Page 1: CS6 NIST Framework

Derek Boczenowski | IT Auditor | February 12, 2015

Taking Advantage of the NIST Cybersecurity Framework

Page 2: CS6 NIST Framework

Agenda

Introduction

Definition of Cybersecurity

Framework Introduction

Framework Core

Framework Implementation Tiers

Framework Profiles

How to use the Framework

Page 3: CS6 NIST Framework

Introduction – Why Cybersecurity?

Cybersecurity Breaches

Increased reliance on technology

Outsourced and Cloud solutions

New Vulnerabilities appear every day

Risk Assessments aren’t as sexy as they used to be…

Page 4: CS6 NIST Framework

Cybersecurity Challenges

Organizational and asset size

Federal and state regulations

In-house vs. Service Bureau systems

Lack of clear guidance

Constantly evolving landscape

Lack of understanding at the C-Level

Lack of formal budget

Page 5: CS6 NIST Framework

Cybersecurity Defined

Information Security deals with information, regardless of its format—it encompasses paper documents, digital and intellectual property in people’s minds, and verbal or visual communications.

Cybersecurity, on the other hand, is concerned with protecting digital assets—everything from networks to hardware and information that is processed, stored or transported by internetworked information systems.

If you have a mature information security program in place, leverage it for Cybersecurity too!

Page 6: CS6 NIST Framework

What the NIST Cybersecurity Framework Does

Allows organizations to review their current Cybersecurity posture

Develops a target Cybersecurity state to achieve

Identifies and prioritizes opportunities for improvement

Relies on a set of global standards, guidelines, and practices that are in line with industry standards (ISO, COBiT, FFIEC, Etc.)

Consists of three main areas: the Framework Core, the Framework Implementation Tiers, and the Framework Profile

Page 7: CS6 NIST Framework

What the Framework Does NOT

Does not replace Risk Management process.

Does not replace organizational programs already in place

Does not provide a “One Size Fits All” solution.

Does not map to a specific industry or country

Does not force compliance.

Page 8: CS6 NIST Framework

Framework Core Overview

The Framework Core is a set of cybersecurity activities, desired outcomes, and references that are common across critical infrastructure sectors.

Presents industry standards, guidelines, and practices of cybersecurity activities

Provides a high-level, strategic view of the lifecycle of an organization’s management of cybersecurity risk

Consists of five concurrent and continuous Functions—Identify, Protect, Detect, Respond, Recover

Page 9: CS6 NIST Framework

Framework Core Structure

Page 10: CS6 NIST Framework

Framework Core Overview

Identify – Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.

Protect – Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services

Detect – Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.

Respond – Develop and implement the appropriate activities to take action regarding a detected cybersecurity event.

Recover – Develop and implement the appropriate activities to maintain plans for resilience and to restore services impacted by a cybersecurity event.

Page 11: CS6 NIST Framework

Framework Core Identifiers

Page 12: CS6 NIST Framework

Framework Core Maps

Page 13: CS6 NIST Framework

Framework Takeaways

A Cybersecurity Risk Assessment will be critical to implementing any controls

NIST did not reinvent the wheel when developing the Cybersecurity Framework. Make sure you don’t either (Unless you want to!)

If you are already working towards an accepted security framework (COBiT, ISO, etc.), you will be able to map the cybersecurity items directly in most cases

While much of Cybersecurity is IT-centric, many key critical metrics such as adoption, communication, and training are enterprise-wide initiatives

Page 14: CS6 NIST Framework

Framework Implementation Tiers

Provides context on how an organization views cybersecurity risk and the processes in place to manage that risk.

Tiers range from Partial (Tier 1) to Adaptive (Tier 4) and describe an increasing degree of rigor and sophistication in cybersecurity risk management practices.

Tiers do NOT represent maturity levels. Progression to higher Tiers is encouraged when such a change would reduce cybersecurity risk and be cost effective

Tiers deal with three main components: the Risk Management Process, an Integrated Risk Management Program, and External Participation.

Page 15: CS6 NIST Framework

Framework Implementation Tiers

Tier 1: Partial (Ad Hoc) – Informal processes that are often reactive in nature.

Tier 2: Risk Informed – General awareness of risk, but not formally recognized and established as an organization-wide effort

Tier 3: Repeatable – Organization-wide risk management effort with policies, procedures and practices regularly updated and reviewed.

Tier 4: Adaptive – Adapts policies and procedures using lessons learned and predictive indicators to anticipate future events.

Page 16: CS6 NIST Framework

Framework Tier Takeaways

Progression through the tiers is encouraged if it would both reduce the cybersecurity risk and be cost effective.

You can have a mature cybersecurity program and still be at tier 2. Tiers are not based on maturity levels like the COBiT ratings are.

Successful Cybersecurity programs are based upon the goals the organization has set for itself in regards to cybersecurity, not what tier the organization is at.

Page 17: CS6 NIST Framework

Framework Profile

A Framework Profile is a document that uses the ideas and concepts in the framework core

You can have a current profile that shows where the organization is currently, or a target profile that expresses a cybersecurity goal and what needs to be done to get there.

The NIST framework doesn’t provide a profile template. It recognizes that every organization is different and different profiles will be required.

ISACA has some good examples of profiles available.

Page 18: CS6 NIST Framework

Sample Framework Profile

Page 19: CS6 NIST Framework

Framework Implementation

For companies that have mature Information Security programs in place, use the Framework Core to:

Identify gaps in your current programs.

Develop an action plan to close gaps and improve your cybersecurity posture.

If you are already using a COBiT or ISO framework, map the Framework core to those standards, and make sure you have considered the cybersecurity aspect of the parts of those frameworks

Page 20: CS6 NIST Framework

Framework Implementation

For companies that have not yet put a formal Information Security program in place, or would like to overhaul their current program:

Create a current profile with the Framework (Where you are currently).

Conduct a Risk Assessment.

Create a target profile with the Framework (Where you want to be).

Develop an action plan based on the profiles.

Implement the action plan
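The two implementation paths above (slides 19 and 20) come down to the same mechanics: record a current profile, rate risk, record a target profile, and turn the difference into a prioritized action plan. The script below is an added illustration of that gap analysis; it is not part of the slides or of NIST's published material. The Subcategory IDs are real CSF 1.0 identifiers (the version linked in the references), but the statuses, risk ratings and the risk-times-gap priority formula are constructed for the example, and the three-level status scale is an assumption of this script, not something the Framework prescribes.

```python
"""Profile gap analysis for the NIST Cybersecurity Framework.

Added illustration, not part of the slides or of NIST's materials. The slides
describe building a current profile, conducting a risk assessment, building a
target profile and deriving an action plan; this script models those steps
over a handful of Subcategories. The Subcategory IDs are real CSF 1.0
identifiers; the statuses, risk ratings and the priority formula are
constructed for the example.
"""
from collections import Counter

# Implementation status of a Subcategory outcome, ordered lowest to highest
# (an assumed scale; the Framework itself does not define one).
STATUS_ORDER = ("not_implemented", "partial", "implemented")

# Constructed current profile: where the organization is today.
CURRENT_PROFILE = {
    "ID.AM-1": "partial",          # physical devices and systems inventoried
    "ID.RA-1": "not_implemented",  # asset vulnerabilities identified and documented
    "PR.AC-1": "implemented",      # identities and credentials managed
    "PR.AT-1": "partial",          # all users informed and trained
    "DE.CM-1": "not_implemented",  # network monitored for cybersecurity events
    "RS.RP-1": "partial",          # response plan executed during/after an event
    "RC.RP-1": "not_implemented",  # recovery plan executed during/after an event
}

# Constructed target profile: the goal state. RC.RP-1 is deliberately left at
# "partial", modelling the slides' point that a higher state is pursued only
# where it reduces risk cost-effectively.
TARGET_PROFILE = {
    "ID.AM-1": "implemented",
    "ID.RA-1": "implemented",
    "PR.AC-1": "implemented",
    "PR.AT-1": "implemented",
    "DE.CM-1": "implemented",
    "RS.RP-1": "implemented",
    "RC.RP-1": "partial",
}

# Constructed risk ratings (1 = low, 5 = high) from the risk assessment step.
RISK_RATING = {
    "ID.AM-1": 3, "ID.RA-1": 4, "PR.AC-1": 5, "PR.AT-1": 3,
    "DE.CM-1": 5, "RS.RP-1": 4, "RC.RP-1": 2,
}


def status_rank(status):
    """Map a status string to its position in STATUS_ORDER; reject unknowns."""
    if status not in STATUS_ORDER:
        raise ValueError(f"unknown status {status!r}; expected one of {STATUS_ORDER}")
    return STATUS_ORDER.index(status)


def gap(current_status, target_status):
    """Status steps between current and target (0 if already met or exceeded)."""
    return max(0, status_rank(target_status) - status_rank(current_status))


def action_plan(current, target, risk):
    """Return the Subcategories with an open gap, ordered by risk-weighted gap.

    Priority = risk rating x gap size (constructed formula). Ties fall back to
    the raw risk rating, then to the Subcategory ID for a stable order. A
    Subcategory in the target profile that the current profile never assessed
    is an error: the current profile must be complete before planning.
    """
    missing = sorted(set(target) - set(current))
    if missing:
        raise ValueError(f"target profile references unassessed Subcategories: {missing}")
    plan = []
    for sub_id, target_status in target.items():
        g = gap(current[sub_id], target_status)
        if g == 0:
            continue
        plan.append({
            "id": sub_id,
            "function": sub_id.split(".")[0],  # ID, PR, DE, RS or RC
            "current": current[sub_id],
            "target": target_status,
            "gap": g,
            "priority": risk[sub_id] * g,
        })
    plan.sort(key=lambda item: (-item["priority"], -risk[item["id"]], item["id"]))
    return plan


def gaps_by_function(plan):
    """Count open gaps per Framework Function, e.g. {'ID': 2, 'PR': 1, ...}."""
    return dict(Counter(item["function"] for item in plan))


if __name__ == "__main__":
    plan = action_plan(CURRENT_PROFILE, TARGET_PROFILE, RISK_RATING)
    for item in plan:
        print(f"{item['id']:8} {item['current']:>15} -> {item['target']:<12} "
              f"priority={item['priority']}")
    print("open gaps per Function:", gaps_by_function(plan))
```

Run as-is to see the ordered plan: the unmonitored network (DE.CM-1) and the missing vulnerability documentation (ID.RA-1) come out on top because they combine a high risk rating with a two-step gap, while PR.AC-1 never appears because its target is already met. The per-Function summary is the kind of number that travels well to the C-Level discussion the earlier slides call for, since it shows at a glance which of Identify, Protect, Detect, Respond and Recover carries the most open work.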

Page 21: CS6 NIST Framework

Framework Implementation

Page 22: CS6 NIST Framework

Do or Do Not, There is no Try

Do not assume that your IS program is sufficient for a Cybersecurity Assessment/Audit.

Do conduct a Risk Assessment.

Do not implement a canned or pre-packaged solution.

Do get buy-in and understanding from Senior Staff and C-Level Executives.

Do make sure you have a good security awareness training program in place.

Page 23: CS6 NIST Framework

Do or Do Not, There is no Try

Do join the Financial Services Information Sharing and Analysis Center: http://www.fsisac.com/

Do not wait to start looking at getting forensic help on retainer.

Do make sure you are familiar with state regulations as well as the federal ones.

Do consider getting a third-party assessment to enhance knowledge and understanding.

Page 24: CS6 NIST Framework

References & Links

Council on CyberSecurity (CCS) Top 20 Critical Security Controls (CSC): http://www.counciloncybersecurity.org

Framework for Improving Critical Infrastructure Cybersecurity: http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214-final.pdf

Update on the Cybersecurity Framework, December 4, 2014: http://www.nist.gov/cyberframework/upload/nist-cybersecurity-framework-update-120514.pdf

NIST Cybersecurity: http://www.nist.gov/cyberframework/

ISACA Cybersecurity nexus: http://www.isaca.org/cyber/Pages/default.aspx

FFIEC Cybersecurity Awareness: https://www.ffiec.gov/cybersecurity.htm

NY Banking CyberSecurity Exam Process: http://www.dfs.ny.gov/banking/bil-2014-10-10_cyber_security.pdf

Page 25: CS6 NIST Framework

Contact Information

Derek Boczenowski, Senior IT Security Analyst

[email protected]