Slide 1: The NIST Framework for Cybersecurity
Matthew Todd, SF Bay InfraGard
Slide 2: Get the Framework
The National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity
Slide 3: The Executive Order
“It is the Policy of the United States to enhance the security and resilience of the Nation’s critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties.”
Executive Order 13636, February 12, 2013
This Executive Order calls for the development of a voluntary Cybersecurity Framework (“Framework”) that provides a “prioritized, flexible, repeatable, performance-based, and cost-effective approach” to manage cybersecurity risk.
Slide 4: What is it, exactly?
- Voluntary
- Risk-based framework
- Industry standards and best practices
- Provides organization, structure, and language
- Cost-effective
- Based on business needs
- Considers privacy
- Can complement or test existing programs
Slide 5: Key Goals of the Framework “Lifetime”
- Describe the current cybersecurity risk management posture
- Describe the target posture
- Identify and prioritize gaps
- Assess progress towards the target state
- Communicate with internal and external stakeholders
- Iterate
It may also be used outside of a cyclic process, for example with a vendor.
Slide 6: The Framework: The Parts
- The Core: the essential elements of a cybersecurity program; a common language
- The Implementation Tiers: a way to talk about the extent and sophistication of risk management
- The Profiles: a description of current or target risk management programs
Slide 7: The Framework: Core
A matrix of:
- Functions
- Categories
- Subcategories
- Informative references
Describes activities and desired outcomes.
Functional areas: Identify, Protect, Detect, Respond, Recover
Slide 8: Core structure

Function (unique identifier) and Category (unique identifier):

ID  Identify
    ID.AM  Asset Management
    ID.BE  Business Environment
    ID.GV  Governance
    ID.RA  Risk Assessment
    ID.RM  Risk Management Strategy
PR  Protect
    PR.AC  Access Control
    PR.AT  Awareness and Training
    PR.DS  Data Security
    PR.IP  Information Protection Processes and Procedures
    PR.MA  Maintenance
    PR.PT  Protective Technology
DE  Detect
    DE.CM  Security Continuous Monitoring
    DE.AE  Anomalies and Events
    DE.DP  Detection Processes
RS  Respond
    RS.RP  Response Planning
    RS.CO  Communications
    RS.AN  Analysis
    RS.MI  Mitigation
    RS.IM  Improvements
RC  Recover
    RC.RP  Recovery Planning
    RC.IM  Improvements
    RC.CO  (category name not captured in the source)

Example rows (Function / Category / Subcategory / Informative references):

1. Identify / Asset Management / ID.AM-1: Physical devices and systems within the organization are inventoried
   References: CCS CSC 1; COBIT 5 BAI09.01, BAI09.02; ISA : ISA :2013 SR 7.8; ISO/IEC 27001:2013 A.8.1.1, A.8.1.2; NIST SP Rev. 4 CM-8

2. Detect / Security Continuous Monitoring / DE.CM-6: External service provider activity is monitored to detect potential cybersecurity events
   References: COBIT 5 APO07.06; ISO/IEC 27001:2013 A , A ; NIST SP Rev. 4 CA-7, PS-7, SA-4, SA-9, SI-4

3. Recover / Improvements / RC.IM-1: Recovery plans incorporate lessons learned
   References: COBIT 5 BAI05.07; ISA : ; NIST SP Rev. 4 CP-2, IR-4, IR-8
Slide 9: The Framework: Implementation Tiers
- Perspective on risks, and the extent of mitigation
- Organization-wide
- Four Tiers: Partial, Risk-informed, Repeatable, Adaptive
- Can be used with executive management
- How to use the Tiers is not clearly defined in the Framework!
Slide 10: The Framework: Profiles
- A Profile is a description of a risk management program
- The Current Profile is an assessment of the current state
- The Target Profile is a goal state, considering: risks; business requirements; available resources; regulatory or other requirements
- The difference between the Current and Target Profiles is the gap
Slide 11: Organizational Structure
Three levels (slide diagram):
- Executive Level
- Business/Process Level
- Implementation/Operations Level
Items exchanged between the levels, as labelled on the diagram: Risk Management; BIA/Risk Assessment; Budget and Priorities; Implementation; Desired Profile; Progress to Goal
Slide 12: Put it All Together: A Basic Security Program
1. Identify business objectives and scope
2. Identify context (environment, regulations, etc.)
3. Create a Current Profile
4. Conduct a risk assessment
5. Create a Target Profile
6. Identify and prioritize gaps
7. Create and implement an action plan
8. Iterate!
Slide 13: Caution
The framework relies on your ability to objectively:
- Identify current risk
- Assess mitigating controls
Acknowledged risks can be used against you:
- Privacy risks
- Competing risks
- Seek independent counsel
Prioritize: “What” and “Why”
Ensure that privacy requirements are considered
Identify and empower the right business owner to make key risk decisions
Slide 14: Other Sources
- SANS Critical Security Controls: 20 key controls; available at
- ISO/IEC 27000-series: international standard for information security; certifications are available, but (generally) non-US based
- Federal Financial Institution Examination Council (FFIEC) examination “handbooks”: “…uniform principles, standards, and report forms for the federal examination of financial institutions”
- US-CERT C-Cubed
- PCI/DSS
- SSAE 16/SOC 2
Slide 15: The Framework Template
- An Excel spreadsheet
- Set high/low water marks
- Highlights areas in yellow and red
- Rolls up to categories
- Can be used internally or with vendors
- Available at the member site or on request
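The basic program on slide 12 (Current Profile, risk-informed Target Profile, gap prioritization, action plan) and the template's category roll-up with high/low water marks, carried through in Python as an added example. This is not the presenter's spreadsheet nor any NIST tool: the 0-4 score scale, the weakest-link roll-up, the water-mark values and the subcategory identifiers ending in -x1/-x2 are assumptions constructed for the example; ID.AM-1, DE.CM-6 and RC.IM-1 are the subcategories shown on the Core slide.

```python
"""Current/Target Profile gap analysis over the NIST CSF Core.

Added example, not the presentation's spreadsheet template. Assumptions:
each subcategory is scored 0-4 in both profiles, a category rolls up to its
weakest subcategory, and the high/low water marks default to 3 and 2.
"""
from dataclasses import dataclass

# Functions and a subset of categories as listed on the Core slide.
FUNCTIONS = {"ID": "Identify", "PR": "Protect", "DE": "Detect",
             "RS": "Respond", "RC": "Recover"}
CATEGORIES = {"ID.AM": "Asset Management", "PR.AC": "Access Control",
              "DE.CM": "Security Continuous Monitoring", "RC.IM": "Improvements"}


@dataclass(frozen=True)
class Assessment:
    """One subcategory scored in the Current Profile and the Target Profile."""
    subcategory: str  # e.g. "ID.AM-1"
    current: int      # Current Profile score, 0-4 (assumed scale)
    target: int       # Target Profile score, 0-4 (assumed scale)

    @property
    def category(self) -> str:
        return self.subcategory.split("-")[0]

    @property
    def function(self) -> str:
        return self.subcategory.split(".")[0]

    @property
    def gap(self) -> int:
        # A target below current is accepted risk, not a gap to close.
        return max(self.target - self.current, 0)


# Constructed sample profile. ID.AM-1, DE.CM-6 and RC.IM-1 are shown on the
# slides; identifiers ending in -x1/-x2 are placeholders invented for this
# example and are not real CSF subcategory identifiers.
SAMPLE = [
    Assessment("ID.AM-1", 2, 4),   # physical devices and systems inventoried
    Assessment("ID.AM-x1", 3, 4),  # placeholder
    Assessment("PR.AC-x1", 1, 4),  # placeholder
    Assessment("PR.AC-x2", 4, 4),  # placeholder, already at target
    Assessment("DE.CM-6", 0, 3),   # external service provider activity monitored
    Assessment("RC.IM-1", 1, 2),   # recovery plans incorporate lessons learned
]


def validate(assessments) -> bool:
    """Reject scores outside 0-4 and identifiers that are not in the Core."""
    for a in assessments:
        if not (0 <= a.current <= 4 and 0 <= a.target <= 4):
            raise ValueError(f"{a.subcategory}: scores must be 0-4")
        if a.function not in FUNCTIONS or a.category not in CATEGORIES:
            raise ValueError(f"{a.subcategory}: unknown function or category")
    return True


def roll_up(assessments, how=min) -> dict:
    """Category score = weakest subcategory (pass how=max or a mean to change)."""
    validate(assessments)
    by_cat: dict[str, list[Assessment]] = {}
    for a in assessments:
        by_cat.setdefault(a.category, []).append(a)
    return {cat: {"current": how(x.current for x in xs),
                  "target": how(x.target for x in xs)}
            for cat, xs in by_cat.items()}


def flag(score: int, low: int = 2, high: int = 3) -> str:
    """Water marks as the template colours them: red below low, yellow below high."""
    if score < low:
        return "red"
    if score < high:
        return "yellow"
    return "green"


def action_plan(assessments) -> list:
    """Subcategories with a gap, largest gap first; weakest current score first on ties."""
    gaps = [a for a in assessments if a.gap > 0]
    return [a.subcategory for a in sorted(gaps, key=lambda a: (-a.gap, a.current))]


if __name__ == "__main__":
    for cat, s in roll_up(SAMPLE).items():
        print(f"{cat:6} {CATEGORIES[cat]:32} current={s['current']} "
              f"[{flag(s['current'])}] target={s['target']} [{flag(s['target'])}]")
    print("Action plan order:", action_plan(SAMPLE))
```

Rolling a category up to its weakest subcategory is the conservative choice: a single unmonitored provider or uninventoried device class still leaves the category red, which is the signal the slides want the template to surface before it is shared with a vendor or with management.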
Slide 16: Q&A