Cybersecurity Framework
October 7, 2014
Sarah Ackerman, Wendy Huber, Keith Swartz
Clark Schaefer Consulting
Agenda
• History of the Framework
• Critical Infrastructure Sectors
• Overview of Cyber Risk
• Overview of Framework
• Framework Core
• Cybersecurity Functions
• Framework Functional Categories
• Assessment of Critical Functions
• Framework Tiers
• Framework Profiles
• Alignment with Other Standards
• Applying the Framework
• Implementation Benefits
• Implementation Challenges
• Available Tools
• What's Next for Framework
Introductions
Clark Schaefer Consulting:
Serving elite and emerging companies with practical solutions, Clark Schaefer Consulting is a regional consulting firm with practices in accounting, controls, and technology.

Sarah Ackerman, CISSP, CISA, CICP
As the Director of Technology, Sarah Ackerman provides the Firm with extensive experience and knowledge regarding information security, IT audit, and other technology and control related services. Sarah’s work in security operations has resulted in a proven track record of success in identifying system control weaknesses, protecting information assets, and leading clients to successful organizational changes. She is well versed in internal controls and has successfully served in a variety of roles including consulting, risk management, and internal audit.

Wendy Huber, CISA, Security+, CICP
Wendy is an experienced professional with a strong information technology background. She has experience with monitoring system security, process improvement, documenting and testing internal controls, and working with internal and external auditors. In addition, she possesses extensive experience with change management and logical security. Wendy is familiar with a variety of systems and technologies with expertise related to security, administration, and report writing.

Keith Swartz, CISA, CICP
Keith is an experienced professional who has an extensive IT background and continuously developing IT security knowledge. He has aided small and large, private and public businesses with IT control and security initiatives, and adapts quickly to changing environments. He possesses excellent communication skills and can work as a team member or individually to achieve desired results in a timely fashion. Keith is well versed in internal controls and has successfully served in a variety of roles, including as a systems administrator.
History of the Framework
• Repeated cyber intrusions demonstrated the need for improved cybersecurity
• February 12, 2013: President Obama issued Executive Order 13636 -- Improving Critical Infrastructure Cybersecurity
– Objective: Develop a voluntary cybersecurity framework
• National Institute of Standards and Technology (NIST) developed the “Framework for Improving Critical Infrastructure Cybersecurity” (Framework)
– Input from over 1000 different entities (government, academics, individuals)
• Final version released in February 2014
– Delivered to critical infrastructure providers and the public
Critical Infrastructure Sectors
– Chemical Sector
– Commercial Facility
– Communications
– Critical Manufacturing
– Dams Sector
– Defense Industrial Base
– Emergency Services
– Energy
– Financial Services
– Food and Agriculture
– Government Facilities
– Healthcare/Public Health
– Information Technology
– Nuclear Reactors/Materials
– Transportation Systems
– Water Systems
Overview of Cyber Risk
• Cyber Risk definition
• Group of risks
• Differ in technology, attack vectors, and means
• Examples include:
– Organization-specific malware
– Third party provider attacks
– Vulnerability exploitation
– Advanced persistent threats
• Effort invested in addressing these high-impact risks is known as cybersecurity
• High-impact risks becoming more frequent
• Need to become better at protecting assets
Overview of Framework
• Key takeaways of the Framework
– Voluntary
– Performance-based
– Adaptable and flexible
– Cost-effective
– Leverages standards, methodologies, and processes
• Not a compliance checklist
– Not regulated or ruleset
– Focus on consistent, solid security program
• Risk-based approach
• Focus on the high impact risks and work your way down
Overview of Framework (continued)
• Allows organizations to:
– Describe current cybersecurity posture
– Describe target state for cybersecurity
– Identify and prioritize opportunities for improvement
– Assess progress towards target state
– Communicate using common language among internal and external stakeholders about cybersecurity risk
• Complements, does not replace, risk management processes
– Organizations without cybersecurity programs can use Framework as reference to establish one
Overview of Framework (continued)
• Composed of three parts
– Framework Core
• Set of activities, desired outcomes, and applicable references (e.g., ISO, NIST 800-53)
• Consists of five functions: Identify, Protect, Detect, Respond, Recover
– Identifies key categories for each function
– Framework Implementation Tiers
• Characterize cybersecurity practices over a range from Partial (Tier 1) to Adaptive (Tier 4)
• Provide context on how an organization views cybersecurity risk
– Framework Profiles
• Used to identify opportunities to improve cybersecurity posture by comparing a Current profile (“as is” state) to a Target profile (“to be” state)
• Supports prioritization and measurement of progress towards Target profile
Framework Core Structure
• Not a checklist of actions to perform
• Presents key cybersecurity outcomes identified as helpful in managing risk
Cybersecurity Functions
• Focus on the following five key framework functions needed to drive a comprehensive cybersecurity program:
– Identifying risks to resources supporting critical functions
– Protecting these resources and limiting the impact of cybersecurity events
– Detecting incidents that have occurred
– Responding to the detection of events
– Recovering following response procedures
• Each function places heavy reliance on the development of those preceding it
– You cannot protect your environment correctly without first identifying your key systems and the risks faced by each
– You cannot respond to events if you have not first implemented proper measures to detect them
Framework Functional Categories
• Each function has several categories that subdivide it into more detailed groups of activities:
Framework Core Example
Assessment of Critical Functions
• Allows organizations to assess each critical cybersecurity function
Framework Tiers
• Developed to provide context on how the organization views cybersecurity risk along with the processes in place to manage that risk
• Characterize the organization’s practices over a range, from Partial (Tier 1) to Adaptive (Tier 4)
• Progression to higher Tiers is encouraged when this would reduce cybersecurity risk and be cost effective
– Similar to the Capability Maturity Model (CMM), but tiers do not represent maturity levels
Framework Tiers (continued)
Tier 1: Partial
• Risk management is not formalized, managed in an ad hoc, reactive manner
• Limited awareness of cybersecurity risk at organizational level
• No enterprise-wide approach to managing cybersecurity risk
• May not have processes in place to coordinate or collaborate with other entities
Framework Tiers (continued)
Tier 2: Risk Informed
• Risk management practices approved by management but not established across entire organization
• Prioritization of cybersecurity activities informed by organizational risk objectives, threat environment, or business requirements
• Awareness of cybersecurity risk at organizational level
• Processes and procedures are defined and implemented
• Has not formalized capabilities to share information externally
Framework Tiers (continued)
Tier 3: Repeatable
• Risk management practices are formally approved and documented
– Organization-wide approach to manage cybersecurity risk
– Policies and procedures are defined, implemented, reviewed
• Cybersecurity practices updated based on formalized risk management processes
– Addresses changes in business requirements or changing threat environment
• Organization collaborates with partners
Framework Tiers (continued)
Tier 4: Adaptive
• Organization-wide approach to manage cybersecurity risk
– Part of organizational culture
• Formalized risk-informed policies, processes, and procedures
• Cybersecurity practices are adapted based on lessons learned and predictive indicators
– Actively adapts to changing cybersecurity landscape
– Responds to evolving threats in timely manner
• Continuous improvement incorporating advanced cybersecurity technologies and practices
– Awareness of previous activities and current activities on systems and networks
• Actively shares information with partners to improve cybersecurity before an event occurs
Framework Profiles
• Aligns the Functions and Categories with:
– Business requirements and goals
– Risk tolerance
– Available resources
– Legal/regulatory requirements
– Industry best practices
• Used to describe current and desired state of specific cybersecurity activities
• Comparison of profiles identifies gaps
– An action plan can then be developed to address gaps and prioritize efforts
Framework Profiles (continued)
• Current Profile (“as is” state)
– Indicates cybersecurity outcomes that are currently being achieved
• Target Profile (“to be” state)
– Indicates outcomes needed to achieve desired cybersecurity risk management goals
– Successful implementation of Framework is based upon achievement of outcomes described in Target Profile (not upon Tier determination)
Alignment with Other Standards
• Framework Core provides references to existing standards or guidelines
– COBIT 5 (Control Objectives for Information and Related Technology)
– ISO 27001 (International Organization for Standardization – IT Security Techniques, Information Security Management Systems Requirements)
– NIST 800-53 (National Institute of Standards and Technology – Security and Privacy Controls for Federal Information Systems and Organizations)
– Also other standards from CCS (Council on CyberSecurity), ISA (International Society of Automation)
Alignment with Other Standards
NIST SP 800-53 Rev. 4
• Security and Privacy Controls for Federal Information Systems
• Composed of control baselines across areas such as:
– Access Control
– Awareness and Training
– Security Assessment and Authorization
– Configuration Management
– Contingency Planning
– Identification and Authentication
– Incident Response
– Maintenance
– Physical/Environmental Protection
– Information Integrity
Alignment with Other Standards (cont.)
ISO/IEC 27001:2013 (International Organization for Standardization)
• Total of 114 controls across 14 areas such as:
– A.5: Information security policies
– A.6: Organization of information security
– A.7: Human resource security
– A.8: Asset management
– A.9: Access control
– A.10: Cryptography
– A.11: Physical and environmental security
– A.12: Operations security
– A.13: Communications security
Alignment with Other Standards (cont.)
COBIT 5
• Divided into Governance and Management domains
– Governance: Contains five governance processes; within each process, evaluate, direct and monitor (EDM)
– Management: Contains four domains, in line with the responsibility areas of plan, build, run and monitor (PBRM)
• Align, Plan and Organize (APO)
• Build, Acquire and Implement (BAI)
• Deliver, Service and Support (DSS)
• Monitor, Evaluate and Assess (MEA)
Alignment with Other Standards (cont.)
• Example of alignment with other standards:
– Function: Identify
– Category: Asset Management
– Subcategory: ID.AM-1: Physical devices and systems within the organization are inventoried
– Informative References include:
• COBIT 5 BAI09.01, BAI09.02
• ISO/IEC 27001:2013 A.8.1.1, A.8.1.2
• NIST SP 800-53 Rev. 4 CM-8
Applying The Framework
• Can be used as a supplement to an organization’s risk management process in order to assess cybersecurity and align with best practices
• Implementation purpose is left to the organization’s discretion
– Basic review of existing cybersecurity practices
– Establishing or improving a cybersecurity program
– Communicating cybersecurity requirements with stakeholders
“There are two types of companies. Those that have been hacked, and those that have been hacked but don’t know it yet”
Applying The Framework (continued)
• Develop the “As-Is” profile
• Develop the “To-Be” profile
• Identify gaps and opportunities
• Develop a prioritized action plan
Repeatable
Implementation Benefits
• Voluntary nature of assessment leads to more open and honest discussion of cybersecurity risk exposure
• Helps expose areas of risk that may not have been previously considered
– Electronic emanations??
• Encourages information sharing and collaboration with external partners
– Vulnerability intelligence
– Threat information
– Protection & response strategies
• Encourages a layered approach to cybersecurity
Implementation Challenges
• Requires “buy-in” from key stakeholders
– Time and resources from multiple departments
– Executive prioritization
• Communicating risks
– Why does this matter?
• Cybersecurity is a long term process
• The Framework is in its infancy
– NIST is seeking information and user experiences from early adopters
Available Tools
• CForum (http://cyber.securityframework.org)
– An industry led forum focused on the evolution and the use of the Cybersecurity Framework
• Utilization of a third party to facilitate
– Provides direction
– Objective approach
• www.nist.gov
– Framework
– Excel version of Core
What’s Next for Framework
• Plans to expand future versions for:
– Authentication
• Focus on development of better identity and authentication mechanisms
– Automated Indicator Sharing
• Sharing information that is discovered prior to and during incident response activities
– Conformity Assessment
• Used to show that a product, service, or system meets specified requirements for managing cybersecurity risk
– Cybersecurity Workforce
• ISACA’s Cybersecurity Nexus (CSX): New security knowledge platform and professional program
– Data Analytics
• Big data and analytic tools coupled with cloud, mobile, and social computing
– Federal Agency Cybersecurity Alignment
• FISMA, FIPS, etc.
– International Alignment
– Supply Chain Risk Management
– Privacy Standards
For More Information
If you wish to discuss any aspects of this presentation in more detail, please feel free to contact us:
Clark Schaefer Consulting, LLC.
120 East Fourth Street, Suite 1100
Cincinnati, OH 45202
(513) 768-7100
www.clarkschaefer.com
Or send an e-mail directly to Sarah at: [email protected]
Questions?