Framework for Improving Critical Infrastructure Cybersecurity

Similar documents
The NIST Cybersecurity Framework

Overview of the Cybersecurity Framework

Framework for Improving Critical Infrastructure Cybersecurity

Framework for Improving Critical Infrastructure Cybersecurity. and Risk Approach

Cybersecurity Risk Management:

Executive Order & Presidential Policy Directive 21. Ed Goff, Duke Energy Melanie Seader, EEI

Framework for Improving Critical Infrastructure Cybersecurity

Improving Critical Infrastructure Cybersecurity Executive Order Preliminary Cybersecurity Framework

The Road Ahead for Healthcare Sector: What to Expect in Cybersecurity Session CS6, February 19, 2017 Donna F. Dodson, Chief Cybersecurity Advisor,

NCSF Foundation Certification

Framework for Improving Critical Infrastructure Cybersecurity

Effectively Measuring Cybersecurity Improvement: A CSF Use Case

Framework for Improving Critical Infrastructure Cybersecurity

Updates to the NIST Cybersecurity Framework

From the Trenches: Lessons learned from using the NIST Cybersecurity Framework

Bonnie A. Goins Adjunct Industry Professor Illinois Institute of Technology

STRENGTHENING THE CYBERSECURITY OF FEDERAL NETWORKS AND CRITICAL INFRASTRUCTURE

NCSF Foundation Certification

National Initiative for Cybersecurity Education

Function Category Subcategory Implemented? Responsible Metric Value Assesed Audit Comments

Track 4A: NIST Workshop

Information Technology Security Plan Policies, Controls, and Procedures Identify Risk Assessment ID.RA

Cybersecurity & Privacy Enhancements

Why you should adopt the NIST Cybersecurity Framework

Developing a Model for Cyber Security Maturity Assessment

Cybersecurity, safety and resilience - Airline perspective

Cybersecurity for Health Care Providers

standards and frameworks and controls oh my! Mike Garcia Senior Advisor for Elections Best Practices

Implementing the Administration's Critical Infrastructure and Cybersecurity Policy

Evaluating and Improving Cybersecurity Capabilities of the Electricity Critical Infrastructure

CYBERSECURITY FOR STARTUPS AND SMALL BUSINESSES OVERVIEW OF CYBERSECURITY FRAMEWORKS

Improving Cybersecurity through the use of the Cybersecurity Framework

ACR 2 Solutions Compliance Tools

NIST Cybersecurity Testbed for Transportation Systems. CheeYee Tang Electronics Engineer National Institute of Standards and Technology

Implementing Executive Order and Presidential Policy Directive 21

Cybersecurity Presidential Policy Directive Frequently Asked Questions. kpmg.com

Cybersecurity Framework Manufacturing Profile

INFORMATION ASSURANCE DIRECTORATE

Information Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV

Overview of NIPP 2013: Partnering for Critical Infrastructure Security and Resilience October 2013

Security Metrics. February 25, Annabelle Lee Senior Technical Executive

Appendix 12 Risk Assessment Plan

Appendix 12 Risk Assessment Plan

HITRUST CSF: One Framework

Views on the Framework for Improving Critical Infrastructure Cybersecurity

Cyber Security & Homeland Security:

Choosing the Right Cybersecurity Assessment Tool Michelle Misko, TraceSecurity Product Specialist

2 nd Cybersecurity Workshop Test and Evaluation to Meet the Advanced Persistent Threat

National Policy and Guiding Principles

Using the NIST Cybersecurity Framework to Guide your Security Program August 31, 2017

COMPASS FOR THE COMPLIANCE WORLD. Asia Pacific ICS Security Summit 3 December 2013

Securing an IT. Governance, Risk. Management, and Audit

Using the NIST Framework for Metrics 5/14/2015

Balancing Compliance and Operational Security Demands. Nov 2015 Steve Winterfeld

BUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE

Dr. Emadeldin Helmy Cyber Risk & Resilience Bus. Continuity Exec. Director, NTRA. The African Internet Governance Forum - AfIGF Dec 2017, Egypt

THE WHITE HOUSE. Office of the Press Secretary EXECUTIVE ORDER

Four Deadly Traps of Using Frameworks NIST Examples

December 10, Statement of the Securities Industry and Financial Markets Association. Senate Committee on Banking, Housing, and Urban Development

THE WHITE HOUSE Office of the Press Secretary EXECUTIVE ORDER

Re: McAfee s comments in response to NIST s Solicitation for Comments on Draft 2 of Cybersecurity Framework Version 1.1

Dear Mr. Games: Please see our submission attached. With kind regards, Aaron

Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure

Using Metrics to Gain Management Support for Cyber Security Initiatives

SAC PA Security Frameworks - FISMA and NIST

Cybersecurity-Related Information Sharing Guidelines Draft Document Request For Comment

GUIDELINES ON MARITIME CYBER RISK MANAGEMENT

Kent Landfield, Director Standards and Technology Policy

Discussion Draft of the Preliminary Cybersecurity Framework August 28, 2013

HPH SCC CYBERSECURITY WORKING GROUP

Protecting Controlled Unclassified Information(CUI) in Nonfederal Information Systems and Organizations

Information Technology Branch Organization of Cyber Security Technical Standard

NW NATURAL CYBER SECURITY 2016.JUNE.16

SYSTEMS ASSET MANAGEMENT POLICY

Cybersecurity Risk Management

Rocky Mountain Cyberspace Symposium 2018 DoD Cyber Resiliency

Presented by Ingrid Fredeen and Pamela Passman. Copyright 2017NAVEXGlobal,Inc. AllRightsReserved. Page 0

Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure

HIPAA COMPLIANCE WHAT YOU NEED TO DO TO ENSURE YOU HAVE CYBERSECURITY COVERED

Cyber Security For Utilities Risks, Trends & Standards. IEEE Toronto March 22, Doug Westlund Senior VP, AESI Inc.

ICBA Summary of FFIEC Cybersecurity Assessment Tool (May 2017 Update)

How to implement NIST Cybersecurity Framework using ISO WHITE PAPER. Copyright 2017 Advisera Expert Solutions Ltd. All rights reserved.

Risk-Based Cyber Security for the 21 st Century

ISAO SO Product Outline

THE POWER OF TECH-SAVVY BOARDS:

FPM-IT-420B: FAC-P/PM-IT Planning & Acquiring Operations of IT Systems Course Details

existing customer base (commercial and guidance and directives and all Federal regulations as federal)

The Water Sector Approach to Cybersecurity

Ontario Energy Board Cyber Security Framework

Australian Energy Sector Cyber Security Framework. Frequently Asked Questions FINAL V1-0

Government Resolution No of February 15, Resolution: Advancing National Regulation and Governmental Leadership in Cyber Security

FDA & Medical Device Cybersecurity

2016 Nationwide Cyber Security Review: Summary Report. Nationwide Cyber Security Review: Summary Report

Maritime Bulk Liquids Transfer Cybersecurity Framework Profile

Information Security Continuous Monitoring (ISCM) Program Evaluation

ACHIEVING SECURITY with the NIST CYBERSECURITY FRAMEWORK INDUSTRY PERSPECTIVE

ISSMP is in compliance with the stringent requirements of ANSI/ISO/IEC Standard

Federal Civilian Executive branch State, Local, Tribal, Territorial government (SLTT) Private Sector (PS) Unclassified / Business Networks

NISTCSF.COM. NIST Cybersecurity Framework (NCSF) Workforce Development Solutions

The Key Principles of Cyber Security for Connected and Automated Vehicles. Government

Transcription:

Framework for Improving Critical Infrastructure Cybersecurity November 2017 cyberframework@nist.gov

Supporting Risk Management with Framework 2

Core: A Common Language Foundational for Integrated Teams Senior Executives ID PR DE RS RC IT, Contracts, Marketing, Business Professionals ID PR DE RS RC Cybersecurity Professionals Highly technical and specialized language 3

Industry Resources www.nist.gov/cyberframework/industry-resources Over 70 Unique Resources for Your Understanding and Use! 4

Examples of Framework Industry Resources www.nist.gov/cyberframework/industry-resources Italy s National Framework for Cybersecurity American Water Works Association s Process Control System Security Guidance for the Water Sector The Cybersecurity Framework in Action: An Intel Use Case Cybersecurity Risk Management and Best Practices Working Group 4: Final Report Financial Services Sector Specific Cybersecurity Profile 5

International Use Used by over 30% of U.S. organizations, trending to 50% Used by the United States Government Japanese translation by IPA Italian adaptation within Italy s National Framework for Cybersecurity Hebrew adaptation by Government of Israel Bermuda uses it within government and recommends it to industry Philippines National Cybersecurity Plan for 2022 Focus of International Organization for Standardization (ISO) & International Electrotechnical Commission (IEC) 6

Cybersecurity Framework Charter Improving U.S. Critical Infrastructure Cybersecurity February 12, 2013 December 18, 2014 It is the policy of the United States to enhance the security and resilience of the Nation s critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties Amends the National Institute of Standards and Technology Act (15 U.S.C. 272(c)) to say: on an ongoing basis, facilitate and support the development of a voluntary, consensus-based, industry-led set of standards, guidelines, best practices, methodologies, procedures, and processes to cost-effectively reduce cyber risks to critical infrastructure Executive Order 13636 Cybersecurity Enhancement Act of 2014 (P.L. 113-274) 7

Development of the Framework Engage the Framework Stakeholders EO 13636 Issued February 12, 2013 NIST Issues RFI February 26, 2013 1 st Framework Workshop April 03, 2013 Collect, Categorize, and Post RFI Responses Completed April 08, 2013 Identify Common Practices/Themes May 15, 2013 Analyze RFI Responses 2 nd Framework Workshop at CMU May 2013 Draft Outline of Preliminary Framework June 2013 Ongoing Engagement: Open public comment and review encouraged and promoted throughout the process and to this day Identify Framework Elements 3 rd Workshop at UCSD July 2013 4 th Workshop at UT Dallas Sept 2013 Prepare and Publish Framework 5 th Workshop at NC State Nov 2013 Published Framework Feb 2014 8

Key Attributes It s voluntary Is meant to be customized. It s a framework, not a prescriptive standard Provides a common language and systematic methodology for managing cyber risk. Does not tell an organization how much cyber risk is tolerable, nor provide the one and only formula for cybersecurity. It s a living document Enable best practices to become standard practices for everyone Evolves faster than regulation and legislation Can be updated as stakeholders learn from implementation Can be updated as technology and threats changes. 9

Cybersecurity Framework Components Aligns industry standards and best practices to the Framework Core in an implementation scenario Supports prioritization and measurement while factoring in business needs Framework Profile Framework Core Cybersecurity activities and informative references, organized around particular outcomes Enables communication of cyber risk across an organization Framework Implementation Tiers Describes how cybersecurity risk is managed by an organization and degree the risk management practices exhibit key characteristics 10

Core A Catalog of Cybersecurity Outcomes Function What processes and assets need protection? What safeguards are available? What techniques can identify incidents? What techniques can contain impacts of incidents? What techniques can restore capabilities? Identify Understandable by everyone Protect Detect Respond Recover Applies to any type of risk management Defines the entire breadth of cybersecurity Spans both prevention and reaction 11

Core Example Cybersecurity Framework Component Function Category Subcategory Informative Reference ID.BE-3: Priorities for organizational COBIT 5 APO02.01, APO02.06, APO03.01 Identify Business mission, objectives, ISA 62443-2-1:2009 Environment and activities are 4.2.2.1, 4.2.3.6 established and communicated NIST SP 800-53 Rev. 4 PM-11, SA-14 12 12

Profile Customizing Cybersecurity Framework Ways to think about a Profile: A customization of the Core for a given sector, subsector, or organization A fusion of business/mission logic and cybersecurity outcomes Identify Protect Detect Respond Recover An alignment of cybersecurity requirements with operational methodologies A basis for assessment and expressing target state A decision support tool for cybersecurity risk management 13

Profile Foundational Information A Profile Can be Created from Three Types of Information Cybersecurity Requirements Legislation Regulation Internal & External Policy 1 Business Objectives Objective 1 Objective 2 Objective 3 Subcategory 1 2 98 Technical Environment Threats 2 3 Vulnerabilities Operating Methodologies Controls Catalogs Technical Guidance 14

Framework Seven Step Process Gap Analysis Using Framework Profiles Step 1: Prioritize and Scope Step 2: Orient Step 3: Create a Current Profile Step 4: Conduct a Risk Assessment Step 5: Create a Target Profile Step 6: Determine, Analyze, and Prioritize Gaps Step 7: Implementation Action Plan 15

1. Integrate enterprise and cybersecurity risk management Function What processes and assets need protection? What safeguards are available? What techniques can identify incidents? What techniques can contain impacts of incidents? What techniques can restore capabilities? Identify Understandable by everyone Protect Detect Respond Recover Applies to any type of risk management Defines the entire breadth of cybersecurity Spans both prevention and reaction 16

2. Manage cybersecurity requirements Cybersecurity Requirements Legislation Regulation Internal & External Policy 1 Business Objectives Objective 1 Objective 2 Objective 3 Subcategory 1 2 98 Technical Environment Threats 2 3 Vulnerabilities Operating Methodologies Controls Catalogs Technical Guidance 17

3. Integrate and align cybersecurity and acquisition processes Used to Communicate Requirements to Vendors too 18

4. Evaluate organizational cybersecurity Risk Management Process Integrated Risk Management Program External Participation 1 2 3 4 Partial Risk Informed Repeatable Adaptive The functionality and repeatability of cybersecurity risk management The extent to which cybersecurity is considered in broader risk management decisions The degree to which the organization benefits my sharing or receiving information from outside parties 19 19

5. Manage the cybersecurity program Subcats Reqs Priorities Who What When Where How 1 A, B High 2 C, D, E, F High 3 G, H, I, J Low......... 98 XX, YY, ZZ Mod Reqs Priorities 20

Resource and Budget Decisioning What Can You Do with a CSF Profile As-Is Year 1 To-Be Year 2 To-Be Subcategory Year 1 Year 2 Priority Gaps Budget Activities Activities 1 moderate small $$$ X 2 high large $$ X 3 moderate medium $ X 98 moderate none $$ reassess and supports on-going operational decisions too 21

6. Maintain a comprehensive understanding of cybersecurity risk FIPS 199/SP 800-60 SP 800-137/SP 800-53A FIPS 200/SP 800-53 SP 800-37 Many SPs SP 800-53A

7. Report cybersecurity risks Organizational Inputs 5 22 98 287 Functions Categories Subcategories SP 800-53 Security Controls Reporting 23

Next Steps Stakeholder Recommended Actions Stakeholders should consider activities to: Customize Framework for your sector or community Publish a sector or community Profile or relevant crosswalk Advocate for the Framework throughout your sector or community, with related sectors and communities. Publish summaries of use or case studies of your Framework implementation. Submit a paper during the NIST call for abstracts Share your Framework resources with NIST at cyberframework@nist.gov. 24

Resources Where to Learn More and Stay Current The National Institute of Standards and Technology Web site is available at http://www.nist.gov NIST Computer Security Resource Center is available at http://csrc.nist.gov/ The Framework for Improving Critical Infrastructure Cybersecurity and related news and information are available at www.nist.gov/cyberframework For additional Framework info and help cyberframework@nist.gov

cyberframework@nist.gov Background Slides

Core A Catalog of Cybersecurity Outcomes What processes and assets need protection? What safeguards are available? What techniques can identify incidents? What techniques can contain impacts of incidents? What techniques can restore capabilities? Function Identify Protect Detect Respond Recover Category Asset Management Business Environment Governance Risk Assessment Risk Management Strategy Access Control Awareness and Training Data Security Information Protection Processes & Procedures Maintenance Protective Technology Anomalies and Events Security Continuous Monitoring Detection Processes Response Planning Communications Analysis Mitigation Improvements Recovery Planning Improvements Communications 27

Core for Greater Cybersecurity Participation A Catalog of Cybersecurity Outcomes Organizational Inputs 5 22 98 287 Functions Categories Subcategories Informative References Reporting 28

Operate Use Cybersecurity Framework Profiles to distribute and organize labor Subcats Reqs Priorities Who What When Where How 1 A, B High 2 C, D, E, F High 3 G, H, I, J Low......... 98 XX, YY, ZZ Mod Reqs Priorities 29

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback