standards and frameworks and controls oh my! Mike Garcia Senior Advisor for Elections Best Practices

Similar documents
The NIST Cybersecurity Framework

K12 Cybersecurity Roadmap

Framework for Improving Critical Infrastructure Cybersecurity

Cybersecurity & Privacy Enhancements

NCSF Foundation Certification

May 14, :30PM to 2:30PM CST. In Plain English: Cybersecurity and IT Exam Expectations

A Controls Factory Approach To Operationalizing a Cyber Security Program Based on the NIST Cybersecurity Framework

Cybersecurity Risk Management:

CISO as Change Agent: Getting to Yes

Updates to the NIST Cybersecurity Framework

Cybersecurity: Considerations for Internal Audit. Gina Gondron Senior Manager Frazier & Deeter Geek Week August 10, 2016

ISO COMPLIANCE GUIDE. How Rapid7 Can Help You Achieve Compliance with ISO 27002

CYBERSECURITY FOR STARTUPS AND SMALL BUSINESSES OVERVIEW OF CYBERSECURITY FRAMEWORKS

Why you should adopt the NIST Cybersecurity Framework

THE POWER OF TECH-SAVVY BOARDS:

A Controls Factory Approach To Building a Cyber Security Program Based on the NIST Cybersecurity Framework (NCSF)

Cyber Risk Program Maturity Assessment UNDERSTAND AND MANAGE YOUR ORGANIZATION S CYBER RISK.

The Key Principles of Cyber Security for Connected and Automated Vehicles. Government

John Snare Chair Standards Australia Committee IT/12/4

Information Security Management Systems Standards ISO/IEC Global Opportunity for the Business Community

Sneak Peak at CIS Critical Security Controls V 7 Release Date: March Presented by Kelli Tarala Principal Consultant Enclave Security

Securing Your Digital Transformation

Mapping Your Requirements to the NIST Cybersecurity Framework. Industry Perspective

An Overview of ISO/IEC family of Information Security Management System Standards

NCSF Foundation Certification

CYBERSECURITY MATURITY ASSESSMENT

Security and Privacy Governance Program Guidelines

Improving Critical Infrastructure Cybersecurity Executive Order Preliminary Cybersecurity Framework

WELCOME ISO/IEC 27001:2017 Information Briefing

BUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE

Evaluating and Improving Cybersecurity Capabilities of the Electricity Critical Infrastructure

Dear Mr. Games: Please see our submission attached. With kind regards, Aaron

Institute of Internal Auditors 2019 CONNECT WITH THE IIA CHICAGO #IIACHI

Assurance through the ISO27002 Standard and the US NIST Cybersecurity Framework. Keith Price Principal Consultant

NCCoE TRUSTED CLOUD: A SECURE SOLUTION

*** THIS DOCUMENT IS CLASSIFIED FOR PUBLIC ACCESS ***

Using the NIST Framework for Metrics 5/14/2015

Automating the Top 20 CIS Critical Security Controls

Security Metrics. February 25, Annabelle Lee Senior Technical Executive

Framework for Improving Critical Infrastructure Cybersecurity

TAN Jenny Partner PwC Singapore

FRAMEWORK MAPPING HITRUST CSF V9 TO ISO 27001/27002:2013. Visit us online at Flank.org to learn more.

Risk-Based Cyber Security for the 21 st Century

Re: McAfee s comments in response to NIST s Solicitation for Comments on Draft 2 of Cybersecurity Framework Version 1.1

CyberUSA Government Cyber Opportunities for your Region: The Federal Agenda - Federal, Grants & Resources Available to Support Community Cyber

Bonnie A. Goins Adjunct Industry Professor Illinois Institute of Technology

Framework for Improving Critical Infrastructure Cybersecurity

Executive Order & Presidential Policy Directive 21. Ed Goff, Duke Energy Melanie Seader, EEI

Cybersecurity Presidential Policy Directive Frequently Asked Questions. kpmg.com

Kent Landfield, Director Standards and Technology Policy

Framework for Improving Critical Infrastructure Cybersecurity

Dr. Emadeldin Helmy Cyber Risk & Resilience Bus. Continuity Exec. Director, NTRA. The African Internet Governance Forum - AfIGF Dec 2017, Egypt

SOLUTION BRIEF Virtual CISO

Designing and Building a Cybersecurity Program

ISO/IEC INTERNATIONAL STANDARD. Information technology Security techniques Information security management systems Overview and vocabulary

Vendor Risk Management. How to Confront Third-Party Cyber Risk in Your Supply Chain

Federal Continuous Monitoring Working Group. March 21, DOJ Cybersecurity Conference 2/8/2011

National Cybersecurity Center of Excellence

ISAO SO Product Outline

Cyber Security Standards Developments

Mitigating Risk with Ongoing Cybersecurity Risk Assessment. Scott Moser CISO Caesars Entertainment

Moving Beyond the Heat Map: Making Better Decisions with Cyber Risk Quantification

Acalvio Deception and the NIST Cybersecurity Framework 1.1

How to implement NIST Cybersecurity Framework using ISO WHITE PAPER. Copyright 2017 Advisera Expert Solutions Ltd. All rights reserved.

ISO/IEC ISO/IEC

Protect Your Institution with Effective Cybersecurity Governance. Baker Tilly Virchow Krause, LLP

HITRUST CSF: One Framework

ISA99 - Industrial Automation and Controls Systems Security

TEL2813/IS2820 Security Management

EXAM PREPARATION GUIDE

BUSINESS CONTINUITY MANAGEMENT PROGRAM OVERVIEW

Technology Risk Management in Banking Industry. Rocky Cheng General Manager, Information Technology, Bank of China (Hong Kong) Limited

INFORMATION SECURITY MANAGEMENT SYSTEMS CERTIFICATION RESEARCH IN THE ROMANIAN ORGANIZATIONS

SOLUTION BRIEF RSA ARCHER IT & SECURITY RISK MANAGEMENT

Choosing the Right Cybersecurity Assessment Tool Michelle Misko, TraceSecurity Product Specialist

Implementing Executive Order and Presidential Policy Directive 21

Cybersecurity for Health Care Providers

Protecting vital data with NIST Framework

Developing a Model for Cyber Security Maturity Assessment

Risk: Security s New Compliance. Torsten George VP Worldwide Marketing and Products, Agiliance Professional Strategies - S23

Overview of the Cybersecurity Framework

NY State s Cybersecurity Legislation Requirements for Risk Management, Security of Applications, and the Appointed CISO

European Union Agency for Network and Information Security

Cybersecurity in Higher Ed

Predstavenie štandardu ISO/IEC 27005

Ontario Energy Board Cyber Security Framework

Cymsoft Information Technologies

NIST Security Certification and Accreditation Project

Q&A TAKING ENTERPRISE SECURITY TO THE NEXT LEVEL. An interview with John Summers, Enterprise VP and GM, Akamai

Function Category Subcategory Implemented? Responsible Metric Value Assesed Audit Comments

Ensuring System Protection throughout the Operational Lifecycle

Mission: Continuity BUILDING RESILIENCE AGAINST UNPLANNED SERVICE INTERRUPTIONS

Security Management Models And Practices Feb 5, 2008

CONE 2019 Project Proposal on Cybersecurity

Enhancing the Cybersecurity of Federal Information and Assets through CSIP

Framework for Improving Critical Infrastructure Cybersecurity

FTA 2017 SEATTLE. Cybersecurity and the State Tax Threat Environment. Copyright FireEye, Inc. All rights reserved.

SOC for cybersecurity

What is ISO/IEC 27001?

Balancing Compliance and Operational Security Demands. Nov 2015 Steve Winterfeld

Transcription:

standards and frameworks and controls oh my! Mike Garcia Senior Advisor for Elections Best Practices mike.garcia@cisecurity.org

The big three in their own words ISO 27000: family of standards to help organizations manage the security of assets such as financial information, intellectual property, employee details and [3rd party] information. NIST CSF: prioritized, flexible, and cost-effective framework to manage cybersecurity-related risk. Helps to promote the protection and resilience of critical infrastructure and other sectors important to the economy and national security. CIS Controls: a concise, prioritized set of cyber practices created to stop today's most pervasive and dangerous cyber attacks. 2

Questions? Mike Garcia Senior Advisor for Elections Best Practices mike.garcia@cisecurity.org 3

More specifically ISO 27000: family of standards to help organizations manage the security of assets such as financial information, intellectual property, employee details and 3rd party information. NIST CSF: prioritized, flexible, and cost-effective framework to manage cybersecurity-related risk. Helps to promote the protection and resilience of critical infrastructure and other sectors important to the economy and national security. CIS Controls: a concise, prioritized set of cyber practices created to stop today's most pervasive and dangerous cyber attacks. The Controls are developed, refined, and validated by a community of leading experts from around the world. 4

More simply ISO 27000: family of standards NIST CSF: framework CIS Controls: actions 5

In one bullet ISO 27000: family of standards policy and process, less tactical NIST CSF: framework puts the organize in your organization CIS Controls: cyber practices the things you put in place to get results 6

What they have in common All drive a standardized approach to security Standard here means repeatability and comparability; they turn amorphous cybersecurity blah blah into apples All are developed with an open, consensus-based approach Experts gather, exfoliate brilliance, reach consensus All work for all orgs regardless of size or substance The content is applicable to all; it s up to the org to place the goalpost They get along but serve different purposes 7

ISO 27000 Pros About establishing appropriate conditions to do the right thing Something for everyone: a great deal of detail, including governance, privacy, supply chain High specificity, including sector-specific for different sectors such as energy, health, teleco, cloud Cons Requires substantial expertise to understand and implement Can be costly to very small orgs Rather overwhelming to navigate 8

NIST Cybersecurity Framework Pros (Mostly) understandable by non-technical readers Can be completed quickly or in great detail to suit the orgs needs Has a self-contained maturity model helps you understand what s right for your org and track to it Highly flexible for different types of orgs Cons Better suited for diagnostic, organizational, and planning than for executing Helps you focus; doesn t tell you what to do or how to do it 9

CIS Controls Pros Prioritized and concise Action oriented: provides technical implementation information i.e., use a tool to do this, deploy controls to do that Relatively rapid updates Cons Less tailored to discuss overall organizational posture at an executive level Partial maturity model (but v7.1 should fix this) 10

ISO 27000

Just a dip of the big toe 27000: Overview and vocabulary 27001: Requirements 27002: Code of practices for information security controls 27003: Guidance 27004: Monitoring, measurement, analysis, and evaluation 27005: Information security risk management 27006: Requirements for bodies providing audit and certification of information security management systems 27007: Guidelines for information security management systems auditing 27008: Guidelines for auditors on information security controls 12

And the other big toe 27009: Sector-specific application of ISO/IEC 27001 Requirements 27010: Information security management for inter-sector and inter-organizational communications 27011: Code of practice for information security controls based on ISO/IEC 27002 for telecommunications organizations 27013: Guidance on the integrated implementation of ISO/IEC 27001 and ISO/IEC 20000-1 27014: Governance of information security 27016: Organizational economics 27017: Code of practice for information security controls based on ISO/IEC 27002 for cloud services 27018: Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors 27019: Information security controls for the energy utility industry 27021: Competence requirements for information security management systems professionals 27799: Information security management in health using ISO/IEC 27002 13

But ISO 27000 doesn t have to be scary 27000 family focus on how to develop a system and making sure you use that system in a secure way Helps with the policies, procedures, people, assets that need to be managed and how to make them work in a system Example: ISO 27002, 15.1 on supplier relationships Details how to develop a policy for supplier access to organizational information. 14

NIST Cybersecurity Framework

Truly a framework Gives orgs a common taxonomy and mechanism to: 1. Describe their current cybersecurity posture; 2. Describe their target state for cybersecurity; 3. Identify and prioritize opportunities for improvement within the context of a continuous and repeatable process; 4. Assess progress toward the target state; 5. Communicate among internal and external stakeholders about cybersecurity risk. 5 functions, 23 categories, and 108 subcategories Has implementation tiers for maturity and profiles to customize 16

Truly a framework Example: Function: Protect (PR) Category: Identity Management, Authentication and Access Control (PR.AC): Access to physical and logical assets and associated facilities is limited to authorized users, processes, and devices, and is managed consistent with the assessed risk of unauthorized access to authorized activities and transactions. Subcat: PR.AC-1: Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes References include CIS Controls 1, 5, 15, 16 17

CIS Controls

A complete but not overwhelming model Informed by 5 tenets: Offense informs defense Prioritization Measurements and Metrics Continuous diagnostics and mitigation Automation 20 controls encompassing a total of 171 sub-controls Organized into 3 sets: basic, foundational, organizational Starting in v7.1, sub-controls are organized into 3 implementation group to help implement a maturity model 19

CIS Controls Version 7 20

A complete (but not overwhelming) model Example: CIS Control 16: Account Monitoring and Control Includes 13 sub-controls Sub-controls related to NIST CSF PR-AC1 include: 1. Maintain an Inventory of Authentication Systems 2. Configure Centralized Point of Authentication 3. Encrypt or Hash All Authentication Credentials 4. Encrypt Transmittal of Username and Authentication Credentials 5. Maintain an Inventory of Accounts 6. Establish Process for Revoking Access 7. Disable Any Unassociated Accounts 8. Disable Dormant Accounts 9. Ensure All Accounts Have An Expiration Date 21

Summarizing

Comparing NIST CSF to CIS Controls NIST CSF PR.AC-1 Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes CIS Control: CIS Control 16, relevant sub-controls 1. Maintain an Inventory of Authentication Systems 2. Configure Centralized Point of Authentication 3. Encrypt or Hash All Authentication Credentials 4. Encrypt Transmittal of Username and Authentication Credentials 5. Maintain an Inventory of Accounts 6. Establish Process for Revoking Access 7. Disable Any Unassociated Accounts 8. Disable Dormant Accounts 9. Ensure All Accounts Have An Expiration Date 23

In summary All widely accepted and don t compete with each other ISO 27000 family Best for developing management systems Lots of detail on developing policies and procedures NIST CSF Best as an executive diagnostic and communication tool Structured for setting organizational targets and objectives CIS Controls Best for bridging the big picture and the details Faster rev rate, so better suited for evolving threats 24

Thank You Mike Garcia Senior Advisor for Elections Best Practices mike.garcia@cisecurity.org 25

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback