Cybersecurity Framework October 7, 2014


Cybersecurity Framework
October 7, 2014
Sarah Ackerman, Wendy Huber, Keith Swartz
Clark Schaefer Consulting

Agenda
- History of the Framework
- Critical Infrastructure Sectors
- Overview of Cyber Risk
- Overview of Framework
- Framework Core
- Cybersecurity Functions
- Framework Functional Categories
- Assessment of Critical Functions
- Framework Tiers
- Framework Profiles
- Alignment with Other Standards
- Applying the Framework
- Implementation Benefits
- Implementation Challenges
- Available Tools
- What's Next for Framework

Introductions

Clark Schaefer Consulting: Serving elite and emerging companies with practical solutions, Clark Schaefer Consulting is a regional consulting firm with practices in accounting, controls, and technology.

Sarah Ackerman, CISSP, CISA, CICP: As the Director of Technology, Sarah Ackerman provides the Firm with extensive experience and knowledge regarding information security, IT audit, and other technology and control related services. Sarah's work in security operations has resulted in a proven track record of success in identifying system control weaknesses, protecting information assets, and leading clients to successful organizational changes. She is well versed in internal controls and has successfully served in a variety of roles including consulting, risk management, and internal audit.

Wendy Huber, CISA, Security+, CICP: Wendy is an experienced professional with a strong information technology background. She has experience with monitoring system security, process improvement, documenting and testing internal controls, and working with internal and external auditors. In addition, she possesses extensive experience with change management and logical security. Wendy is familiar with a variety of systems and technologies, with expertise related to security, administration, and report writing.

Keith Swartz, CISA, CICP: Keith is an experienced professional who has an extensive IT background and continuously developing IT security knowledge. He has aided small and large, private and public businesses with IT control and security initiatives, and adapts quickly to changing environments. He possesses excellent communication skills and can work as a team member or individually to achieve desired results in a timely fashion. Keith is well versed in internal controls and has successfully served in a variety of roles, including as a systems administrator.

History of the Framework
- Repeated cyber intrusions demonstrated the need for improved cybersecurity
- February 12, 2013: President Obama issued Executive Order 13636, "Improving Critical Infrastructure Cybersecurity"
  - Objective: develop a voluntary cybersecurity framework
- The National Institute of Standards and Technology (NIST) developed the "Framework for Improving Critical Infrastructure Cybersecurity" (Framework)
  - Input from over 1000 different entities (government, academics, individuals)
  - Final version released in February 2014
  - Delivered to critical infrastructure providers and the public

Critical Infrastructure Sectors
- Chemical Sector
- Commercial Facility
- Communications
- Critical Manufacturing
- Dams Sector
- Defense Industrial Base
- Emergency Services
- Energy
- Financial Services
- Food and Agriculture
- Government Facilities
- Healthcare/Public Health
- Information Technology
- Nuclear Reactors/Materials
- Transportation Systems
- Water Systems

Overview of Cyber Risk
- Cyber Risk definition
  - A group of risks that differ in technology, attack vectors, and means
  - Examples include: organization-specific malware, third-party provider attacks, vulnerability exploitation, advanced persistent threats
- The effort invested in addressing these high-impact risks is known as cybersecurity
- High-impact risks are becoming more frequent
- Need to become better at protecting assets

Overview of Framework
Key takeaways of the Framework:
- Voluntary
- Performance-based
- Adaptable and flexible
- Cost-effective
- Leverages existing standards, methodologies, and processes
- Not a compliance checklist
- Not a regulation or ruleset
- Focus on a consistent, solid security program
- Risk-based approach: focus on the high-impact risks and work your way down

Overview of Framework (continued)
Allows organizations to:
- Describe their current cybersecurity posture
- Describe their target state for cybersecurity
- Identify and prioritize opportunities for improvement
- Assess progress towards the target state
- Communicate about cybersecurity risk using a common language among internal and external stakeholders
The Framework complements, but does not replace, risk management processes. Organizations without cybersecurity programs can use the Framework as a reference to establish one.

Overview of Framework (continued)
Composed of three parts:
- Framework Core
  - Set of activities, desired outcomes, and applicable references (e.g., ISO, NIST 800-53)
  - Consists of five functions: Identify, Protect, Detect, Respond, Recover
  - Identifies key categories for each function
- Framework Implementation Tiers
  - Characterize cybersecurity practices over a range from Partial (Tier 1) to Adaptive (Tier 4)
  - Provide context on how an organization views cybersecurity risk
- Framework Profiles
  - Used to identify opportunities to improve cybersecurity posture by comparing a Current Profile ("as is" state) to a Target Profile ("to be" state)
  - Support prioritization and measurement of progress towards the Target Profile

Framework Core Structure
- Not a checklist of actions to perform
- Presents key cybersecurity outcomes identified as helpful in managing risk

Cybersecurity Functions
Focus on the following five key Framework functions needed to drive a comprehensive cybersecurity program:
- Identifying risks to resources supporting critical functions
- Protecting these resources and limiting the impact of cybersecurity events
- Detecting incidents that have occurred
- Responding to the detection of events
- Recovering following response procedures
Each function relies heavily on the development of those preceding it:
- You cannot protect your environment correctly without first identifying your key systems and the risks faced by each
- You cannot respond to events if you have not first implemented proper measures to detect them

Framework Functional Categories
Each function has several categories subdividing it into more detailed groups of activities:

Framework Core Example

Assessment of Critical Functions
Allows organizations to assess each critical cybersecurity function

Framework Tiers
- Developed to provide context on how the organization views cybersecurity risk, along with the processes in place to manage that risk
- Characterize the organization's practices over a range, from Partial (Tier 1) to Adaptive (Tier 4)
- Progression to higher Tiers is encouraged when this would reduce cybersecurity risk and be cost-effective
- Similar to the Capability Maturity Model (CMM), but Tiers do not represent maturity levels

Framework Tiers (continued)
Tier 1: Partial
- Risk management is not formalized; it is managed in an ad hoc, reactive manner
- Limited awareness of cybersecurity risk at the organizational level
- No enterprise-wide approach to managing cybersecurity risk
- May not have processes in place to coordinate or collaborate with other entities

Framework Tiers (continued)
Tier 2: Risk Informed
- Risk management practices are approved by management but not established across the entire organization
- Prioritization of cybersecurity activities is informed by organizational risk objectives, the threat environment, or business requirements
- Awareness of cybersecurity risk at the organizational level
- Processes and procedures are defined and implemented
- Has not formalized capabilities to share information externally

Framework Tiers (continued)
Tier 3: Repeatable
- Risk management practices are formally approved and documented
- Organization-wide approach to managing cybersecurity risk
- Policies and procedures are defined, implemented, and reviewed
- Cybersecurity practices are updated based on formalized risk management processes
- Addresses changes in business requirements or a changing threat environment
- Organization collaborates with partners

Framework Tiers (continued)
Tier 4: Adaptive
- Organization-wide approach to managing cybersecurity risk is part of the organizational culture
- Formalized risk-informed policies, processes, and procedures
- Cybersecurity practices are adapted based on lessons learned and predictive indicators
- Actively adapts to the changing cybersecurity landscape and responds to evolving threats in a timely manner
- Continuous improvement incorporating advanced cybersecurity technologies and practices
- Awareness of previous and current activities on systems and networks
- Actively shares information with partners to improve cybersecurity before an event occurs

Framework Profiles
- Align the Functions and Categories with:
  - Business requirements and goals
  - Risk tolerance
  - Available resources
  - Legal/regulatory requirements
  - Industry best practices
- Used to describe the current and desired state of specific cybersecurity activities
- Comparison of profiles identifies gaps
- An action plan can then be developed to address gaps and prioritize efforts

Framework Profiles (continued)
- Current Profile ("as is" state): indicates the cybersecurity outcomes that are currently being achieved
- Target Profile ("to be" state): indicates the outcomes needed to achieve desired cybersecurity risk management goals
- Successful implementation of the Framework is based upon achievement of the outcomes described in the Target Profile (not upon Tier determination)

Alignment with Other Standards
The Framework Core provides references to existing standards or guidelines:
- COBIT 5 (Control Objectives for Information and Related Technology)
- ISO 27001 (International Organization for Standardization – IT Security Techniques, Information Security Management Systems Requirements)
- NIST 800-53 (National Institute of Standards and Technology – Security and Privacy Controls for Federal Information Systems and Organizations)
- Also other standards from CCS (Council on CyberSecurity) and ISA (International Society of Automation)

Alignment with Other Standards
NIST SP 800-53 Rev. 4, Security and Privacy Controls for Federal Information Systems
Composed of control baselines across areas such as:
- Access Control
- Awareness and Training
- Security Assessment and Authorization
- Configuration Management
- Contingency Planning
- Identification and Authentication
- Incident Response
- Maintenance
- Physical/Environmental Protection
- Information Integrity

Alignment with Other Standards (cont.)
ISO/IEC 27001:2013 (International Organization for Standardization)
Total of 114 controls across 14 areas such as:
- A.5: Information security policies
- A.6: Organization of information security
- A.7: Human resource security
- A.8: Asset management
- A.9: Access control
- A.10: Cryptography
- A.11: Physical and environmental security
- A.12: Operations security
- A.13: Communications security

Alignment with Other Standards (cont.)
COBIT 5
Divided into Governance and Management domains:
- Governance: contains five governance processes; within each process, evaluate, direct and monitor (EDM)
- Management: contains four domains, in line with the responsibility areas of plan, build, run and monitor (PBRM)
  - Align, Plan and Organize (APO)
  - Build, Acquire and Implement (BAI)
  - Deliver, Service and Support (DSS)
  - Monitor, Evaluate and Assess (MEA)

Alignment with Other Standards (cont.)
Example of alignment with other standards:
- Function: Identify
- Category: Asset Management
- Subcategory: ID.AM-1: Physical devices and systems within the organization are inventoried
- Informative References include:
  - COBIT 5 BAI09.01, BAI09.02
  - ISO/IEC 27001:2013 A.8.1.1, A.8.1.2
  - NIST SP 800-53 Rev. 4 CM-8

Applying The Framework
- Can be used as a supplement to an organization's risk management process in order to assess cybersecurity and align with best practices
- The implementation purpose is left to the organization's discretion:
  - Basic review of existing cybersecurity practices
  - Establishing or improving a cybersecurity program
  - Communicating cybersecurity requirements with stakeholders
"There are two types of companies. Those that have been hacked, and those that have been hacked but don't know it yet."

Applying The Framework (continued)
1. Develop the "As-Is" profile
2. Develop the "To-Be" profile
3. Identify gaps and opportunities
4. Develop a prioritized action plan
Repeatable
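The four-step cycle above (As-Is profile, To-Be profile, gaps, prioritized action plan), together with the ID.AM-1 alignment example from the earlier slide, can be carried out over a small data model of the Framework Core. The Python script below is an added illustration, not a tool from the deck, from Clark Schaefer Consulting or from NIST. It encodes ID.AM-1 with the Informative References shown on the slides; the four other subcategory identifiers follow CSF v1.0 but are not on the slides, and the three-level outcome scale, the sample profiles and the Function weights are constructed for this example. Gaps are scored by how foundational their Function is, mirroring the slide's point that each Function relies on the ones preceding it.

```python
"""Framework Core / Profile gap analysis (added example, not the deck's own tool).

Models a slice of the Framework Core (Function -> Category -> Subcategory ->
Informative References) and compares a Current ("as is") Profile with a Target
("to be") Profile to produce a prioritized action plan.
"""
from dataclasses import dataclass
from typing import Dict, List

# Functions in Framework order. The deck notes each Function relies on the ones
# preceding it, so earlier Functions receive a higher weight below (assumption).
FUNCTIONS = ["Identify", "Protect", "Detect", "Respond", "Recover"]

# Ordinal scale for how completely an outcome is achieved (constructed scale,
# not part of the Framework).
STATES = {"none": 0, "partial": 1, "achieved": 2}


@dataclass(frozen=True)
class Subcategory:
    sid: str                          # e.g. "ID.AM-1"
    function: str
    category: str
    outcome: str
    references: Dict[str, List[str]]  # standard -> control identifiers


# ID.AM-1 and its references are taken from the slides. The other four entries
# use CSF v1.0 subcategory identifiers (assumed here, not on the slides); their
# references are left empty rather than inventing control mappings.
CORE = [
    Subcategory("ID.AM-1", "Identify", "Asset Management",
                "Physical devices and systems within the organization are inventoried",
                {"COBIT 5": ["BAI09.01", "BAI09.02"],
                 "ISO/IEC 27001:2013": ["A.8.1.1", "A.8.1.2"],
                 "NIST SP 800-53 Rev. 4": ["CM-8"]}),
    Subcategory("PR.AC-1", "Protect", "Access Control",
                "Identities and credentials are managed for authorized devices and users", {}),
    Subcategory("DE.CM-1", "Detect", "Security Continuous Monitoring",
                "The network is monitored to detect potential cybersecurity events", {}),
    Subcategory("RS.RP-1", "Respond", "Response Planning",
                "Response plan is executed during or after an event", {}),
    Subcategory("RC.RP-1", "Recover", "Recovery Planning",
                "Recovery plan is executed during or after an event", {}),
]

# Constructed sample profiles: subcategory id -> outcome state.
CURRENT_PROFILE = {"ID.AM-1": "partial", "PR.AC-1": "achieved", "DE.CM-1": "none",
                   "RS.RP-1": "partial", "RC.RP-1": "none"}
TARGET_PROFILE = {"ID.AM-1": "achieved", "PR.AC-1": "achieved", "DE.CM-1": "achieved",
                  "RS.RP-1": "achieved", "RC.RP-1": "partial"}


def state_value(name: str) -> int:
    """Map a state name to its ordinal; reject anything outside the scale."""
    if name not in STATES:
        raise ValueError(f"unknown outcome state: {name!r}")
    return STATES[name]


def function_weight(function: str) -> int:
    """Identify=5 ... Recover=1: foundational Functions are closed first."""
    return len(FUNCTIONS) - FUNCTIONS.index(function)


def gap_analysis(core, current, target):
    """Return one record per subcategory whose Target state exceeds its Current
    state, ordered by priority score (gap size x Function weight), with ties
    broken by Function order. Subcategories absent from a profile count as 'none'."""
    gaps = []
    for sc in core:
        cur = state_value(current.get(sc.sid, "none"))
        tgt = state_value(target.get(sc.sid, "none"))
        if tgt > cur:
            gaps.append({"sid": sc.sid, "function": sc.function, "outcome": sc.outcome,
                         "gap": tgt - cur,
                         "score": (tgt - cur) * function_weight(sc.function),
                         "references": sc.references})
    gaps.sort(key=lambda g: (-g["score"], FUNCTIONS.index(g["function"])))
    return gaps


def action_plan(gaps) -> List[str]:
    """Render the ordered gaps as action items that cite the Informative References."""
    lines = []
    for rank, g in enumerate(gaps, start=1):
        refs = "; ".join(f"{std} {', '.join(ids)}" for std, ids in g["references"].items())
        lines.append(f"{rank}. [{g['function']}] {g['sid']} score={g['score']}: "
                     f"{g['outcome']} (refs: {refs or 'none listed'})")
    return lines


if __name__ == "__main__":
    for line in action_plan(gap_analysis(CORE, CURRENT_PROFILE, TARGET_PROFILE)):
        print(line)
```

With the sample profiles, DE.CM-1 ranks first (a two-step gap in Detect) ahead of ID.AM-1 (a one-step gap in the more foundational Identify Function), and PR.AC-1 does not appear because its Target is already met; re-running the script after each improvement cycle is the "Repeatable" step on the slide.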

Implementation Benefits
- The voluntary nature of the assessment leads to more open and honest discussion of cybersecurity risk exposure
- Helps expose areas of risk that may not have been previously considered (electronic emanations?)
- Encourages information sharing and collaboration with external partners:
  - Vulnerability intelligence
  - Threat information
  - Protection & response strategies
- Encourages a layered approach to cybersecurity

Implementation Challenges
- Requires "buy-in" from key stakeholders
  - Time and resources from multiple departments
  - Executive prioritization
- Communicating risks: why does this matter?
- Cybersecurity is a long-term process
- The Framework is in its infancy; NIST is seeking information and user experiences from early adopters

Available Tools
- CForum (http://cyber.securityframework.org): an industry-led forum focused on the evolution and the use of the Cybersecurity Framework
- Utilization of a third party to facilitate: provides direction and an objective approach
- www.nist.gov: the Framework and an Excel version of the Core

What's Next for Framework
Plans to expand future versions for:
- Authentication: focus on development of better identity and authentication mechanisms
- Automated Indicator Sharing: sharing information that is discovered prior to and during incident response activities
- Conformity Assessment: used to show that a product, service, or system meets specified requirements for managing cybersecurity risk
- Cybersecurity Workforce: ISACA's Cybersecurity Nexus (CSX), a new security knowledge platform and professional program
- Data Analytics: big data and analytic tools coupled with cloud, mobile, and social computing
- Federal Agency Cybersecurity Alignment: FISMA, FIPS, etc.
- International Alignment
- Supply Chain Risk Management
- Privacy Standards

For More Information
If you wish to discuss any aspects of this presentation in more detail, please feel free to contact us:
Clark Schaefer Consulting, LLC.
120 East Fourth Street, Suite 1100
Cincinnati, OH 45202
(513) 768-7100
www.clarkschaefer.com
Or send an e-mail directly to Sarah at: sackerman@clarkschaefer.com

Questions?