Published by Jonathan Briggs. Modified over 9 years ago.
Slide 1: Cyber Security Framework: Intel's Implementation Pilot
Tim Casey, CISSP, Senior Strategic Risk Analyst (@timcaseycyber)
Slide 2: Background
Slide 3: A Changing Landscape Drives Security
Challenges are increasing in size, intensity, and complexity over time.
[Chart: Data Aggregation & Amount of Valuable Data vs. Number of Connected People]
A security program must keep pace with the evolving threat landscape. It must become an intrinsic part of the enterprise that grows along with it.
Slide 4:
- EO 13636 addresses the lack of robust security within the U.S. cyber-ecosystem with a tool to jump-start good security programs
- Developed over a year as a joint project between NIST and U.S. industry, with international participation
- Uses existing industry models and best practices
- Comprised of a Risk Management Framework and a Maturity Model
- Initial pilots have shown it is flexible, extensible, and easily tailored to individual environments
The Framework is a tool to help create a harmonized risk management approach – it is NOT a compliance checklist!
Slide 5: National Cybersecurity Framework Structure
[Diagram labels: Framework Core; Tiers; Profiles; Illustrative Examples; References; Executive Overview; Governance; Define "Critical Infrastructure"; Voluntary Program; Metrics; Incentives]
Slide 6: Top Concerns of Industry
- Alignment to existing practices
- Privacy
- Adoption
- Governance
- Minimizing regulatory impacts
- Critical Infrastructure vagueness
- DHS Voluntary Program Development
Slide 7: The Cybersecurity Framework
Slide 8: The Framework helps build or augment a security program that equips the enterprise to keep pace with the evolving threats
- Establish the right level of security for your environment
- Inform cybersecurity budget planning
- Communicate cyber risks comprehensively to Senior Leadership
- Harmonize cybersecurity approaches and provide a common language
Slide 9: Framework Core (example entry)
Category – Data Security (DS): Protect information & data from natural and man-made hazards to achieve organizational confidentiality, integrity, and availability requirements.
Subcategory – PR.DS-1: Protect data (including physical records) during storage to achieve confidentiality, integrity, and availability goals.
References – COBIT APO01.06, BAI02.01; ISO/IEC 27001 A.15.1.3; CCS CSC 17; NIST SP 800-53 Rev 4 SC-28.
Slide 10: Framework Profiles
[Profile example chart] Tiers: Tier 3: Adaptive; Tier 2: Repeatable; Tier 1: Risk-Informed; Tier 0: Partial. GAPS.
Slide 11: Intel's CSF Pilot
Slide 12: Alignment Strategy: 3-Tiered Approach
Infrastructure:
- Align macro-level risk management practices to CSF
- Perform initial CSF assessment against infrastructure
Product:
- Explore mapping of product and service capabilities to CSF
- Examine product assurance initiatives (SDL, etc.) through the CSF lens
Supply Chain/Third Party Contracting:
- Examine and potentially pilot contracting updates to align to CSF language
(Slide marker: "We are here")
Slide 13: Infrastructure Risk – Using the CSF
Matrix columns (DOMES): Design, Office, Manufacturing, Enterprise, Services
Matrix rows (CSF Functions and Categories):
- Identify: Business Environment, Asset Management, Governance, Risk Assessment, Risk Management Strategy
- Protect: Access Control, Awareness/Training, Data Security, Protective Process and Procedures, Maintenance, Protective Technologies
- Detect: Anomalies/Events, Security Continuous Monitoring, Detection Process, Threat Intelligence
- Respond: Response Planning, Communication, Analysis, Mitigations, Improvements
- Recover: Recovery Planning, Improvements, Communications
Goals – use CSF to:
- Establish alignment on risk tolerance
- Inform budget planning for 2015
- Communicate risk heat map to Senior Leadership
- CSF as risk management approach, NOT a compliance checklist
Strategy:
- Utilize DOMES approach
- Enables holistic view across the infrastructure while enabling cross-sectional view of our business
- Focus on OFFICE and ENTERPRISE initially
Slide 14: Infrastructure Assessment Process
Set Targets:
- Establish Core Group (key SMEs and Managers)
- F2F session with Core Group to set targets and score actuals (2 x 4-hour sessions, 8-10 SMEs)
- Create tailored Subcategories
- Validate Targets with Decision Makers (CISO & Staff)
Assess Current State:
- Identify key SME scorers
- Train SMEs
- SMEs use tools to self-score
Analyze Results:
- Aggregate individual SME roll-up with Core Team actuals and compare to Targets
- Use simple heat map to identify gaps >1
- Drill down on subcategories for identified gaps >1 to identify key issues
Communicate Results:
- Review findings & recommendations with CISO & Staff
- Inform impacted Managers to ensure prioritization feeds into budget and planning cycles
- Brief Senior Leadership on findings and resulting recommendations
Slide 15: Assessment Tool – SME & Core Team
- Subcategory scoring confused participants. Recommend changing to Heat Map (Over/Under)
- Key Learning: Scorers do not need to know the Target
Slide 16: Tiers – People, Process, Technology & Ecosystem
- Need to harmonize wording (staff, personnel, etc.)
- Need to refine 'seams' between Tiers
- Need to clarify scope of dimension quality when using in categories
- Overall: Tier definitions worked well for participants
Slide 17: Assessment Tool: SME Rollup Sample
NOTIONAL / EXAMPLE ONLY
[Chart: per-SME scores; notional scorers Siobhan, Sanvi, Patrick, Nala, Mateo, Terry]
Slide 18: SME Rollup – Unexpected Benefits #1
NOTIONAL / EXAMPLE ONLY
Evaluating by functional area provided greater insights
Slide 19: SME Rollup – Unexpected Benefits #2
NOTIONAL / EXAMPLE ONLY
Mapping highlighted outliers and major differences
Slide 20: Assessment Tool: SME/CORE/TARGET Roll Up
NOTIONAL / EXAMPLE ONLY
- High 2's – Focus Areas stand out
- Significant differences between Core and Individual scores can highlight visibility issues
- Results matched "Gut Check" expectations
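The analysis step on slide 14 (aggregate individual SME scores with Core Team actuals, compare to Targets, flag gaps >1) and the roll-up reading on slide 20 (Core vs. individual divergence as a visibility signal) are mechanical enough to show in code. The following is an added example written for this page; it is not Intel's assessment tool and the scores, category names and scorer names are constructed. The deck does not say how individual scores were aggregated, so the mean is an assumption here, as are the two thresholds.

```python
"""Toy CSF gap / heat-map roll-up (added example; constructed data, not Intel's results)."""
from collections import defaultdict
from statistics import mean

# Tier scale as labelled on the slides: 0 Partial, 1 Risk-Informed, 2 Repeatable, 3 Adaptive.
TIERS = {0: "Partial", 1: "Risk-Informed", 2: "Repeatable", 3: "Adaptive"}

# Targets set by the Core Group (constructed). Keys are "Function / Category".
TARGETS = {
    "Identify / Asset Management": 3,
    "Protect / Access Control": 3,
    "Detect / Threat Intelligence": 2,
    "Respond / Mitigations": 2,
    "Recover / Recovery Planning": 2,
}

# Individual SME self-scores (hypothetical scorers). Per slide 15, scorers never see TARGETS.
SME_SCORES = {
    "sme_a": {"Identify / Asset Management": 2, "Protect / Access Control": 3,
              "Detect / Threat Intelligence": 0, "Respond / Mitigations": 2,
              "Recover / Recovery Planning": 1},
    "sme_b": {"Identify / Asset Management": 1, "Protect / Access Control": 3,
              "Detect / Threat Intelligence": 1, "Respond / Mitigations": 2,
              "Recover / Recovery Planning": 2},
    "sme_c": {"Identify / Asset Management": 2, "Protect / Access Control": 2,
              "Detect / Threat Intelligence": 0, "Respond / Mitigations": 1,
              "Recover / Recovery Planning": 1},
}

# Core Team "actuals" scored in the face-to-face session (constructed).
CORE_SCORES = {
    "Identify / Asset Management": 3, "Protect / Access Control": 3,
    "Detect / Threat Intelligence": 1, "Respond / Mitigations": 2,
    "Recover / Recovery Planning": 1,
}

GAP_THRESHOLD = 1         # slide 14: drill down on gaps > 1
VISIBILITY_THRESHOLD = 1  # assumed: core/individual divergence this large is worth a look


def aggregate_sme(scores_by_sme):
    """Roll individual SME scores up to one mean per category (mean is an assumption)."""
    per_cat = defaultdict(list)
    for scores in scores_by_sme.values():
        for cat, score in scores.items():
            if score not in TIERS:
                raise ValueError(f"score {score!r} for {cat} is not a tier 0-3")
            per_cat[cat].append(score)
    return {cat: mean(vals) for cat, vals in per_cat.items()}


def build_heat_map(targets, sme_mean, core):
    """One row per category: gap to target plus Core-vs-individual divergence."""
    rows = []
    for cat, target in targets.items():
        if cat not in sme_mean or cat not in core:
            raise KeyError(f"no scores recorded for {cat}")
        gap = target - sme_mean[cat]           # positive = below target
        divergence = core[cat] - sme_mean[cat]  # Core Team sees it differently?
        rows.append({
            "category": cat,
            "target": target,
            "sme_mean": round(sme_mean[cat], 2),
            "core": core[cat],
            "gap": round(gap, 2),
            "drill_down": gap > GAP_THRESHOLD,
            "visibility_issue": abs(divergence) >= VISIBILITY_THRESHOLD,
        })
    return rows


def focus_areas(rows):
    """Categories to drill into at subcategory level, largest gap first."""
    return [r["category"] for r in sorted(rows, key=lambda r: -r["gap"]) if r["drill_down"]]


def render(rows):
    """Plain-text heat map for the CISO review; flags mark drill-down / visibility."""
    lines = [f"{'Category':30} Tgt  SME  Core  Gap   Flags"]
    for r in rows:
        flags = ("DRILL " if r["drill_down"] else "") + ("VISIBILITY" if r["visibility_issue"] else "")
        lines.append(f"{r['category']:30} {r['target']:>3}  {r['sme_mean']:>4}  "
                     f"{r['core']:>4}  {r['gap']:>4}  {flags}")
    return "\n".join(lines)


if __name__ == "__main__":
    heat = build_heat_map(TARGETS, aggregate_sme(SME_SCORES), CORE_SCORES)
    print(render(heat))
    print("Drill down on:", focus_areas(heat))
```

With the constructed data, Threat Intelligence and Asset Management exceed the gap threshold and become the drill-down list; Asset Management is also flagged because the Core Team scored it two tiers above the individual mean, the kind of Core/individual difference slide 20 calls a visibility issue.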
Slide 21: Additional Key Learnings
- Discussion is a benefit in itself
- Security is a process, not an endpoint – Targets especially interesting; prescriptive targets would eliminate this benefit
Functions:
- Mapped well to existing risk management practices and SMEs were easily ramped up
- No modifications to Functions recommended
Categories:
- Categories were useful, and for our initial use only one additional Category was added – DETECT: THREAT INTELLIGENCE. We expect additional Categories to emerge as we move through the Design, Manufacturing and Services environments
Subcategories:
- Still a bit of a puzzle on how to optimally use this granularity while balancing overhead. The next rev of the tool will do away with scoring subcategories and use an over/under model for heat mapping inputs.
- The comments section on subcategories was helpful in the analytical stage to drill down on high/low Category scores
Slide 22: Key Learnings Continued
Program Management:
- CSF utilization has progressed with no major deviations from plan of record
- Low program management overhead to date, as the organizations assessed (Enterprise and Office) have a strong risk management culture and mature security-related SMEs
- Very light-weight organizationally (leveraged existing processes/org structures)
Estimated Cost:
- Less than 175 work-hours invested to date with 2 verticals (Office/Enterprise) complete
- Repeatable tools and techniques developed, so additional verticals may be less overhead
Feedback from Participants:
- Easy to understand and score
- No concerns about resourcing or time commits
Slide 23: Challenges
- Granularity – Subcategories and the degree of granularity of assessment using the CSF
- Repeatability – Changes in SME/scorers YoY may impact quality of assessment
- Visualization – How to best represent the results to various stakeholders and decision makers
- Alignment/Harmonization – Maintaining alignment across supply chain/partners on approach and language
- Governance, risk management, and compliance programs – How does the Framework support / intersect GRCs?
Slide 24: Do it yourself!
If you want to try it…
- Start where you are comfortable
- Tailor the Framework to your organization
- Involve all levels of security & management within your org
Resources:
- NIST Website http://www.nist.gov/cyberframework
- Intel white paper (Q1 2015)
- Sector Information Sharing and Analysis Centers (ISAC)
- Industry associations
Slide 25:
This presentation is for informational purposes only. INFORMATION IN THIS DOCUMENT IS PROVIDED IN CONNECTION WITH INTEL PRODUCTS AND SERVICES. NO LICENSE, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, TO ANY INTELLECTUAL PROPERTY RIGHTS IS GRANTED BY THIS DOCUMENT. EXCEPT AS PROVIDED IN INTEL'S TERMS AND CONDITIONS OF SALE FOR SUCH PRODUCTS, INTEL ASSUMES NO LIABILITY WHATSOEVER AND INTEL DISCLAIMS ANY EXPRESS OR IMPLIED WARRANTY, RELATING TO SALE AND/OR USE OF INTEL PRODUCTS AND SERVICES INCLUDING LIABILITY OR WARRANTIES RELATING TO FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABILITY, OR INFRINGEMENT OF ANY PATENT, COPYRIGHT OR OTHER INTELLECTUAL PROPERTY RIGHT. Intel, the Intel logo, Look Inside., and the Look Inside. logo are trademarks of Intel Corporation in the U.S. and/or other countries. *Other names and brands may be claimed as the property of others. Copyright © 2015 Intel Corporation. All rights reserved.