The Cybersecurity Framework

The Cybersecurity Framework. Jerry Beasley, CISM, Security Services Manager. Presented to the NASCUS/CUNA Cybersecurity Symposium 2017.

Overview. Today's session will explore: the threat landscape; defense strategies; defense frameworks; implementing the NIST Cybersecurity Framework.

Threat Landscape: attacks ARE increasing. According to Symantec's 2016 Internet Security Threat Report:
- 42% increase in targeted attacks
- 5,585 new vulnerabilities discovered
- 55% increase in phishing campaigns
- 415 new vulnerabilities in mobile operating systems
- 54 zero-day vulnerabilities (up 125%): no warning before exploitation
- 43% of targeted attacks aimed at businesses with fewer than 250 employees

Threat Landscape: cyber crime is growing. Attack distribution for 2015/16, as reported by hackmageddon.com (chart not included in the transcript).

Threat Landscape: cybercrime costs the global economy up to US$575 billion annually, according to a recent report by BofA Merrill Lynch Global Research. Another record was set near the end of 2015 when 191 million identities were exposed in a single incident, surpassing the previous record for the largest single data breach. 2017 promises to easily break these records.

Threat Landscape: does it make you "WannaCry"?

What is Cybersecurity? Background: "cyber" ~ "computer", "computer network", "virtual". In practical application it is synonymous with information security.

DEFENSE STRATEGIES: Information/Cyber Security Lessons Learned
- We cannot rely solely on firewalls and anti-malware
- Attack vectors are present at all layers of an organization and its infrastructure
- Defenses must address all of these layers (Defense in Depth)
- Aggressive testing can help identify undiscovered weaknesses
- Vulnerability or penetration testing alone cannot prevent a breach
- Successful organizations have a plan and establish a framework

DEFENSE STRATEGIES: Defense in Depth. An information assurance concept in which multiple layers of security controls (defenses) are placed throughout an IT system. The strategy is to provide redundancy so that if one layer of defense fails, another layer may thwart or further delay the attack.

Defense in Depth: the layers. Analogy: the layers of an onion, with people, policies and procedures as the outermost layer wrapping the technical controls.
- People, policies and procedures
- User training
- Physical security
- Firewall
- IDS / IPS
- NAC
- Permissions
- HIDS
- Anti-malware
- Updates
- Encryption
- Backups

DEFENSE STRATEGIES: Building People, Policies, and Procedures: Existing Models
- NIST Risk Management Framework (SP 800-37, with the SP 800-53 control catalog and SP 800-53A assessment procedures)
- CIS 20 Critical Security Controls
- ISO/IEC 27001
- The Cybersecurity Framework, Version 1.0 / 1.1 (draft)
All of these are guidelines intended to help a program cover everything it needs to; they are complementary rather than competing, and the question of which one to audit against is addressed below.

NIST Risk Management Framework

CIS 20 Critical Security Controls. A compilation of 20 critical controls providing:
- Controls mapped to specific attack types
- Specific actions that organizations are taking to implement, automate, and measure effectiveness
- Recommended procedures and tools to enable implementation
The Critical Controls are characterized by increased asset accountability (hardware and software) and increased integration and automation.

ISO/IEC 27001/27002. ISO/IEC 27001 specifies the requirements for an information security management system; ISO/IEC 27002 is the companion code of practice for information security controls (control list not included in the transcript).

DEFENSE STRATEGIES: A National Cybersecurity Framework. With Executive Order 13636, the President initiated the Framework for Improving Critical Infrastructure Cybersecurity:
- A general framework for mass consumption
- Uses business drivers to focus efforts on the security agenda
- Use is voluntary, but the framework is gaining steam
- Flexible: not a "one size fits all" approach
- Founded on risk management principles

National Cybersecurity Framework: who is part of this community? Entities with a role in securing the nation's infrastructure. Members of each critical infrastructure sector perform functions that are supported by information technology (IT) and industrial control systems.

NIST Implementation. The National Institute of Standards and Technology (NIST) developed the initial implementation guidance, "Framework for Improving Critical Infrastructure Cybersecurity", also known as "The Cybersecurity Framework" or CSF.

The Cybersecurity Framework: Industry Adoption. Emphasis for adoption by the FDIC, OCC, FFIEC, NCUA and others.

The Cybersecurity Framework: FFIEC Cybersecurity Assessment Tool (referred to as CSAT in this deck; FFIEC's own abbreviation is CAT). A management tool for evaluating framework implementation.

The Cybersecurity Framework. Designing your program around the NIST Cybersecurity Framework provides: a framework to implement a defense-in-depth strategy (risk reduction); a method to assure alignment with regulatory guidance (compliance).

The Cybersecurity Framework. The framework is organized around the five common cybersecurity functions: Identify, Protect, Detect, Respond, Recover.

The Cybersecurity Framework. The framework provides the program elements (high-level controls): each Function is broken into Categories and Subcategories that describe the outcomes a program should achieve.

The Cybersecurity Framework. The framework introduces the concept of "Implementation Tiers", the degree to which the framework is implemented: Tier 1 (Partial), Tier 2 (Risk Informed), Tier 3 (Repeatable), Tier 4 (Adaptive). FFIEC's CSAT translates this concept into five "Maturity Levels" (Baseline, Evolving, Intermediate, Advanced, Innovative).

The Cybersecurity Framework. Each subcategory carries informative references that map it to implementation guidance in other standards (ISO/IEC 27001, COBIT, the CIS Critical Controls, NIST SP 800-53).

The Cybersecurity Framework. A recommended starting point is the Framework Core: 98 subcategories (controls/practices) that should be common to most organizations. These will be adapted and supplemented based on your needs.

The Cybersecurity Framework. So, if you have already implemented another standard (ISO, CIS 20 Critical Controls, COBIT, etc.), you can still use the implementation details within the CSF.

The Cybersecurity Framework is intended to be integrated into a Risk Management program. Source: Cybersecurity Framework Version 1.0.

IMPLEMENTATION STRATEGY: Risk Assessment; Existing Program Inventory; Modeling the New Program; Measuring Progress; Adapting.

IMPLEMENTATION STRATEGY: Risk Assessment
- Determine what you are protecting
- Determine the type and likelihood of threats
- Determine whether your current controls are adequate to reduce the risk
- Provides prioritization for control implementation

IMPLEMENTATION STRATEGY: Existing Program Inventory (Gap Analysis)
- CSAT provides a good program-level view and helps determine the degree of implementation required
- May also be derived from existing risk or compliance assessments
- This documents your "current" profile: the elements of the CSF you already have in place

IMPLEMENTATION STRATEGY: Model the New Program
- Translate Functions into strategies
- Translate Categories into roles and responsibilities
- Translate Subcategories into plans of action
- Establish your "target" profile

IMPLEMENTATION STRATEGY: Monitor and Re-assess. How do you know it's working?
- Risk assessments
- Audit and compliance
- Testing and exercises
- A new CSAT to determine changes in inherent risk or maturity

IMPLEMENTATION STRATEGY: Adapt. Add to or modify the CSF Core to ensure effective:
- Identification: knowing what you have
- Protection: establishing defense-in-depth
- Detection: awareness of cybersecurity events
- Response: knowing what to do when events happen
- Recovery: having the means to recover from events
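The five steps above (risk assessment, current profile, target profile, measuring progress, adapting) can be carried out on a simple data model. The following is an added example written for this page; it is not code from the presentation, from NIST or from TraceSecurity. Subcategory identifiers follow the CSF 1.0 naming convention (Function.Category-N), but the tier values and the likelihood/impact ratings are constructed sample data, and the priority formula (gap weighted by likelihood times impact) is an assumption chosen for illustration rather than anything the framework prescribes.

```python
"""Gap analysis between a CSF 'current' and 'target' profile.

Added example; not part of the original presentation or of NIST's
framework publications. Subcategory identifiers follow the CSF 1.0
naming convention; the tier, likelihood and impact values below are
constructed sample data, and the priority formula is an assumption.
"""
from dataclasses import dataclass, replace

# CSF 1.0 Implementation Tiers, used here as the per-subcategory scale.
TIERS = {1: "Partial", 2: "Risk Informed", 3: "Repeatable", 4: "Adaptive"}


@dataclass(frozen=True)
class Subcategory:
    id: str          # e.g. "PR.AC-1" (Function.Category-N)
    outcome: str     # short description of the outcome
    current: int     # current-profile tier, 1..4 (from the inventory)
    target: int      # target-profile tier, 1..4 (from program modeling)
    likelihood: int  # from the risk assessment, 1 (rare) .. 5 (expected)
    impact: int      # from the risk assessment, 1 (negligible) .. 5 (severe)

    @property
    def function(self) -> str:
        # "ID", "PR", "DE", "RS" or "RC"
        return self.id.split(".", 1)[0]

    @property
    def gap(self) -> int:
        # Tiers still to climb; already at or above target counts as zero.
        return max(self.target - self.current, 0)

    @property
    def risk(self) -> int:
        # Simple likelihood x impact score (assumed scale, not from the CSF).
        return self.likelihood * self.impact

    @property
    def priority(self) -> int:
        # Risk-weighted gap: a large gap on a low-risk outcome ranks below
        # a smaller gap on a high-risk one.
        return self.gap * self.risk


def validate_profile(profile: list[Subcategory]) -> None:
    """Reject tiers or ratings outside the scales defined above."""
    for s in profile:
        if not (s.current in TIERS and s.target in TIERS):
            raise ValueError(f"{s.id}: tiers must be one of {sorted(TIERS)}")
        if not (1 <= s.likelihood <= 5 and 1 <= s.impact <= 5):
            raise ValueError(f"{s.id}: likelihood and impact must be 1..5")


def prioritized_gaps(profile: list[Subcategory]) -> list[Subcategory]:
    """Plan of action: subcategories below target, highest priority first."""
    validate_profile(profile)
    return sorted((s for s in profile if s.gap > 0),
                  key=lambda s: (-s.priority, -s.risk, s.id))


def progress_by_function(profile: list[Subcategory]) -> dict[str, float]:
    """Measuring progress: share of subcategories at or above target, per Function."""
    validate_profile(profile)
    met: dict[str, int] = {}
    total: dict[str, int] = {}
    for s in profile:
        total[s.function] = total.get(s.function, 0) + 1
        met[s.function] = met.get(s.function, 0) + (1 if s.gap == 0 else 0)
    return {f: round(met[f] / total[f], 2) for f in total}


def apply_reassessment(profile: list[Subcategory],
                       new_current: dict[str, int]) -> list[Subcategory]:
    """Monitor and re-assess: return a new profile with updated current tiers."""
    known = {s.id for s in profile}
    unknown = set(new_current) - known
    if unknown:
        raise KeyError(f"not in profile: {sorted(unknown)}")
    updated = [replace(s, current=new_current.get(s.id, s.current)) for s in profile]
    validate_profile(updated)
    return updated


# Constructed sample profile (values are illustrative, not real assessment data).
SAMPLE_PROFILE = [
    Subcategory("ID.AM-1", "Physical devices and systems are inventoried", 2, 3, 3, 3),
    Subcategory("ID.AM-2", "Software platforms and applications are inventoried", 1, 3, 3, 4),
    Subcategory("PR.AC-1", "Identities and credentials are managed", 2, 4, 4, 5),
    Subcategory("PR.DS-1", "Data-at-rest is protected", 3, 3, 2, 4),
    Subcategory("DE.CM-1", "The network is monitored to detect potential events", 1, 3, 4, 4),
    Subcategory("RS.RP-1", "Response plan is executed during or after an event", 2, 3, 3, 5),
    Subcategory("RC.RP-1", "Recovery plan is executed during or after an event", 1, 2, 2, 5),
]

if __name__ == "__main__":
    print("Plan of action (highest priority first):")
    for s in prioritized_gaps(SAMPLE_PROFILE):
        print(f"  {s.id:8} tier {s.current}->{s.target} "
              f"risk={s.risk:2} priority={s.priority:3}  {s.outcome}")
    print("Progress by Function:", progress_by_function(SAMPLE_PROFILE))
```

Running the module prints a plan of action that starts with PR.AC-1 and DE.CM-1, since both have a two-tier gap on high-risk outcomes, even though ID.AM-2 has the same gap. The progress figures are what a re-run CSAT or audit would be measured against: re-assessing with `apply_reassessment` after closing a gap moves the affected Function's share toward 1.0.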

Where to go from here? Improve and optimize (diagram): each Function (Identify, Protect, Detect, Respond, Recover) progresses from Tier 1 through Tier 4, with an improve/adapt loop feeding back into the program.

Where to go from here? Improve and optimize (diagram, CSAT maturity view): each Function (Identify, Protect, Detect, Respond, Recover) progresses through the maturity levels Baseline, Evolving, Intermediate, Advanced and Innovative, with an improve/adapt loop feeding back into the program.

Summary. Today we discussed: the threat landscape; defense strategies and the need for defense in depth; defense frameworks and the common frameworks; employing the Cybersecurity Framework.

Questions?

References
- Executive Order 13636, Improving Critical Infrastructure Cybersecurity
- NIST, Framework for Improving Critical Infrastructure Cybersecurity, https://www.nist.gov/cyberframework
- CIS Critical Controls for Effective Cyber Defense, https://www.cisecurity.org/controls/
- NIST Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations
- Symantec, 2016 Internet Security Threat Report
- NSA whitepaper, "Defense in Depth", http://www.nsa.gov/ia/_files/support/defenseindepth.pdf

Questions? Learn more and request a TraceCSO demo: info@tracesecurity.com