What Are Best Practices? Making Sense of NIST and Other IT Security Frameworks
April 27, 2017
Sarah Ackerman and Carly Devlin
Clark Schaefer Consulting
Our webinar will begin shortly.
Questions
How to ask a question during today’s webinar:
Use the “Chat” or “Question” feature on the GoToWebinar panel.
You can also email DeAnna Bird at
Questions will be addressed at the end of the webinar.
CPE
CPE is available for this event.
You will receive an email by the end of the day that will contain today’s presentation & CPE form.
You will receive 3 CPE codes during today’s presentation.
Record those 3 CPE codes to complete the CPE form.
Introductions
Sarah Ackerman, CISSP, CISA, CICP
Managing Director, Cincinnati Office
Responsible for overall engagement quality and oversight of projects
Areas of expertise include information security; risk management; and IT governance, audit, and compliance
Works with a wide variety of clients and industries across Ohio and Kentucky
In-depth knowledge of IT and security frameworks, regulations, and standards, including ISO, NIST, COBIT, GLBA, FDA, HIPAA, PCI
Introductions
Carly Devlin, CISSP, CISA
Director, Columbus Office
Responsible for management of client relationships, projects, and consultants
Areas of expertise include information security, IT audit, IT operations, and risk management
Works with a wide variety of clients and industries across Ohio and Kentucky
In-depth knowledge of IT and security frameworks, regulations, and standards, including ISO, NIST, COBIT, GLBA, PCI
CPE Code 1
35764
Agenda
Regulatory vs. Security Frameworks
Overview of HIPAA, PCI, GLBA, ISO, NIST
NIST Deep Dive: Top 10
Regulatory vs. Security Frameworks
Regulatory Frameworks: PCI, HIPAA, GLBA
Security Frameworks: ISO, NIST
Overview of Regulatory Frameworks
PCI DSS: Payment Card Industry Data Security Standard
What is it? Standards for protecting payment systems from breaches and theft of cardholder data
Who does it apply to? Merchants, financial institutions, point-of-sale vendors
Who enforces it? Individual payment brands or acquiring banks
HIPAA: Health Insurance Portability and Accountability Act of 1996
What is it? Legislation that provides data privacy and security provisions for safeguarding medical information
Who does it apply to? Healthcare providers, health plans, and healthcare clearinghouses
Who enforces it? United States Department of Health and Human Services (HHS)
GLBA: Gramm-Leach-Bliley Act (Financial Modernization Act of 1999)
What is it? Regulation that requires disclosure of information-sharing practices to customers and safeguarding of sensitive data
Who does it apply to? Financial institutions
Who enforces it? FRB, FTC, FDIC, NCUA, OCC, CFPB
ISO Overview
International Organization for Standardization
ISO began operations in 1947
Independent, non-governmental international organization with a membership of 162 national standards bodies
ISO has published 21,599 international standards and related documents for every industry
NIST Overview
National Institute of Standards and Technology
NIST was founded in 1901 and is now part of the U.S. Department of Commerce.
Mission is to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology
Standards and guidelines developed by NIST for computer systems are issued as Federal Information Processing Standards (FIPS)
CPE Code 2
13893
NIST: Special Publications
http://csrc.nist.gov/publications/PubsSPs.html
800-53: Security and Privacy Controls for Federal Information Systems and Organizations
800-161: Supply Chain Risk Management Practices
800-61: Computer Security Incident Handling Guide
800-124: Guidelines for Managing the Security of Mobile Devices in the Enterprise
800-50: Building an Information Technology Security Awareness and Training Program
800-122: Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)
800-30: Guide for Conducting Risk Assessments
800-115: Technical Guide to Information Security Testing and Assessment
800-34: Contingency Planning Guide for Federal Information Systems
Cybersecurity Framework
1800 series: Cyber Security Practice Guides
800-53: Security and Privacy Controls for Federal Information Systems and Organizations
18 security areas
– Management/enterprise
– Operational
– Technical
8 privacy areas
800-53: Security – Technical
AC: Access Control
AU: Audit and Accountability
CM: Configuration Management
IA: Identification and Authentication
SC: System and Communications Protection
SI: System and Information Integrity
800-53: Security – Operational
CA: Security Assessment and Authorization
CP: Contingency Planning
IR: Incident Response
MA: System Maintenance
MP: Media Protection
PE: Physical and Environmental Protection
800-53: Security – Management/Enterprise
AT: Security Awareness and Training
PL: Security Planning
PM: Program Management
PS: Personnel Security
RA: Risk Assessment
SA: System and Services Acquisition
800-53: Privacy
AP: Authority and Purpose
AR: Accountability, Audit, and Risk Management
DI: Data Quality and Integrity
DM: Data Minimization and Retention
IP: Individual Participation and Redress
SE: Security
TR: Transparency
UL: Use Limitation
800-53: Example Control
800-53: Security and Privacy Controls for Federal Information Systems and Organizations
Benefits:
– Comprehensive
– Supplemental guidance useful
– Baselines allow risk-based approach
– Supported by 53A, allowing for corresponding assessment
– Cross references throughout and to other NIST SPs
Challenges:
– Comprehensive! (Complex)
– Focus on Federal systems
• Private entities? State/Local government?
– Focus on information systems
• IoT devices, industrial control systems, weapons systems
800-53: What’s Next?
Revision 5 - 3/28/17
Not yet published
Proposed changes can be found here
All drafts of computer security publications can be found here
Revision 4, April 2013:
http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf
Excel, XML available:
https://web.nvd.nist.gov/view/800-53/home
800-161: Supply Chain Risk Management Practices for Federal Information Systems and Organizations
Information and communications technology (ICT) supply chain risks
Includes the following:
Integration of ICT supply chain risk management (SCRM) into organization-wide risk management
ICT SCRM Controls (enhanced overlay of NIST 800-53)
ICT Supply Chain Threat Events
Supply Chain Threat Scenarios and Analysis Framework
ICT SCRM Plan Template
800-161: Supply Chain Risk Management Practices for Federal Information Systems and Organizations (cont.)
Benefits:
Overlay of NIST 800-53
Developed with diverse input
Guidance for each organizational tier, organizational functions, and system development life cycle
Challenges:
Cyber supply chain risks cut across every major function and business line
800-161: Supply Chain Risk Management Practices for Federal Information Systems and Organizations
April 2015:
http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-161.pdf
800-61: Computer Security Incident Handling Guide
Organizing a Computer Security Incident Response Capability
Understanding Events and Incidents
Incident Response Policy, Plan, Procedures
Incident Response Team Structure
Handling an Incident
Preparation
Detection and Analysis
Containment, Eradication, and Recovery
Post-Incident Activity
800-61: Computer Security Incident Handling Guide (cont.)
Benefits:
Easy to understand for detecting, analyzing, prioritizing, and handling incidents
Provides checklists, scenarios, examples, recommendations
Challenges:
Less focus on establishing an incident response program
Doesn’t provide a specific template for Incident Response Policy or Plan
800-61: Computer Security Incident Handling Guide
Revision 2, August 2012:
http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf
800-124: Guidelines for Managing the Security of Mobile Devices in the Enterprise
Organization-provided and BYOD mobile devices
Includes the following:
Mobile Device Overview
Technologies for Mobile Device Management
Security for the Enterprise Mobile Device Solution Life Cycle
Supporting NIST 800-53 Security Controls
800-124: Guidelines for Managing the Security of Mobile Devices in the Enterprise (cont.)
Benefits:
Recommendations for selecting, implementing and using centralized management technologies for securing mobile devices
Refers to applicable NIST 800-53 controls
Challenges:
Addressing BYOD
800-124: Guidelines for Managing the Security of Mobile Devices in the Enterprise
Revision 1, June 2013:
http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-124r1.pdf
800-50: Building an Information Technology Security Awareness and Training Program
Components: Awareness, Training, Education
Designing the Program
– Conducting Needs Assessment
– Developing Strategy and Plan
– Establishing Priorities
– Setting the Bar
– Funding the Program
Developing Material
– Selecting Topics
– Sources of Material
Implementing the Program
– Communicating the Plan
– Techniques for Delivering Material
Post-Implementation
– Monitoring Compliance
– Evaluation and Feedback
– Managing Change
– Ongoing Improvement
– Program Success Indicators
800-50: Building an Information Technology Security Awareness and Training Program (cont.)
Appendices
Sample needs assessment interview and questionnaire
Sample metric
Sample program plan template
Sample awareness posters
800-50: Building an Information Technology Security Awareness and Training Program (cont.)
Benefits:
Good starting point
• Comprehensive list of awareness topics
Incorporates various roles from CIO to user
Different program models (centralized, partially/fully decentralized)
Cross references to other NIST SPs
• Awareness and Training Metric => SP 800-55 Security Metrics Guide for IT Systems
Challenges:
Outdated
Doesn’t incorporate tools (e.g., phishing)
Awareness and Training Plan template very high level, not detailed
800-50: Building an Information Technology Security Awareness and Training Program
October 2003:
http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-50.pdf
800-122: Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)
Confidentiality of PII
Includes the following:
Introduction to PII
PII Confidentiality Impact Levels
PII Confidentiality Safeguards
Incident Response for Breaches Involving PII
Scenarios for PII Identification and Handling
800-122: Guide to Protecting the Confidentiality of PII (cont.)
Benefits:
Categorizing PII by the confidentiality impact level
Other terms and definitions used to describe personal information
Challenges:
Identifying all PII residing in environment
Organizations subject to a different combination of laws, regulations, and other mandates
800-122: Guide to Protecting the Confidentiality of PII
April 2010:
http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-122.pdf
800-30: Guide for Conducting Risk Assessments
The Fundamentals
Risk management process
Risk assessment
Key risk concepts
Application of risk assessments
800-30: Guide for Conducting Risk Assessments (cont.)
The Risk Assessment Process
800-30: Guide for Conducting Risk Assessments (cont.)
Appendices
Threat Sources
Threat Events
Vulnerabilities and Predisposing Conditions
Likelihood of Occurrence
Impact
Risk Determination
Informing Risk Response
Risk Assessment Reports
Summary of Tasks
800-30: Guide for Conducting Risk Assessments (cont.)
Benefits:
Comprehensive, detailed
Lots of examples
Good summaries of key activities throughout
Flexible
• Different approaches: threat, asset/impact, vulnerability
Challenges:
Complex
Overly granular
800-30: Guide for Conducting Risk Assessments
Revision 1, September 2012:
http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-30r1.pdf
800-115: Technical Guide to Information Security Testing and Assessment
Security testing and assessments
Includes the following:
Security Testing and Examination Overview
Review Techniques
Target Identification and Analysis Techniques
Target Vulnerability Validation Techniques
Security Assessment Planning
Security Assessment Execution
Post-Testing Activities
800-115: Technical Guide to Information Security Testing and Assessment (cont.)
Benefits:
Includes two live operating system CD distributions
Techniques can be leveraged with the NIST 800-53A methodology
Challenges:
Technically oriented
Dozens of security testing and examination techniques exist
800-115: Technical Guide to Information Security Testing and Assessment
September 2008:
http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-115.pdf
800-34: Contingency Planning Guide for Federal Information Systems
Information system contingency plan (ISCP) development
Includes the following:
Types of Contingency Planning
Information System Contingency Planning Process
Information System Contingency Plan Development
Technical Contingency Planning Considerations
Sample Information System Contingency Plan Templates
800-34: Contingency Planning Guide for Federal Information Systems (cont.)
Benefits:
Integrated with NIST 800-53 contingency planning related controls
Purpose, scope, and plan relationship for various types of plans
3 sample formats
Challenges:
Independent of specific hardware platforms, operating systems, and applications
Does not address facility-level information system planning (DR plan)
800-34: Contingency Planning Guide for Federal Information Systems
Revision 1, May 2010:
http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-34r1.pdf
Cybersecurity Framework (CSF)
Three parts:
– Framework Core
– Framework Implementation Tiers
– Framework Profiles
Framework Core:
CSF Core
CSF: Tiers/Profiles
Tiers
– Tier 1: Partial
– Tier 2: Risk Informed
– Tier 3: Repeatable
– Tier 4: Adaptive
Profiles
– Current profile (“as is”)
– Target profile (“to be”)
CSF: Applying The Framework
Develop the “As-Is” profile
Develop the “To-Be” profile
Identify gaps and opportunities
Develop a prioritized action plan
CSF: Benefits, Challenges
Benefits:
– Voluntary
– Expose new risks
– Sharing, collaboration
– Layered approach
Challenges:
– Not “set it and forget it”
– Requires “buy-in”
– Communicating risks
– Large, complex organizations
– Lack of quantifiable metrics
CSF: What’s Next?
Draft update (v1.1) has been issued
Comments were due 4/10/17
Proposed changes can be found here
Cybersecurity Framework
Cybersecurity Framework
Framework available as PDF, additional support via Excel
Draft Version 1.1, January 2017:
https://www.nist.gov/cyberframework/draft-version-11
Version 1, February 2014:
https://www.nist.gov/sites/default/files/documents/cyberframework/cybersecurity-framework-021214.pdf
1800 Series: Cybersecurity Practice Guides
SP 1800-7 (Draft), February 2017: Situational Awareness for Electric Utilities
SP 1800-6 (Draft), November 2016: Domain Name Systems-Based Electronic Mail Security
SP 1800-5 (Draft), October 2015: IT Asset Management: Financial Services
SP 1800-4 (Draft), November 2015: Mobile Device Security: Cloud and Hybrid Builds
SP 1800-3 (Draft), September 2015: Attribute Based Access Control
SP 1800-2 (Draft), August 2015: Identity and Access Management for Electric Utilities
SP 1800-1 (Draft), July 2015: Securing Electronic Health Records on Mobile Devices
CPE Code 3
56932
Questions?
If you wish to discuss any aspect of this presentation in more detail, please feel free to contact us:
Sarah Ackerman
(513) 371-5613
Carly Devlin
(614) 607-5132