Cybersecurity and COBIT Leveraging the Cybersecurity Framework Tom Conkle

Cybersecurity and COBIT - ISACA South Floridaisacasfl.org/wp-content/uploads/conference/grc2017/05_Implimenting... · §Identify the risk architecture §Use the COBIT 5 goals cascade


Page 1:

Cybersecurity and COBIT: Leveraging the Cybersecurity Framework

Tom Conkle

Page 2:

Voted #1 for Encouraging New Ideas

G2 Inc. delivers innovative ideas for solving our nation’s critical cybersecurity challenges

• Founded in 2001

• 120+ employees with 2016 revenues in excess of $28M

• Committed to “Turning Ideas into Impact”

• Located in Annapolis Junction, MD

• Mature prime contractor with four active prime contracts

• www.g2-inc.com

Page 3:

G2 was the primary author of the Cybersecurity Framework

• Facilitated and managed five workshops to collect community feedback

• Interviewed hundreds of cybersecurity subject matter experts from across multiple sectors

• Developed analytic techniques to enable ~15,000 comments to be parsed and individually addressed

• Worked closely with industry partners to develop Cybersecurity Framework Core

Page 4:

G2 has supported the implementation and use of the Framework

• Assisted NIST in developing the Framework and continues to support NIST in its evolution

• We wrote the ISACA Implementing the NIST Cybersecurity Framework book and associated certification exam

• Assisted organizations, including a large maritime transportation company and higher education organizations, in implementing the Framework

• Facilitated implementation workshops for a large logistics company, a large financial institution, and higher education organizations

Page 5:

Agenda

• Definitions for a few key terms
• Introduction to the NIST Cybersecurity Framework
• COBIT 5 Principles and Enablers
• Cybersecurity Roles
• 5 Phases to Implement a Cybersecurity Program
• Q & A


Page 7:

What is Cybersecurity?

ISACA defines cybersecurity as “the protection of information assets by addressing threats to information processed, stored and transported by internetworked information systems.” - CSX Cybersecurity Fundamentals

The terms cybersecurity and information security are often used interchangeably, but in reality cybersecurity is a part of information security.

Information security deals with information, regardless of its format—it encompasses paper documents, digital and intellectual property in people’s minds, and verbal or visual communications.


Page 9:

Cybersecurity spending is increasing, but companies are still being breached

§ Cybersecurity is concerned with protecting digital assets - networks to hardware and information

§ Concepts such as nation-state-sponsored attacks and advanced persistent threats (APTs) belong almost exclusively to cybersecurity

§ $46 billion in cyber protection spending in 2013 – up by 10% over 2012

Page 10:

Compliant does not always mean secure

Page 11:

Secure does not always mean appropriate or sufficient

Page 12:

Framework for Improving Critical Infrastructure Cybersecurity

Executive Order (EO) 13636 required NIST to develop a cybersecurity framework; the Framework is the response to that order.

§ Referred to as “The Framework”

§ Issued by NIST on February 12, 2014

§ Draft v1.1 update released on January 10, 2017

Design Criteria

§ Be globally applicable

§ Be non-prescriptive

§ Leverage existing approaches, standards, practices

§ Focus on risk management vs. rote compliance

Page 13:

The Framework is closely related to the existing Risk Management Process / Framework

Page 14:

The Cybersecurity Framework provides three primary components to support holistic cybersecurity

§ Framework Core

§ Framework Implementation Tiers

§ Framework Profiles

Page 15:

Framework Core

Source: Cybersecurity Framework 1.0, www.nist.gov

The Framework Core Functions align to the cybersecurity domains for protecting digital assets

§ Establishes a common language for describing a cybersecurity program

§ Cybersecurity activities, desired outcomes, and applicable references common across sectors

§ Consists of five Functions: Identify, Protect, Detect, Respond, Recover. Together they provide a high-level, strategic view of the organizational cyber risk management life cycle.

§ Categories and Subcategories for each Function, with example Informative References that point to existing standards, guidelines, and practices for each Subcategory, including COBIT 5

Page 16:

Organizations select an Implementation Tier based on their risk threshold

Three attributes of Tiers

§ Risk Management Process

§ Integrated Risk Management Program

§ External Participation

Four Tiers available

§ Tier 1: Partial

§ Tier 2: Risk Informed

§ Tier 3: Repeatable

§ Tier 4: Adaptive

Tier 4 is not always the goal!

Page 17:

Current and Target state profiles help organizations capture their cybersecurity program


Page 19:

The COBIT 5 Principles assist organizations in cybersecurity planning and operations

Source: COBIT® 5, figure 2. © 2012 ISACA® All rights reserved.

Meeting Stakeholder Needs: stakeholder needs should help inform security planning, resources, and – most importantly – prioritization.

Covering the Enterprise End-to-end: the enterprise benefits from IT-enabled investments. It should equally achieve IT risk management at an enterprise level.

Applying a Single, Integrated Framework: application of a single, integrated security framework helps align processes and activities throughout the organization. Use of a common language enhances communication and collaboration.

Separating Governance From Management: governance and management processes are critical but separate. Alignment through a framework ensures effective goal achievement.

Enabling a Holistic Approach: a holistic approach to cybersecurity supports activities, outreach and external information sharing. It also reduces miscommunication risk.

Page 20:

The COBIT 5 Enablers support a holistic cybersecurity approach

Source: COBIT® 5, figure 12. © 2012 ISACA® All rights reserved.


Page 22:

There are 4 Cybersecurity Roles for organizations to address

Board of Directors: provides strategic direction and impetus. Receives high-level results of comprehensive risk assessments and business impact analyses (BIAs).

Executive Committee: responsible for ensuring that needed organizational functions, resources, and supporting infrastructure are available and properly utilized to fulfill directives of the board, regulatory compliance and other demands.

Security Management: the cybersecurity manager (e.g. CISO) is responsible for developing, overseeing, coordinating and monitoring the security program and processes. Manages cybersecurity incidents and their remediation, as well as incorporating lessons learned.

Cybersecurity Practitioners: security architects and security specialists help design, implement and manage processes and technical controls, and respond to events and incidents.

Page 23:

The Framework clarifies communications within an organization and with external partners

Adapted from Figure 2, Cybersecurity Framework


Page 25:

The Framework identifies seven steps for improving or developing a risk-informed cybersecurity program

Phase 1: What are the Drivers?
  Step 1: Prioritize and Scope
Phase 2: Where are we now?
  Step 2: Orient
  Step 3: Create a Current Profile
Phase 3: Where do we want to be?
  Step 4: Conduct a Risk Assessment
  Step 5: Create a Target Profile
Phase 4: What needs to be done?
  Step 6: Determine, Analyze, and Prioritize Gaps
Phase 5: How do we get there?
  Step 7: Implement Action Plan (Build a Roadmap)

Page 26:

Phase 1: What Are The Drivers?

[Figure: Budget]

Establish the organizational cybersecurity governance approach

§ Identify key authoritative stakeholders

§ Document business drivers and compliance requirements

§ Determine the scope

§ Identify the risk architecture

§ Use the COBIT 5 goals cascade to translate stakeholder needs into specific, actionable and customized enterprise goals.

Page 27:

Phase 2: Where Are We Now?

Gain Situational Awareness (Orient) and Create a Current Profile

§ With stakeholder goals and risk architecture in hand, determine the current threats and the known vulnerabilities they might exploit

§ Create a Current Profile to determine how the program is currently addressing those threats

§ Leverage a consistent measurement model, such as the Achievement Rating Scale, as guided by the principles in the COBIT PAM and Assessor’s Guide

§ Consider the selected Tier in assessing achievement and potential next steps

Page 28:

Phase 3: Where Do We Want To Be?

Consider the risks of the current state given the known threats

§ Use Current Profile and selected Tiers

§ Conduct risk analysis

§ Determine likelihood and impact of potential risks

§ Determine if any Framework Core subcategories are Not Applicable and add any new subcategories as needed

§ Complete Target Profile template

Page 29:

Phase 4: What Needs To Be Done?

§ The difference between Current and Target provides a useful gap assessment

§ For each subcategory with a gap, use COBIT 5 Enabling Processes (as included in the Framework Core) to determine the required activities.

§ COBIT 5 Enabling Processes describes the how, why and what to implement for each governance or management practice to improve IT performance and/or address IT solution and service delivery risk.

§ Additional informative references from the Framework Core may assist with determining appropriate controls or activities.

§ Create and record an action plan of activities with milestones, ensuring appropriate responsibility and accountability, to achieve the desired outcomes according to the determined priorities.
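Phases 2 to 4 above are one procedure: rate the Current Profile on the Achievement Rating Scale, decide a Target Profile, score likelihood and impact in the risk assessment, rule any subcategories Not Applicable with a reason, then determine and prioritize the gaps and point each one at the COBIT 5 practices the Core cites. The Python below carries that procedure through on a small slice of the Framework Core. It is an added worked example, not code from the slides, from G2 or from NIST. The subcategory IDs, outcome wording and COBIT 5 informative references are reproduced from CSF 1.0 Appendix A and should be checked against the published Core before reuse; the rating ordinals, the 1 to 5 likelihood and impact scores, the sample profile ratings and the N/A justification are constructed data for illustration.

```python
"""Current-vs-Target Profile gap analysis over a slice of the CSF Core.

Added example for the deck's Phase 2-4 steps; not code from the slides, G2 or NIST.
Subcategory IDs, outcomes and COBIT 5 references are from CSF 1.0 Appendix A (verify
against the published Core). Ratings, risk scores and the N/A reason are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# COBIT PAM (ISO/IEC 15504) Achievement Rating Scale as ordinals so Current and Target
# can be subtracted: N = Not (0-15%), P = Partially (>15-50%), L = Largely (>50-85%),
# F = Fully (>85-100%) achieved.
RATING: Dict[str, int] = {"N": 0, "P": 1, "L": 2, "F": 3}


@dataclass(frozen=True)
class Subcategory:
    sub_id: str               # Function.Category-n, e.g. "ID.AM-1"
    outcome: str              # desired outcome as worded in the Core
    cobit5: Tuple[str, ...]   # COBIT 5 practices cited as informative references


# Slice of the Framework Core, COBIT 5 informative references only.
CORE: List[Subcategory] = [
    Subcategory("ID.AM-1", "Physical devices and systems within the organization are inventoried", ("BAI09.01", "BAI09.02")),
    Subcategory("ID.AM-2", "Software platforms and applications within the organization are inventoried", ("BAI09.01", "BAI09.02", "BAI09.05")),
    Subcategory("ID.AM-4", "External information systems are catalogued", ("APO02.02",)),
    Subcategory("ID.RA-1", "Asset vulnerabilities are identified and documented", ("APO12.01", "APO12.02", "APO12.03", "APO12.04")),
    Subcategory("PR.AC-1", "Identities and credentials are managed for authorized devices and users", ("DSS05.04", "DSS06.03")),
    Subcategory("DE.CM-1", "The network is monitored to detect potential cybersecurity events", ("DSS05.07",)),
    Subcategory("RS.RP-1", "Response plan is executed during or after an event", ("BAI01.10",)),
    Subcategory("RC.RP-1", "Recovery plan is executed during or after an event", ("DSS02.05", "DSS03.04")),
]


@dataclass
class ProfileEntry:
    """One row of the combined Current/Target Profile template (constructed data)."""
    current: str                          # Phase 2: rating of what the program does today
    target: str                           # Phase 3: rating the organization decides it needs
    likelihood: int = 1                   # Phase 3 risk assessment, 1 (rare) .. 5 (almost certain)
    impact: int = 1                       # 1 (negligible) .. 5 (severe)
    not_applicable: Optional[str] = None  # recorded justification if ruled out of scope


@dataclass(frozen=True)
class Gap:
    sub_id: str
    current: str
    target: str
    levels: int              # target minus current on the rating scale; > 0 means work to do
    risk: int                # likelihood * impact from the risk assessment
    priority: int            # open levels * risk: biggest shortfall on the riskiest outcome first
    cobit5: Tuple[str, ...]  # where in COBIT 5 Enabling Processes to look for activities


def assess_gaps(core: List[Subcategory], profile: Dict[str, ProfileEntry]) -> List[Gap]:
    """Step 6: compare Current with Target for every applicable subcategory and rank the gaps."""
    gaps = []
    for sub in core:
        entry = profile[sub.sub_id]  # KeyError if a Core subcategory was never decided on
        if entry.not_applicable:      # N/A is a documented decision, not a silent omission
            continue
        for rating in (entry.current, entry.target):
            if rating not in RATING:
                raise ValueError(f"{sub.sub_id}: unknown rating {rating!r}")
        levels = RATING[entry.target] - RATING[entry.current]
        risk = entry.likelihood * entry.impact
        gaps.append(Gap(sub.sub_id, entry.current, entry.target, levels, risk, max(levels, 0) * risk, sub.cobit5))
    return sorted(gaps, key=lambda g: (-g.priority, g.sub_id))


def action_plan(gaps: List[Gap]) -> List[str]:
    """One line per open gap, carrying the COBIT 5 practice IDs to consult for activities."""
    return [f"{g.sub_id}: {g.current}->{g.target} (priority {g.priority}); see COBIT 5 {', '.join(g.cobit5)}"
            for g in gaps if g.levels > 0]


def target_met_by_function(gaps: List[Gap]) -> Dict[str, Tuple[int, int]]:
    """(subcategories at or above target, applicable subcategories) per Function."""
    summary: Dict[str, Tuple[int, int]] = {}
    for g in gaps:
        met, total = summary.get(g.sub_id[:2], (0, 0))
        summary[g.sub_id[:2]] = (met + int(g.levels <= 0), total + 1)
    return summary


# Constructed sample profile for a fictitious organization.
SAMPLE_PROFILE: Dict[str, ProfileEntry] = {
    "ID.AM-1": ProfileEntry("P", "F", likelihood=3, impact=4),
    "ID.AM-2": ProfileEntry("N", "L", likelihood=4, impact=4),
    "ID.AM-4": ProfileEntry("N", "N", not_applicable="no externally hosted systems in scope"),
    "ID.RA-1": ProfileEntry("L", "F", likelihood=3, impact=3),
    "PR.AC-1": ProfileEntry("L", "F", likelihood=4, impact=5),
    "DE.CM-1": ProfileEntry("P", "L", likelihood=5, impact=4),
    "RS.RP-1": ProfileEntry("F", "F", likelihood=2, impact=5),
    "RC.RP-1": ProfileEntry("P", "L", likelihood=2, impact=5),
}

if __name__ == "__main__":
    ranked = assess_gaps(CORE, SAMPLE_PROFILE)
    for line in action_plan(ranked):
        print(line)
    print(target_met_by_function(ranked))
```

Ranking by the number of rating levels still to climb multiplied by likelihood times impact is one simple way to order the gaps; a real Target Profile would also weigh the selected Tier and budget. The two points the code enforces are that a Not Applicable subcategory must carry a recorded justification rather than just being left out of the profile, and that each open gap keeps the COBIT 5 practice IDs from the Core's informative references so the action plan can be written from Enabling Processes.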

Page 30:

Phase 5: How Do We Get There?

§ Execute the action plan as defined in Phase 4

§ Consider root causes & success factors from the COBIT 5 Implementation Guide

§ Make small improvements to test approach

§ Involve process owners and other stakeholders in development of the improvement.

§ Apply adequate training where required.

§ Develop processes before attempting to automate.

§ Match roles to individual capabilities and characteristics.

§ Set clear, measurable and realistic goals (outcome expected from the improvement).

§ Set practical performance metrics (to monitor whether the improvement is driving achievement of goals).

Page 31:

Risk tolerances change over time with evolving threats and the adoption of new technology

Security Implications

§ Current Threat Landscape

§ Advanced Persistent Threats

Security Opportunities

§ Mobile Technology

§ Consumerization of IT and Mobile Devices

§ Cloud and Digital Collaboration

§ Information Sharing

Page 32:

There are several benefits of using the COBIT 5 Principles for cybersecurity

§ Collaboration Opportunities

§ Ability to Demonstrate Due Care

§ Easily Maintain Compliance

§ Secure Supply Chain

§ Cost Efficiency

§ Common Language

[Figure: spectrum from Rote Compliance to Secure]

Page 33:

ISACA Cybersecurity Certifications

As the entry point to our cyber security program, our Cybersecurity Fundamentals program offers a knowledge-based certificate in the introductory concepts that frame and define the standards, guidelines and practices of the industry.

The CSX Practitioner designation is a globally-offered certification for cybersecurity professionals. This certification allows you to professionally serve as a first responder who is an expert at following established procedures, using defined processes, and working mostly with known problems on a single system.

After completing the Practitioner level, you qualify for a CSX Specialist certification, designating you as a specialist in one or more of five areas aligned to existing global cyber security frameworks: Identify, Protect, Detect, Respond, Recover. Five separate certifications are available.

A CSX Expert certification designates you as an expert-level cybersecurity professional who can identify, analyze, respond to, and mitigate complex cybersecurity incidents. For professionals with master-level technical skills who serve as the authoritative source for all cyber security matters within an organization.

Page 34:

We are available to answer any additional questions

Tom Conkle, Security Engineer

[email protected]
(443) 292-6679

ManagetheRisk.com

Follow up questions:

Page 35:

CSF Steps continue to align with the work that AST has been building on

Org. Tier / CSF Activities / RMF Activities

Tier 1 (Org.)
Organization-wide risk response decisions informed by risk-related information from other tiers. Risk treatment includes risk acceptance, avoidance, mitigation, sharing, and transfer.

Tier 2 (Mission/Business)
Alternative courses of action evaluated in terms of anticipated impacts on organizational missions, processes, and resource requirements. These activities are informed by senior leaders’/executives’ input from earlier steps.

Tier 3 (Information System)
CSF Activities:
§ “Step 3 – Current Profile”: record the existing security posture (e.g. general support systems, physical / infrastructure security components).
§ “Step 4 – Risk Assessment”: using results from Step 2 (Orient), perform a “needs assessment” to consider courses of action.
§ “Step 5 – Target Profile”: record the determined course, including planned security activities.
§ “Step 6 – Determine Gaps”: determine gaps between the current and target profiles, and create a prioritized action plan to address them.
RMF Activities:
§ SELECT: select the applicable security control baseline (i.e., from SP 800-53) and apply the tailoring process to align controls with organization-specific conditions.
§ IMPLEMENT: document the selected course of action (including a strategy for continuous monitoring of security control effectiveness) and changes to the information system and its operational environment.
§ ASSESS: assess security control effectiveness (SP 800-53A) against the planned target.
§ AUTHORIZE: prepare the plan of action and milestones based on assessment results and confirm that residual risk is acceptable.