Information Security Continuous Monitoring (ISCM) Program Evaluation

Size: px
Start display at page:

Download "Information Security Continuous Monitoring (ISCM) Program Evaluation"

Transcription

1 Information Security Continuous Monitoring (ISCM) Program Evaluation Cybersecurity Assurance Branch Federal Network Resilience Division Chad J. Baer FNR Program Manager Chief Operational Assurance

2 Agenda INTRODUCTION CYBERSECURITY ASSURANCE BRANCH ASSISTANCE FEDERAL ISCM EVALUTION

3 Introduction Chad J. Baer, Chief Operational Assurance Cybersecurity Assurance Branch, Federal Network Resilience NIST NCCoE tasked in three areas to support Federal Network Resilience Develop Information Security Continuous Monitoring Assessment Methodology NCCoE will develop a methodology to assess federal agency ISCM programs. The methodology will be based on a staff assistance approach as opposed to a more traditional compliance based approach. Get out of the Audit mindset for this presentation!

4 CAB Security Assistance Approach Strategy to deploy an adaptive and continuous engagement evaluation model based on continuously improving assessment methodologies

5 Federal Cybersecurity Priorities and Drivers FISMA 2014 Authorities The Secretary of DHS, in consultation with the Director of OMB, shall administer the implementation of agency information security policies and practices for information systems: monitoring agency implementation of information security policies and practices providing operational and technical assistance to agencies in implementing policies, principles, standards, and guidelines on information security Assists Federal Agencies in meeting responsibilities under Section 3554 to assess risk and evaluate effectiveness of security programs Administration Cross-Agency Priority Goals (FY15-17) Information Security Continuous Monitoring Mitigation (ISCM) Provide ongoing observation, assessment, analysis, and diagnosis of an organization s cybersecurity: posture, hygiene, and operational readiness OMB Memorandum Enhancing the Security of Federal Information and Information Systems

6 FNR Mission Goals Improve Federal cybersecurity Develop measureable cybersecurity performance metrics Engage with civilian agencies to support priority cybersecurity programs INTEGRATED CYBERSECURITY SERVICES CYBERSECURITY PERFORMANCE MANAGEMENT CYBERSECURITY ASSURANCE

7 Cybersecurity Assurance Branch Goals Deploy adaptive assessments for agencies, to validate current state cybersecurity against federal cybersecurity initiatives, and improve agency and federal cybersecurity posture. Provide continuous assistance, review security architecture, help define critical systems, and ensure quality data collection and integration of priority cybersecurity programs. Provide a holistic view of Federal cybersecurity posture to show realized agency improvements

8 Operational Assurance & Readiness Capability Does the agency have a capability adopted and defined? Operations Are they meeting those capabilities functionally in operations? ACT CAPABILITY PLAN Analysis Do they collect and understand data outputs? RESPONSE Operational Assurance Readiness Review OPERATIONS Response Does the agency use this information to improve their capabilities, operations, and analysis? CHECK ANALYSIS DO

9 Security Assistance Value Proposition Federal Audit Model Assessment Based Temporal Auditing Internally Facing Stagnant Criteria Insulated Information Prescriptive Reports CAB Assistance Model Assistance Focused Continuous Engagement Externally Facing Adaptive Criteria Accessible Information Tailorable Reports

10 OA Program Principles Iterative and Adaptive program approach promoting continuous improvement in both the agency implementation, and the evaluations Continuous engagement, continuous loopback, continuous improvement

11 Federal ISCM Evaluation A modular evaluation of ISCM programs to ensure readiness of organizations to make ongoing authorization and risk management decisions

12 OBJECTIVES Measure the adoption and implementation of ISCM at agencies Quantify the impact of CDM in ISCM programs Determine the extent ISCM programs support risk management decisions Measure the readiness of agencies for ongoing authorization

13 Building an ISCM Program maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decision. 13

14 ISCM Under Construction Foundational Assessment Focused Here 14

15 Mapping to Business Objectives Are you doing things that are clearly relevant to organizational business goals? The top down drivers Are the critical things you re doing being appropriately recognized in organizational strategic planning? The bottom up drivers Connect strategy to operations!

16 ISCM Evaluation Provides a foundation of high level cybersecurity goals which can then incorporate modular security domains for evaluation. Provide a balanced scorecard measuring ISCM implementation based on associated program perspectives to determine posture health Define automation gaps and assess compensating approach All assessment activity will be based on and reference appropriate NIST standards and widely accepted best practices. Assumption: Information Security Continuous Monitoring (ISCM) strategy represents a baseline technical foundation for prescribed cybersecurity implementation at this time

17 Guiding Principles Focus on the basic principles of ISCM. NIST SP Office of Inspector General Maturity Model Stay at a high level. Most agencies are just getting started. Should be more general than detailed approaches like CDM and NISTIR Avoid being prescriptive -- evaluation criteria should not pre-determine program approach Provide traceability to authoritative sources. Keep it simple and straightforward for both agencies and assessment teams. Be capable of adapting as agency programs mature. Provide value to agencies so they engage regularly to measure their progress.

18 Evaluation Approach Workflow consists of 3 phases in collaboration with the environment owner: Preparation, Execution, and Delivery Prepare baseline of environment Collect and review relevant data Documents: organizational policies and strategies, operational ISCM processes Dynamic ISCM data: dashboards and reports Human insight and interviews Incorporate a sound process for analyzing ISCM based on assessment perspectives Develop relevant reports Process/ Perspectives Groupings Assertions Criteria Goal Criteria Subcriteria Subcriteria Subcriteria

19 ISCM Process Steps Define the strategy Establish a program Implement the program Analyze and Report findings Respond to findings Increment 1 Review Review and Update the program and strategy Review Respond Define Analyze Establish Maps to risk tolerance Adapts to ongoing needs Actively involves management Implement NIST Process Steps 19

20 Assessment Perspectives (Goals) Adoption Measures the extent to which ISCM is defined and implemented Utilization Measures the integration of ISCM program into the organizations technical and business processes Readiness Measures the capability to use the ISCM program to inform the organization for Ongoing Authorization; as well as investments, mitigations, etc. Sustainment Measures the degree to which the organization has established support structures to ensure long-term viability of ISCM program

21 Increment 1 Objectives Measure the adoption and implementation of ISCM at agencies Determine the extent ISCM programs support risk management decisions Measure the readiness of agencies to achieve ongoing authorization Why This Approach? Ensures the foundation is sufficiently load bearing to support full ISCM program Gains insight into agency cybersecurity programs to support future service development 21

22 Flexibility The breadth is flexible. Begins with Define Can stop after any step to accommodate less mature programs, e.g., Stop after Define (a strategy assessment) Stop after Establish (a design assessment) Stop after Implement (an implementation assessment) Include all steps (a full ISCM assessment) The scope of ISCMA version 1 is steps 1-3.

23 Assertion Development Assertions are Statements to be validated by the assessment team Extracted or derived from authoritative documents Associated with each cell of the matrix At various levels of detail Assertions are generally based directly on the statements related to continuous monitoring extracted from the authoritative sources. A small number of assertions were derived from other sources and best practices. Source statements were reworded to read consistently as assertions. Assertions are also annotated as being critical vs. non-critical, with critical assertions weighted higher in the final scoring. Guidance for marking assertions critical includes, e.g., those that address national cybersecurity initiatives.

24 Assessment Scope The assessment scope is a designated agency or possibly a major component of an agency. Assertions about each mission/component : Are reviewed for each mission/component in the designated scope. Must be true for all such missions/components, otherwise they are only partially true. Assertions about each information system : Are reviewed for each high-value system (at a minimum) in the designated scope. Must be true for all reviewed systems, otherwise they are only partially true.

25 Sample Assertions Example Assertions for Define * The ISCM strategy includes any federal data and assets hosted by external service providers. The ISCM strategy addresses how the agency will conduct ongoing authorizations of information systems. Example Assertions for Establish * There is evidence that system owners establish ISCM metric targets for their systems. The ISCM program defines, for each source of data, a method for measuring the timeliness with which that data is being collected and a minimum acceptable threshold for this measurement. Example Assertions for Implement * There is evidence that there is adequate staff to meet the objectives of the ISCM program. There is evidence that, for each source of data, the ISCM program meets its timeliness threshold. Assessment results include actionable recommendations based on discussions around each assertion. FOR OFFICIAL USE ONLY

26 Building the ISCM Foundation Situational Awareness of Agency Cybersecurity Health & Readiness G O E R N A N C E Business Objectives Performance Drivers M E T R I C S Data Collection T O O L S DEFINE: The ISCM strategy addresses the need for developing a comprehensive metrics program. ESTABLISH: The ISCM program defines a comprehensive set of metrics and procedures for their reporting IMPLEMENT: The ISCM program implements the metrics established by/for system owners. FOR OFFICIAL USE ONLY

27 Assertion Distribution Sustainment, Utilization and Readiness will contain additional assertions when the remaining SP steps are added.

28 Cyber Posture Scorecard A balanced scorecard based on relevant performance perspectives Quantifies the health of ISCM strategy and implementation within agency Provides decision makers meaningful views of security posture Can be used to support maturity model determination

29 Analytic Outcomes Where can efficiencies be found in the ISCM program? How is ISCM affecting risk decisions? What portion of ISCM program can be implemented via automation? What portion of the ISCM program is implemented via CDM?

30 Future Directions Add Process Steps for Analyze/Report, Respond, and Review/Update. Explore other scoring techniques. Explore integration with existing assessments of maturity level. Explore integration with the CyberSecurity Framework..

31 Thank you! Please contact Chad Baer (DHS) with any further questions!

Federal Continuous Monitoring Working Group. March 21, DOJ Cybersecurity Conference 2/8/2011

Federal Continuous Monitoring Working Group. March 21, DOJ Cybersecurity Conference 2/8/2011 Federal Continuous Monitoring Working Group March 21, 2011 DOJ Cybersecurity Conference 2/8/2011 4/12/2011 Why Continuous Monitoring? Case for Change Strategy Future State Current State Current State Case

More information

INFORMATION ASSURANCE DIRECTORATE

INFORMATION ASSURANCE DIRECTORATE National Security Agency/Central Security Service INFORMATION ASSURANCE DIRECTORATE CGS Risk Monitoring Risk Monitoring assesses the effectiveness of the risk decisions that are made by the Enterprise.

More information

FISMA Cybersecurity Performance Metrics and Scoring

FISMA Cybersecurity Performance Metrics and Scoring DOT Cybersecurity Summit FISMA Cybersecurity Performance Metrics and Scoring Office of the Federal Chief Information Officer, OMB OMB Cyber and National Security Unit, OMBCyber@omb.eop.gov 2. Cybersecurity

More information

Evaluating and Improving Cybersecurity Capabilities of the Electricity Critical Infrastructure

Evaluating and Improving Cybersecurity Capabilities of the Electricity Critical Infrastructure Evaluating and Improving Cybersecurity Capabilities of the Electricity Critical Infrastructure March 2015 Pamela Curtis Dr. Nader Mehravari Katie Stewart Cyber Risk and Resilience Management Team CERT

More information

White Paper. View cyber and mission-critical data in one dashboard

White Paper. View cyber and mission-critical data in one dashboard View cyber and mission-critical data in one dashboard Table of contents Rising cyber events 2 Mitigating threats 2 Heighten awareness 3 Evolving the solution 5 One of the direct benefits of the Homeland

More information

Executive Order & Presidential Policy Directive 21. Ed Goff, Duke Energy Melanie Seader, EEI

Executive Order & Presidential Policy Directive 21. Ed Goff, Duke Energy Melanie Seader, EEI Executive Order 13636 & Presidential Policy Directive 21 Ed Goff, Duke Energy Melanie Seader, EEI Agenda Executive Order 13636 Presidential Policy Directive 21 Nation Infrastructure Protection Plan Cybersecurity

More information

NCSF Foundation Certification

NCSF Foundation Certification NCSF Foundation Certification Overview This ACQUIROS accredited training program is targeted at IT and Cybersecurity professionals looking to become certified on how to operationalize the NIST Cybersecurity

More information

Information Technology Branch Organization of Cyber Security Technical Standard

Information Technology Branch Organization of Cyber Security Technical Standard Information Technology Branch Organization of Cyber Security Technical Standard Information Management, Administrative Directive A1461 Cyber Security Technical Standard # 1 November 20, 2014 Approved:

More information

The NIST Cybersecurity Framework

The NIST Cybersecurity Framework The NIST Cybersecurity Framework U.S. German Standards Panel 2018 April 10, 2018 Adam.Sedgewick@nist.gov National Institute of Standards and Technology About NIST Agency of U.S. Department of Commerce

More information

ISACA Arizona May 2016 Chapter Meeting

ISACA Arizona May 2016 Chapter Meeting ISACA Arizona May 2016 Chapter Meeting Suzanne Farr / Carlos A. Villalba Agenda Introduction Preliminary questions CCM Preliminaries Definition Benefits Challenges Beyond Templates Questions 1 Background

More information

Does a SAS 70 Audit Leave you at Risk of a Security Exposure or Failure to Comply with FISMA?

Does a SAS 70 Audit Leave you at Risk of a Security Exposure or Failure to Comply with FISMA? Does a SAS 70 Audit Leave you at Risk of a Security Exposure or Failure to Comply with FISMA? A brief overview of security requirements for Federal government agencies applicable to contracted IT services,

More information

HITRUST CSF: One Framework

HITRUST CSF: One Framework HITRUST CSF: One Framework Leveraging the HITRUST CSF to Support ISO, HIPAA, & NIST Implementation and Compliance, and SSAE 16 SOC Reporting Dr. Bryan Cline, CISSP-ISSEP, CISM, CISA, CCSFP, HCISPP Senior

More information

WHITE PAPER CONTINUOUS MONITORING INTRODUCTION & CONSIDERATIONS PART 1 OF 3

WHITE PAPER CONTINUOUS MONITORING INTRODUCTION & CONSIDERATIONS PART 1 OF 3 WHITE PAPER CONTINUOUS MONITORING INTRODUCTION & CONSIDERATIONS PART 1 OF 3 ABSTRACT This white paper is Part 1 in a three-part series of white papers on the sometimes daunting subject of continuous monitoring

More information

Information Collection Request: The Department of Homeland. Security, Stakeholder Engagement and Cyber Infrastructure

Information Collection Request: The Department of Homeland. Security, Stakeholder Engagement and Cyber Infrastructure This document is scheduled to be published in the Federal Register on 07/18/2017 and available online at https://federalregister.gov/d/2017-15068, and on FDsys.gov 9110-9P P DEPARTMENT OF HOMELAND SECURITY

More information

Inspector General. Report on the Peace Corps Information Security Program. Peace Corps Office of. Background FISCAL YEAR 2017

Inspector General. Report on the Peace Corps Information Security Program. Peace Corps Office of. Background FISCAL YEAR 2017 Peace Corps Office of Inspector General Our Mission: Through audits, evaluations, and investigations, the Office of Inspector General provides independent oversight of agency programs and operations in

More information

Cybersecurity Presidential Policy Directive Frequently Asked Questions. kpmg.com

Cybersecurity Presidential Policy Directive Frequently Asked Questions. kpmg.com Cybersecurity Presidential Policy Directive Frequently Asked Questions kpmg.com Introduction On February 12, 2013, the White House released the official version of the Presidential Policy Directive regarding

More information

Office of Security Capabilities Cybersecurity Management Framework

Office of Security Capabilities Cybersecurity Management Framework Transportation Security Administration Office of Security Capabilities Version 1.5 Updated: August 10, 2015 The contents of this framework draw from and are in alignment with requirements identified in

More information

Advanced Cyber Risk Management Threat Modeling & Cyber Wargaming April 23, 2018

Advanced Cyber Risk Management Threat Modeling & Cyber Wargaming April 23, 2018 Advanced Cyber Risk Management Threat Modeling & Cyber Wargaming April 23, 2018 The Homeland Security Systems Engineering and Development Institute (HSSEDI ) is a trademark of the U.S. Department of Homeland

More information

BUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE

BUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE BUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE 1 WHAT IS YOUR SITUATION? Excel spreadsheets Manually intensive Too many competing priorities Lack of effective reporting Too many consultants Not

More information

Improving Cybersecurity through the use of the Cybersecurity Framework

Improving Cybersecurity through the use of the Cybersecurity Framework Improving Cybersecurity through the use of the Cybersecurity Framework March 11, 2015 Tom Conkle G2, Inc. Agenda Cybersecurity Framework Why it was created What is it Why it matters How do you use it 2

More information

Overview of NIPP 2013: Partnering for Critical Infrastructure Security and Resilience October 2013

Overview of NIPP 2013: Partnering for Critical Infrastructure Security and Resilience October 2013 Overview of NIPP 2013: Partnering for Critical Infrastructure Security and Resilience October 2013 PPD-21: CI Security and Resilience On February 12, 2013, President Obama signed Presidential Policy Directive

More information

DATA SHEET RSA NETWITNESS PLATFORM PROFESSIONAL SERVICES ACCELERATE TIME-TO-VALUE & MAXIMIZE ROI

DATA SHEET RSA NETWITNESS PLATFORM PROFESSIONAL SERVICES ACCELERATE TIME-TO-VALUE & MAXIMIZE ROI DATA SHEET RSA NETWITNESS PLATFORM PROFESSIONAL SERVICES ACCELERATE TIME-TO-VALUE & MAXIMIZE ROI EXECUTIVE SUMMARY The shortage of cybersecurity skills Organizations continue to face a shortage of IT skill

More information

TEL2813/IS2820 Security Management

TEL2813/IS2820 Security Management TEL2813/IS2820 Security Management Security Management Models And Practices Lecture 6 Jan 27, 2005 Introduction To create or maintain a secure environment 1. Design working security plan 2. Implement management

More information

Assured Compliance through Information Security Continuous Monitoring

Assured Compliance through Information Security Continuous Monitoring Assured Compliance through Information Security Continuous Monitoring Trey Breckenridge Director, High Performance Computing Mississippi State University 24 July 2018 Summary Information Security Continuous

More information

NCSF Foundation Certification

NCSF Foundation Certification NCSF Foundation Certification Overview This ACQUIROS accredited training program is targeted at IT and Cybersecurity professionals looking to become certified on how to operationalize the NIST Cybersecurity

More information

Framework for Improving Critical Infrastructure Cybersecurity

Framework for Improving Critical Infrastructure Cybersecurity Framework for Improving Critical Infrastructure Cybersecurity May 2017 cyberframework@nist.gov Why Cybersecurity Framework? Cybersecurity Framework Uses Identify mission or business cybersecurity dependencies

More information

Space Cyber: An Aerospace Perspective

Space Cyber: An Aerospace Perspective Space Cyber: An Aerospace Perspective USAF Cyber Vision 2025 AFSPC 19-21 March 2012 Frank Belz and Joe Betser The Aerospace Corporation Computers and Software Division 20 March 2012 frank.belz@aero.org

More information

10/18/2016. Preparing Your Organization for a HHS OIG Information Security Audit. Models for Risk Assessment

10/18/2016. Preparing Your Organization for a HHS OIG Information Security Audit. Models for Risk Assessment Preparing Your Organization for a HHS OIG Information Security Audit David Holtzman, JD, CIPP/G CynergisTek, Inc. Brian C. Johnson, CPA, CISA HHS OIG Section 1: Models for Risk Assessment Section 2: Preparing

More information

Evolving Cybersecurity Strategies

Evolving Cybersecurity Strategies Evolving Cybersecurity Strategies NIST Special Publication 800-53, Revision 4 ISSA National Capital Chapter April 17, 2012 Dr. Ron Ross Computer Security Division Information Technology Laboratory NATIONAL

More information

STAFF REPORT. January 26, Audit Committee. Information Security Framework. Purpose:

STAFF REPORT. January 26, Audit Committee. Information Security Framework. Purpose: STAFF REPORT January 26, 2001 To: From: Subject: Audit Committee City Auditor Information Security Framework Purpose: To review the adequacy of the Information Security Framework governing the security

More information

Framework for Improving Critical Infrastructure Cybersecurity. and Risk Approach

Framework for Improving Critical Infrastructure Cybersecurity. and Risk Approach Framework for Improving Critical Infrastructure Cybersecurity Implementation of Executive Order 13636 and Risk Approach June 9, 2016 cyberframework@nist.gov Executive Order: Improving Critical Infrastructure

More information

State of South Carolina Interim Security Assessment

State of South Carolina Interim Security Assessment State of South Carolina Interim Security Assessment Deloitte & Touche LLP Date: October 28, 2013 Our services were performed in accordance with the Statement on Standards for Consulting Services that is

More information

Vulnerability Assessments and Penetration Testing

Vulnerability Assessments and Penetration Testing CYBERSECURITY Vulnerability Assessments and Penetration Testing A guide to understanding vulnerability assessments and penetration tests. OVERVIEW When organizations begin developing a strategy to analyze

More information

David Missouri VP- Governance ISACA

David Missouri VP- Governance ISACA David Missouri VP- Governance ISACA Present-Senior Agency Information Security Officer (SAISO) @GA DJJ 2012-2016 Information System Security Officer (ISSO) @ US DOL WHD 2011-2012 Network Administrator

More information

FPM-IT-420B: FAC-P/PM-IT Planning & Acquiring Operations of IT Systems Course Details

FPM-IT-420B: FAC-P/PM-IT Planning & Acquiring Operations of IT Systems Course Details FPM-IT-420B: FAC-P/PM-IT Planning & Acquiring Operations of IT Systems Course Details 2 FPM IT 420B: FAC P/PM IT Planning & Acquiring Operations of IT Systems FPM-IT-420B: FAC-P/PM-IT PLANNING & ACQUIRING

More information

MIS Week 9 Host Hardening

MIS Week 9 Host Hardening MIS 5214 Week 9 Host Hardening Agenda NIST Risk Management Framework A quick review Implementing controls Host hardening Security configuration checklist (w/disa STIG Viewer) NIST 800-53Ar4 How Controls

More information

Cybersecurity Risk Management:

Cybersecurity Risk Management: Cybersecurity Risk Management: Building a Culture of Responsibility G7 ICT and Industry Multistakeholder Conference September 25 2017 Adam Sedgewick asedgewick@doc.gov Cybersecurity in the Department of

More information

Program Review for Information Security Management Assistance. Keith Watson, CISSP- ISSAP, CISA IA Research Engineer, CERIAS

Program Review for Information Security Management Assistance. Keith Watson, CISSP- ISSAP, CISA IA Research Engineer, CERIAS Program Review for Information Security Management Assistance Keith Watson, CISSP- ISSAP, CISA IA Research Engineer, CERIAS Disclaimer and Purpose PRISMA, FISMA, and NIST, oh my! PRISMA versus an Assessment

More information

Developing a Model for Cyber Security Maturity Assessment

Developing a Model for Cyber Security Maturity Assessment Developing a Model for Cyber Security Maturity Assessment Tariq Al-idrissi, Associate Vice President IT, Trent University Ian Thomson, Information Security Officer, Trent University June 20 th, 2018 (8:45am

More information

Cybersecurity & Privacy Enhancements

Cybersecurity & Privacy Enhancements Business, Industry and Government Cybersecurity & Privacy Enhancements John Lainhart, Director, Grant Thornton The National Institute of Standards and Technology (NIST) is in the process of updating their

More information

Cyber Semantic Landscape Ontology and Taxonomy

Cyber Semantic Landscape Ontology and Taxonomy The Cyber Semantic Landscape Ontology and Taxonomy (CSLOT) provides a structured approach to the dynamic needs of the Cyber security concepts, theories, standards, and compliance issues facing the 21st

More information

SOLUTION BRIEF RSA ARCHER IT & SECURITY RISK MANAGEMENT

SOLUTION BRIEF RSA ARCHER IT & SECURITY RISK MANAGEMENT RSA ARCHER IT & SECURITY RISK MANAGEMENT INTRODUCTION Organizations battle growing security challenges by building layer upon layer of defenses: firewalls, antivirus, intrusion prevention systems, intrusion

More information

Security Management Models And Practices Feb 5, 2008

Security Management Models And Practices Feb 5, 2008 TEL2813/IS2820 Security Management Security Management Models And Practices Feb 5, 2008 Objectives Overview basic standards and best practices Overview of ISO 17799 Overview of NIST SP documents related

More information

INFORMATION ASSURANCE DIRECTORATE

INFORMATION ASSURANCE DIRECTORATE National Security Agency/Central Security Service INFORMATION ASSURANCE DIRECTORATE CGS Network Hunting The Network Hunting is employed to proactively look for indicators of an active threat or exploitation

More information

Cyber Security & Homeland Security:

Cyber Security & Homeland Security: Cyber Security & Homeland Security: Cyber Security for CIKR and SLTT Michael Leking 19 March 2014 Cyber Security Advisor Northeast Region Office of Cybersecurity and Communications (CS&C) U.S. Department

More information

Framework for Improving Critical Infrastructure Cybersecurity

Framework for Improving Critical Infrastructure Cybersecurity Framework for Improving Critical Infrastructure Cybersecurity November 2017 cyberframework@nist.gov Supporting Risk Management with Framework 2 Core: A Common Language Foundational for Integrated Teams

More information

The HITRUST CSF. A Revolutionary Way to Protect Electronic Health Information

The HITRUST CSF. A Revolutionary Way to Protect Electronic Health Information The HITRUST CSF A Revolutionary Way to Protect Electronic Health Information June 2015 The HITRUST CSF 2 Organizations in the healthcare industry are under immense pressure to improve quality, reduce complexity,

More information

Ensuring System Protection throughout the Operational Lifecycle

Ensuring System Protection throughout the Operational Lifecycle Ensuring System Protection throughout the Operational Lifecycle The global cyber landscape is currently occupied with a diversity of security threats, from novice attackers running pre-packaged distributed-denial-of-service

More information

Risk: Security s New Compliance. Torsten George VP Worldwide Marketing and Products, Agiliance Professional Strategies - S23

Risk: Security s New Compliance. Torsten George VP Worldwide Marketing and Products, Agiliance Professional Strategies - S23 Risk: Security s New Compliance Torsten George VP Worldwide Marketing and Products, Agiliance Professional Strategies - S23 Agenda Market Dynamics Organizational Challenges Risk: Security s New Compliance

More information

The next generation of knowledge and expertise

The next generation of knowledge and expertise The next generation of knowledge and expertise UNDERSTANDING FISMA REPORTING REQUIREMENTS 1 HTA Technology Security Consulting., 30 S. Wacker Dr, 22 nd Floor, Chicago, IL 60606, 708-862-6348 (voice), 708-868-2404

More information

CYBERSECURITY MATURITY ASSESSMENT

CYBERSECURITY MATURITY ASSESSMENT CYBERSECURITY MATURITY ASSESSMENT ANTICIPATE. IMPROVE. PREPARE. The CrowdStrike Cybersecurity Maturity Assessment (CSMA) is unique in the security assessment arena. Rather than focusing solely on compliance

More information

Cyber Hygiene: A Baseline Set of Practices

Cyber Hygiene: A Baseline Set of Practices [DISTRIBUTION STATEMENT A] Approved for public Cyber Hygiene: A Baseline Set of Practices Matt Trevors Charles M. Wallen Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213 Copyright

More information

CYBERSECURITY RESILIENCE

CYBERSECURITY RESILIENCE CLOSING THE IN CYBERSECURITY RESILIENCE AT U.S. GOVERNMENT AGENCIES Two-thirds of federal IT executives in a new survey say their agency s ability to withstand a cyber event, and continue to function,

More information

Medical Device Cybersecurity: FDA Perspective

Medical Device Cybersecurity: FDA Perspective Medical Device Cybersecurity: FDA Perspective Suzanne B. Schwartz MD, MBA Associate Director for Science and Strategic Partnerships Office of the Center Director (OCD) Center for Devices and Radiological

More information

STATE ENERGY RISK ASSESSMENT INITIATIVE ENERGY INFRASTRUCTURE MODELING AND ANALYSIS. National Association of State Energy Of ficials

STATE ENERGY RISK ASSESSMENT INITIATIVE ENERGY INFRASTRUCTURE MODELING AND ANALYSIS. National Association of State Energy Of ficials STATE ENERGY RISK ASSESSMENT INITIATIVE ENERGY INFRASTRUCTURE MODELING AND ANALYSIS Alice Lipper t Senior Technical Advisor Of fice of Electricity Deliver y and Energy Reliability (OE) US Depar tment of

More information

Cybersecurity-Related Information Sharing Guidelines Draft Document Request For Comment

Cybersecurity-Related Information Sharing Guidelines Draft Document Request For Comment Cybersecurity-Related Information Sharing Guidelines Draft Document Request For Comment SWG G 3 2016 v0.2 ISAO Standards Organization Standards Working Group 3: Information Sharing Kent Landfield, Chair

More information

NATIONAL DEFENSE INDUSTRIAL ASSOCIATION Homeland Security Symposium

NATIONAL DEFENSE INDUSTRIAL ASSOCIATION Homeland Security Symposium NATIONAL DEFENSE INDUSTRIAL ASSOCIATION Homeland Security Symposium Securing Cyber Space & America s Cyber Assets: Threats, Strategies & Opportunities September 10, 2009, Crystal Gateway Marriott, Arlington,

More information

Fiscal Year 2013 Federal Information Security Management Act Report

Fiscal Year 2013 Federal Information Security Management Act Report U.S. ENVIRONMENTAL PROTECTION AGENCY OFFICE OF INSPECTOR GENERAL Fiscal Year 2013 Federal Information Security Management Act Report Status of EPA s Computer Security Program Report. 14-P-0033 vember 26,

More information

FFIEC Cyber Security Assessment Tool. Overview and Key Considerations

FFIEC Cyber Security Assessment Tool. Overview and Key Considerations FFIEC Cyber Security Assessment Tool Overview and Key Considerations Overview of FFIEC Cybersecurity Assessment Tool Agenda Overview of assessment tool Review inherent risk profile categories Review domain

More information

Information Security and Service Management. Security and Risk Management ISSM and ITIL/ITSM Interrelationship

Information Security and Service Management. Security and Risk Management ISSM and ITIL/ITSM Interrelationship Information Security and Service Management for Management better business for State outcomes & Local Governments Security and Risk Management ISSM and ITIL/ITSM Interrelationship Introduction Over the

More information

Incentives for IoT Security. White Paper. May Author: Dr. Cédric LEVY-BENCHETON, CEO

Incentives for IoT Security. White Paper. May Author: Dr. Cédric LEVY-BENCHETON, CEO White Paper Incentives for IoT Security May 2018 Author: Dr. Cédric LEVY-BENCHETON, CEO Table of Content Defining the IoT 5 Insecurity by design... 5 But why are IoT systems so vulnerable?... 5 Integrating

More information

In 2017, the Auditor General initiated an audit of the City s information technology infrastructure and assets.

In 2017, the Auditor General initiated an audit of the City s information technology infrastructure and assets. REPORT FOR ACTION IT Infrastructure and IT Asset Management Review: Phase 1: Establishing an Information Technology Roadmap to Guide the Way Forward for Infrastructure and Asset Management Date: January

More information

Leveraging FISMA Guidance to Support an Effective Risk Management Strategy to Secure IT Systems and Meet Regulatory Requirements.

Leveraging FISMA Guidance to Support an Effective Risk Management Strategy to Secure IT Systems and Meet Regulatory Requirements. Leveraging FISMA Guidance to Support an Effective Risk Management Strategy to Secure IT Systems and Meet Regulatory Requirements. Thomas Chimento Ph.D., CISSP, CCE, CISA Product Manager Webroot Software

More information

Federal Civilian Executive branch State, Local, Tribal, Territorial government (SLTT) Private Sector (PS) Unclassified / Business Networks

Federal Civilian Executive branch State, Local, Tribal, Territorial government (SLTT) Private Sector (PS) Unclassified / Business Networks Brownsville Public Utilities Board Cyber Security Initiative A result of the BPUB IT Strategic Plan implemented a Cyber Security Framework (CSF) that utilizes : Security standards Tools and Best practices

More information

Testimony. Christopher Krebs Director Cybersecurity and Infrastructure Security Agency U.S. Department of Homeland Security FOR A HEARING ON

Testimony. Christopher Krebs Director Cybersecurity and Infrastructure Security Agency U.S. Department of Homeland Security FOR A HEARING ON Testimony Christopher Krebs Director Cybersecurity and Infrastructure Security Agency U.S. Department of Homeland Security FOR A HEARING ON Defending Our Democracy: Building Partnerships to Protect America

More information

CyberUSA Government Cyber Opportunities for your Region: The Federal Agenda - Federal, Grants & Resources Available to Support Community Cyber

CyberUSA Government Cyber Opportunities for your Region: The Federal Agenda - Federal, Grants & Resources Available to Support Community Cyber CyberUSA Government Cyber Opportunities for your Region: The Federal Agenda - Federal, Grants & Resources Available to Support Community Cyber Initiatives 30 January 2018 1 Agenda Federal Landscape Cybersecurity

More information

ISAO SO Product Outline

ISAO SO Product Outline Draft Document Request For Comment ISAO SO 2016 v0.2 ISAO Standards Organization Dr. Greg White, Executive Director Rick Lipsey, Deputy Director May 2, 2016 Copyright 2016, ISAO SO (Information Sharing

More information

Houston Urban Area Security Initiative (UASI) Cybersecurity Mini-Assessment Workshop

Houston Urban Area Security Initiative (UASI) Cybersecurity Mini-Assessment Workshop Houston Urban Area Security Initiative (UASI) Cybersecurity Mini-Assessment Workshop 3 June 2016 2 Agenda UASI Introduction Cyber Security Mini-Assessment 10:00AM - 10:30AM 10:30AM - Noon Networking Lunch

More information

Threat and Vulnerability Assessment Tool

Threat and Vulnerability Assessment Tool TABLE OF CONTENTS Threat & Vulnerability Assessment Process... 3 Purpose... 4 Components of a Threat & Vulnerability Assessment... 4 Administrative Safeguards... 4 Logical Safeguards... 4 Physical Safeguards...

More information

INFORMATION ASSURANCE DIRECTORATE

INFORMATION ASSURANCE DIRECTORATE National Security Agency/Central Security Service INFORMATION ASSURANCE DIRECTORATE CGS Host Intrusion The Host Intrusion employs a response to a perceived incident of interference on a host-based system

More information

NCCoE TRUSTED CLOUD: A SECURE SOLUTION

NCCoE TRUSTED CLOUD: A SECURE SOLUTION SESSION ID: SPO1-W14 NCCoE TRUSTED CLOUD: A SECURE SOLUTION Donna Dodson Associate Director Chief Cyber Security Advisor of the Information Technology Laboratory, Chief Cybersecurity Advisor for the National

More information

INFORMATION ASSURANCE DIRECTORATE

INFORMATION ASSURANCE DIRECTORATE National Security Agency/Central Security Service INFORMATION ASSURANCE DIRECTORATE Digital Policy Management consists of a set of computer programs used to generate, convert, deconflict, validate, assess

More information

Updates to the NIST Cybersecurity Framework

Updates to the NIST Cybersecurity Framework Updates to the NIST Cybersecurity Framework NIST Cybersecurity Framework Overview and Other Documentation October 2016 Agenda: Overview of NIST Cybersecurity Framework Updates to the NIST Cybersecurity

More information

Cyber Risk Program Maturity Assessment UNDERSTAND AND MANAGE YOUR ORGANIZATION S CYBER RISK.

Cyber Risk Program Maturity Assessment UNDERSTAND AND MANAGE YOUR ORGANIZATION S CYBER RISK. Cyber Risk Program Maturity Assessment UNDERSTAND AND MANAGE YOUR ORGANIZATION S CYBER RISK. In today s escalating cyber risk environment, you need to make sure you re focused on the right priorities by

More information

IT-CNP, Inc. Capability Statement

IT-CNP, Inc. Capability Statement Securing America s Infrastructure Security Compliant IT Operations Hosting Cyber Security Information FISMA Cloud Management Hosting Security Compliant IT Logistics Hosting 1 IT-CNP, Inc. is a Government

More information

Using Metrics to Gain Management Support for Cyber Security Initiatives

Using Metrics to Gain Management Support for Cyber Security Initiatives Using Metrics to Gain Management Support for Cyber Security Initiatives Craig Schumacher Chief Information Security Officer Idaho Transportation Dept. January 2016 Why Metrics Based on NIST Framework?

More information

Security and Privacy Governance Program Guidelines

Security and Privacy Governance Program Guidelines Security and Privacy Governance Program Guidelines Effective Security and Privacy Programs start with attention to Governance. Governance refers to the roles and responsibilities that are established by

More information

Introducing Cyber Observer

Introducing Cyber Observer "Organizations are failing at early breach detection, with more than 92% of breaches undetected by the breached organization. The situation can be improved with stronger threat intelligence, the addition

More information

Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure

Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure Executive Order 13800 Update July 2017 In Brief On May 11, 2017, President Trump issued Executive Order 13800, Strengthening

More information

How to Underpin Security Transformation With Complete Visibility of Your Attack Surface

How to Underpin Security Transformation With Complete Visibility of Your Attack Surface How to Underpin Security Transformation With Complete Visibility of Your Attack Surface YOU CAN T SECURE WHAT YOU CAN T SEE There are many reasons why you may be considering or engaged in a security transformation

More information

Enterprise Risk Management (ERM) and Cybersecurity. Na9onal Science Founda9on March 14, 2018

Enterprise Risk Management (ERM) and Cybersecurity. Na9onal Science Founda9on March 14, 2018 Enterprise Risk Management (ERM) and Cybersecurity Na9onal Science Founda9on March 14, 2018 Agenda Guiding Principles for Implementing ERM at NSF (Based on COSO) NSF s ERM Framework ERM Cybersecurity Risk

More information

National Policy and Guiding Principles

National Policy and Guiding Principles National Policy and Guiding Principles National Policy, Principles, and Organization This section describes the national policy that shapes the National Strategy to Secure Cyberspace and the basic framework

More information

FDA & Medical Device Cybersecurity

FDA & Medical Device Cybersecurity FDA & Medical Device Cybersecurity Closing Keynote, February 19, 2017 Suzanne B. Schwartz, M.D., MBA Associate Director for Science & Strategic Partnerships Center for Devices and Radiological Health US

More information

2016 Nationwide Cyber Security Review: Summary Report. Nationwide Cyber Security Review: Summary Report

2016 Nationwide Cyber Security Review: Summary Report. Nationwide Cyber Security Review: Summary Report Nationwide Cyber Security Review: Summary Report Nationwide Cyber Security Review: Summary Report ii Nationwide Cyber Security Review: Summary Report Acknowledgments The Multi-State Information Sharing

More information

TEL2813/IS2621 Security Management

TEL2813/IS2621 Security Management TEL2813/IS2621 Security Management James Joshi Associate Professor Lecture 4 + Feb 12, 2014 NIST Risk Management Risk management concept Goal to establish a relationship between aggregated risks from information

More information

Moving Beyond the Heat Map: Making Better Decisions with Cyber Risk Quantification

Moving Beyond the Heat Map: Making Better Decisions with Cyber Risk Quantification A CLOSER LOOK Moving Beyond the Heat Map: Making Better Decisions with Cyber Risk Quantification A major cybersecurity event can dissolve millions of dollars in assets and tarnish even the strongest company

More information

Defining the Challenges and Solutions. Resiliency Model. A Holistic Approach to Risk Management. Discussion Outline

Defining the Challenges and Solutions. Resiliency Model. A Holistic Approach to Risk Management. Discussion Outline Resiliency Model A Holistic Approach to Risk Management Discussion Outline Defining the Challenges and Solutions The Underlying Concepts of Our Approach Outlining the Resiliency Model (RM) Next Steps The

More information

IoT & SCADA Cyber Security Services

IoT & SCADA Cyber Security Services RIOT SOLUTIONS PTY LTD P.O. Box 10087 Adelaide St Brisbane QLD 4000 BRISBANE HEAD OFFICE Level 22, 144 Edward St Brisbane, QLD 4000 T: 1300 744 028 Email: sales@riotsolutions.com.au www.riotsolutions.com.au

More information

DATA SHEET RISK & CYBERSECURITY PRACTICE EMPOWERING CUSTOMERS TO TAKE COMMAND OF THEIR EVOLVING RISK & CYBERSECURITY POSTURE

DATA SHEET RISK & CYBERSECURITY PRACTICE EMPOWERING CUSTOMERS TO TAKE COMMAND OF THEIR EVOLVING RISK & CYBERSECURITY POSTURE DATA SHEET RISK & CYBERSECURITY PRACTICE EMPOWERING CUSTOMERS TO TAKE COMMAND OF THEIR EVOLVING RISK & CYBERSECURITY POSTURE EXECUTIVE SUMMARY ALIGNING CYBERSECURITY WITH RISK The agility and cost efficiencies

More information

Implementing Executive Order and Presidential Policy Directive 21

Implementing Executive Order and Presidential Policy Directive 21 March 26, 2013 Implementing Executive Order 13636 and Presidential Policy Directive 21 Mike Smith, Senior Cyber Policy Advisor, Office of Electricity Delivery and Energy Reliability, Department of Energy

More information

New York Cybersecurity. New York Cybersecurity. Requirements for Financial Services Companies (23NYCRR 500) Solution Brief

New York Cybersecurity. New York Cybersecurity. Requirements for Financial Services Companies (23NYCRR 500) Solution Brief Publication Date: March 10, 2017 Requirements for Financial Services Companies (23NYCRR 500) Solution Brief EventTracker 8815 Centre Park Drive, Columbia MD 21045 About EventTracker EventTracker s advanced

More information

Cyber Defense Maturity Scorecard DEFINING CYBERSECURITY MATURITY ACROSS KEY DOMAINS

Cyber Defense Maturity Scorecard DEFINING CYBERSECURITY MATURITY ACROSS KEY DOMAINS Cyber Defense Maturity Scorecard DEFINING CYBERSECURITY MATURITY ACROSS KEY DOMAINS Cyber Defense Maturity Scorecard DEFINING CYBERSECURITY MATURITY ACROSS KEY DOMAINS Continual disclosed and reported

More information

CISM Certified Information Security Manager

CISM Certified Information Security Manager CISM Certified Information Security Manager Firebrand Custom Designed Courseware Logistics Start Time Breaks End Time Fire escapes Instructor Introductions Introduction to Information Security Management

More information

IT SECURITY OFFICER. Department: Information Technology. Pay Range: Professional 18

IT SECURITY OFFICER. Department: Information Technology. Pay Range: Professional 18 Pierce County Classification Description IT SECURITY OFFICER Department: Information Technology Job Class #: 634900 Pay Range: Professional 18 FLSA: Exempt Represented: No Classification descriptions are

More information

Aboriginal Affairs and Northern Development Canada. Internal Audit Report Summary. Audit of Information Technology Security.

Aboriginal Affairs and Northern Development Canada. Internal Audit Report Summary. Audit of Information Technology Security. Aboriginal Affairs and Northern Development Canada Internal Audit Report Summary Audit of Information Technology Security Prepared by: Audit and Assurance Services Branch April 2015 NCR#7367040 - NCR#7358318

More information

Bonnie A. Goins Adjunct Industry Professor Illinois Institute of Technology

Bonnie A. Goins Adjunct Industry Professor Illinois Institute of Technology Bonnie A. Goins Adjunct Industry Professor Illinois Institute of Technology It s a hot topic!! Executives are asking their CISOs a LOT of questions about it Issues are costly, from a financial and a reputational

More information

Business Continuity Management: How to get started. Presented by: Tony Drewitt, Managing Director IT Governance Ltd 19 April 2018

Business Continuity Management: How to get started. Presented by: Tony Drewitt, Managing Director IT Governance Ltd 19 April 2018 Business Continuity Management: How to get started Presented by: Tony Drewitt, Managing Director IT Governance Ltd 19 April 2018 Introduction Tony Drewitt - Managing Director: IT Governance UK and EU One

More information

STRENGTHENING THE CYBERSECURITY OF FEDERAL NETWORKS AND CRITICAL INFRASTRUCTURE

STRENGTHENING THE CYBERSECURITY OF FEDERAL NETWORKS AND CRITICAL INFRASTRUCTURE STRENGTHENING THE CYBERSECURITY OF FEDERAL NETWORKS AND CRITICAL INFRASTRUCTURE By the authority vested in me as President by the Constitution and the laws of the United States of America, it is hereby

More information

Enhancing the Cybersecurity of Federal Information and Assets through CSIP

Enhancing the Cybersecurity of Federal Information and Assets through CSIP TECH BRIEF How BeyondTrust Helps Government Agencies Address Privileged Access Management to Improve Security Contents Introduction... 2 Achieving CSIP Objectives... 2 Steps to improve protection... 3

More information

Chapter 18 SaskPower Managing the Risk of Cyber Incidents 1.0 MAIN POINTS

Chapter 18 SaskPower Managing the Risk of Cyber Incidents 1.0 MAIN POINTS Chapter 18 SaskPower Managing the Risk of Cyber Incidents 1.0 MAIN POINTS The Saskatchewan Power Corporation (SaskPower) is the principal supplier of power in Saskatchewan with its mission to deliver power

More information