Cyber Security Enterprise Risk Management: Key to an Organization's Resilience. Richard A. Spires, CEO, Learning Tree International; Former CIO, IRS and US DHS.
Cyber Security Enterprise Risk Management: Key to an Organization's Resilience
Richard A. Spires, CEO, Learning Tree International; Former CIO, IRS and US DHS
August 3, 2017

Our Cyber Security Challenge
- Complexity: the IT environment itself, and the cyber tools used to defend it
- Adversaries: APTs and criminal organizations
- Talent: one million open positions, and the development of the people we have
Houston, we have a problem!

Complexity – Evolution of Technology (timeline from the 1960s to the 2010s): Mainframe, Single-Tier, Monolithic, Minicomputers, PCs, Client–Server, Object-Oriented, Components, SQL Database, Internetworked, Service-Oriented, Distributed, Wireless Technology, Mobile Devices, Clouds, Internet of Things

Complexity – No Longer a Perimeter to Defend

Complexity – Cyber Security Tools
- Thousands of products and solutions
- Lack of integration between them
- Big data, but are the results any good?

Cyber Security Risk Management
- Perfect security is not achievable
- Too little security is clearly not desired
- Too much can make systems practically unusable
- Risk to the organization: financial and reputational risk from breaches
- How does an organization determine what to do, and how much is enough?
Two key tools to support answering the risk management question:
1. NIST Cyber Security Framework
2. Center for Internet Security (CIS) 20 Critical Security Controls (CSCs)

NIST Cyber Security Framework
- Response to Executive Order 13636, Improving Critical Infrastructure Cybersecurity
- More than 3,000 people from industry, academia, and government participated in the workshops and webinars that produced it
Other advantages:
- Appropriate for both government and the private sector
- Developed as high-level guidance and approach, not a checklist
- Scalable, flexible, comprehensive, and explicit
- Suitable for incorporating industry-specific requirements
- References existing standards, including NIST SP 800-53, ISO/IEC 27001, and COBIT

NIST Cyber Security Framework
"The Framework helps an organization to better understand, manage, and reduce its cyber security risk. It will assist in determining which activities are most important to assure critical operations and service delivery. In turn, that will help to prioritize investments and maximize the impact of each dollar spent on cyber security." (From the NIST Framework)

NIST Framework Elements
- The Framework Core ("Core"): a set of cyber security activities, desired outcomes, and applicable references. The Core is organized into five concurrent and continuous Functions: Identify, Protect, Detect, Respond, Recover.
- Framework Implementation Tiers ("Tiers"): provide context on how an organization views cyber security risk and the processes in place to manage that risk.
- A Framework Profile ("Profile"): represents the outcomes, based on business needs, that an organization has selected from the Framework Categories and Subcategories; it aligns standards, guidelines, and practices to the Framework Core in a particular implementation scenario.
See http://www.nist.gov/cyberframework/

Core Functions

Identify: develop the organizational understanding to manage cyber security risk
- Asset Management
- Business Environment
- Governance
- Risk Assessment
- Risk Management Strategy

Protect: appropriate safeguards to ensure delivery of critical infrastructure services
- Access Control
- Awareness and Training
- Data Security
- Information Protection Processes and Procedures
- Maintenance
- Protective Technology

Detect: appropriate activities to identify the occurrence of a cyber security event
- Anomalies and Events
- Security Continuous Monitoring
- Detection Processes

Respond: appropriate activities to take action regarding a detected cyber security event
- Response Planning
- Communications
- Analysis
- Mitigation
- Improvements

Recover: appropriate activities to maintain plans for resilience and to restore any capabilities or services impaired by a cyber security event
- Recovery Planning
- Improvements
- Communications

Tiers
1. Partial: organizational cyber security risk management practices are not formalized, and risk is managed in an ad hoc and sometimes reactive manner
2. Risk Informed: risk management practices are approved by management but may not be established as organization-wide policy; prioritization of cyber security activities is directly informed by organizational risk objectives, the threat environment, or business/mission requirements
3. Repeatable: the organization's risk management practices are formally approved and expressed as policy; organizational cyber security practices are regularly updated based on the application of risk management processes to changes in business/mission requirements and a changing threat and technology landscape
4. Adaptive: the organization adapts its cyber security practices based on lessons learned and predictive indicators derived from previous and current cyber security activities

NIST Cyber Security Framework: Process
Step 1: Prioritize and Scope
Step 2: Orient
Step 3: Create a Current Profile
Step 4: Conduct a Risk Assessment
Step 5: Create a Target Profile
Step 6: Determine, Analyze, and Prioritize Gaps
Step 7: Implement Action Plan
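Steps 3 to 7 of the process become concrete once the two Profiles are written down per Category and compared. The following is an added worked example, not part of the original presentation: the 0 to 3 outcome-achievement scale, the Category scores and the business-impact weights are this example's own assumptions, constructed for illustration. Note that the Framework itself assigns no numeric scores, and its Implementation Tiers describe the organization's risk management practice as a whole, not individual Categories, so Tiers are deliberately not used as per-Category scores here.

```python
"""Current-to-Target Profile gap analysis (Framework steps 3 to 6) feeding an
action plan (step 7). Added illustrative example; every score and weight below
is constructed, and the 0-3 scale is this example's assumption, not the
Framework's Tiers."""
from typing import Dict, List, NamedTuple, Tuple

Category = Tuple[str, str]  # (Function, Category)

# Assumed scale for how fully a Category's outcomes are achieved.
NOT_IMPLEMENTED, PARTIAL, LARGELY, FULLY = 0, 1, 2, 3

# Step 3 - Current Profile: how the organization operates today (constructed).
CURRENT_PROFILE: Dict[Category, int] = {
    ("Identify", "Asset Management"): PARTIAL,
    ("Protect", "Access Control"): LARGELY,
    ("Detect", "Security Continuous Monitoring"): NOT_IMPLEMENTED,
    ("Respond", "Response Planning"): PARTIAL,
    ("Recover", "Recovery Planning"): FULLY,
}

# Step 5 - Target Profile: outcomes the business needs (constructed).
TARGET_PROFILE: Dict[Category, int] = {
    ("Identify", "Asset Management"): FULLY,
    ("Protect", "Access Control"): FULLY,
    ("Detect", "Security Continuous Monitoring"): LARGELY,
    ("Detect", "Anomalies and Events"): LARGELY,  # not in the Current Profile at all
    ("Respond", "Response Planning"): LARGELY,
    ("Recover", "Recovery Planning"): FULLY,
}

# Step 4 - Risk assessment output: business impact if the Category's
# outcomes fail, 1 (low) to 5 (high) (constructed).
IMPACT: Dict[Category, int] = {
    ("Identify", "Asset Management"): 5,
    ("Protect", "Access Control"): 4,
    ("Detect", "Security Continuous Monitoring"): 4,
    ("Detect", "Anomalies and Events"): 3,
    ("Respond", "Response Planning"): 3,
    ("Recover", "Recovery Planning"): 5,
}


class Gap(NamedTuple):
    category: Category
    current: int
    target: int
    priority: int  # (target - current) * impact; higher is more urgent


def prioritize_gaps(current: Dict[Category, int], target: Dict[Category, int],
                    impact: Dict[Category, int]) -> List[Gap]:
    """Step 6: every Target-Profile Category the Current Profile does not yet
    meet, ordered by impact-weighted distance to target. A Category absent
    from the Current Profile is treated as not implemented, never skipped."""
    gaps: List[Gap] = []
    for cat, tgt in target.items():
        cur = current.get(cat, NOT_IMPLEMENTED)
        if tgt > cur:
            gaps.append(Gap(cat, cur, tgt, (tgt - cur) * impact.get(cat, 1)))
    # Highest priority first; ties broken by Function/Category name for a stable report.
    gaps.sort(key=lambda g: (-g.priority, g.category))
    return gaps


def action_plan(gaps: List[Gap], budget_points: int) -> List[Gap]:
    """Step 7 input: take gaps in priority order while the assumed budget
    (one point per score step to close) allows; skipped gaps wait for the
    next planning cycle."""
    plan: List[Gap] = []
    spent = 0
    for g in gaps:
        cost = g.target - g.current
        if spent + cost > budget_points:
            continue
        plan.append(g)
        spent += cost
    return plan


if __name__ == "__main__":
    ranked = prioritize_gaps(CURRENT_PROFILE, TARGET_PROFILE, IMPACT)
    for g in ranked:
        print(f"{g.priority:>3}  {g.category[0]}/{g.category[1]}: {g.current} -> {g.target}")
    print("this cycle:", [g.category[1] for g in action_plan(ranked, budget_points=5)])
```

The point a practitioner should take from this is the treatment of a Category that the Target Profile requires but the Current Profile never assessed: it surfaces as a full gap rather than disappearing, which is the usual way a gap analysis quietly understates risk.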

CIS 20 Critical Security Controls
1. Inventory of Authorized and Unauthorized Devices
2. Inventory of Authorized and Unauthorized Software
3. Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
4. Continuous Vulnerability Assessment and Remediation
5. Controlled Use of Administrative Privileges
6. Maintenance, Monitoring, and Analysis of Audit Logs
7. Email and Web Browser Protections
8. Malware Defenses
9. Limitation and Control of Network Ports, Protocols, and Services
10. Data Recovery Capability
11. Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
12. Boundary Defense
13. Data Protection
14. Controlled Access Based on the Need to Know
15. Wireless Access Control
16. Account Monitoring and Control
17. Security Skills Assessment and Appropriate Training to Fill Gaps
18. Application Software Security
19. Incident Response and Management
20. Penetration Tests and Red Team Exercises

CIS – First 5 Critical Security Controls
- Good IT management: inventory and configurations
- Basic cyber hygiene: vulnerability assessment and administrative privileges
- Together these address the vast majority of the weaknesses that common attacks exploit
1. Inventory of Authorized and Unauthorized Devices
2. Inventory of Authorized and Unauthorized Software
3. Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
4. Continuous Vulnerability Assessment and Remediation
5. Controlled Use of Administrative Privileges
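Controls 1 and 2 are only useful if the authorized inventory is actually compared against what is present on the network, in both directions. The following is an added worked example of that reconciliation, not code from the original presentation or from CIS: the device inventory, the scan observations, the per-host-class software allowlist and the agent reports are all constructed for the example, and the host classes and package names are placeholders.

```python
"""Reconcile what is observed on the network against authorized inventories.

Added worked example for CIS Critical Security Controls 1 (devices) and 2
(software); not part of the original presentation. All inventory records,
scan results and package names below are constructed for the example.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# CSC 1: authorized device inventory, keyed by MAC address (constructed).
AUTHORIZED_DEVICES: Dict[str, str] = {
    "00:1a:2b:3c:4d:01": "ws-finance-01",
    "00:1a:2b:3c:4d:02": "ws-finance-02",
    "00:1a:2b:3c:4d:10": "srv-db-01",
}

# What a DHCP-lease or ARP sweep might report: (mac, ip, hostname) (constructed).
OBSERVED_DEVICES: List[Tuple[str, str, str]] = [
    ("00:1A:2B:3C:4D:01", "10.0.1.21", "ws-finance-01"),  # upper-case MAC from a different tool
    ("00:1a:2b:3c:4d:10", "10.0.1.50", "srv-db-01"),
    ("de:ad:be:ef:00:01", "10.0.1.99", "unknown-laptop"),  # not in the inventory
]

# CSC 2: software allowed per host class, and the subset that must be present (constructed).
APPROVED_SOFTWARE: Dict[str, Set[str]] = {
    "workstation": {"os-base", "office-suite", "browser", "edr-agent"},
    "server": {"os-base", "db-engine", "edr-agent"},
}
REQUIRED_SOFTWARE: Set[str] = {"edr-agent"}

# Packages reported by an endpoint agent: host -> (class, installed set) (constructed).
INSTALLED_SOFTWARE: Dict[str, Tuple[str, Set[str]]] = {
    "ws-finance-01": ("workstation", {"os-base", "office-suite", "browser", "edr-agent", "torrent-client"}),
    "srv-db-01": ("server", {"os-base", "db-engine"}),  # required edr-agent missing
}


@dataclass(frozen=True)
class Finding:
    control: str  # "CSC1" or "CSC2"
    subject: str  # hostname the finding is about
    detail: str


def reconcile_devices(authorized: Dict[str, str],
                      observed: List[Tuple[str, str, str]]) -> List[Finding]:
    """CSC 1: flag devices on the network that are not in the inventory,
    inventory entries whose hostname no longer matches, and inventory
    entries never seen (stale record or offline asset)."""
    findings: List[Finding] = []
    seen: Set[str] = set()
    for mac, ip, host in observed:
        mac = mac.lower()  # MAC case differs between tools; normalise before lookup
        seen.add(mac)
        if mac not in authorized:
            findings.append(Finding("CSC1", host, f"unauthorized device {mac} at {ip}"))
        elif authorized[mac] != host:
            findings.append(Finding("CSC1", host,
                                    f"hostname mismatch for {mac}: inventory says {authorized[mac]}"))
    for mac, host in authorized.items():
        if mac.lower() not in seen:
            findings.append(Finding("CSC1", host, f"authorized device {mac} not observed"))
    return findings


def reconcile_software(approved: Dict[str, Set[str]], required: Set[str],
                       installed: Dict[str, Tuple[str, Set[str]]]) -> List[Finding]:
    """CSC 2: flag packages outside the approved set for the host's class,
    and required security tooling that is missing."""
    findings: List[Finding] = []
    for host, (host_class, packages) in installed.items():
        allowed = approved.get(host_class, set())  # unknown class: nothing is approved
        for pkg in sorted(packages - allowed):
            findings.append(Finding("CSC2", host, f"unauthorized software: {pkg}"))
        for pkg in sorted(required - packages):
            findings.append(Finding("CSC2", host, f"required software missing: {pkg}"))
    return findings


def run_reconciliation() -> List[Finding]:
    return (reconcile_devices(AUTHORIZED_DEVICES, OBSERVED_DEVICES)
            + reconcile_software(APPROVED_SOFTWARE, REQUIRED_SOFTWARE, INSTALLED_SOFTWARE))


if __name__ == "__main__":
    for f in run_reconciliation():
        print(f"[{f.control}] {f.subject}: {f.detail}")
```

Two details matter in practice: the comparison runs both ways, so an inventory record that no scan ever confirms is itself a finding (a stale inventory is how unauthorized devices hide), and a missing required agent is treated as a CSC 2 failure just as unapproved software is, because the allowlist is a baseline, not only a blocklist.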

Cyber Security and Organization Resilience
- Take a risk management approach
- Focus on what is important
- Secure organizational commitment at the board and senior management level
- Relook regularly