Derek Boczenowski | IT Auditor | February 12, 2015
Taking Advantage of the NIST Cybersecurity Framework
Agenda
Introduction
Definition of Cybersecurity
Framework Introduction
Framework Core
Framework Implementation Tiers
Framework Profiles
How to use the Framework
Introduction – Why Cybersecurity?
Cybersecurity Breaches
Increased reliance on technology
Outsourced and Cloud solutions
New Vulnerabilities appear every day
Risk Assessments aren’t as sexy as they used to be…
Cybersecurity Challenges
Organizational and asset size
Federal and state regulations
In-house vs. Service Bureau systems
Lack of clear guidance
Constantly evolving landscape
Lack of understanding at the C-Level
Lack of formal budget
Cybersecurity Defined
Information Security deals with information, regardless of its format—it encompasses paper documents, digital and intellectual property in people’s minds, and verbal or visual communications.
Cybersecurity, on the other hand, is concerned with protecting digital assets—everything from networks to hardware and information that is processed, stored or transported by internetworked information systems.
If you have a mature information security program in place, leverage it for Cybersecurity too!
What the NIST Cybersecurity Framework Does
Allows organizations to review their current Cybersecurity posture
Develops a target Cybersecurity state to achieve
Identifies and prioritizes opportunities for improvement
Relies on a set of global standards, guidelines, and practices that are in line with industry standards (ISO, COBIT, FFIEC, etc.)
Consists of three main areas: the Framework Core, the Framework Implementation Tiers, and the Framework Profile
What the Framework Does NOT
Does not replace the risk management process.
Does not replace organizational programs already in place.
Does not provide a “One Size Fits All” solution.
Does not map to a specific industry or country.
Does not force compliance.
Framework Core Overview
Framework Core
A set of cybersecurity activities, desired outcomes, and references that are common across critical infrastructure sectors.
Presents industry standards, guidelines, and practices for cybersecurity activities
Provides a high-level, strategic view of the lifecycle of an organization’s management of cybersecurity risk
Consists of five concurrent and continuous Functions: Identify, Protect, Detect, Respond, Recover
Framework Core Structure
Framework Core Overview
Framework Core
Identify – Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.
Protect – Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services.
Detect – Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.
Respond – Develop and implement the appropriate activities to take action regarding a detected cybersecurity event.
Recover – Develop and implement the appropriate activities to maintain plans for resilience and to restore services impacted by a cybersecurity event.
Framework Core Identifiers
Framework Core Maps
Framework Takeaways
A Cybersecurity Risk Assessment will be critical to implementing any controls
NIST did not reinvent the wheel when developing the Cybersecurity Framework. Make sure you don’t either (Unless you want to!)
If you are already working towards an accepted security framework (COBIT, ISO, etc.), you will be able to map the cybersecurity items directly in most cases
While much of Cybersecurity is IT-centric, many key critical metrics such as adoption, communication, and training are enterprise-wide initiatives
Framework Implementation Tiers
Provides context on how an organization views cybersecurity risk and the processes in place to manage that risk.
Tiers range from Partial (Tier 1) to Adaptive (Tier 4) and describe an increasing degree of rigor and sophistication in cybersecurity risk management practices.
Tiers do NOT represent maturity levels. Progression to higher Tiers is encouraged when such a change would reduce cybersecurity risk and be cost effective
Tiers deal with three main components: the Risk Management Process, an Integrated Risk Management Program, and External Participation.
Framework Implementation Tiers
Tier 1: Partial (Ad Hoc) – Informal processes that are often reactive in nature.
Tier 2: Risk Informed – General awareness of risk, but not formally recognized and established as an organization-wide effort
Tier 3: Repeatable – Organization-wide risk management effort with policies, procedures and practices regularly updated and reviewed.
Tier 4: Adaptive – Adapts policies and procedures using lessons learned and predictive indicators to anticipate future events.
Framework Tier Takeaways
Progression through the tiers is encouraged if it would both reduce the cybersecurity risk and be cost effective.
You can have a mature cybersecurity program and still be at Tier 2. Tiers are not based on maturity levels like the COBIT ratings are.
Successful cybersecurity programs are based upon the goals the organization has set for itself regarding cybersecurity, not on what Tier the organization is at.
Framework Profile
A Framework Profile is a document that uses the ideas and concepts in the framework core
You can have a current profile that shows where the organization is currently, or a target profile that expresses a cybersecurity goal and what needs to be done to get there.
The NIST framework doesn’t provide a profile template. It recognizes that every organization is different and different profiles will be required.
ISACA has some good examples of profiles available.
Sample Framework Profile
Framework Implementation
For companies that have mature Information Security programs in place, use the Framework Core to:
Identify gaps in your current programs.
Develop an action plan to close gaps and improve your cybersecurity posture.
If you are already using a COBIT or ISO framework, map the Framework Core to those standards, and make sure you have considered the cybersecurity aspect of each part of those frameworks.
Framework Implementation
For companies that have not yet put a formal Information Security program in place, or would like to overhaul their current program:
Create a current profile with the Framework (where you are currently).
Conduct a Risk Assessment.
Create a target profile with the Framework (where you want to be).
Develop an action plan based on the profiles.
Implement the action plan.
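The steps above (current profile, risk assessment, target profile, action plan) can be worked through in code. The example below is added here and is not part of the presentation or of NIST's materials: it models a Profile as a map from Framework Core Subcategory identifier to an implementation state, compares the current and target Profiles, and orders the resulting gaps into an action plan weighted by a risk-assessment rating. The Subcategory identifiers and outcome statements follow CSF v1.0 (a small slice of the Core, not on the slides); the implementation-state scale, the sample organization's profiles and its 1-5 risk ratings are constructed for the example.

```python
"""Current-vs-target Framework Profile gap analysis (added example, not from the deck).

A Profile maps Framework Core Subcategory IDs to an implementation state; the
gap analysis compares Current and Target Profiles and ranks the gaps by the
distance to the target weighted by a risk-assessment rating.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, List


class State(IntEnum):
    """Implementation state of one Subcategory outcome (constructed scale)."""
    NOT_IMPLEMENTED = 0
    PARTIAL = 1
    LARGELY = 2
    FULLY = 3


# Function identifiers used by the Framework Core (CSF v1.0).
FUNCTIONS = {"ID": "Identify", "PR": "Protect", "DE": "Detect",
             "RS": "Respond", "RC": "Recover"}

# A small slice of the Framework Core: Subcategory ID -> outcome statement (CSF v1.0).
CORE = {
    "ID.AM-1": "Physical devices and systems within the organization are inventoried",
    "ID.AM-2": "Software platforms and applications within the organization are inventoried",
    "PR.AC-1": "Identities and credentials are managed for authorized devices and users",
    "PR.AT-1": "All users are informed and trained",
    "DE.CM-1": "The network is monitored to detect potential cybersecurity events",
    "RS.RP-1": "Response plan is executed during or after an event",
    "RC.RP-1": "Recovery plan is executed during or after an event",
}

# Constructed sample organization: where it is, where it wants to be, and the
# 1-5 rating each outcome received in the risk assessment.
CURRENT_PROFILE: Dict[str, State] = {
    "ID.AM-1": State.LARGELY, "ID.AM-2": State.PARTIAL,
    "PR.AC-1": State.FULLY, "PR.AT-1": State.PARTIAL,
    "DE.CM-1": State.NOT_IMPLEMENTED, "RS.RP-1": State.PARTIAL,
    "RC.RP-1": State.NOT_IMPLEMENTED,
}
TARGET_PROFILE: Dict[str, State] = {sub: State.FULLY for sub in CORE}
TARGET_PROFILE["RC.RP-1"] = State.LARGELY   # accepted as good enough for this cycle
RISK_RATING: Dict[str, int] = {
    "ID.AM-1": 3, "ID.AM-2": 4, "PR.AC-1": 5, "PR.AT-1": 3,
    "DE.CM-1": 5, "RS.RP-1": 4, "RC.RP-1": 4,
}


@dataclass(frozen=True)
class Gap:
    subcategory: str
    function: str
    current: State
    target: State
    risk: int

    @property
    def priority(self) -> int:
        """Distance to target weighted by risk rating; higher means sooner."""
        return (self.target - self.current) * self.risk


def function_of(subcategory: str) -> str:
    """'PR.AC-1' -> 'Protect' (the Function is the prefix before the dot)."""
    return FUNCTIONS[subcategory.split(".", 1)[0]]


def unknown_subcategories(profile: Dict[str, State]) -> List[str]:
    """IDs in a profile that are not in the Core: catches typos before analysis."""
    return sorted(sub for sub in profile if sub not in CORE)


def gap_analysis(current: Dict[str, State], target: Dict[str, State],
                 risk: Dict[str, int]) -> List[Gap]:
    """Every Subcategory where the target exceeds the current state, most urgent first.

    Outcomes missing from the current profile count as not implemented; outcomes
    without a risk rating get the lowest weight instead of being skipped.
    """
    gaps = []
    for sub, wanted in target.items():
        have = current.get(sub, State.NOT_IMPLEMENTED)
        if wanted > have:
            gaps.append(Gap(sub, function_of(sub), have, wanted, risk.get(sub, 1)))
    return sorted(gaps, key=lambda g: (-g.priority, g.subcategory))


def coverage_by_function(profile: Dict[str, State]) -> Dict[str, float]:
    """Average implementation (0.0-1.0) per Function over the Core slice above."""
    totals: Dict[str, List[int]] = {name: [] for name in FUNCTIONS.values()}
    for sub in CORE:
        totals[function_of(sub)].append(int(profile.get(sub, State.NOT_IMPLEMENTED)))
    return {name: (sum(v) / (len(v) * int(State.FULLY)) if v else 0.0)
            for name, v in totals.items()}


def action_plan(gaps: List[Gap]) -> List[str]:
    """One line per gap, in priority order, ready for the action plan document."""
    return [f"{g.subcategory} [{g.function}] {g.current.name} -> {g.target.name} "
            f"(priority {g.priority}): {CORE[g.subcategory]}" for g in gaps]


if __name__ == "__main__":
    assert not unknown_subcategories(CURRENT_PROFILE)
    for line in action_plan(gap_analysis(CURRENT_PROFILE, TARGET_PROFILE, RISK_RATING)):
        print(line)
    for name, share in coverage_by_function(CURRENT_PROFILE).items():
        print(f"{name:8s} {share:.0%}")
```

With the constructed profiles, network monitoring (DE.CM-1) ranks first because it is both unimplemented and rated highest in the risk assessment, while the already-complete PR.AC-1 produces no gap at all; the per-Function coverage figures give the C-level summary the slides call for without implying a Tier or maturity level.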
Framework Implementation
Do or Do Not, There is no Try
Do not assume that your IS program is sufficient for a Cybersecurity Assessment/Audit.
Do conduct a Risk Assessment.
Do not implement a canned or pre-packaged solution.
Do get buy-in and understanding from Senior Staff and C-Level Executives.
Do make sure you have a good security awareness training program in place.
Do or Do Not, There is no Try
Do join the Financial Services Information Sharing and Analysis Center: http://www.fsisac.com/
Do not wait to start looking at getting forensic help on retainer.
Do make sure you are familiar with state regulations as well as the federal ones.
Do consider getting a third-party assessment to enhance knowledge and understanding.
References & Links
Council on CyberSecurity (CCS) Top 20 Critical Security Controls (CSC): http://www.counciloncybersecurity.org
Framework for Improving Critical Infrastructure Cybersecurity: http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214-final.pdf
Update on the Cybersecurity Framework, December 4, 2014: http://www.nist.gov/cyberframework/upload/nist-cybersecurity-framework-update-120514.pdf
NIST Cybersecurity: http://www.nist.gov/cyberframework/
ISACA Cybersecurity nexus: http://www.isaca.org/cyber/Pages/default.aspx
FFIEC Cybersecurity Awareness: https://www.ffiec.gov/cybersecurity.htm
NY Banking CyberSecurity Exam Process: http://www.dfs.ny.gov/banking/bil-2014-10-10_cyber_security.pdf
Contact Information
Derek Boczenowski, Senior IT Security Analyst