Framework for Improving Critical Infrastructure Cybersecurity: Implementation of Executive Order 13636 and Risk Approach


Framework for Improving Critical Infrastructure Cybersecurity: Implementation of Executive Order 13636 and Risk Approach
June 9, 2016
cyberframework@nist.gov

Executive Order: Improving Critical Infrastructure Cybersecurity

"It is the policy of the United States to enhance the security and resilience of the Nation's critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties." (President Barack Obama, Executive Order 13636, Feb. 12, 2013)

The National Institute of Standards and Technology (NIST) was directed to work with stakeholders to develop a voluntary framework for reducing cyber risks to critical infrastructure. Version 1.0 of the framework was released on Feb. 12, 2014, along with a roadmap for future work. To allow time for adoption, Framework version 2.0 was not planned, and is still not planned, for the near term.

April 2016 Workshop plots evolution of NIST Cybersecurity Framework

A Dell survey published in Dec 2015 states that 82% of the federal IT security employees surveyed are using sections of the framework within their own cybersecurity programs, with 53% using the entire guide. Of those using the framework, 74% state it is used as a foundation for their cybersecurity roadmap, helping to improve organizational security; it is simply good policy, no matter which sector is moving to embrace it.

NIST posted a Request For Information in Dec 2015, seeking to learn from the private sector how organizations are sharing the framework's best practices, what parts of the framework are utilized more than others, and what sections need to be updated. The diversity of the 105 organizations that responded surprised NIST, given that the framework was originally geared toward protecting critical infrastructure. Submitted comments ranged from aerospace company Boeing to telecom giant AT&T, to the likes of Microsoft and trade groups like CompTIA and NASCIO.

The April 2016 workshop concluded there are opportunities to make small changes, clarifications, and maybe to expand some areas, but not a version 2.0.

The Framework in a Nutshell

The Framework:
- Is a guide to ensuring you include a set of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks.
- Provides a guide to a prioritized, flexible, repeatable, performance-based approach to help owners and operators of critical infrastructure identify, assess, and manage cyber risk.
- Identifies areas for improvement to be addressed through future collaboration with particular sectors and standards-developing organizations.
- Is consistent with voluntary international standards (more later in the presentation).

Key Points about the Cybersecurity Framework

- It is a framework, not a prescription. It provides a common language and systematic methodology for managing cyber risk. It does not tell a company how much cyber risk is tolerable, nor does it claim to provide the one and only formula for cybersecurity.
- Having a common lexicon to enable action across a very diverse set of stakeholders will enable the best practices of elite companies to become standard practices for everyone.
- The framework is a living document. It is intended to be updated over time as stakeholders learn from implementation, and as technology and risks change. That is one reason why the framework focuses on questions an organization needs to ask itself to manage its risk. While practices, technology, and standards will change over time, principles will not.

Framework Core

When considered together, the Framework Core's Functions provide a high-level, strategic view of the life cycle of an organization's management of cybersecurity risk. Each Function answers one question:
- What assets need protection?
- What safeguards are available?
- What techniques can identify incidents?
- What techniques can contain impacts of incidents?
- What techniques can restore capabilities?

Framework Core Excerpt (table columns: Function, Category, Subcategory, Informative References)

Establish or Improve a Cybersecurity Program

Step 1: Prioritize and Scope. Requests that organizations scope and prioritize business/mission objectives and high-level organizational priorities. This information allows organizations to make strategic decisions regarding the scope of systems and assets that support the selected business lines or processes within the organization.

Step 2: Orient. Provides organizations an opportunity to identify threats to, and vulnerabilities of, the systems identified in the Prioritize and Scope step.

Step 3: Create a Current Profile. Identifies the requirement to define the current state of the organization's cybersecurity program by establishing a current state profile.

Step 4: Conduct a Risk Assessment. Allows organizations to conduct a risk assessment using their currently accepted methodology. The information produced in this step is used in Step 5.

Step 5: Create a Target Profile. Allows organizations to develop a risk-informed target state profile. The target state profile focuses on the assessment of the Framework Categories and Subcategories describing the organization's desired cybersecurity outcomes.

Step 6: Determine, Analyze, and Prioritize Gaps. Organizations conduct a gap analysis to determine opportunities for improving the current state. The gaps are identified by overlaying the current state profile with the target state profile.

Step 7: Implement Action Plan. After the gaps are identified and prioritized, the required actions are taken to close the gaps and work toward obtaining the target state.
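Steps 3 through 7 above are mechanical once the profiles exist, and the overlay in Step 6 is easy to get wrong (a subcategory that appears only in the target profile is still a gap). The following is an added example, not code from the presentation or from NIST: it models a Current Profile and a Target Profile as maps from subcategory id to an implementation level, overlays them, and ranks the gaps into an ordered action plan. The five Function names and the two-letter prefixes are the Framework Core's own; the subcategory ids follow the Framework's naming scheme, while the level values (0 to 4), the per-Function risk weights and the scoring rule are constructed assumptions for illustration.

```python
"""Added example: Steps 3-7 of the program-building process as code.
Function names/prefixes are the Framework Core's; levels, weights and the
priority rule are constructed assumptions, not prescribed by the Framework."""
from __future__ import annotations
from dataclasses import dataclass

# The Framework Core's five Functions, keyed by the prefix used in subcategory ids.
FUNCTIONS = {"ID": "Identify", "PR": "Protect", "DE": "Detect", "RS": "Respond", "RC": "Recover"}

# Constructed Current Profile (Step 3): subcategory -> implementation level 0..4 (assumed scale).
CURRENT_PROFILE = {"ID.AM-1": 2, "PR.AC-1": 3, "PR.DS-1": 2, "DE.CM-1": 1, "RS.RP-1": 0, "RC.RP-1": 1}
# Constructed, risk-informed Target Profile (Step 5): desired level per subcategory.
TARGET_PROFILE = {"ID.AM-1": 3, "PR.AC-1": 3, "PR.DS-1": 4, "DE.CM-1": 3, "DE.AE-1": 2, "RS.RP-1": 2, "RC.RP-1": 2}
# Constructed output of the risk assessment (Step 4): relative weight of each Function for this organization.
RISK_WEIGHT = {"Identify": 1, "Protect": 2, "Detect": 3, "Respond": 2, "Recover": 1}


@dataclass(frozen=True)
class Gap:
    subcategory: str
    function: str
    current: int
    target: int

    @property
    def delta(self) -> int:
        return self.target - self.current


def function_of(subcategory: str) -> str:
    """Map 'DE.CM-1' -> 'Detect' via its two-letter Function prefix."""
    prefix = subcategory.split(".", 1)[0]
    try:
        return FUNCTIONS[prefix]
    except KeyError:
        raise ValueError(f"{subcategory!r} does not start with a known Function prefix") from None


def find_gaps(current: dict[str, int], target: dict[str, int]) -> list[Gap]:
    """Step 6: overlay the Current Profile on the Target Profile. A gap is any
    subcategory whose target level exceeds its current level; a subcategory
    absent from the current profile counts as level 0 (assumption)."""
    gaps = []
    for sub, tgt in target.items():
        cur = current.get(sub, 0)
        if tgt > cur:
            gaps.append(Gap(sub, function_of(sub), cur, tgt))
    return gaps


def prioritize(gaps: list[Gap], weight: dict[str, int]) -> list[tuple[int, Gap]]:
    """Rank gaps by (Function risk weight x level shortfall), highest first;
    ties break on subcategory id so the order is deterministic. This scoring
    rule is an assumption, not part of the Framework."""
    scored = [(weight.get(g.function, 1) * g.delta, g) for g in gaps]
    return sorted(scored, key=lambda item: (-item[0], item[1].subcategory))


def action_plan(current: dict[str, int], target: dict[str, int], weight: dict[str, int]) -> list[dict]:
    """Step 7 input: an ordered list of actions that close the gaps."""
    ranked = prioritize(find_gaps(current, target), weight)
    return [
        {"rank": i, "subcategory": g.subcategory, "function": g.function,
         "from": g.current, "to": g.target, "score": score}
        for i, (score, g) in enumerate(ranked, start=1)
    ]


if __name__ == "__main__":
    for row in action_plan(CURRENT_PROFILE, TARGET_PROFILE, RISK_WEIGHT):
        print(row)
```

Running the block prints six ranked actions; PR.AC-1 does not appear because its current and target levels already match, and DE.AE-1 ranks first even though it is missing from the current profile entirely, which is exactly the case a manual overlay tends to miss.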

Ongoing Risks and Controls

Controls That Feed Risk Management

The Process Flow

An Easy Approach to Ratings

A simplified risk rating guideline. To assess likelihood, rate four factors on a 1 to 5 scale:
- Skill (1 = high skill, 5 = low skill)
- Ease of access (1 = very difficult, 5 = very simple)
- Incentive (1 = low, 5 = high)
- Resource (1 = expensive and rare equipment, 5 = little resource)

Overall likelihood is the highest individual rating: Rare, Unlikely, Possible, Likely, Almost Certain.

The impact index is rated relative to the Information Asset Profile:
- Insignificant (minor impact absorbed as part of daily activity)
- Minor (absorbed at Group level; at least one Low CIA rating)
- Moderate (absorbed at Business Unit level; Medium CIA rating)
- Major (absorbed at Corporate level; at least one High CIA rating)
- Catastrophic (absorbed at Corporate level; multiple High CIA ratings)
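The rating rule on this slide is worth encoding rather than applying by hand, because the "highest individual rating" rule for likelihood and the CIA-based impact bands both have edge cases (an out-of-scale score, an asset with no rated property, one High next to a Medium). The block below is an added example, not code from the presentation: the four factor scales, the max() likelihood rule and the impact bands follow the slide, while the treatment of a missing CIA property as "none" and the final risk_score() combination (product of the two indices, banded Low/Medium/High) are assumptions the slide does not make.

```python
"""Added example: the slide's simplified likelihood/impact rating as code.
Factor scales, the max() likelihood rule and the CIA-to-impact bands follow
the slide; risk_score() is an assumed combination step, not on the slide."""
from __future__ import annotations
from dataclasses import dataclass

LIKELIHOOD_BANDS = {1: "Rare", 2: "Unlikely", 3: "Possible", 4: "Likely", 5: "Almost Certain"}
IMPACT_BANDS = {1: "Insignificant", 2: "Minor", 3: "Moderate", 4: "Major", 5: "Catastrophic"}
CIA_LEVELS = ("none", "low", "medium", "high")


@dataclass(frozen=True)
class ThreatFactors:
    """The four likelihood factors, each rated 1..5 as on the slide."""
    skill: int           # 1 = high skill required ... 5 = low skill
    ease_of_access: int  # 1 = very difficult ... 5 = very simple
    incentive: int       # 1 = low ... 5 = high
    resource: int        # 1 = expensive & rare equipment ... 5 = little resource


def _checked(name: str, value: int) -> int:
    # Reject out-of-scale ratings rather than silently clamping them.
    if not isinstance(value, int) or not 1 <= value <= 5:
        raise ValueError(f"{name} must be an integer 1..5, got {value!r}")
    return value


def likelihood_rating(f: ThreatFactors) -> tuple[int, str]:
    """Likelihood overall is the highest individual factor rating."""
    names = ("skill", "ease_of_access", "incentive", "resource")
    score = max(_checked(n, getattr(f, n)) for n in names)
    return score, LIKELIHOOD_BANDS[score]


def impact_rating(cia: dict[str, str]) -> tuple[int, str]:
    """Impact index from the asset's CIA profile, e.g. {'confidentiality': 'high', ...}.
    Band rules follow the slide; a missing property counts as 'none' (assumption)."""
    levels = [cia.get(k, "none").lower() for k in ("confidentiality", "integrity", "availability")]
    for lvl in levels:
        if lvl not in CIA_LEVELS:
            raise ValueError(f"unknown CIA level {lvl!r}; expected one of {CIA_LEVELS}")
    highs = levels.count("high")
    if highs >= 2:
        idx = 5          # Catastrophic: multiple High CIA
    elif highs == 1:
        idx = 4          # Major: at least one High CIA
    elif "medium" in levels:
        idx = 3          # Moderate: Medium CIA
    elif "low" in levels:
        idx = 2          # Minor: at least one Low CIA
    else:
        idx = 1          # Insignificant: absorbed as part of daily activity
    return idx, IMPACT_BANDS[idx]


def risk_score(f: ThreatFactors, cia: dict[str, str]) -> tuple[int, str]:
    """ASSUMPTION: combine the two indices as a product (1..25) and band it.
    The slide stops at the two ratings; this combination is not prescribed."""
    lik, _ = likelihood_rating(f)
    imp, _ = impact_rating(cia)
    score = lik * imp
    band = "Low" if score <= 5 else "Medium" if score <= 12 else "High"
    return score, band


if __name__ == "__main__":
    # Constructed sample: an internet-facing portal whose confidentiality matters most.
    factors = ThreatFactors(skill=2, ease_of_access=4, incentive=3, resource=1)
    asset = {"confidentiality": "high", "integrity": "medium", "availability": "low"}
    print(likelihood_rating(factors), impact_rating(asset), risk_score(factors, asset))
```

Note the consequence of the slide's "highest individual rating" rule: a single factor at 4 (very easy access) makes the threat Likely even when the other three factors are low, so the rule is deliberately conservative.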

The Complete Methodology

Thank you! Questions?

Resources: Where to Learn More and Stay Current

- The National Institute of Standards and Technology website: http://www.nist.gov
- NIST Computer Security Division, Computer Security Resource Center: http://csrc.nist.gov/
- The Framework for Improving Critical Infrastructure Cybersecurity and related news and information: www.nist.gov/cyberframework
- For additional Framework information and help: cyberframework@nist.gov