Iowa CyberCon4 - April 2019 (Ward) · NIST Tools and Resources for Small Network Operators · May · www.ntca.org/cybersecurity
TRANSCRIPT
Page 1
NIST 101: Tools and Resources for Small Network Operators
May 8, 2019
www.ntca.org/cybersecurity
Page 2
About Jesse
• Director of Industry & Policy Analysis for NTCA
• 14 years with the association
• Focused on cybersecurity policy
• Represent interests of small network providers
• Participate in working groups:
  • NTCA’s Cybersecurity Working Group
  • FCC’s CSRIC advisory council
  • DHS ICT Supply Chain Risk Management (SCRM) Task Force
  • Communications Sector Coordinating Council (CSCC)
  • Communications Information Sharing and Analysis Center (ISAC)
Page 3
NIST 101
Page 4
• Mission: to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology
• Non-partisan
• Maintains UTC, the U.S. national standard for time-of-day, time interval, and frequency
• Cybersecurity: Standards; Framework; Center of Excellence
Page 5
NIST Cybersecurity Framework 1.1
Page 6
Evolution of the Framework
• Backwards compatible; roadmap for future evolution
• Version 1.1 additions:
  • authentication and identity
  • supply chain
  • vulnerability disclosure
  • self-assessment
• Policymakers doubling down on Framework approach
• Focus on metrics
Page 7
Framework 1.1 Core Structure
• 23 Categories
• 108 Subcategories
• Informative References: ISO 27001, NIST 800-53, COBIT
Page 8
The Value of the NIST Framework
Page 9
Risk-Management Process
• Identify
• Assess
• Respond
Page 10
You cannot eliminate all risk. Rather, the goal is to understand security risks, and then reduce those risks to an acceptable level.
“Risk Tolerance”
Page 11
Risk Management Approach
• Flexible & dynamic
• Company-wide approach
• Governed by senior execs
• Strives for ongoing improvement
Page 12
Page 13
Resources
• Sector-Specific Guide
• NTCA Cybersecurity Bundle
Page 14
Sector-Specific Guide
“The magnitude of the framework can be both intimidating for a smaller business and, due to resource limitations, functionally impossible to implement all at once. As such, the NTCA Member Advisory Group offers the following implementation guidance for small network operators.”
• Operational guidance, drafted by NTCA members
• Illustrative and flexible; not a prescriptive checklist
• Focus on “core network” and “critical infrastructure and services”
Page 15
Sector Guide: Framework Analysis
• In or Out of Scope
• Criticality (1-5)
• Application to Operating Environment
• Barriers to Implementation
Page 16
Sector Guide: Priority Practices
Page 17
Sector Guide: Case Study
Page 18
Sector Guide: Tools and Resources
• Best practices
• Planning guides/templates
• Tools
• Training
• Standards
Page 19
2018 NTCA Cybersecurity Bundle
Page 20
• “On-ramp” to using the NIST Framework
• Based upon NTCA member best practices
• Encourages robust internal discussion
• Define cyber risk-management team
• Meeting agendas, topics, and questions informed by 5 cybersecurity functions and most critical subcategories from Sector-Specific Guide
Page 21
Questions?
Save-the-Date: NTCA 2019 Cybersecurity Summit, Oct 27-29, Salt Lake City, UT
Jesse [email protected]