Cybersecurity Best Practices


Cybersecurity Best Practices: Securing Your Organization, Systems and Platforms
Health IT Summit, The Cybersecurity Forum, August 2017
Tony Sager, Sr. Vice President and Chief Evangelist, CIS

Classic Risk Equation

Risk = ƒ{Vulnerability, Threat, Consequence} / countermeasures

A Lifetime of Cybersecurity Lessons

- Knowing about vulnerabilities doesn't get them fixed.
- The Bad Guy doesn't perform magic (USENIX Enigma 2016 - NSA TAO Chief on Disrupting Nation State Hackers).
- There's a large but limited number of defensive choices; the 80/20 rule applies (the Pareto Principle).
- Cybersecurity => Information Management: not Information Sharing, not technology. When you hear "share", think "translate and execute".
- Few people/enterprises make security decisions; they make economic and social decisions.
- Cybersecurity is more like Groundhog Day than Independence Day.

"The reason for collecting, analyzing and disseminating information on a disease is to control that disease. Collection and analysis should not be allowed to consume resources if action does not follow."
-- Foege WH, et al. International Journal of Epidemiology 1976; 5:29-37

Security terms (word cloud): anti-malware, governance, baseline configuration, standards, SDL, audit logs, need-to-know, security controls, DLP, continuous monitoring, supply-chain security, certification, penetration testing, threat feed, best practice, virtualization, browser isolation, maturity model, whitelisting, assessment, SIEM, sandbox, risk management framework, compliance, encryption, threat intelligence, security bulletins, user awareness training, incident response, two-factor authentication

Frameworks and standards: DHS CDM Program, NISP DoD 5220.22-M, ENISA Security Framework, FISMA, NIST Cybersecurity Framework, NIST 800-53, COBIT, HIPAA, NATO CCD Cybersecurity Framework, Bank of England CBEST, ISO 27001/27002, PCI DSS, HITRUST Common Security Framework, NERC CIP, ISF Standard of Good Practice

The Defender's Dilemma

1. What's the right thing to do? And how much do I need to do?
2. How do I actually do it?
3. And how can I demonstrate to others that I have done the right thing?

From Best Practice to Common Practice

- How do we know what is best? Based on data? Solution to the worst problem? Trusted source?
- What is a practice? How specific?
- How do I actually do it? What do I need to do this?
- What are the barriers? Knowledge? Cost? Tools? Training? Enforcement? Misalignment?
- It takes more than a list of practices: marketplace, tools, training; community-building; sharing of ideas; alignment of practices with oversight, auditing, compliance.

Health & Human Services - Best Practices. Where are we today in cyberdefense?

- Research Validated Best Practice: a program, activity or strategy that has the highest degree of proven effectiveness, supported by objective and comprehensive research and evaluation.
- Field Tested Best Practice: a program, activity or strategy that has been shown to work effectively and produce successful outcomes and is supported to some degree by subjective and objective data sources.
- Promising Practice: a program, activity or strategy that has worked within one organization and shows promise during its early stages for becoming a best practice with long term sustainable impact. Must have some objective basis for claiming effectiveness and must have the potential for replication among other organizations.

CIS Best Practice Workflow

CIS Controls

Who is CIS?

- We develop and support best practices for effective defenses against cyber attacks.
- We mobilize and organize volunteers in a community model.
- Not-for-profit, independent, objective, and international in scope.

CIS delivers Confidence in the Connected World.

Website: www.cisecurity.org
Email: Controlsinfo@cisecurity.org
Twitter: @CISecurity
Facebook: Center for Internet Security
LinkedIn Groups: Center for Internet Security; 20 Critical Security Controls