Page 1: Cybersecurity Framework
October 7, 2014

Sarah Ackerman, Wendy Huber, Keith Swartz
Clark Schaefer Consulting

Page 2: Agenda

• History of the Framework
• Critical Infrastructure Sectors
• Overview of Cyber Risk
• Overview of Framework
• Framework Core
• Cybersecurity Functions
• Framework Functional Categories
• Assessment of Critical Functions
• Framework Tiers
• Framework Profiles
• Alignment with Other Standards
• Applying the Framework
• Implementation Benefits
• Implementation Challenges
• Available Tools
• What's Next for Framework

Page 3: Introductions

Clark Schaefer Consulting:
Serving elite and emerging companies with practical solutions, Clark Schaefer Consulting is a regional consulting firm with practices in accounting, controls, and technology.

Sarah Ackerman, CISSP, CISA, CICP
As the Director of Technology, Sarah Ackerman provides the Firm with extensive experience and knowledge regarding information security, IT audit, and other technology and control related services. Sarah’s work in security operations has resulted in a proven track record of success in identifying system control weaknesses, protecting information assets, and leading clients to successful organizational changes. She is well versed in internal controls and has successfully served in a variety of roles including consulting, risk management, and internal audit.

Wendy Huber, CISA, Security+, CICP
Wendy is an experienced professional with a strong information technology background. She has experience with monitoring system security, process improvement, documenting and testing internal controls, and working with internal and external auditors. In addition, she possesses extensive experience with change management and logical security. Wendy is familiar with a variety of systems and technologies with expertise related to security, administration, and report writing.

Keith Swartz, CISA, CICP
Keith is an experienced professional who has an extensive IT background and continuously developing IT security knowledge. He has aided small and large, private and public businesses with IT control and security initiatives, and adapts quickly to changing environments. He possesses excellent communication skills and can work as a team member or individually to achieve desired results in a timely fashion. Keith is well versed in internal controls and has successfully served in a variety of roles, including as a systems administrator.

Page 4: History of the Framework

• Repeated cyber intrusions demonstrated the need for improved cybersecurity
• February 12, 2013: President Obama issued Executive Order 13636 -- Improving Critical Infrastructure Cybersecurity
  – Objective: Develop a voluntary cybersecurity framework
• National Institute of Standards and Technology (NIST) developed the “Framework for Improving Critical Infrastructure Cybersecurity” (Framework)
  – Input from over 1000 different entities (government, academics, individuals)
• Final version released in February 2014
  – Delivered to critical infrastructure providers and the public

Page 5: Critical Infrastructure Sectors

– Chemical Sector
– Commercial Facility
– Communications
– Critical Manufacturing
– Dams Sector
– Defense Industrial Base
– Emergency Services
– Energy
– Financial Services
– Food and Agriculture
– Government Facilities
– Healthcare/Public Health
– Information Technology
– Nuclear Reactors/Materials
– Transportation Systems
– Water Systems

Page 6: Overview of Cyber Risk

• Cyber Risk definition
• Group of risks
• Differ in technology, attack vectors, and means
• Examples include:
  – Organization-specific malware
  – Third party provider attacks
  – Vulnerability exploitation
  – Advanced persistent threats
• Effort invested in addressing these high-impact risks is known as cybersecurity
• High-impact risks becoming more frequent
• Need to become better at protecting assets

Page 7: Overview of Framework

• Key takeaways of the Framework
  – Voluntary
  – Performance-based
  – Adaptable and flexible
  – Cost-effective
  – Leverages standards, methodologies, and processes
• Not a compliance checklist
  – Not regulated or a ruleset
  – Focus on consistent, solid security program
• Risk-based approach
• Focus on the high impact risks and work your way down

Page 8: Overview of Framework (continued)

• Allows organizations to:
  – Describe current cybersecurity posture
  – Describe target state for cybersecurity
  – Identify and prioritize opportunities for improvement
  – Assess progress towards target state
  – Communicate using common language among internal and external stakeholders about cybersecurity risk
• Complements, does not replace, risk management processes
  – Organizations without cybersecurity programs can use Framework as reference to establish one

Page 9: Overview of Framework (continued)

• Composed of three parts
  – Framework Core
    • Set of activities, desired outcomes, and applicable references (e.g., ISO, NIST 800-53)
    • Consists of five functions: Identify, Protect, Detect, Respond, Recover
    • Identifies key categories for each function
  – Framework Implementation Tiers
    • Characterize cybersecurity practices over a range from Partial (Tier 1) to Adaptive (Tier 4)
    • Provide context on how an organization views cybersecurity risk
  – Framework Profiles
    • Used to identify opportunities to improve cybersecurity posture by comparing a Current profile (“as is” state) to a Target profile (“to be” state)
    • Supports prioritization and measurement of progress towards Target profile

Page 10: Framework Core Structure

• Not a checklist of actions to perform
• Presents key cybersecurity outcomes identified as helpful in managing risk

Page 11: Cybersecurity Functions

• Focus on the following five key framework functions needed to drive a comprehensive cybersecurity program:
  – Identifying risks to resources supporting critical functions
  – Protecting these resources and limiting the impact of cybersecurity events
  – Detecting incidents that have occurred
  – Responding to the detection of events
  – Recovering following response procedures
• Each function places heavy reliance on the development of those preceding it
  – You cannot protect your environment correctly without first identifying your key systems and the risks faced by each
  – You cannot respond to events if you have not first implemented proper measures to detect them

Page 12: Framework Functional Categories

• Each function has several categories subdividing it into more detailed groups of activities:

Page 13: Framework Core Example

Page 14: Assessment of Critical Functions

• Allows organizations to assess each critical cybersecurity function

Page 15: Framework Tiers

• Developed to provide context on how the organization views cybersecurity risk along with the processes in place to manage that risk
• Characterize the organization’s practices over a range, from Partial (Tier 1) to Adaptive (Tier 4)
• Progression to higher Tiers is encouraged when this would reduce cybersecurity risk and be cost effective
  – Similar to the Capability Maturity Model (CMM), but tiers do not represent maturity levels

Page 16: Framework Tiers (continued)

Tier 1: Partial
• Risk management is not formalized; managed in an ad hoc, reactive manner
• Limited awareness of cybersecurity risk at organizational level
• No enterprise-wide approach to managing cybersecurity risk
• May not have processes in place to coordinate or collaborate with other entities

Page 17: Framework Tiers (continued)

Tier 2: Risk Informed
• Risk management practices approved by management but not established across entire organization
• Prioritization of cybersecurity activities informed by organizational risk objectives, threat environment, or business requirements
• Awareness of cybersecurity risk at organizational level
• Processes and procedures are defined and implemented
• Has not formalized capabilities to share information externally

Page 18: Framework Tiers (continued)

Tier 3: Repeatable
• Risk management practices are formally approved and documented
  – Organization-wide approach to manage cybersecurity risk
  – Policies and procedures are defined, implemented, reviewed
• Cybersecurity practices updated based on formalized risk management processes
  – Addresses changes in business requirements or changing threat environment
• Organization collaborates with partners

Page 19: Framework Tiers (continued)

Tier 4: Adaptive
• Organization-wide approach to manage cybersecurity risk
  – Part of organizational culture
• Formalized risk-informed policies, processes, and procedures
• Cybersecurity practices are adapted based on lessons learned and predictive indicators
  – Actively adapts to changing cybersecurity landscape
  – Responds to evolving threats in timely manner
• Continuous improvement incorporating advanced cybersecurity technologies and practices
  – Awareness of previous activities and current activities on systems and networks
• Actively shares information with partners to improve cybersecurity before an event occurs

Page 20: Framework Profiles

• Aligns the Functions and Categories with:
  – Business requirements and goals
  – Risk tolerance
  – Available resources
  – Legal/regulatory requirements
  – Industry best practices
• Used to describe current and desired state of specific cybersecurity activities
• Comparison of profiles identifies gaps
  – An action plan can then be developed to address gaps and prioritize efforts

Page 21: Framework Profiles (continued)

• Current Profile (“as is” state)
  – Indicates cybersecurity outcomes that are currently being achieved
• Target Profile (“to be” state)
  – Indicates outcomes needed to achieve desired cybersecurity risk management goals
  – Successful implementation of Framework is based upon achievement of outcomes described in Target Profile (not upon Tier determination)

Page 22: Alignment with Other Standards

• Framework Core provides references to existing standards or guidelines
  – COBIT 5 (Control Objectives for Information and Related Technology)
  – ISO 27001 (International Organization for Standardization – IT Security Techniques, Information Security Management Systems Requirements)
  – NIST 800-53 (National Institute of Standards and Technology – Security and Privacy Controls for Federal Information Systems and Organizations)
  – Also other standards from CCS (Council on CyberSecurity), ISA (International Society of Automation)

Page 23: Alignment with Other Standards

NIST SP 800-53 Rev. 4
• Security and Privacy Controls for Federal Information Systems
• Composed of control baselines across areas such as:
  – Access Control
  – Awareness and Training
  – Security Assessment and Authorization
  – Configuration Management
  – Contingency and Planning
  – Identification and Authentication
  – Incident Response
  – Maintenance
  – Physical/Environmental Protection
  – Information Integrity

Page 24: Alignment with Other Standards (cont.)

ISO/IEC 27001:2013 (International Organization for Standardization)
• Total of 114 controls across 14 areas such as:
  – A.5: Information security policies
  – A.6: Organization of information security
  – A.7: Human resource security
  – A.8: Asset management
  – A.9: Access control
  – A.10: Cryptography
  – A.11: Physical and environmental security
  – A.12: Operations security
  – A.13: Communications security

Page 25: Alignment with Other Standards (cont.)

COBIT 5
• Divided into Governance and Management domains
  – Governance: Contains five governance processes; within each process, evaluate, direct and monitor (EDM)
  – Management: Contains four domains, in line with the responsibility areas of plan, build, run and monitor (PBRM)
    • Align, Plan and Organize (APO)
    • Build, Acquire and Implement (BAI)
    • Deliver, Service and Support (DSS)
    • Monitor, Evaluate and Assess (MEA)

Page 26: Alignment with Other Standards (cont.)

• Example of alignment with other standards:
  – Function: Identify
  – Category: Asset Management
  – Subcategory: ID.AM-1: Physical devices and systems within the organization are inventoried
  – Informative References include:
    • COBIT 5 BAI09.01, BAI09.02
    • ISO/IEC 27001:2013 A.8.1.1, A.8.1.2
    • NIST SP 800-53 Rev. 4 CM-8

Page 27: Applying The Framework

• Can be used as a supplement to an organization’s risk management process in order to assess cybersecurity and align with best practices
• Implementation purpose is left to the organization’s discretion
  – Basic review of existing cybersecurity practices
  – Establishing or improving a cybersecurity program
  – Communicating cybersecurity requirements with stakeholders

“There are two types of companies. Those that have been hacked, and those that have been hacked but don’t know it yet”

Page 28: Applying The Framework (continued)

• Develop the “As-Is” profile
• Develop the “To-Be” profile
• Identify gaps and opportunities
• Develop a prioritized action plan

Repeatable
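As an added example (not part of the presentation or of NIST's own material), the profile comparison from the Framework Profiles slides and the As-Is/To-Be/gaps/action-plan cycle above, carried out in Python over a tiny Framework Core that reuses the ID.AM-1 mapping from the alignment example. The placeholder subcategory IDs (PR.XX-1 and so on), the 0-4 achievement levels and the function-dependency ordering used for prioritization are assumptions made here, not Framework definitions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Subcategory:
    """One Framework Core subcategory (Function.Category-n), its outcome, and
    the informative references it maps to (COBIT 5, ISO 27001, NIST 800-53)."""
    sub_id: str
    outcome: str
    references: tuple = ()

# ID.AM-1 and its references are the slide's own example; the three others are
# constructed placeholders (hypothetical IDs and outcome text) used only to
# exercise the gap calculation across several functions.
CORE = [
    Subcategory("ID.AM-1", "Physical devices and systems within the organization are inventoried",
                ("COBIT 5 BAI09.01", "COBIT 5 BAI09.02", "ISO/IEC 27001:2013 A.8.1.1",
                 "ISO/IEC 27001:2013 A.8.1.2", "NIST SP 800-53 Rev. 4 CM-8")),
    Subcategory("PR.XX-1", "Hypothetical Protect outcome"),
    Subcategory("DE.XX-1", "Hypothetical Detect outcome"),
    Subcategory("RS.XX-1", "Hypothetical Respond outcome"),
]

# Slide 11: each function relies on those preceding it, so gaps in earlier
# functions are addressed first. The 0-4 achievement levels used in the
# profiles below are a constructed scale, not part of the Framework.
FUNCTION_ORDER = {"ID": 0, "PR": 1, "DE": 2, "RS": 3, "RC": 4}

def gap_analysis(current: dict, target: dict) -> list:
    """Compare Current ("as is") and Target ("to be") Profiles; return
    (sub_id, current_level, target_level, gap) where current is below target."""
    gaps = []
    for sub in CORE:
        cur, tgt = current.get(sub.sub_id, 0), target.get(sub.sub_id, 0)
        if cur < tgt:
            gaps.append((sub.sub_id, cur, tgt, tgt - cur))
    return gaps

def action_plan(current: dict, target: dict) -> list:
    """Prioritize gaps by function dependency order, then by largest gap, and
    attach the informative references to consult when closing each one."""
    by_id = {sub.sub_id: sub for sub in CORE}
    ordered = sorted(gap_analysis(current, target),
                     key=lambda g: (FUNCTION_ORDER[g[0].split(".")[0]], -g[3]))
    return [(g[0], g[3], by_id[g[0]].references) for g in ordered]

if __name__ == "__main__":
    current = {"ID.AM-1": 1, "PR.XX-1": 3, "DE.XX-1": 0, "RS.XX-1": 2}  # constructed
    target = {"ID.AM-1": 4, "PR.XX-1": 3, "DE.XX-1": 3, "RS.XX-1": 4}   # constructed
    for sub_id, gap, refs in action_plan(current, target):
        print(f"{sub_id}: close gap of {gap}; see {', '.join(refs) or 'n/a'}")
```

Re-running the comparison after each improvement cycle is what makes the process repeatable: the new Current Profile simply replaces the old one and the plan is regenerated.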

Page 29: Implementation Benefits

• Voluntary nature of assessment leads to more open and honest discussion of cybersecurity risk exposure
• Helps expose areas of risk that may not have been previously considered
  – Electronic emanations??
• Encourages information sharing and collaboration with external partners
  – Vulnerability intelligence
  – Threat information
  – Protection & response strategies
• Encourages a layered approach to cybersecurity

Page 30: Implementation Challenges

• Requires “buy-in” from key stakeholders
  – Time and resources from multiple departments
  – Executive prioritization
• Communicating risks
  – Why does this matter?
• Cybersecurity is a long term process
• The Framework is in its infancy
  – NIST is seeking information and user experiences from early adopters

Page 31: Available Tools

• CForum (http://cyber.securityframework.org)
  – An industry led forum focused on the evolution and the use of the Cybersecurity Framework
• Utilization of a third party to facilitate
  – Provides direction
  – Objective approach
• www.nist.gov
  – Framework
  – Excel version of Core

Page 32: What’s Next for Framework

• Plans to expand future versions for:
  – Authentication
    • Focus on development of better identity and authentication mechanisms
  – Automated Indicator Sharing
    • Sharing information that is discovered prior to and during incident response activities
  – Conformity Assessment
    • Used to show that a product, service, or system meets specified requirements for managing cybersecurity risk
  – Cybersecurity Workforce
    • ISACA’s Cybersecurity Nexus (CSX): New security knowledge platform and professional program
  – Data Analytics
    • Big data and analytic tools coupled with cloud, mobile, and social computing
  – Federal Agency Cybersecurity Alignment
    • FISMA, FIPS, etc.
  – International Alignment
  – Supply Chain Risk Management
  – Privacy Standards

Page 33: For More Information

If you wish to discuss any aspects of this presentation in more detail, please feel free to contact us:

Clark Schaefer Consulting, LLC.
120 East Fourth Street, Suite 1100
Cincinnati, OH 45202
(513) 768-7100
www.clarkschaefer.com

Or send an e-mail directly to Sarah at: [email protected]

Page 34: Questions?