The Center for Internet Security

Similar documents
The CIS Security Metrics & Benchmarking Service. Clint Kreitner The Center for Internet Security

Security Metrics Establishing unambiguous and logically defensible security metrics. Steven Piliero CSO The Center for Internet Security

Gujarat Forensic Sciences University

SOLUTION BRIEF RSA ARCHER IT & SECURITY RISK MANAGEMENT

COMESA CYBER SECURITY PROGRAM KHARTOUM, SUDAN

Boston Chapter AGA 2018 Regional Professional Development Conference Cyber Security MAY 2018

CA Security Management

THE POWER OF TECH-SAVVY BOARDS:

Enhancing the Cybersecurity of Federal Information and Assets through CSIP

A Methodology to Build Lasting, Intelligent Cybersecurity Programs

The University of Queensland

Mapping Your Requirements to the NIST Cybersecurity Framework. Industry Perspective

Adaptive & Unified Approach to Risk Management and Compliance via CCF

Protecting your data. EY s approach to data privacy and information security

Cyber Risk Program Maturity Assessment UNDERSTAND AND MANAGE YOUR ORGANIZATION S CYBER RISK.

IT SECURITY OFFICER. Department: Information Technology. Pay Range: Professional 18

Six Weeks to Security Operations The AMP Story. Mike Byrne Cyber Security AMP

Texas Reliability Entity, Inc. Strategic Plan for 2017 TEXAS RE STRATEGIC PLAN FOR 2017 PAGE 1 OF 13

Converged security. Gerben Verstraete, CTO, HP Software Services Colin Henderson, Managing Principal, Enterprise Security Products

Canada Highlights. Cybersecurity: Do you know which protective measures will make your company cyber resilient?

IBM Global Technology Services Provide around-the-clock expertise and protect against Internet threats.

NATIONAL GUIDELINES ON CLOUD COMPUTING FOR GOVERNMENT, MINISTRIES, DEPARTMENTS AND AGENCIES

External Supplier Control Obligations. Cyber Security

SYMANTEC: SECURITY ADVISORY SERVICES. Symantec Security Advisory Services The World Leader in Information Security

Cyber Criminal Methods & Prevention Techniques. By

Robert Hayes Senior Director Microsoft Global Cyber Security & Data Protection Group

Cyber Security Program

Demystifying GRC. Abstract

Optimisation drives digital transformation

Angela McKay Director, Government Security Policy and Strategy Microsoft

UNCLASSIFIED. National and Cyber Security Branch. Presentation for Gridseccon. Quebec City, October 18-21

CCISO Blueprint v1. EC-Council

ISO COMPLIANCE GUIDE. How Rapid7 Can Help You Achieve Compliance with ISO 27002

What is ISO ISMS? Business Beam

Data Protection. Practical Strategies for Getting it Right. Jamie Ross Data Security Day June 8, 2016

New York Cybersecurity. New York Cybersecurity. Requirements for Financial Services Companies (23NYCRR 500) Solution Brief

AZURE CLOUD SECURITY GUIDE: 6 BEST PRACTICES. To Secure Azure and Hybrid Cloud Environments

The Common Controls Framework BY ADOBE

Cybersecurity and Hospitals: A Board Perspective

BUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE

FDA & Medical Device Cybersecurity

A Risk Management Platform

A Practical Guide to Efficient Security Response

Virtustream Cloud and Managed Services Solutions for US State & Local Governments and Education

Information Technology General Control Review

FFIEC Cyber Security Assessment Tool. Overview and Key Considerations

A Survival Guide to Continuity of Operations. David B. Little Senior Principal Product Specialist

Question 1: What steps can organizations take to prevent incidents of cybercrime? Answer 1:

79th OREGON LEGISLATIVE ASSEMBLY Regular Session. Senate Bill 90

INTELLIGENCE DRIVEN GRC FOR SECURITY

NERC CIP VERSION 6 BACKGROUND COMPLIANCE HIGHLIGHTS

Symantec Data Center Transformation

ISO/IEC Information technology Security techniques Code of practice for information security management

align security instill confidence

Effective: 12/31/17 Last Revised: 8/28/17. Responsible University Administrator: Vice Chancellor for Information Services & CIO

Implementing Executive Order and Presidential Policy Directive 21

Security

United States Energy Association Energy Technology and Governance Program REQUEST FOR PROPOSALS

KEDAYAM A KAAPAGAM MANAGED SECURITY SERVICES. Kaapagam Technologies Sdn. Bhd. ( T)

Designing and Building a Cybersecurity Program

Business Continuity Management Standards A Side-by-Side Comparison

December 10, Statement of the Securities Industry and Financial Markets Association. Senate Committee on Banking, Housing, and Urban Development

Building UAE s cyber security resilience through effective use of technology, processes and the local people.

RSA RISK FRAMEWORKS MAKING DIGITAL RISK MANAGEABLE

What is Penetration Testing?

An ICS Whitepaper Choosing the Right Security Assessment

whitepaper How to Measure, Report On, and Actually Reduce Vulnerability Risk

SANS Top 20 CIS. Critical Security Control Solution Brief Version 6. SANS Top 20 CIS. EventTracker 8815 Centre Park Drive, Columbia MD 21045

EUROPEAN ICT PROFESSIONAL ROLE PROFILES VERSION 2 CWA 16458:2018 LOGFILE

Oregon State Police. Information Technology. Honor Loyalty. Pride Dedication

Position Title: IT Security Specialist

Certified Information Security Manager (CISM) Course Overview

THALES DATA THREAT REPORT

Key Findings from the Global State of Information Security Survey 2017 Indonesian Insights

General Framework for Secure IoT Systems

European Union Agency for Network and Information Security

Modern Database Architectures Demand Modern Data Security Measures

Achilles System Certification (ASC) from GE Digital

Your Data and Artificial Intelligence: Wise Athena Security, Privacy and Trust. Wise Athena Security Team

Advanced Security Centers. Enabling threat and vulnerability services in a borderless world

Smart Grid Standards and Certification

Service. Sentry Cyber Security Gain protection against sophisticated and persistent security threats through our layered cyber defense solution

Transformation in Technology Barbara Duck Chief Information Officer. Investor Day 2018

GOVERNANCE, RISK MANAGEMENT AND COMPLIANCE TRENDS BY FCPAK ERIC KIMANI

OneUConn IT Service Delivery Vision

Presented by Ingrid Fredeen and Pamela Passman. Copyright 2017NAVEXGlobal,Inc. AllRightsReserved. Page 0

Gain Control Over Your Cloud Use with Cisco Cloud Consumption Professional Services

The NIST Cybersecurity Framework

NYDFS Cybersecurity Regulations

Introducing Cyber Observer

STRATEGIC PLAN

COMPTIA CLO-001 EXAM QUESTIONS & ANSWERS

ISAO SO Product Outline

CERT Symposium: Cyber Security Incident Management for Health Information Exchanges

2017 Company Profile

Google Cloud & the General Data Protection Regulation (GDPR)

Jim Reavis CEO and Founder Cloud Security Alliance December 2017

Security and resilience in Information Society: the European approach

Security In A Box. Modular Security Services Offering - BFSI. A new concept to Security Services Delivery.

How to implement NIST Cybersecurity Framework using ISO WHITE PAPER. Copyright 2017 Advisera Expert Solutions Ltd. All rights reserved.

Transcription:

The Center for Internet Security The CIS Security Metrics Service July 1 2008 Organizations struggle to make cost-effective security investment decisions; information security professionals lack widely accepted and unambiguous metrics for decision support. CIS has established a consensus team of industry experts to address this need. The result will be an independent, metric framework and service to define, collect and analyze data on security process benefits and outcomes. Service Overview 1 P a g e

Contents Introduction... 3 Background... 3 The CIS Security Metrics Service... 5 Goals... 5 Initial Scope... 5 Requirements... 5 Solution... 5 Security Metrics Consensus Team Progress... 6 Accomplishments... 6 Outcomes... 6 Processes and Practices... 6 Metric Schema... 6 Future Benefits... 7 Contact... 7 2 P a g e

Introduction Cyber threats and attacks are on the rise and becoming ever more sophisticated. The TJ Maxx security breach and DNS cache poisoning of recent memory illustrate the need for tighter cyber security to not only keep up with such attacks but to proactively prevent them. The results of attacks can be devastating for all parties involved: customers private data is at risk or tampered with, business reputations are often damaged, trust amongst customers is destroyed sending them to competitors, and millions of dollars must be spent to fix the breach and its many consequences. To remedy this growing problem, our goal is to develop practical, security outcome metrics to enable businesses and organizations to make cost-effective security investment decisions. Furthermore, since there are no standardized security outcome metrics currently in place, it is our aim to become the definitive source for standardized metrics for use amongst all industries and sectors. Background Whether it is for personal or organizational purposes, it is clear that global cyber infrastructure serves as an indispensible tool to conduct human affairs; individuals and organizations now depend almost wholly on consistent access to information. Therefore, information must be consistently available and the cyber infrastructure that supports its access must be fully functional on demand. The concept of electricity and the power grid can be applied here: success is measured by available electricity and the grid functioning as designed when needed. After expending considerable resources in recent years to improve cyber security, legislators and senior executives in both the public and private sectors responsible for allocation of said resources have begun to raise questions regarding the effectiveness of these expenditures: What are the business benefits for current and alternative efforts? Which measure(s) should we pursue to achieve a desired business benefit? How do we spend a given budget to obtain the greatest benefit from available resources? Which effort should be implemented first to maximize business benefit? These appropriate and timely questions motivate us to define and measure the results (outcomes) of our cyber security efforts. The primary focus of efforts to date has been on the use of so-called best practices and compliance with them. 3 P a g e

Consequently, there is scant information on the correlation between the benefit(s) of various best practices and actual security outcomes. Until greater knowledge is available, making cost-effective security investment decisions will continue to be an intuitive process rather than one based on hard data. The primary desired outcomes of cyber security are: (1) a sustained reduction over time of the frequency and severity of security incidents, defined as operational interruptions (Availability) or unauthorized access to/disclosure of/tampering with information (Confidentiality and Integrity); and (2) a basis for correlating specific security practices with incident reduction to make better security investment decisions. Generally, an unacceptable outcome indicates that one or more of the processes that produced that outcome needs improvement. Monitoring the outcomes of enterprise security practices via outcome metrics constitutes a critical feedback loop required for improving those outcomes over time. This feedback mechanism is a fundamental and indispensible characteristic of the competitive free enterprise system. 4 P a g e

The CIS Security Metrics Service Goals CIS s successful use of the consensus process in producing widely used security configuration benchmarks is being employed to: (1) Achieve community consensus on a small number (fewer than 10) of unambiguous business outcome and process security metrics, and (2) Provide an operational security metrics service that enables: communication of internal security performance over time, anonymous inter-organization comparison of security status, mechanisms for organizations to determine security practice and outcome benefits to capacitate more informed security investment decisions in the future. Initial Scope Key criteria were established for the initial set of consensus metrics. They are a balanced combination of outcome and practice metrics measuring: (1) The frequency and severity of security incidents, (2) Incident recovery performance, and (3) Use of security practices generally regarded as effective. Developing metrics that utilize data commonly available in most enterprises was recognized as a practical consideration. Requirements Critical requirements for participant submission of their metric values were also recognized as key factors. They include: (1) Privacy and assurance that individual data values cannot be traced back to their identity, (2) Protection against the submission of non-legitimate data by non-legitimate submitters, and (3) Provision of a robust set of analysis and reporting features. Solution To fulfill these requirements, the CIS Security Metrics Service is designed with the following core features: (1) Anonymity of data submitter, (2) Strong authentication and validation for syntactical as well as semantic validity, and (3) The first integration for security metrics of several specialized open source technologies for business intelligence, statistical processing, spreadsheet-based data analysis, visualization, and the semantic web. 5 P a g e

Security Metrics Consensus Team Progress Accomplishments A team of over 60 government, private, and academic experts have been working to reach consensus on a small initial set, fewer than ten (10), of security outcome and practice metrics. At present these are not fully and unambiguously defined metrics, only concepts. They represent outcome and practice areas of security regarded by the consensus team as important yet subject to further refinement by the team. Currently, the team has achieved agreement on developing metrics in the following conceptual areas: Outcomes Mean time between security incidents Mean time to recover from security incidents Processes and Practices % of systems configured to approved standards % of systems patched to policy % of systems with anti-virus protection % of business applications that underwent risk assessment % of business applications that underwent penetration or vulnerability assessment % of application code that underwent security assessment, threat model analysis, or code review prior to production deployment Metric Schema A security metric schema has been developed that will serve as a structure for the final definition of each metric so that terms, definitions, and computational aspects are unambiguous. 6 P a g e

Future Benefits Once a significant volume of outcome metrics data is available, a number of important purposes will be served: (1) The ability of organizations to compare their outcomes against the distribution curves derived from data populated by other entities, thus creating an intrinsic improvement mechanism by invoking the desire to remain competitive and innovative. (2) The understanding of practical benefits and effectiveness of best practices such as monitoring information flows, risk assessment models, patching, configuration, and maturity models, as they affect the reduction of the frequency and impact of security incidents. In that respect, business outcome metrics will serve as the learning and feedback loop that is currently missing from these practices. (3) The provision of a rational basis for making cost-effective security investments. (4) The sustained downward trend over time of security incidents impacting the availability, confidentiality, and integrity of information needed by users of the cyber infrastructure through wiser security investment decisions. Contact If you are interested in actively participating as a member of the virtual, CIS Security Consensus Metrics Team or have questions, please contact Steven Piliero at spiliero@cisecurity.org. 7 P a g e

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback