CYBERSECURITY UPDATE October 9, 2013 Southern Risk Council Public Use

Southern Risk Council - Cybersecurity Update 10-9-13


Page 1: Southern Risk Council - Cybersecurity  Update 10-9-13

CYBERSECURITY UPDATE

October 9, 2013

Southern Risk Council

Public Use

Page 2: Southern Risk Council - Cybersecurity  Update 10-9-13


The Cybersecurity Activity in Washington

Cyber Security

White House

DHS Regulators

Congress

• Cybersecurity Framework
• DHS Integrated Task Force
• Regulators (e.g. FCC CSRIC)
• Possible Legislation


Page 3: Southern Risk Council - Cybersecurity  Update 10-9-13


DHS Critical Infrastructure Sectors

Communications Sub-sectors:
• Cable
• Wireless
• Wireline
• Satellite
• Broadcast


Page 4: Southern Risk Council - Cybersecurity  Update 10-9-13


Executive Order on Cybersecurity

• President signed an Executive Order and Presidential Policy Directive on February 12, 2013 to Improve Critical Infrastructure Cybersecurity

• “Critical Infrastructure” is defined as “systems and assets, whether physical or virtual, so vital to the US” that their incapacity or destruction would have debilitating impact on:
  • Security
  • National economic security
  • Public health or safety

• Key Parts
  • Cybersecurity Information Sharing (AG, DHS, and DNI, section 4)
  • Privacy and Civil Liberties Protections (DHS, section 5)
  • Develop Baseline Framework to Reduce Cyber Risk to Critical Infrastructure (NIST, section 7)
  • Voluntary program to support adoption (DHS, section 8)
  • “Procurement requirements related to cybersecurity”
  • Identification of Critical Infrastructure at Greatest Risk (DHS, section 9)
  • Agency review and report on existing regulatory requirements and authority to establish new framework-based requirements (section 10)

Page 5: Southern Risk Council - Cybersecurity  Update 10-9-13


How the Framework has been Developed

5th Framework Workshop – November 14-15

EO 13,636 and PPD-21 – February 12, 2013

Page 6: Southern Risk Council - Cybersecurity  Update 10-9-13


The Cybersecurity Framework

Cybersecurity Risk Management

• Identify
• Protect
• Detect
• Respond
• Recover

• Prioritized
• Flexible
• Repeatable
• Performance based
• Cost Effective

Basic Cyber Hygiene


Page 7: Southern Risk Council - Cybersecurity  Update 10-9-13


DHS Voluntary Cybersecurity Program

Voluntary Adoption Program

Incentives

Implementation Guidance

Promote Participation

Adopters

DHS must submit an annual report on the participation in this program


Page 8: Southern Risk Council - Cybersecurity  Update 10-9-13


White House on Cybersecurity Incentives

The departments of Homeland Security, Commerce and Treasury identified 8 incentives the federal government could use to encourage the nation's critical infrastructure owners to adopt voluntarily the cybersecurity framework being developed under the auspices of the National Institute of Standards and Technology.

The eight incentives are:

1. Cybersecurity insurance,

2. Grants,

3. Process preferences,

4. Liability limitation,

5. Streamlined regulations,

6. Public recognition,

7. Rate recovery for price-regulated industries and

8. Cybersecurity research.

Incentives would help nation's critical infrastructure operators adopt voluntary framework.


Page 9: Southern Risk Council - Cybersecurity  Update 10-9-13


Cybersecurity Timeline

• Oct 12, 2013: Publication of Preliminary Framework
• Nov 14, 2013: 5th NIST Workshop
• Nov 28, 2013: End of 45 Day Comment Period on Preliminary Framework
• Feb 12, 2014: Publication of Final Framework
• Feb 2014: FCC CSRIC IV Commences
• May 12, 2014: Regulatory Requirements Sufficiency Analysis
• Feb 2016: Framework Effectiveness Assessment


Page 10: Southern Risk Council - Cybersecurity  Update 10-9-13


Thanks

Phil Agcaoili

Chief Information Security Officer, Cox Communications, Inc.

Co-Chair, Communications Sector Coordinating Council (CSCC), Cybersecurity Committee – Technical Sub-Committee

Member, Communications Information Sharing and Analysis Center (ISAC)

Co-Chair, FCC CSRIC IV, WG 4 (Cybersecurity Best Practices)

Co-Founder & Board Member, Southern CISO Security Council

Distinguished Fellow and Fellows Chairman, Ponemon Institute

Founding Member, Cloud Security Alliance (CSA)

Inventor & Co-Author, CSA Cloud Controls Matrix, GRC Stack, Security, Trust and Assurance Registry (STAR), and CSA Open Certification Framework (OCF)

@hacksec

https://www.linkedin.com/in/philA

Page 11: Southern Risk Council - Cybersecurity  Update 10-9-13


CYBER INSURANCE

Section 2