Using the NIST Framework for Metrics 5/14/2015

Similar documents
The NIST Cybersecurity Framework

Framework for Improving Critical Infrastructure Cybersecurity. and Risk Approach

Using Metrics to Gain Management Support for Cyber Security Initiatives

Overview of the Cybersecurity Framework

Implementing the Administration's Critical Infrastructure and Cybersecurity Policy

Framework for Improving Critical Infrastructure Cybersecurity

Framework for Improving Critical Infrastructure Cybersecurity

Framework for Improving Critical Infrastructure Cybersecurity

Executive Order & Presidential Policy Directive 21. Ed Goff, Duke Energy Melanie Seader, EEI

NCSF Foundation Certification

Improving Critical Infrastructure Cybersecurity Executive Order Preliminary Cybersecurity Framework

Cybersecurity Risk Management:

Framework for Improving Critical Infrastructure Cybersecurity

Updates to the NIST Cybersecurity Framework

Doug Couto Texas A&M Transportation Technology Conference 2017 College Station, Texas May 4, 2017

Cybersecurity, safety and resilience - Airline perspective

standards and frameworks and controls oh my! Mike Garcia Senior Advisor for Elections Best Practices

How to implement NIST Cybersecurity Framework using ISO WHITE PAPER. Copyright 2017 Advisera Expert Solutions Ltd. All rights reserved.

Why you should adopt the NIST Cybersecurity Framework

Cybersecurity Presidential Policy Directive Frequently Asked Questions. kpmg.com

ACR 2 Solutions Compliance Tools

Improving Cybersecurity through the use of the Cybersecurity Framework

FDA & Medical Device Cybersecurity

Bonnie A. Goins Adjunct Industry Professor Illinois Institute of Technology

National Policy and Guiding Principles

The National Medical Device Information Sharing & Analysis Organization (MD-ISAO) Initiative Session 2, February 19, 2017 Moderator: Suzanne

CONE 2019 Project Proposal on Cybersecurity

Security and Privacy Governance Program Guidelines

Institute of Internal Auditors 2019 CONNECT WITH THE IIA CHICAGO #IIACHI

The Road Ahead for Healthcare Sector: What to Expect in Cybersecurity Session CS6, February 19, 2017 Donna F. Dodson, Chief Cybersecurity Advisor,

NCSF Foundation Certification

December 10, Statement of the Securities Industry and Financial Markets Association. Senate Committee on Banking, Housing, and Urban Development

Choosing the Right Cybersecurity Assessment Tool Michelle Misko, TraceSecurity Product Specialist

NIST Cybersecurity Testbed for Transportation Systems. CheeYee Tang Electronics Engineer National Institute of Standards and Technology

STRENGTHENING THE CYBERSECURITY OF FEDERAL NETWORKS AND CRITICAL INFRASTRUCTURE

Cybersecurity Risk Management Guide for Voluntary Use of the NIST Cybersecurity Framework

Incentives for IoT Security. White Paper. May Author: Dr. Cédric LEVY-BENCHETON, CEO

Presented by Ingrid Fredeen and Pamela Passman. Copyright 2017NAVEXGlobal,Inc. AllRightsReserved. Page 0

Cybersecurity in Higher Ed

Legal and Regulatory Developments for Privacy and Security

Security Management Models And Practices Feb 5, 2008

2016 Nationwide Cyber Security Review: Summary Report. Nationwide Cyber Security Review: Summary Report

CYBERSECURITY FOR STARTUPS AND SMALL BUSINESSES OVERVIEW OF CYBERSECURITY FRAMEWORKS

NISTCSF.COM. NIST Cybersecurity Framework (NCSF) Workforce Development Solutions

Critical Infrastructure Resilience

Cyber Security and Cyber Fraud

A Controls Factory Approach To Operationalizing a Cyber Security Program Based on the NIST Cybersecurity Framework

Framework for Improving Critical Infrastructure Cybersecurity

2017 RIMS CYBER SURVEY

The HITRUST CSF. A Revolutionary Way to Protect Electronic Health Information

From the Trenches: Lessons learned from using the NIST Cybersecurity Framework

Cybersecurity Risk Management

Engaging Maryland toward CAV advancements Christine Nizer, Administrator

Peer Collaboration The Next Best Practice for Third Party Risk Management

HITRUST CSF: One Framework

Higher Education in Texas: Serving Texas Through Transformational Education, Research, Discovery & Impact

TEL2813/IS2820 Security Management

FHWA RESILIENCE PRIMER

Performance Measurement, Data and Decision Making: A Matter of Alignment. Mark F. Muriello Assistant Director Tunnels, Bridges & Terminals

CISO as Change Agent: Getting to Yes

Mapping to the National Broadband Plan

Implementing Executive Order and Presidential Policy Directive 21

Mapping Your Requirements to the NIST Cybersecurity Framework. Industry Perspective

Energy Assurance State Examples and Regional Markets Jeffrey R. Pillon, Director of Energy Assurance National Association of State Energy Officials

Statement for the Record

NATIONAL DEFENSE INDUSTRIAL ASSOCIATION Homeland Security Symposium

Kent Landfield, Director Standards and Technology Policy

ENISA EU Threat Landscape

NISTCSF.COM. NIST Cybersecurity Framework (NCSF) Workforce Development Solutions

Re: McAfee s comments in response to NIST s Solicitation for Comments on Draft 2 of Cybersecurity Framework Version 1.1

Overview of NIPP 2013: Partnering for Critical Infrastructure Security and Resilience October 2013

UAE National Space Policy Agenda Item 11; LSC April By: Space Policy and Regulations Directory

Information Collection Request: The Department of Homeland. Security, Stakeholder Engagement and Cyber Infrastructure

MCGILL UNIVERSITY/PEOPIL CONFERENCE DUBLIN OCTOBER 2018

cybersecurity in Europe Rossella Mattioli Secure Infrastructures and Services

Cybersecurity, Trade, and Economic Development

Clarity on Cyber Security. Media conference 29 May 2018

Developing a Model for Cyber Security Maturity Assessment

Mission: Continuity BUILDING RESILIENCE AGAINST UNPLANNED SERVICE INTERRUPTIONS

Intelligent Building and Cybersecurity 2016

Metro Ethernet for Government Enhanced Connectivity Drives the Business Transformation of Government

2 1 S T C E NTURY INFRASTRUCTURE C OMMI S SION EXECUTIVE SUMMARY

A Controls Factory Approach To Building a Cyber Security Program Based on the NIST Cybersecurity Framework (NCSF)

AUTOMOTIVE FUNCTIONAL SAFETY: ACCELERATING INNOVATION THROUGH COOPERATION AND CONSENSUS IN STANDARDS

COMESA CYBER SECURITY PROGRAM KHARTOUM, SUDAN

What Why Value Methods

Executive Order on Coordinating National Resilience to Electromagnetic Pulses

March 21, 2016 MEMORANDUM FOR THE HEADS OF EXECUTIVE DEPARTMENTS AND AGENCIES. Building National Capabilities for Long-Term Drought Resilience

Critical Infrastructure Protection (CIP) as example of a multi-stakeholder approach.

Cybersecurity & Privacy Enhancements

Cybersecurity for Health Care Providers

CyberUSA Government Cyber Opportunities for your Region: The Federal Agenda - Federal, Grants & Resources Available to Support Community Cyber

Protecting vital data with NIST Framework

Deciphering Overlapping Standards and Requirements, Using the BCP Genome

How Cybersecurity Initiatives May Impact Operators. Ross A. Buntrock, Partner

Greg Garcia President, Garcia Cyber Partners Former Assistant Secretary for Cyber Security and Communications, U.S. Department of Homeland Security

U.S. Department of Homeland Security Office of Cybersecurity & Communications

Cybersecurity Framework

BRING EXPERT TRAINING TO YOUR WORKPLACE.

Business Continuity Planning

Transcription:

Using the NIST Framework for Metrics 5/14/2015

ITD - Public Safety Safety improvements reduced total crashes by 29% and injury crashes by 41% in corridors after GARVEE projects were completed Ads / Commercials 2

ITD - Winter Driving Idaho s largest snow removal service: 12,284 lane miles Roads covered: Interstates (like I -84) US Highways (like US 95) State Highways (like SH 21) Includes 1824 bridges. 3

2014 Orange Barrel Migration Season $284.5 Million dollars of construction projects 430 lane miles 39 bridges rehabilitated 4

DMV 1.11 Million licensed drivers 1.63 Million registered vehicles 5

Aeronautics 2400 (approx.) registered aircraft 5900 (approx.) registered pilots 126 public use airports 31 State operated airstrips 6

One last statistic 15.8 Billion vehicle miles traveled in on Idaho s freeways in 2014 7

What is a Cybersecurity Framework A collection of existing standards, guidelines and practices for reducing cyber risks to critical infrastructure. 8

Why use a Cybersecurity Framework A lot of money was spent on gathering really smart people to document what worked and what did not work to protect their technology infrastructure 9

What is the NIST National Institute of Standards (nist.gov) Non-regulatory agency of the US Department of Commerce Mission: Promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life. 10

What is the NIST Framework NIST Framework for Improving Critical Infrastructure Cybersecurity Version 1.0 Released February 12 th 2014 The national and economic security of the United States depends on the reliable functioning of critical infrastructure. Cybersecurity threats exploit the increased complexity and connectivity of critical infrastructure systems, placing the Nation s security, economy, and public safety and health at risk. Similar to financial and reputational risk, cybersecurity risk affects a company s bottom line. It can drive up costs and impact revenue. It can harm an organization s ability to innovate and to gain and maintain customers. To better address these risks, the President issued Executive Order 13636, Improving Critical Infrastructure Cybersecurity, on February 12, 2013, which established that [i]t is the Policy of the United States to enhance the security and resilience of the Nation s critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties. In enacting this policy, the Executive Order calls for the development of a voluntary risk-based Cybersecurity Framework a set of industry standards and best practices to help organizations manage cybersecurity risks. The resulting Framework, created through collaboration between government and the private sector, uses a common language to address and manage cybersecurity risk in a cost-effective way based on business needs without placing additional regulatory requirements on businesses. 11

What we were doing before NIST We were using the ISO/IEC 17799:2005 and ISO/IEC 27001:2005 Other Idaho State Agencies using the SANS top 20 Critical Security Controls ITD IT Auditors using CoBIT 12

Why use NIST Federal Agencies (Including FHWA) use the NIST Framework NASCIO supports adoption of the NIST Framework Other Idaho State Agencies were considering using the NIST Framework Needed to update ISO Framework (not free) NIST Framework (free) 13

NIST Framework Details Functions Functions organize basic cybersecurity activities at their highest level. These Functions are Identify, Protect, Detect, Respond, and Recover. They aid an organization in expressing its management of cybersecurity risk by organizing information, enabling risk management decisions, addressing threats, and improving by learning from previous activities. The Functions also align with existing methodologies for incident management and help show the impact of investments in cybersecurity. 14

NIST Framework Details Functions Categories - Categories are the subdivisions of a Function into groups of cybersecurity outcomes closely tied to programmatic needs and particular activities. 15

NIST Framework Details Functions Categories Subcategories Subcategories further divide a Category into specific outcomes of technical and/or management activities. They provide a set of results that, while not exhaustive, help support achievement of the outcomes in each Category. 16

NIST Framework Details Functions Categories Subcategories Controls Informative References are specific sections of standards, guidelines, and practices common among critical infrastructure sectors that illustrate a method to achieve the outcomes associated with each Subcategory. The Informative References presented in the Framework Core are illustrative and not exhaustive. They are based upon cross-sector guidance most frequently referenced during the Framework development process. 17

NIST Framework Details Functions Categories Subcategories Controls Rated by Tiers 18

What is a metric? Performance metrics measure an organization's activities and performance. It should support a range of stakeholder needs from customers, shareholders to employees. - Mark Graham Brown, Using the Right Metrics to Drive World-class Performance 19

Why does a Cybersecurity program care about Metrics? Shows us how we are doing Allows us to set goals Shows us how we are doing over time Security programs are expensive and metrics show executives they are not just throwing money into a black hole and hoping for the best 20

Why use the NIST Framework to make metrics? Our existing metrics were not very useful, we needed to show how the previous cybersecurity metrics affected day to day operations 21

How we metricized the NIST Framework Planning We developed a matrix (Excel spreadsheet) to help us evaluate the framework by Sub Category by Tier We Baselined (took a really quick guess) at where we were on the framework We set (aggressive) goals on where we would think we should be in 3 to 5 years Set goals by Function Drove Goals down by Category 22

How we metricized the NIST Framework Scoring We created a method of scoring the NIST by numeric value of the Tier (0 through 4) by Sub Category. We score Categories by taking the floor (rounding down) of the average of the component Sub Categories. This gives us a conservative view on the Category. We score Functions by taking the floor (rounding down) of the average of all the component Sub Categories. This gives us a conservative view of the Function. We don t average the Category scores because averaging averages is mathematically bad and causes a dilution of precision that would make anybody look really bad. (Our goal was to be conservative not pessimistic.) 23

How we metricized the NIST Framework Charts We created visual charts to display our metrics Goals and current status. By Function, By Category and by Sub Category. 24

How we metricized the NIST Framework Set Goals We took a look at the difference between our baseline and where we wanted to be and totaled the number of Tiers of improvement needed to reach our goals and spread them over a 3 to 5 year window. 25

How we use the NIST Framework for Metrics We brought in an auditor who specializes in IT from our internal Audit group for a neutral outside view. We evaluate the framework quarterly. We take notes during the evaluation process. This shows us what our thoughts were during the last round and highlights what we can do to improve. 26

How we use the NIST Framework for Metrics To remove the subjective nature of some of the subcategories we started scoring each control and averaging (with traditional rounding) the score to build the sub category. This is painfully slow at first but can really time in the end because key controls are reused in multiple sub categories. This also shows us some of the most important controls to focus on. 27

How we use the NIST Framework for Metrics We only plan on doing a detailed review once a year and the quarterly reviews based upon changes (completing projects, new threats emerging, how things went) 28

Lessons Learned As a group, we are capable of having very impassioned but detailed discussions on the subject. Our baseline was fairly optimistic. Sometimes scores drop. Sometimes scores drop because we get a better understanding of what is needed and what we are doing. Sometimes they drop because of the moving target nature of cyber security. 29

Lessons Learned The projects we were working on at the time focused on things we were already strong on, not on the things we were weak. This is a group sport. Most of the controls evaluated by the NIST are performed by IT groups outside of IT Security. To reach our security goals, we need to work very closely with the other IT Groups. 30

Questions? Email: brian.reed@itd.idaho.gov NIST: http://www.nist.gov/cyberframework/ 31

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback