoE
More informationKnowledge Set of Attack Surface and Cybersecurity Rating for Firms in a Supply Chain Dr. Shaun Wang, FCAS, CERA
Knowledge Set of Attack Surface and Cybersecurity Rating for Firms in a Supply Chain Dr. Shaun Wang, FCAS, CERA 04/13/2018 ULaval Shaun.Wang@ntu.edu.sg 1 Cyber Risk Management Project Government University
More informationLESSONS LEARNED IN DEVELOPING CYBERSECURITY FRAMEWORK (CSF) PROFILES WITH INDUSTRY AND THE U.S. COAST GUARD (USCG)
UNCLASSIFIED The United States Coast Guard LESSONS LEARNED IN DEVELOPING CYBERSECURITY FRAMEWORK (CSF) PROFILES WITH INDUSTRY AND THE U.S. COAST GUARD (USCG) Homeland Security UNCLASSIFIED 1 Lessons Learned
More informationImproving Critical Infrastructure Cybersecurity Executive Order Preliminary Cybersecurity Framework
1 Improving Critical Infrastructure Cybersecurity Executive Order 13636 Preliminary Cybersecurity Framework 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35
More informationHow to Align with the NIST Cybersecurity Framework
How to Align with the NIST Cybersecurity Framework 1 Title Table of Contents Identify (ID) 4 Protect (PR) 5 Detect (DE) 6 Respond (RS) 7 Recover (RC) 8 visibility detection control 2 SilentDefense Facilitates
More informationWhy you should adopt the NIST Cybersecurity Framework
Why you should adopt the NIST Cybersecurity Framework It s important to note that the Framework casts the discussion of cybersecurity in the vocabulary of risk management Stating it in terms Executive
More informationNCSF Foundation Certification
NCSF Foundation Certification Overview This ACQUIROS accredited training program is targeted at IT and Cybersecurity professionals looking to become certified on how to operationalize the NIST Cybersecurity
More informationDear Mr. Games: Please see our submission attached. With kind regards, Aaron
From: Aaron P. Padilla Date: Mon, Apr 10, 2017 at 3:16 PM Subject: API Response to the Proposed Update to the Framework for Improving Critical Infrastructure Cybersecurity To: "cyberframework@nist.gov"
More informationNIST (NCF) & GDPR to Microsoft Technologies MAP
NIST (NCF) & GDPR to Microsoft Technologies MAP Digital Transformation Realized.TM IDENTIFY (ID) Asset Management (ID.AM) The data, personnel, devices, systems, and facilities that enable the organization
More informationResponsible Care Security Code
Chemical Sector Guidance for Implementing the NIST Cybersecurity Framework and the ACC Responsible Care Security Code ACC Chemical Information Technology Council (ChemITC) January 2016 Legal and Copyright
More informationNational Cybersecurity Center of Excellence
The 3rd Annual Intelligence and National Security Forum Jim McCarthy NIST / NCCoE 05/11/2018 This presentation is unclassified in its entirety Foundations Collaborative Hub The NCCoE assembles experts
More informationFramework for Improving Critical Infrastructure Cybersecurity
Framework for Improving Critical Infrastructure Cybersecurity Draft Version 1.1 National Institute of Standards and Technology January 10, 2017 Note to Reviewers on the Update and Next Steps The draft
More informationEffectively Measuring Cybersecurity Improvement: A CSF Use Case
SESSION ID: GRC R03F Effectively Measuring Cybersecurity Improvement: A CSF Use Case Greg Witte Sr. Cybersecurity Engineer G2, Inc. @TheNetworkGuy Tom Conkle Cybersecurity Engineer G2, Inc. @TomConkle
More informationImproving Cybersecurity through the use of the Cybersecurity Framework
Improving Cybersecurity through the use of the Cybersecurity Framework March 11, 2015 Tom Conkle G2, Inc. Agenda Cybersecurity Framework Why it was created What is it Why it matters How do you use it 2
More informationOverview of NIPP 2013: Partnering for Critical Infrastructure Security and Resilience October 2013
Overview of NIPP 2013: Partnering for Critical Infrastructure Security and Resilience October 2013 PPD-21: CI Security and Resilience On February 12, 2013, President Obama signed Presidential Policy Directive
More informationNIST Cybersecurity Framework Based Written Information Security Program (WISP)
Cybersecurity Governance (GOV) Title 52.20 21 66A.622 GOV 1 Publishing Cybersecurity Policies & s ID.GV 1 500.02 500.03 66A.622(2)(d) GOV 2 Periodic Review & Update of Cybersecurity Documentation ID.GV
More informationIn support of this, the Coalition intends to host an event bringing together government and private sector leaders and experts to further discuss this
Coalition for Cybersecurity Policy & Law Coalition for Cybersecurity Policy & Law 600 Massachusetts Ave, NW, Washington, DC 20001 February 12, 2018 VIA EMAIL: counter_botnet@list.commerce.gov Evelyn L.
More informationCOMPLIANCE BRIEF: NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY S FRAMEWORK FOR IMPROVING CRITICAL INFRASTRUCTURE CYBERSECURITY
COMPLIANCE BRIEF: NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY S FRAMEWORK FOR IMPROVING CRITICAL INFRASTRUCTURE CYBERSECURITY OVERVIEW On February 2013, President Barack Obama issued an Executive Order
More informationExecutive Order & Presidential Policy Directive 21. Ed Goff, Duke Energy Melanie Seader, EEI
Executive Order 13636 & Presidential Policy Directive 21 Ed Goff, Duke Energy Melanie Seader, EEI Agenda Executive Order 13636 Presidential Policy Directive 21 Nation Infrastructure Protection Plan Cybersecurity
More informationNCSF Foundation Certification
NCSF Foundation Certification Overview This ACQUIROS accredited training program is targeted at IT and Cybersecurity professionals looking to become certified on how to operationalize the NIST Cybersecurity
More informationusing COBIT 5 best practices?
How to effectively mitigate Risks and ensure effective deployment of IOT using COBIT 5 best practices? CA. Abdul Rafeq, FCA, CISA, CIA, CGEIT Managing Director, Wincer Infotech Limited Past Member, COBIT
More informationDesigning & Building a Cybersecurity Program. Based on the NIST Cybersecurity Framework (CSF)
Designing & Building a Cybersecurity Program Based on the NIST Cybersecurity Framework (CSF) Larry Wilson Lesson 2 June, 2015 1 Lesson 2: Controls Factory Components Part 1: The Controls Factory Part 2:
More informationFramework for Improving Critical Infrastructure Cybersecurity
1 Framework for Improving Critical Infrastructure Cybersecurity Standards Certification Education & Training Publishing Conferences & Exhibits Dean Bickerton ISA New Orleans April 5, 2016 A Brief Commercial
More informationAmerican Association of Port Authorities Port Security Seminar & Expo Cyber Security Preparedness and Resiliency in the Marine Environment
American Association of Port Authorities Port Security Seminar & Expo Cyber Security Preparedness and Resiliency in the Marine Environment July 20, 2017 DECIDEPLATFORM.COM The new Reality of Cyber Security
More informationMaritime Bulk Liquids Transfer Cybersecurity Framework Profile
Maritime Bulk Liquids Transfer Cybersecurity Framework Profile Table of Contents Executive Summary... iv Background... iv The Profile... iv Benefits... v 1. Introduction... 1 1.1. Purpose... 1 1.2. Audience
More informationRe: McAfee s comments in response to NIST s Solicitation for Comments on Draft 2 of Cybersecurity Framework Version 1.1
January 19, 2018 VIA EMAIL: cyberframework@nist.gov Edwin Games National Institute of Standards and Technology 100 Bureau Drive, Mail Stop 8930 Gaithersburg, MD 20899 Re: McAfee s comments in response
More informationViews on the Framework for Improving Critical Infrastructure Cybersecurity
This document is scheduled to be published in the Federal Register on 12/11/2015 and available online at http://federalregister.gov/a/2015-31217, and on FDsys.gov Billing Code: 3510-13 DEPARTMENT OF COMMERCE
More informationCYBERSECURITY FOR STARTUPS AND SMALL BUSINESSES OVERVIEW OF CYBERSECURITY FRAMEWORKS
CYBERSECURITY FOR STARTUPS AND SMALL BUSINESSES OVERVIEW OF CYBERSECURITY FRAMEWORKS WILLIAM (THE GONZ) FLINN M.S. INFORMATION SYSTEMS SECURITY MANAGEMENT; COMPTIA SECURITY+, I-NET+, NETWORK+; CERTIFIED
More informationOil & Natural Gas Third Party Collaboration IT Security NIST Profile API ITSS Third Party Collaboration IT Security Workgroup
Oil & Natural Gas Third Party Collaboration IT Security NIST Profile API ITSS Third Party Collaboration IT Security Workgroup 12/16/2016 Contents 1 Introduction... 3 2 Approach... 3 2.1 Relevant NIST Categories...
More informationCybersecurity & Privacy Enhancements
Business, Industry and Government Cybersecurity & Privacy Enhancements John Lainhart, Director, Grant Thornton The National Institute of Standards and Technology (NIST) is in the process of updating their
More informationFrom the Trenches: Lessons learned from using the NIST Cybersecurity Framework
From the Trenches: Lessons learned from using the NIST Cybersecurity Framework Greg Witte Sr. Cybersecurity Engineer G2, Inc. Greg.Witte@G2-inc.com Tom Conkle Cybersecurity Engineer G2, Inc. Tom.Conkle@G2-inc.com
More informationMapping and Auditing Your DevOps Systems
Mapping and Auditing Your DevOps Systems David Cuthbertson, CEO Square Mile Systems Ltd david.cuthbertson@squaremilesystems.com www.squaremilesystems.com Personal Background Personal Experience Industry
More informationISO based Written Information Security Program (WISP) (a)(1)(i) & (a)(3)(i) & (ii) & (A) (A)(5)(ii) & (ii)(a)
1 Information Security Program Policy 1.2 Management Direction for Information Security 5.1 1.2.8 1.2.1.1 Publishing An Information Security Policy 5.1.1 500.03 1.1.0 2.1.0-2.2.3 3.1.0-3.1.2 4.1.0-4.2.4
More informationNW NATURAL CYBER SECURITY 2016.JUNE.16
NW NATURAL CYBER SECURITY 2016.JUNE.16 ADOPTED CYBER SECURITY FRAMEWORKS CYBER SECURITY TESTING SCADA TRANSPORT SECURITY AID AGREEMENTS CONCLUSION QUESTIONS ADOPTED CYBER SECURITY FRAMEWORKS THE FOLLOWING
More informationCybersecurity Presidential Policy Directive Frequently Asked Questions. kpmg.com
Cybersecurity Presidential Policy Directive Frequently Asked Questions kpmg.com Introduction On February 12, 2013, the White House released the official version of the Presidential Policy Directive regarding
More informationSYSTEMS ASSET MANAGEMENT POLICY
SYSTEMS ASSET MANAGEMENT POLICY Policy: Asset Management Policy Owner: CIO Change Management Original Implementation Date: 7/1/2017 Effective Date: 7/1/2017 Revision Date: Approved By: NIST Cyber Security
More informationEvaluating and Improving Cybersecurity Capabilities of the Electricity Critical Infrastructure
Evaluating and Improving Cybersecurity Capabilities of the Electricity Critical Infrastructure March 2015 Pamela Curtis Dr. Nader Mehravari Katie Stewart Cyber Risk and Resilience Management Team CERT
More informationCybersecurity Overview
Cybersecurity Overview DLA Energy Worldwide Energy Conference April 12, 2017 1 Enterprise Risk Management Risk Based: o Use of a risk-based approach for cyber threats with a focus on critical systems where
More informationInformation Security Continuous Monitoring (ISCM) Program Evaluation
Information Security Continuous Monitoring (ISCM) Program Evaluation Cybersecurity Assurance Branch Federal Network Resilience Division Chad J. Baer FNR Program Manager Chief Operational Assurance Agenda
More informationCybersecurity-Related Information Sharing Guidelines Draft Document Request For Comment
Cybersecurity-Related Information Sharing Guidelines Draft Document Request For Comment SWG G 3 2016 v0.2 ISAO Standards Organization Standards Working Group 3: Information Sharing Kent Landfield, Chair
More informationKent Landfield, Director Standards and Technology Policy
Kent Landfield, Director Standards and Technology Policy How would you represent your entire risk landscape to your senior management? And how would you get there? A Changing Landscape Drives Security
More informationHow to implement NIST Cybersecurity Framework using ISO WHITE PAPER. Copyright 2017 Advisera Expert Solutions Ltd. All rights reserved.
How to implement NIST Cybersecurity Framework using ISO 27001 WHITE PAPER Copyright 2017 Advisera Expert Solutions Ltd. All rights reserved. Copyright 2017 Advisera Expert Solutions Ltd. All rights reserved.
More informationUnited States Coast Guard Office of Port and Facility Compliance (CG-FAC) Cybersecurity and the Marine Transportation System.
United States Coast Guard Office of Port and Facility Compliance (CG-FAC) Cybersecurity and the Marine Transportation System Overview Coast Guard Cyber Strategy Cyber Framework (CSF) What does it mean
More informationHPH SCC CYBERSECURITY WORKING GROUP
HPH SCC A PRIMER 1 What Is It? The cross sector coordinating body representing one of 16 critical infrastructure sectors identified in Presidential Executive Order (PPD 21) A trust community partnership
More informationUsing Metrics to Gain Management Support for Cyber Security Initiatives
Using Metrics to Gain Management Support for Cyber Security Initiatives Craig Schumacher Chief Information Security Officer Idaho Transportation Dept. January 2016 Why Metrics Based on NIST Framework?
More informationSecurity Metrics. February 25, Annabelle Lee Senior Technical Executive
Security Metrics February 25, 2015 Annabelle Lee Senior Technical Executive alee@epri.com Cybersecurity Capability Maturity Model (C2M2) Overview Expansion Project and Comparative Analysis Framework Implementation
More informationDeveloping a Model for Cyber Security Maturity Assessment
Developing a Model for Cyber Security Maturity Assessment Tariq Al-idrissi, Associate Vice President IT, Trent University Ian Thomson, Information Security Officer, Trent University June 20 th, 2018 (8:45am
More informationInformation Technology Security Plan Policies, Controls, and Procedures Identify Risk Assessment ID.RA
Information Technology Security Plan Policies, Controls, and Procedures Identify Risk Assessment ID.RA Information Security Policy and Procedures Identify Risk Assessment ID.RA Table of Contents Identify
More informationOntario Energy Board Cyber Security Framework
Ontario Energy Board Cyber Security Framework Accelerating compliance using Security-as-a-Service (SECaaS) Office: 888.876.0504 Email: info@stratejm.com Website: www.stratejm.com About this Whitepaper
More informationRocky Mountain Cyberspace Symposium 2018 DoD Cyber Resiliency
Rocky Mountain Cyberspace Symposium 2018 DoD Cyber Resiliency Mr. Ed Brindley Acting Deputy Cyber Security Department of Defense 7 March 2018 SUPPORT THE WARFIGHTER 2 Overview Secretary Mattis Priorities
More informationEnhancing the Cybersecurity of Federal Information and Assets through CSIP
TECH BRIEF How BeyondTrust Helps Government Agencies Address Privileged Access Management to Improve Security Contents Introduction... 2 Achieving CSIP Objectives... 2 Steps to improve protection... 3
More informationNIST Framework for Improving Critical Infrastructure Cybersecurity Technical Control Automation
NIST Framework for Improving Critical Infrastructure Cybersecurity Technical Control Automation Automating Cybersecurity Framework Technical Controls with Tenable SecurityCenter Continuous View February
More informationBonnie A. Goins Adjunct Industry Professor Illinois Institute of Technology
Bonnie A. Goins Adjunct Industry Professor Illinois Institute of Technology It s a hot topic!! Executives are asking their CISOs a LOT of questions about it Issues are costly, from a financial and a reputational
More informationSTRENGTHENING THE CYBERSECURITY OF FEDERAL NETWORKS AND CRITICAL INFRASTRUCTURE
STRENGTHENING THE CYBERSECURITY OF FEDERAL NETWORKS AND CRITICAL INFRASTRUCTURE By the authority vested in me as President by the Constitution and the laws of the United States of America, it is hereby
More informationCyber Bounty Hunter. Key capabilities of today s. Renault Ross CISSP,MCSE,VCP5,CHSS Distinguished Engineer Chief Security Business Strategist
Key capabilities of today s Cyber Bounty Hunter Renault Ross CISSP,MCSE,VCP5,CHSS Distinguished Engineer Chief Security Business Strategist Copyright 2016 Symantec Corporation 1 2 3 The Cyber Skills Gap
More informationACR 2 Solutions Compliance Tools
ACR 2 Solutions Compliance Tools What s all the noise about the Cyber Security Framework? The Cyber Security Framework Airs Conference May 2017 About ACR 2 Solutions your NIST experts ACR2 is a developer
More informationSecurity Management Models And Practices Feb 5, 2008
TEL2813/IS2820 Security Management Security Management Models And Practices Feb 5, 2008 Objectives Overview basic standards and best practices Overview of ISO 17799 Overview of NIST SP documents related
More informationChoosing the Right Cybersecurity Assessment Tool Michelle Misko, TraceSecurity Product Specialist
Choosing the Right Cybersecurity Assessment Tool Michelle Misko, TraceSecurity Product Specialist Agenda Industry Background Cybersecurity Assessment Tools Cybersecurity Best Practices 2 Cybersecurity
More informationHITRUST CSF: One Framework
HITRUST CSF: One Framework Leveraging the HITRUST CSF to Support ISO, HIPAA, & NIST Implementation and Compliance, and SSAE 16 SOC Reporting Dr. Bryan Cline, CISSP-ISSEP, CISM, CISA, CCSFP, HCISPP Senior
More informationDiscussion Draft of the Preliminary Cybersecurity Framework August 28, 2013
1 Discussion Draft of the Preliminary Cybersecurity Framework August 28, 2013 2 3 A Discussion Draft of the Preliminary Cybersecurity Framework for improving critical 4 infrastructure cybersecurity is
More informationSmart Grid Standards and Certification
Smart Grid Standards and Certification June 27, 2012 Annabelle Lee Technical Executive Cyber Security alee@epri.com Current Environment 2 Current Grid Environment Legacy SCADA systems Limited cyber security
More informationTEL2813/IS2820 Security Management
TEL2813/IS2820 Security Management Security Management Models And Practices Lecture 6 Jan 27, 2005 Introduction To create or maintain a secure environment 1. Design working security plan 2. Implement management
More informationTinker & The Primes 2017 Innovating Together
Tinker & The Primes 2017 Innovating Together Protecting Controlled Unclassified Information Systems and Organizations Larry Findeiss Bid Assistance Coordinator Oklahoma s Procurement Technical Assistance
More informationImplementing Executive Order and Presidential Policy Directive 21
March 26, 2013 Implementing Executive Order 13636 and Presidential Policy Directive 21 Mike Smith, Senior Cyber Policy Advisor, Office of Electricity Delivery and Energy Reliability, Department of Energy
More informationCybersecurity for Health Care Providers
Cybersecurity for Health Care Providers Montgomery County Medical Society Provider Meeting February 28, 2017 T h e MARYLAND HEALTH CARE COMMISSION Overview Cybersecurity defined Cyber-Threats Today Impact
More information2014 Sector-Specific Plan Guidance. Guide for Developing a Sector-Specific Plan under NIPP 2013 August 2014
2014 -Specific Plan Guidance Guide for Developing a -Specific Plan under NIPP 2013 August 2014 How to Use this Guidance This page provides a roadmap to assist critical infrastructure partners in navigating
More informationAppendix 12 Risk Assessment Plan
Appendix 12 Risk Assessment Plan DRAFT December 13, 2006 Revision XX Qwest Government Services, Inc. 4250 North Fairfax Drive Arlington, VA 22203 A12-1 RFP: TQC-JTB-05-0001 December 13, 2006 REVISION HISTORY
More information2016 Nationwide Cyber Security Review: Summary Report. Nationwide Cyber Security Review: Summary Report
Nationwide Cyber Security Review: Summary Report Nationwide Cyber Security Review: Summary Report ii Nationwide Cyber Security Review: Summary Report Acknowledgments The Multi-State Information Sharing
More informationUNCLASSIFIED. FY 2016 Base FY 2016 OCO
Exhibit R-2, RDT&E Budget Item Justification: PB 2016 Office of the Secretary Of Defense : February 2015 0400: Research, Development, Test & Evaluation, Defense-Wide / BA 7: Operational Systems Development
More informationstandards and frameworks and controls oh my! Mike Garcia Senior Advisor for Elections Best Practices
standards and frameworks and controls oh my! Mike Garcia Senior Advisor for Elections Best Practices mike.garcia@cisecurity.org The big three in their own words ISO 27000: family of standards to help organizations
More informationNCCoE TRUSTED CLOUD: A SECURE SOLUTION
SESSION ID: SPO1-W14 NCCoE TRUSTED CLOUD: A SECURE SOLUTION Donna Dodson Associate Director Chief Cyber Security Advisor of the Information Technology Laboratory, Chief Cybersecurity Advisor for the National
More informationDecember 10, Statement of the Securities Industry and Financial Markets Association. Senate Committee on Banking, Housing, and Urban Development
December 10, 2014 Statement of the Securities Industry and Financial Markets Association Senate Committee on Banking, Housing, and Urban Development Hearing Entitled Cybersecurity: Enhancing Coordination
More informationFISMA Cybersecurity Performance Metrics and Scoring
DOT Cybersecurity Summit FISMA Cybersecurity Performance Metrics and Scoring Office of the Federal Chief Information Officer, OMB OMB Cyber and National Security Unit, OMBCyber@omb.eop.gov 2. Cybersecurity
More informationcybersecurity in Europe Rossella Mattioli Secure Infrastructures and Services
Enhancing infrastructure cybersecurity in Europe Rossella Mattioli Secure Infrastructures and Services European Union Agency for Network and Information Security Securing Europe s Information society 2
More informationThe CIS Critical Security Controls are a relatively small number of prioritized, well-vetted, and supported security actions that organizations can
The CIS Critical Security are a relatively small number of prioritized, well-vetted, and supported security actions that organizations can take to assess and improve their current security state. They
More informationNew York Cybersecurity. New York Cybersecurity. Requirements for Financial Services Companies (23NYCRR 500) Solution Brief
Publication Date: March 10, 2017 Requirements for Financial Services Companies (23NYCRR 500) Solution Brief EventTracker 8815 Centre Park Drive, Columbia MD 21045 About EventTracker EventTracker s advanced
More informationAssurance over Cybersecurity using COBIT 5
Assurance over Cybersecurity using COBIT 5 Special thanks to ISACA for supplying material for this presentation. Anthony Noble, VP IT Audit, Viacom Inc. Anthony.noble@viacom.com Disclamer The opinions
More informationCyber Security & Homeland Security:
Cyber Security & Homeland Security: Cyber Security for CIKR and SLTT Michael Leking 19 March 2014 Cyber Security Advisor Northeast Region Office of Cybersecurity and Communications (CS&C) U.S. Department
More informationTechnical Conference on Critical Infrastructure Protection Supply Chain Risk Management
Technical Conference on Critical Infrastructure Protection Supply Chain Risk Management Remarks of Marcus Sachs, Senior Vice President and the Chief Security Officer North American Electric Reliability
More informationNavigation and Vessel Inspection Circular (NVIC) 05-17; Guidelines for Addressing
This document is scheduled to be published in the Federal Register on 07/12/2017 and available online at https://federalregister.gov/d/2017-14616, and on FDsys.gov 9110-04-P DEPARTMENT OF HOMELAND SECURITY
More informationTHE WHITE HOUSE. Office of the Press Secretary EXECUTIVE ORDER
THE WHITE HOUSE Office of the Press Secretary FOR IMMEDIATE RELEASE May 11, 2017 EXECUTIVE ORDER - - - - - - - STRENGTHENING THE CYBERSECURITY OF FEDERAL NETWORKS AND CRITICAL INFRASTRUCTURE By the authority
More informationUsing the NIST Cybersecurity Framework to Guide your Security Program August 31, 2017
Using the NIST Cybersecurity Framework to Guide your Security Program August 31, 2017 Presenters: Allie Russell, Conexxus Kara Gunderson, DSSC Chair, CITGO Petroleum Chris Lietz & Bob Post, Coalfire Housekeeping
More informationBUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE
BUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE 1 WHAT IS YOUR SITUATION? Excel spreadsheets Manually intensive Too many competing priorities Lack of effective reporting Too many consultants Not
More informationMr. Games, Thank you. Kent Landfield McAfee, LLC. [Attachment Copied Below]
From: Landfield, Kent Date: Mon, Apr 10, 2017 at 4:05 PM Subject: Intel and McAfee Comments on Draft Update of the Framework for Improving Critical Infrastructure Cybersecurity To: "cyberframework@nist.gov"
More informationPresidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure
Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure EXECUTIVE ORDER [13800] - - - - - - - STRENGTHENING THE CYBERSECURITY OF FEDERAL NETWORKS
More information