Cybersecurity Framework

Similar documents
Improving Critical Infrastructure Cybersecurity Executive Order Preliminary Cybersecurity Framework

Framework for Improving Critical Infrastructure Cybersecurity

NCSF Foundation Certification

Framework for Improving Critical Infrastructure Cybersecurity

Using Metrics to Gain Management Support for Cyber Security Initiatives

NCSF Foundation Certification

Choosing the Right Cybersecurity Assessment Tool Michelle Misko, TraceSecurity Product Specialist

The NIST Cybersecurity Framework

Framework for Improving Critical Infrastructure Cybersecurity

CYBERSECURITY FOR STARTUPS AND SMALL BUSINESSES OVERVIEW OF CYBERSECURITY FRAMEWORKS

Framework for Improving Critical Infrastructure Cybersecurity

Altius IT Policy Collection Compliance and Standards Matrix

Function Category Subcategory Implemented? Responsible Metric Value Assesed Audit Comments

Why you should adopt the NIST Cybersecurity Framework

Altius IT Policy Collection Compliance and Standards Matrix

Using the NIST Framework for Metrics 5/14/2015

Framework for Improving Critical Infrastructure Cybersecurity. and Risk Approach

Executive Order & Presidential Policy Directive 21. Ed Goff, Duke Energy Melanie Seader, EEI

Framework for Improving Critical Infrastructure Cybersecurity

How Cybersecurity Initiatives May Impact Operators. Ross A. Buntrock, Partner

How to implement NIST Cybersecurity Framework using ISO WHITE PAPER. Copyright 2017 Advisera Expert Solutions Ltd. All rights reserved.

Updates to the NIST Cybersecurity Framework

Information Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV

Cybersecurity for Health Care Providers

Using the NIST Cybersecurity Framework to Guide your Security Program August 31, 2017

Knowledge Set of Attack Surface and Cybersecurity Rating for Firms in a Supply Chain Dr. Shaun Wang, FCAS, CERA

Evaluating and Improving Cybersecurity Capabilities of the Electricity Critical Infrastructure

NIST (NCF) & GDPR to Microsoft Technologies MAP

Overview of the Cybersecurity Framework

Bonnie A. Goins Adjunct Industry Professor Illinois Institute of Technology

ACR 2 Solutions Compliance Tools

Assurance over Cybersecurity using COBIT 5

Discussion Draft of the Preliminary Cybersecurity Framework August 28, 2013

SAC PA Security Frameworks - FISMA and NIST

DeMystifying Data Breaches and Information Security Compliance

Cybersecurity in Higher Ed

National Policy and Guiding Principles

Assurance through the ISO27002 Standard and the US NIST Cybersecurity Framework. Keith Price Principal Consultant

2016 Nationwide Cyber Security Review: Summary Report. Nationwide Cyber Security Review: Summary Report

December 10, Statement of the Securities Industry and Financial Markets Association. Senate Committee on Banking, Housing, and Urban Development

Designing & Building a Cybersecurity Program. Based on the NIST Cybersecurity Framework (CSF)

Cybersecurity Framework Manufacturing Profile

THE POWER OF TECH-SAVVY BOARDS:

MITIGATE CYBER ATTACK RISK

Cybersecurity & Privacy Enhancements

Cybersecurity, safety and resilience - Airline perspective

Re: McAfee s comments in response to NIST s Solicitation for Comments on Draft 2 of Cybersecurity Framework Version 1.1

NIST Cybersecurity Testbed for Transportation Systems. CheeYee Tang Electronics Engineer National Institute of Standards and Technology

Designing and Building a Cybersecurity Program

Improving Cybersecurity through the use of the Cybersecurity Framework

Dr. Emadeldin Helmy Cyber Risk & Resilience Bus. Continuity Exec. Director, NTRA. The African Internet Governance Forum - AfIGF Dec 2017, Egypt

The HITRUST CSF. A Revolutionary Way to Protect Electronic Health Information

STRENGTHENING THE CYBERSECURITY OF FEDERAL NETWORKS AND CRITICAL INFRASTRUCTURE

HITRUST CSF: One Framework

FDA & Medical Device Cybersecurity

The Office of Infrastructure Protection

Protecting Your Business: Best Practices for Implementing a Legally Compliant Cybersecurity Program Trivalent Solutions Expo June 19, 2014

Aligning Your Organization s Business Units to Achieve a Cohesive Cybersecurity Strategy

Overview of NIPP 2013: Partnering for Critical Infrastructure Security and Resilience October 2013

Security Breaches: How to Prepare and Respond

Presented by Ingrid Fredeen and Pamela Passman. Copyright 2017NAVEXGlobal,Inc. AllRightsReserved. Page 0

Institute of Internal Auditors 2019 CONNECT WITH THE IIA CHICAGO #IIACHI

The Road Ahead for Healthcare Sector: What to Expect in Cybersecurity Session CS6, February 19, 2017 Donna F. Dodson, Chief Cybersecurity Advisor,

SYSTEMS ASSET MANAGEMENT POLICY

Security and Privacy Governance Program Guidelines

Information Technology Security Plan Policies, Controls, and Procedures Identify Risk Assessment ID.RA

2018 WTA Spring Meeting Are You Ready for a Breach? Troy Hawes, Senior Manager

Implementing the Administration's Critical Infrastructure and Cybersecurity Policy

Cybersecurity: Considerations for Internal Audit. Gina Gondron Senior Manager Frazier & Deeter Geek Week August 10, 2016

MYTH vs. REALITY The Revised Cybersecurity Act of 2012, S. 3414

Cyber Security Standards Developments

Cyber Security & Homeland Security:

ISACA GEEK WEEK SECURITY MANAGEMENT TO ENTERPRISE RISK MANAGEMENT USING THE ISO FRAMEWORK AUGUST 19, 2015

Cybersecurity Presidential Policy Directive Frequently Asked Questions. kpmg.com

BUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE

Cyber Resilience. Think18. Felicity March IBM Corporation

ICBA Summary of FFIEC Cybersecurity Assessment Tool (May 2017 Update)

Cybersecurity Conference Presentation North Bay Business Journal. September 27, 2016

Incentives for IoT Security. White Paper. May Author: Dr. Cédric LEVY-BENCHETON, CEO

Resolution adopted by the General Assembly on 21 December [on the report of the Second Committee (A/64/422/Add.3)]

G7 Bar Associations and Councils

Mapping Your Requirements to the NIST Cybersecurity Framework. Industry Perspective

INTERNATIONAL CIVIL AVIATION ORGANIZATION ASIA and PACIFIC OFFICE ASIA/PAC RECOMMENDED SECURITY CHECKLIST

Protecting Controlled Unclassified Information(CUI) in Nonfederal Information Systems and Organizations

INTELLIGENCE DRIVEN GRC FOR SECURITY

Enhancing the Cybersecurity of Federal Information and Assets through CSIP

Cyber Risks in the Boardroom Conference

Risk: Security s New Compliance. Torsten George VP Worldwide Marketing and Products, Agiliance Professional Strategies - S23

THE WHITE HOUSE. Office of the Press Secretary. EMBARGOED UNTIL DELIVERY OF THE PRESIDENT'S February 12, 2013 STATE OF THE UNION ADDRESS

PONEMON INSTITUTE RESEARCH REPORT 2018 STUDY ON GLOBAL MEGATRENDS IN CYBERSECURITY

Cyber Security Incident Response Fighting Fire with Fire

Implementing Executive Order and Presidential Policy Directive 21

Balancing Compliance and Operational Security Demands. Nov 2015 Steve Winterfeld

DHS Cybersecurity: Services for State and Local Officials. February 2017

Mapping to the National Broadband Plan

Cybersecurity and Hospitals: A Board Perspective

A Controls Factory Approach To Operationalizing a Cyber Security Program Based on the NIST Cybersecurity Framework

MEDICAL DEVICE CYBERSECURITY: FDA APPROACH

Rethinking Information Security Risk Management CRM002

Boston Chapter AGA 2018 Regional Professional Development Conference Cyber Security MAY 2018

Transcription:

Catherine Bruder Shareholder CPA, CITP, CISA, CISM, CTGA Michigan Texas Florida Insight. Oversight. Foresight. SM Cybercrime Economic Impact Cybercrime is costing the global economy $575 billion and the U.S. economy $100 billion annually, according to a report from Intel Security and the Center for Strategic and International Studies - making the U.S. the hardest hit of any country. Presented by Catherine Bruder, Doeren Mayhew 1

Cybercrime Since Target Breach. A major data breach discovered almost every month, Michaels Stores Sally Beauty Supply Neiman Marcus AOL ebay P.F Chang's Chinese Bistro June 2014 -The site reported that the cards being sold are advertised at 100 percent valid meaning that 100 percent of the cards sold are guaranteed to work. Cybercrime Since Target Breach. Based on a recent Ponemon Institute survey, an estimated 47 percent of all American adults have been affected by data breaches over the last year, with an estimated 432 million online accounts being affected. According to the Identity Theft Resource Center, there were more than 600 reported data breaches in 2013 - a 30 percent increase over 2012. According to the Verizon 2013 Data Breach Investigations Report, a breakdown of incidents across industries actually resulting from network intrusions, the retail industry was the number one target, with nearly 22 percent of network intrusions occurring at retailers. Presented by Catherine Bruder, Doeren Mayhew 2

Cybercrime Since Target Breach. A recent Javelin Strategy & Research report (December 2013) found that financial institutions are doing a much better job than retailers when it comes to credit card security. The latest Javelin study, "2014 Data Breach Fraud Impact Report: Consumers Shoot the Messenger and Financial Institutions Take the Bullet," confirms that although financial institutions are the ones that often notify the cardholder of the breach, they are the ones that consumers associate with the breach, even if they were not responsible for it. Dashlane Study E-Retailers Continue to Have Weak Password Security Even in the wake of the recent Heartbleed bug, several Top 500 e-retailers continue to have weak password requirements (Dashlane Study) Survey of 31 e-commerce sites 80.6 percent had scores below +50 Median score in the e-commerce sector was -12.5 The worst performing e-commerce site was Overstock.com, which had a score of -55 Fab.com, Amazon.com, and Groupon also had poor scores of - 50, -45 and -45, respectively. 18 e-commerce sites enable users to create passwords with just letters or numbers, and only 5 required a capital letter Presented by Catherine Bruder, Doeren Mayhew 3

Dashlane Study E-Retailers Continue to Have Weak Password Security Dashlane believes good password habits include: Minimum of eight characters that are alphanumeric and case-sensitive Websites reject the 10 worst passwords, such as "abc123," "password," and "monkey." Users should be required to confirm a password change via email and be blocked from logging in after 10 failed attempts. From "E-Retailers Are Too Lax With Password Security" Internet Retailer (05/22/14) Callard, Abby Objectives What is the What is included in the Framework Gain an understanding of the categories and subcategories Understanding the value provided Determining the benefit to your credit union 8 Presented by Catherine Bruder, Doeren Mayhew 4

Presidential Executive Order 13636 Improving Critical Infrastructure Cybersecurity February 12, 2013 It is the Policy of the United States to enhance the security and resilience of the Nation s critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties. Directs NIST to develop a DHS Critical Infrastructure Cyber Community Voluntary Program C 3 V.1 more to come Presidential Executive Order 13636 Improving Critical Infrastructure Cybersecurity In enacting this policy, the Executive Order calls for the development of a voluntary risk-based Cybersecurity Framework a set of industry standards and best practices to help organizations manage cybersecurity risks. Created through collaboration between government and the private sector Uses a common language to address and manage cybersecurity risk in a cost-effective way based on business needs without placing additional regulatory requirements on businesses Presented by Catherine Bruder, Doeren Mayhew 5

Executive Order Strategy Framework should be cost effective Voluntary adoption should be motivated by incentives A roadmap for the incentives is under-development Collaboration between Government and industry standards and practices Main problem isn t a lack of information or standards ISO 27001 27002 NIST SP800-53 ISACA COBIT The IIA GTAG ISA 99 Presented by Catherine Bruder, Doeren Mayhew 6

C 3- Critical Infrastructure Cyber Community Voluntary Program Incentives for implementing the Framework Currently only technical assistance is available No financial incentives Rates for energy industry Grant requirements Regulatory streamlining Future possibility of legislation to expand liability protections (SAFETY Act amendment going through congress) Belief that market incentives such as trustmark-like certifications or lower insurance premiums will grow Framework Concern Framework is only an initial framework for those who have not effectively implemented other, stronger and effective standards Can be used to remediate Gaps that have not yet been incorporated into your existing cybersecurity strategy Presented by Catherine Bruder, Doeren Mayhew 7

Concerns around the Framework Exposed to liability if the Framework is not adopted or is imperfectly implemented Will agencies base regulations on the Framework? Does the Framework become the de facto standard of care? Framework Basics Leverages the existing cybersecurity best practices Council for Cyber Security - Critical Controls for Effective Cyber Defense International Standards Organization - ISO 27001, ISO 27002, National Institute of Standards and Technology SP800-53 (NIST SP800-53) ISACA COBIT 5 International Society of Automation (www.isa.org) - ISA 99, Etc. Presented by Catherine Bruder, Doeren Mayhew 8

Framework Risk Management using business drivers to guide cybersecurity activities. The Framework consists of three parts: 1. the Framework Core 2. the Framework Profile 3. Framework Implementation Tiers Framework The Framework enables organizations regardless of size, degree of cybersecurity risk, or cybersecurity sophistication to apply the principles and best practices of risk management to improving the security and resilience of critical infrastructure. The Framework provides organization and structure to today s multiple approaches to cybersecurity by assembling standards, guidelines, and practices that are working effectively in industry today. Presented by Catherine Bruder, Doeren Mayhew 9

Framework The Framework is not a one-size-fits-all approach to managing cybersecurity risk for critical infrastructure. Organizations will continue to have unique risks different threats, different vulnerabilities, different risk tolerances and how they implement the practices in the Framework will vary. Organizations can determine activities that are important to critical service delivery and can prioritize investments to maximize the impact of each dollar spent. Presented by Catherine Bruder, Doeren Mayhew 10

The Framework allows an organization to achieve the following: 1. Describe their current cybersecurity posture 2. Describe their target state for cybersecurity 3. Identify and prioritize opportunities for improvement within the context of a continuous and repeatable process 4. Assess progress toward the target state 5. Communicate among internal and external stakeholders about cybersecurity risk Since most credit union s already have a risk management process and a security program The Framework complements, and does not replace, an organization s risk management process and cybersecurity program. The organization can use its current processes and leverage the Framework to identify opportunities to strengthen and communicate its management of cybersecurity risk while aligning with industry practices. Presented by Catherine Bruder, Doeren Mayhew 11

Composed of three parts The Framework Core The Framework Implementation Tiers The Framework Profiles The Framework Core A set of cybersecurity activities, desired outcomes, and applicable references that are common across critical infrastructure sectors The Core presents industry standards, guidelines, and practices in a manner that allows for communication of cybersecurity activities and outcomes across the organization from the executive level to the implementation/operations level The Framework Core consists of five concurrent and continuous functions Identify Protect Detect Respond Recover Presented by Catherine Bruder, Doeren Mayhew 12

The Framework Core When considered together, these Functions provide a high-level, strategic view of the lifecycle of an organization s management of cybersecurity risk. The Framework Core then identifies underlying key Categories and Subcategories for each Function, and matches them with example Informative References such as existing standards, guidelines, and practices for each Subcategory. The Framework Core Presented by Catherine Bruder, Doeren Mayhew 13

The Framework Core - Functions Functions organize basic cybersecurity activities at their highest level. They aid an organization in expressing its management of cybersecurity risk by organizing information, enabling risk management decisions, addressing threats, and improving by learning from previous activities. The Framework Core - Categories Categories are the subdivisions of a Function Examples of Categories include: Asset Management Access Control Detection Processes Presented by Catherine Bruder, Doeren Mayhew 14

The Framework - Subcategories Divide a Category into specific outcomes of technical and/or management activities Provide a set of results that, while not exhaustive, help support achievement of the outcomes in each Category Examples of Subcategories include: External information systems are catalogued, Data-at-rest is protected, and Notifications from detection systems are investigated. The Framework Core Informative References Informative References are specific sections of standards, guidelines, and practices common among critical infrastructure sectors that illustrate a method to achieve the outcomes associated with each Subcategory. http://www.nist.gov/cyberframework/ Presented by Catherine Bruder, Doeren Mayhew 15

The Framework Core Function Identify Identify Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities. Categories within the Identify Function include: Asset Management; Business Environment; Governance; Risk Assessment; and Risk Management Strategy Sample for Identify Function Identify Category Risk Assessment (ID.RA): The organization understands the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals. Sub Category ID.RA 1: Asset vulnerabilities are identified and documented ID.RA 2: Threat and vulnerability information is received from information sharing forums and sources CCS CSC 4 Informative Resources COBIT 5 APO12.01, APO12.02, APO12.03, APO12.04 ISA 62443-2-1:2009 4.2.3, 4.2.3.7, 4.2.3.9, 4.2.3.12 ISO/IEC 27001:2013 A.12.6.1, A.18.2.3 NIST SP 800-53 Rev. 4 CA-2, CA-7, CA-8, RA-3, RA-5, SA-5, SA-11, SI-2, SI-4, SI-5 ISA 62443-2-1:2009 4.2.3, 4.2.3.9, 4.2.3.12 ISO/IEC 27001:2013 A.6.1.4 NIST SP 800-53 Rev. 4 PM-15, PM-16, SI- 5 Presented by Catherine Bruder, Doeren Mayhew 16

The Framework Core Function Protect Protect Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services. Categories within the Protect Function include: Access Control Awareness and Training Data Security Information Protection Processes and Procedures Maintenance Protective Technology Sample for Protect Function Category Sub Category Informative Resources Protect Access Control (PR.AC): Access to assets and associated facilities is limited to authorized users, processes, or devices, and to authorized activities and transactions. PR.AC 1: Identities and credentials are managed for authorized devices and users PR.AC 2: Physical access to assets is managed and protected CCS CSC 16 COBIT 5 DSS05.04, DSS06.03 ISA 62443-2-1:2009 4.3.3.5.1 ISA 62443-3-3:2013 SR 1.1, SR 1.2, SR 1.3, SR 1.4, SR 1.5, SR 1.7, SR 1.8, SR 1.9 ISO/IEC 27001:2013 A.9.2.1, A.9.2.2, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3 NIST SP 800-53 Rev. 4 AC-2, IA Family COBIT 5 DSS01.04, DSS05.05 ISA 62443-2-1:2009 4.3.3.3.2, 4.3.3.3.8 ISO/IEC 27001:2013 A.11.1.1, A.11.1.2, A.11.1.4, A.11.1.6, A.11.2.3 NIST SP 800-53 Rev. 4 PE-2, PE-3, PE-4, PE-5, PE-6, PE-9 Presented by Catherine Bruder, Doeren Mayhew 17

The Framework Core Function Detect Protect Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services. Categories within the Protect Function include: Access Control Awareness and Training Data Security Information Protection Processes and Procedures Maintenance Protective Technology Sample for Detect Function Category Sub Category Informative Resources Detect Security Continuous Monitoring (DE.CM): The information system and assets are monitored at discrete intervals to identify cybersecurity events and verify the effectiveness of protective measures. DE.CM-1: The network is monitored to detect potential cybersecurity events DE.CM-2: The physical environment is monitored to detect potential cybersecurity events CCS CSC 14, 16 COBIT 5 DSS05.07 ISA 62443-3-3:2013 SR 6.2 NIST SP 800-53 Rev. 4 AC-2, AU- 12, CA-7, CM-3, SC-5, SC-7, SI-4 ISA 62443-2-1:2009 4.3.3.3.8 NIST SP 800-53 Rev. 4 CA-7, PE-3, PE-6, PE-20 Presented by Catherine Bruder, Doeren Mayhew 18

The Framework Core Function Respond Respond Develop and implement the appropriate activities to take action regarding a detected cybersecurity event. Examples of outcome Categories within this Function include: Response Planning Communications Analysis Mitigation Improvements Sample for Respond Function Category Sub Category Informative Resources Respond Response Planning (RS.RP): Response processes and procedures are executed and maintained, to ensure timely response to detected cybersecurity events. RS.RP 1: Response plan is executed during or after an event COBIT 5 BAI01.10 CCS CSC 18 ISA 62443-2-1:2009 4.3.4.5.1 ISO/IEC 27001:2013 A.16.1.5 NIST SP 800-53 Rev. 4 CP-2, CP- 10, IR-4, IR-8 Presented by Catherine Bruder, Doeren Mayhew 19

The Framework Core Function Recovery Recover Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event. The Recover Function supports timely recovery to normal operations to reduce the impact from a cybersecurity event. Examples of outcome Categories within this Function include: Recovery Planning Improvements Communications Sample for Recovery Function Category Sub Category Informative Resources Recovery Recovery Planning (RC.RP): Recovery processes and procedures are executed and maintained to ensure timely restoration of systems or assets affected by cybersecurity events. RC.IM-1: Recovery plans incorporate lessons learned RC.IM-2: Recovery strategies are updated COBIT 5 BAI05.07 ISA 62443-2-1 4.4.3.4 NIST SP 800-53 Rev. 4 CP-2, IR-4, IR-8 COBIT 5 BAI07.08 NIST SP 800-53 Rev. 4 CP-2, IR-4, IR-8 Presented by Catherine Bruder, Doeren Mayhew 20

Framework Implementation Tiers The Framework Implementation Tiers ( Tiers ) provide context on how an organization views cybersecurity risk and the processes in place to manage that risk. The Tiers range from Partial (Tier 1) to Adaptive (Tier 4) and describe an increasing degree of rigor and sophistication in cybersecurity risk management practices and the extent to which cybersecurity risk management is informed by business needs and is integrated into an organization s overall risk management practices. Framework Tiers Tier 1: Partial Risk Management Process Organizational cybersecurity risk management practices are not formalized, and risk is managed in an ad hoc and sometimes reactive manner. Prioritization of cybersecurity activities may not be directly informed by organizational risk objectives, the threat environment, or business/mission requirements. Integrated Risk Management Program There is limited awareness of cybersecurity risk at the organizational level and an organization-wide approach to managing cybersecurity risk has not been established. The organization implements cybersecurity risk management on an irregular, case-by-case basis due to varied experience or information gained from outside sources. The organization may not have processes that enable cybersecurity information to be shared within the organization. External Participation An organization may not have the processes in place to participate in coordination or collaboration with other entities. Presented by Catherine Bruder, Doeren Mayhew 21

Framework Tiers Tier 2: Informed Risk Management Process Risk management practices are approved by management but may not be established as organizationalwide policy. Prioritization of cybersecurity activities is directly informed by organizational risk objectives, the threat environment, or business/mission requirements. Integrated Risk Management Program There is an awareness of cybersecurity risk at the organizational level but an organization-wide approach to managing cybersecurity risk has not been established. Riskinformed, management-approved processes and procedures are defined and implemented, and staff has adequate resources to perform their cybersecurity duties. Cybersecurity information is shared within the organization on an informal basis. External Participation The organization knows its role in the larger ecosystem, but has not formalized its capabilities to interact and share information externally. Framework Tiers Tier 3: Repeatable Risk Management Process The organization s risk management practices are formally approved and expressed as policy. Organizational cybersecurity practices are regularly updated based on the application of risk management processes to changes in business/mission requirements and a changing threat and technology landscape. Integrated Risk Management Program There is an organization-wide approach to manage cybersecurity risk. Risk-informed policies, processes, and procedures are defined, implemented as intended, and reviewed. Consistent methods are in place to respond effectively to changes in risk. Personnel possess the knowledge and skills to perform their appointed roles and responsibilities. External Participation The organization understands its dependencies and partners and receives information from these partners that enables collaboration and risk-based management decisions within the organization in response to events. Presented by Catherine Bruder, Doeren Mayhew 22

Framework Tiers Tier 4: Adaptive Risk Management Process The organization adapts its cybersecurity practices based on lessons learned and predictive indicators derived from previous and current cybersecurity activities. Through a process of continuous improvement incorporating advanced cybersecurity technologies and practices, the organization actively adapts to a changing cybersecurity landscape and responds to evolving and sophisticated threats in a timely manner. Integrated Risk Management Program There is an organization-wide approach to managing cybersecurity risk that uses risk-informed policies, processes, and procedures to address potential cybersecurity events. Cybersecurity risk management is part of the organizational culture and evolves from an awareness of previous activities, information shared by other sources, and continuous awareness of activities on their systems and networks. External Participation The organization manages risk and actively shares information with partners to ensure that accurate, current information is being distributed and consumed to improve cybersecurity before a cybersecurity event occurs. Framework Profiles The Framework Profile ( Profile ) is the alignment of the Functions, Categories, and Subcategories with the business requirements, risk tolerance, and resources of the organization Framework Profiles can be used to describe the current state or the desired target state of specific cybersecurity activities. The Current Profile indicates the cybersecurity outcomes that are currently being achieved. The Target Profile indicates the outcomes needed to achieve the desired cybersecurity risk management goals. Comparison of Profiles (e.g., the Current Profile and Target Profile) may reveal gaps to be addressed to meet cybersecurity risk management objectives. Presented by Catherine Bruder, Doeren Mayhew 23

Informational Flow Industry Updates Michigan Texas Florida Insight. Oversight. Foresight. SM Presented by Catherine Bruder, Doeren Mayhew 24

NAFCU Initiatives June 12, 2014 NAFCU President and CEO Dan Berger yesterday reiterated a call for national data security and breach notification standards The continued lack of national data security standards is an open invitation to cybercriminals. NAFCU is continuing to press lawmakers for action on national standards on data security and breach notification for retailers. Credit unions are already subject to such standards under the Gramm-Leach-Bliley Act, but retailers are not. NAFCU INITIATIVES NAFCU recommends Congress priorities Payment of Breach Costs by Breached Entities: Require entities to be accountable for costs of data breaches that result on their end, especially when their own negligence is to blame National Standards for Safekeeping Information: Require any entity responsible for the storage of consumer data to meet standards similar to those imposed on financial institutions under the Gramm-Leach-Bliley Act Data Security Policy Disclosure: Require merchants to post their data security policies at the point of sale if they take sensitive financial data. Such a disclosure requirement would come at little or no cost to the merchant but would provide an important benefit to the public at large by informing them of the risk Presented by Catherine Bruder, Doeren Mayhew 25

NAFCU INITIATIVES NAFCU recommends Congress priorities, continued Notification of the Account Servicer: The account servicer or owner is in the unique position of being able to monitor for suspicious activity and prevent fraudulent transactions before they occur. Include entities such as financial institutions on the list of those to be informed of any compromised personally identifiable information when associated accounts are involved. Disclosure of Breached Entity: Congress to mandate the disclosure of identities of companies and merchants whose data systems have been violated so consumers are aware of the ones that place their personal information at risk. NAFCU INITIATIVES NAFCU recommends Congress priorities, continued Enforcement of Prohibition on Data Retention: NAFCU believes it is imperative to address the violation of existing agreements and law by merchants and retailers who retain payment card information electronically when they are not supposed to. Many entities do not respect this prohibition and store sensitive personal data in their systems (i.e. how are you able to now return items without a receipt?), which can be breached easily in many cases. Burden of Proof in Data Breach Cases: Make the evidentiary burden of proving a lack of fault should rest with the party who incurred the breach. These parties should have the duty to demonstrate that they took all necessary precautions to guard consumers' personal information but sustained a violation nonetheless. The law is currently vague on this issue, and NAFCU asks that this burden of proof be clarified in statute. Presented by Catherine Bruder, Doeren Mayhew 26

Burden on the Credit Unions Financial institutions continue to pick up the tab for data breaches. Unfortunately, credit unions will likely never recoup much of this cost, as there is no statutory requirement making retailers accountable for costs associated with breaches that result on their end. NAFCU Initiative Presented by Catherine Bruder, Doeren Mayhew 27

References Control Objectives for Information and Related Technology (COBIT): http://www.isaca.org/cobit/pages/default.aspx Council on CyberSecurity (CCS) Top 20 Critical Security Controls (CSC): http://www.counciloncybersecurity.org ANSI/ISA-62443-2-1 (99.02.01)-2009, Security for Industrial Automation and Control Systems: Establishing an Industrial Automation and Control Systems Security Program: http://www.isa.org/template.cfm?section=standards8&template=/ecommerce/produc tdisplay.cfm&productid=10243 ANSI/ISA-62443-3-3 (99.03.03)-2013, Security for Industrial Automation and Control Systems: System Security Requirements and Security Levels: http://www.isa.org/template.cfm?section=standards2&template=/ecommerce/product Display.cfm&ProductID=13420 ISO/IEC 27001, Information technology --Security techniques --Information security management systems --Requirements: http://www.iso.org/iso/home/store/catalogue_ics/catalogue_detail_ics.htm?csnumber= 54534 NIST SP 800-53 Rev. 4: NIST Special Publication 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations, April 2013 (including updates as of January 15, 2014). http://dx.doi.org/10.6028/nist.sp.80053r4 Thank You! Catherine Bruder Shareholder, Phone: 248.244.3295 or 248.320.3434 bruder@doeren.com)) Michigan 56 Texas Florida Insight. Oversight. Foresight. SM Presented by Catherine Bruder, Doeren Mayhew 28

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback