From the Trenches: Lessons learned from using the NIST Cybersecurity Framework

Similar documents
Effectively Measuring Cybersecurity Improvement: A CSF Use Case

Improving Cybersecurity through the use of the Cybersecurity Framework

Executive Order & Presidential Policy Directive 21. Ed Goff, Duke Energy Melanie Seader, EEI

Framework for Improving Critical Infrastructure Cybersecurity

Bonnie A. Goins Adjunct Industry Professor Illinois Institute of Technology

Overview of the Cybersecurity Framework

Why you should adopt the NIST Cybersecurity Framework

Updates to the NIST Cybersecurity Framework

Framework for Improving Critical Infrastructure Cybersecurity. and Risk Approach

Framework for Improving Critical Infrastructure Cybersecurity

NCSF Foundation Certification

2018 WTA Spring Meeting Are You Ready for a Breach? Troy Hawes, Senior Manager

Developing a Model for Cyber Security Maturity Assessment

Framework for Improving Critical Infrastructure Cybersecurity

Choosing the Right Cybersecurity Assessment Tool Michelle Misko, TraceSecurity Product Specialist

Overview of NIPP 2013: Partnering for Critical Infrastructure Security and Resilience October 2013

ACR 2 Solutions Compliance Tools

Framework for Improving Critical Infrastructure Cybersecurity

Security Metrics. February 25, Annabelle Lee Senior Technical Executive

Framework for Improving Critical Infrastructure Cybersecurity

Federal Continuous Monitoring Working Group. March 21, DOJ Cybersecurity Conference 2/8/2011

NCSF Foundation Certification

The NIST Cybersecurity Framework

OPUC Workshop March 13, 2015 Cyber Security Electric Utilities. Portland General Electric Co. Travis Anderson Scott Smith

How to implement NIST Cybersecurity Framework using ISO WHITE PAPER. Copyright 2017 Advisera Expert Solutions Ltd. All rights reserved.

Kent Landfield, Director Standards and Technology Policy

Views on the Framework for Improving Critical Infrastructure Cybersecurity

National Cyber Security Strategy (NCS) Toolkit

Improving Critical Infrastructure Cybersecurity Executive Order Preliminary Cybersecurity Framework

MEJORES PRACTICAS EN CIBERSEGURIDAD

FISMAand the Risk Management Framework

Cybersecurity Presidential Policy Directive Frequently Asked Questions. kpmg.com

Houston Urban Area Security Initiative (UASI) Cybersecurity Mini-Assessment Workshop

Using the NIST Cybersecurity Framework to Guide your Security Program August 31, 2017

Update on the Key Initiatives Recommended by NTT Data regarding the Agency Cyber Security Framework

How Boards use the NIST Cybersecurity Framework as a Roadmap to oversee cybersecurity

What It Takes to be a CISO in 2017

December 10, Statement of the Securities Industry and Financial Markets Association. Senate Committee on Banking, Housing, and Urban Development

BUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE

Enterprise Risk Management (ERM) and Cybersecurity. Na9onal Science Founda9on March 14, 2018

ACHIEVING SECURITY with the NIST CYBERSECURITY FRAMEWORK INDUSTRY PERSPECTIVE

2016 Nationwide Cyber Security Review: Summary Report. Nationwide Cyber Security Review: Summary Report

Evaluating and Improving Cybersecurity Capabilities of the Electricity Critical Infrastructure

Re: McAfee s comments in response to NIST s Solicitation for Comments on Draft 2 of Cybersecurity Framework Version 1.1

Water Information Sharing and Analysis Center

Using the NIST Framework for Metrics 5/14/2015

HITRUST CSF: One Framework

NIST Cybersecurity Testbed for Transportation Systems. CheeYee Tang Electronics Engineer National Institute of Standards and Technology

TACOMA PUBLIC UTILITIES CYBERSECURITY PROGRAM NIAC WORKSHOP JUNE 2017

ISO STANDARD IMPLEMENTATION AND TECHNOLOGY CONSOLIDATION

Dear Mr. Games: Please see our submission attached. With kind regards, Aaron

Using Metrics to Gain Management Support for Cyber Security Initiatives

MULTI-YEAR TRAINING AND EXERCISE PLAN. Boone County Office of Emergency Management

The MEP National Network: Providing Hands-on Technical Assistance to U.S. Manufacturers

Aligning Your Organization s Business Units to Achieve a Cohesive Cybersecurity Strategy

Peer Collaboration The Next Best Practice for Third Party Risk Management

LESSONS LEARNED IN DEVELOPING CYBERSECURITY FRAMEWORK (CSF) PROFILES WITH INDUSTRY AND THE U.S. COAST GUARD (USCG)

HITRUST CSF Roadmap for 2018 and Beyond HITRUST Alliance.

Medical Device Cybersecurity: FDA Perspective

Protecting Your Business: Best Practices for Implementing a Legally Compliant Cybersecurity Program Trivalent Solutions Expo June 19, 2014

The Road Ahead for Healthcare Sector: What to Expect in Cybersecurity Session CS6, February 19, 2017 Donna F. Dodson, Chief Cybersecurity Advisor,

Maritime Bulk Liquids Transfer Cybersecurity Framework Profile

Rethinking Information Security Risk Management CRM002

DFARS Compliance. SLAIT Consulting SECURITY SERVICES. Mike D Arezzo Director of Security Services. SLAITCONSULTING.com

Cyber Risk Program Maturity Assessment UNDERSTAND AND MANAGE YOUR ORGANIZATION S CYBER RISK.

GridEx IV Initial Lessons Learned and Resilience Initiatives

HIPAA Security Rule: Annual Checkup. Matt Sorensen

Cybersecurity & Privacy Enhancements

Designing and Building a Cybersecurity Program

Building cyber security

Mr. Games, Thank you. Kent Landfield McAfee, LLC. [Attachment Copied Below]

Mapping Your Requirements to the NIST Cybersecurity Framework. Industry Perspective

ISAO SO Product Outline

Compliance & Security in Azure. April 21, 2018

Directive on security of network and information systems (NIS): State of Play

Greg Garcia President, Garcia Cyber Partners Former Assistant Secretary for Cyber Security and Communications, U.S. Department of Homeland Security

and The Technical Assist Database Presented to the Regional GIS Council October 8, 2008

CYBER SECURITY WORKSHOP NOVEMBER 2, Anurag Sharma [CISA, CISSP, CRISC] Principal Cyber & Information Security Services

Cybersecurity What Companies are Doing & How to Evaluate. Miguel Romero - NAIC David Gunkel & Dan Ford Rook Security

Organizational Readiness for Digital Transformation

Cyber Resilience. Think18. Felicity March IBM Corporation

Cybersecurity for Health Care Providers

HITRUST CSF Updates: How v10 and MyCSF 2.0 Improve Your HITRUST Experience. Michael Frederick, HITRUST VP Operations Ken Vander Wal, HITRUST CCO

United States Energy Association Energy Technology and Governance Program REQUEST FOR PROPOSALS

Ontario Energy Board Cyber Security Framework

Getting Security Operations Right with TTP0

United States Government Cloud Standards Perspectives

Institute of Internal Auditors 2019 CONNECT WITH THE IIA CHICAGO #IIACHI

Cybersecurity for the Electric Grid

Information Technology Security Plan Policy, Control, and Procedures Manual Detect: Anomalies and Events

NCSF-CFM Practitioner Syllabus

CYBERSECURITY MATURITY ASSESSMENT

Suzanne B. Schwartz, MD, MBA Director Emergency Preparedness/Operations & Medical Countermeasures (EMCM Program) CDRH/FDA

Welcome to the CyberSecure My Business Webinar Series We will begin promptly at 2pm EDT All speakers will be muted until that time

Protecting vital data with NIST Framework

10 Cybersecurity Questions for Bank CEOs and the Board of Directors

Threat and Hazard Identification and Risk Assessment (THIRA) In Progress Review (IPR) July 2012

HIPAA COMPLIANCE WHAT YOU NEED TO DO TO ENSURE YOU HAVE CYBERSECURITY COVERED

Enhancing the Cybersecurity of Federal Information and Assets through CSIP

FDA & Medical Device Cybersecurity

Transcription:

From the Trenches: Lessons learned from using the NIST Cybersecurity Framework Greg Witte Sr. Cybersecurity Engineer G2, Inc. Greg.Witte@G2-inc.com Tom Conkle Cybersecurity Engineer G2, Inc. Tom.Conkle@G2-inc.com

Defining cybersecurity programs is typically done through compliance 2

Compliant does not always mean secure 3

4

Agenda Why the Cybersecurity Framework was needed What is the Cybersecurity Framework How the Cybersecurity Framework assists with communications Preparing to use the Cybersecurity Framework 5

More breaches every day despite increased compliance requirements and billions in spending $46 billion in Cybersecurity spending in 2013 Cybersecurity spending increased by 10% in 2013 $3.5M average cost of data breach Up 15% 6

A need to communicating cyber-risk to determine the appropriate spending 7

Executive Order 13636 asked for the creation of a Cybersecurity Framework applicable to all sectors Executive Order Requirements Be flexible Be non-prescriptive Leverage existing approaches, standards, practices Be globally applicable Focus on risk management vs. rote compliance Framework for Improving Critical Infrastructure Cybersecurity Referred to as The Framework Issued by NIST on February 12, 2014. 8

The Framework was developed in partnership among industry, academia and government San Diego, CA July 10 12, 2013 3 Pittsburg, PA May 29 31, 2013 2 Washington, DC April 3, 2013 1 Dallas, TX Sep 11 13, 2013 4 Raleigh, NC Nov 14 15, 2013 5 NIST Conducted 5 workshops 6 Tampa, FL Oct 29 30, 2013 Released 2 RFIs 9

The Framework establishes three primary components Framework Core Implementation Tiers Framework Profiles 10

The Framework Core establishes a common language for describing a cybersecurity program A set of cybersecurity activities, desired outcomes, and applicable references that are common across critical infrastructure sectors. Consists of 5 Functions - Identify, Protect, Detect, Respond, Recover. These provide a high-level, strategic view of the lifecycle of an organization s management of cybersecurity risk. Categories and Subcategories for each Function, matched with example Informative References such as existing standards, guidelines, and practices for each Subcategory. Framework Core 11

The subcategories describe expected outcomes Framework Core 12

Organizations select an Implementation Tier based on their risk threshold Three attributes of Tiers: - Risk Management Process - Integrated Risk Management Program - External Participation Tier 4 may not always be the goal 13

Current and Target state profiles help organizations capture their cybersecurity program 14

The Framework establishes a common language for cybersecurity 15

Communications can occur at all levels within an organization using the Framework 16

The Framework identifies seven steps for developing/improving a cybersecurity program Step 1: Prioritize and Scope Step 2: Orient Step 3: Create a Current Profile Step 4: Conduct a Risk Assessment Step 5: Create a Target Profile Step 6: Determine, Analyze, and Prioritize Gaps Step 7: Implement Action Plan (Build a Roadmap) 17

Organizations identify their business and mission objectives to initiate the process 18

The orient step aligns the business goals, assets, and regulatory requirements for the program Risk Thresholds People 19

Next organization assess their current and target cybersecurity programs to identify gaps 20

The final step is to implement and monitor an action plan to close identified gaps 21

Using the Framework improves communications and eases compliance HIPAA PCI SOC FedRAMP Cybersecurity Program Identify Protect Detect Respond Recover 22

There are several resources available to help you use the Framework Government Programs Department of Homeland Security s C3 Voluntary Program NIST Industry Resources Internet Resource Centers Cybersecurity Framework (CForum) Other ISACs InfraGard 23

Q&A Tom Conkle Cybersecurity Engineer G2, Inc. Tom.Conkle@G2-inc.com Greg Witte Sr. Security Engineer G2, Inc. Greg.Witte@G2-inc.com 24

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback