Why you should adopt the NIST Cybersecurity Framework

Similar documents
Cybersecurity Presidential Policy Directive Frequently Asked Questions. kpmg.com

CYBERSECURITY FOR STARTUPS AND SMALL BUSINESSES OVERVIEW OF CYBERSECURITY FRAMEWORKS

*** THIS DOCUMENT IS CLASSIFIED FOR PUBLIC ACCESS ***

NCSF Foundation Certification

Overview of NIPP 2013: Partnering for Critical Infrastructure Security and Resilience October 2013

Improving Cybersecurity through the use of the Cybersecurity Framework

How to implement NIST Cybersecurity Framework using ISO WHITE PAPER. Copyright 2017 Advisera Expert Solutions Ltd. All rights reserved.

The NIST Cybersecurity Framework

Cybersecurity for Health Care Providers

Cyber Risk Program Maturity Assessment UNDERSTAND AND MANAGE YOUR ORGANIZATION S CYBER RISK.

Critical Infrastructure Resilience

THE WHITE HOUSE. Office of the Press Secretary. EMBARGOED UNTIL DELIVERY OF THE PRESIDENT'S February 12, 2013 STATE OF THE UNION ADDRESS

COMMENTARY. Federal Banking Agencies Propose Enhanced Cyber Risk Management Standards

Presented by Ingrid Fredeen and Pamela Passman. Copyright 2017NAVEXGlobal,Inc. AllRightsReserved. Page 0

NCSF Foundation Certification

Framework for Improving Critical Infrastructure Cybersecurity

RSA Cybersecurity Poverty Index

STRENGTHENING THE CYBERSECURITY OF FEDERAL NETWORKS AND CRITICAL INFRASTRUCTURE

Cyber Resilience. Think18. Felicity March IBM Corporation

Critical Infrastructure Sectors and DHS ICS CERT Overview

2016 Nationwide Cyber Security Review: Summary Report. Nationwide Cyber Security Review: Summary Report

Updates to the NIST Cybersecurity Framework

SOLUTION BRIEF Virtual CISO

2018 WTA Spring Meeting Are You Ready for a Breach? Troy Hawes, Senior Manager

Bradford J. Willke. 19 September 2007

Office of Infrastructure Protection Overview

NIST Cybersecurity Testbed for Transportation Systems. CheeYee Tang Electronics Engineer National Institute of Standards and Technology

Achieving Cyber-Readiness through Information Sharing Analysis Organizations (ISAOs)

Energy Assurance Plans

ICBA Summary of FFIEC Cybersecurity Assessment Tool (May 2017 Update)

Framework for Improving Critical Infrastructure Cybersecurity

Enhancing the Cybersecurity of Federal Information and Assets through CSIP

Bonnie A. Goins Adjunct Industry Professor Illinois Institute of Technology

ACR 2 Solutions Compliance Tools

Mapping Your Requirements to the NIST Cybersecurity Framework. Industry Perspective

Effectively Measuring Cybersecurity Improvement: A CSF Use Case

The Office of Infrastructure Protection

CRITICAL INFRASTRUCTURE AND CYBER THREAT CRITICAL INFRASTRUCTURE AND CYBER THREAT

BUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE

DATA SHEET RISK & CYBERSECURITY PRACTICE EMPOWERING CUSTOMERS TO TAKE COMMAND OF THEIR EVOLVING RISK & CYBERSECURITY POSTURE

cybersecurity in Europe Rossella Mattioli Secure Infrastructures and Services

Framework for Improving Critical Infrastructure Cybersecurity

Evaluating and Improving Cybersecurity Capabilities of the Electricity Critical Infrastructure

Overview of the Cybersecurity Framework

DEVELOP YOUR TAILORED CYBERSECURITY ROADMAP

The Office of Infrastructure Protection

Building a Resilient Security Posture for Effective Breach Prevention

RSA Cybersecurity Poverty Index : APJ

From the Trenches: Lessons learned from using the NIST Cybersecurity Framework

ISA99 - Industrial Automation and Controls Systems Security

MITIGATE CYBER ATTACK RISK

Cybersecurity in Higher Ed

Building a BC/DR Control Library and Regulatory Response Program

NHS Gloucestershire Clinical Commissioning Group. Business Continuity Strategy

Continuous protection to reduce risk and maintain production availability

RBI GUIDELINES ON CYBER SECURITY AND RAKSHA APPROACH

Kent Landfield, Director Standards and Technology Policy

Cybersecurity, safety and resilience - Airline perspective

Stephanie Zierten Associate Counsel Federal Reserve Bank of Boston

Emerging Issues: Cybersecurity. Directors College 2015

John Snare Chair Standards Australia Committee IT/12/4

SFC strengthens internet trading regulatory controls

ISAO SO Product Outline

Ontario Energy Board Cyber Security Framework

BUSINESS CONTINUITY MANAGEMENT PROGRAM OVERVIEW

NYDFS Cybersecurity Regulations

CYBERSECURITY MATURITY ASSESSMENT

Enterprise Risk Management (ERM) and Cybersecurity. Na9onal Science Founda9on March 14, 2018

National Policy and Guiding Principles

Business continuity management and cyber resiliency

Cyber Risk in the Marine Transportation System

Top 10 ICS Cybersecurity Problems Observed in Critical Infrastructure

Implementing the Administration's Critical Infrastructure and Cybersecurity Policy

INTELLIGENCE DRIVEN GRC FOR SECURITY

The HITRUST CSF. A Revolutionary Way to Protect Electronic Health Information

Canada Highlights. Cybersecurity: Do you know which protective measures will make your company cyber resilient?

Cybersecurity-Related Information Sharing Guidelines Draft Document Request For Comment

Cybersecurity What Companies are Doing & How to Evaluate. Miguel Romero - NAIC David Gunkel & Dan Ford Rook Security

Digital Wind Cyber Security from GE Renewable Energy

COUNTERING IMPROVISED EXPLOSIVE DEVICES

Cyber Security Requirements for Supply Chain. June 17, 2015

Table of Contents. Sample

New York Cybersecurity. New York Cybersecurity. Requirements for Financial Services Companies (23NYCRR 500) Solution Brief

Security Metrics. February 25, Annabelle Lee Senior Technical Executive

The Value of Bipartisanship

The Confluence of Physical and Cyber Security Management

United States Coast Guard Office of Port and Facility Compliance (CG-FAC) Cybersecurity and the Marine Transportation System.

Cybersecurity: Considerations for Internal Audit. Gina Gondron Senior Manager Frazier & Deeter Geek Week August 10, 2016

NW NATURAL CYBER SECURITY 2016.JUNE.16

Cyber Risks in the Boardroom Conference

Designing and Building a Cybersecurity Program

Choosing the Right Cybersecurity Assessment Tool Michelle Misko, TraceSecurity Product Specialist

Data Security Standards

Cyber Defense Maturity Scorecard DEFINING CYBERSECURITY MATURITY ACROSS KEY DOMAINS

SOLUTION BRIEF RSA ARCHER BUSINESS RESILIENCY

The Water Sector Approach to Cybersecurity

The Office of Infrastructure Protection

Understanding Cyber Insurance & Regulatory Drivers for Business Continuity

Cybersecurity and the Board of Directors

DATA SHEET RSA NETWITNESS PLATFORM PROFESSIONAL SERVICES ACCELERATE TIME-TO-VALUE & MAXIMIZE ROI

Transcription:

Why you should adopt the NIST Cybersecurity Framework It s important to note that the Framework casts the discussion of cybersecurity in the vocabulary of risk management Stating it in terms Executive leaders and board members understand.

The NIST framework is a risk based framework based on leading cybersecurity standards It is valuable for ALL Businesses.

Critical infrastructure US Presidential Policy Directive 21 defines critical infrastructure as the following 16 sectors: Chemicals Commercial facilities Communications Critical manufacturing Dams Defense industrial base Emergency services Energy Financial services Food & agriculture Government facilities Healthcare & public health Information technology Nuclear reactors, materials, & waste Transportation systems Water & wastewater systems Source: Department of Homeland Security, Critical Infrastructure Sector While the NIST Cybersecurity Framework targets organizations that own or operate critical infrastructure, adoption may prove advantageous for businesses across virtually all industries 1. The Framework does not introduce new standards or concepts; rather, it leverages and integrates industry-leading cybersecurity practices that have been developed by organizations like NIST and the International Standardization Organization (ISO). The Framework is the result of a February 2013 Executive Order titled Improving Critical Infrastructure Cybersecurity and 10 months of collaborative discussions with more than 3,000 security professionals. 2 It comprises a risk-based compilation of guidelines that can help organizations identify, implement, and improve cybersecurity practices, and creates a common language for internal and external communication of cybersecurity issues. The Framework is a reiterative process designed to evolve in sync with changes in cybersecurity threats, processes, and technologies. It will be revised periodically to incorporate lessons learned and industry feedback. In effect, the Framework envisions effective cybersecurity as a dynamic, continuous loop of response to both threats and solutions. The Framework provides an assessment mechanism that enables organizations to determine their current cybersecurity capabilities, set individual goals for a target state, and establish a plan for improving and maintaining cybersecurity programs. It comprises three primary components: Profile, Implementation Tiers, and Core.

The Profile component enables organizations to align and improve cybersecurity practices based on their individual business needs, tolerance for risk, and available resources. To do so, organizations create a Current Profile by measuring their existing programs against the recommended practices in the Framework Core. These practices include processes, procedures, and technologies such as asset management, alignment with business strategy, risk assessment, access control, employee training, data security, event logging and analysis, and incident response plans. To identify a Target Profile, organizations employ the same Core criteria to determine the outcomes necessary to improve their cybersecurity posture. Unique requirements by industry, customers, and business partners can be factored into the Target Profile. Once completed, a comparison of the Current and Target Profiles will identify the gaps that should be closed to enhance cybersecurity and provide the basis for a prioritized roadmap to help achieve these improvements. Implementation Tiers help create a context that enables organizations to understand how their current cybersecurity risk-management capabilities stack up against the characteristics described by the Framework. Tiers range from Partial (Tier 1) to Adaptive (Tier 4) (Figure 1.). NIST recommends that organizations seeking to achieve an effective, defensible cybersecurity program progress totier 3 or Tier 4. Figure 1: Tiers of cybersecurity maturity Tier 1 Partial Risk management is ad hoc, with limited awareness of risks and no collaboration with others Tier 2 Risk Informed Risk-management processes and program are in place but are not integrated enterprise-wide; collaboration is understood but organization lacks formal capabilities Tier 3 Repeatable Formal policies for risk-management processes and programs are in place enterprise-wide, with partial external collaboration Tier 4 Adaptive Risk-management processes and programs are based on lessons learned and embedded in culture, with proactive collaboration

The Framework Core defines standardized cybersecurity activities, desired outcomes, and applicable references, and is organized by five continuous functions: Identify, Protect, Detect, Respond, and Recover. (Figure 2.) The Framework Core, in effect, describes the continuous cycle of business processes that constitute effective cybersecurity. Figure 2: Five core functions of effective cybersecurity Functions Definition Categories IDENTIFY An understanding of how to manage cybersecurity risks to systems, assets, data, and capabilities PROTECT DETECT RESPOND RECOVER The controls and safeguards necessary to protect or deter cybersecurity threats Continuous monitoring to provide proactive and realtime alerts of cybersecurityrelated events Incident-response activities Business continuity plans to maintain resilience and recover capabilities after a cyber-breach Asset management, business environment, governance, risk assessment, risk management strategy Access control, awareness and training, data security, data protection processes, maintenance, protective technologies Anomalies and events, continuous monitoring, detection processes Response planning, communications, analysis, mitigation, improvements Recovery planning, improvements, communications

For most organizations, whether they are owners, operators, or suppliers for critical infrastructure, the NIST Cybersecurity Framework may be well worth adopting solely for its stated goal of improving risk-based security. But it also can deliver ancillary benefits that include effective collaboration and communication of security posture with executives and industry organizations, as well as potential future improvements in legal exposure and even assistance with regulatory compliance. U.S. Securities and Exchange Commission SEC) s Office of Compliance Inspections and Examinations (OCIE) cybersecurity examinations of registered entities include questions outlined in the NIST Cybersecurity Framework. It s important to note that the Framework casts the discussion of cybersecurity in the vocabulary of risk management. With good reason: Executive leaders and board members typically are well-versed in risk management, and framing cybersecurity in this context will enable security leaders to more effectively articulate the importance and goals of cybersecurity. The Framework has already been suggested as a potential baseline for best practices by companies, including in assessing legal or regulatory exposure to these issues or for insurance purposes. At a minimum, boards should work with management to assess their corporate policies to ensure how they match-up to the Framework s guidelines and whether more may be needed. If SEC or other proposed federal regulation of cybersecurity becomes a reality, implementing the Framework could be a mandatory exercise. By choosing to act now, organizations have the benefit of more flexibility in how they implement the Framework. Call OutSecure (203)81608061 and schedule a free initial assessment to determine how your business can benefit from adopting the NIST cybersecurity framework.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback