Cybersecurity Framework
October 7, 2014
Sarah Ackerman, Wendy Huber, Keith Swartz
Clark Schaefer Consulting

Agenda
• History of the Framework
• Critical Infrastructure Sectors
• Overview of Cyber Risk
• Overview of Framework
• Framework Core
• Cybersecurity Functions
• Framework Functional Categories
• Assessment of Critical Functions
• Framework Tiers
• Framework Profiles
• Alignment with Other Standards
• Applying the Framework
• Implementation Benefits
• Implementation Challenges
• Available Tools
• What's Next for Framework
Introductions

Clark Schaefer Consulting: Serving elite and emerging companies with practical solutions, Clark Schaefer Consulting is a regional consulting firm with practices in accounting, controls, and technology.

Sarah Ackerman, CISSP, CISA, CICP: As the Director of Technology, Sarah Ackerman provides the Firm with extensive experience and knowledge regarding information security, IT audit, and other technology and control related services. Sarah’s work in security operations has resulted in a proven track record of success in identifying system control weaknesses, protecting information assets, and leading clients to successful organizational changes. She is well versed in internal controls and has successfully served in a variety of roles including consulting, risk management, and internal audit.

Wendy Huber, CISA, Security+, CICP: Wendy is an experienced professional with a strong information technology background. She has experience with monitoring system security, process improvement, documenting and testing internal controls, and working with internal and external auditors. In addition, she possesses extensive experience with change management and logical security. Wendy is familiar with a variety of systems and technologies with expertise related to security, administration, and report writing.

Keith Swartz, CISA, CICP: Keith is an experienced professional who has an extensive IT background and continuously developing IT security knowledge. He has aided small and large, private and public businesses with IT control and security initiatives, and adapts quickly to changing environments. He possesses excellent communication skills and can work as a team member or individually to achieve desired results in a timely fashion. Keith is well versed in internal controls and has successfully served in a variety of roles, including as a systems administrator.
History of the Framework
• Repeated cyber intrusions demonstrated the need for improved cybersecurity
• February 12, 2013: President Obama issued Executive Order 13636, Improving Critical Infrastructure Cybersecurity
  • Objective: Develop a voluntary cybersecurity framework
• National Institute of Standards and Technology (NIST) developed the “Framework for Improving Critical Infrastructure Cybersecurity” (Framework)
  • Input from over 1000 different entities (government, academics, individuals)
• Final version released in February 2014
• Delivered to critical infrastructure providers and the public

Critical Infrastructure Sectors
• Chemical Sector
• Commercial Facility
• Communications
• Critical Manufacturing
• Dams Sector
• Defense Industrial Base
• Emergency Services
• Energy
• Financial Services
• Food and Agriculture
• Government Facilities
• Healthcare/Public Health
• Information Technology
• Nuclear Reactors/Materials
• Transportation Systems
• Water Systems
Overview of Cyber Risk
• Cyber Risk definition
  • Group of risks
  • Differ in technology, attack vectors, and means
  • Examples include:
    • Organization-specific malware
    • Third party provider attacks
    • Vulnerability exploitation
    • Advanced persistent threats
• Effort invested in addressing these high-impact risks is known as cybersecurity
• High-impact risks are becoming more frequent
• Need to become better at protecting assets

Overview of Framework
• Key takeaways of the Framework
  • Voluntary
  • Performance-based
  • Adaptable and flexible
  • Cost-effective
  • Leverages standards, methodologies, and processes
• Not a compliance checklist
  • Not a regulation or ruleset
  • Focus on a consistent, solid security program
• Risk-based approach
  • Focus on the high impact risks and work your way down
Overview of Framework (continued)
• Allows organizations to:
  • Describe current cybersecurity posture
  • Describe target state for cybersecurity
  • Identify and prioritize opportunities for improvement
  • Assess progress towards target state
  • Communicate using common language among internal and external stakeholders about cybersecurity risk
• Complements, does not replace, risk management processes
• Organizations without cybersecurity programs can use Framework as reference to establish one

Overview of Framework (continued)
• Composed of three parts
• Framework Core
  • Set of activities, desired outcomes, and applicable references (e.g., ISO, NIST 800-53)
  • Consists of five functions: Identify, Protect, Detect, Respond, Recover
  • Identifies key categories for each function
• Framework Implementation Tiers
  • Characterize cybersecurity practices over a range from Partial (Tier 1) to Adaptive (Tier 4)
  • Provide context on how an organization views cybersecurity risk
• Framework Profiles
  • Used to identify opportunities to improve cybersecurity posture by comparing a Current profile (“as is” state) to a Target profile (“to be” state)
  • Supports prioritization and measurement of progress towards Target profile

Framework Core Structure
• Not a checklist of actions to perform
• Presents key cybersecurity outcomes identified as helpful in managing risk
Cybersecurity Functions
• Focus on the following five key framework functions needed to drive a comprehensive cybersecurity program:
  • Identifying risks to resources supporting critical functions
  • Protecting these resources and limiting the impact of cybersecurity events
  • Detecting incidents that have occurred
  • Responding to the detection of events
  • Recovering following response procedures
• Each function places heavy reliance on the development of those preceding it
  • You cannot protect your environment correctly without first identifying your key systems and the risks faced by each
  • You cannot respond to events if you have not first implemented proper measures to detect them

Framework Functional Categories
• Each function has several categories subdividing them into more detailed groups of activities:

Assessment of Critical Functions
• Allows organizations to assess each critical cybersecurity function
Framework Tiers
• Developed to provide context on how the organization views cybersecurity risk along with the processes in place to manage that risk
• Characterize the organization’s practices over a range, from Partial (Tier 1) to Adaptive (Tier 4)
• Progression to higher Tiers is encouraged when this would reduce cybersecurity risk and be cost effective
• Similar to the Capability Maturity Model (CMM), but tiers do not represent maturity levels

Framework Tiers (continued)
Tier 1: Partial
• Risk management is not formalized, managed in an ad hoc, reactive manner
• Limited awareness of cybersecurity risk at organizational level
• No enterprise-wide approach to managing cybersecurity risk
• May not have processes in place to coordinate or collaborate with other entities

Framework Tiers (continued)
Tier 2: Risk Informed
• Risk management practices approved by management but not established across entire organization
• Prioritization of cybersecurity activities informed by organizational risk objectives, threat environment, or business requirements
• Awareness of cybersecurity risk at organizational level
• Processes and procedures are defined and implemented
• Has not formalized capabilities to share information externally

Framework Tiers (continued)
Tier 3: Repeatable
• Risk management practices are formally approved and documented
• Organization-wide approach to manage cybersecurity risk
• Policies and procedures are defined, implemented, reviewed
• Cybersecurity practices updated based on formalized risk management processes
  • Addresses changes in business requirements or changing threat environment
• Organization collaborates with partners

Framework Tiers (continued)
Tier 4: Adaptive
• Organization-wide approach to manage cybersecurity risk
  • Part of organizational culture
  • Formalized risk-informed policies, processes, and procedures
• Cybersecurity practices are adapted based on lessons learned and predictive indicators
  • Actively adapts to changing cybersecurity landscape
  • Responds to evolving threats in timely manner
• Continuous improvement incorporating advanced cybersecurity technologies and practices
• Awareness of previous activities and current activities on systems and networks
• Actively shares information with partners to improve cybersecurity before an event occurs
Framework Profiles
• Aligns the Functions and Categories with:
  • Business requirements and goals
  • Risk tolerance
  • Available resources
  • Legal/regulatory requirements
  • Industry best practices
• Used to describe current and desired state of specific cybersecurity activities
• Comparison of profiles identifies gaps
• An action plan can then be developed to address gaps and prioritize efforts

Framework Profiles (continued)
• Current Profile (“as is” state)
  • Indicates cybersecurity outcomes that are currently being achieved
• Target Profile (“to be” state)
  • Indicates outcomes needed to achieve desired cybersecurity risk management goals
• Successful implementation of Framework is based upon achievement of outcomes described in Target Profile (not upon Tier determination)
Alignment with Other Standards
• Framework Core provides references to existing standards or guidelines
  • COBIT 5 (Control Objectives for Information and Related Technology)
  • ISO 27001 (International Organization for Standardization – IT Security Techniques, Information Security Management Systems Requirements)
  • NIST 800-53 (National Institute of Standards and Technology – Security and Privacy Controls for Federal Information Systems and Organizations)
  • Also other standards from CCS (Council on CyberSecurity), ISA (International Society of Automation)

Alignment with Other Standards (cont.)
NIST SP 800-53 Rev. 4
• Security and Privacy Controls for Federal Information Systems
• Composed of control baselines across areas such as:
  • Access Control
  • Awareness and Training
  • Security Assessment and Authorization
  • Configuration Management
  • Contingency Planning
  • Identification and Authentication
  • Incident Response
  • Maintenance
  • Physical/Environmental Protection
  • Information Integrity

Alignment with Other Standards (cont.)
ISO/IEC 27001:2013 (International Organization for Standardization)
• Total of 114 controls across 14 areas such as:
  • A.5: Information security policies
  • A.6: Organization of information security
  • A.7: Human resource security
  • A.8: Asset management
  • A.9: Access control
  • A.10: Cryptography
  • A.11: Physical and environmental security
  • A.12: Operations security
  • A.13: Communications security

Alignment with Other Standards (cont.)
COBIT 5
• Divided into Governance and Management domains
• Governance: Contains five governance processes; within each process, evaluate, direct and monitor (EDM)
• Management: Contains four domains, in line with the responsibility areas of plan, build, run and monitor (PBRM)
  • Align, Plan and Organize (APO)
  • Build, Acquire and Implement (BAI)
  • Deliver, Service and Support (DSS)
  • Monitor, Evaluate and Assess (MEA)

Alignment with Other Standards (cont.)
• Example of alignment with other standards:
  • Function: Identify
  • Category: Asset Management
  • Subcategory: ID.AM-1: Physical devices and systems within the organization are inventoried
  • Informative References include:
    • COBIT 5 BAI09.01, BAI09.02
    • ISO/IEC 27001:2013 A.8.1.1, A.8.1.2
    • NIST SP 800-53 Rev. 4 CM-8
Applying The Framework
• Can be used as a supplement to an organization’s risk management process in order to assess cybersecurity and align with best practices
• Implementation purpose is left to the organization’s discretion
  • Basic review of existing cybersecurity practices
  • Establishing or improving a cybersecurity program
  • Communicating cybersecurity requirements with stakeholders

“There are two types of companies. Those that have been hacked, and those that have been hacked but don’t know it yet”

Applying The Framework (continued)
• Develop the “As-Is” profile
• Develop the “To-Be” profile
• Identify gaps and opportunities
• Develop a prioritized action plan
• Repeatable
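As an added illustration (not part of the presentation or of NIST's own tooling), the following Python models the Profile comparison the slides describe: a Current (“as is”) and a Target (“to be”) profile are compared outcome by outcome, and the resulting gaps are ordered into an action plan by business priority, then by Framework function order (Identify before Protect before Detect, since each function relies on the one preceding it), then by gap size. Only ID.AM-1 and its Informative References come from the slides; the other subcategory IDs are from Framework v1.0 as I know it, and the 0-3 achievement scale, priorities and profile values are constructed for the example.

```python
from dataclasses import dataclass

# Framework functions in dependency order (from the Cybersecurity Functions slide).
FUNCTION_ORDER = ("ID", "PR", "DE", "RS", "RC")


@dataclass(frozen=True)
class Subcategory:
    sid: str            # Framework subcategory ID, e.g. "ID.AM-1"
    outcome: str        # the outcome statement
    references: tuple   # Informative References (COBIT 5, ISO/IEC 27001, NIST SP 800-53)


# Excerpt of the Framework Core. ID.AM-1 is the slide's worked example; the
# other three entries are Framework v1.0 subcategories with references omitted.
CORE = {s.sid: s for s in (
    Subcategory("ID.AM-1", "Physical devices and systems within the organization are inventoried",
                ("COBIT 5 BAI09.01", "COBIT 5 BAI09.02", "ISO/IEC 27001:2013 A.8.1.1",
                 "ISO/IEC 27001:2013 A.8.1.2", "NIST SP 800-53 Rev. 4 CM-8")),
    Subcategory("ID.AM-2", "Software platforms and applications within the organization are inventoried", ()),
    Subcategory("PR.AC-1", "Identities and credentials are managed for authorized devices and users", ()),
    Subcategory("DE.CM-1", "The network is monitored to detect potential cybersecurity events", ()),
)}

# Constructed profiles. Current: subcategory -> achievement level (0 = not achieved, 3 = fully).
# Target: subcategory -> (required level, business priority; 1 = highest).
CURRENT_PROFILE = {"ID.AM-1": 1, "ID.AM-2": 0, "PR.AC-1": 2, "DE.CM-1": 1}
TARGET_PROFILE = {"ID.AM-1": (3, 1), "ID.AM-2": (2, 2), "PR.AC-1": (2, 1), "DE.CM-1": (3, 1)}


def gap_analysis(current: dict, target: dict) -> list:
    """Return the prioritized action plan: one entry per Target outcome not yet achieved."""
    gaps = []
    for sid, (want, priority) in target.items():
        if sid not in CORE:
            raise ValueError(f"unknown Framework subcategory: {sid}")
        have = current.get(sid, 0)  # absent from the Current Profile means not achieved
        if have < want:
            gaps.append({"id": sid, "from": have, "to": want, "priority": priority,
                         "outcome": CORE[sid].outcome, "references": CORE[sid].references})
    # Business priority first, then Framework function order, then largest gap first.
    gaps.sort(key=lambda g: (g["priority"], FUNCTION_ORDER.index(g["id"][:2]), g["from"] - g["to"]))
    return gaps


if __name__ == "__main__":
    for step, g in enumerate(gap_analysis(CURRENT_PROFILE, TARGET_PROFILE), 1):
        print(f"{step}. {g['id']} (priority {g['priority']}): level {g['from']} -> {g['to']}; "
              f"{g['outcome']}; references: {', '.join(g['references']) or 'n/a'}")
```

Re-running the analysis after each improvement cycle, with the updated Current Profile, is the “Repeatable” step in the process above.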
Implementation Benefits
• Voluntary nature of assessment leads to more open and honest discussion of cybersecurity risk exposure
• Helps expose areas of risk that may not have been previously considered
  • Electronic emanations??
• Encourages information sharing and collaboration with external partners
  • Vulnerability intelligence
  • Threat information
  • Protection & response strategies
• Encourages a layered approach to cybersecurity

Implementation Challenges
• Requires “buy-in” from key stakeholders
  • Time and resources from multiple departments
  • Executive prioritization
• Communicating risks
  • Why does this matter?
• Cybersecurity is a long term process
• The Framework is in its infancy
  • NIST is seeking information and user experiences from early adopters

Available Tools
• CForum (http://cyber.securityframework.org)
  • An industry led forum focused on the evolution and the use of the Cybersecurity Framework
• Utilization of a third party to facilitate
  • Provides direction
  • Objective approach
• www.nist.gov
  • Framework
  • Excel version of Core

What’s Next for Framework
• Plans to expand future versions for:
  • Authentication
    • Focus on development of better identity and authentication mechanisms
  • Automated Indicator Sharing
    • Sharing information that is discovered prior to and during incident response activities
  • Conformity Assessment
    • Used to show that a product, service, or system meets specified requirements for managing cybersecurity risk
  • Cybersecurity Workforce
    • ISACA’s Cybersecurity Nexus (CSX): New security knowledge platform and professional program
  • Data Analytics
    • Big data and analytic tools coupled with cloud, mobile, and social computing
  • Federal Agency Cybersecurity Alignment
    • FISMA, FIPS, etc.
  • International Alignment
  • Supply Chain Risk Management
  • Privacy Standards
For More Information
If you wish to discuss any aspects of this presentation in more detail, please feel free to contact us:
Clark Schaefer Consulting, LLC.
120 East Fourth Street, Suite 1100
Cincinnati, OH 45202
(513) 768-7100
www.clarkschaefer.com
Or send an e-mail directly to Sarah at: sackerman@clarkschaefer.com

Questions?