
Cyber Security Enterprise Risk Management: Key to an Organization’s Resilience Richard A. Spires CEO, Learning Tree International Former CIO, IRS and.


2 Cyber Security Enterprise Risk Management: Key to an Organization’s Resilience
Richard A. Spires
CEO, Learning Tree International
Former CIO, IRS and US DHS
August 3, 2017

3 Our Cyber Security Challenge
- COMPLEXITY: IT Environment; Cyber Tools
- ADVERSARIES: APTs; Criminal Orgs
- TALENT: One Million Openings; Development
HOUSTON, WE HAVE A PROBLEM!

4 Complexity – Evolution of Technology
[Figure: timeline of technology evolution, with a Time axis from the 60s onward. Platforms: Mainframe, Minicomputers, PCs, Mobile Devices, Internet of Things. Architectures: Single-Tier, Monolithic, Client–Server, SQL Database, Object-Oriented, Components, Service-Oriented, Distributed, Clouds, Wireless Technology, Internetworked. Decade labels were lost in extraction.]

5 Complexity – No Longer a Perimeter to Defend

6 Complexity – Cyber Security Tools
- Thousands of Products/Solutions
- Lack of Integration
- Big Data – but Good Results?

7 Cyber Security Risk Management
- Perfect Security Is Not Achievable
  - Too little is clearly not desired
  - Too much can make systems practically unusable
- Risk to the Organization
  - Financial and reputational risks from breaches
- How does an organization determine what to do and how much is enough?
TWO KEY TOOLS to support answering the risk management question:
1. NIST Cyber Security Framework
2. Center for Internet Security (CIS) Critical Security Controls (CSCs)

8 NIST Cyber Security Framework
- Response to Presidential Directive 13636, Improving Critical Infrastructure Cyber Security
- More than 3,000 people from diverse parts of industry, academia, and government participated in workshops and webinars
Other Advantages
- Appropriate for both government and private-sector organizations
- Developed as high-level guidance and approach
- Scalable, flexible, comprehensive, and explicit
- Suitable for incorporating industry-specific requirements
- References elements of NIST SP 800, ISO/IEC 27001, and COBIT

9 NIST Cyber Security Framework
“The Framework helps an organization to better understand, manage, and reduce its cyber security risk. It will assist in determining which activities are most important to assure critical operations and service delivery. In turn, that will help to prioritize investments and maximize the impact of each dollar spent on cyber security.” —From the NIST Framework

10 NIST Framework Elements
- The Framework Core (“Core”): a set of cyber security activities, desired outcomes, and applicable references. The Core covers the life cycle of Identify, Protect, Detect, Respond, Recover.
- Framework Implementation Tiers (“Tiers”): provide context on how an organization views and manages cyber security risk.
- A Framework Profile (“Profile”): represents the outcomes, based on business needs, that an organization has; standards, guidelines, and practices applied to the Framework Core in a particular implementation scenario.

11 Core Functions
Identify
  Description: Develop the organizational understanding to manage cyber security risk
  Categories: Asset Management; Business Environment; Governance; Risk Assessment; Risk Management Strategy
Protect
  Description: Appropriate safeguards to ensure delivery of critical infrastructure services
  Categories: Access Control; Awareness and Training; Data Security; Maintenance; Protective Technology; Information Protection Processes and Procedures
Detect
  Description: Appropriate activities to identify the occurrence of a cyber security event
  Categories: Anomalies and Events; Detection Processes; Security Continuous Monitoring
Respond
  Description: Appropriate activities to take action regarding a detected cyber security event
  Categories: Response Planning; Communications; Analysis; Mitigation; Improvements
Recover
  Description: Appropriate activities to maintain plans for resilience and to restore any capabilities
  Categories: Recovery Planning; Improvements; Communications

12 Tiers
Tier 1 – Partial: Organizational cyber security risk management practices are not formalized, and risk is managed in an ad hoc and sometimes reactive manner
Tier 2 – Risk Informed: Risk management practices are approved by management but may not be established as organization-wide policy; prioritization of cyber security activities is directly informed by organizational risk objectives, the threat environment, or business/mission requirements
Tier 3 – Repeatable: The organization’s risk management practices are formally approved and expressed as policy; organizational cyber security practices are regularly updated based on the application of risk management processes to changes in business/mission requirements and a changing threat and technology landscape
Tier 4 – Adaptive: The organization adapts its cyber security practices based on lessons learned and predictive indicators derived from previous and current cyber security activities

13 NIST Cyber Security Framework: Process
STEP 1: Prioritize and Scope
STEP 2: Orient
STEP 3: Create a Current Profile
STEP 4: Conduct a Risk Assessment
STEP 5: Create a Target Profile
STEP 6: Determine, Analyze, and Prioritize Gaps
STEP 7: Implement Action Plan
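As an added worked example (not code from the presentation or from NIST), the following Python models Steps 3 to 6: a Current Profile and a Target Profile expressed as a Tier per Core category, a risk-assessment impact weight per category, and the prioritized gap list that feeds the Step 7 action plan. The category subset, tier values and weights are constructed sample data, and the priority formula (tier jump times impact) is an assumption, not part of the Framework.

```python
# Added illustration of NIST CSF steps 3-6 (not NIST's or the presenter's code);
# tier values, the category subset and the impact weights are constructed.
from dataclasses import dataclass
TIERS = {1: "Partial", 2: "Risk Informed", 3: "Repeatable", 4: "Adaptive"}
# Framework Core: Function -> Categories (a subset of the Core Functions slide)
CORE = {
    "Identify": ["Asset Management", "Governance", "Risk Assessment"],
    "Protect": ["Access Control", "Data Security", "Protective Technology"],
    "Detect": ["Anomalies and Events", "Security Continuous Monitoring"],
    "Respond": ["Response Planning", "Mitigation"],
    "Recover": ["Recovery Planning"],
}

@dataclass(frozen=True)
class Gap:
    function: str
    category: str
    current: int  # Tier in the Current Profile
    target: int   # Tier in the Target Profile
    impact: int   # risk-assessment weight 1 (low) .. 5 (high), constructed scale

    @property
    def priority(self) -> int:  # bigger tier jump on a higher-impact category first
        return (self.target - self.current) * self.impact

def check_profile(profile):
    """Steps 3 and 5: a Profile must map every Core category to a valid Tier."""
    missing = {c for cats in CORE.values() for c in cats} - set(profile)
    if missing:
        raise ValueError(f"profile missing categories: {sorted(missing)}")
    bad = {c: t for c, t in profile.items() if t not in TIERS}
    if bad:
        raise ValueError(f"invalid tiers: {bad}")

def prioritize_gaps(current, target, impact):
    """Step 6: categories where target exceeds current, highest priority first."""
    check_profile(current)
    check_profile(target)
    gaps = [Gap(f, c, current[c], target[c], impact.get(c, 1))
            for f, cats in CORE.items() for c in cats if target[c] > current[c]]
    return sorted(gaps, key=lambda g: (-g.priority, g.function, g.category))

# Constructed sample data: Current Profile, Target Profile, risk-assessment weights
CURRENT = {"Asset Management": 1, "Governance": 2, "Risk Assessment": 1,
           "Access Control": 2, "Data Security": 2, "Protective Technology": 3,
           "Anomalies and Events": 1, "Security Continuous Monitoring": 1,
           "Response Planning": 2, "Mitigation": 2, "Recovery Planning": 1}
TARGET = {**{c: 3 for c in CURRENT}, "Asset Management": 4}  # Tier 3, inventory Tier 4
IMPACT = {"Asset Management": 5, "Anomalies and Events": 4,
          "Security Continuous Monitoring": 4, "Recovery Planning": 3}
```

Calling `prioritize_gaps(CURRENT, TARGET, IMPACT)` returns ten gaps, led by Asset Management (Tier 1 to 4, priority 15) and the two Detect categories; a profile that omits a category or uses a tier outside 1 to 4 is rejected before any gap is computed.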

14 CIS 20 Critical Security Controls
CSC 1: Inventory of Authorized and Unauthorized Devices
CSC 2: Inventory of Authorized and Unauthorized Software
CSC 3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
CSC 4: Continuous Vulnerability Assessment and Remediation
CSC 5: Controlled Use of Administrative Privileges
CSC 6: Maintenance, Monitoring, and Analysis of Audit Logs
CSC 7: Email and Web Browser Protections
CSC 8: Malware Defenses
CSC 9: Limitation and Control of Network Ports, Protocols, and Services
CSC 10: Data Recovery Capability
CSC 11: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
CSC 12: Boundary Defense
CSC 13: Data Protection
CSC 14: Controlled Access Based on the Need to Know
CSC 15: Wireless Access Control
CSC 16: Account Monitoring and Control
CSC 17: Security Skills Assessment and Appropriate Training to Fill Gaps
CSC 18: Application Software Security
CSC 19: Incident Response and Management
CSC 20: Penetration Tests and Red Team Exercises

15 CIS – First 5 Critical Security Controls
Good IT Management: Inventory; Configurations
Basic Cyber Hygiene: Vulnerability Assessment; Admin Privileges
Eliminates Vast Majority of Vulnerabilities
CSC 1: Inventory of Authorized and Unauthorized Devices
CSC 2: Inventory of Authorized and Unauthorized Software
CSC 3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
CSC 4: Continuous Vulnerability Assessment and Remediation
CSC 5: Controlled Use of Administrative Privileges

16 Cyber Security and Organization Resilience
- Risk Management Approach: Focus on the Important
- Organizational Commitment: At a Board and Senior Management Level
- Regular Relook
