The NIST Cybersecurity Framework (CSF)

Transcription

The NIST Cybersecurity Framework (CSF)
Unlocking CSF - An Educational Session
Robert Smith, Systemwide IT Policy Director
Compliance & Audit Educational Series
5/5/2016

Today's reality

"There are two kinds of big companies in the United States. There are those who've been hacked by the Chinese and those who don't know they've been hacked by the Chinese."
- FBI Director James Comey

"There are two types of companies in the world: those that know they've been hacked, and those that don't."
- British journalist Misha Glenny

[Chart: Incident patterns by industry, minimum 25 incidents (only confirmed data breaches)]

How Do We Protect an Institution Designed for Openness?

Threats are real, evolving, and sophisticated

- The "bad actors" are organized and coordinated
  – Nation-state
  – Criminal syndicates
  – "Hacktivism" / politically driven
- They know how to get at what they want
  – Compromised devices ("hacked")
  – Compromised passwords ("phished" or harvested)
  – Lost and stolen devices
  – Insider (accidental or nefarious)

Think Different

Old thinking – "Keep out"
- Security is IT's job
- Perimeter defense
- Plugging the holes
- "If only we had more ..."
  – Money, time, people
- More money -> more defense -> more security
- End state: "we are secure"

New thinking – "Find and recover"
- Security is everyone's responsibility
- Asset inventory is the new perimeter
  – Separate assets based on risk
- Resources allocated based on risk
- Assume you are breached
  – Threat detection and identification
  – Find intruders and kick them out
  – Limit the damage they can do
  – Recovery
- These are different spending priorities
- End state: "managed risk"

Today's goal – unlock CSF

Takeaway

- Identify – Know your assets
- Protect – Limit the damage
- Detect – Find the bad actors
- Respond – Hunt the bad actors and expel them
- Recover – Get back to a normal state

Case Study – Hollywood Presbyterian

- Ransomware locked up the hospital for more than a week!
- 17K ransom paid!
  – But it could have been worse!
- Think different

The most important control?

Introduction to the NIST CSF

You just need to look in the right place.

NIST CSF

- NIST – National Institute of Standards and Technology
- CSF – Cybersecurity Framework, issued February 2014
- Why?
  – NIST SP 800-53 is 462 pages long
  – How can organizations apply a 462-page standard?
  – The CSF is guidance, based on standards, guidelines, and practices, for organizations to better manage and reduce cybersecurity risk
- Avoid using a checklist and think about risk
  – Designed to foster risk and cybersecurity management communications amongst both internal and external organizational stakeholders, as well as to manage and reduce risk

CSF Introduction

Provide a common taxonomy and mechanism to:
1. Describe current cybersecurity posture
2. Describe target state for cybersecurity
3. Identify and prioritize opportunities for improvement within the context of a continuous and repeatable process
4. Assess progress toward the target state
5. Communicate among internal and external stakeholders about cybersecurity risk

CSF Overview

- Framework Implementation Tiers
  – Tiers provide context on how an organization views cybersecurity risk and the processes in place to manage that risk
- Framework Core
  – Set of cybersecurity activities, desired outcomes, and applicable references that are common across sectors
- Framework Profile
  – Represents the outcomes based on business needs that an organization has selected from the Framework Categories and Subcategories
  – The Profile can be characterized as the alignment of standards, guidelines, and practices to the Framework Core in a particular implementation scenario

Maturity model: IMPLEMENTATION TIERS

CSF Implementation Tiers - Maturity

- Tier 1 – Partial
  – Cybersecurity risk management practices are not formalized, and risk is managed in an ad hoc and sometimes reactive manner.
  – Prioritization of cybersecurity activities may not be directly informed by organizational risk objectives, the threat environment, or business/mission requirements.
- Tier 2 – Risk Informed
  – Risk management practices are approved by management but may not be established as organization-wide policy.
  – Prioritization of cybersecurity activities is directly informed by organizational risk objectives, the threat environment, or business/mission requirements.
- Tier 3 – Repeatable
  – Risk management practices are formally approved and expressed as policy. Organizational cybersecurity practices are regularly updated based on the application of risk management processes to changes in business/mission requirements and a changing threat and technology landscape.
- Tier 4 – Adaptive
  – Adapts its cybersecurity practices based on lessons learned and predictive indicators derived from previous and current cybersecurity activities.
  – Through a process of continuous improvement incorporating advanced cybersecurity technologies and practices, the organization actively adapts to a changing cybersecurity landscape and responds to evolving and sophisticated threats in a timely manner.

(Caveat: the deck presents the Tiers as a maturity model; the Framework document itself states that Tiers do not represent maturity levels, but describe how an organization manages risk. Treat the Tier as a self-assessment of process rigor, not a score to maximize.)

Talking about security controls relative to risk: FRAMEWORK CORE – IPDR2 (Identify, Protect, Detect, Respond, Recover)

CSF – 5 Functions

- Identify
  – Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities
- Protect
  – Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services
- Detect
  – Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event
- Respond
  – Develop and implement the appropriate activities to take action regarding a detected cybersecurity event
- Recover
  – Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event

It's pretty easy

- A fairly straightforward way to ask about and describe the main activities:
  – Identify, Protect, Detect, Respond and Recover
  – 5 buckets
- The next level, Categories, is not bad at 22
  – 3 to 6 per Function
  – See the next slide


Functions, Categories, Subcategories

- 5 Functions
- 22 Categories
  – Cybersecurity outcomes closely tied to programmatic needs and particular activities
  – Examples: Asset Management, Access Control, Detection Processes
- 98 Subcategories
  – Examples: External systems cataloged; Mobile devices with ePHI identified


Where are we and where are we going: CREATING A PROFILE

Recommended 7 Step Process

- Step 1: Prioritize and Scope
  – Identify business/mission objectives and high-level organizational priorities
- Step 2: Orient
  – Identify related systems and assets, regulatory requirements, and overall risk approach. The organization then identifies threats to, and vulnerabilities of, those systems and assets
- Step 3: Create a Current Profile
  – Which Category and Subcategory outcomes from the Framework Core are currently being achieved

Recommended 7 Step Process (continued)

- Step 4: Conduct a Risk Assessment
  – Analyze the operational environment in order to discern the likelihood of a cybersecurity event and the impact that the event could have on the organization
- Step 5: Create a Target Profile
  – Framework Categories and Subcategories describing the desired cybersecurity outcomes
- Step 6: Determine, Analyze, and Prioritize Gaps
  – Step 3 vs. Step 5
- Step 7: Implement Action Plan
  – Actions to take
  – Monitoring of the program
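Steps 3 to 6 of this process are a mechanical comparison once the profiles are written down, so the following script shows them end to end. It is an added example, not code from the deck or from NIST: the Subcategory identifiers are the real ones from CSF v1.0 (ID.AM-1 physical devices inventoried, ID.AM-4 external systems catalogued, PR.AC-1 identities and credentials managed, PR.DS-1 data-at-rest protected, DE.CM-1 network monitored, RS.RP-1 response plan executed, RC.RP-1 recovery plan executed), but the achievement levels, likelihoods and impacts are constructed sample data, and scoring a gap as "unachieved share of the outcome times likelihood times impact" is this example's own assumption, not something the Framework prescribes.

```python
"""Current Profile vs. Target Profile gap analysis (CSF Steps 3-6).

Added example, not from the slides or from NIST. Subcategory IDs are
from CSF v1.0; every number below is constructed sample data, and the
priority formula is an assumption of this example.
"""
from dataclasses import dataclass

# Function prefixes as used in CSF subcategory identifiers (ID.AM-1 etc.).
FUNCTIONS = {"ID": "Identify", "PR": "Protect", "DE": "Detect",
             "RS": "Respond", "RC": "Recover"}


@dataclass(frozen=True)
class Gap:
    subcategory: str
    achieved: float      # Step 3: 0.0 (not achieved) .. 1.0 (fully achieved)
    likelihood: float    # Step 4 risk assessment (constructed)
    impact: float        # Step 4 risk assessment (constructed)
    assessed: bool       # False if the Target Profile names an outcome nobody scored

    @property
    def function(self) -> str:
        return FUNCTIONS[self.subcategory.split(".")[0]]

    @property
    def priority(self) -> float:
        # Unachieved share of the outcome, weighted by the risk it leaves open.
        # Rounded so equal scores compare equal and the ranking is stable.
        return round((1.0 - self.achieved) * self.likelihood * self.impact, 6)


def analyze_gaps(current_profile, target_profile, risk_assessment,
                 default_risk=(0.5, 0.5)):
    """Step 6: compare the Current Profile (Step 3) with the Target Profile
    (Step 5) and rank the open gaps by the Step 4 risk.

    current_profile:  {subcategory: achievement level 0.0..1.0}
    target_profile:   iterable of subcategory IDs the organization selected
    risk_assessment:  {subcategory: (likelihood, impact)}, each 0.0..1.0
    """
    gaps = []
    for sub in target_profile:
        prefix = sub.split(".")[0]
        if prefix not in FUNCTIONS:
            raise ValueError(f"{sub}: unknown CSF Function prefix")
        assessed = sub in current_profile
        # A selected outcome nobody assessed is treated as not achieved,
        # and flagged so the report shows the assessment gap, not just the control gap.
        achieved = current_profile.get(sub, 0.0)
        if not 0.0 <= achieved <= 1.0:
            raise ValueError(f"{sub}: achievement must be in [0, 1]")
        if achieved >= 1.0:
            continue  # outcome already achieved: no gap
        likelihood, impact = risk_assessment.get(sub, default_risk)
        gaps.append(Gap(sub, achieved, likelihood, impact, assessed))
    # Highest priority first; ties broken by identifier so output is deterministic.
    return sorted(gaps, key=lambda g: (-g.priority, g.subcategory))


def rollup_by_function(gaps):
    """Input to Step 7: total open risk per Function, for the IPDRR conversation."""
    totals = {name: 0.0 for name in FUNCTIONS.values()}
    for g in gaps:
        totals[g.function] += g.priority
    return {name: round(v, 6) for name, v in totals.items()}


# Constructed sample data (not a real assessment).
CURRENT_PROFILE = {"ID.AM-1": 1.0, "ID.AM-4": 0.0, "PR.AC-1": 0.5,
                   "DE.CM-1": 0.5, "RS.RP-1": 0.0, "RC.RP-1": 1.0}
TARGET_PROFILE = ["ID.AM-1", "ID.AM-4", "PR.AC-1", "PR.DS-1",
                  "DE.CM-1", "RS.RP-1", "RC.RP-1"]          # PR.DS-1 never assessed
RISK_ASSESSMENT = {"ID.AM-4": (0.6, 0.7), "PR.AC-1": (0.8, 0.9),
                   "PR.DS-1": (0.4, 0.9), "DE.CM-1": (0.7, 0.8),
                   "RS.RP-1": (0.5, 0.9)}


def report(gaps):
    """Render the prioritized gap list as plain text lines."""
    lines = []
    for g in gaps:
        flag = "" if g.assessed else " (NOT ASSESSED)"
        lines.append(f"{g.priority:.2f}  {g.subcategory:<8} {g.function:<8}"
                     f" achieved={g.achieved:.1f}{flag}")
    return lines


if __name__ == "__main__":
    found = analyze_gaps(CURRENT_PROFILE, TARGET_PROFILE, RISK_ASSESSMENT)
    print("\n".join(report(found)))
    print(rollup_by_function(found))
```

With the sample data the unexecuted response plan (RS.RP-1) ranks first even though its likelihood is moderate, because nothing of that outcome is achieved and the impact is high; the two Protect gaps tie and are listed by identifier. The per-Function rollup is what goes into the Step 7 action plan and the governance conversation the deck describes.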

[Governance diagram: CRGC, CRE, CIO & CISO]

Why is this important?

- UC is driving to adopt a common risk management framework
- NIST CSF provides the taxonomy and mechanisms to have the conversations across UC and with external consulting firms
  – Consistent
  – Auditable
- NIST SP 800-39 may drive the overall process flow
  – Managing electronic information security risk

Case Study – University of Central Florida

- Feb 4, 2016 - Student SSNs exposed in breach
  – Records of 63,000 current and former students were accessed; class action lawsuit filed within days
  – Weakness in architecture cited: local database
- CSF
  – What do you think?

[Slide image: Case Study – University of Central Florida]

Quick review

- CSF – Cybersecurity Framework
- Governance is key – investment decisions
- Taxonomy and mechanism to talk about cyber-risk
- 5 Functions
  – They are ?
- 22 Categories across the 5 Functions
- A 4-Tier Maturity Model
- A target profile process that maps where we are and where we want to be based on risk and governance
  – Continuous improvement and adjustment

Robert Smith
robert.smith@ucop.edu
